It’s all over the news. The big bad viruses are coming! Somewhere in
some remote country, or right next door, a user opens an email
attachment that unleashes a world of hurt onto his computer, or onto
your network as their mail client spews out email to everyone in that
person’s contact list. Spam is flooding our mailboxes! Even your
administration accounts are buried in it, and you don’t use them to
surf the web or post to newsgroups.
Everyone’s looking for who’s responsible. That’s easy, right? The
virus-writers and spammers have to be stopped. Easier said than done.
But let’s face it, even though you won’t want to hear it: any
networking professional who has not taken the steps to properly lock
down her setup is also partially responsible.
Am I blaming the victims? Only those who have set themselves up to be
one. Viruses and spam have been around for years. We have the
technology to deal with these issues before they even reach the user,
most of the time. In fact, as network administrators, we have the
ability to make sure at the very least that our systems aren’t used to
spread the problem.
For viruses, putting anti-virus programs on everyone’s desktops is
unfortunately not enough. You first have to make sure those
programs are updating their virus definitions daily or even more than
once a day; if they’re not, what’s the point of having the scanner?
Old viruses might continue making the rounds but it’s the new ones
that catch everyone off guard. You also must make sure that the
anti-virus program starts at boot time, and that your users do nothing
to interfere with the program’s functioning.
However, what I’ve started asking myself is: why are we letting the
viruses reach the desktop at all? Sure, it’s smart to have an
anti-virus program on the workstations no matter what, as a fallback
line of defense. But what about the mail servers? Most computer
viruses are passed using email, so doesn’t it make sense to do an
initial check before even letting mail into your organization? That’s
what we do, and I didn’t even know about the Klez virus until a
colleague of mine complained about getting one hundred copies in her
email over the weekend.
Talk about useful. Our mail server over the last two months has
intercepted forty virus-infected files (or files that it thinks are
infected), and placed them into quarantine. Many of these emails
contain the Klez virus headed straight to my personal mailbox; I know
this because the mail server notifies the mail administrator when it
puts something in quarantine. Of course, once again, the mail server’s
virus definitions must be kept impeccably up to date or it’s useless.
But not all viruses enter through mail. Code Red used HTTP to exploit a
known buffer overflow in Microsoft’s Internet Information Server 4.0
and 5.0. I repeat, a known problem. I won’t
make fun of the people who were hit by Code Red, I know some of them,
and I know how hard it can be to keep up with all of the security and
bug updates. Code Red was hopefully a wakeup call for many: keep your
servers up to date! Same for your desktops. Automate it as much as you
can, that way you never have to remember or take time out from other
tasks to deal with it.
Code Red also used email, which is why it’s called a multi-vector
virus: it has more than one method of attack. An anti-virus program
that only scans email wouldn’t have caught the HTTP attacks, but one
with a continuous protection mode that watches for any attempt to
change files or master boot records would have had a chance at
protecting those machines that had been left vulnerable.
Then there’s the spam. Spam’s a bit harder to detect since it doesn’t
have a distinct signature to watch for and it doesn’t try to change
anything on your computer except the amount of junk email you have to
sort through per day. Right alongside the claims that spammers aren’t
doing anything wrong are the fake addresses they use so you can’t
complain to them, the fake subjects they use to dupe you into reading
the contents, and the fake instructions for how to remove yourself
from their lists.
So, as administrators, how can we deal with spam without having to
look at the contents of every piece of mail that enters our servers,
or do invasive content scanning that might end up blocking legitimate
email? There’s one very easy thing we must do if spam is to be brought
under control: lock down our mail servers so they cannot be used as an
open relay. The ability to relay, or forward mail on behalf of people
on your network, is built into every mail server. As you might
imagine, this ability is necessary unless you actually write all of
your outgoing mail on the mail server itself.
The problem comes in when people set their mail server to allow
anyone from anywhere to forward mail through their server. Sometimes
this happens when a server comes with default settings that allow it
to act as an open relay–hopefully something that most mail server
vendors are not doing anymore–and the administrator doesn’t bother to
change the defaults. Unfortunately, this problem also occurs when a
mail admin purposely opens the floodgates, and it happens more often
than you might think: mostly with beginning admins or people who were
pushed into handling the mail servers with no experience, but don’t
want to deal with figuring out how to set up the system correctly.
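To make the relay decision concrete, here is an added illustration (not code from the article) of the rule a locked-down mail server applies to each RCPT TO, next to the "anyone from anywhere" behaviour of an open relay; the domains, networks and reply strings are constructed example values, and is_open_relay performs the same kind of check an external relay tester does.

```python
import ipaddress

# Constructed example values: the domains this server accepts mail for
# and the networks whose users may send outbound mail through it.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def relay_allowed(client_ip, rcpt_to, local_domains=LOCAL_DOMAINS,
                  trusted_nets=TRUSTED_NETS):
    """Locked-down policy for one RCPT TO.

    Inbound mail (recipient at one of our domains) is always accepted.
    Mail for a foreign domain, i.e. relaying, is accepted only when the
    client connected from a trusted network, meaning one of our users.
    """
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return True  # delivery to a local mailbox is not relaying
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in trusted_nets)


def open_relay_allowed(client_ip, rcpt_to):
    """The misconfiguration described above: relay for anyone, anywhere."""
    return True


def smtp_session(client_ip, mail_from, rcpt_to, policy=relay_allowed):
    """Simulate the server side of an SMTP dialogue and return its replies."""
    replies = ["220 mail.example.com ESMTP",
               "250 mail.example.com Hello",
               f"250 2.1.0 {mail_from}... Sender ok"]
    if policy(client_ip, rcpt_to):
        replies.append(f"250 2.1.5 {rcpt_to}... Recipient ok")
    else:
        replies.append(f"550 5.7.1 {rcpt_to}... Relaying denied")
    return replies


def is_open_relay(policy):
    """Relay test: outside client, outside sender, outside recipient.
    A 250 on the RCPT TO means the server will forward anyone's mail."""
    last = smtp_session("203.0.113.7", "tester@example.net",
                        "someone@example.org", policy)[-1]
    return last.startswith("250")


if __name__ == "__main__":
    print("locked-down server is open relay:", is_open_relay(relay_allowed))
    print("default-open server is open relay:", is_open_relay(open_relay_allowed))
```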
When dealing with both viruses and spam, both administrator and user
education are vital. If you’re not sure whether you’re operating an
open relay, go to www.abuse.net/relay.html and have your site tested.
This is just the start. In the next article in this
series, I’ll address specific methods for locking down your Microsoft
Internet Information Server, Linux/Unix Sendmail, and Novell Netware
Groupwise servers against spam and viruses. In the meantime, get
started by going to www.abuse.net.