It's all over the news. The big bad viruses are coming! Somewhere in some remote country, or right next door, a user opens an email attachment that unleashes a world of hurt onto his computer, or onto your network as their mail client spews out email to everyone in that person's contact list. Spam is flooding our mailboxes! Even your administration accounts are buried in it, and you don't use them to surf the web or post to newsgroups.
Everyone's looking for who's responsible. That's easy, right? The virus-writers and spammers have to be stopped. Easier said than done. But let's face it, though I know you won't want to: any networking professional who has not taken the steps to properly lock down her setup is also partially responsible.
For viruses, putting anti-virus programs on everyone's desktops is unfortunately not enough. You first have to make sure those programs are updating their virus definitions daily or even more than once a day; if they're not, what's the point of having the scanner? Old viruses might continue making the rounds but it's the new ones that catch everyone off guard. You also must make sure that the anti-virus program starts at boot time, and that your users do nothing to interfere with the program's functioning.
However, what I've started asking myself is: why are we letting the viruses reach the desktop at all? Sure, it's smart to have an anti-virus program on the workstations no matter what, as a fallback line of defense. But what about the mail servers? Most computer viruses are passed using email, so doesn't it make sense to do an initial check before even letting mail into your organization? That's what we do, and I didn't even know about the Klez virus until a colleague of mine complained about getting one hundred copies in her email over the weekend.
Talk about useful. Our mail server over the last two months has intercepted forty virus-infected files (or files that it thinks are infected), and placed them into quarantine. Many of these emails contain the Klez virus headed straight to my personal mailbox; I know this because the mail server notifies the mail administrator when it puts something in quarantine. Of course, once again, the mail server's virus definitions must be kept impeccably up to date or it's useless.
But not all viruses enter through mail. Code Red utilized HTTP to generate a known buffer overflow problem with Microsoft's Internet Information Server 4.0 and 5.0. I repeat, a known problem. I won't make fun of the people who were hit by Code Red, I know some of them, and I know how hard it can be to keep up with all of the security and bug updates. Code Red was hopefully a wakeup call for many: keep your servers up to date! Same for your desktops. Automate it as much as you can, that way you never have to remember or take time out from other tasks to deal with it.
Code Red also used email, which is why it's called a multi-vector virus. It has more than one method of attack. An anti-virus program that only scans email wouldn't have caught the HTTP attacks, but those that have a continual protect mode and watch out for any attempts to change files and master boot records would have had a chance at protecting those machines that had been left vulnerable.
Then there's the spam. Spam's a bit harder to detect since it doesn't have a distinct signature to watch for and it doesn't try to change anything on your computer except the amount of junk email you have to sort through per day. Right alongside the claims that spammers aren't doing anything wrong are the fake addresses they use so you can't complain to them, the fake subjects they use to dupe you into reading the contents, and the fake instructions for how to remove yourself from their lists.
So, as an administrator, how can we deal with spam without having to look at the contents of every piece of mail that enters our servers, or do invasive content scanning that might end up blocking legitimate email? There's one very easy thing we must do if the spam situation is to be gotten under control: lock down our mail servers so they cannot be used as an open relay. The ability to relay, or forward mail on behalf of people on your newtork, is built into every mail server. As you might imagine, this ability is necessary unless you actually write all of your outgoing mail on the mail server itself.
The problem comes in when people set their mail server to allow anyone from anywhere to forward mail through their server. Sometimes this happens when a server comes with default settings that allow it to act as an open relay-hopefully something that most mail server vendors are not doing anymore-and the administrator doesn't bother to change the defaults. Unfortunately, this problem also occurs when a mail admin purposely opens the floodgates, and it happens more often than you might think: mostly with beginning admins or people who were pushed into handling the mail servers with no experience, but don't want to deal with figuring out how to set up the system correctly.
When dealing with both viruses and spam, administrator and user education are both vital. If you're not sure whether you're operating an open relay or not, go to www.abuse.net/relay.html and have your site tested. This is just the start.
Reprinted from networking.earthweb.com.