Spread the word, not the virus!
Wednesday October 10, 2007 at 5:57 am CST
Posted by Vinoo Thomas
Organizations have traditionally blocked outbound Simple Mail Transfer Protocol (SMTP) traffic on port 25 that originates from the local area network (LAN) and virtual private network (VPN) segments. This is done to prevent any internal machine that has been infected with a mass-mailer from spamming the outside world. Email can be traced back to its origin via the IP address information contained in the mail header, and no organization wants to be held responsible for spreading malware onto the Internet – it would be a public relations nightmare.
By blocking port 25 at the firewall, an organization prevents a mass-mailer from spreading. However, by blindly blocking outgoing SMTP traffic, valuable information on real-time internal infections or data leakage arising from threats that use port 25 is lost.
In this month’s Oct 2007 edition of Virus Bulletin, we proposed the need for an in-house SMTP honeypot. A copy of this article titled “The need for an in-house SMTP Honeypot” can be downloaded from our McAfee Avert Labs Technical White Papers page.
Simple Mail Transfer Protocol honeypots have traditionally been used to masquerade as open-relays in order to frustrate spammers and harvest spam. With changed spammer tactics over the years, it is high time we revisited traditional countermeasures and improved upon them.

October 10th, 2007 at 8:27 am
No one should be “blindly” blocking port 25. They should review their logs and locate internal botnet infections, and then try to backtrack to determine how those hosts became infected in the first place. I think that is the information that is most valuable, and establishing countermeasures to battle those infection vectors, be it phishing attack or drive-by download, may go a bit further than analyzing a honeypot.
October 11th, 2007 at 3:38 am
Rather than a honeypot, why not just review your firewall logs?
A simple query on the firewall logs to identify all blocked outbound connections on port 25 should identify any internal hosts that are potentially compromised.
I’ve used this exact technique many times when an outbreak has occurred. On many occasions it’s far easier to search for what the malware is doing than it is to search for the malware itself. The same technique works for IRC bots too.
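The firewall-log review the commenter describes, as an added example that is not part of the original post or the commenter's own tooling: it parses constructed netfilter-style syslog lines (the format and the OUT_DROP/OUT_ACCEPT chain names are assumptions), counts the distinct external destinations each internal host tried to reach on a blocked port, and flags hosts above a threshold. It goes slightly beyond the comment by watching the IRC port alongside SMTP and by excluding a sanctioned mail relay, so a single misconfigured client retrying one server is not confused with a mass-mailer fanning out to many MX hosts.

```python
import re
from collections import defaultdict

# Constructed sample firewall lines (not real logs): one workstation fanning out
# to several external SMTP servers, one host trying IRC, one host with a single
# SMTP retry, and the sanctioned relay whose outbound mail is accepted.
SAMPLE_LOG = """\
Oct 10 05:57:01 fw kernel: OUT_DROP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=198.51.100.9 PROTO=TCP SPT=3301 DPT=25
Oct 10 05:57:02 fw kernel: OUT_DROP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=198.51.100.10 PROTO=TCP SPT=3302 DPT=25
Oct 10 05:57:03 fw kernel: OUT_DROP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=198.51.100.11 PROTO=TCP SPT=3303 DPT=25
Oct 10 05:57:04 fw kernel: OUT_DROP IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=203.0.113.5 PROTO=TCP SPT=4410 DPT=6667
Oct 10 05:57:05 fw kernel: OUT_DROP IN=eth1 OUT=eth0 SRC=10.1.2.80 DST=198.51.100.9 PROTO=TCP SPT=5120 DPT=25
Oct 10 05:57:06 fw kernel: OUT_ACCEPT IN=eth1 OUT=eth0 SRC=10.1.0.25 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=25
Oct 10 05:57:07 fw kernel: OUT_DROP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=198.51.100.12 PROTO=TCP SPT=3304 DPT=443
"""

# Assumed netfilter log prefix/field layout; adjust the regex for your firewall.
LINE_RE = re.compile(
    r"(?P<action>OUT_DROP|OUT_ACCEPT) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Blocked outbound use of these ports points at a particular class of infection.
WATCHED_PORTS = {25: "mass-mailer (SMTP)", 6667: "IRC bot (C&C)"}


def suspect_hosts(log_text, watched_ports=WATCHED_PORTS,
                  allowed_senders=frozenset(), min_destinations=2):
    """Return {src_ip: {label: distinct_destination_count}} for internal hosts
    whose dropped outbound connections on a watched port reached at least
    min_destinations distinct external addresses. Accepted traffic and hosts
    in allowed_senders (e.g. the corporate mail relay) are ignored."""
    dests = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("action") != "OUT_DROP":
            continue
        port = int(m.group("dpt"))
        if port not in watched_ports or m.group("src") in allowed_senders:
            continue
        dests[m.group("src")][watched_ports[port]].add(m.group("dst"))
    report = {}
    for src, by_label in dests.items():
        hits = {label: len(d) for label, d in by_label.items() if len(d) >= min_destinations}
        if hits:
            report[src] = hits
    return report


if __name__ == "__main__":
    for host, hits in suspect_hosts(SAMPLE_LOG).items():
        print(host, hits)  # 10.1.2.34 {'mass-mailer (SMTP)': 3}
```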
October 11th, 2007 at 7:32 pm
Is the technical white papers page new? Great resource. Thanks for creating it.