Steve Friedl has a post about exploiting the ability to quickly block new worms, in this case the NetSky worm. This is a support for my ongoing argument that, if you're running an Exchange server, you should have a Unix/Linux-based mail handler immediately upstream from it to filter viruses, score/filter spam, and gather various metrics. Why? If you know Perl (or some other just as capable scripting language), you can quickly adapt to an outbreak, in as little as fifteen minutes, without having to wait for the anti-virus vendors to issue a signature update (which can take up to two days).
For Steve's example, it would look something like:
if($source_domain eq $dest_domain) {
move_to_quarantine($msg_ID);
}
This design exploits the assumption that anything meant to remain within the domain would remain on the Exchange box. The mail handler would filter only traffic entering or leaving the network. The idea is to add an additional level of security, invisible to the users. For that matter, even MS can be used for this as long as it's not running the same MTA software as the main mail server.
No comments:
Post a Comment