The worm broke out on the office network at 10:42 a.m. Joe—the email administrator—was on the phone at the time, making arrangements to take his wife to dinner that evening. As the worm slithered from mailbox to address book to mailbox, Joe was happily contemplating enjoying a quiet evening out with his spouse, blissfully unaware of the monster growing within his network. Little did he realize that within a few hours, he'd have to cancel his plans.
As Joe hung up the phone, his heart sank when he saw the message appear in his Inbox: Important notify about your e-mail account. Joe recognized the subject title as a variant of the Bagel worm and realized that the worm was in his network. He'd have to put everything on hold to deal with the outbreak of this latest worm—a routine that Joe was all too familiar with.
I've long been disappointed that many modern email servers (such as Microsoft Exchange Server) lack standard mail-filtering capabilities. Microsoft has released an add-on for Exchange Server 2003 called the Exchange Intelligent Message Filter that gives you some control over your mail flow, but certain fundamental capabilities, such as attachment blocking, should be available on every server out of the box. Imagine how much less time we'd spend fighting Internet worms if all mail servers had even a rudimentary attachment-blocking capability. I decided to address this need, so I looked for an open-source mail filter that runs on Windows and can block attachments and help me manage the deluge of spam that continually assaults my network.
A Word About Mail Relays
The use of a mail relay or proxy server to deliver email messages is gaining popularity as a defense against hostile attachments, spam, and other email nuisances. Separating mail storage (handled by the mail server) from mail delivery (handled by the mail relay or proxy server) also makes sense from a security and performance perspective. By setting up a mail relay or proxy server in a demilitarized zone (DMZ) on your network, you can prevent the outside world from even connecting to your mail server.
Establishing a mail relay or proxy is typically accomplished by allowing SMTP traffic over TCP port 25 into the relay or proxy servers within the DMZ, then letting the relay or proxy servers communicate via SMTP with your mail server, which is behind a firewall. By delegating tasks such as spam filtering and attachment blocking to a relay or proxy server, you can decrease the processor load on the mail server.
Because the mail proxy package I discuss in this article is open source, you might want to consider implementing more than one on your network, for a couple reasons. First, open-source software sometimes has bugs. Although I've found my open-source mail filter to be exceptionally reliable in most environments, running two mail proxies gives you a backup should one proxy server crash or otherwise stop processing messages. The second reason is that because the software is free and doesn't cost anything other than some additional hardware, you can implement a second relay server. By using multiple DNS MX records, you can have both servers work on processing your network's incoming mail.
Fluffy the SMTPGuardDog
I first noticed Fluffy the SMTPGuardDog about a year ago. Fluffy is an open-source mail-filter application for systems running Windows 95 and later that derives its name from the ferocious three-headed dog in the Harry Potter book series. I was impressed to see an open-source mail-filtering solution for Windows platforms. Designed to act as a proxy between the Internet and your mail server, Fluffy checks all incoming messages and attempts to filter out hostile attachments and spam.
Fluffy doesn't require much processing power to run. The application's author, Wayne McDougall, says that his 233MHz Pentium machine can handle roughly 1500 messages in 10 minutes without fault. You can run Fluffy on the same system as your existing mail server or on a dedicated DMZ system. Although I highly recommend the DMZ-based implementation, for the purposes of this article, I set up Fluffy on the same system as my mail server, which is a bit more complicated than setting it up on a separate system.
You'll need to download the executable code for Fluffy, along with a Visual Basic (VB) runtime engine to install on your system. You can obtain both items from the application's homepage at http://smtpfilter.sourceforge.net. For this article, I use version 1.4.95 of Fluffy.
Install the VB runtime by downloading and executing msvbvm50.exe, which provides the necessary support for the primary application. Then, you're ready to install Fluffy. Unzip the installation package for Fluffy and launch setup.exe. There are no real options to choose for the installation—you need to specify only the directory you want to use. After you've installed the application, you're ready to start configuring it to filter your mail.
Fluffy doesn't run as a service, so you must leave your system logged on and run Fluffy as a desktop application. Currently, this is the only supported configuration for Fluffy. However, some users report that they've been able to run Fluffy as a service by using the resource kit utility Srvany or set up Fluffy as a scheduled task to launch at system start-up. (For more information about Srvany, see Resources.) Although it's a slight security risk, I like to leave Fluffy running on the desktop so that I can see its main console window, which Figure 1 shows—it gives me a real-time look at how much my mail server is being assaulted and also helps me diagnose users' email problems.
Setting Up Fluffy
When you launch Fluffy from the Start menu for the first time, the program asks you some configuration questions. I leave most of the options blank so that I can set them up on my own. However, Fluffy provides some useful default settings, and we'll accept some of them here. The first question you're asked is whether you want to let Fluffy detect the network settings for your system. I recommend you select Yes.
Previous
)
)
a blocked attachment that it will bounce back a message to the sender. Is this an email message to the alleged sender's email address as
opposed to a 550 protocol error to the IP address of the MTA? I want
to avoid sending email messages to the spoofed/forged email addresses
of innocent people.
cfrankb September 08, 2004 (Article Rating: