An example of how to set up your FirstClass Internet Services to reject a virus/worm infected email:
In this example, we will speak about the W32.Sober.X@mm (name, and variants may change) which is a mass-mailing worm that uses its own SMTP engine to spread and lowers security settings. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.
First, start by gathering information about the virus or worm. In this case, we know that the email arrives with a zip file attachment and various subject names (including but not limited to: Your IP was logged, You_visit_illegal_websites). By visiting a website like www.sarc.com (Symantec Anti-Virus Research Center), we can obtain a list of known subject names and email attachment names. With that information, we can set up a mail filter to look for these messages (provided you do not already have either an Anti-Virus Email Gateway or the Symantec Anti-Virus Scan Engine in use with FirstClass).
We will begin our simple project by logging on to your FirstClass Server as the Administrator, and open "Internet Services/Filters/Rules.MailRules".
Next we will look for the section that deals with handling a virus/worm. Look for the section labeled "# Virus/worm checking tests go here", and you will find an example rule for the NetSky virus. All that is needed is to use that rule as a template. Add the following two lines below the NetSky entry:
#@: IF (@length($attname) && @InWordList("lists.VirusSoberSubject", $Subject) && @InWordList("lists.VirusSoberAttachment", $attname)) NDN 550 "No worms allowed"
@: IF (@length($attname) && @InWordList("lists.VirusSoberSubject", $Subject) && @InWordList("lists.VirusSoberAttachment", $attname)) SET $spamlevel += 101 AND $spamtests += "VIRUS_ALERT;"
Next, we need to create the two documents mentioned in the above rules. One being "lists.VirusSoberAttachment", and another called "lists.VirusSoberSubject". These documents MUST be FirstClass Documents, and be created at the root level of the Filters folder.
With the information you obtained from visiting www.sarc.com (or similar), you can now populate the lists.VirusSoberSubject and lists.VirusSoberAttachment documents with the appropriate information.
When completed, please close all Filters documents and perform a "Configuration Update": either perform a "reload config" (Internet Monitor > Control Tab) or restart Internet Services. Please note that ALL Configuration windows MUST be closed when performing either of these options.
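To check the matching logic of the two rule lines above before editing the live Rules.MailRules document, here is a small Python model of them. This is an added example, not code from the FirstClass article or the FirstClass product; it assumes that @InWordList matches when any entry of the list document occurs in the tested value (case-insensitively), that $attname is the attachment file name, and it uses constructed list entries and attachment names, not the real ones from the vendor write-up.

```python
# Added example, not from the FirstClass KB article or the FirstClass product:
# a Python model of the two Sober rule lines, so the matching logic can be
# exercised on constructed messages before editing the live Rules.MailRules.
# Assumption: @InWordList matches when any entry of the list document occurs in
# the tested value, case-insensitively; $attname is the attachment file name.

# Constructed stand-ins for the lists.VirusSoberSubject and
# lists.VirusSoberAttachment documents (one entry per line in FirstClass).
VIRUS_SOBER_SUBJECT = [
    "Your IP was logged",
    "You_visit_illegal_websites",
]
VIRUS_SOBER_ATTACHMENT = [
    "sample-list.zip",   # constructed name, not a real Sober attachment name
    "sample-mail.zip",   # constructed name, not a real Sober attachment name
]


def in_word_list(word_list, value):
    """Model of @InWordList (assumed semantics, see lead-in)."""
    needle = value.lower()
    return any(entry.lower() in needle for entry in word_list)


def sober_condition(subject, attname):
    """The IF (...) condition shared by both rule lines."""
    return (len(attname) > 0
            and in_word_list(VIRUS_SOBER_SUBJECT, subject)
            and in_word_list(VIRUS_SOBER_ATTACHMENT, attname))


def apply_rules(msg, hard_reject=False):
    """hard_reject=True models the commented '#@:' line (NDN 550 at SMTP time);
    False models the active '@:' line (raise $spamlevel and tag $spamtests)."""
    spamlevel = msg.get("spamlevel", 0)
    spamtests = msg.get("spamtests", "")
    if not sober_condition(msg.get("subject", ""), msg.get("attname", "")):
        return {"action": "PASS", "spamlevel": spamlevel, "spamtests": spamtests}
    if hard_reject:
        return {"action": "NDN", "code": 550, "text": "No worms allowed"}
    return {"action": "SET", "spamlevel": spamlevel + 101,
            "spamtests": spamtests + "VIRUS_ALERT;"}


if __name__ == "__main__":
    worm = {"subject": "Your IP was logged", "attname": "sample-list.zip"}
    print(apply_rules(worm))                    # SET, spamlevel 101, VIRUS_ALERT;
    print(apply_rules(worm, hard_reject=True))  # NDN 550 "No worms allowed"
    print(apply_rules({"subject": "Your IP was logged", "attname": ""}))  # PASS
```

Note that a message with a matching subject but no attachment passes, because both rule lines require @length($attname) to be non-zero.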
Other ways of handling a virus/worm infected email:
1. In your rules.MailRules document, immediately preceding the section we were previously working on, you will find an entry that looks like:
# In the first hours of virus outbreak, uncomment this line and do a Reload Config on the Control tab of the Internet Services Monitor
#@: IF (1) NDN 550 "No attachments allowed in this system"
If you were to remove the "#" (comment) at the start of the line, and perform a Configuration Update, any email you receive with an attachment will be denied. This allows you the opportunity to handle the situation.
2. You can also elect to "reject unknown domain names". This will force Internet Services to request a reverse DNS lookup on the sender's IP address. FirstClass will request a "PTR" record lookup (IP address to Domain Name lookup) on the sender. If no PTR record is found, the email will be rejected with "Unknown Host". Since most modern viruses propagate by using the virus's own SMTP engine, this option will handle the vast majority of viruses.
NOTE: This option has a downside in that some legitimate email may be rejected, as their domain records may not contain any PTR records.
3. You can add the virus attachment names to your rules.attachmentblock filter document; however, the downside is that some virus creators will use common file names for their packages (this is why we check both subject and attachment names in our modified rule above).
4. You can block the extensions used by the virus (in this case .zip) in your group privileges [Image:11232005_94128_3.png].
Note: not all (in this case) *.zip files are going to be infected, and therefore some legitimate attachments may not be downloadable.
IMPORTANT: Whenever making changes to files in the Filters, these changes will only take effect once you have clicked on the Reload Config button on the Internet Services Monitor's Control tab.