[Esa-l] Outgoing Mail

John D. Hardin jhardin at impsec.org
Mon Aug 13 14:41:30 PDT 2001 

On Mon, 13 Aug 2001, Lee Howard wrote:
> 
> I'm probably not helping anything by saying this, but I don't
> really understand the value of scanning outgoing mail.  If we
> assume that our users are clean, then what is the value of
> scanning outgoing mail?

That's just it; you can't assume your users are going to stay clean.
What if they get infected via a webmail message, even though you have
policies against webmail attachments and your web proxy is doing the
best it can to filter them out? What if they connect over a VPN from
an unsecure and infected machine at home or a client's site?

> And if we cannot assume that our users are clean, then wouldn't it
> be better to nip the problem in the bud rather than somewhere
> downstream?
>
> I understand the purpose in scanning outgoing mail, but I don't
> understand the value of it.  We scan incoming mail in an effort to
> ensure that we are clean.  If we cannot ensure that we are clean
> ourselves, then why bother scanning incoming mail, even?

Think "defense in depth."

Scanning and quarantining outbound mail will notify you that the
problem exists, and keep you from attacking other sites while you're
fixing the problem. Remember that desktop A/V software is
signature-based and thus reactive, and it takes time for the signature
updates to become available.

I'm not perfect. I want my outbound mail to be scanned so that if I
(or my users) make a mistake somewhere, my network still won't attack
someone else, and I'll be notified of the problem in a timely manner.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at impsec.org        pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  In 1998 more than three times as many people in the US were killed
  by incompetent physicians than were killed by handguns, yet the
  President of the A.M.A. is adopting "gun safety" as his platform.
-----------------------------------------------------------------------
   1177 days until the Presidential Election

More information about the esd-l mailing list