1 YEAR UPGRADE BUYER PROTECTION PLAN
E-MAIL VIRUS PROTECTION HANDBOOK
FREE Monthly Technology Updates
One-year Vendor Product Upgrade Protection Plan
FREE Membership to Access.Globalknowledge
“The E-mail Virus Protection Handbook is the only book that shows you what might
be lurking in your e-mail. It's our e-mail Bible and it should be yours!”
—Brad Goodyear, President, www.virus.com
Brian Bagnall, Sun Certified Java Programmer and Developer
Chris O. Broomes, MCSE, MCP+I, CCNA
Ryan Russell, CCNP, and author of the best-selling Hack Proofing Your Network
Technical Editor: James Stanger, MCSE, MCT, CIW Security Professional
solutions@syngress.com
With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we have come to know many of you personally. By
listening, we've learned what you like and dislike about typical computer
books. The most requested item has been for a web-based service that
keeps you current on the topic of the book and related technologies. In
response, we have created solutions@syngress.com, a service that
includes the following features:
• A one-year warranty against content obsolescence that occurs as
the result of vendor product upgrades. We will provide regular web
updates for affected chapters.
• Monthly mailings that respond to customer FAQs and provide
detailed explanations of the most difficult topics, written by content
experts exclusively for solutions@syngress.com.
• Regularly updated links to sites that our editors have determined
offer valuable additional information on key topics.
• Access to “Ask the Author”™ customer query forms that allow
readers to post questions to be addressed by our authors and
editors.
Once you've purchased this book, browse to
www.syngress.com/solutions.
To register, you will need to have the book handy to verify your purchase.
Thank you for giving us the opportunity to serve you.
E-MAIL VIRUS
PROTECTION HANDBOOK
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production
(collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the
Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold
AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out of the Work or its contents. Because some states do not allow
the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not
apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through
Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack
Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are
trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 9TM1L2ADSE
002 XPS1697TC4
003 CLNKK98FV7
004 DC5EPL4RL6
005 Z74DQ81524
006 PJ62NT41NB
007 4W2VANZX44
008 V8DF743RTD
009 65Q2M94ZTS
010 SM654PSMRN
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
E-mail Virus Protection Handbook
Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or
distributed in any form or by any means, or stored in a database or retrieval system, without the prior written
permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a
computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-23-7
Copy edit by: Eileen Kramer
Proofreading by: Adrienne Rebello
Technical edit by: James Stanger
Technical Review by: Stace Cunningham
Index by: Robert Saigh
Page Layout and Art by: Shannon Tozier
Project Editor: Katharine Glennon
Co-Publisher: Richard Kristof
Distributed by Publishers Group West
Acknowledgments
We would like to acknowledge the following people for their kindness and
support in making this book possible.
Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin
Murray, Dale Leatherwood, Shelley Everett, Laurie Hedrick, Rhonda
Harmon, Lisa Lavallee, and Robert Sanregret of Global Knowledge, for their
generous access to the IT industry’s best courses, instructors and training
facilities.
Ralph Troupe and the team at Rt. 1 Solutions for their invaluable insight
into the challenges of designing, deploying and supporting world-class
enterprise networks.
Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin
Votel, Brittin Clark, Sarah Schaffer, Luke Kreinberg, Ellen Lafferty and
Sarah MacLachlan of Publishers Group West for sharing their incredible
marketing experience and expertise.
Peter Hoenigsberg, Mary Ging, Caroline Hird, Simon Beale, Julia Oldknow,
Kelly Burrows, Jonathan Bunkell, Catherine Anderson, Peet Kruger, Pia
Rasmussen, Denelise L'Ecluse, Rosanna Ramacciotti, Marek Lewinson,
Marc Appels, Paul Chrystal, Femi Otesanya, and Tracey Alcock of Harcourt
International for making certain that our vision remains worldwide in
scope.
Special thanks to the professionals at Osborne with whom we are proud to
publish the best-selling Global Knowledge Certification Press series.
From Global Knowledge
At Global Knowledge we strive to support the multiplicity of learning styles
required by our students to achieve success as technical professionals. As
the world's largest IT training company, Global Knowledge is uniquely
positioned to offer these books. The expertise gained each year from
providing instructor-led training to hundreds of thousands of students
worldwide has been captured in book form to enhance your learning experience.
We hope that the quality of these books demonstrates our commitment to
your lifelong learning success. Whether you choose to learn through the
written word, computer based training, Web delivery, or instructor-led
training, Global Knowledge is committed to providing you with the very
best in each of these categories. For those of you who know Global
Knowledge, or those of you who have just found us for the first time, our
goal is to be your lifelong competency partner.
Thank you for the opportunity to serve you. We look forward to serving
your needs again in the future.
Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge
Contributors
Philip Baczewski is the Associate Director of Academic
Computing Services at the University of North Texas Computing
Center. He serves as project manager for university student
Internet services, and works with client server implementations
of IMAP, IMSP, SMTP, and LDAP protocols. Philip also provides
technical consultation support in the areas of mainframe and
UNIX programming, data management, electronic mail, and
Internet services. Philip holds his Doctorate in Musical Arts,
Composition from the University of North Texas.
Brian Bagnall is a Sun Certified Java Programmer and
Developer. His current project is designing and programming a
distributed computing effort for Distco.com. Brian would like to
say thanks to Deck Reyes for his help with the material. He
would also like to thank his family for their support. Contact
Brian at
[email protected].
Chris O. Broomes (MCSE, MCP+I, MCT, CCNA) has over seven
years of networking experience. He started his career as a
consultant at Temple University, and has worked with organizations
such as Morgan, Lewis & Bockius, Temple University Dental
School, and Dynamic Technologies, Inc. Currently, Chris works
in Philadelphia as a Network Administrator at EXE Technologies,
Inc., a global provider of business-to-business e-fulfillment
solutions.
Patrick T. Lane (MCSE, MCP+I, MCT, CIW Foundations, CIW
Server Administrator, CIW Internetworking Professional, and
CompTIA Network+ and i-Net+) is a Content Architect for
ProsoftTraining.com who assisted in the creation of the Certified
Internet Webmaster (CIW) program. He holds a Master’s degree
in Education. Lane began working with computers in 1984, and
has developed curriculum and trained students across the
computer industry since 1994. He is the author of more than 20
technical courses, the director of the CIW Foundations and CIW
Internetworking Professional series, and a member of the
CompTIA Network+ Advisory Committee. Lane’s work has been
published in six languages, and he has been a featured speaker
at Internet World.
Michael Marfino is the IS Operations Manager for EDS in Las
Vegas, Nevada. He earned a Bachelor’s of Science degree in
Management Information Systems from Canisius College in
Buffalo, N.Y. He has over a decade of technical industry
experience, working in hardware/software support, e-mail
administration, system administration, network administration, and IT
management. His tenure includes positions at MCI Worldcom
and Softbank.
Eriq Oliver Neale is a full-time computing technology
professional, part-time author and teacher, and occasional musician.
He has worked in the computer support industry for over 13
years, and has been on the anti-virus bandwagon since before
Michelangelo hit the national media. His recommendations for
practicing “safe hex” have been presented in numerous articles
and seminars. Eriq lives in the North Texas area with his wife
and their two dogs, seven cats, and a school of Mollies that are
reproducing faster than believed possible. Eriq has been known
to teach the occasional class in web development and attend
major league baseball games when not otherwise occupied.
Ryan Russell (CCNA, CCNP) has been employed in the
networking field for over ten years, including more than five years
working with Cisco equipment. He has held IT positions ranging
from help desk support to network design, providing him with a
good perspective on the challenges that face a network manager.
Recently, Ryan has been doing mostly information security work
involving network security and firewalls. He has completed his
CCNP, and holds a Bachelor’s of Science degree in computer
science.
Henk-Evert Sonder (CCNA) has about 15 years of experience as
an Information and Communication Technologies (ICT)
professional, building and maintaining ICT infrastructures. In recent
years he has specialized in integrating ICT infrastructures with
business applications and the security that comes with it. His
mission is to raise the level of companies' security awareness
about their networks. According to Henk, “So many people talk
about the security threats coming from the Internet, but they
can forget that the threats from within are equally dangerous.”
Currently he works as a senior consultant for a large Dutch ICT
solutions provider. His own company, IT Selective, helps retailers
get e-connected.
Technical Editor
James Stanger (Ph.D., MCSE, MCT, CIW Security Professional)
is a writer and systems analyst currently living in Washington
State, where he works for ProsoftTraining.com’s research and
development department. He also consults for companies such
as Axent, IBM, DigitalThink, and Evinci concerning attack
detection and analysis. In addition to Windows 2000 and Linux
security issues, his areas of expertise include e-mail and DNS server
rity issues, his areas of expertise include e-mail and DNS server
security, firewall and proxy server deployment, and securing Web
servers in enterprise environments. He is currently an acting
member of the Linux Professional Institute (LPI), Linux+, and
Server+ advisory boards, and leads development concerning the
Certified Internet Webmaster security certification. A prolific
author, he has written titles concerning network security
auditing, advanced systems administration, network monitoring
with SNMP, I-Net+ certification, Samba, and articles concerning
William Blake, the nineteenth-century British Romantic poet and
artist. When not writing or consulting, he enjoys bridge and cliff
jumping, preferably into large, deep bodies of water.
Technical Reviewer
Stace Cunningham (CCNA, MCSE, CLSE, COS/2E, CLSI,
COS/2I, CLSA, MCPS, A+) is a Systems Engineer with SDC
Consulting located in Biloxi, MS. SDC Consulting specializes in
the design, engineering, and installation of networks. Stace is
also certified as an IBM Certified LAN Server Engineer, IBM
Certified OS/2 Engineer, IBM Certified LAN Server Administrator,
IBM Certified LAN Server Instructor, and IBM Certified OS/2
Instructor. Stace has participated as a Technical Contributor for
the IIS 3.0 exam, SMS 1.2 exam, Proxy Server 1.0 exam,
Exchange Server 5.0 and 5.5 exams, Proxy Server 2.0 exam, IIS
4.0 exam, IEAK exam, and the revised Windows 95 exam.
In addition, he has coauthored or technical edited about 30
books published by Microsoft Press, Osborne/McGraw-Hill, and
Syngress Media as well as contributed to publications from The
SANS Institute and Internet Security Advisor magazine.
His wife Martha and daughter Marissa are very supportive of
the time he spends with his computers, routers, and firewalls in
the “lab” of their house. Without their love and support he would
not be able to accomplish the goals he has set for himself.
Contents
Introduction xxvi
Chapter 1: Understanding the Threats: E-mail Viruses, Trojans, Mail Bombers, Worms, and Illicit Servers 1
Introduction 2
Essential Concepts 3
Servers, Services, and Clients 3
Authentication and Access Control 3
Hackers and Attack Types 4
What Do Hackers Do? 4
Attack Types 5
Overview of E-mail Clients and Servers 7
Understanding a Mail User Agent and a Mail Transfer Agent 7
The Mail Delivery Agent 9
When Are Security Problems Introduced? 10
History of E-mail Attacks 10
The MTA and the Robert Morris Internet Worm 11
MDA Attacks 12
Analyzing Famous Attacks 12
Case Study 14
Learning from Past Attacks 14
Viruses 15
Worms 15
Types of Worms 16
Trojans 17
Illicit Servers 17
Differentiating between Trojans and Illicit Servers 18
E-mail Bombing 19
Sniffing Attacks 19
Carnivore 20
Spamming and Security 21
Common Authoring Languages 22
Protecting Your E-mail 23
Protecting E-mail Clients 23
Third-party Applications 23
Encryption 24
Hash Encryption and Document Signing 27
Protecting the Server 27
Summary 28
FAQs 29
Chapter 2: Securing Outlook 2000 31
Introduction 32
Common Targets, Exploits, and Weaknesses 33
The Address Book 35
The Mail Folders 36
Visual Basic Files 37
Attacks Specific to This Client 38
No Attachment Security 38
Default Settings Are Not Secure 38
Zone Security 39
Word 2000 as the Outlook E-mail Editor 39
Security Updates 39
Enabling Filtering 42
Junk E-mail 42
Filtering Keywords 44
Mail Settings and Options 44
HTML Messages 45
Zone Settings 46
Attachment Security 48
Attachment Security After Applying Outlook E-mail Security Update 51
Enabling S/MIME 54
Why You Should Use Public Key Encryption 56
Installing and Enabling Pretty Good Privacy (PGP) 57
Installing PGP 58
Understanding Public Key Encryption 62
Generating a Key Pair 65
Exchanging Keys 67
Key Distribution Sites 69
Summary 70
FAQs 71
Chapter 3: Securing Outlook Express 5.0 and Eudora 4.3 75
Introduction 76
Outlook Express for Windows 76
Security Settings 77
Secure Mail 78
Security Zones 80
Attachments 82
Outlook Express for Macintosh 85
Junk Mail Filter 85
Message Rules 88
Attachments 89
Case Study: Automated Virus Scanning of Mail Attachments 90
Eudora for Windows and Macintosh 91
Security 91
Attachments 91
Filtering 93
Enabling PGP for both Outlook Express and Eudora 95
Sending and Receiving PGP-Secured Messages 96
Eudora for Windows 97
Outlook Express for Windows 101
Eudora for Macintosh 103
Outlook Express for Macintosh 105
Automatic Processing of Messages 107
File Attachments and PGP 108
Case Study: Securing File Attachments with PGP 109
Summary 113
FAQs 115
Chapter 4: Web-based Mail Issues 119
Introduction 120
Choices in Web-based E-mail Services 121
Why Is Web-based E-mail So Popular? 122
The Cost of Convenience 122
Specific Weaknesses 124
Internet Architecture and the Transmission Path 124
Reading Passwords 126
Case Study 128
Specific Sniffer Applications 131
Code-based Attacks 133
The PHF Bug 134
Hostile Code 135
Taking Advantage of System Trusts 135
Cracking the Account with a “Brute Force” or Dictionary Application 136
Physical Attacks 137
Cookies and Their Associated Risks 138
Solving the Problem 139
Using Secure Sockets Layer (SSL) 139
Secure HTTP 139
Practical Implementations 140
Local E-mail Servers 141
Using PGP with Web-based E-mail 141
Making Yourself Anonymous 142
Summary 143
FAQs 144
Chapter 5: Client-Side Anti-Virus Applications 147
Introduction 148
McAfee VirusScan 5 150
Availability of VirusScan 151
Updates of Virus Definition Files 152
Installation of VirusScan 5 152
Configuration of VirusScan 5 156
Norton AntiVirus 2000 163
Availability of Norton AntiVirus 2000 163
Updates of Norton AntiVirus 2000 Definition Files 164
Installation of Norton AntiVirus 2000 165
Configuration of Norton AntiVirus 2000 167
Trend Micro PC-cillin 2000 176
Availability of Trend Micro PC-cillin 2000 176
Updates of PC-cillin Virus Definition Files 177
Installation of Trend Micro PC-cillin 2000 178
Configuration of Trend Micro PC-cillin 2000 181
Trend PC-cillin 2000 Configuration Settings 185
Trend Micro PC-cillin 2000 Links 188
Summary 189
FAQs 190
Chapter 6: Mobile Code Protection 195
Introduction 196
Dynamic E-mail 196
Active Content 197
Taking Advantage of Dynamic E-mail 197
Composing an HTML E-mail 198
Inserting Your Own HTML File 198
Sending an Entire Web Page 200
Dangers 200
No Hiding Behind the Firewall 201
Mobile Code 201
Java 202
Security Model 203
Playing in the Sandbox 203
Playing Outside the Sandbox 205
Points of Weakness 205
Background Threads 206
Hogging System Resources 206
I Swear I Didn’t Send That E-mail 207
Scanning for Files 207
How Hackers Take Advantage 207
Spam Verification 207
Theft of Processing Power 208
Unscrupulous Market Research 208
Applets Are Not That Scary 208
Precautions You Can Take 208
JavaScript 211
Security Model 211
Points of Weakness 212
How Hackers Take Advantage 213
Web-Based E-mail Attacks 213
Are Plug-in Commands a Threat? 213
Social Engineering 213
Precautions to Take 214
ActiveX 215
Security Model 215
Safe for Scripting 216
Points of Weakness 217
How Hackers Can Take Advantage 218
Preinstalled ActiveX Controls 218
Bugs Open the Door 219
Intentionally Malicious ActiveX 219
My Mistake... 220
Trojan Horse Attacks 220
Precautions to Take 220
VBScript 221
Security Model 222
Points of Weakness 222
VBScript, Meet ActiveX 222
How Hackers Take Advantage 223
Social Engineering Exploits 223
VBScript-ActiveX Can Double Team Your Security 223
Precautions to Take 224
Summary 225
FAQs 226
Chapter 7: Personal Firewalls 227
Introduction 228
What Is a Personal Firewall? 228
Blocks Ports 230
Block IP Addresses 230
Access Control List (ACL) 231
Execution Control List (ECL) 232
Intrusion Detection 233
Personal Firewalls and E-mail Clients 234
Levels of Protection 235
False Positives 235
Network Ice BlackICE Defender 2.1 236
Installation 236
Configuration 239
E-mail and BlackICE 248
Aladdin Networks’ eSafe, Version 2.2 248
Installation 248
Configuration 252
E-mail and ESafe 269
Norton Personal Firewall 2000 2.0 269
Installation 270
Configuration 274
ZoneAlarm 2.1 283
Installation 284
Configuration 287
E-mail and ZoneAlarm 291
Summary 292
FAQs 292
Chapter 8: Securing Windows 2000 Advanced Server and Red Hat Linux 6 for E-mail Services 295
Introduction 296
Updating the Operating System 296
Microsoft Service Packs 296
Red Hat Linux Updates and Errata Service Packages 297
Disabling Unnecessary Services and Ports 299
Windows 2000 Advanced Server—Services to Disable 299
The Server Service 300
Internet Information Services (IIS) 302
Red Hat Linux—Services to Disable 304
Inetd.conf 304
Rlogin 305
Locking Down Ports 305
Well-Known and Registered Ports 306
Determining Ports to Block 308
Blocking Ports in Windows 308
Blocking Ports in Linux 310
Inetd Services 310
Stand-Alone Services 310
Maintenance Issues 311
Microsoft Service Pack Updates, Hot Fixes, and Security Patches 312
Case Study 313
Red Hat Linux Errata: Fixes and Advisories 314
Case Study 316