Re: Evaluation SMTP Gateway.

From: Alin-Adrian Anton (aanton@spintech.ro)
Date: Fri Feb 11 2005 - 15:54:55 EST


Daniel Espinosa wrote:
> Hello,
>
> I will evaluate an SMTP gateway (it is an appliance); the objective of
> this evaluation is to validate whether it really works well on the following
> criteria:
>
> 1.- Anti-Spam.
> 2.- Antivirus.
> 3.- WebMail Protection.
>
> To do this, I have implemented a lab with the characteristics of an
> operational environment (Firewall - SMTP Gateway - Mail server -
> Workstations).
>
> Do you know any security methodology to test the previous criteria?
> What tools can I use? Do you have any ideas on how to test those
> functionalities?
>
> Thanks for your help.

Hi,

Just some quick thoughts on what's a nice to-do:

1. Get a virii collection, especially worms (they are the most common
form of mail viruses).
    Having the "in the wild" collection is also a good start.
    Use a script to test the detection rate of the mail server's AV.
    See what file types are allowed to be attached, and what file types
are not. Is there also any sanity checking done on the SMTP BODY? etc.
    See if the AV can look into archives, and what types of archives.

2. Do the same with the SpamAssassin spam corpus; they have different
levels of spam corpora, the "torture test" being the hardest to detect.

    One VERY important thing about AV, but especially about anti-spam
software, is what happens with blocked messages.
    Is there a mechanism to check the blocked messages, or not? How well
does it work, and how user-friendly is it? How practical is it? Or are the
messages black-holed?

    Is the AV bouncing back "you got virii" spam messages to
innocent/nonexistent senders, or not?

    Anti-spam software which blackholes 0.00001% of innocent messages is
garbage. It violates the design principles of the Internet and SMTP itself.

PS: DNS blacklists blackhole 40% of the Internet.

3. All levels of web-based, CGI-based, httpd-based attacks. Depends on
the software itself.
    Is webmail accessible from the intranet only, or is it accessible from
the Internet too? How bullet-proof is the user authentication mechanism? Can
the password/cookie be intercepted? How? (also VPN? SSL? JS hashes? etc.?)

PPS: You can do much more; those are just a few ideas quickly crossing my
mind. Hope it helps a bit.

PPPS: Still, you should in the end give them a short idea of whether they are
using buggy software on this gateway (with potential to allow intruders
in), like sendmail for instance.

Yours,

-- 
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785  2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA
"It is dangerous to be right when the government is wrong." - Voltaire
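
An added example, not part of this thread or of Alin's reply, of the "use a script to test the detection rate" step in point 1 together with the blocked-message questions in point 2: a Python harness that submits a small constructed corpus through the gateway under test and scores each message as rejected at SMTP time, accepted but held back, or delivered. The gateway host and port, the Maildir path, and the sender/recipient addresses are assumptions; EICAR and GTUBE are the standard harmless AV and anti-spam test strings and stand in here for the worm collection and SpamAssassin corpus the post recommends. It also sends a clean control message, because dropping legitimate mail is the failure the post calls "garbage".

```python
"""Lab harness: score what an SMTP gateway rejects, holds and lets through (hypothetical example)."""
import io, smtplib, time, uuid, zipfile
from dataclasses import dataclass
from email.message import EmailMessage
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Optional

# Standard, harmless detection-test strings: EICAR (AV) and GTUBE (SpamAssassin-style filters).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

@dataclass
class Sample:
    name: str
    category: str          # "virus", "spam" or "clean"
    message: EmailMessage
    marker: str            # unique Subject token, used to find the message in the mailbox

@dataclass
class Outcome:
    sample: Sample
    smtp_rejected: bool    # gateway refused the message during the SMTP dialogue
    delivered: bool        # message later found in the recipient mailbox

def zipped(name: str, data: bytes) -> bytes:
    """Real in-memory zip, to test whether the scanner looks inside archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def build_sample(name: str, category: str, body: str, sender: str, rcpt: str,
                 attachment: Optional[bytes] = None, filename: str = "file.bin") -> Sample:
    """One test message with a unique marker so its delivery can be verified."""
    marker = uuid.uuid4().hex[:12]
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = f"[gw-eval {marker}] {name}"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return Sample(name, category, msg, marker)

def default_corpus(sender: str, rcpt: str) -> List[Sample]:
    """Constructed minimal corpus; a real run loads the worm collection and SpamAssassin corpus here."""
    return [
        build_sample("eicar-attachment", "virus", "AV test", sender, rcpt,
                     EICAR.encode(), "eicar.com"),
        build_sample("eicar-in-zip", "virus", "AV test, archived", sender, rcpt,
                     zipped("eicar.com", EICAR.encode()), "eicar.zip"),
        build_sample("gtube", "spam", GTUBE, sender, rcpt),
        build_sample("clean-control", "clean", "Minutes from today's meeting.", sender, rcpt),
    ]

def smtp_submit(host: str, port: int, sample: Sample) -> bool:
    """True if the gateway accepted the message, False if it refused; connection errors propagate."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        try:
            smtp.send_message(sample.message)
        except (smtplib.SMTPRecipientsRefused, smtplib.SMTPResponseException):
            return False
    return True

def maildir_has_marker(maildir: Path, marker: str) -> bool:
    """Look for the marker in the recipient's Maildir (new/ and cur/) on the lab mail server."""
    for folder in (maildir / "new", maildir / "cur"):
        if folder.is_dir() and any(f.is_file() and marker in f.read_text(errors="replace")
                                   for f in folder.iterdir()):
            return True
    return False

def run(samples: Iterable[Sample], submit: Callable[[Sample], bool],
        delivered: Callable[[Sample], bool], settle_seconds: float = 0) -> List[Outcome]:
    # Submit the whole corpus, give the gateway time to forward, then check delivery.
    accepted = [(s, submit(s)) for s in samples]
    time.sleep(settle_seconds)
    return [Outcome(s, not ok, ok and delivered(s)) for s, ok in accepted]

def verdict(o: Outcome) -> str:
    if o.sample.category == "clean":
        return "ok" if o.delivered else "false_positive"
    if o.smtp_rejected:
        return "rejected"
    # Accepted but never delivered means quarantined or silently black-holed; only the
    # gateway's own quarantine view can tell which, so check it for every "held".
    return "missed" if o.delivered else "held"

def summarize(outcomes: List[Outcome]) -> Dict[str, Dict[str, float]]:
    """Per-category counts plus detection rate (virus/spam) or false-positive rate (clean)."""
    report: Dict[str, Dict[str, float]] = {}
    for o in outcomes:
        counts = report.setdefault(o.sample.category, {})
        counts[verdict(o)] = counts.get(verdict(o), 0) + 1
    for cat, counts in report.items():
        total = sum(counts.values())
        if cat == "clean":
            counts["false_positive_rate"] = counts.get("false_positive", 0) / total
        else:
            counts["detection_rate"] = (counts.get("rejected", 0) + counts.get("held", 0)) / total
    return report

if __name__ == "__main__":
    # Assumed lab layout: gateway at gw.lab.example:25, recipient Maildir mounted locally.
    corpus = default_corpus("eval@domain-you-control.example", "testuser@lab.example")
    results = run(corpus, lambda s: smtp_submit("gw.lab.example", 25, s),
                  lambda s: maildir_has_marker(Path("/srv/lab-mail/testuser/Maildir"), s.marker),
                  settle_seconds=60)
    for category, stats in summarize(results).items():
        print(category, stats)
```

Use a sender address on a domain whose mailbox you read, so any "you got virii" bounces the gateway emits show up there and can be counted against it. A "held" verdict is deliberately ambiguous: it only says the message never reached the mailbox, and whether an administrator can actually find and release it is exactly the quarantine question the post raises, answered from the gateway's side, not from this script.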


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:16 EDT