> yes it has a port sniffer etc... just to make sure i understand you

I'm not saying a port sniffer. A packet sniffer. Different things.

This virus has a mail server component it uses to send out. So your users do not use your mail server when they send this virus. So when they make outbound connections on port 25, it is going to pass through your router. If this router has a firewall, or there is one attached, it will generally work one of two ways: 1) port level, 2) packet level.

A firewall that works at port level may or may not be a stateful firewall. The limit is that it can only block based on the port. If you have this limit, then you need to kill outbound connections heading from your users' IPs on port 25.

A firewall that works on the packet level must be a stateful firewall. It examines the packets and applies a set of rules based on what it finds. It is sort of like a guard at an immigration counter that asks you to open your bags and passes them through an X-ray machine. If they see anything they do not like, they may set your bags aside, or may just take notes on who you are and let your bags through.

A stateful firewall maintains information on communication chains, rather than just a single instance. In other words, it keeps constant tabs on the state of connections. This is needed for packet filtering, but is not needed for port filtering. HOWEVER, it does make port filtering better, so it is advisable no matter what.

A firewall that acts at packet level should be able to detect outbound traffic that is created by this virus and block it. This would allow the other traffic from the customers to still go out directly. But if you do not have packet level discrimination, you are left with port level.

> correctly...you're saying to deny anything leaving the firewall on port 25
> ...right?

Well, not leaving. Entering, but from your side. A minor technical detail as to how these things generally work. Anything coming from your user IP blocks, going to the firewall, should be stopped if the destination is any IP and port 25.

This will irritate some users, but if you are worried about having this virus direct-send, it is the best way. So:

source = customer IP & port any
destination = any IP & port 25

As long as the customers' access to your mail servers is not going through this pipe, it will work. It makes it so they MUST send email through your server. In fact, I wish all the major broadband providers did this already. Force their users to authenticate against a mail server to allow outbound transmissions. It would cut down on both viruses and spam.

--Eric
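The port-level rule Eric describes (deny TCP/25 from the customer blocks to any destination, except the provider's own mail server so customers are forced to relay), written out as an added example that is not part of the original post; it also counts blocked attempts per source so a host that keeps trying to send direct stands out in the logs. All address blocks, the mail server address and the sample flows are constructed values.

```python
"""Egress policy for SMTP from customer address space: deny TCP/25 unless
the destination is the provider's relay, allow everything else, and tally
denied attempts per source as a simple mass-mailer indicator."""
import ipaddress
from collections import Counter

# Constructed example values (documentation ranges), not from the post.
CUSTOMER_BLOCKS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]
PROVIDER_MAIL_SERVER = ipaddress.ip_address("203.0.113.25")
SMTP_PORT = 25


def is_customer(src_ip):
    """True if the source lies in one of our customer blocks."""
    return any(src_ip in net for net in CUSTOMER_BLOCKS)


def smtp_egress_verdict(src, dst, proto, dport):
    """Return 'allow' or 'deny' for a single flow (addresses as strings)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    direct_smtp = proto == "tcp" and dport == SMTP_PORT
    if direct_smtp and is_customer(src_ip) and dst_ip != PROVIDER_MAIL_SERVER:
        return "deny"          # must relay through our server instead
    return "allow"


def apply_policy(flows):
    """Evaluate flows; return (list of verdicts, denied count per source)."""
    verdicts, denied = [], Counter()
    for src, dst, proto, dport in flows:
        v = smtp_egress_verdict(src, dst, proto, dport)
        verdicts.append(v)
        if v == "deny":
            denied[src] += 1
    return verdicts, denied


# Constructed sample flows: one customer relays properly, another sends direct.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.25", "tcp", 25),   # to our relay: allowed
    ("192.0.2.10", "203.0.113.80", "tcp", 80),   # web traffic: unaffected
    ("192.0.2.55", "203.0.113.9", "tcp", 25),    # direct to a remote MX: denied
    ("192.0.2.55", "198.51.100.7", "tcp", 25),   # direct to another host: denied
    ("192.0.2.55", "203.0.113.9", "udp", 25),    # not TCP: rule does not apply
    ("203.0.113.5", "192.0.2.10", "tcp", 25),    # not from a customer block: allowed
]

if __name__ == "__main__":
    verdicts, denied = apply_policy(SAMPLE_FLOWS)
    for flow, v in zip(SAMPLE_FLOWS, verdicts):
        print(v, flow)
    print("blocked direct-SMTP attempts per source:", dict(denied))
```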
