Reply to post:

FBI: Who was going around hijacking Barracuda email boxes? China, probably

sitta_europea Silver badge

Probably not, because the compromise happens when the appliance processes the malicious mail message.

Most firewalls don't look at the content of the traffic which they police. Typically a firewall blocks connections based on whether or not the connection is 'to be expected'.

Aside from connections from known bad sources, most connections to a mail appliance to offer a mail message to it will come under the 'to be expected' heading. These messages can come from absolutely *anywhere*, so blocking things like source IPs, ASNs, country codes, domains etc., won't do the job.

If the firewall permits the mail message to reach the appliance, it's game over.

If the firewall does deep packet inspection and prevents the message from being processed then yes, that will help, until the adversary gets wise to it and crafts a message which the firewall accepts.

It's easy enough to block these messages at the mail server, assuming that (1) such a facility exists, (2) the admin knows what he's looking for so he can write, for example, a Yara rule, and (3, of course) the server isn't vulnerable.

I've had nothing but trouble from fancy gateways.

Keep It Simple. The more complicated things are, the more likely they are to have vulnerabilities.
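To make the distinction in the comment above concrete, here is an added illustration (my own example, not code from sitta_europea's post, from The Register, or from Barracuda) of a connection-level firewall policy beside a content-level check at the mail server. The firewall model only sees the source address and destination port, so a message from any unlisted source to the SMTP port is "to be expected" and passes; the server-side check parses the MIME structure and applies constructed rules to attachments. The denylist addresses, the safe-filename pattern and the list of quarantined archive types are all assumptions chosen for the example, and the sample messages are built inline rather than captured from real traffic.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed "known bad" sources, standing in for a firewall reputation feed.
# Hypothetical documentation-range addresses, not taken from the article.
KNOWN_BAD_SOURCES = {"192.0.2.10", "198.51.100.7"}


def firewall_decision(src_ip: str, dst_port: int) -> str:
    """Model a stateful firewall's connection-level policy.

    It never inspects the mail content: any connection to an SMTP port from an
    address not on the denylist is 'to be expected' and is allowed through.
    """
    if src_ip in KNOWN_BAD_SOURCES:
        return "deny"
    if dst_port in (25, 587):
        return "allow"
    return "deny"


# Constructed content rules applied at the mail server, where the message
# body and attachments are visible. Both are policy choices for this example:
# a conservative set of filename characters, and archive types an admin has
# decided to hold for review rather than deliver.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,127}$")
QUARANTINED_TYPES = (".tar", ".tgz", ".tar.gz", ".iso", ".vhd")


def attachment_findings(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and return (rule, filename) hits."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not SAFE_FILENAME.match(name):
            findings.append(("unsafe-filename", name))
        if name.lower().endswith(QUARANTINED_TYPES):
            findings.append(("quarantined-type", name))
    return findings


def server_decision(raw_message: bytes) -> str:
    """Content-level verdict: hold anything that trips a rule."""
    return "quarantine" if attachment_findings(raw_message) else "deliver"


def build_message(attachment_names) -> bytes:
    """Construct a sample multipart message (sample data, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "sample"
    msg.set_content("See attached.")
    for name in attachment_names:
        msg.add_attachment(b"\x00\x01\x02", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Two constructed messages: one clean, one that trips both content rules.
CLEAN_MESSAGE = build_message(["summary.pdf"])
SUSPECT_MESSAGE = build_message(["invoice#2024.pdf", "report.tgz"])

if __name__ == "__main__":
    # The firewall passes the suspect message from an unlisted source...
    print("firewall:", firewall_decision("203.0.113.5", 25))
    # ...while the server-side content check holds it.
    print("server:", server_decision(SUSPECT_MESSAGE), attachment_findings(SUSPECT_MESSAGE))
    print("server (clean):", server_decision(CLEAN_MESSAGE))
```

The point the comment makes falls out of the two functions: `firewall_decision` returns "allow" for the suspect message because nothing about the connection is unusual, and only `server_decision`, which reads the message itself, can hold it. Widening the safe-filename pattern or the quarantined types is a local policy decision; the structure of the check stays the same.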
