In our company we use a hosting provider for e-mails and it seems they don't scan incoming email against viruses
Question
In our company we use a hosting provider for e-mails and it seems they don't scan incoming email against viruses. And our employees are not very careful about attachments... So we deal with virus infections from time to time (TorrentLocker and CryptoLocker nowadays).
I would like to do virus scanning at the network level, and I expect this appliance/system to stop infected incoming e-mails, which are stored/managed on our hosting provider's servers, before they can reach our employees' computers.
How can I scan hosted incoming POP3 or IMAP e-mail for viruses? Can I use a UTM/proxy appliance or software for this purpose (Sophos UTM Essential, Endian etc.; there are several free ones for business use)?
Does anyone use such system?
Explanation / Answer
Scanning POP3 traffic for viruses is mostly easy, because the mails are transmitted in full. There are free solutions which can scan the traffic (provided that you have a virus scanner, which is mostly not free), and most better (deep inspection) firewalls are able to do this.
IMAP instead is much harder, because mail clients often don't get the full mail at once but only the parts they need at the moment. Typical examples are Thunderbird, which gets big attachments in parts, and Apple Mail, which first gets the mail structure and then each part separately. If you only do passive network analysis (like most firewalls do) you are missing context like the content-transfer-encoding, which is important for scanning the attachments.
Therefore lots of firewalls either don't support IMAP at all (like Sophos UTM), have documented limits which point to serious implications in real usage once you understand them (see "Understanding IMAP Antivirus Scanning Limitations" for Juniper firewalls), or claim to have support for IMAP but probably don't know what they are talking about (or are silent about the limits). Secure inline IMAP scanning instead needs application level gateways (ALGs) which not only inspect traffic but can manipulate it so that they have enough context. The passive deep inspection you have in most NGFWs (Next Generation Firewall) or UTMs (Unified Threat Management) might be sufficient for demonstrations but not for real life.
Some firewalls don't offer inline IMAP scanning but instead mirror the IMAP accounts, scan new mails and provide the mails with an IMAP server at the firewall itself. In this case the credentials of the original IMAP account need to be stored at the firewall, and the user gets different credentials to access the firewall's IMAP server.
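The difference the answer describes (a full message on a POP3 RETR versus IMAP partial fetches of a single MIME section) can be shown end to end in a few lines. The following is an added example, not code from the answer above or from any of the named products. It constructs a lure message in memory, simulates the POP3 RETR framing and the IMAP BODY[n.MIME] / BODY[n]<offset.length> fetches as a client like Apple Mail or Thunderbird would issue them, and runs three scanners over the result: a full-message scanner, a passive per-chunk inspector with no MIME context, and an ALG that tracks the section headers and buffers the chunks. The attachment bytes and the hash "signature list" are constructed stand-ins (no real malware); the protocol framing is simplified to what matters for the scanning argument.

```python
"""Added example (not part of the original answer): POP3 full-message scanning vs.
passive inspection of IMAP partial fetches vs. an application-level gateway.
Attachment bytes and the signature list are constructed; nothing here is malware."""
import base64
import binascii
import hashlib
import quopri
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for a malicious attachment (harmless bytes).
FAKE_DROPPER = b"MZ\x90\x00 constructed stand-in for a ransomware dropper, not real malware " * 3
# Constructed signature database: SHA-256 of known-bad content -> detection name.
SIGNATURES = {hashlib.sha256(FAKE_DROPPER).hexdigest(): "Constructed.Test.Dropper"}


def build_message(attachment: bytes, filename: str = "invoice.exe") -> bytes:
    """Build a two-part lure: text body plus a base64-encoded attachment."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "billing@example.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def scan_full_message(raw: bytes) -> dict:
    """Full-message scanner: the MIME parser applies each part's
    Content-Transfer-Encoding, so the attachment bytes can be hashed and matched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {part.get_filename(): SIGNATURES.get(
                hashlib.sha256(part.get_content()).hexdigest(), "clean")
            for part in msg.iter_attachments()}


def pop3_retr_response(raw: bytes) -> bytes:
    """Simulated server side of POP3 RETR: status line, dot-stuffed message, '.' terminator."""
    stuffed = b"\r\n".join(b"." + l if l.startswith(b".") else l for l in raw.split(b"\r\n"))
    if not stuffed.endswith(b"\r\n"):
        stuffed += b"\r\n"
    return b"+OK message follows\r\n" + stuffed + b".\r\n"


def pop3_message_from_retr(response: bytes) -> bytes:
    """What an inline POP3 proxy reconstructs from the wire: the complete message."""
    status, _, body = response.partition(b"\r\n")
    assert status.startswith(b"+OK")
    body = body[: body.rfind(b"\r\n.\r\n") + 2]
    return b"\r\n".join(l[1:] if l.startswith(b".") else l for l in body.split(b"\r\n"))


def imap_body_section(raw: bytes, section: int) -> tuple:
    """Simulated FETCH BODY[n.MIME] and BODY[n]: the part's transfer encoding
    (from its MIME headers) and its still-encoded body, fetched separately."""
    part = BytesParser(policy=policy.default).parsebytes(raw).get_payload()[section - 1]
    return str(part["Content-Transfer-Encoding"]), part.get_payload(decode=False).encode("ascii")


def imap_partial_fetches(encoded_body: bytes, chunk: int) -> list:
    """Simulated BODY[n]<offset.length> requests: the encoded body arrives in slices."""
    return [encoded_body[i:i + chunk] for i in range(0, len(encoded_body), chunk)]


def passive_chunk_verdict(chunk: bytes) -> str:
    """Passive inspector: sees one literal with no MIME headers, so it does not know
    the encoding or the part boundaries. It can hash raw bytes or guess at base64."""
    if hashlib.sha256(chunk).hexdigest() in SIGNATURES:
        return "match on raw bytes"
    try:
        decoded = base64.b64decode(b"".join(chunk.split()), validate=True)
    except binascii.Error:
        return "undecodable fragment"          # slice not aligned to a base64 quartet
    return SIGNATURES.get(hashlib.sha256(decoded).hexdigest(), "clean (false negative)")


def alg_verdict(cte: str, chunks: list) -> str:
    """Application-level gateway: it saw BODY[n.MIME], so it knows the encoding, and it
    buffers every partial fetch of the section before decoding and scanning."""
    encoded = b"".join(chunks)
    if cte.lower() == "base64":
        content = base64.b64decode(b"".join(encoded.split()))
    elif cte.lower() == "quoted-printable":
        content = quopri.decodestring(encoded)
    else:
        content = encoded
    return SIGNATURES.get(hashlib.sha256(content).hexdigest(), "clean")


if __name__ == "__main__":
    raw = build_message(FAKE_DROPPER)
    print("POP3 proxy:", scan_full_message(pop3_message_from_retr(pop3_retr_response(raw))))
    cte, body = imap_body_section(raw, 2)
    chunks = imap_partial_fetches(body, 100)
    print("passive IMAP sniffer:", [passive_chunk_verdict(c) for c in chunks])
    print("IMAP ALG:", alg_verdict(cte, chunks))
```

The passive inspector fails for two independent reasons that the answer alludes to: without the part's headers it cannot know that the literal is base64 (or quoted-printable, or raw 8bit), and even if it guesses, an arbitrary <offset.length> slice generally does not fall on an encoding boundary, so each chunk decodes to nothing or to a fragment whose hash matches nothing. The ALG only gets the right answer because it kept session state across the client's fetches, which is also why such a gateway must be able to hold back or alter traffic rather than merely observe it.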