Securing users by means of the e-mail server
Of course, the best thing we can do is to stop a possible attack before it
reaches the user, if we really can. What can we do, and which kinds of
attack can or cannot be stopped this way?
First, we have to impose every limit we can. Remember: nothing in this
world is unlimited. If you allow an unlimited mailbox size, message size,
number of recipients in a single message, length of a line inside a
message, number of messages in a mailbox, etc., you can get unpredictable
behaviour of the client program (MUA), leading to DoS or maybe to code
execution. Everything that can be limited should be limited. This does not
mean you have to restrict your users: all the limits must be chosen so that
they do not affect normal users' operations.
We can try to prevent address book attacks. It is not hard to write a
filter, for example for sendmail's mfilter API, that detects situations like
From: user1@host1.com <user2@host2.com>
or
From: user1@ <user2@host2.com> host2.com
and to normalize it to
From: user2@host2.com <user2@host2.com>
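A sketch of that From: check in Python, added here as an illustration and not the author's mfilter code: it detects both spoofed forms shown above (an address-looking display name, and an address split around the angle brackets) and rewrites them to the normalized form. It assumes a single address per header and a plain angle-addr without RFC 2822 comments.

```python
import re

# An angle-addr such as "<user2@host2.com>". Constructed for this example and
# deliberately simple: first angle-addr wins, comments and quoting are ignored.
ANGLE_ADDR = re.compile(r'<\s*([^<>\s]+@[^<>\s]+)\s*>')


def normalize_from(header_value):
    """Check one From: header value for an address-book spoof.

    Returns (normalized_value, suspicious). suspicious is True when the text
    outside the angle brackets (the display name) contains something that looks
    like an e-mail address and differs from the real address inside the
    brackets. In that case the display name is replaced by the real address,
    so the MUA shows who really sent the message.
    """
    m = ANGLE_ADDR.search(header_value)
    if m is None:
        # Bare "user@host" or garbage: nothing to compare against.
        return header_value.strip(), False
    real = m.group(1)
    # Everything outside the brackets, including a split address such as
    # "user1@ <...> host2.com", is collapsed into one whitespace-free string.
    display = header_value[:m.start()] + header_value[m.end():]
    display = re.sub(r'\s+', '', display).strip('"')
    if '@' not in display:
        # Ordinary display name ("John Doe") or none at all: leave untouched.
        return header_value.strip(), False
    if display.lower() == real.lower():
        # Already in "addr <addr>" form: consistent, nothing to do.
        return header_value.strip(), False
    return "%s <%s>" % (real, real), True


def normalize_from_header(header_line):
    """Apply normalize_from to a full "From: ..." header line."""
    name, _, value = header_line.partition(':')
    new_value, suspicious = normalize_from(value)
    return "%s: %s" % (name.strip(), new_value), suspicious
```

In a real filter the suspicious flag is also worth logging, since a burst of such headers from one source is a useful incident indicator.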
We can store an archive of all e-mails for a long period of time. It may be
extremely helpful for incident handling.
We can set up antivirus software and/or content filtering software to
filter possible malware messages. It should be noted that any software of
this kind helps you to protect your users, but never guarantees
protection. Software of this kind always looks for some signatures (even
if you simply check for .exe attachments). This set of signatures will
never be complete, because different programs may use different
algorithms to detect attachments, especially if the message has non-RFC
formatting. There is always a way to compose a message which will be
processed by the filter and, for example, by Outlook Express in different
ways with different results.
SECURITY.NNOV maintains a page, "Bypassing content filtering
software", where we publish all known ways to bypass this kind of
protection. You can read it here:
http://www.security.nnov.ru/advisories/content.asp
Please note that this page is constantly updated.
The same mailfilter API I mentioned above may be used to reject possibly
malformed messages, for example ones containing '\0' characters, '\n' or
'\r' characters, oversized lines, duplicated headers, etc. It may be very
helpful, but it is just another "security through obscurity" method, so it
still gives you no guarantee of protection.
The mailfilter API can also be used to detect and block spam. Spam is a
huge problem (a large amount of spam may be treated as a denial of service
against the user, because he spends his time processing unwanted
information instead of doing his job). I have currently begun work on a
mailfilter that supports all the features listed. It will be published as
soon as I get a working version.