Hit the Ground Spam(fight)ing

Similar documents
Untitled Page. Help Documentation

GFI product comparison: GFI MailEssentials vs. Barracuda Spam Firewall

Mailspike. Henrique Aparício

Best Practices. Kevin Chege

Handling unwanted . What are the main sources of junk ?

GFI product comparison: GFI MailEssentials vs. McAfee Security for Servers

Introduction This paper will discuss the best practices for stopping the maximum amount of SPAM arriving in a user's inbox. It will outline simple

GFI product comparison: GFI MailEssentials vs. Trend Micro ScanMail Suite for Microsoft Exchange

GFI product comparison: GFI MailEssentials vs Symantec Mail Security for Microsoft Exchange 7.5

How Internet Works

PROTECTION. ENCRYPTION. LARGE FILES.

GFI Product Comparison. GFI MailEssentials vs Sophos PureMessage

Managing Spam. To access the spam settings in admin panel: 1. Login to the admin panel by entering valid login credentials.

Deliverability Terms

Certified Spam Assassin Professional VS-1114

SMTP Scanner Creation

Analysis of Spam Filter Methods on SMTP Servers

Get Bitdefender Security for Mail Servers online software downloads ]

HELO my IP is... You had me at HELO. A case study in spam fighting Randal L. Schwartz Stonehenge Consulting Services, Inc.

Ethical Hacking and. Version 6. Spamming

anti-spam techniques beyond Bayesian filters

BOTNET-GENERATED SPAM

Comodo Dome Antispam Software Version 6.0

CAMELOT Configuration Overview Step-by-Step

Smart elab volume 3, anno 2014 Networking. Setup of a clustered antispam and antivirus service based on Mailcleaner suite

Technical Note. FortiMail Best Practices Version 3.0 MR4.

MxVault Questions and Answers

MDaemon Vs. Kerio Connect

Security with FailSafe

MDaemon Vs. Microsoft Exchange Server 2016 Standard

MDaemon Vs. Zimbra Network Edition Professional

Specially Prepared Advertising Material How do we manage it? Andy Linton

MDaemon Vs. Kerio Connect

Current developments. Zombies suck the life out of the mail server. Wietse at mailserver conference, IBM Research IBM Corporation

MDaemon Vs. SmarterMail Enterprise Edition

Step 2 - Deploy Advanced Security for Exchange Server

MDaemon Vs. Microsoft Exchange Server 2016 Standard

SolarWinds Mail Assure

MDaemon Vs. IceWarp Unified Communications Server

TOTAL CONTROL SECURITY END USER GUIDE

CPSC156a: The Internet Co-Evolution of Technology and Society

MDaemon Vs. MailEnable Enterprise Premium

MDaemon Vs. MailEnable Enterprise Premium

MDaemon Vs. SmarterMail Enterprise Edition

CONTENTS IN DETAIL PART I AN INTRODUCTION TO SPAM FILTERING INTRODUCTION 1 THE HISTORY OF SPAM 3 2 HISTORICAL APPROACHES TO FIGHTING SPAM 25

Data Query Service Manual

Comodo Dome Antispam Software Version 6.0

Technical description

Use and Abuse of Anti-Spam White/Black Lists

MDaemon Vs. SmarterMail Enterprise Edition

========================================================================= Symantec Messaging Gateway (formerly Symantec Brightmail Gateway) version

Migrating to Precis from SpamAssassin

Test-king q

Appliance Installation Guide

A Reputation-based Collaborative Approach for Spam Filtering

Deployment Guides. Help Documentation

MDaemon Vs. SmarterMail Enterprise Edition

PureMessage for UNIX

Symantec ST Symantec Messaging Gateway Download Full Version :

Gateways. Kevin Chege

Advanced Settings. Help Documentation

Spam UF. Use and customization instructions for the Barracuda Spam service at the University of Florida.

Fortinet.Certdumps.FCESP.v by.Zocki.81q. Exam Code: FCESP. Exam Name: Fortinet Certified Security Professional

SPF classic. Przemek Jaroszewski CERT Polska / NASK The 17th TF-CSIRT and FIRST joint Event, Amsterdam, January 2006

Debian/GNU Linux Mailing

Documentation for: MTA developers

Introduction to Antispam Practices

Barracuda Security Gateway User 's Guide 6 and Above

Vendor: Cisco. Exam Code: Exam Name: ESFE Cisco Security Field Engineer Specialist. Version: Demo

Barracuda Security Service User Guide

PureMessage for UNIX User Guide. Product Version 6.4 Sophos Limited 2018

SpamCheetah manual. By implementing protection against botnets we can ignore mails originating from known Bogons and other sources of spam.

Understanding the Pipeline

Detecting and Quantifying Abusive IPv6 SMTP!

Mail Assure. Quick Start Guide

I G H T T H E A G A I N S T S P A M. ww w.atmail.com. Copyright 2015 atmail pty ltd. All rights reserved. 1

Mail Server. Introduction

PureMessage for Unix. help

Franzes Francisco Manila IBM Domino Server Crash and Messaging

Getting Started 2 Logging into the system 2 Your Home Page 2. Manage your Account 3 Account Settings 3 Change your password 3

Debian/GNU Linux Mailing

Cisco Download Full Version :

KASPERSKY LAB. Kaspersky Anti-Spam 3.0. Administrator's Guide

Anti-Spam. Overview of Anti-Spam Scanning

ECE 435 Network Engineering Lecture 6

Proxmox Mail Gateway. Deployment Guide 8/23/2017. MailGatewayDeploymentGuide-V2.3.docx

KASPERSKY LAB. Kaspersky Anti-Spam 3.0. Administrator's Guide

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

VisNetic MailPermit. Enterprise Anti-spam Software. VisNetic MailPermit

Using Centralized Security Reporting

SpammerTrap Administration Manual

Spam, Security and SORBS v2.0

SmarterMail Edition Comparison

Anti-Spam. Overview of Anti-Spam Scanning

NORDUnet Nordic Infrastructure for Research & Education. Intro. SPAM-hantering på NUNOC och internt i SUNET

Red Condor had. during. testing. Vx Technology high availability. AntiSpam,

Malware, , Database Security

Domain name system black list false reporting attack

Debian/GNU Linux Mailing

Open Mic: IBM SmartCloud Notes Mail Hygiene. Robert Newell SmartCloud Notes Support July, 20 th 2016

Transcription:

Hit the Ground Spam(fight)ing LISA 05, San Diego December, 2005 John Rowan Littell Earlham College littejo (at) earlham (dot) edu

$ARGV[0] There is no magic bullet. Many products, both commercial and open source; the best ones combine methods and have feedbacks among methods. Time is short I won t mention everything. Goal: Help you fight spam or understand the systems that are doing it for you. John Rowan Littell 2

Two Approaches Protocol Hacks Content Analysis John Rowan Littell 3

Protocol Hacks: DNSBL Reject mail from IP addresses presumed to be spammers via DNS lookup Pros: Quick, widely supported Cons: Quality varies, false positives can be hard to work around Suggestions: Choose a well-respected one, have a method in place for exceptions Reference: http://en.wikipedia.org/wiki/dnsbl John Rowan Littell 4

Protocol Hacks: Greylist Tempfail the first instance of sender/recipient/ip address triplet, accept when it tries back Pros: Entirely within SMTP, effective against virii Cons: Delays the first message, some broken SMTP servers don t play well Suggestions: Choose a flexible one, use the well-known whitelist, have a method for exceptions Reference: http://en.wikipedia.org/wiki/greylist John Rowan Littell 5

Protocol Hacks: Callback Test that sender address can receive mail via MX probe Pros: Basic form of address verification, mostly hidden from users Cons: Can create backscatter with MXs that blindly accept any address Suggestions: Set exceptions for servers that don t work well with callback, have a method for other exceptions Reference: http://www.snertsoft.com/sendmail/milter-sender/ John Rowan Littell 6

Protocol Hacks: TMDA Require senders to validate themselves the first time they send to a recipient Pros: Very effective Cons: Outside of SMTP protocol, requires a fair amount of human maintenance, some implementations may be defeatable by automatic methods Suggestions: Pre-whitelist your regular correspondents and any approved non-human senders or use pre-certified tagged addresses Reference: http://en.wikipedia.org/wiki/tmda John Rowan Littell 7

Protocol Hacks: SPF Reverse MX check that mail originates from valid IP for sender domain Pros: Mainly a method for tracing the sender of a message (no guarantee about nature of content) Cons: Breaks basic forwarding and aliases lists, only useful in most restricted cases, slow adoption Suggestions: Reject or raise the score on messages that fail to comply with published SPF records Reference: http://en.wikipedia.org/wiki/sender Policy Framework John Rowan Littell 8

Protocol Hacks: SMTP and TCP Tricks Require senders to follow RFCs and basic good behavior Possible Methods: HELO before data, HELO string checking, Sendmail greet pause, throttle connections, reduce bandwidth Pros: Catches a number of spamware systems Cons: Catches a few legitimate mail server implementations, some methods need maintenance, some methods are only implemented as hacks (milters, etc.). Suggestions: Watch for exceptions, don t use high-maintenance tricks John Rowan Littell 9

Content Analysis: Accept/Reject Lists Sender addresses (or patterns) to accept or reject Pros: Regex patterns can match a number of spamware senders Cons: Requires maintenance Suggestions: Comb logs for identified spam and add regex patterns, keep regexes simple, allow users to build their own basic lists, use auto-whitelisting John Rowan Littell 10

Content Analysis: Content Matching Simple (keyword) or complex (regex) matching of spam content Pros: Can be very effective (e.g., SpamAssassin), keywords are easy for users to understand Cons: Regex rules are complicated and need constant tuning or updates, only catches known spam content Suggestions: If using keywords, allow users to specify them themselves; couple content rules with other methods or use a scoring technique John Rowan Littell 11

Content Analysis: Fuzzy Signatures Compute fuzzy checksums of messages to compare with known spam content Pros: Can be fairly accurate, can work around minor obfuscation techniques Cons: Only able to recognize known spam content, relies on others identification of spam Suggestions: Use as a scoring technique, heavy users of free services should join submission network Implementations: Distributed Checksum Clearinghouse (DCC), Vipul s Razor John Rowan Littell 12

Content Analysis: SURBL Spam URI Realtime Blocklist DNS based URI list Pros: Effective against phishing or other click-through spam Cons: Only works with known spam URIs Suggestions: Use as a scoring technique and give matches a high weight Reference: http://www.surbl.org/ John Rowan Littell 13

Content Analysis: Bayesian Classification + Learning Calculate probability of spam content based on learned spam words and tokens Pros: Over time can become very accurate, requires little maintenance Cons: Diverse mail content can lower accuracy Suggestions: Allow users to build individual Bayes databases for individual accuracy, combine with site-wide database for shared known spam Reference: http://en.wikipedia.org/wiki/naive Bayes classifier John Rowan Littell 14

Content Analysis: Antivirus Identify known e-mail viruses and executable content Pros: AV engines are very accurate for viruses, some include phishing matching Cons: Takes resources Suggestions: Dump or quarantine positive matches, do not send sender notifications this is spam! John Rowan Littell 15

Where to Can Your Spam Client or Access Server perform content analysis in the MUA or the POP/IMAP daemon Pros: getting to be easy for users Cons: can only do content analysis Suggestions: use as a first step or if your e-mail provider won t support other methods Examples: POPFile, Thunderbird, MacOS X Mail John Rowan Littell 16

Where to Can Your Spam Mail Server integrate spam processing as part of incoming or final delivery on primary mail server Pros: easy to set up, easy to tune for individual users Cons: heavy load on server, final delivery not the best place for processing Suggestions: best suited for small sites Examples: SpamAssassin called by procmail, numerous milters and plugins for Postfix, Qmail, etc. John Rowan Littell 17

Where to Can Your Spam Spam Gateway Appliance insert appliance as primary MX Pros: easy to install, automatic updates and shared signatures, best place for spam processing, quarantine areas, redundant units Cons: cost and quality varies, some work best only with certain mail architectures Suggestions: verify recipient addresses, restrict access to internal mail servers Examples: Postini, Barracuda, Mirapoint Razorgate, CanIT, Meridius, build-your-own... John Rowan Littell 18

Where to Can Your Spam Firewall/IPS inline security appliances that can perform content analysis or protocol hacks Pros: can protect entire network, some can operate as an invisible bridge Cons: new technology, header tagging and quarantine often not available Examples: OpenBSD s spamd(8) John Rowan Littell 19

Eating Your Spam The Recipient Is Correct... except when the President, the Lawyers, or Your Boss is... COROLLARY: There is an Exception to (nearly) Everything... be prepared, technically and politically, to deal with exceptions for filter hurdles... HOWEVER: The Recipient Needs Simplicity... don t give your average user too many configuration options... John Rowan Littell 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback