Presentation is loading. Please wait.

Presentation is loading. Please wait.

Methods for Stopping Spam James Lick

Similar presentations


Presentation on theme: "Methods for Stopping Spam James Lick"— Presentation transcript:

1 Methods for Stopping Spam James Lick

2 The Problem AOL blocks 780,000,000 spams each day (Feb 2003) I am sent ~900 spams each day (Jan 2003)

3 Methods for Stopping Spam ● Security ● Policy Enforcement ● Blocking ● Filtering ● Avoidance

4 Disclaimer No method will block all spam Every method will sometimes block real mail Spammers always get more aggressive These tools are just a sample Combining tactics works best Blocking/Filtering hides extent of problem

5 Security ● Make sure you aren't part of the problem ● Check infrastructure and customers: – Open relays – Open proxies – Use of latest security patches ● A lot of spam is sent through security holes ● Notify authorities for extreme cases

6 Policy Enforcement ● Have a reasonable AUP ● Have users agree to it (legal contract) ● Enforce it! – This is a contract, lack of spam law is no excuse – Don't give second chances too easily ● Respond to complaints

7 Policy Enforcement (cont) ● If you get a reputation of soft on spam: – You will get more spamming customers! – Your mail will be blocked more and more – You lose customers – You go out of business ● The earlier you address problems, the easier it is to solve ● Policy enforcement is an ongoing responsibility

8 Blocking ● Bad sender address ● Spam Source lists ● Open Relay lists ● Open Proxy lists ● Dialup/Dynamic IP lists ● Other ● Local blocks

9 Bad sender ● Most spam is sent with forged sender ● Look up sender domain – Reject message if it doesn't exist – Defer message if lookup fails ● Supported by most mail servers ● Default in modern sendmail ● You can also check sending hostname, but this is not reliable as spam sign

10 Spam Source lists ● Lists IP addresses which belong to spammers ● MAPS RBL (www.mail-abuse.org) ● Spamhaus BL (www.spamhaus.org) ● Sometimes widens block to whole networks, but usually in extreme cases

11 Open Relay lists ● Blocks mail from old servers which allow anyone to send mail through them ● MAPS RSS (www.mail-abuse.org) ● ORDB (www.ordb.org) ● Can block real mail from insecure sites ● Sometimes listings are based on old information

12 Open Proxy lists ● Blocks mail from insecure open proxies ● OPM (www.blitzed.org/opm/) ● Usually doesn't block any real mail ● Most lists incomplete – finding open proxies is hard

13 Dialup/Dynamic IP lists ● Blocks direct mail from dialups and dynamic IP addresses ● Be sure to whitelist your own customers! ● Dynamic clients should use ISP mail server to send mail ● SMTP MSP can be used to send mail remotely safely ● Usually does not block real mail

14 Dialup/Dynamic IP lists (cont) ● MAPS DUL (www.mail-abuse.org) ● PDL (www.pan-am.ca/pdl/) ● Dynablock (basic.wirehub.nl/dynablocker.html)

15 Other ● As spammers get more aggressive, anti-spammers get more aggressive in blocking ● Blocking is often done by: – Any IP sending any spam ever – Countries/regions perceived as soft on spam – Networks perceived as soft on spam – Faulty methods of identifying spam – Other forms of 'spite' listings

16 Other (cont) ● Most of these methods are not used widely ● As spam problem gets worse, these methods may become more widespread. ● Before using a blocking service – Make sure their policies match your expectation – Make sure it is reputable – Test it out first

17 Local blocks ● Setup your own local blocks (access_db, local dnsbl) ● Requires diligence and upkeep ● Do it only if you can devote resources to it every day! ● Better yet, get involved with contributing to public blocking lists

18 Filtering ● Analyze content, not where it came from – Pattern matching – Bulk detection

19 Pattern Matching ● Spams have common 'spam signs' – Common types of header forgery – Common disclaimers – Common wording of sales pitch – Garbage strings, header style, etc. ● Filters can detect and score based on how many spam signs are in a message

20 Spam Assassin (www.spamassassin.org) ● Has a set of rules, each with a score ● If a message scores over a threshold, marked as spam ● Can also use bulk detection, blocking lists ● Uses a lot more CPU – Can scale to large mail loads by using a cluster of cheap servers running SA's spamd ● Can be run on a client system too

21 Spam Assassin 2.50 ● Just out! ● Adds Bayesian filtering ● Bayesian filtering statistically analyzes what content shows up in spam more often than real mail ● For best results, needs training on what is and isn't spam ● SA 2.50 auto-trains based on SA scoring

22 Bulk Detection ● Razor (razor.sourceforge.net) aka SpamNet (www.cloudmark.com) ● DCC (www.rhyolite.com/anti-spam/dcc) ● Reliably detects messages sent in bulk ● Razor designed to detect unsolicited bulk ● Not perfect, sometimes blocks large mailing lists (recently Crypto-Gram)

23 Avoidance ● Try not to expose addresses – Don't publish user directories – Give users help and tools to do filtering ● Advise users – Use spam filtering software (in addition to ISP) – Don't give out address freely – Use disposable addresses – Change addresses periodically

24 Q&A Questions Answers Discussion


Download ppt "Methods for Stopping Spam James Lick"

Similar presentations


Ads by Google