
1 Extracting the Ham from Spam David J. Young

2 Introduction
- History
- Spam
- Terminology
- ASSP
- Benchmarks
- Demo
- Questions

3 History
- Where did the term spam come from?

4 SPiced hAM

5 SPAM sketch
Scene: A cafe. One table is occupied by a group of Vikings wearing horned helmets. Whenever the word "spam" is repeated, they begin singing and/or chanting. A man and his wife enter. The man is played by Eric Idle, the wife is played by Graham Chapman (in drag), and the waitress is played by Terry Jones, also in drag.

Man: You sit here, dear.
Wife: All right.
Man: Morning!
Waitress: Morning!
Man: Well, what've you got?
Waitress: Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam bacon spam tomato and spam;
Vikings: Spam spam spam spam...
Waitress: ...spam spam spam egg and spam; spam spam spam spam spam spam baked beans spam spam spam...
Vikings: Spam! Lovely spam! Lovely spam!
Waitress: ...or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried egg on top and spam.
Wife: Have you got anything without spam?
Waitress: Well, there's spam egg sausage and spam, that's not got much spam in it.
Wife: I don't want ANY spam!
Man: Why can't she have egg bacon spam and sausage?
Wife: THAT'S got spam in it!
Man: Hasn't got as much spam in it as spam egg sausage and spam, has it?
Vikings: Spam spam spam spam... (Crescendo through next few lines...)
Wife: Could you do the egg bacon spam and sausage without the spam then?
Waitress: Urgghh!
Wife: What do you mean 'Urgghh'? I don't like spam!
Vikings: Lovely spam! Wonderful spam!
Waitress: Shut up!
Vikings: Lovely spam! Wonderful spam!
Waitress: Shut up! (Vikings stop) Bloody Vikings! You can't have egg bacon spam and sausage without the spam.
Wife: I don't like spam!
Man: Sshh, dear, don't cause a fuss. I'll have your spam. I love it. I'm having spam spam spam spam spam spam spam baked beans spam spam spam and spam!
Vikings: Spam spam spam spam. Lovely spam! Wonderful spam!
Waitress: Shut up!! Baked beans are off.
Man: Well could I have her spam instead of the baked beans then?
Waitress: You mean spam spam spam spam spam spam... (but it is too late and the Vikings drown her words)
Vikings: Spam spam spam spam. Lovely spam! Wonderful spam! Spam spa-a-a-a-a-am spam spa-a-a-a-a-am spam. Lovely spam! Lovely spam! Lovely spam! Lovely spam! Lovely spam! Spam spam spam spam!

6 Spam Spam Spam lyrics
Lovely spam, wonderful spa-a-m, Lovely spam, wonderful S Spam, Spa-a-a-a-a-a-a-am, Spa-a-a-a-a-a-a-am, SPA-A-A-A-A-A-A-AM, SPA-A-A-A-A-A-A-AM, LOVELY SPAM, LOVELY SPAM, LOVELY SPAM, LOVELY SPAM, LOVELY SPA-A-A-A-AM... SPA-AM, SPA-AM, SPA-AM, SPA-A-A-AM!

7 What is spam?
- Unsolicited Bulk Email (UBE)
- Unsolicited Commercial Email (UCE)
The abuse of electronic messaging systems to send unsolicited, undesired bulk messages

8 The cost of spam
- Productivity – It is estimated that 80-85% of all email is spam
- Payload may contain malware (virus, worm, trojan, etc.)
- Internet bandwidth

9 How do spammers get addresses?
- Replying to a spam
- Auto-responders (vacation)
- Viewing HTML spam (web beacons)
- Clicking on URLs to websites listed in spam
- Chain (MUA virus)
- Mining
  - Usenet postings/message boards/chat rooms
  - Usenet article message-IDs
  - Company or personal websites
  - DNS SOA records
  - whois database
- Opt-out websites
- worms harvesting address books
- Shady businesses selling addresses to spammers
- Dictionary attacks
- Zombies

10 Anti-spam best practices
- Turn off preview
- Use throw away addresses
- Do not use an auto responder
- Do not read spam
- Do not click on URLs in spam
- Give your address only to closely trusted acquaintances
- Use images or other obfuscation techniques
- Googling for your address
- Use a good spam filter

11 Terminology

                    | Not Identified as SPAM | Identified as SPAM
Not SPAM (Negative) | True Negative          | False Negative (*****SPAM*****)
SPAM (Positive)     | False Positive         | True Positive (*****SPAM*****)

12 xxxxx Listing
- Whitelisting: A list of addresses which would generally never send you spam
- Blacklisting: A list of addresses or domains you do not wish to receive any email from
- Greylisting: Temporarily reject an unknown email by imposing a fixed delay before accepting (ASSP calls this Delaying due to a name conflict)
- Redlisting: Keeps an address off the whitelist
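The greylisting ("Delaying") behaviour defined on this slide, as an added Python example that is not part of the presentation and not ASSP's code. Keying on the (client IP, sender, recipient) triplet, the 300-second delay, the expiry window and the reply text are assumptions; the delivery attempts are constructed.

```python
import time


class Greylist:
    """Temporarily reject unknown senders until they retry after a fixed delay."""

    def __init__(self, delay=300, expiry=36 * 3600, clock=time.time):
        self.delay = delay      # seconds an unknown triplet must wait (assumed value)
        self.expiry = expiry    # forget a triplet that never retried in this window
        self.clock = clock      # injectable so the demo can use a fake clock
        self.first_seen = {}    # triplet -> time of its first attempt
        self.passed = set()     # triplets that retried after the delay

    def check(self, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply to send for this delivery attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        if key in self.passed:
            return "250 OK"
        first = self.first_seen.get(key)
        if first is None or now - first > self.expiry:
            # Unknown (or stale) triplet: start the clock and defer.
            self.first_seen[key] = now
            return "451 4.7.1 Delayed, please retry later"
        if now - first < self.delay:
            # Retried too early: a real MTA will queue and come back.
            return "451 4.7.1 Delayed, please retry later"
        # Retried after the delay, as a standards-following MTA does.
        del self.first_seen[key]
        self.passed.add(key)
        return "250 OK"


def demo():
    """Replay a constructed sequence of attempts and return the reply codes."""
    now = [0]
    gl = Greylist(delay=300, clock=lambda: now[0])
    same = ("192.0.2.10", "news@sender.example", "carol@example.org")
    attempts = [
        (0, *same),      # first contact: deferred
        (60, *same),     # retry inside the delay: still deferred
        (400, *same),    # retry after the delay: accepted
        (401, *same),    # known triplet: accepted immediately
        (402, "192.0.2.99", "news@sender.example", "carol@example.org"),
    ]
    codes = []
    for t, ip, sender, rcpt in attempts:
        now[0] = t
        codes.append(gl.check(ip, sender, rcpt)[:3])
    return codes


if __name__ == "__main__":
    print(demo())
```

The last attempt is deferred again because a new client IP makes a new triplet, which is why senders that rotate hosts between retries see longer delays.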

13 More ASSP terms
- Spam Lover
- Spam Bucket
- Honeypot
- Postmaster
- Bayesian
- MTA
- MUA
- SMTP

14 Processing matrix

                                | Filtered Mail                                                   | Unfiltered Mail
Contributes to whitelist        | Normal ASSP operation                                           | Spam Lover
Doesn't contribute to whitelist | Redlist (but does contribute to spam/nospam collections)        | No processing (also doesn't contribute to spam/nospam collections)

15 What is ASSP?
Anti-Spam SMTP Proxy
An Open Source platform-independent transparent SMTP proxy server that leverages numerous methodologies and technologies to both rigidly and adaptively identify spam. -- wikipedia.org

16 Theory of Operation
When you install ASSP a colony of super-intelligent thermophilus bacteria takes up residence on your CPU and begins reading all your email. They communicate using radio waves directly with the CPU and interface with the ASSP software, choosing between spam and nonspam mail. If you choose to read further this myth will be sadly dispelled, and I take no responsibility for the consequences. However, you can always refer your users to this slide to prove to them that their email is actually being filtered by super-intelligent bacteria.

17 True Theory of Operation
- ASSP uses three complementary strategies to allow good email and to block unsolicited email
  - Whitelisting
  - Spambuckets
  - Bayesian filtering
- Local mail domain users are not whitelisted

18 ASSP Implementation
- Version
- It is a single Perl script
- 360 KB
- 10,000 lines
- Built in web server
- Built in Pseudo-SMTP server

19 ASSP Target User Base
- ASSP's primary target audience is mail administrators or system administrators at smallish institutions. If you operate an ISP or a mailhost with a heterogeneous user base, you may not have a good enough consensus about what is considered spam or is not. It should work well with between 1 and 300 client addresses and a mail volume of up to around 100,000 messages per day. Testing has not been done to verify these ranges.
- ASSP is not for the following:
  1. Individual clients -- ASSP must be installed together with an SMTP server
  2. Domains which receive mail indirectly, for example if you use fetchmail

20 ASSP Philosophy
- Reject SPAM before the SMTP server
- Work with any SMTP MTA
- Adapt quickly as spammers change attack strategies
- Require low maintenance after initial setup

21 Main ASSP capabilities
- Automatic Whitelisting
- Spam Traps
- Bayesian filtering
- Greylist
- Whitelist RE Matching
- Email interface
- Mail Analyzer
- Automatic Statistics
- SPF (Sender Policy Framework)
- DNSBL (DNS Black Lists)
- ClamAV virus scanner
- Mail host Headers

22 ASSP Features
- Uses existing MTA and MUAs
- Runs on Linux, Unix, Windows, OS X, and more
- Automatic whitelist – no-one you email will ever be blocked
- Redlist keeps an address off the whitelist
- Uses honeypot type spambucket addresses to automatically recognize spam and update your spam database
- Bayesian filter intelligently classifies email into spam and non-spam
- Supports site-defined regular expressions to identify spam or non-spam
- Accepts whitelist submissions and spam error reports by authorized email
- Browser based setup
- Keeps spam statistics for your site
- Recognizes MIME encoded and other camouflaged spam
- Can listen on more than one SMTP port
- Basic anti-virus filtering using the ClamAV virus databases
- Optionally blocks no mail but adds an email header and/or updates the message subject (*****SPAM*****)
- Can block spam-bombs (when spammers forge your domain in the from field)
- More

23 ASSP Flexibility
- Whitelist-only mode
- Don't filter, just tag subject line
- Let specific addresses receive SPAM
- Use a mail list behind ASSP
- Use ASSP with redundant MX domains
- Web based configuration

24 ASSP Mail Processing
What order does ASSP process mail to check if it is spam?
1. Local or whitelisted?
2. Blacklisted Domain?
3. Spam Helo?
4. Addressed to spam-bucket?
5. Mail bomb?
6. Blocked attachment?
7. Matches expression to identify non-spam?
8. Matches expression to identify spam?
9. Bayesian evaluation
If the message is identified as spam at any step along the way it goes to the spam directory. If the message is local or whitelisted it goes to the notspam directory.
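The nine-step check order above, as an added Python sketch (not ASSP's Perl code and not from the presentation). The configuration values, message fields, the 0.6 threshold, the "deliver" outcome for mail that passes steps 7 or 9, and the naive-Bayes token combination are assumptions; step 5 uses the forged-local-domain definition of a spam-bomb from the features slide, and all sample messages are constructed.

```python
import math
import re

# Constructed site configuration (every value here is hypothetical).
CFG = {
    "local_domains": {"example.org"},
    "whitelist": {"alice@partner.example"},
    "blacklisted_domains": {"bulk.example"},
    "spam_helos": {"friend", "localhost"},
    "spam_buckets": {"ex-employee@example.org"},
    "blocked_ext": (".exe", ".scr", ".pif"),
    "nonspam_re": re.compile(r"ticket #\d+", re.I),
    "spam_re": re.compile(r"act now|100% free", re.I),
    # token -> P(spam | token); values must stay strictly between 0 and 1
    "token_prob": {"viagra": 0.99, "mortgage": 0.9, "meeting": 0.05},
    "threshold": 0.6,
}


def bayes_score(text, token_prob):
    """Combine per-token spam probabilities (naive Bayes, in the log domain)."""
    log_spam = log_ham = 0.0
    for tok in set(re.findall(r"[a-z0-9]+", text.lower())):
        p = token_prob.get(tok)
        if p is not None:
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))  # 0.5 if no known token


def classify(msg, cfg=CFG):
    """Return (outcome, step): the first check that fires decides the message."""
    sender = msg["sender"].lower()
    domain = sender.rpartition("@")[2]
    text = msg["subject"] + "\n" + msg["body"]
    if msg["from_local_host"] or sender in cfg["whitelist"]:
        return ("notspam", 1)
    if domain in cfg["blacklisted_domains"]:
        return ("spam", 2)
    if msg["helo"].lower() in cfg["spam_helos"]:
        return ("spam", 3)
    if any(r.lower() in cfg["spam_buckets"] for r in msg["rcpts"]):
        return ("spam", 4)
    if domain in cfg["local_domains"]:
        # Local sender address arriving from a non-local host: forged From.
        return ("spam", 5)
    if any(a.lower().endswith(cfg["blocked_ext"]) for a in msg["attachments"]):
        return ("spam", 6)
    if cfg["nonspam_re"].search(text):
        return ("deliver", 7)
    if cfg["spam_re"].search(text):
        return ("spam", 8)
    score = bayes_score(text, cfg["token_prob"])
    return ("spam" if score > cfg["threshold"] else "deliver", 9)


def sample(**overrides):
    """Constructed message; the defaults describe benign mail from outside."""
    msg = {"sender": "bob@other.example", "rcpts": ["carol@example.org"],
           "helo": "mail.other.example", "from_local_host": False,
           "attachments": [], "subject": "Meeting",
           "body": "See you at the meeting."}
    msg.update(overrides)
    return msg


if __name__ == "__main__":
    print(classify(sample()))
    print(classify(sample(subject="Re: ticket #4521", body="100% free offer")))
    print(classify(sample(sender="ceo@example.org")))
```

Because the first matching step wins, the ticket reply is delivered at step 7 even though its body would match the spam expression at step 8, and a whitelisted sender is never scored at all.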

25 Installation Overview
- Install ASSP and dependencies
- Configure ASSP
- Put ASSP in test mode
- Modify mail flow of test user(s)
- Test that it is working
- Prime the system
- Create the Bayesian database
- Automate daily Bayesian database updates
- Monitor spam filtering
- Correct false negatives and false positives
- Take ASSP out of test mode
- Train user community
- Modify mail flow of trained users

26 ASSP Installation
- Install Perl
- Install Perl modules from CPAN
  - Compress::Zlib: NEEDED - Standard Perl installation
  - Digest::MD5: NEEDED - Standard Perl installation
  - Time::HiRes: NEEDED - Standard Perl installation
  - Net::DNS: NEEDED TO RUN RBL, SPF and 1.2.X
  - Email::Valid: OPTIONAL, BUT ADVISED
  - File::ReadBackwards: OPTIONAL, BUT ADVISED
  - Mail::SPF::Query: OPTIONAL
  - Mail::SRS: OPTIONAL
  - Sys::Syslog: OPTIONAL
  - Net::LDAP: OPTIONAL :: NEEDED IF YOU RUN LDAP
  - Win32::Daemon: NEEDED to run as a service on Windows
- No installation script
  - GUNZIP assp.tar.gz to /usr/local/assp
  - In /usr/local create the following directories:
    - assp/spam
    - assp/notspam
    - assp/errors
    - assp/errors/spam
    - assp/errors/notspam

27 Configure ASSP
- Start ASSP
  perl assp.pl
- Configure ASSP
  Login:
  Password: nospam4me (default)
- Beware of the Show Advanced Configuration Option

28 ASSP Configuration

29 Initial Configuration
- Change values for
  1. Web Admin Password
  2. Accept All Mail
  3. Local Domains
  4. Spam Error
  5. Spam Addresses
     Addresses of recipients at your site that only receive spam (website spam-bait, ex-employees)

30 Mail Flow
[Diagrams: inbound and outbound mail flow between Internet, Mail Svr and Clients; the same flow with ASSP (Internet, ASSP, Mail Svr, Clients); the arrangement Internet, Mail Svr, ASSP, Clients is marked Invalid]

31 Flow
[Diagram: inbound and outbound flow between Internet, ASSP, MTA, GroupWise/Exchange and Clients; ASSP components shown: spam, not spam, white, red, black, grey, Bayesian DB, errors]

32 1999
[Diagram: GroupWise (GWIA, MTA, POA) and the Internet]

33 2003
[Diagram: GroupWise (GWIA, MTA, POA), sendmail (virtuser table, aliases), DNS Block List, Internet MTA]

34 2004
[Diagram: GroupWise (GWIA, MTA, POA), sendmail (virtuser table, aliases), sendmail with SpamAssassin, Internet MTA, Internet]

35 2006
[Diagram: ASSP with sendmail (spam, not spam, white, red, black, grey, Bayesian DB, errors), GroupWise (GWIA, MTA, POA), sendmail (virtuser table, aliases), sendmail with SpamAssassin, Internet MTA, Internet]

36 Phase In
[Diagram: ASSP with sendmail (spam, not spam, white, red, black, grey, Bayesian DB, errors), GroupWise (GWIA, MTA, POA), sendmail (virtuser table, aliases), sendmail with SpamAssassin, Internet MTA, Internet]

37 Flow with Anti-Virus
[Diagram: inbound and outbound flow between Internet, ASSP, Antivirus, Mail Svr and Clients]

38 Flow with Groupware
[Diagram: inbound and outbound flow between Internet, ASSP, MTA, Groupware and Clients]
- To use ASSP with Exchange, Lotus Notes or GroupWise, you'll also need to implement a smarthost relay like sendmail, qmail, postfix, exim or one of a number of others

39 DNSBL vs Greylist
- The ASSP Greylist supersedes DNSBL
- ASSP Greylist is not to be confused with Greylisting
- Use of DNSBL is discouraged (If a DNSBL lookup blocks, ASSP will block due to its multiplex design)

40 Penalty Box
- This will blacklist an SMTP server for about 72 hours or so from sending to your server if they violate basic SMTP connection conventions over a certain threshold.

41 SMTP Ports
For example, internet mail needs to connect to ASSP on port 25 (ASSP's listen port), and ASSP can proxy to your mail server on port 125 (or any port you choose) -- ASSP's SMTP Destination. You need to change your mail server to match.

42 Sender Notification
- With most client-based filters (POPFile, SpamBayes, SpamAssassin) senders receive NO NOTIFICATION if their mail isn't delivered. With most of these solutions, the user bears full responsibility to VERIFY that no good mail is blocked.
- ASSP's solution to this is that when spam is blocked the SENDER RECEIVES NOTIFICATION, and it does this without generating non-delivery reports that bounce and bounce again because spammers forge their from address.

43 Catch-22
- Issue: Let's say a client receives a non-delivery report, how can he (not in whitelist) send a message to the organization if he is still not in whitelist? I mean, if the recipient or assp admin does not receive the notification, they will not know that there is a false positive and will not add the unknown client to whitelist...
- Solution: Set up an address and put it in the Spam-Lover Address configuration option. Then modify the spam error message to direct people to "500 Mail appears to be unsolicited (spam) -- please forward this to not- if you feel this is in error." Any false positives that bounce back to clients will hopefully be reported to the Mail Admin via the spam lover address (they just forward it), assuming they read the rejected email.

44 Interface
Any user can help to improve ASSP's spam filtering accuracy. Users can use it to add addresses to the whitelist, report spam, or false-positives. To use it, you must have it enabled in the configuration, and have names set for the addresses. The interface only accepts mail addressed to addresses at any of your localdomains, and only from "Accept All Mail" hosts, or authenticated SMTP connections.
- assp-white -- for whitelist additions
- assp-spam -- to report spam that got through
- assp-notspam -- to report mis-categorized spam
Whitelisting: Assuming that your local-domain is yourdomain.com, to add addresses to the whitelist, you'd create a message to You can either put the addresses in the body of the message, or as recipients of the message. For example, if you wanted to add all the addresses in your address book to the whitelist, create a message to and then add your entire address book to the BCC part of the message and click send. Note that no mail will be delivered to any address except (and that won't actually be passed to your mail transport). Within a short time you'll receive a response from ASSP showing the results of your mail.
False Negatives: To report a spam that got through, simply forward the mail to It's best to forward it as an attachment, but you can just forward it normally if you must. In a short time you will receive a confirmation.
False Positives: The process is the same to report a miscategorized spam, but send it to

45 Spam Report

46 Benchmarks
- Spam Bucket
- Ex-employee that left the company 5 years ago
- Receives spam mails per day

47 Filter effectiveness
- SpamAssassin 60-65% effective in 2004
- Deteriorated to 11% by 2006 (267 of 2238 True Positives)
- ASSP in first 3 weeks of operation 99.7% (1336 of 1340 True Positives)

48 ASSP vs SpamAssassin
- SpamAssassin
  - is difficult to install
  - great investment in hand-made regular expressions and header analysis to identify spam
  - Hand-crafted expressions are brittle as spammers adjust their strategies
  - Requires frequent updates to accurately identify spam
- ASSP
  - is low maintenance
  - is easy to install
  - is a complete spam blocking solution, not just a filter that must be integrated into your MTA
  - works with nearly every MTA on any OS
  - Poorly documented

49 Before ASSP

50 Turning ASSP on

51 With ASSP

52 stat.pl Statistics
perl stat.pl /tmp/m.log
As of Mon Jan 22 21:48: the mail logfile shows:
0 proxy / smtp connections
253 were dropped for attempted relays (0.0% of total)
messages, were spam (53.2%) in 65 days for messages per day or spams per day
1518 additions to / verifications of the whitelist (23.4 per day)
were judged spam by the bayesian filter (87.4% of spam)
2115 were to spam addresses (12.6% of spam)
0 were rejected for executable attachments (0% of spam)
were sent from local clients (68.5% of nonspam)
842 were from whitelisted addresses (5.7% of nonspam)
0 messages were passed to SPAMLOVERs
3802 were ok after a bayesian check (25.8% of nonspam)
1498 addresses are on the whitelist
0 hits on the blacklist
0 resulted in spam (0.0% of Bayesian spam, 0.0% of blacklist hits)
0 resulted in non-spam (0.000% of blacklist hits)

53 ASSP Statistics

54 Issues
- Vacation
- Auto Replies
- TLS and secure SMTP
- ASSP is site based, not per-user

55 Lessons Learned
- Whitelist + spambucket + Bayesian is a great spam filtering strategy
- The default is SPF failures will filter even if whitelisted
- Be very careful what you put in the relay hosts list
- ASSP is not multi-process or multi-threaded

56 Utilities
- rebuildspamdb.pl
- repair.pl
- move2num.pl
- stat.pl

57 Demo
- Web configuration
- Mail analyzer

58 Resources on the Internet

59 Questions

