Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extracting the Ham from Spam

Published byKayla Christie Modified over 10 years ago

Similar presentations

Presentation on theme: "Extracting the Ham from Spam"— Presentation transcript:

1 Extracting the Ham from Spam
David J. Young

2 Introduction History Spam Terminology ASSP Benchmarks Demo Questions

3 Where did the term “spam” come from?
History Where did the term “spam” come from? "Spam" is a popular Monty Python sketch, first broadcast in In the sketch, two customers are trying to order a breakfast from a menu that includes the processed meat product in almost every item. The term spam (in electronic communication) is derived from this sketch.

4 SPiced hAM Spam was one of the few meat products excluded from the British food rationing that began in World War II (and continued for a number of years after the war), and the British grew heartily tired of it. The Monty Python comedy troupe used this as the context for their Spam sketch, in which the menu at a greasy spoon cafe consists entirely of dishes containing one or more portions of spam. Introduced on July 5, 1937, the name "Spam" was chosen in the 1930s when the product, whose original name was far less memorable (Hormel Spiced Ham), began to lose market share. The name was chosen from multiple entries in a naming contest. A Hormel official once stated that the original meaning of the name spam was "Shoulder of Pork and hAM". According to writer Marguerite Patten in Spam – The Cookbook, the name was suggested by Kenneth Daigneau, an actor and the brother of a Hormel vice president. The current official explanation is that the name is a syllabic abbreviation of "SPiced hAM", and that the originator was given a $100 prize for coming up with the name. SPAM is sold in over 99% of grocery stores in the United States. As of 1997, over 5 billion tins had been sold worldwide.

5 SPAM sketch Scene:  A cafe.  One table is occupied by a group of Vikings wearing horned helmets.  Whenever the word "spam" is repeated, they begin singing and/or chanting.  A man and his wife enter.  The man is played by Eric Idle, the wife is played by Graham Chapman (in drag), and the waitress is played by Terry Jones, also in drag. Man:You sit here, dear.Wife:All right.Man:Morning!Waitress:Morning!Man:Well, what've you got?Waitress:Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam bacon spam tomato and spam;Vikings:Spam spam spam spam...Waitress:...spam spam spam egg and spam; spam spam spam spam spam spam baked beans spam spam spam...Vikings:Spam! Lovely spam! Lovely spam!Waitress:...or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried egg on top and spam.Wife:Have you got anything without spam?Waitress:Well, there's spam egg sausage and spam, that's not got much spam in it.Wife:I don't want ANY spam!Man:Why can't she have egg bacon spam and sausage?Wife:THAT'S got spam in it!Man:Hasn't got as much spam in it as spam egg sausage and spam, has it?Vikings:Spam spam spam spam... (Crescendo through next few lines...)Wife:Could you do the egg bacon spam and sausage without the spam then?Waitress:Urgghh!Wife:What do you mean 'Urgghh'? I don't like spam!Vikings:Lovely spam! Wonderful spam!Waitress:Shut up!Vikings:Lovely spam! Wonderful spam!Waitress:Shut up! (Vikings stop) Bloody Vikings! You can't have egg bacon spam and sausage without the spam.Wife:I don't like spam!Man:Sshh, dear, don't cause a fuss. I'll have your spam. I love it. I'm having spam spam spam spam spam spam spam beaked beans spam spam spam and spam!Vikings:Spam spam spam spam. Lovely spam! Wonderful spam!Waitress:Shut up!! Baked beans are off.Man:Well could I have her spam instead of the baked beans then?Waitress:You mean spam spam spam spam spam spam... (but it is too late and the Vikings drown her words)Vikings:Spam spam spam spam. Lovely spam! Wonderful spam! Spam spa-a-a-a-a-am spam spa-a-a-a-a-am spam. Lovely spam! Lovely spam! Lovely spam! Lovely spam! Lovely spam! Spam spam spam spam! "Spam" is a popular Monty Python sketch, first broadcast in In the sketch, two customers are trying to order a breakfast from a menu that includes the processed meat product in almost every item. The term spam (in electronic communication) is derived from this sketch. Scene:  A cafe.  One table is occupied by a group of Vikings wearing horned helmets.  Whenever the word "spam" is repeated, they begin singing and/or chanting.  A man and his wife enter.  The man is played by Eric Idle, the wife is played by Graham Chapman (in drag), and the waitress is played by Terry Jones, also in drag. Man:You sit here, dear. Wife:All right. Man:Morning! Waitress:Morning! Man:Well, what've you got? Waitress:Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam bacon spam tomato and spam; Vikings:Spam spam spam spam... Waitress:...spam spam spam egg and spam; spam spam spam spam spam spam baked beans spam spam spam... Vikings:Spam! Lovely spam! Lovely spam! Waitress:...or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried egg on top and spam. Wife:Have you got anything without spam? Waitress:Well, there's spam egg sausage and spam, that's not got much spam in it. Wife:I don't want ANY spam! Man:Why can't she have egg bacon spam and sausage? Wife:THAT'S got spam in it! Man:Hasn't got as much spam in it as spam egg sausage and spam, has it? Vikings:Spam spam spam spam... (Crescendo through next few lines...) Wife:Could you do the egg bacon spam and sausage without the spam then? Waitress:Urgghh! Wife:What do you mean 'Urgghh'? I don't like spam! Vikings:Lovely spam! Wonderful spam! Waitress:Shut up! Waitress:Shut up! (Vikings stop) Bloody Vikings! You can't have egg bacon spam and sausage without the spam. Wife:I don't like spam! Man:Sshh, dear, don't cause a fuss. I'll have your spam. I love it. I'm having spam spam spam spam spam spam spam beaked beans spam spam spam and spam! Vikings:Spam spam spam spam. Lovely spam! Wonderful spam! Waitress:Shut up!! Baked beans are off. Man:Well could I have her spam instead of the baked beans then? Waitress:You mean spam spam spam spam spam spam... (but it is too late and the Vikings drown her words) Vikings:Spam spam spam spam. Lovely spam! Wonderful spam! Spam spa-a-a-a-a-am spam spa-a-a-a-a-am spam. Lovely spam! Lovely spam! Lovely spam! Lovely spam! Lovely spam! Spam spam spam spam!

6 Spam Spam Spam lyrics Lovely spam, wonderful spa-a-m, Lovely spam, wonderful S Spam, Spa-a-a-a-a-a-a-am, Spa-a-a-a-a-a-a-am, SPA-A-A-A-A-A-A-AM, SPA-A-A-A-A-A-A-AM, LOVELY SPAM, LOVELY SPAM, LOVELY SPAM, LOVELY SPAM, LOVELY SPA-A-A-A-AM... SPA-AM, SPA-AM, SPA-AM, SPA-A-A-AM!

7 What is spam? Unsolicited Bulk e-mail (UBE)
Unsolicited Commerical (UCE) “The abuse of electronic messaging systems to send unsolicited, undesired bulk messages” Spamming is economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which add extra capacity to cope with the deluge. Spamming is widely reviled, and has been the subject of legislation in many jurisdictions.

8 The cost of spam Productivity – It is estimated that 80-85% of all is spam Payload may contain malware (virus, worm, trojan, etc.) Internet bandwidth In absolute numbers An spam is sent to 600 addresses. First large-scale spam sent to 6000 newsgroups, reaching millions of people. (June) 30 billion per day (June) 55 billion per day Bill Gates gets 4 million s per year (11,000/day; 456/hr; 7/minute) Most of them were mail purportedly providing help for losing debt and getting rich fast. Jef Poskanzer, the owner of the domain name acme.com, was receiving over one million spam s per day (11.5 spams/sec)

9 How do spammers get e-mail addresses?
Replying to a spam Auto-responders (vacation) Viewing HTML spam (web beacons) Clicking on URLs to websites listed in spam Chain (MUA virus) Mining Usenet postings/message boards/chat rooms Usenet article message-IDs Company or personal websites DNS SOA records whois database Opt-out websites worms harvesting address books Shady businesses selling addresses to spammers Dictionary attacks Zombies Chain may seem fairly harmless, for example, a grammar school student wishing to see how many people can receive his for a science project, but can grow exponentially and be hard to stop. They may contain false information, such as the famous "Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000" type s. They may also be politically motivated, such as "save the scouts, forward this to as many friends as possible". Some recent chain s say that a company "will stop its free service if you don't send this message to X people". Some threaten users with bad luck if not forwarded. Forwarding chain may increase a user's risk of getting viruses, and may also increase the amount of spam received, since participant's addresses are sometimes visible and may end up in the hands of spammers, either directly or via mailing lists archives on the web. s that are forwarded simply because they are enjoyed, such as urban legends or jokes are not necessarily under the chain category, although some chain is obviously humorous. Likewise, most spam is not chain as it doesn't typically ask recipients to forward the to friends.

10 Anti-spam best practices
Turn off “preview” Use throw away addresses Do not use an auto responder Do not read spam Do not click on URLs in spam Give your address only to closely trusted acquaintances Use images or other obfuscation techniques Googling for your address Use a good spam filter

11 Terminology Not Identified as SPAM Identified as SPAM Not SPAM
(Negative) True Negative False Negative (*****SPAM*****) SPAM (Positive) False Positive True Positive What is the difference between the redlist, no-processing, and spamlover lists? True – means properly identified False – means improperly identified Here's a matrix to help identify the differences: [ filtered mail | unfiltered mail ] x [ contributes to whitelist | doesn't contribute ] = filtered & contributes = normal unfiltered & contributes = spamlover filtered & doesn't contribute = redlist (does contribute to spam/nonspam collections) unfiltered & doesn't contribute = no processing (also doesn't contribute to spam/nonspam collections)

12 xxxxx Listing Whitelisting Blacklisting Greylisting Redlisting
A list of addresses which would generally never send you spam Blacklisting A list of addresses or domains you do not wish to receive any from Greylisting Temporarily reject an unknown by imposing a fixed delay before accepting (ASSP calls this Delaying due to a name conflict) Redlisting Keeps an address off the whitelist Greylisting: is delayed. The idea is that If the mail is legitimate, the originating server will try again to send it later, at which time the destination will accept it. If the mail is from a spammer, it will probably not be retried, and spam sources which re-transmit later are more likely to be listed in DNSBLs and distributed signature systems such as Vipul's Razor before the delay expires. Greylisting keeps track of a “tuple” (three things) in a database: 1) IP address of connecting host 2) envelope sender address 3) envelope recipient address Greylisting works best when used with other spam prevention techniques like DNS Black Lists and Spam signature databases ASSP Greylist: ASSP collects statistics from participating ASSP users to help identify mail hosts that tend to send more spam or more not-spam mail. These statistics are compiled together to create a "greylist." The greylist associates IP addresses of mail sending hosts with their recent statistical probability of sending spam or not spam. It's not a whitelist, or a blacklist, but somewhere in-between -- a grey list. Of course it is rare to find a host that sends equal amounts of spam and not-spam, so very few entries are 50/50 or completely grey. This type of information is of practically no value to traditional IP-based spam-blocking systems. However, it is ideal for a Bayesian descriminator: this probability is factored in with other probabilities associated with the mail and helps affect the outcome in the desired way -- better spam AND not-spam detection. ASSP downloads it about every 12 hours. There's no point in downloading it more frequently than that.

13 More ASSP terms Spam Lover Spam Bucket Honeypot Postmaster Bayesian
MTA MUA SMTP Bayesian spam filtering (pronounced "Bays-ee-en", after Rev. Thomas Bayes) is a form of filtering, is the process of using Bayesian statistical methods to classify documents into categories Bayesian poisoning is a technique used by spammers in an attempt to degrade the effectiveness of spam filters that rely on Bayesian filtering. A spammer practicing Bayesian poisoning will send out s with large amounts of legitimate text (gathered from legitimate news or literary sources). The advantage of Bayesian spam filtering is that it can be trained on a per-user basis. The spam that a user receives is often related to the online user's activities. For example, a user may have been subscribed to an online newsletter that the user considers to be spam. This online newsletter is likely to contain words that are common to all newsletters, such as the name of the newsletter and its originating address. A Bayesian spam filter will eventually assign a higher probability based on the user's specific patterns. The legitimate s a user receives will tend to be different. For example, in a corporate environment, the company name and the names of clients or customers will be mentioned often. The filter will assign a lower spam probability to s containing those names. The word probabilities are unique to each user and can evolve over time with corrective training whenever the filter incorrectly classifies an . As a result, Bayesian spam filtering accuracy after training is often superior to pre-defined rules. It can perform particularly well in avoiding false positives, where legitimate is incorrectly classified as spam. For example, if the contains the word "Nigeria", which frequently appeared in a long spam campaign, a pre-defined rules filter might reject it outright. A Bayesian filter would mark the word "Nigeria" as a probable spam word, but would take into account other important words that usually indicate legitimate . For example, the name of a spouse may strongly indicate the is not spam, which could overcome the use of the word "Nigeria.“ Some spam filters combine the results of both Bayesian spam filtering and pre-defined rules resulting in even higher filtering accuracy. Recent spammer tactics include insertion of random innocuous words that are not normally associated with spam, thereby decreasing the 's spam score, making it more likely to slip past a Bayesian spam filter.

14 Contributes to whitelist Doesn’t contribute to whitelist
Processing matrix Filtered Mail Unfiltered Mail Contributes to whitelist Normal ASSP operation Spam Lover Doesn’t contribute to whitelist Redlist (but does contribute to spam/nospam collections) No processing (also doesn’t contribute to spam/nospam collections) What is the difference between the redlist, no-processing, and spamlover lists? Here's a matrix to help identify the differences: [ filtered mail | unfiltered mail ] x [ contributes to whitelist | doesn't contribute ] = filtered & contributes = normal unfiltered & contributes = spamlover filtered & doesn't contribute = redlist (does contribute to spam/nonspam collections) unfiltered & doesn't contribute = no processing (also doesn't contribute to spam/nonspam collections)

15 What is ASSP? Anti-Spam SMTP Proxy
“An Open Source platform-independent transparent SMTP proxy server that leverages numerous methodologies and technologies to both rigidly and adaptively identify spam.” -- wikipedia.org The Anti-Spam SMTP Proxy (ASSP) server project is an Open Source platform-independent transparent SMTP proxy server that leverages numerous methodologies and technologies to both rigidly and adaptively identify spam. “An open source (GPL), platform-independent SMTP Proxy server which implements whitelists and Bayesian filtering to rid the planet of the blight of unsolicited (UCE). UCE must be stopped at the SMTP server. Anti-spam tools must be adaptive to new spam and customized for each site’s mail patterns. This free, easy-to-use tool works with any mail transport and achieves these goals requiring no operator intervention after the initial setup phase”

16 Theory of Operation When you install ASSP a colony of super-intelligent thermophilus bacteria takes up residence on your CPU and begin reading all your . They communicate using radio waves directly with the CPU and interface with the ASSP software choosing between spam and nonspam mail. If you choose to read further this myth will be sadly dispelled, and I take no responsibility for the consequences. However, you can always refer your users to this slide to prove to them that their is actually being filtered by super-intelligent bacteria. ASSP uses three complementary strategies to allow good mail and block unsolicited a whitelist, spambuckets, and a Bayesian filter. Every time a message passes through your SMTP server it has a from address and one or more to addresses. Your SMTP server also knows if the message is being sent from your local network (and to allow relaying for that message), or if it’s coming from outside (and must be delivered to a local address). Your local users don’t send unsolicited (right?) and the people they correspond with would only send you solicited . In fact the people they would also be unlikely to send UCE. By monitoring these addresses ASSP builds a web of trust – local users are trusted, the addresses in their TO or CC fields are trusted, as are the addresses in their TO and CC fields. Any from these people is considered not-spam without further checking. (Note this is not a good strategy for virus containment, but it is a good strategy for UCE.) Users of the local mail domains are not added to the whitelist. They are identified by being a part of the local network. Many spammers forge a from addresses with the same domain as the to address, so it is important to avoid adding local addresses to the whitelist. With only a few days of operation you should see your whitelist grow to more than 1000 addresses. The whitelist is not only helpful in identifying non-spam, but in building your database of non-spam s. The whitelist is automatically saved every $UpdateWhitelist seconds (1 hour by default). Spambuckets are addresses which receive only spam. They can be integrated on your web site, posted on Usenet, or come naturally by having employees leave your site; after a reasonable period of time bouncing their mail all mail received for these addresses can be considered unsolicited. Any whose sender is not whitelisted and is addressed to a spambucket is classified as spam. Spambuckets are helpful both in identifying spam, and in building and maintaining your spam database. Finally, if an comes and is not addressed from someone not on your local network, nor on the whitelist, nor addressed to a spambucket, it is compared to the statistical profile generated by the Bayesian filter. The Bayesian filter works by looking for words and phrases (up to three words long) that occur significantly more often in either your non-spam collection, or your spam collection. For most organizations spam identifiers include things like “get rich quick” while non-spam identifiers are things like your organization’s full name or address, or personal names of people who work there. They also include considerably more subtle references like HTML tags which spammers prefer, or jargon specific to your line of business. To classify a new all the words and phrases in the first bytes of the (including the header) are checked against the statistical model. The top 50 ranking words and phrases are combined according to Bayes theorem to predict how well the mail compares to spam / non-spam in your collections. I have made the working assumption that only the first bytes of an are significant for identifying spam. Spammers may change their profile, but historically spam has been relatively small, and keeping many large files in your collection is a waste of disk space and processing time. After an is classified as local or whitelisted, or as Bayesian spam or spam to a spambox its first bytes are are saved in the appropriate collection directory. It is given a random number between 0 and MaxFiles (12000 by default) and written to that file name. In this way older files will gradually (randomly) be replaced with newer files, thus keeping the collections both diverse and up-to-date. Files in the errors folders (correctedspam and correctednotspam) are never overwritten. The rebuildspamdb program is where I will start. It reads the files in your errors/spam, errors/notspam, spam and notspam directories. As it reads the files in the errors directory it also builds a hash of the mail body to be able to identify duplicate messages misfiled. This hash is used to delete messages from the notspam collection that were also in the errors/spam collection and from the spam collection that were also in the errors/notspam collection. Think of it like scrubbing bubbles – they do the work so you don’t have toooo! As rebuildspamdb reads the files it also does two things. First it runs a filter (the subroutine “clean”) that prepares the message for statistical analysis. Second it walks through the file tallying word pairs in the spam or not-spam categories according to the collection. Files in the errors/spam collection count double; files in the errors/spam count x4. The “clean” subroutine does a number of important operations. Primarily its function is to undo the things spammers do to trick filters. It cleans up base64 encoding. It cleans up many HTML obfuscation techniques. Look at the code of the “sub clean” for more details – it’s all commented. It also does two other things (and may do more in the future) to help the Bayesian analysis. First, it inserts a keyword after each word of the subject – this lets the Bayesian filter recognize words in the subject uniquely. For example the word “free” in the subject will have a different Bayesian rating than the word “free” in the body of the message. Second it does a couple of tricks to isolate the “HELO” greeting that was sent when the message was delivered. This has also proven to be a useful Bayesian factor in identifying spam. Paul Graham’s “A Plan for Spam” recommends complete header analysis within the Bayesian filter. Because ASSP initially used three-keyword identifiers, and now (as of 0.3.4) two-keyword identifiers, I found this useless. However, header analysis will be a fruitful area of development for improving ASSP’s spam / ham recognition rate in the future. That will take place in the “clean” subroutine. There may be other pre-processing features that will be introduced there in the future. Once each mail message is pre-processed (cleaned) each word pair is tallied (words being defined as [-\$A-Za-z0-9\'\.!\240-\377]+ – shorter than 2 or longer than 19 are ignored and are further cleaned in this way: s/[,.']+$//; s/!!!+/!!/g; s/--+/-/g;) [Sorry for the technical stuff for those allergic to it.] So that in the end you end up with a big database of word pairs and their counts: “in the”: spam=23210, total=46411; “order now”: spam=20001, total= The rebuildspamdb program then steps through this database discarding identifiers with total less than 5 (i.e. if a word pair occurred 4 or fewer times in all the collections combined and with errors/spam x2, and errors/spam x4 then the pair can be ignored) and calculating the spaminess ratio this way: If the spam count = 0 or the spam count = the total count then square both counts. (This amplifies factors which appear only in the spam or not-spam collection.) Spaminess = (spam count + 1) / (total count + 2) (This should look familiar to anyone with a basic understanding of Bayesian filters. It also somewhat de-emphasizes rare identifiers and emphasizes common ones.) Throw out the identifier if it’s between 0.41 and 0.59 – this identifier appears almost equally in both spam and non-spam there’s no point in keeping it. Force the result between and – Bayesian classifiers croak if the value is too close to 0 or 1. All of these results are sorted (by identifier) and stored in the spamdb for use by ASSP. Rebuildspamdb also randomly (1 time in 20) prunes outdated entries in the whitelist and goodhosts databases. Now you know how the spamdb is built, so let’s see how it is used. Suppose a mailer in the internet connects to ASSP. ASSP makes a connection to your “SMTP Destination” and begins relaying their conversation. It notes the IP address of the connecting server. It notes their HELO string. It notes their MAIL FROM (envelope sender). It notes their RCPT TOs. It notes their DATA directive. (This is all in sub “getline”.) Relay attempts are blocked. The presence of spam bucket addresses is noted. Mail to the interface is detected. Mail to no-processing or “spam lover” addresses is noted. Assuming none of that qualifies the message is passed on to “getheader.” Getheader is looking for the mail header. When the header is complete getheader calls “onwhitelist” which determines if the message should be treated as whitelisted/local (it’s the same really) and if so to update the whitelist. If not processing goes on to “getbody.” Getbody reads the rest of the message (or the first bytes including the header, which ever comes first), checks for attached executables (if that’s enabled) and calls “isspam” which is probably why you’re reading this document. The isspam subroutine first checks WhiteRe and BlackRE, the expressions to identify non-spam and spam, respectively. Then it calls “clean” to clean up any spammer obfuscation, and calls them again with the “cleaned” version. Then it checks for a DNSBL hit, which adds 0.97 twice to the list of Bayesian factors for this message. Then it checks for a goodhost miss, which adds whatever your site’s goodhost factor is twice, provided it is > Then it walks through the message’s word pairs, just like rebuildspamdb did, completing the list of Bayesian factors. Unlike rebuildspamdb, an identifier hit will only be counted a maximum of two times, so if the identifier “free money” rates and “free money” occurs three or more times in the mail message, only the first two count. The list of factors is sorted and the thirty factors closest to 0 or 1 (i.e. the 30 furthest from 0.5 or neutral) are combined as Bayes taught into a single probability. If this probability is greater than 0.6 the message is spam. (Mail is very rarely between 0.2 and 0.8 – it’s almost always > 0.9 or < 0.1.) Spam is logged in the spam directory and local and whitelisted mail is logged in the notspam directory. Headers are updated as configured. If you’re not in test-mode the connection to your “SMTP Destination” is dropped if it is spam, and when the client stops spewing the mail body, it gets the “spam error” message, and it’s connection is dropped. (In test mode the connection is completed and ASSP sends updated headers.)

17 True Theory of Operation
ASSP uses three complementary strategies to allow good and to block unsolicited Whitelisting Spambuckets Bayesian filtering Local mail domain users are not whitelisted ASSP uses three complementary strategies to allow good mail and block unsolicited a whitelist, spambuckets, and a Bayesian filter. Every time a message passes through your SMTP server it has a from address and one or more to addresses. Your SMTP server also knows if the message is being sent from your local network (and to allow relaying for that message), or if it’s coming from outside (and must be delivered to a local address). Your local users don’t send unsolicited (right?) and the people they correspond with would only send you solicited . In fact the people they would also be unlikely to send UCE. By monitoring these addresses ASSP builds a web of trust – local users are trusted, the addresses in their TO or CC fields are trusted, as are the addresses in their TO and CC fields. Any from these people is considered not-spam without further checking. (Note this is not a good strategy for virus containment, but it is a good strategy for UCE.) Users of the local mail domains are not added to the whitelist. They are identified by being a part of the local network. Many spammers forge a from addresses with the same domain as the to address, so it is important to avoid adding local addresses to the whitelist. With only a few days of operation you should see your whitelist grow to more than 1000 addresses. The whitelist is not only helpful in identifying non-spam, but in building your database of non-spam s. The whitelist is automatically saved every $UpdateWhitelist seconds (1 hour by default). Spambuckets are addresses which receive only spam. They can be integrated on your web site, posted on Usenet, or come naturally by having employees leave your site; after a reasonable period of time bouncing their mail all mail received for these addresses can be considered unsolicited. Any whose sender is not whitelisted and is addressed to a spambucket is classified as spam. Spambuckets are helpful both in identifying spam, and in building and maintaining your spam database. Finally, if an comes and is not addressed from someone not on your local network, nor on the whitelist, nor addressed to a spambucket, it is compared to the statistical profile generated by the Bayesian filter. The Bayesian filter works by looking for words and phrases (up to three words long) that occur significantly more often in either your non-spam collection, or your spam collection. For most organizations spam identifiers include things like “get rich quick” while non-spam identifiers are things like your organization’s full name or address, or personal names of people who work there. They also include considerably more subtle references like HTML tags which spammers prefer, or jargon specific to your line of business. To classify a new all the words and phrases in the first bytes of the (including the header) are checked against the statistical model. The top 50 ranking words and phrases are combined according to Bayes theorem to predict how well the mail compares to spam / non-spam in your collections. I have made the working assumption that only the first bytes of an are significant for identifying spam. Spammers may change their profile, but historically spam has been relatively small, and keeping many large files in your collection is a waste of disk space and processing time. After an is classified as local or whitelisted, or as Bayesian spam or spam to a spambox its first bytes are are saved in the appropriate collection directory. It is given a random number between 0 and MaxFiles (12000 by default) and written to that file name. In this way older files will gradually (randomly) be replaced with newer files, thus keeping the collections both diverse and up-to-date. Files in the errors folders (correctedspam and correctednotspam) are never overwritten. The rebuildspamdb program is where I will start. It reads the files in your errors/spam, errors/notspam, spam and notspam directories. As it reads the files in the errors directory it also builds a hash of the mail body to be able to identify duplicate messages misfiled. This hash is used to delete messages from the notspam collection that were also in the errors/spam collection and from the spam collection that were also in the errors/notspam collection. Think of it like scrubbing bubbles – they do the work so you don’t have toooo! As rebuildspamdb reads the files it also does two things. First it runs a filter (the subroutine “clean”) that prepares the message for statistical analysis. Second it walks through the file tallying word pairs in the spam or not-spam categories according to the collection. Files in the errors/spam collection count double; files in the errors/spam count x4. The “clean” subroutine does a number of important operations. Primarily its function is to undo the things spammers do to trick filters. It cleans up base64 encoding. It cleans up many HTML obfuscation techniques. Look at the code of the “sub clean” for more details – it’s all commented. It also does two other things (and may do more in the future) to help the Bayesian analysis. First, it inserts a keyword after each word of the subject – this lets the Bayesian filter recognize words in the subject uniquely. For example the word “free” in the subject will have a different Bayesian rating than the word “free” in the body of the message. Second it does a couple of tricks to isolate the “HELO” greeting that was sent when the message was delivered. This has also proven to be a useful Bayesian factor in identifying spam. Paul Graham’s “A Plan for Spam” recommends complete header analysis within the Bayesian filter. Because ASSP initially used three-keyword identifiers, and now (as of 0.3.4) two-keyword identifiers, I found this useless. However, header analysis will be a fruitful area of development for improving ASSP’s spam / ham recognition rate in the future. That will take place in the “clean” subroutine. There may be other pre-processing features that will be introduced there in the future. Once each mail message is pre-processed (cleaned) each word pair is tallied (words being defined as [-\$A-Za-z0-9\'\.!\240-\377]+ – shorter than 2 or longer than 19 are ignored and are further cleaned in this way: s/[,.']+$//; s/!!!+/!!/g; s/--+/-/g;) [Sorry for the technical stuff for those allergic to it.] So that in the end you end up with a big database of word pairs and their counts: “in the”: spam=23210, total=46411; “order now”: spam=20001, total= The rebuildspamdb program then steps through this database discarding identifiers with total less than 5 (i.e. if a word pair occurred 4 or fewer times in all the collections combined and with errors/spam x2, and errors/spam x4 then the pair can be ignored) and calculating the spaminess ratio this way: If the spam count = 0 or the spam count = the total count then square both counts. (This amplifies factors which appear only in the spam or not-spam collection.) Spaminess = (spam count + 1) / (total count + 2) (This should look familiar to anyone with a basic understanding of Bayesian filters. It also somewhat de-emphasizes rare identifiers and emphasizes common ones.) Throw out the identifier if it’s between 0.41 and 0.59 – this identifier appears almost equally in both spam and non-spam there’s no point in keeping it. Force the result between and – Bayesian classifiers croak if the value is too close to 0 or 1. All of these results are sorted (by identifier) and stored in the spamdb for use by ASSP. Rebuildspamdb also randomly (1 time in 20) prunes outdated entries in the whitelist and goodhosts databases. Now you know how the spamdb is built, so let’s see how it is used. Suppose a mailer in the internet connects to ASSP. ASSP makes a connection to your “SMTP Destination” and begins relaying their conversation. It notes the IP address of the connecting server. It notes their HELO string. It notes their MAIL FROM (envelope sender). It notes their RCPT TOs. It notes their DATA directive. (This is all in sub “getline”.) Relay attempts are blocked. The presence of spam bucket addresses is noted. Mail to the interface is detected. Mail to no-processing or “spam lover” addresses is noted. Assuming none of that qualifies the message is passed on to “getheader.” Getheader is looking for the mail header. When the header is complete getheader calls “onwhitelist” which determines if the message should be treated as whitelisted/local (it’s the same really) and if so to update the whitelist. If not processing goes on to “getbody.” Getbody reads the rest of the message (or the first bytes including the header, which ever comes first), checks for attached executables (if that’s enabled) and calls “isspam” which is probably why you’re reading this document. The isspam subroutine first checks WhiteRe and BlackRE, the expressions to identify non-spam and spam, respectively. Then it calls “clean” to clean up any spammer obfuscation, and calls them again with the “cleaned” version. Then it checks for a DNSBL hit, which adds 0.97 twice to the list of Bayesian factors for this message. Then it checks for a goodhost miss, which adds whatever your site’s goodhost factor is twice, provided it is > Then it walks through the message’s word pairs, just like rebuildspamdb did, completing the list of Bayesian factors. Unlike rebuildspamdb, an identifier hit will only be counted a maximum of two times, so if the identifier “free money” rates and “free money” occurs three or more times in the mail message, only the first two count. The list of factors is sorted and the thirty factors closest to 0 or 1 (i.e. the 30 furthest from 0.5 or neutral) are combined as Bayes taught into a single probability. If this probability is greater than 0.6 the message is spam. (Mail is very rarely between 0.2 and 0.8 – it’s almost always > 0.9 or < 0.1.) Spam is logged in the spam directory and local and whitelisted mail is logged in the notspam directory. Headers are updated as configured. If you’re not in test-mode the connection to your “SMTP Destination” is dropped if it is spam, and when the client stops spewing the mail body, it gets the “spam error” message, and it’s connection is dropped. (In test mode the connection is completed and ASSP sends updated headers.)

18 ASSP Implementation Version 1.2.5 It is a single Perl script 360 KB
10,000 lines Built in web server Built in Pseudo-SMTP server ASSP is a project on SourceForge.net.

19 ASSP Target User Base ASSP’s primary target audience is mail administrators or system administrators at smallish institutions. If you operate an ISP or a mailhost with a heterogeneous user base, you may not have a good enough consensus about what is considered spam or is not. It should work well with between 1 and 300 client addresses and a mail volume of up to around 100,000 messages per day. Testing has not been done to verify these ranges ASSP is not for the following: Individual clients -- ASSP must be installed together with a SMTP server Domains which receive mail indirectly, for example if you use fetchmail

20 ASSP Philosophy Reject SPAM before the SMTP server
Work with any SMTP MTA Adapt quickly as spammers change attack strategies Require low maintenance after initial setup

21 Main ASSP capabilities
Automatic Whitelisting Spam Traps Bayesian filtering Greylist Whitelist RE Matching interface Mail Analyzer Automatic Statistics SPF (Sender Policy Framework) DNSBL (DNS Black Lists) ClamAV virus scanner Mail host Headers Originally SPF stood for Sender Permitted From and was sometimes also called SMTP+SPF, but it was changed to Sender Policy Framework in February 2004. SPF is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in spam. SPF is defined in RFC 4408 Automatic Whitelisting: Outbound is automatically whitelisted assp]# telnet spam 25 Trying Connected to spam.domain.com ( ). Escape character is '^]'. 220 .domain.com GroupWise Internet Agent Ready (C)1993, 1998 Novell, Inc. Foremost amongst ASSP's features are: Bayesian analysis, Penalty Box (PB) trapping, RBL (Real-time Black-hole Listing, aka DNSBL), multi-level SPF (aka Sender Policy Framework) validation, SRS (aka Sender Rewriting Scheme) fix-up, Delaying (aka Greylisting), sender validation & recipient validation, multi-level attachment blocking, as well as multiple RFC validation mechanisms.

22 ASSP Features Uses existing MTA and MUA’s
Runs on Linux, Unix, Windows, OS X, and more Automatic whitelist – no-one you will ever be blocked Redlist keeps an address off the whitelist Uses honeypot type spambucket addresses to automatically recognize spam and update your spam database Bayesian filter intelligently classifies into spam and non-spam Supports site-defined regular expressions to identify spam or non-spam Accepts whitelist submissions and spam error reports by authorized Browser based setup Keeps spam statistics for your site Recognizes Mime encoded and other camouflaged spam Can listen on more than one smtp port Basic anti-virus filtering using the ClamAV virus databases Optionally blocks no mail but adds an header and/or updates the message subject (*****SPAM*****) Can block spam-bombs (when spammers forge your domain in the from field) More

23 ASSP Flexibility Whitelist-only mode
Don’t filter, just tag subject line Let specific addresses receive SPAM Use a mail list behind ASSP Use ASSP with redundant MX domains Web based configuration Spam Lovers configuration option allows ASSP to forward SPAM The No Processing option will skip whitelist additions and will not contribute to the SPAM/NOTSPAM database. Remove Whitelist Entries: Copy the section of the maillog that contains the erronious whitelist addition -- edit it to make sure there's no valid whitelisted addresses in it, then paste it into the "remove addresses" box in the ASSP config -- you don't have to clean out the other text from the maillog -- just make sure the only addresses that appear in what you post are ones you want removed.

24 ASSP Mail Processing What order does ASSP process mail to check if it is spam? Local or whitelisted? Blacklisted Domain? Spam Helo? Addressed to spam-bucket? Mail bomb? Blocked attachment? Matches expression to identify non-spam? Matches expression to identify spam? Bayesian evaluation If the message is identified as spam at any step along the way it goes to the spam directory. If the message is local or whitelisted it goes to the notspam directory.

25 Installation Overview
Install ASSP and dependencies Configure ASSP Put ASSP in test mode Modify mail flow of test user(s) Test that it is working Prime the system Create the Bayesian database Automate daily Bayesian database updates Monitor spam filtering Correct false negatives and false positives Take ASSP out of test mode Train user community Modify mail flow of trained users Spend a few minutes each day moving the new messages that are miss-categorized from the spam directory to the notspam directory (or visa versa). If you are unsure if a message is misscategorized, just delete it -- it's not worth spending much time on. Once you have at least 400 messages that are properly categorized, do this: perl rebuildspamdb.pl True Negative: SPAM identified as SPAM True Positive: Non-SPAM not identified as SPAM False Negative: Non-SPAM identified as SPAM False Positives: SPAM not identified as SPAM Testing: Inbound, outbound, spam/notspam directories are getting populated, whitelist additions,

26 ASSP Installation Install Perl Install Perl modules from CPAN
Compress::Zlib NEEDED - Standard Perl installation Digest::MD5 NEEDED - Standard Perl installation Time::HiRes NEEDED - Standard Perl installation Net::DNS NEEDED TO RUN RBL, SPF and 1.2.X :Valid OPTIONAL, BUT ADVISED File::ReadBackwards OPTIONAL, BUT ADVISED Mail::SPF::Query OPTIONAL Mail::SRS OPTIONAL Sys::Syslog OPTIONAL Net::LDAP OPTIONAL :: NEEDED IF YOU RUN LDAP Win32::Daemon NEEDED to run as a service on Windows No installation script GUNZIP assp.tar.gz to /usr/local/assp In /usr/local create the following directories: assp/spam assp/notspam assp/errors assp/errors/spam assp/errors/notspam

27 Configure ASSP Start ASSP Configure ASSP
perl assp.pl Configure ASSP Login: <empty> Password: nospam4me (default) Beware of the “Show Advanced Configuration” Option

28 ASSP Configuration

29 Initial Configuration
Change values for “Web Admin Password” “Accept All Mail” “Local Domains” “Spam Error” “Spam Addresses” Addresses of recipients at your site that only receive spam (website spam-bait, ex-employees) Remember to press Enter or click the button at the bottom to register your changes – simply clearing a checkbox doesn’t send the change to ASSP.

30 Mail Flow Internet Mail Svr Clients Inbound Internet Mail Svr Clients
Outbound with ASSP Internet ASSP Mail Svr Clients Inbound ASSP can’t be last stop before the Internet for a few reasons It’s not an MTA, so it doesn’t have the intelligence built in to route It needs to be close to the client/Groupware system to intercept messages for the interface Internet Mail Svr ASSP Clients Outbound Internet ASSP Mail Svr Clients Invalid

31 Email Flow Internet ASSP MTA Clients Inbound Internet MTA ASSP Clients
GroupWise/ Exchange Clients Inbound Internet MTA ASSP GroupWise/ Exchange Clients Outbound smtp0 white red grey black in 25 ASSP 125 MTA out Errors Bayesian DB spam Not spam

32 1999 GWIA MTA POA GroupWise Internet
This is an that is being sent to the Internet. Th This is an that is

33 2003 sendmail Internet MTA GWIA MTA POA GroupWise Internet DNS Block
Virtuser table aliases Internet MTA DNS Block List GWIA MTA POA GroupWise Internet

34 2004 Internet MTA sendmail SpamAssassin GroupWise sendmail GWIA MTA
Virtuser table aliases POA Internet

35 2006 Internet MTA sendmail SpamAssassin GroupWise sendmail GWIA MTA
Virtuser table aliases POA ASSP sendmail spam Not white red black grey Bayesian DB Errors Internet

36 Phase In Internet MTA sendmail SpamAssassin GroupWise sendmail GWIA
Virtuser table aliases POA ASSP sendmail spam Not white red black grey Bayesian DB Errors Internet

37 Flow with Anti-Virus Internet ASSP Mail Svr Clients Inbound Internet
Outbound

38 Flow with Groupware Internet ASSP MTA Groupware Clients Inbound Internet MTA ASSP Groupware Clients Outbound To use ASSP with Exchange, Lotus Notes or GroupWise, you’ll also need to implement a “smarthost” relay like sendmail, qmail, postfix, exim or one in a number of others

39 DNSBL vs Greylist The ASSP Greylist supercedes DNSBL
ASSP “Greylist” is not to be confused with “Greylisting” Use of DNSBL is discouraged (If a DNSBL lookup blocks, ASSP will block due to it’s multiplex design) The dnsbl setting has been superceeded by the greylist and is only present to provide backward compatability. Its use is strongly depreciated. But I hear you say, "But I want to block mail from known-bad IP addresses." Can't ASSP do that? ASSP could do that but that is not what the DNSBL setting was used for. These are the factors involved with DNS black listing and how they relate to ASSP: 1) I used DNS black lists for a number of years before I wrote ASSP. I found that they rejected far too little spam and had far too many false positives. They change slowly, while spammers adjust quickly. There is no such thing as a "realtime" black-hole list. I also found that truely successful black-hole lists either get sued out of existance, become pay (ie for profit) services, or simply go bust too quickly. The bottom line is that an IP address alone does not give you enough information to correctly classify incoming mail. ASSP's greylist is an attempt to make use of what information is available about an IP address without creating false positives or negatives. Perhaps you'll argue that you know of a truely fantastic black hole list, and maybe times have changed and such a thing really exists. If you have one that's > 99% effective, then use it and skip ASSP. If it's less than 99% effective, then just use ASSP and forget about the black hole list -- it's unnecessary and a distraction. 2) ASSP is a multiplexed server, not multi-process or multi-threaded. This allows ASSP to be truely cross platform and quite effecient in how it handles connections. Unfortunately it means that any process that blocks will cause a temporary SMTP outage. Perl's standard DNS functions block. This means that traditional DNSBL lookups via DNS are incompatible with ASSP's multiplexed design. The alternative (and the approach in the original DNSBL and that continues in today's greylist) is to load all the DNSBL values into a file where lookups can be made in a timely fashion. However most DNSBL services only provide this option if you can prove that your load is quite high. Or you can use a tool like openrbl and update your file on a daily basis. This ends up being problematic. 3) "Spam filtering works best by combining a variety of spam-fighting technologies." And to the extent that that is true, ASSP incorporates a variety of spam-fighting technologies. However, each technology carries not just a benifit, but also a margin of error and a maintenance cost. You must be careful in combining technologies or you find that you increase your maintenance costs and increase your overall error margin without increasing your accuracy. I believe DNS blacklists fall in this category. 4) Bayesian content filtering is a fantastic tool. Generally the requests I've received from people who want DNSBL support are from those who have used it in the past and haven't used a good Bayesian content filter before. They're trying to keep doing what they've always done before. I'd encourage you to give ASSP a try. See how it performs. I expect that even without DNSBL support it will exceed your expectations in most cases.

40 Penalty Box This will blacklist an SMTP server for about 72 hours or so from sending to your server if they violate basic SMTP connection conventions over a certain threshold. The Penalty Box is a new idea added to ASSP only recently by Fritz Borgstedt. It is added to from many different tests on the IP, connection, and content. Many of the PB tests are connection based and as such, are very reliable for adding high scores to PB. Some are not; bayesian can add to PB as well. I set bayesian classified s to add 0 to the PB and the same for HELO blacklist. However I add 200 for any IP that uses my own server ID as a Forged HELO, effectively blacklisting them via high PB and later addition to denySMTP file. I also have some addresses that are exploited by malware infected computers spewing spam and viruses. One hit to that address kills their access to my mail server with a high PB score. The Penalty Box database even has a whitelist component that gets added to when an comes from a whitelisted sender or has no spamminess to it.

41 SMTP Ports For example, internet mail needs to connect to ASSP on port 25 (ASSP's listen port), and ASSP can proxy to your mail server on port 125 (or any port you choose) -- ASSP's SMTP Destination. You need to change your mail server to match.

42 Sender Notification With most client-based filters (POPFile, SpamBayes, SpamAssassin) senders receive NO NOTIFICATION if their mail isn't delivered. With most of these solutions, the user bears full responsibility to VERIFY that no good mail is blocked. ASSP’s solution to this is that when spam is blocked the SENDER RECEIVES NOTIFICATION, and it does this without generating non-delivery reports that bounce and bounce again because spammers forge their from address.

43 Catch-22 Issue: Let’s say a client receives a non-delivery report, how can he (not in whitelist) send a message to the organization if he is still not in whitelist? I mean, if the recipient or assp admin does not receive the notification, they will not know that there is a false positive and will not add the unknown client to whitelist... Solution: Set up an address and put it in the Spam-Lover Address configuration option. Then modify the spam error message to direct people to "500 Mail appears to be unsolicited (spam) -- please forward this to if you feel this is in error." Any false positives that bounce back to clients will hopefully be reported to the Mail Admin via the spam lover address (they just forward it), assuming they read the rejected .

44 Interface Any user can help to improve ASSP’s spam filtering accuracy. Users can use it to add addresses to the whitelist, report spam, or false-positives. To use it, you must have it enabeled in the configuration, and have names set for the addresses. The interface only accepts mail addressed to addresses at any of your localdomains, and only from "Accept All Mail" hosts, or authenticated SMTP connections. assp-white -- for whitelist additions assp-spam -- to report spam that got through assp-notspam -- to report mis-categorized spam Whitelisting: Assuming that your local-domain is yourdomain.com, to add addresses to the whitelist, you’d create a message to You can either put the addresses in the body of the message, or as recipients of the message. For example, if you wanted to add all the addresses in your address book to the whitelist, create a message to and then add your entire address book to the BCC part of the message and click send. Note that no mail will be delivered to any address except (and that won't actually be passed to your mail transport). Within a short time you'll receive a response from ASSP showing the results of your mail. False Negatives: To report a spam that got through, simply forward the mail to It's best to forward it as an attachment, but you can just forward it normally if you must. In a short time you will receive a confirmation. False Positives: The process is the same to report a miscategorized spam, but send it to

45 Spam Report

46 Benchmarks Spam Bucket Ex-employee that left the company 5 years ago
Receives spam mails per day

47 Filter effectiveness SpamAssassin 60-65% effective in 2004
Deteriorated to 11% by 2006 (267 of 2238 True Positives) ASSP in first 3 weeks of operation 99.7% (1336 of 1340 True Positives)

48 ASSP vs SpamAssassin SpamAssassin ASSP is difficult to install
great investment in hand-made regular expressions and header analysis to identify spam Hand-crafted expressions are brittle as spammers adjust their strategies Requires frequent updates to accurately identify spam ASSP is low maintenance is easy to install is a complete spam blocking solution, not just a filter that must be integrated into your MTA works with nearly every MTA on any OS Poorly documented > 1. Is SpamAssassin in ASSP integrated no. > 2. if not ... why I used spamassassin ( for some time prior to developing ASSP. I found SA difficult to install. It also had to be regularly upgraded. Finally, ASSP's Bayesian filter was more effective at stopping spam than SA. I understand that since then SA has developed a Bayesian component as well, but I'm not completly up-to-date on their development. > 3. what are the pros of SpamAssassin compared to ASSP SA has a great investment in hand-made regular expressions and header analysis to recognize spam. > 4. what are the cons of SpamAssassin compared to ASSP These same hand-crafted expressions are brittle as spammers adjust their strategies. ASSP relies on the flexibility (and customization) from your own site's Bayesian database. Furthermore, ASSP is a complete spam blocking solution, not just a filter that must be integrated to your mail transport. I credit SA with some of the impetus for getting ASSP going -- it is a great tool with a lot of features. In fact SA's smtp proxy was part of the inspiration for ASSP. And I would cheer them on -- every effective anti-spam tool reduces spammer's success and makes spam less profitable However, my goal was to have a system that was easy to install, worked unmodified with nearly every MTA on any OS, and I believe ASSP is achiving those goals. Yes, a competant Linux system administrator can probably achieve similar results with SA, but ASSP broadens that opportunity 100 fold.

49 Before ASSP

50 Turning ASSP on

51 With ASSP

52 stat.pl Statistics [root@smtp]# perl stat.pl /tmp/m.log
As of Mon Jan 22 21:48: the mail logfile shows: 0 proxy / smtp connections 253 were dropped for attempted relays (0.0% of total). 31523 messages, were spam (53.2%) in 65 days for messages per day or spams per day 1518 additions to / verifications of the whitelist (23.4 per day) 14643 were judged spam by the bayesian filter (87.4% of spam) 2115 were to spam addresses (12.6% of spam) 0 were rejected for executable attachments (0% of spam) 10121 were sent from local clients (68.5% of nonspam) 842 were from whitelisted addresses (5.7% of nonspam) 0 messages were passed to SPAMLOVERs 3802 were ok after a bayesian check (25.8% of nonspam) 1498 addresses are on the whitelist 0 hits on the blacklist 0 resulted in spam (0.0% of Bayesian spam, 0.0% of blacklist hits) 0 resulted in non-spam (0.000% of blacklist hits)

53 ASSP Statistics

54 Issues Vacation Auto Replies TLS and secure SMTP
ASSP is site based, not per-user TLS is a form of encryption that allows your SMTP server to have secure communications with the SMTP client. If the communications were secure, ASSP couldn't proxy the transmission to block spam (because it can’t see it) As of version ASSP disables your server's TLS conversations through the ASSP port. In theory one could use STUNNEL to still allow TLS connections to ASSP and then on to your mail transport. Also in theory one could use a version of openssl to add this capability to ASSP. If anyone does either of these please write me and I'll include it with future releases of ASSP.

55 Lessons Learned Whitelist + spambucket + Bayesian is a great spam filtering strategy The default is SPF failures will filter even if whitelisted Be very careful what you put in the relay hosts list ASSP is not multi-process or multi-threaded

56 Utilities rebuildspamdb.pl repair.pl move2num.pl stat.pl
If you have been using ASSP with the UseSubjectsAsMaillogNames option you will find it much easier to identify spam s. However when you are ready to start normal operation you need to rename all these files to numbers so that they get overwritten in time with newer (more modern) spam/nonspam. The move2num.pl script accomplishes this for you. You can also use this script if you have manually moved a number of files into the spam/nonspam folders and want to convert their filenames to ASSP's numbers. perl move2num.pl -r Note that ASSP reads all files in the directories irregardless of their name, so numbers or words for filenames is fine. However filenames that aren't numbers will remain eternally in the spam / nonspam folders and never be rotated out.

57 Demo Web configuration Mail analyzer

58 Resources on the Internet

59 Questions

Download ppt "Extracting the Ham from Spam"

Similar presentations

Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3

Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
What you will get? Or what you like to know?

What you will get? Or what you like to know?
Using the Self Service BMC Helpdesk

Using the Self Service BMC Helpdesk
1 Effective, secure and reliable hosted email security and continuity solution.

1 Effective, secure and reliable hosted security and continuity solution.
MY NCBI (module 4.5).

MY NCBI (module 4.5).
Basic Communication on the Internet:

Basic Communication on the Internet:
Centre de Compétence BtoB – Internet/Intranet FileConnect Training FileConnect Welcome Agenda Summary Training Summary TrainingWebsite access Welcome Method.

Centre de Compétence BtoB – Internet/Intranet FileConnect Training FileConnect Welcome Agenda Summary Training Summary TrainingWebsite access Welcome Method.
Karam al-sofy & Faten alhasan. Overview HMailServer is an email server for Microsoft Windows. It allows you to handle all your email yourself without.

Karam al-sofy & Faten alhasan. Overview HMailServer is an server for Microsoft Windows. It allows you to handle all your yourself without.
TrustPort Net Gateway Email traffic protection. WWW.TRUSTPORT.COM Keep It Secure Entry point protection –Clear separation of the risky internet and secured.

TrustPort Net Gateway traffic protection. Keep It Secure Entry point protection –Clear separation of the risky internet and secured.
Paul Vanbosterhaut Managing Director, Vircom Europe January 2007 ModusGate™ 4.4 Smart Email Assurance Gateway Not Just Warmed-over Open Source Technology…

Paul Vanbosterhaut Managing Director, Vircom Europe January 2007 ModusGate™ 4.4 Smart Assurance Gateway Not Just Warmed-over Open Source Technology…
Web Filtering. ExchangeDefender Web Filtering provides policy-controlled protection from dangerous content on the web. Web Filtering is agent based, allowing.

Web Filtering. ExchangeDefender Web Filtering provides policy-controlled protection from dangerous content on the web. Web Filtering is agent based, allowing.
Fighting spam: the thin grey line Alun Jones,

Fighting spam: the thin grey line Alun Jones,
CSS Central: Central Management Utility Screen View Samples Next.

CSS Central: Central Management Utility Screen View Samples Next.
Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.

Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 VMO and SMTP TOI Aaron Belcher.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 VMO and SMTP TOI Aaron Belcher.
COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.

COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.
Google Apps: Google Mail Got Gmail?....Need Help? Mrs. Connor.

Google Apps: Google Mail Got Gmail?....Need Help? Mrs. Connor.
Calendar Browser is a groupware used for booking all kinds of resources within an organization. Calendar Browser is installed on a file server and in a.

Calendar Browser is a groupware used for booking all kinds of resources within an organization. Calendar Browser is installed on a file server and in a.
How Clients and Servers Work Together. Objectives Web Server Protocols Examine how e-mail server and client software work Use FTP to transfer files Initiate.

How Clients and Servers Work Together. Objectives Web Server Protocols Examine how server and client software work Use FTP to transfer files Initiate.

Similar presentations

Ads by Google