Antispam GARR Michele Michelotto Hepix Karlsruhe, 11 May 2005.

1 Antispam activities @ GARR
Michele Michelotto
Hepix Karlsruhe, 11 May 2005

2 Antispam activities at GARR: WG sec mail (HEPIX, Karlsruhe 11/5/05)
- Enrico Ardizzoni (Università di Ferrara)
- Alberto D’Ambrosio (INFN, Torino)
- Roberto Cecchini (INFN, Firenze)
- Fulvia Costa (INFN, Padova)
- Giacomo Fazio (INAF, Palermo)
- Antonio Forte (INFN, Roma 1)
- Matteo Genghini (IASF, Bologna)
- Michele Michelotto (INFN, Padova)
- Ombretta Pinazza (INFN, Bologna)
- Alessandro Spanu (INFN, Roma 1)
- Alfonso Sparano (Università di Salerno)

3 Goals
- anti-spam and anti-virus
  - Stop them, or at least reduce them to a reasonable level
- “best practices”
  - mail services configuration and mail server protection
- Sender authentication
  - SPF, DomainKeys
- Dissemination
  - http://www.garr.it/WG/sec-mail
  - mailto:

4 anti-spam
- SpamAssassin (SA) analysis and efficiency improvement:
  - Monitoring
  - Bayesian filter
  - Real Time Block List (RBL)
  - Network-distributed “cooperative” systems

5 anti-spam
- Alternative tools tests:
  - Bogofilter: http://bogofilter.sourceforge.net/
  - DSPAM: http://www.nuclearelephant.com/projects/dspam

6 SpamAssassin
- Rule based
- Each rule adds a score (positive or negative)
- Mail over the threshold can be deleted, marked, or moved to a quarantine folder
- Choice of the threshold is difficult
- Some spam has a score lower than legitimate mail (ham)

7 Where do I put the threshold?
- Threshold too high: many FALSE NEGATIVES
- Two weeks: 275417 e-mails, 208436 spam (75.7%)

8 Where do I put the threshold?
- Threshold too low: some FALSE POSITIVES (dangerous)
- Two weeks: 275417 e-mails, 208436 spam (75.7%)

9 Independent methods
- Improve the spam/ham identification
- I can’t move the threshold
  - If I raise it I get too many False Negatives
  - If I lower it, it is even worse, because I can get some False Positives
- Look for “independent methods”
  - Bayesian filters
  - Cooperative methods
  - RBL
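The dilemma of slides 7 to 9, as an added example that is not part of the original presentation: a threshold sweep over constructed, user-verified SpamAssassin scores, showing that once spam and ham scores overlap no single threshold removes both false negatives and false positives.

```python
from dataclasses import dataclass

@dataclass
class Scored:
    score: float   # total SpamAssassin score of the message
    is_spam: bool  # ground truth, as the user would classify it

# Constructed sample (not real GARR data). Note the overlap: one legitimate
# message (ham) scores 6.3 while three spams score below it.
SAMPLE = [
    Scored(-2.1, False), Scored(0.4, False), Scored(3.2, False),
    Scored(4.9, False), Scored(6.3, False),
    Scored(2.8, True), Scored(4.1, True), Scored(5.5, True),
    Scored(7.5, True), Scored(12.0, True),
]

def error_rates(messages, threshold):
    """Return (false negative rate, false positive rate) when every message
    with score >= threshold is treated as spam."""
    spam = [m for m in messages if m.is_spam]
    ham = [m for m in messages if not m.is_spam]
    fn = sum(1 for m in spam if m.score < threshold)   # spam let through
    fp = sum(1 for m in ham if m.score >= threshold)   # ham lost (dangerous)
    return fn / len(spam), fp / len(ham)

def sweep(messages, thresholds):
    """Error rates for each candidate threshold."""
    return {t: error_rates(messages, t) for t in thresholds}

def safest_threshold(messages, thresholds):
    """Lowest threshold that produces no false positives, or None."""
    for t in sorted(thresholds):
        if error_rates(messages, t)[1] == 0.0:
            return t
    return None

if __name__ == "__main__":
    candidates = [3.0, 4.0, 5.0, 6.0, 7.0]
    for t, (fn, fp) in sweep(SAMPLE, candidates).items():
        print(f"threshold {t:4.1f}: FN {fn:6.1%}  FP {fp:6.1%}")
    # The only threshold with no false positives still lets 60% of spam through,
    # which is why the slides look for independent methods instead.
    print("safest threshold:", safest_threshold(SAMPLE, candidates))
```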

10 Bayesian Filters
- Based on Bayesian statistics
- The filters “learn” which words (actually tokens) are more probable in ham and in spam
- Bayesian filters age
- Learning by manually submitting ham and spam samples is time consuming
- Auto-learning is dangerous: spammers send mail designed to “poison” the filters
- Best performance with frequent updates submitted by the users
- Even better: different databases for each user

11 Bayesian Filters
- Filter “ageing”: must keep them up to date
- Manual update is time expensive
- Frequent updates from selected samples chosen by the users, best with an individual db for each user
- Automatic update is dangerous
  - Some mail is sent only for Bayesian filter “poisoning”
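An added example, not code from the presentation or from SpamAssassin, of the Bayesian filter described on slides 10 and 11: a per-user token database that is trained only on samples the user has classified (no auto-learning), with constructed sample mail.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!]+")
def tokens(text):
    """Distinct tokens of a message (lower-cased words, digits, $ and !)."""
    return set(TOKEN_RE.findall(text.lower()))
class BayesFilter:
    """Minimal Graham/Robinson-style filter; one instance per user, as the slides advise."""
    def __init__(self):
        self.ham, self.spam = Counter(), Counter()
        self.n_ham = self.n_spam = 0

    def learn(self, text, is_spam):
        """Update the database with a sample the user has classified."""
        if is_spam:
            self.spam.update(tokens(text)); self.n_spam += 1
        else:
            self.ham.update(tokens(text)); self.n_ham += 1

    def token_prob(self, tok):
        """P(spam | token), pulled toward 0.5 for rarely seen tokens (Robinson prior s=1, x=0.5)."""
        good = self.ham[tok] / max(self.n_ham, 1)
        bad = self.spam[tok] / max(self.n_spam, 1)
        raw = bad / (good + bad) if good + bad else 0.5
        n = self.ham[tok] + self.spam[tok]
        return (0.5 + n * raw) / (1 + n)

    def spam_probability(self, text, top=15):
        """Combine the `top` most decisive token probabilities into one score."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:top]
        if not probs: return 0.5
        log_s = sum(math.log(p) for p in probs)
        log_h = sum(math.log(1 - p) for p in probs)
        return 1 / (1 + math.exp(log_h - log_s))

# Constructed training samples, standing in for mail a user submitted by hand.
HAM = ("meeting agenda for the hepix workshop in karlsruhe",
       "please review the attached analysis of the detector data",
       "lunch at the canteen tomorrow at noon")
SPAM = ("buy cheap viagra online now", "you have won a free prize click now",
        "cheap pills online free shipping")
def train_filter():
    """One user's filter trained on the constructed samples above."""
    f = BayesFilter()
    for text in HAM: f.learn(text, is_spam=False)
    for text in SPAM: f.learn(text, is_spam=True)
    return f
```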

12 Ageing (chart: AGEING vs NEW TRAINING)

13 Real-Time Block List
- For each e-mail a DNS query is issued to see if the sender is present in a list of known spammers
- Good method to add score
- Don’t use it to reject mail
  - Spoofing of the sender
  - Some RBLs are not very accurate in checking whether a sender is a real spammer, or in removing those who fixed the problem
- URIRBL: very good, because the check is done against the URLs in the mail body
  - The spammer will not spoof the URL in the body!!!
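An added example, not the presentation's or SpamAssassin's code, of the RBL and URIRBL checks on slide 13: building the DNS query names for the sending IP and for the domains found in the body, then adding score rather than rejecting. The list zones, the stand-in resolver table and the score weights (2.0 and 4.0) are assumptions of this example.

```python
import re
from urllib.parse import urlparse

def dnsbl_query_name(ip, zone):
    """Standard DNSBL query: reverse the dotted quad and append the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def body_domains(body):
    """Domains of the URLs in a mail body, reduced to their last two labels
    (a simplification of the public-suffix handling real URIBL clients do)."""
    found = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            found.add(".".join(host.lower().split(".")[-2:]))
    return found

def uribl_query_name(domain, zone):
    """URIBL query: the domain itself is looked up under the list zone."""
    return f"{domain}.{zone}"

# Constructed stand-in for DNS: query names a list would answer, with the A
# record it would return; unlisted names resolve to None. The zones and
# addresses are placeholders, not any real block list.
FAKE_DNS = {
    "7.2.0.192.rbl.example": "127.0.0.2",
    "spam-pharma.example.uribl.example": "127.0.0.2",
}

def score_message(sender_ip, body, resolve=FAKE_DNS.get,
                  rbl_zone="rbl.example", uribl_zone="uribl.example"):
    """Add score instead of rejecting, as the slide advises: a listed sending
    IP (spoofable, lists not always accurate) adds 2.0; each listed body
    domain adds 4.0, since the URL is what the spammer needs the reader to reach."""
    score, hits = 0.0, []
    if resolve(dnsbl_query_name(sender_ip, rbl_zone)):
        score += 2.0
        hits.append("RBL:" + sender_ip)
    for domain in sorted(body_domains(body)):
        if resolve(uribl_query_name(domain, uribl_zone)):
            score += 4.0
            hits.append("URIBL:" + domain)
    return score, hits
```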

14 Cooperative methods
- UBE: Unsolicited Bulk Email
- Based on the mass diffusion of spam
- Razor:
  - Users submit spam to a network of Razor servers
  - Mail with many submissions is tagged as spam
  - User ratings
  - Closed protocol and closed server network
- Pyzor:
  - Similar to Razor, but the protocol and software are open source and you can become a server

15 DCC
- Mail with similar signatures is counted at several sites
- If a mail is seen by many DCC servers it is tagged as suspect
- Open network
- Our group now has 3 DCC servers
- Each server can provide anonymous access, or high-priority access to registered users

16 DCC stats (chart)

17 DCC: our stats
- A typical day at the DCC server at IASF in Palermo
  - 800k checksum requests (70k from registered clients)
  - 1.2M reports from 25000 clients
  - Average response time 5 ms

18 Spam in September 04
- 5000 spam received in my mailbox during the CHEP week
- 12% False Negatives

19 Spam in September 04
- From 12% False Negatives at the end of September to 1.7% at the end of November

20 Monitoring trend (chart)

21 Top plugin (chart)

22 Sender Authentication
- Sender Policy Framework (SPF):
  - Each domain should publish in DNS a “reverse MX record” listing the SMTP servers authorized to send e-mail for that domain
  - The receiver can use this information to reject mail or to increase the SA score
  - This means that roaming users should always use their own SMTP server (after authentication)
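An added example, not from the presentation, of how a receiver evaluates a domain's published SPF record against the connecting IP (slide 22): `check_spf` handles the ip4, ip6, a and all mechanisms, and `receiver_action` maps the result to the two uses the slide names. The record, hostnames, addresses and the score value are constructed placeholders.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, client_ip, resolve_a=lambda name: []):
    """Evaluate an SPF TXT record for the IP that connected to deliver mail
    claiming to come from `domain`. Handles ip4, ip6, a and all; include, mx,
    exists and redirect are out of scope here and yield permerror.
    `resolve_a` stands in for a DNS A lookup (hostname -> list of addresses)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"            # no usable SPF record published
    for term in terms[1:]:
        qualifier = "+"          # a matched mechanism means "pass" by default
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "a":        # CIDR suffix on "a" is ignored in this example
            for addr in resolve_a(arg.split("/")[0] or domain):
                if ip == ipaddress.ip_address(addr):
                    return QUALIFIERS[qualifier]
        else:
            return "permerror"   # mechanism not supported by this example
    return "neutral"             # nothing matched and no "all" term

# Constructed record and DNS data for a placeholder domain.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 a:mail.example.org -all"
EXAMPLE_A = {"mail.example.org": ["203.0.113.25"]}

def receiver_action(result):
    """The two uses the slide names: reject, or add to the SpamAssassin score.
    The 1.0 softfail increment is an assumption of this example."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "add 1.0 to SA score"
    return "accept"
```

A roaming user sending directly from a hotel network (198.51.100.9 below) fails the check, which is why the slide requires roaming users to relay through their own authenticated SMTP server.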

23 (figure only)

24 SPF tests
- Salerno University
- One month
- 650 · 10^3 mail
- 32% from SPF-compliant domains
  - 12% external
  - 20% internal (useful to cut all the spam with a faked internal sender, mostly viruses or phishing)

25 Best practices
- Open port 25 only to your site e-mail server
- Open ports 587 and 468 for external authenticated users
- Force external user authentication (necessary to implement SPF)
- Configure the antivirus to avoid sender notification (since the sender is almost always spoofed)
- “greet pause” on sendmail (≥ 8.13)

26 Open items
- “unofficial” plugin tests
- Sender Authentication
- Bogofilter and DSPAM tests
- More DCC or Pyzor servers?
- Online filter (spam rejection)?
- Close the group and buy commercial “turnkey” software?
  - Like we do with A/V (e.g. Sophos PureMessage)

27 Questions?
