www.TASK.to © Toronto Area Security Klatch 2007 - A drop-in anti-spam solution - A 15 minute speed talk by Paul Wouters


1 A drop-in anti-spam solution: a 15 minute speed talk by Paul Wouters

2 People still click on spam

3 So spammers spam harder!
  - Total (personal) spam received until I had to stop counting: 141329
  - That is 38 hours straight at a rate of deleting 1 spam/second
  - Or one full-time work week
  - But much more time than that is spent fixing mail servers

4 And harder... and harder...

5 It's all available online!
  - Archive at: http://unspammable.xtdnet.nl/
  - Webstats archive: http://chameleon.cypherpunks.ca/spam/

6 My archive
  - “Collateral Damage”
  - “United Email Freedom Front” demanded I remove the entire archive
  - They launched a few serious DDoS attacks...
  - Sounded extremely childish... Why my archive?
  - Two years later I found out why...

7 I published MegaMania spam

8 “Pump and Dump” scheme

9 Don't try this at home...

10 Spammers use viruses

11 The problem

12 Drop-in filter machine
  - Put the filter machine in DNS
  - Point the domain's email to the filter machine via MX
  But spammers are smart, so:
  - Add an incoming port 25 filter on the mail server:
    - ACCEPT incoming port 25 TCP from the spam filter to the mail server
    - DROP all other incoming port 25
    - ACCEPT outgoing port 25 TCP

13 Better placement for the filter
  - Only give the mail server an internal IP address
  - Fully transparent if you give the filter machine the name and public IP of the real mail server

14 101 of the SMTP protocol

15 Envelope based filtering
  This will block >99% of spam:
  - Block known infected IP addresses for 24 hours
  - Block open relays / known spammers / hacked webservers / rogue ISPs
  - Block misidentifying servers
  - Block RFC-violating domains
  - Block non-existent senders
  - Do not accept non-existent recipients
  - Use SPF records to refuse forgeries
  - Refuse everyone for 15 minutes once per 3 days
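The envelope checks above, including the greylisting step ("refuse everyone for 15 minutes once per 3 days"), as an added Python example that is not from the talk or from Postfix/postgrey: the DNS, DNSBL and recipient-directory lookups are replaced by constructed in-memory tables, and the SPF check is left out.

```python
import re

# Policy values taken from the slide: 15 minute greylist delay, a triplet that
# passes stays whitelisted for 3 days, infected client IPs are blocked 24 hours.
GREYLIST_DELAY = 15 * 60
GREYLIST_TTL = 3 * 24 * 3600
INFECTED_TTL = 24 * 3600

# Loose FQDN check: at least one dot, alphanumeric labels, alphabetic TLD.
FQDN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)

# Constructed stand-ins for DNS, the DNSBL feeds and the recipient directory.
KNOWN_DOMAINS = {"example.com", "example.org"}
LOCAL_USERS = {"alice@example.org", "bob@example.org"}
DNSBL_LISTED = {"203.0.113.7"}

class EnvelopePolicy:
    def __init__(self):
        self.infected = {}  # client ip -> block expiry (epoch seconds)
        self.triplets = {}  # (ip, sender, rcpt) -> (first_seen, whitelisted_until)

    def mark_infected(self, ip, now):
        self.infected[ip] = now + INFECTED_TTL

    def check(self, ip, helo, sender, rcpt, now):
        """Return the SMTP reply the filter would give for this envelope."""
        if self.infected.get(ip, 0) > now or ip in DNSBL_LISTED:
            return "554 client blocked"
        if not FQDN_RE.match(helo):
            return "504 HELO must be a fully qualified hostname"
        sender_domain = sender.rsplit("@", 1)[-1]
        if "@" not in sender or not FQDN_RE.match(sender_domain):
            return "504 sender address must use a fully qualified domain"
        if sender_domain not in KNOWN_DOMAINS:
            return "450 sender domain not found"  # temp-fail, DNS may be flaky
        if rcpt not in LOCAL_USERS:
            return "550 recipient unknown"  # reject before accepting the body
        key = (ip, sender, rcpt)
        first_seen, whitelisted_until = self.triplets.get(key, (None, 0))
        if whitelisted_until > now:
            return "250 ok"
        if first_seen is None or whitelisted_until:  # new, or 3-day pass expired
            self.triplets[key] = (now, 0)
            return "450 greylisted, try again later"
        if now - first_seen < GREYLIST_DELAY:
            return "450 greylisted, try again later"
        self.triplets[key] = (first_seen, now + GREYLIST_TTL)
        return "250 ok"
```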

16 Content based spam filtering
  - Filter readme.txt.scr
  - Filter *.exe, *.reg, etc.
  - Process zip / rar / gzip / arj
  - Drop password-protected zips
  - Multiple anti-virus scanners
  - Spamassassin rule for image spam works well
  - Update spamassassin via RulesDuJour
  - Use distributed resources from Pyzor, Razor and DCC
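An added Python example, not from the talk or from Amavis, of the attachment rules above: it flags banned last extensions such as readme.txt.scr, recurses into zip archives (with an assumed depth limit), and drops entries whose central-directory flag marks them as password-protected. The sample attachment is constructed in memory, and one entry's flag bit is patched by hand to simulate an encrypted zip, since the standard library cannot write one.

```python
import io
import zipfile
# Extensions filtered outright; the last extension is matched case-insensitively, so readme.txt.scr is .scr
BANNED_EXT = {".scr", ".exe", ".reg", ".pif", ".bat", ".vbs"}
MAX_DEPTH = 3  # assumed nesting limit (not stated on the slide)

def last_ext(name):
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""

def inspect_attachment(name, data, depth=0):
    """Return (verdict, reason) findings for one attachment, recursing into zips."""
    findings, ext = [], last_ext(name)
    if ext in BANNED_EXT:
        findings.append(("DROP", f"banned extension {ext}: {name}"))
    if ext == ".zip":  # rar/arj/gzip need other libraries; zip is enough here
        if depth >= MAX_DEPTH:
            return findings + [("DROP", f"archive nested too deep: {name}")]
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return findings + [("DROP", f"corrupt archive: {name}")]
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose flag bit 0 = encrypted
                findings.append(("DROP", f"password-protected entry: {info.filename}"))
            else:
                findings.extend(inspect_attachment(info.filename, zf.read(info), depth + 1))
    return findings

def verdict(findings):
    return "DROP" if any(v == "DROP" for v, _ in findings) else "PASS"

def zipped(*members):
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for member_name, payload in members:
            z.writestr(member_name, payload)
    return out.getvalue()

def mark_encrypted(zip_bytes):
    """Constructed helper: set the encrypted bit (flags at offset 8) on a one-entry zip's central directory."""
    buf = bytearray(zip_bytes)
    buf[zip_bytes.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(buf)

def build_sample():
    """Constructed attachment: invoice.zip nesting readme.txt.scr, a password-protected zip, a text file."""
    inner = zipped(("readme.txt.scr", b"MZ constructed, not a real binary"))
    locked = mark_encrypted(zipped(("secret.doc", b"constructed")))
    return zipped(("invoice.zip", inner), ("locked.zip", locked), ("notes.txt", b"hi"))
```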

17 What not to do
  - Do not use Bayesian filters: they cost too much CPU
  - Do not use CPU-expensive spamassassin / RulesDuJour rules: BLACKLIST, BLACKLIST_URI, TRIPWIRE
  - Do not enable rules meant for older spamassassin versions (!!)
  - Do not add positive scores, only use negative scores
  - Don't run more than 1 Amavis thread per 512MB RAM
  - Be very careful when using port 25 forwarding - remote connections might appear to be “trusted local clients”
  - Remove all backup MX servers - it's not worth the trouble
  - Publish SPF records - it will greatly reduce your own bounces!
  - Do not leave the real mail server's port 25 open to the net. Spammers find it without MX records and your problem will be worse than before, because now you do not filter anything on the mail host!

18 Software and online resources
  - Linux OS (or equivalent)
  - Postfix mail server
  - Spamassassin / spamd
  - Amavis content filter
  - ClamAV / Freshclam anti-virus
  - SPF filter
  - MRTG / Apache
  - pflogsumm.cgi
  - update-mailstat
  - SpamHaus SBL list
  - VIRBL SBL at BIT.nl
  - RulesDuJour - dynamic spamassassin rule updater
  - Pyzor - email digest filtering
  - Razor - collaborative filtering
  - DCC - Distributed Checksums Clearinghouse
  - SORBS SBL list
  - RFC-Ignorant SBL list

19 cdc.xelerance.net example
  Partial Postfix configuration example:

    smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/client_access,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client web.dnsbl.sorbs.net,
        reject_rbl_client virbl.dnsbl.bit.nl,
        reject_rbl_client psbl.surriel.com,
        check_policy_service unix:postgrey/socket

    smtpd_helo_restrictions =
        check_helo_access hash:/etc/postfix/helo_access,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_rhsbl_sender opm.blitzed.org

    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_rhsbl_sender opm.blitzed.org,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        reject_rhsbl_sender rhsbl.sorbs.net

    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unverified_recipient,
        permit_mynetworks,
        reject_unauth_destination

    check_recipient_access = hash:/etc/postfix/recipient_access

    content_filter = smtp-amavis:[localhost]:10024

20 I get 0 to 1 spams per day ;-)

21 141329 spams - 30GB/month

22 April 2004-March 2007: $4000

