protecting e-mail from spam and malware
Post on 13-May-2015
Protecting email from SPAM and Malware
By Scott McDermott, scottm@octaldream.com
http://www.octaldream.com/~scottm/talks/protectingemail/
04/12/23
What Is SPAM
• Unsolicited Commercial E-Mail (UCE)
  – Not requested
  – Sent to a large number of users
  – Often with forged headers
  – Often exploiting insecure mail servers
  – You don’t care about the message
What Is Malware
• Malicious Software
  – Includes viruses, worms, and trojans
  – Designed for:
    • Harm
    • Theft of data
    • Annoyance/Attention
    • Anything undesirable
Why Stop It?
• SPAM
  – Impacts productivity
  – Annoying
• Malware
  – Impacts productivity
  – Annoying
  – Impacts site security
Solutions
• Spam Filters
  – Detects spam
• Anti-virus and sanitizing software
  – Filter Malware
  – Improve Privacy and Security
Solution I Use
• Amavisd-new
  – Builds upon SpamAssassin for spam filtering
  – Builds upon a variety of anti-virus software for AV
• ClamAV
  – Open Source
  – Detects phishing and other email attacks
  – Even if you have another AV engine, it’s good to provide security in layers
SpamAssassin
• Rules
  – Header Analysis
  – Body Analysis
• Blacklists
• Razor
• Score-based
  – High enough score means it’s SPAM
SpamAssassin Scores
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (10.6 hits, 5 required)
SPAM: PLING (0.1 points) Subject has an exclamation mark
SPAM: MORTGAGE_RATES (4.4 points) BODY: Information on mortgage rates
SPAM: CLICK_BELOW (1.5 points) BODY: Asks you to click below
SPAM: OPT_IN (2.1 points) BODY: Talks about opting in
SPAM: CLICK_HERE_LINK (0.8 points) BODY: Tells you to click on a URL
SPAM: CTYPE_JUST_HTML (1.7 points) HTML-only mail, with no text version
SPAM: -------------------- End of SpamAssassin results ---------------------
Protection For All
• Filter all mail through amavisd-new
  – Use clamd
  – Spamd not used
  – Amavisd-new calls Mail::SpamAssassin directly
Amavisd-new basics
• Amavisd runs on localhost:10024
• Protocol is LMTP
  – Like ESMTP, but designed specifically for local delivery
• Analyzes message
• Sends processed message (maybe) to specified MTA
Message flow for postfix example
• Postfix receives email
• Postfix sends email to amavis on localhost:10024
• Amavis processes message
  – ClamAV
  – SpamAssassin
• Amavis sends email back to MTA, default is localhost:10025
  – Use of alternate port avoids recursion
  – Allows custom settings to improve performance
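A Postfix and amavisd-new configuration that wires up the flow above, as an added example that is not from the original talk. The transport name amavisfeed, the file paths, and the timeout and process-count values are assumptions; the ports are the ones given on the slide.

```conf
# --- /etc/postfix/main.cf (path assumed) ---
# Hand every accepted message to the amavis transport defined in master.cf.
content_filter = amavisfeed:[127.0.0.1]:10024

# --- /etc/postfix/master.cf (path assumed) ---
# Transport that speaks LMTP to amavisd-new. The process limit (2) should
# not exceed amavisd's $max_servers.
amavisfeed unix  -  -  n  -  2  lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

# Re-injection listener for mail coming back from amavisd-new.
# Loopback only: any client that can reach this port skips the filter.
# The empty content_filter is what prevents the mail from looping.
127.0.0.1:10025 inet  n  -  n  -  -  smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

# --- amavisd.conf (Perl syntax) ---
$inet_socket_port = 10024;                     # accept mail from Postfix here
$inet_socket_bind = '127.0.0.1';               # listen on loopback only
@inet_acl         = qw(127.0.0.1);             # refuse non-local clients
$forward_method   = 'smtp:[127.0.0.1]:10025';  # return path into Postfix
$notify_method    = $forward_method;           # notifications take the same path
```

The overrides on the 10025 listener skip checks that Postfix already ran when the message first arrived, which is where the performance gain comes from.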
Amavis Options
• Per-User Configuration
  – SQL backend available
• Quarantine
• Spam Options
  – Score at which spam headers are added
  – Score at which message is marked as spam
  – Score at which message is dropped on floor
• Auto-Whitelist
More Amavis Options
• Defanging
  – Bad headers
  – Spam
• Notifications
  – Sender notifications considered harmful
  – Can restrict to internal mail
Discussion
What If I’m on Windows?
• Use a UNIX relay
• Commercial Options
Software URLs (OS)
SpamAssassin: http://spamassassin.apache.org/
Amavisd-new: http://www.ijs.si/software/amavisd/
ClamAV: http://www.clamav.net