Corporate Spam Defense


Upload: aure

Post on 25-Feb-2016


DESCRIPTION

Corporate Spam Defense. Random Driver. Gilles Bouyer, Oleg Kipnis, Hang Li, Samar Patel, Ashwin Shanmugasundaram. Agenda: Solutions; Appliances / Server Side Software, Pros and Cons; Cloud Based Solution, Pros and Cons; End User Software, Pros and Cons; Methods used. PowerPoint PPT presentation.

TRANSCRIPT

Caresoft Presentation

Random Driver
Corporate Spam Defense
Gilles Bouyer, Oleg Kipnis, Hang Li, Samar Patel, Ashwin Shanmugasundaram

Random Driver #: Agenda
- Solutions
  - Appliances / Server Side Software: Pros and Cons
  - Cloud Based Solution: Pros and Cons
  - End User Software: Pros and Cons
  - Methods used
  - Legal and Other Solutions: Pros and Cons
- Proposed solution: Strengths / Weaknesses, Cost / Implementation
- Conclusion, Questions

Random Driver #2: Problem Statement

Most enterprise users are exposed to spam, which means they are exposed to more threats. Spam is an issue affecting all industrial sectors, government and education. While missing an email because of a false positive might not seem like a big deal for personal use, an enterprise has to be careful to keep communication optimized in order to reach better business results.

Spam is an attack on authenticity with the following characteristics:
- 70.7% of all email traffic is spam
- 2.3% of all emails contain malicious attachments
- 1.8% to 3% of spam makes it through spam filters
- Only 1 in 25,000 spam messages needs to be opened to be profitable for spammers
- Costs 20 billion dollars annually

We will review the defense mechanisms and recommend a solution to this problem.

Random Driver #3: Anti-Spam Appliances

Anti-spam appliances are hardware-based solutions integrated with on-board anti-spam software and are normally driven by an operating system optimized for spam filtering. They are deployed at the gateway or in front of the mail server. Appliances provide a solution that does not require configuration of the existing mail server, and can be more effective and of higher performance than a software solution installed on the mail server.

Examples: Barracuda, SpamTitan, Fortinet, Cisco IronPort.

How does Barracuda work?

1. All incoming mail is screened according to the rules of the Barracuda device and the rules that are created manually.
2. Non-spam messages go directly to the inbox folder.
3. Messages suspected of being spam are held, and the user is notified, in a Spam Quarantine.

Random Driver #: Server Side Software

Anti-spam software is installed either on the mail server itself or in front of the mail server. The purpose of this software is to remove the burden of filtering e-mail from the e-mail server.

Examples:
- Bogofilter: used by an MTA to classify messages as they are received from the sending SMTP server. Bogofilter examines tokens in the message body and header to calculate a probability score that a new message is spam.
- SpamAssassin: can be run as a standalone application on the server or as a subprogram of another application.
- MailWasher Enterprise: works as a proxy; it sits in front of the mail server, blocking and denying spam before it reaches the mail server and users.
- POPFile: typically used to filter spam mail; it can also sort mail into other user-defined "buckets" or categories.

Random Driver #: Pros and Cons

Anti-Spam Appliances
Pros:
- High reliability that works out of the box
- Operating system and application software are pre-loaded and configured
- Stable OS guarantees less downtime
- Updates itself automatically with no user intervention
Cons:
- Upfront costs
- If the hardware fails, it requires a warranty or an upfront cost to fix/replace

Server Side Software
Pros:
- Customized filters which can be personalized according to individual user requirements
- Whitelisting capabilities
- Quarantines spam mails, which are kept for a certain duration
Cons:
- Difficult to install
- Software updates can cause compatibility issues with other software on the system
- Requires updating the server OS with the latest patches

Random Driver #: Cloud Based Solutions

Cloud-based anti-spam solutions filter email on content and authenticity outside the LAN and deliver only legitimate emails to the organization.

Sample of providers:
- Heluna (https://heluna.com/), $49/year
- McAfee SaaS Email and Web Security
- MessageLabs
- Sophos
- Untangle
- Google Apps

Example of incoming mail:

Random Driver #: Pros and Cons

Pros:
- Does not slow down or interfere with programs on the workstation
- No need to update virus definitions
- Temporarily stores mail if there are LAN issues
- Built-in white / gray / black lists
Cons:
- Subscription based (about $30/user/year)
- Security of the cloud

Random Driver #: End User Software

Email clients: most email clients have a built-in basic spam filter. Outlook uses whitelists/blacklists and word blocking.

Add-ons to email clients add more powerful spam filtering to the client:
- Spam Reader: uses Bayesian filtering and whitelist/blacklist
- Vircom: uses Bayesian filtering

Stand-alone software works with email clients and web mail:
- Spamihilator: uses a combination of word blocking, Bayesian filtering and user-defined lists
- MailWasher: uses a combination of word blocking, Bayesian filtering and user-defined lists

Random Driver #: Pros and Cons

Pros:
- Filters can easily be customized for the individual user
- Fewer false positives
Cons:
- Blocked and filtered email still reaches the mail server
- Difficult for admins to configure for each user
- Scalability

Random Driver #: Methods

- Outbound filters using a transparent SMTP proxy: SMTP proxies are inserted between the sending mail servers on a local network and the receiving servers on the Internet in order to filter outgoing spam.
- DNS-based blacklists: servers maintain, via the DNS, a list of IP addresses known to send spam, and email from those sources is rejected.
- Checksum-based filtering: spam messages sent in bulk are identical except for a few changes in content. Checksum-based filters compute a checksum of the message and compare it with a database that stores checksum values of known spam messages.
- Statistical content filtering (Bayesian filtering): users mark messages as spam or non-spam and the filter learns from the users' judgments.
- Pattern detection: monitors a large database of messages worldwide to detect spam patterns.
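A working version of the statistical (Bayesian) filter described above, added here as an illustration and not code from the presentation; the training messages are constructed, and the "spam"/"ham" labels stand in for the user's mark-as-spam judgments that the filter learns from:

```python
import math, re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")

def tokenize(text):
    # Lowercased word tokens; each token counts once per message (presence).
    return set(TOKEN_RE.findall(text.lower()))

class BayesianSpamFilter:
    def __init__(self):
        self.token_counts = {"spam": Counter(), "ham": Counter()}
        self.message_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        # The user's "mark as spam / not spam" judgment feeds the counts.
        self.token_counts[label].update(tokenize(text))
        self.message_counts[label] += 1

    def token_probability(self, token, label):
        # P(token present | label) with Laplace smoothing, so a token never seen
        # under one label does not force the probability to exactly 0 or 1.
        return (self.token_counts[label][token] + 1) / (self.message_counts[label] + 2)

    def spam_probability(self, text):
        # Prior log-odds from the class counts (both classes must have examples).
        log_odds = math.log(self.message_counts["spam"] / self.message_counts["ham"])
        for token in tokenize(text):
            log_odds += math.log(self.token_probability(token, "spam"))
            log_odds -= math.log(self.token_probability(token, "ham"))
        return 1.0 / (1.0 + math.exp(-log_odds))  # back from log-odds to P(spam)

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"

# Constructed training set standing in for messages the user has already marked.
TRAINING = [
    ("Win free money now, click here for your prize", "spam"),
    ("Free prize! Click to claim your cash reward", "spam"),
    ("Cheap meds, buy now and save money", "spam"),
    ("Meeting moved to 3pm, see the project schedule", "ham"),
    ("Please review the attached quarterly report", "ham"),
    ("Lunch tomorrow? The project deadline is Friday", "ham"),
]

def build_demo_filter():
    f = BayesianSpamFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f
```

Marking a misclassified message and calling `train` again is all the retraining the approach needs, which is why the slide lists it under methods that learn from the user.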

Random Driver #: Methods

- Honey pots: an MTA which gives the appearance of being an open mail relay, or a TCP/IP proxy server which gives the appearance of being an open proxy, is set up to detect spammers who probe systems for open relays/proxies.
- Authentication and reputation: allow email from servers that have been authenticated as senders of legitimate email.
  - Domain-based Message Authentication, Reporting and Conformance (DMARC): a DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes.
  - SPF
  - DKIM

Random Driver #: Sender Policy Framework

Sender Policy Framework (SPF): an anti-spam approach in which the Internet domain of an e-mail sender can be authenticated for that sender, thereby discouraging spam mailers, who routinely disguise the origin of their e-mail.

Random Driver #: DomainKeys Identified Mail

DKIM is a specification for cryptographically signing e-mail messages. A signing domain (e.g. Gmail) claims responsibility for the email by adding a DKIM-Signature header field to the message header.

The verifier recovers the signer's public key using the DNS, and then verifies that the signature matches the actual message content. The receiving SMTP server uses the domain name and the selector to perform a DNS lookup.

Random Driver #: DKIM workflow

Random Driver #: Sending Servers

1. A message generated by a user is transmitted into the Message Handling Service (MHS) to a Mail Submission Agent (MSA) that is within the user's administrative domain.
2. The MSA accepts the message submitted by the user and enforces the policies of the hosting domain and the requirements of Internet standards.
3. The domain owner generates a public/private key pair to be used for signing outgoing messages. The default signing algorithm is RSA with SHA-256. The public key is published in a DNS TXT record, and the private key is made available to the DKIM-enabled outbound email server.
4. When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature of the message, which is inserted in the message as a header, and the email is sent as normal.

Receiving Servers

5. The signed message then passes through the Internet via Message Transfer Agents (MTAs). Relaying is performed by a sequence of MTAs until the message reaches a destination Mail Delivery Agent (MDA).
6. At the destination, the MDA extracts the signature and the claimed From: domain from the email header.
7. The public key is retrieved from the DNS system for the claimed From: domain. The public key is used by the MDA to verify the signature before passing the message on to the destination e-mail client.
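The receiving-side part of this workflow (recomputing the body hash carried in the DKIM-Signature header and building the selector-based DNS name from steps 6 and 7), added here as an illustration and not code from the presentation. The RSA signature over the headers (the b= tag) is left as a placeholder because it needs a crypto library, and the message body, domain, selector and DNS record are all constructed:

```python
import base64, hashlib, re

def canonicalize_body_simple(body):
    # DKIM "simple" body canonicalization: CRLF line endings, trailing empty lines removed.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body):
    # The bh= tag: base64 of SHA-256 over the canonicalized body (a=rsa-sha256).
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()

def parse_tags(value):
    # DKIM-Signature headers and DNS key records are both "tag=value;" lists.
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(tags):
    # Step 7: the selector (s=) and signing domain (d=) name the DNS TXT record.
    return f"{tags['s']}._domainkey.{tags['d']}"

def build_signature_header(domain, selector, body):
    # Sending-side step 4 without the RSA signature (b= is a labelled placeholder).
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER_RSA_SIGNATURE")

def verify_body_hash(header_value, body, dns_txt):
    # Receiving-side steps 6-7 up to the body-hash check; dns_txt stands in for DNS.
    tags = parse_tags(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False, "unsupported version or algorithm"
    name = key_record_name(tags)
    record = dns_txt.get(name)
    if record is None:
        return False, f"no key record at {name}"
    if not parse_tags(record).get("p"):
        return False, "key revoked (empty p= tag)"
    if body_hash(body) != tags.get("bh"):
        return False, "body hash mismatch: body altered in transit"
    return True, f"body hash verified against {name}"

# Constructed sample message body and stub DNS zone with a placeholder public key.
SAMPLE_BODY = b"Hello team,\r\n\r\nPlease find the quarterly report attached.\r\n"
SAMPLE_DNS = {"sel2016._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"}
```

Note that extra trailing blank lines added by a relay do not change the result, while any change to the body text does; a complete verifier would go on to check the b= signature over the listed headers with the key from the p= tag.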

Random Driver #15: Other Current Solutions

End user actions:
- Whitelisting: reject everything except the email addresses accepted one by one.
- Spam poisoning: restrict the distribution of one's address to only trusted parties, effectively hiding from spammers (e.g. [email protected]).
- Collaborative filtering: detect messages being sent to a large number of recipients.

Ideas under consideration:
- Micropayment: charging 1 cent per email sent. If answered, remove the charge.
- Internet Mail 2000: Internet Mail 2000 messages are stored by the sender. The receiver pulls his (her) message from the sender's server.

Random Driver #: Existing spam legislation: http://en.wikipedia.org/wiki/Email_spam_legislation_by_country

Country: Legislation
- Argentina: Personal Data Protection Act (2000)
- Australia: Spam Act 2003
- Austria: Austrian Telecommunications Act 1997
- Belgium: Loi du 11 mars 2003
- Canada: Personal Information Protection and Electronic Documents Act 2000 (PIPEDA)
- Canada: Fighting Internet and Wireless Spam Act 2010
- China: Regulations on Internet email Services (death penalty risked by spammers)
- Cyprus: Regulation of Electronic Communications and Postal Services Law of 2004
- Czech Republic: Act No. 480/2004 Coll., on Certain Information Society Services
- Denmark: Danish Marketing Practices Act
- European Union: Directive on Privacy and Electronic Communications
- Finland: Act on Data Protection in Electronic Communications (516/2004)
- France: Loi informatique et libertés, 6 January 1978
- Germany: Gesetz gegen unlauteren Wettbewerb (UWG) ("Act against Unfair Competition")
- Hong Kong: Unsolicited Electronic Messaging Ordinance
- Hungary: Act CVIII of 2001 on Electronic Commerce
- Indonesia: Undang-undang Informasi dan Transaksi Elektronik (ITE) (Internet Law)
- Ireland: European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003
- Israel: Communications Law (Telecommunications and Broadcasting), 1982 (Amendment 2008)
- Italy: Data Protection Code (Legislative Decree no. 196/2003)
- Japan: The Law on Regulation of Transmission of Specified Electronic Mail
- Malaysia: Communications and Multimedia Act 1998
- Malta: Data Protection Act (CAP 440)
- Netherlands: Dutch Telecommunications Act
- New Zealand: Unsolicited Electronic Messages Act 2007
- Pakistan: Prevention of Electronic Crimes Ordinance 2007
- Singapore: Spam Control Act 2007
- South Africa: Electronic Communications and Transactions Act, 2002
- South Africa: Consumer Protection Act, 2008
- South Korea: Act on Promotion of Information and Communication and Communications Network Utilization and Information Protection of
- Spain: Act 34/2002 of 11 July on Information Society Services and Electronic Commerce
- Sweden: Marknadsföringslagen (1995:450), Swedish Marketing Act
- United Kingdom: Privacy and Electronic Communications (EC Directive) Regulations 2003
- United States: Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act of 2003)
- None: Brazil, India, Mexico, Russia

Random Driver #: Examples of penalties

- UK, Nov 2012: Christopher Niebel and Gary McNeish fined $700,000 for sending millions of SMS messages. http://www.theverge.com/2012/11/28/3701210/sms-spammers-fined-700000-uk
- Netherlands, Oct 2012: Companeo fined €100,000 for sending 15 million emails between 2009 and 2011 without the consent of the recipients. https://www.signal-spam.fr/actualites/une-soci%C3%A9t%C3%A9-condamn%C3%A9e-%C3%A0-100-000%E2%82%AC-damende-pour-lenvoi-de-spams
- France: one man fined 22,000 for 1 million spams, plus 1,000 per new spam. http://www.tomsguide.fr/actualite/spamming,36022.html
- CASL, Canada's Anti-Spam Legislation: http://blog.eliteemail.com/2013/05/16/all-about-casl-canadas-anti-spam-legislation/
- ValueClick settled charges with the Federal Trade Commission, netting the FTC $2.9 million in civil penalties, for failing to disclose that users must first sign up for other offers (ones that cost them money) before collecting the prize. http://news.techeye.net/security/spammer-fined-a-billion-bucks
- Australian Communications and Media Authority, Spam Act 2003: regulates the sending of commercial electronic messages (CEMs) and prohibits sending these messages except in certain limited circumstances. Covers email, MMS and SMS. http://www.bit.com.au/News/316120,dont-get-stung-by-australias-anti-spam-laws.aspx
- Oct 9th 2013: Grays became the latest online retailer to get caught emailing people without providing an unsubscribe button, and the company paid AU$165,000 for the mistake.
- Russia: the biggest spammer was found dead in his apartment. http://www.theinternetpatrol.com/spammer-receives-the-death-penalty

Random Driver #: Pros and Cons

Pros:
- Several countries have legislation
- Organizations are being fined
Cons:
- The majority of countries do not have legislation
- Fines against individuals rarely work: either too high or too low
- Lack of identification
- Hard to have legislation keep up with technology
- Legislators are not tech savvy

Random Driver #: Proposed Solution

Random Driver #: Proposed Solution: Gmail Spam Filter

- Gmail spam filters use a combination of statistical filtering, content filtering and authentication methods like SPF and DKIM to filter spam
- Users can train the system by marking email as spam or not spam
- Administrators can set up whitelists/graylists/blacklists
- Scans all attachments for viruses before they reach the user
- Less than 1% of email in the inbox is reported as spam (the average is between 1.8% and 3%)
- Less than 1% of email is falsely marked as spam

Random Driver #: Cost & Implementation

Cost: $50/user/year, which includes other services and not just spam protection.

Implementation / feasibility:
- Easy to migrate from an Exchange server
- Users can continue using their current email client, like Outlook, or use web mail
- Can be implemented in 90 days for a large enterprise (>750 users), in 4 weeks for medium businesses and within 1 hour for a small business

Statistics: Gmail has no more than 1% of the enterprise email market, but it has close to 50% of the market for enterprise cloud email (2011 Gartner). 39% of small companies