AsyncOS 5.1 C-Series Configuration, Module 6 Anti-Spam (mod06 cseries ga 050407)

Upload: aitel203, posted 28-Oct-2015

TRANSCRIPT

Page 1: Mod06 Cseries GA 050407

AsyncOS 5.1 C-Series Configuration

Module 6 Anti-Spam

Page 2

Module Objectives

At the conclusion of this module you will be able to:

• Identify the IronPort approach for defending against spam
  – How the Appliance recognizes spam

• Configure and use the SenderBase Reputation filters

• Configure and use IronPort Anti-Spam for spam defense

Page 3

Module Map

• The SenderBase Network
• IronPort Anti-Spam
• Configuring and using SenderBase Reputation Filters (SBRF)
• Configuring and using IronPort Anti-Spam (IPAS)

Page 4

Spam Defense Overview

• IronPort uses two methods to defend against spam:
  – Reputation Filters (connection based)
  – IronPort Anti-Spam (content based)

[Diagram: Reputation Filters (connection based) + IronPort Anti-Spam (content based)]

Page 5

IronPort SenderBase Network

• View into over 25% of email traffic
• 20M+ IP addresses tracked globally
• Data from 100,000+ sources; 8 of the 10 largest ISPs
• Millions of human reporters & spamtraps

First, Biggest, Best Email & Web Traffic Monitoring Network

Page 6

SenderBase Network

[Diagram: data sources feeding SenderBase]

• Global Volume Data: over 100,000 organizations, email traffic, web traffic
• Message Composition Data: message size, attachment volume, attachment types, URLs, host names
• Spam Traps: SpamCop, ISPs, customer contributions
• IP Blacklists & Whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender, SORBS, OPM, DSBL
• Compromised Host Lists
• Web site Composition Data: downloaded files, linking URLs, threat heuristics
• Complaint Reports: spam, phishing, virus reports
• Domain Blacklists & Safelists: spamvertized URLs, phishing URLs, spyware sites
• Other Data: Fortune 1000, length of sending history, location, where the domain is hosted, how long it has been registered, how long the site has been up

First to combine email & web data

Over 90 email and 20 web parameters tracked

Page 7

Preventive Anti-Spam Defense: IronPort Reputation Filters

• Known good is delivered

• Suspicious is rate limited & spam filtered

• Known bad is deleted/tagged

Stop 80% Hostile Mail at the Door….

[Diagram: Incoming Mail (Good, Bad, and “Grey” or Unknown Email) -> Reputation Filtering -> Anti-Spam Engine]

Page 8

How SenderBase® Works: Data Makes the Difference

SenderBase Data:

• Complaint Reports
• Spam Traps
• Message Composition Data
• Global Volume Data
• URL Lists
• Compromised Host Lists
• Web Crawlers
• IP Blacklists & Whitelists
• Additional Data

[Diagram: SenderBase Data -> Data Analysis/Security Modeling -> SenderBase Reputation Scores (-10 to +10)]

150 Parameters; Threat Prevention in Realtime

Page 9

What SenderBase Scores Mean

[Scale graphic: -10 ... -5 ... 0 ... +5 ... +10; the descriptions below run from the top of the scale (+10) to the bottom (-10)]

• A known enterprise, or sender who has undergone third-party certification, with no complaints and a long sending history.

• Long sending history, few complaints.

• Some sending history, low or moderate complaints.

• May be a dynamic IP (e.g., dialup) sending direct to Internet or an email marketer with poor practices, or a legitimate enterprise with an open server. Possibly spam.

• Spam houses generating complaints and hitting spam traps. IP listed on one or more open proxy lists. Still guaranteed to be spam.

• An IP on one or more reliable blacklists or belonging to a suspicious new sender with some complaints and spamtrap hits. Still sending mostly spam.

• An IP address controlled by a spam house or a known open proxy generating massive volume of complaints and hitting many spamtraps. Definitely sending primarily spam.

Page 10

Becoming a SenderBase Participant

Page 11

Module Map

• The SenderBase Network
• IronPort Anti-Spam
• Configuring and using SenderBase Reputation Filters (SBRF)
• Configuring and using IronPort Anti-Spam (IPAS)

Page 12

IronPort Anti-Spam - Powerful 2nd Layer Defense

SECURITY MODELING

1. SenderBase
2. IronPort Threat Operations Center
3. Context Adaptive Scanning Engine (CASE)

CASE
• Machine Generated Rules
• Threat Evidence Clustering

SECURITY ANALYSTS
• Human Generated Rules
• 24 x 7, 32 languages

Over 100,000 updates daily

[Diagram: IronPort and Customer Site; the score is built from four questions: Who? What? Where? How?]

Page 13

Machine Generated Rules

SECURITY MODELING -> COMBINED EVIDENCE -> NEW RULES

• Mutating spam outbreaks randomize message content

• Threat Evidence Clustering identifies non-transient elements

• Over 100,000 message attributes are examined

[Diagram: evidence elements shared across messages in an outbreak: FROM: header, “Ergonomic Mouse” text, URL, Web Server Owner, Mail Server Location, Sender Reputation]

Page 14

Human Generated Rules: Powered By Threat Operations Analysts

• Monitor SenderBase Network & profile new attacks

• 24 x 7 real-time “Outbreak” Rules

• Rapid closed loop verification of reports

• Maintain real-time, globally representative email corpus

• Expert team of skilled analysts

• Staffed 24 x 7 x 365
• 32 languages spoken
• Documented & verified processes
• State-of-the-art tools & techniques

INSIDE THE TOC

Jan Mak, Manager, Threat Operations Center

Page 15

Image Spam Example

WHAT? / HOW?
• All text inside an image
• Random dots appear within the message
• Nearly identical color scheme in 100,000’s of spamtrap messages

WHO? / WHERE?
• IP address recently started sending email
• Message originated from dial-up IP address
• Sending IP address located in Russia
• Message leaves trace of spamware tool

Verdict: BLOCK

Page 16

Module Map

• The SenderBase Network
• IronPort Anti-Spam
• Configuring and using SenderBase Reputation Filters (SBRF)
• Configuring and using IronPort Anti-Spam (IPAS)

Page 17

Getting Started

• Define Mail Flow Policies
  – Conservative
  – Moderate
  – Aggressive

• Define which Sender Groups to use
  – Assign sender group policies

• Assign Reputation Scores
• Configure Reputation Scores
• Configure IronPort Anti-Spam

Page 18

Recommended Best Practices

• HAT Policies determine SBRS
  – An overly aggressive policy can lead to a false positive

Policy        Blocked      Throttle      Accepted     Trusted
Conservative  -10 to -7    -7 to -2      -2 to 7      7 to 10
Moderate      -10 to -4    -4 to -1      -1 to 6      6 to 10
Aggressive    -10 to -2    -2 to -.05    0.4 to 4     4 to 10

Page 19

Using SBRS Scores in the HAT

Sender Group   Phase 1 Policy/Action (New Setup Wizard Defaults)   Phase 2 Policy/Action (Recommended For All Customers)
BLACKLIST      BLOCKED/Reject [ -10.0 : -3.0 ]                     BLOCKED/Reject [ -10.0 : -2.0 ]
SUSPECTLIST    THROTTLED/ratelimit [ -3.0 : -1.0 ]                 THROTTLED/ratelimit [ -2.0 : -1.0 ]
WHITELIST      TRUSTED/Accept [ 9.0 : 10.0 ]

In the Basic User Guide, IronPort recommends Aggressive settings for blocking and Moderate settings for throttling, similar to the values shown above.

Page 20

Assigning Reputation Score Range per Sender Group

Q: If you want to throttle senders with an SBRS score between -7 and -2, where does that go in the HAT?

A: Add an SBRS range to a Sender Group. We could make a new SG; instead we’ll add to BLACKLIST.

GUI: Mail Policies - HAT Overview

Page 21

Assigning Reputation Score Range per Sender Group (cont.)

• Select the Suspect sender group
• Click on Edit Settings

Page 22

Assigning Reputation Score Range per Sender Group (cont.)

• SBRS allows you to watch out for sites without reputation scores
• Remember to click on “Commit Changes”

Page 23

Bypassing Spam Filtering in Mail Flow Policies

Default HAT for a Public Listener

Sender Group   Policy Name   Action   Inbound Throttling   Anti-spam   Anti-virus
WHITELIST      $TRUSTED      ACCEPT   NO                   NO          YES
BLACKLIST      $BLOCKED      REJECT   N/A                  N/A         N/A
SUSPECTLIST    $THROTTLED    ACCEPT   YES                  YES         YES
UNKNOWNLIST    $ACCEPTED     ACCEPT   Moderate             YES         YES
ALL            $ACCEPTED     ACCEPT   Moderate             YES         YES

Default HAT for a Private Listener

Sender Group   Policy Name   Action   Inbound Throttling   Anti-spam   Anti-virus
RELAYLIST      $RELAYED      ACCEPT   NO                   N/A         YES
ALL            $BLOCKED      REJECT   N/A                  N/A         N/A

• Performance and false positives are reasons you might want to do that

Page 24

Module Map

• The SenderBase Network
• IronPort Anti-Spam
• Configuring and using SenderBase Reputation Filters (SBRF)
• Configuring and using IronPort Anti-Spam (IPAS)

Page 25

Recommended IronPort Anti-Spam Settings

Positively Identified spam
• Method 1 Actions (Aggressive): Drop
• Method 2 Actions (Conservative): Deliver with “[Positive Spam]” added to the subject of messages

Suspected spam
• Method 1 Actions (Aggressive): Deliver with “[Suspected Spam]” added to the subject of messages
• Method 2 Actions (Conservative): Deliver with “[Suspected Spam]” added to the subject of messages

Page 26

Controlling IPAS Policy in Three Places

[Flow diagram, read top to bottom:]

1. Match HAT Mail Flow Policy. Skip Anti-Spam in HAT?
   – Yes: continue in Pipeline but flag to skip Anti-Spam
   – No: go on to the next match

2. Match Scriptable Message Filters. Skip Anti-Spam in filter?
   – Yes: continue in Pipeline but flag to skip Anti-Spam
   – No: go on to the next match

3. Match Mail Policy. Is Anti-Spam enabled?
   – Yes: apply Anti-Spam settings in matched Mail Policy
   – No: continue to next step in Pipeline

Once a message is flagged to skip Anti-Spam, no successive policy will change that.
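The three control points above, combined with the Phase 2 SBRS ranges from the "Using SBRS Scores in the HAT" slide and the anti-spam column of the default public listener HAT, can be modelled as a small decision function. The code below is an added example written for this transcript; it is not IronPort's code and does not reproduce the appliance's implementation. It assumes that a score matching no configured range (or no score at all) falls to UNKNOWNLIST/$ACCEPTED, that the $BLOCKED policy rejects the connection before any scanning, and that a message filter can set the skip flag but never clear it; the function and parameter names are hypothetical.

```python
# Sender groups with the Phase 2 SBRS ranges recommended on the "Using SBRS
# Scores in the HAT" slide, paired with the mail flow policy each default
# sender group uses on a public listener. Ranges are inclusive; -2.0 lies on
# both the BLACKLIST and SUSPECTLIST boundary and the first match wins, as in
# a HAT evaluated top to bottom. A score that matches no range, or a sender
# with no score at all, falls through to UNKNOWNLIST (assumption).
SENDER_GROUPS = [
    ("BLACKLIST",   -10.0, -2.0, "$BLOCKED"),
    ("SUSPECTLIST",  -2.0, -1.0, "$THROTTLED"),
    ("WHITELIST",     9.0, 10.0, "$TRUSTED"),
]
DEFAULT_GROUP = ("UNKNOWNLIST", "$ACCEPTED")

# Anti-spam column of the default public listener HAT: $TRUSTED skips
# anti-spam, $THROTTLED and $ACCEPTED scan, $BLOCKED never sees the message.
POLICY_SCANS_SPAM = {"$TRUSTED": False, "$THROTTLED": True, "$ACCEPTED": True}


def sender_group_for(sbrs):
    """Return (sender_group, mail_flow_policy) for an SBRS score (or None)."""
    if sbrs is not None:
        for group, low, high, policy in SENDER_GROUPS:
            if low <= sbrs <= high:
                return group, policy
    return DEFAULT_GROUP


def antispam_decision(sbrs, filter_skips_antispam=False,
                      mail_policy_antispam_enabled=True):
    """Walk the three control points in pipeline order.

    Returns (sender_group, policy, outcome), where outcome is "rejected"
    (the $BLOCKED policy rejects the connection), "skipped" (an earlier
    stage flagged the message to bypass anti-spam and nothing downstream
    can undo that) or "scanned" (the matched mail policy's settings apply).
    """
    group, policy = sender_group_for(sbrs)
    if policy == "$BLOCKED":
        return group, policy, "rejected"
    # 1. HAT mail flow policy: may set the skip flag.
    skip = not POLICY_SCANS_SPAM[policy]
    # 2. Scriptable message filter: may set the flag, never clears it.
    skip = skip or filter_skips_antispam
    if skip:
        return group, policy, "skipped"
    # 3. Mail policy: only reached when no earlier stage flagged the message.
    outcome = "scanned" if mail_policy_antispam_enabled else "skipped"
    return group, policy, outcome


if __name__ == "__main__":
    for score in (-5.0, -1.5, None, 3.0, 9.5):
        print(score, antispam_decision(score))
    # A filter that flags the message wins even though the mail policy scans:
    print(antispam_decision(3.0, filter_skips_antispam=True))
```

The early return in step 2 is the point the slide makes: the mail policy's own anti-spam setting is only consulted when neither the HAT nor a message filter has already flagged the message.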

Page 27

Configuring IronPort Anti-Spam

IronPort Anti-Spam has very few global settings.

Page 28

Choosing Mail Policy Spam Settings

[Screenshot with callouts 1, 2, 3]

Page 29

Choosing Mail Policy Spam Settings (cont.)

• You have the same choices for Spam and Suspected Spam

• Modify the message if you want to deliver suspected spam and mark it somehow

• Redirect, quarantine, or archive the message if you want to avoid normal delivery

• Override Default policy

Page 30

Logging of SBRS and IronPort Anti-Spam

Info: New SMTP ICID 27150 interface Data 1 (192.35.195.42) address 200.42.233.54
Info: Start MID 28786 ICID 27150
Info: MID 28786 ICID 27150 From: <[email protected]>
Info: MID 28786 ICID 27150 RID 0 To: <[email protected]>
Info: MID 28786 Message-ID '<201f01c5995b$d8701fb8$3bbc4b03@bdznpmb>'
Info: MID 28786 Subject "Get Cia'lis soft.tabs - no prior pr.escriptionneeded"
Info: MID 28786 ready 907 bytes from <[email protected]>
Info: MID 28786 matched all recipients for per-recipient policy SCU.COM Recipients
Info: MID 28786 using engine: CASE spam positive
Info: Message aborted MID 28786 Dropped by CASE
Info: Message finished MID 28786 done
Info: ICID 27150 close
Info: CASE - engine (25372) : [MID 28754] case-daemon: checking message <[email protected]> for (unknown):783
Info: CASE - engine (25372) : [MID 28754] case-daemon: clean message (0.0/5.0) for (unknown):783 in 0.1 seconds, 3590 bytes.
Info: CASE - engine (25372) : [MID 28754] case-daemon: result: . 0 - SUCCESS scantime=0.1,size=3590,user=(unknown),uid=783,required_score=5.0,rhost=local
Info: CASE update - Checking for CASE Update
Info: CASE utility - processed 4351 entries, changed 1364 removed 1410 added 1577
Info: CASE update - Restarting daemons - updated uridb_updates from package 20050803_231014
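The log excerpt above spreads one message across several lines keyed by ICID (the connection) and MID (the message), so answering "which IP sent the message CASE dropped?" means correlating the two. The parser below is an added example for this transcript, not IronPort code or an IronPort tool. Its sample log is constructed: the MID/ICID numbers, IP addresses and e-mail addresses are placeholders, and the second message's "CASE spam negative" verdict line is assumed to follow the engine's wording for a clean message rather than being taken from the slide.

```python
import re
from collections import Counter

# Constructed sample mail log modelled on the slide's excerpt (placeholder
# MIDs, ICIDs, IPs and addresses; the "spam negative" line is assumed wording).
SAMPLE_LOG = """\
Info: New SMTP ICID 27150 interface Data 1 (192.35.195.42) address 200.42.233.54
Info: Start MID 28786 ICID 27150
Info: MID 28786 ICID 27150 From: <sender@example.net>
Info: MID 28786 ICID 27150 RID 0 To: <user@example.com>
Info: MID 28786 Subject "Get Cia'lis soft.tabs - no prior pr.escription needed"
Info: MID 28786 ready 907 bytes from <sender@example.net>
Info: MID 28786 matched all recipients for per-recipient policy SCU.COM Recipients
Info: MID 28786 using engine: CASE spam positive
Info: Message aborted MID 28786 Dropped by CASE
Info: Message finished MID 28786 done
Info: ICID 27150 close
Info: New SMTP ICID 27151 interface Data 1 (192.35.195.42) address 198.51.100.7
Info: Start MID 28787 ICID 27151
Info: MID 28787 ICID 27151 From: <news@example.org>
Info: MID 28787 ICID 27151 RID 0 To: <user@example.com>
Info: MID 28787 Subject "Weekly update"
Info: MID 28787 using engine: CASE spam negative
Info: Message finished MID 28787 done
Info: ICID 27151 close
"""

# One pattern per log event of interest. Connection (ICID) lines carry the
# remote IP; message (MID) lines carry sender, subject, verdict and outcome.
RE_ICID_NEW = re.compile(r"New SMTP ICID (\d+) .* address (\S+)$")
RE_MID_START = re.compile(r"Start MID (\d+) ICID (\d+)")
RE_FROM = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
RE_SUBJECT = re.compile(r'MID (\d+) Subject "(.*)"$')
RE_VERDICT = re.compile(r"MID (\d+) using engine: CASE spam (\w+)")
RE_ABORTED = re.compile(r"Message aborted MID (\d+) (.+)$")
RE_FINISHED = re.compile(r"Message finished MID (\d+) done")


def summarize(log_text):
    """Correlate ICID and MID lines into one record per message.

    Returns {mid: {"icid", "remote_ip", "sender", "subject", "verdict",
    "disposition"}}; disposition is "dropped" when the engine aborted the
    message and "delivered" when it simply finished.
    """
    conn_ip = {}   # ICID -> remote IP, from "New SMTP ICID" lines
    msgs = {}      # MID  -> record
    for line in log_text.splitlines():
        if m := RE_ICID_NEW.search(line):
            conn_ip[int(m.group(1))] = m.group(2)
        elif m := RE_MID_START.search(line):
            mid, icid = int(m.group(1)), int(m.group(2))
            msgs[mid] = {"icid": icid, "remote_ip": conn_ip.get(icid),
                         "sender": None, "subject": None,
                         "verdict": None, "disposition": None}
        elif m := RE_FROM.search(line):
            msgs[int(m.group(1))]["sender"] = m.group(2)
        elif m := RE_SUBJECT.search(line):
            msgs[int(m.group(1))]["subject"] = m.group(2)
        elif m := RE_VERDICT.search(line):
            msgs[int(m.group(1))]["verdict"] = m.group(2)
        elif m := RE_ABORTED.search(line):
            msgs[int(m.group(1))]["disposition"] = "dropped"
        elif m := RE_FINISHED.search(line):
            rec = msgs[int(m.group(1))]
            if rec["disposition"] is None:   # a dropped message also logs "finished"
                rec["disposition"] = "delivered"
    return msgs


def verdict_counts(log_text):
    """Count CASE verdicts across the log, e.g. {"positive": 1, "negative": 1}."""
    return Counter(r["verdict"] for r in summarize(log_text).values() if r["verdict"])


if __name__ == "__main__":
    for mid, rec in summarize(SAMPLE_LOG).items():
        print(mid, rec["remote_ip"], rec["sender"], rec["verdict"], rec["disposition"])
    print(dict(verdict_counts(SAMPLE_LOG)))
```

Keying the connection lines by ICID first and looking the IP up when the MID starts is what makes the join work; note that "Message finished ... done" appears for the dropped message too, so the outcome is taken from the "aborted" line when present.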

Page 31

Using Headers for Tracking and Testing Spam

Status header
  Example: X-IronPort-Anti-Spam-Filtered: true
  Use: Troubleshooting - Confirm message was scanned by Anti-Spam

Suspect spam header
  Example: X-advertisement: suspect spam
  Use: Testing - Used to trigger a suspected spam verdict

Definite spam header
  Example: X-advertisement: spam
  Use: Testing - Used to trigger a spam positive verdict

Definite spam body
  Example: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
  Use: Testing - Insert in body to trigger a spam positive verdict

Tracker header
  Example: X-IronPort-Anti-Spam-Result: AISrAr..
  Use: Troubleshooting - IronPort Support can decipher this to understand the verdict on a message

Page 32

Module 6 Lab: Implement Anti-Spam using SenderBase and IronPort Anti-Spam

• Use SenderBase Reputation Scores and IronPort Anti-Spam filtering to reduce spam

• Configure your HAT to inform spammers of their reputation score.

• Enable IronPort Anti-Spam filter.

Page 33

Module 6 Lab: Implement Anti-Spam using SenderBase and IronPort Anti-Spam

Page 34

Module 6 Lab: Implement Anti-Spam using SenderBase and IronPort Anti-Spam

Page 35

Module Summary

You are now able to:

• Identify the IronPort approach for defending against spam
  – How the Appliance recognizes spam

• Configure and use the SenderBase Reputation filters

• Configure and use IronPort Anti-Spam for spam defense

Page 36