AsyncOS 5.1 C-Series Configuration
Module 6 Anti-Spam
Module Objectives
At the conclusion of this module you will be able to:
• Identify the IronPort approach for defending against spam
 – How the Appliance recognizes spam
• Configure and use the SenderBase Reputation filters
• Configure and use IronPort Anti-Spam for spam defense
Module Map
• The SenderBase Network
• IronPort Anti-Spam
• Configuring and using SenderBase Reputation Filters (SBRF)
• Configuring and using IronPort Anti-Spam (IPAS)
Spam Defense Overview
• IronPort uses two methods to defend against spam:
 – Reputation Filters (connection based)
 – IronPort Anti-Spam (content based)
[Figure: Reputation Filters (connection based) + IronPort Anti-Spam (content based)]
IronPort SenderBase Network
View into over 25% of email traffic
20M+ IP addresses tracked globally
Data from 100,000+ sources; 8 of the 10 largest ISPs
Millions of human reporters & spamtraps
First, Biggest, Best Email & Web Traffic Monitoring Network
SenderBase Network
• Global Volume Data: over 100,000 organizations, email traffic, web traffic
• Message Composition Data: message size, attachment volume, attachment types, URLs, host names
• Spam Traps: SpamCop, ISPs, customer contributions
• IP Blacklists & Whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender
• Compromised Host Lists: SORBS, OPM, DSBL
• Web Site Composition Data: downloaded files, linking URLs, threat heuristics
• Complaint Reports: spam, phishing, virus reports
• Domain Blacklists & Safelists: spamvertized URLs, phishing URLs, spyware sites
• Other Data: Fortune 1000, length of sending history, location, where the domain is hosted, how long it has been registered, how long the site has been up
First to combine email & web data
Over 90 email and 20 web parameters tracked
Preventive Anti-Spam Defense: IronPort Reputation Filters
• Known good is delivered
• Suspicious is rate limited & spam filtered
• Known bad is deleted/tagged
Stop 80% Hostile Mail at the Door…
[Figure: Incoming mail (good, bad, and "grey" or unknown email) → Reputation Filtering → Anti-Spam Engine]
How SenderBase® Works: Data Makes the Difference
• Complaint Reports
• Spam Traps
• Message Composition Data
• Global Volume Data
• URL Lists
• Compromised Host Lists
• Web Crawlers
• IP Blacklists & Whitelists
• Additional Data
[Figure: SenderBase Data → Data Analysis/Security Modeling → SenderBase Reputation Scores (-10 to +10); 150 parameters; threat prevention in real time]
What SenderBase Scores Mean
[Figure: scale runs from -10 through -5, 0 and +5 to +10; the descriptions below are ordered from best (+10) to worst (-10) reputation]
• A known enterprise, or sender who has undergone third-party certification, with no complaints and a long sending history.
• Long sending history, few complaints.
• Some sending history, low or moderate complaints.
• May be a dynamic IP (e.g., dialup) sending direct to Internet or an email marketer with poor practices, or a legitimate enterprise with an open server. Possibly spam.
• Spam houses generating complaints and hitting spam traps. IP listed on one or more open proxy lists. Still guaranteed to be spam.
• An IP on one or more reliable blacklists or belonging to a suspicious new sender with some complaints and spamtrap hits. Still sending mostly spam.
• An IP address controlled by a spam house or a known open proxy generating massive volume of complaints and hitting many spamtraps. Definitely sending primarily spam.
Becoming a SenderBase Participant
Module Map
• The SenderBase Network
• IronPort Anti-Spam
• Configuring and using SenderBase Reputation Filters (SBRF)
• Configuring and using IronPort Anti-Spam (IPAS)
IronPort Anti-Spam - Powerful 2nd Layer Defense
SECURITY MODELING
1. SenderBase
2. IronPort Threat Operations Center
3. Context Adaptive Scanning Engine (CASE)
CASE
• Machine Generated Rules
• Threat Evidence Clustering
SECURITY ANALYSTS
• Human Generated Rules
• 24 x 7, 32 languages
Over 100,000 updates daily
[Figure: at the customer site, IronPort scores each message on How? Where? Who? What?]
Machine Generated Rules
• Mutating spam outbreaks randomize message content
• Threat Evidence Clustering identifies non-transient elements
• Over 100,000 message attributes are examined
[Figure: Security Modeling → Combined Evidence → New Rules; evidence items shown include FROM: header, "Ergonomic Mouse" text, URL, web server owner, mail server location and sender reputation]
Human Generated Rules: Powered By Threat Operations Analysts
• Monitor SenderBase Network & profile new attacks
• 24 x 7 real-time "Outbreak" Rules
• Rapid closed loop verification of reports
• Maintain real-time, globally representative email corpus
• Expert team of skilled analysts
• Staffed 24 x 7 x 365
• 32 languages spoken
• Documented & verified processes
• State-of-the-art tools & techniques
INSIDE THE TOC
Jan Mak, Manager, Threat Operations Center
Image Spam Example
WHAT? HOW? WHO? WHERE?
• All text inside an image
• Random dots appear within the message
• Nearly identical color scheme in 100,000's of spamtrap msgs
• IP address recently started sending email
• Message originated from dial-up IP address
• Sending IP address located in Russia
• Message leaves trace of spamware tool
Verdict: BLOCK
Module Map
• The SenderBase Network
• IronPort Anti-Spam
• Configuring and using SenderBase Reputation Filters (SBRF)
• Configuring and using IronPort Anti-Spam (IPAS)
Getting Started
• Define Mail Flow Policies
 – Conservative
 – Moderate
 – Aggressive
• Define which Sender Groups to use
 – Assign sender group policies
• Assign Reputation Scores
• Configure Reputation Scores
• Configure IronPort Anti-Spam
Recommended Best Practices
• HAT Policies determine SBRS
 – An overly aggressive policy can lead to a false positive

Policy         Blocked      Throttled     Accepted    Trusted
Conservative   -10 to -7    -7 to -2      -2 to 7     7 to 10
Moderate       -10 to -4    -4 to -1      -1 to 6     6 to 10
Aggressive     -10 to -2    -2 to -.05    0.4 to 4    4 to 10
Using SBRS Scores in the HAT
Sender Group   Phase 1 Policy/Action (New Setup Wizard Defaults)   Phase 2 Policy/Action (Recommended For All Customers)
BLACKLIST      BLOCKED/Reject [ -10.0 : -3.0 ]                     BLOCKED/Reject [ -10.0 : -2.0 ]
SUSPECTLIST    THROTTLED/ratelimit [ -3.0 : -1.0 ]                 THROTTLED/ratelimit [ -2.0 : -1.0 ]
WHITELIST      TRUSTED/Accept [ 9.0 : 10.0 ]

In the Basic User Guide, IronPort recommends Aggressive settings for blocking and Moderate settings for throttling, similar to the values shown above.
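An added example (my own Python, not IronPort's code or configuration) that evaluates an inbound connection's SBRS against an ordered HAT built from the Phase 2 sender groups above, with ALL → $ACCEPTED as the catch-all from the default public-listener HAT. First-match-wins ordering, inclusive range boundaries and the "match senders with no score" flag are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SenderGroup:
    name: str                            # e.g. BLACKLIST
    policy: str                          # mail flow policy, e.g. $BLOCKED
    action: str                          # REJECT / ratelimit / ACCEPT
    sbrs_low: Optional[float] = None     # inclusive lower bound of the SBRS range (assumption)
    sbrs_high: Optional[float] = None    # inclusive upper bound; None on both means catch-all
    match_no_score: bool = False         # assumption: also match senders that have no SBRS


# Phase 2 ranges from the "Using SBRS Scores in the HAT" table; ALL -> $ACCEPTED is the
# catch-all row of the default public-listener HAT. Order matters: first match wins.
PHASE2_HAT: List[SenderGroup] = [
    SenderGroup("WHITELIST",   "$TRUSTED",   "ACCEPT",      9.0, 10.0),
    SenderGroup("BLACKLIST",   "$BLOCKED",   "REJECT",    -10.0, -2.0),
    SenderGroup("SUSPECTLIST", "$THROTTLED", "ratelimit",  -2.0, -1.0, match_no_score=True),
    SenderGroup("ALL",         "$ACCEPTED",  "ACCEPT"),
]


def match_sender_group(sbrs: Optional[float], hat: List[SenderGroup]) -> SenderGroup:
    """Return the first sender group in HAT order whose SBRS range matches.

    A score exactly on a shared boundary (here -2.0) lands in whichever group is listed
    first, so BLACKLIST rather than SUSPECTLIST. A sender with no score (None) only
    matches a group that opted in via match_no_score, otherwise it falls to the catch-all.
    """
    for group in hat:
        if group.sbrs_low is None and group.sbrs_high is None:
            return group                          # catch-all group, no range configured
        if sbrs is None:
            if group.match_no_score:
                return group
            continue
        if group.sbrs_low <= sbrs <= group.sbrs_high:
            return group
    raise LookupError("HAT has no catch-all sender group")


def describe(sbrs: Optional[float], hat: List[SenderGroup] = PHASE2_HAT) -> str:
    """One-line summary of what the listener would do with this connection."""
    g = match_sender_group(sbrs, hat)
    shown = "none" if sbrs is None else f"{sbrs:+.1f}"
    return f"SBRS {shown}: sender group {g.name}, policy {g.policy}, action {g.action}"
```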
Assigning Reputation Score Range per Sender Group
Q: If you want to throttle senders with an SBRS score between -7 and -2, where does that go in the HAT?
A: Add an SBRS range to a Sender Group.
We could make a new SG; instead we'll add to BLACKLIST
GUI: Mail Policies - HAT Overview
Assigning Reputation Score Range per Sender Group (cont.)
Select the Suspect sender group
Click on Edit Settings
Assigning Reputation Score Range per Sender Group (cont.)
SBRS allows you to watch out for sites without reputation scores
Remember to click on "Commit Changes"
Bypassing Spam Filtering in Mail Flow Policies
Default HAT for a Public Listener

Sender Group   Policy Name   Action   Inbound Throttling   Anti-spam   Anti-virus
WHITELIST      $TRUSTED      ACCEPT   NO                   NO          YES
BLACKLIST      $BLOCKED      REJECT   N/A                  N/A         N/A
SUSPECTLIST    $THROTTLED    ACCEPT   YES                  YES         YES
UNKNOWNLIST    $ACCEPTED     ACCEPT   Moderate             YES         YES
ALL            $ACCEPTED     ACCEPT   Moderate             YES         YES

Default HAT for a Private Listener

Sender Group   Policy Name   Action   Inbound Throttling   Anti-spam   Anti-virus
RELAYLIST      $RELAYED      ACCEPT   NO                   NO          YES
ALL            $BLOCKED      REJECT   N/A                  N/A         N/A

• Performance and false positives are reasons you might want to bypass spam filtering for a mail flow policy
Module Map
• The SenderBase Network
• IronPort Anti-Spam
• Configuring and using SenderBase Reputation Filters (SBRF)
• Configuring and using IronPort Anti-Spam (IPAS)
Recommended IronPort Anti-Spam Settings
Spam                    Method 1 Actions (Aggressive)                                       Method 2 Actions (Conservative)
Positively Identified   Drop                                                                Deliver with "[Positive Spam]" added to the subject of messages
Suspected               Deliver with "[Suspected Spam]" added to the subject of messages    Deliver with "[Suspected Spam]" added to the subject of messages
Controlling IPAS Policy in Three Places
[Flowchart, rendered as steps]
1. Match HAT Mail Flow Policy. Skip Anti-Spam in HAT? Yes: continue in pipeline but flag to skip Anti-Spam. No: continue to step 2.
2. Match scriptable message filters. Skip Anti-Spam in filter? Yes: continue in pipeline but flag to skip Anti-Spam. No: continue to step 3.
3. Match Mail Policy. Is Anti-Spam enabled? Yes: apply Anti-Spam settings in matched Mail Policy. No: continue to next step in Pipeline.
Once a message is flagged to skip Anti-Spam, no successive policy will change that
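An added example (my own Python, not the appliance's code) that walks the three decision points above in pipeline order and models the sticky skip flag: a later stage can set it but never clear it, and a mail policy with Anti-Spam enabled cannot override a skip set by the HAT or a filter. The anti-spam column of the default HAT tables supplies the per-policy behaviour; representing a scriptable message filter as a predicate is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Anti-spam column of the page's default HAT tables, keyed by mail flow policy.
# $BLOCKED connections are rejected at the HAT and never enter the pipeline.
POLICY_RUNS_ANTISPAM: Dict[str, bool] = {
    "$TRUSTED": False, "$THROTTLED": True, "$ACCEPTED": True, "$RELAYED": False,
}


@dataclass
class Message:
    mail_flow_policy: str          # matched at the HAT, e.g. "$ACCEPTED"
    envelope_from: str
    skip_antispam: bool = False    # the sticky flag: set once, never cleared downstream
    flagged_by: Optional[str] = None


# Assumption: a scriptable message filter is modelled as a predicate that returns
# True when its action for this message is "skip anti-spam".
MessageFilter = Callable[[Message], bool]


def run_antispam_pipeline(msg: Message, filters: List[MessageFilter],
                          mail_policy_antispam_enabled: bool) -> str:
    """Walk the three decision points in pipeline order and report the outcome."""
    # 1. HAT mail flow policy: anti-spam NO means flag the message and keep going.
    if not POLICY_RUNS_ANTISPAM[msg.mail_flow_policy]:
        msg.skip_antispam, msg.flagged_by = True, "HAT mail flow policy"
    # 2. Scriptable message filters: may set the flag, cannot clear one already set.
    if not msg.skip_antispam and any(f(msg) for f in filters):
        msg.skip_antispam, msg.flagged_by = True, "message filter"
    # 3. Mail policy: consulted only if nothing upstream flagged the message. Even a
    #    mail policy with Anti-Spam enabled cannot override an earlier skip flag.
    if msg.skip_antispam:
        return f"skipped ({msg.flagged_by})"
    if not mail_policy_antispam_enabled:
        return "skipped (mail policy has Anti-Spam disabled)"
    return "scanned by IronPort Anti-Spam"


# Constructed filter for the demo: skip scanning for mail from a partner domain.
skip_partner: MessageFilter = lambda m: m.envelope_from.endswith("@partner.example")
```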
Configuring IronPort Anti-Spam
IronPort Anti-Spam has very few global settings
Choosing Mail Policy Spam Settings
Choosing Mail Policy Spam Settings (cont.)
You have the same choices for Spam and Suspected Spam
Modify the message if you want to deliver suspected spam and mark it somehow
Redirect, quarantine, or archive the message if you want to avoid normal delivery
Override Default policy
Logging of SBRS and IronPort Anti-Spam
Info: New SMTP ICID 27150 interface Data 1 (192.35.195.42) address 200.42.233.54
Info: Start MID 28786 ICID 27150
Info: MID 28786 ICID 27150 From: <[email protected]>
Info: MID 28786 ICID 27150 RID 0 To: <[email protected]>
Info: MID 28786 Message-ID '<201f01c5995b$d8701fb8$3bbc4b03@bdznpmb>'
Info: MID 28786 Subject "Get Cia'lis soft.tabs - no prior pr.escription needed"
Info: MID 28786 ready 907 bytes from <[email protected]>
Info: MID 28786 matched all recipients for per-recipient policy SCU.COM Recipients
Info: MID 28786 using engine: CASE spam positive
Info: Message aborted MID 28786 Dropped by CASE
Info: Message finished MID 28786 done
Info: ICID 27150 close
Info: CASE - engine (25372) : [MID 28754] case-daemon: checking message <[email protected]> for (unknown):783
Info: CASE - engine (25372) : [MID 28754] case-daemon: clean message (0.0/5.0) for (unknown):783 in 0.1 seconds, 3590 bytes.
Info: CASE - engine (25372) : [MID 28754] case-daemon: result: . 0 - SUCCESS scantime=0.1,size=3590,user=(unknown),uid=783,required_score=5.0,rhost=local
Info: CASE update - Checking for CASE Update
Info: CASE utility - processed 4351 entries, changed 1364 removed 1410 added 1577
Info: CASE update - Restarting daemons - updated uridb_updates from package 20050803_231014
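An added example (my own Python, not an IronPort tool) that correlates mail_logs lines of the shapes shown above by MID, joining the sending address through the ICID, so a CASE verdict and drop can be tied back to the connection that delivered the message. The sample log is constructed to mirror the page's line formats with documentation addresses; the regexes are mine and match only these line types.

```python
import re
from collections import defaultdict
from typing import Dict

# One pattern per line type seen on this page (the log is free text, not a fixed schema).
RE_ICID = re.compile(r"New SMTP ICID (\d+) .* address (\S+)")
RE_FROM = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")
RE_VERDICT = re.compile(r"MID (\d+) using engine: CASE (.+)$")
RE_DROP = re.compile(r"Message aborted MID (\d+) Dropped by CASE")
RE_SCORE = re.compile(r"\[MID (\d+)\] case-daemon: (.+?) \(([\d.]+)/([\d.]+)\)")

# Constructed sample modelled on the page's log (addresses are documentation ranges).
SAMPLE_LOG = """\
Info: New SMTP ICID 27150 interface Data 1 (192.0.2.10) address 198.51.100.23
Info: Start MID 28786 ICID 27150
Info: MID 28786 ICID 27150 From: <sender@example.net>
Info: MID 28786 ICID 27150 RID 0 To: <user@example.com>
Info: MID 28786 using engine: CASE spam positive
Info: Message aborted MID 28786 Dropped by CASE
Info: ICID 27150 close
Info: CASE - engine (25372) : [MID 28754] case-daemon: checking message <a@example.org> for (unknown):783
Info: CASE - engine (25372) : [MID 28754] case-daemon: clean message (0.0/5.0) for (unknown):783 in 0.1 seconds, 3590 bytes.
"""


def parse_mail_log(text: str) -> Dict[str, dict]:
    """Correlate log lines by MID, joining the remote address through the ICID."""
    icid_addr: Dict[str, str] = {}
    mids: Dict[str, dict] = defaultdict(dict)
    for line in text.splitlines():
        if m := RE_ICID.search(line):          # connection opened: remember its address
            icid_addr[m.group(1)] = m.group(2)
        elif m := RE_FROM.search(line):        # message starts on that connection
            mid, icid, sender = m.groups()
            mids[mid].update(icid=icid, mail_from=sender, remote_addr=icid_addr.get(icid))
        elif m := RE_VERDICT.search(line):     # per-recipient policy verdict
            mids[m.group(1)]["verdict"] = m.group(2).strip()
        elif m := RE_DROP.search(line):        # action taken on a spam-positive message
            mids[m.group(1)]["action"] = "dropped"
        elif m := RE_SCORE.search(line):       # CASE daemon score/threshold line
            mid, result, score, threshold = m.groups()
            mids[mid].update(case_result=result, case_score=float(score),
                             case_threshold=float(threshold))
    return dict(mids)


def dropped_senders(text: str) -> Dict[str, str]:
    """Map each dropped MID to the remote address that sent it, for triage or SBRS review."""
    return {mid: r.get("remote_addr", "?") for mid, r in parse_mail_log(text).items()
            if r.get("action") == "dropped"}
```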
Using Headers for Tracking and Testing Spam
Name                   Example                                                                Use
Status header          X-IronPort-Anti-Spam-Filtered: true                                    Troubleshooting - confirm message was scanned by Anti-Spam
Suspect spam header    X-advertisement: suspect spam                                          Testing - used to trigger a suspected spam verdict
Definite spam header   X-advertisement: spam                                                  Testing - used to trigger a spam positive verdict
Definite spam body     XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X   Testing - insert in body to trigger a spam positive verdict
Tracker header         X-IronPort-Anti-Spam-Result: AISrAr..                                  Troubleshooting - IronPort Support can decipher this to understand the verdict on a message
Module 6 Lab: Implement Anti-Spam using SenderBase and IronPort Anti-Spam
• Use SenderBase Reputation Scores and IronPort Anti-Spam filtering to reduce spam
• Configure your HAT to inform spammers of their reputation score.
• Enable IronPort Anti-Spam filter.
Module Summary
You are now able to:
• Identify the IronPort approach for defending against spam
 – How the Appliance recognizes spam
• Configure and use the SenderBase Reputation filters
• Configure and use IronPort Anti-Spam for spam defense