protecting e-mail from spam and malware


Upload: scott-mcdermott

Post on 13-May-2015


Page 1: Protecting E-mail From SPAM and Malware

Protecting email from SPAM and Malware

By Scott [email protected]

http://www.octaldream.com/~scottm/talks/protectingemail/

04/12/23

What Is SPAM

• Unsolicited Commercial E-Mail (UCE)
  – Not requested
  – Sent to a large number of users
  – Often with forged headers
  – Often exploiting insecure mail servers
  – You don’t care about the message


What Is Malware

• Malicious Software
  – Includes viruses, worms, and trojans
  – Designed for:
    • Harm
    • Theft of data
    • Annoyance/Attention
    • Anything undesirable


Why Stop It?

• SPAM
  – Impacts productivity
  – Annoying
• Malware
  – Impacts productivity
  – Annoying
  – Impacts site security


Solutions

• Spam Filters
  – Detects spam
• Anti-virus and sanitizing software
  – Filter Malware
  – Improve Privacy and Security


Solution I Use

• Amavisd-new
  – Builds upon SpamAssassin for spam filtering
  – Builds upon a variety of anti-virus software for AV
• ClamAV
  – Open Source
  – Detects phishing and other email attacks
  – Even if you have another AV engine, it’s good to provide security in layers


SpamAssassin

• Rules
  – Header Analysis
  – Body Analysis
• Blacklists
• Razor
• Score-based
  – High enough score means it’s SPAM


SpamAssassin Scores

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (10.6 hits, 5 required)
SPAM: PLING (0.1 points) Subject has an exclamation mark
SPAM: MORTGAGE_RATES (4.4 points) BODY: Information on mortgage rates
SPAM: CLICK_BELOW (1.5 points) BODY: Asks you to click below
SPAM: OPT_IN (2.1 points) BODY: Talks about opting in
SPAM: CLICK_HERE_LINK (0.8 points) BODY: Tells you to click on a URL
SPAM: CTYPE_JUST_HTML (1.7 points) HTML-only mail, with no text version
SPAM: -------------------- End of SpamAssassin results ---------------------


Protection For All

• Filter all mail through amavisd-new
  – Use clamd
  – Spamd not used
  – Amavisd-new calls Mail::SpamAssassin directly


Amavisd-new basics

• Amavisd runs on localhost:10024
• Protocol is LMTP
  – Like ESMTP, but designed specifically for local delivery
• Analyzes message
• Sends processed message (maybe) to specified MTA


Message flow for postfix example

• Postfix receives email
• Postfix sends email to amavis on localhost:10024
• Amavis processes message
  – ClamAV
  – SpamAssassin
• Amavis sends email back to MTA, default is localhost:10025
  – Use of alternate port avoids recursion
  – Allows custom settings to improve performance
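
An added example (not from the original slides or the amavisd-new project) for the flow above: a small Python audit of the Postfix master.cf listener that amavisd re-injects mail to, checking that it cannot recurse into the filter and cannot be reached without passing through it. The master.cf fragment is constructed, and the service name smtp-amavis and the specific -o overrides shown are assumptions.

```python
import re

# Constructed master.cf fragment for the flow on the slide: Postfix hands mail to
# amavisd on 10024 and amavisd re-injects on 10025. "smtp-amavis" is an assumed name.
SAMPLE_MASTER_CF = """\
smtp-amavis unix - - n - 2 lmtp
    -o lmtp_data_done_timeout=1200
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

OPT = re.compile(r"-o\s+(\w+)=(\S*)")   # one "-o name=value" override
LOOPBACK = ("127.", "[::1]")

def parse_services(text):
    """Map each master.cf service name to its type and -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():        # a new entry starts in column 1
            fields = line.split()
            current = {"type": fields[1], "opts": {}}
            services[fields[0]] = current
        if current is not None:          # indented lines continue the entry
            for m in OPT.finditer(line):
                current["opts"][m.group(1)] = m.group(2)
    return services

def audit_reinjection(text, port="10025"):
    """Return a list of problems with the listener amavisd sends mail back to."""
    listeners = {name: svc for name, svc in parse_services(text).items()
                 if svc["type"] == "inet" and name.rsplit(":", 1)[-1] == port}
    if not listeners:
        return [f"no inet listener on port {port}"]
    problems = []
    for name, svc in listeners.items():
        host = name.rsplit(":", 1)[0] if ":" in name else ""
        if not host.startswith(LOOPBACK) and host != "localhost":
            problems.append(f"{name}: not bound to loopback, so the filter can be skipped")
        if svc["opts"].get("content_filter") != "":
            problems.append(f"{name}: content_filter not cleared, mail recurses into amavisd")
        nets = [n for n in svc["opts"].get("mynetworks", "").split(",") if n]
        if not nets or not all(n.startswith(LOOPBACK) for n in nets):
            problems.append(f"{name}: mynetworks is not limited to loopback")
    return problems

if __name__ == "__main__":
    print(audit_reinjection(SAMPLE_MASTER_CF) or "re-injection listener looks sane")
```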


Amavis Options

• Per-User Configuration
  – SQL backend available
• Quarantine
• Spam Options
  – Score at which spam headers are added
  – Score at which message is marked as spam
  – Score at which message is dropped on floor
• Auto-Whitelist


More Amavis Options

• Defanging
  – Bad headers
  – Spam
• Notifications
  – Sender notifications considered harmful
  – Can restrict to internal mail


Discussion


What If I’m on Windows?

• Use a UNIX relay
• Commercial Options


Software URLs (OS)

SpamAssassin: http://spamassassin.apache.org/

Amavisd-new: http://www.ijs.si/software/amavisd/

ClamAV: http://www.clamav.net