
Anti-Virus and Anti-Spam

Waikato Linux Users Group, Monday 27th October 2003. Craig Box, http://www.wlug.org.nz/CraigBox
Synopsis: why viruses on Linux are not an issue; setting up a mail server with virus and spam filtering; client side filtering.


Presentation Transcript


  1. Anti-Virus and Anti-Spam
  Waikato Linux Users Group, Monday 27th October 2003
  Craig Box, http://www.wlug.org.nz/CraigBox

  2. Happy Birthday To Me

  3. Synopsis
  • Why viruses in Linux are not an issue
  • Setting up a mail server with virus and spam filtering
  • Client side filtering
    • Bayesian filtering & Mozilla Mail
    • SpamAssassin in Evolution/KMail
  • Using DNS to stop spam
  • Virus scanning of cached web pages

  4. Viruses
  • Not a threat on Linux
  • Viruses in the wild: close to none
    • Staog: attempted root exploits in order to infect ELF binaries
    • Bliss: a "polite" virus (it logs the files it infects and can undo the infection)
    • Slapper: a worm that spread through an OpenSSL flaw in Apache's mod_ssl, not a file infector
  • A virus must
    • run
    • be able to write to executables
    • spread
  • An ordinary Unix user cannot write to system executables, which breaks the chain. This is why Unix users claim LindowsOS, whose default user runs as root, is broken.

  5. Viruses 2
  • A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread.
  • If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning, even before news reports start to raise the awareness level of potential victims.

  6. Why do I bother then?
  • Windows viruses
  • Sophos: "87% of all reports of infections during 2002 concerned Windows viruses."
  • 7,189 new viruses/worms/trojans during 2002, for a total of more than 78,000. On average, the Sophos virus labs produce detection routines for more than 25 new viruses each day.
  • Most are variants of existing families, but still very damaging
  • The WildList: 248 viruses currently "in the wild"

  7. Unix virus scanners
  • Many commercial vendors have a product
  • Open source, open definitions: ClamAV
    • "The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is kept up to date"
    • ClamAV currently detects 9886 viruses
    • Updates are regular and the definition distribution method is sensible (unlike some AV vendors!)

  8. Protecting Windows networks
  • A Linux firewall stops worms that come in through the gateway by scanning for open ports
  • NAT gives that inherent gain (unsolicited inbound connections never reach the clients) but brings many losses, and it does nothing for traffic the clients ask for themselves:
    • Electronic mail
    • Web browsing

  9. Email Scanning on Linux
  • Run this on your gateway machine
  • Easy to protect an SMTP network: change the domain's MX records to point at the scanning gateway, which relays clean mail on to the internal server
  • Easy to protect a POP3 mailbox: pull it down with fetchmail into a simple local mail server such as Courier IMAP, scanning on the way in
  • Debian Woody + Exim 3 + Amavis:
    • http://ente.limmat.ch/linux/exim_v3_-_amavisd-new.html

  10. Fetching mail with Debian
  • Install Courier IMAP
  • Install SpamAssassin & Amavis from the aurel32 backport repository
  • Amavis vs. MailScanner
    • MailScanner is tidier, better maintained and does other useful things (eg. regexp checking)
    • Amavis only requires a single queue, so it fits Exim's model better and is simpler
  • To get mail into this system, install fetchmail to pull it from the remote mailbox and point your email client at your new local mail server

  11. Client side filtering
  • A server-side filter must apply the same spam rules to all users
    • Not everyone gets the same spam: filtering on words with predefined scores fails in some cases
  • Filtering on the client allows you to do Bayesian filtering
    • Per user
    • Works on word frequency in pre-seeded spam/non-spam ("ham") corpora
    • Paul Graham's "A Plan for Spam"
      • No longer the best method but a very interesting read
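To make the "word frequency in pre-seeded spam/ham" idea concrete, here is a small Graham-style classifier. It is an added example for this transcript, not code from the talk or from any of the mail clients mentioned; the ten one-line training messages are constructed, and the constants (rare or unseen tokens score 0.4, ham counts are doubled, the 15 most interesting tokens are combined, spam is anything above 0.9) follow the rules given in "A Plan for Spam".

```python
"""Paul Graham-style Bayesian spam filter.

Added worked example; not code from the talk or from any mail client.
The corpus below is constructed. Constants follow "A Plan for Spam":
tokens seen fewer than 5 times score 0.4, ham counts are doubled to
bias against false positives, the 15 tokens furthest from 0.5 are
combined, and a combined probability above 0.9 means spam.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[A-Za-z0-9$'\-]+")


def tokenize(text):
    """Split a message into lower-cased tokens (letters, digits, $, ', -)."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


class GrahamFilter:
    def __init__(self):
        self.good = Counter()  # token -> occurrences in the ham corpus
        self.bad = Counter()   # token -> occurrences in the spam corpus
        self.ngood = 0         # number of ham messages trained on
        self.nbad = 0          # number of spam messages trained on

    def train(self, text, is_spam):
        table = self.bad if is_spam else self.good
        table.update(tokenize(text))
        if is_spam:
            self.nbad += 1
        else:
            self.ngood += 1

    def token_prob(self, token):
        """P(spam | token). Rare and unseen tokens get a neutral-ish 0.4."""
        if not self.ngood or not self.nbad:
            raise ValueError("train on both ham and spam first")
        g = 2 * self.good[token]
        b = self.bad[token]
        if g + b < 5:
            return 0.4
        p = min(1.0, b / self.nbad) / (min(1.0, g / self.ngood) + min(1.0, b / self.nbad))
        return max(0.01, min(0.99, p))

    def score(self, text, n_interesting=15):
        """Combine the probabilities of the tokens furthest from 0.5."""
        probs = [self.token_prob(t) for t in set(tokenize(text))]
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        top = probs[:n_interesting]
        if not top:
            return 0.0
        prod_p = math.prod(top)
        prod_q = math.prod(1.0 - p for p in top)
        return prod_p / (prod_p + prod_q)

    def is_spam(self, text, threshold=0.9):
        return self.score(text) > threshold


# Constructed training corpus: five ham messages from a LUG list and five
# spam messages. Real use needs hundreds of each, per user.
HAM = [
    "wlug meeting monday, bring the linux install cds",
    "minutes from the meeting are on the wiki",
    "can you review the exim config before the meeting",
    "meeting moved to tuesday, sorry for the short notice",
    "agenda for next meeting: spamassassin and clamav",
]
SPAM = [
    "free viagra, order now, no prescription",
    "free money! claim your prize now",
    "buy viagra online now, lowest prices",
    "you have won! claim now, offer is free",
    "free free free! viagra and cialis, order now",
]


def build_filter():
    """Return a filter trained on the constructed corpus above."""
    f = GrahamFilter()
    for m in HAM:
        f.train(m, is_spam=False)
    for m in SPAM:
        f.train(m, is_spam=True)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("free viagra now", "the meeting agenda is on the wiki"):
        label = "SPAM" if f.is_spam(msg) else "ham "
        print(f"{f.score(msg):.4f}  {label}  {msg}")
```

Note how the 0.4 default for rare tokens ("viagra" appears only three times in this tiny corpus) keeps a single unfamiliar word from deciding the result, while the doubled ham count makes a token that only ever appeared in ham pull the score hard towards 0.01. This is the behaviour the "mark as junk / not junk" buttons on the next slides feed: each click adds a message to one corpus and shifts these per-token probabilities.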

  12. Evolution Filtering
  • SpamAssassin can be plugged into Evolution via email filters
  • Server output:
    • filter on the header X-Spam-Flag contains YES
  • Running on the local machine:
    • spamassassin -P -e > /dev/null
    • Exits with status 1 if the message is spam, which an Evolution "pipe to program" filter test can act on
    • But because the rewritten message is thrown away, no X-Spam-* score headers end up on the stored mail
  • Very similar for KMail; see the Wiki for the link

  13. Procmail method
  .forward:
      "|exec /usr/bin/procmail"
  .procmailrc:
      SHELL = /bin/sh
      MAILDIR = $HOME/Mail
      LOGFILE = _logfile
      VERBOSE = no
      LOGABSTRACT = all
      PATH = /bin:/usr/bin:/sbin:/usr/sbin

      # Pass mail smaller than 256000 bytes through spamc (needs spamd running);
      # larger mail skips SpamAssassin so a big attachment does not tie up the scanner
      :0fw: spamassassin.lock
      * < 256000
      | /usr/bin/spamc

      # File very high-scoring spam (14 or more stars in X-Spam-Level) before I see it
      :0:
      * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*
      caughtspam

  14. Bayesian Filtering
  • Natively implemented in:
    • MacOS X's Mail.app
    • Mozilla Mail (cross platform)
    • Outlook: SpamBayes plugin
    • POPFile
  • Buttons in the mail client
    • Mark as junk
    • Mark as not junk

  15. Extra for experts
  • Using DNS to stop spam
    • Basic idea: only the authoritative owner of a domain can decide which machines may send messages appearing to come from that domain
    • Domains publish "reverse MX" records (MX says where mail for the domain goes; these say where mail from the domain comes from), so a receiving server can check the connecting IP against the claimed sender domain
    • People can still spam from their own domain, but it can then be accurately traced, and few ISPs knowingly allow spammers
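The "reverse MX" record on this slide is what the Sender Permitted From proposal in the See also list became. The following is an added example, not the talk's or the SPF project's code: a minimal evaluator that a receiving mail server could run against the envelope sender's domain record and the connecting IP. It handles ip4:, ip6: and all with the four qualifiers, and it stands in for the DNS TXT lookup with a constructed table of records; mechanisms that need live DNS (include:, a:, mx:, exists:) raise rather than being silently skipped. All domains, records and addresses below are constructed.

```python
"""Minimal SPF-style "reverse MX" check for a receiving mail server.

Added example for this transcript, not the talk's or the SPF project's code.
Supports ip4:, ip6: and all with the qualifiers + - ~ ?; anything that needs
a DNS lookup (include:, a:, mx:, exists:) raises so it is never ignored.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS. In production you would fetch the TXT
# record of the envelope sender's domain instead of reading this table.
CONSTRUCTED_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.25 ~all",
}


def evaluate_spf(record, client_ip):
    """Evaluate one record against the connecting client's IP.

    Returns (result, matching_term). The first matching mechanism wins; a
    record with no matching mechanism and no 'all' term yields 'neutral',
    and a string that is not an SPF record yields 'none'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        mech = term
        qualifier = "+"                       # implicit qualifier is pass
        if mech[0] in QUALIFIERS:
            qualifier, mech = mech[0], mech[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], term
        if name in ("ip4", "ip6"):
            # a bare address such as ip4:198.51.100.25 becomes a /32
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier], term
            continue
        raise ValueError(f"mechanism {name!r} needs a DNS lookup, not handled here")
    return "neutral", None


def check_sender(mail_from, client_ip, records=CONSTRUCTED_RECORDS):
    """Look up the envelope sender's domain and evaluate its record.

    'none' means the domain publishes no record, so nothing is concluded."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none", None
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    for sender, ip in [("bob@example.com", "192.0.2.77"),
                       ("bob@example.com", "203.0.113.5"),
                       ("bob@example.org", "203.0.113.5"),
                       ("bob@example.net", "203.0.113.5")]:
        print(sender, ip, check_sender(sender, ip))
```

A gateway would map these results to policy at SMTP time: "fail" is grounds to reject the message outright, "softfail" is better fed to SpamAssassin as one more score, and "neutral" or "none" means the check told you nothing. As the slide says, this does not stop a spammer who publishes a record for a domain they own; it only makes the claimed sender domain trustworthy enough to trace.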

  16. Virus scanning Web pages
  • Use a caching proxy server & content filter
    • Squid
    • DansGuardian
  • Anti-Virus patch for DansGuardian
    • Downloads each page and then scans it
    • Uses MailScanner's engine
    • Supports F-Prot and ClamAV

  17. See also
  • Viruses
    • Staog: http://www.f-secure.com/v-descs/staog.shtml
    • Bliss: http://math-www.uni-paderborn.de/~axel/bliss/
    • Slapper: http://www.sophos.com/virusinfo/analyses/linuxslappera.html
    • ELF Virus Writing HOWTO: http://www.lwfug.org/~abartoli/virus-writing-HOWTO/_html/
    • Windows vs. Linux Viruses: http://librenix.com/?inode=21
    • Windows vs. Linux Viruses: http://www.theregister.co.uk/content/56/33226.html
    • The WildList: http://www.wildlist.org/
  • Amavis
    • A Mail Anti-Virus Scanner: http://www.amavis.org/
    • Debian Amavis/SpamAssassin HOWTO: http://ente.limmat.ch/linux/exim_v3_-_amavisd-new.html
  • ClamAV
    • Clam Anti-Virus: http://clamav.elektrapro.com/
    • Web based submission test: http://www.gietl.com/test-clamav/
  • Bayesian Filtering
    • A Plan For Spam: http://www.paulgraham.com/spam.html
    • Mozilla's built-in Bayesian filtering: http://www.mozilla.org/mailnews/spam.html
  • Client Side Filtering with SpamAssassin
    • Evolution: http://krath.dk/linux/evolution_spamfilter/
    • KMail: http://kmail.kde.org/tools.html
  • DNS based prevention
    • Proposals for DNS based email acceptance: http://www.irtf.org/asrg/survey_of_proposals.htm
    • Sender Permitted From: http://spf.pobox.com/
  • Web scanning
    • DansGuardian AV plugin: http://www.pcxperience.org/dgvirus/
