
Antispam activities @ GARR


Presentation Transcript


  1. Antispam activities @ GARR
  Michele Michelotto, HEPiX Karlsruhe, 11 May 2005

  2. WG sec mail
  • Enrico Ardizzoni (Università di Ferrara)
  • Alberto D’Ambrosio (INFN, Torino)
  • Roberto Cecchini (INFN, Firenze)
  • Fulvia Costa (INFN, Padova)
  • Giacomo Fazio (INAF, Palermo)
  • Antonio Forte (INFN, Roma 1)
  • Matteo Genghini (IASF, Bologna)
  • Michele Michelotto (INFN, Padova)
  • Ombretta Pinazza (INFN, Bologna)
  • Alessandro Spanu (INFN, Roma 1)
  • Alfonso Sparano (Università di Salerno)
  Antispam activities at GARR

  3. Goals
  • Anti-spam and anti-virus: stop them, or at least reduce them to a reasonable level
  • “Best practices”: mail service configuration and mail server protection
  • Sender authentication: SPF, DomainKeys
  • Dissemination: http://www.garr.it/WG/sec-mail and mailto:<secmail-info@garr.it>

  4. Anti-spam
  • SpamAssassin (SA): analysis and efficiency improvement
    • Monitoring
    • Bayesian filter
    • Real-time Block List (RBL)
    • Network-distributed “cooperative” systems

  5. Anti-spam
  • Alternative tools tested:
    • Bogofilter: http://bogofilter.sourceforge.net/
    • DSPAM: http://www.nuclearelephant.com/projects/dspam

  6. SpamAssassin
  • Rule based: each rule adds a score (positive or negative)
  • Mail over the threshold can be deleted, marked, or moved to a quarantine folder
  • Choosing the threshold is difficult: some spam scores lower than some legitimate mail (ham)

  7. Two weeks: 275417 e-mails, 208436 spam (75.7%)
  Threshold too high: many FALSE NEGATIVES
  (figure: score distribution, titled “Where do I put the threshold?”)

  8. Two weeks: 275417 e-mails, 208436 spam (75.7%)
  Threshold too low: some FALSE POSITIVES (dangerous)
  (figure: score distribution, titled “Where do I put the threshold?”)

  9. Independent methods
  • Improve the spam/ham identification
  • I can’t move the threshold:
    • If I raise it I get too many false negatives
    • If I lower it, it is even worse, because I get some false positives
  • Look for “independent methods”:
    • Bayesian filters
    • Cooperative methods
    • RBL
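Added example, not part of the talk: a threshold sweep over constructed SpamAssassin-style scores (not the two-week GARR data) that makes the dilemma of slides 6 to 9 concrete. Once the ham and spam score ranges overlap, every threshold has either false negatives or false positives, and the lowest threshold that never tags ham has a measurable false-negative cost. The score values and the thresholds swept are assumptions for the illustration.

```python
# Constructed (label, score) pairs in SpamAssassin units; not the GARR two-week data.
# The ranges overlap on purpose: the highest ham (6.3) scores above the lowest spam (3.1).
SAMPLE = ([("ham", s) for s in (-2.1, -0.5, 0.3, 1.8, 2.9, 4.2, 4.9, 6.3)]
          + [("spam", s) for s in (3.1, 3.8, 4.6, 5.5, 7.0, 8.2, 9.9, 12.4, 14.0, 15.2)])


def rates(threshold, sample=SAMPLE):
    """(false-negative rate, false-positive rate) for the rule 'tag if score >= threshold'.
    FN = spam that stays under the threshold; FP = ham that crosses it."""
    spam = [s for label, s in sample if label == "spam"]
    ham = [s for label, s in sample if label == "ham"]
    fn = sum(1 for s in spam if s < threshold) / len(spam)
    fp = sum(1 for s in ham if s >= threshold) / len(ham)
    return fn, fp


def sweep(thresholds=(3.0, 4.0, 5.0, 6.5, 8.0), sample=SAMPLE):
    """Map each candidate threshold to its (FN, FP) pair; raising it trades FP for FN."""
    return {t: rates(t, sample) for t in thresholds}


def lowest_fp_free_threshold(sample=SAMPLE):
    """The lowest threshold with zero false positives sits just above the highest ham score;
    the FN rate there is the price of never losing legitimate mail."""
    top_ham = max(s for label, s in sample if label == "ham")
    threshold = top_ham + 0.1          # anything strictly above the top ham score
    return threshold, rates(threshold, sample)[0]
```

With these numbers the sweep never reaches (0, 0): the only way to get more spam tagged without touching ham is extra score from independent signals, which is what the following slides add.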

  10. Bayesian filters
  • Based on Bayesian statistics: the filter “learns” which words (actually tokens) are more probable in ham and in spam
  • Bayesian filters age
  • Learning by manually submitting ham and spam samples is time consuming
  • Auto-learning is dangerous: spammers send mail designed to “poison” the filters
  • Best performance with frequent updates submitted by the users
  • Even better: a different database for each user

  11. Bayesian filters
  • Filters “age”: they must be kept up to date
  • Manual updating is expensive in time
  • Frequent updates from selected samples chosen by the users, best with an individual database for each user
  • Automatic updating is dangerous: some mail is sent only to “poison” Bayesian filters

  12. Ageing (figure with phases labelled NEW, TRAINING, AGEING)
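Added example, not code from the talk or from SpamAssassin: a minimal token-based Bayesian filter of the kind slides 10 to 12 describe, trained on a handful of constructed ham and spam messages, followed by the poisoning scenario the slides warn about. The "poison" message is spam padded with the vocabulary of the user's real mail; if an unattended auto-learn feeds a few copies of it into the spam side (because other rules already flagged them), the user's legitimate mail starts to look spammy. The token regex, the smoothing (Robinson's formula with s=1, x=0.5), the 15-token window and all sample texts are assumptions for the illustration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z][a-z0-9'$-]+")  # crude word tokens; real filters also hash headers


def tokenize(text):
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """One token database; in practice one per user, as the slides recommend."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    def train(self, text, is_spam):
        for tok in tokenize(text):
            (self.spam if is_spam else self.ham)[tok] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, tok):
        """P(spam | token), pulled toward 0.5 for rarely seen tokens (Robinson's f(w), s=1, x=0.5)."""
        s = self.spam[tok] / max(self.nspam, 1)
        h = self.ham[tok] / max(self.nham, 1)
        p = s / (s + h) if s + h else 0.5
        n = self.spam[tok] + self.ham[tok]
        return (0.5 + n * p) / (1 + n)

    def score(self, text):
        """Spam probability from the 15 most decisive tokens, combined in log space."""
        probs = sorted((self.token_prob(t) for t in tokenize(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:15]
        if not probs:
            return 0.5
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


# Constructed training samples (not the GARR corpus).
HAM_SAMPLES = [
    "meeting tomorrow about the grid cluster upgrade in padova",
    "please review the attached paper draft before the hepix talk",
    "the dcc server in palermo needs a reboot after the kernel update",
    "lunch at the mensa at 12:30, bring the spamassassin statistics",
]
SPAM_SAMPLES = [
    "buy cheap viagra online now, discount pills, click here",
    "congratulations you won the lottery, claim your prize now",
    "cheap mortgage refinance, lowest rates, click here now",
    "online pharmacy discount pills viagra cialis, order now",
]
# Constructed "poison": spam payload padded with the vocabulary of the user's real mail.
POISON = "meeting cluster upgrade paper draft talk review viagra pills click here"
LEGIT_TEST = "review the cluster upgrade before the talk"
SPAM_TEST = "discount viagra pills, click here"


def trained_filter():
    f = BayesFilter()
    for text in HAM_SAMPLES:
        f.train(text, False)
    for text in SPAM_SAMPLES:
        f.train(text, True)
    return f


def poisoning_demo(copies=3):
    """Score of a legitimate message before and after auto-learning 'copies' poison
    messages as spam, which is what an unattended auto-learn does once other rules flag them."""
    f = trained_filter()
    before = f.score(LEGIT_TEST)
    for _ in range(copies):
        f.train(POISON, True)
    after = f.score(LEGIT_TEST)
    return before, after
```

The trained filter separates the two test messages cleanly, but three auto-learned poison copies move the legitimate message from under 1% to roughly 30% spam probability. This is why the slides prefer samples chosen by the users and a per-user database: a poisoned shared database hurts everyone.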

  13. Real-time Block List
  • For each e-mail a DNS query is issued to check whether the sender is present in a list of known spammers
  • A good method to add score; don’t use it to reject mail:
    • The sender can be spoofed
    • Some RBLs are not very accurate, either in checking that a sender is a real spammer or in removing those who have fixed the problem
  • URIRBL: very good, because the check is done against the URLs in the mail body, and the spammer will not spoof the URL in the body!
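Added example, not from the talk: how the two kinds of lookup on this slide are built and scored. An IP-based list is queried with the connecting relay's address reversed under the list's zone; a URI list is queried with the domains of the URLs found in the body. The zone names are the real Spamhaus and SURBL zones, but the resolver is a constructed dictionary, the listed entries and the message body are invented, and the score weights are assumptions. The answer is only ever added to the score, never turned into a reject, and an error code from the list (Spamhaus uses 127.255.255.0/24 for refused queries) is treated as "not listed".

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Constructed resolver answers standing in for real DNS (the zone names are real, the
# listed entries are invented for this example).
FAKE_DNS = {
    "4.2.0.192.zen.spamhaus.org": "127.0.0.2",          # relay 192.0.2.4 "listed"
    "pills-shop.example.multi.surbl.org": "127.0.0.8",  # a domain seen in spam bodies
}

# Constructed message: one spam link and one legitimate link (garr.it is not listed).
SAMPLE_BODY = (
    "Cheap pills today: http://www.pills-shop.example/buy?id=8812\n"
    "Working group page: http://www.garr.it/WG/sec-mail\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus answers in 127.255.255.0/24 mean "query refused / error", not "listed".
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_name(ip, zone):
    """1.2.3.4 checked against ZONE becomes the query name 4.3.2.1.ZONE."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def body_domains(body):
    """Hostnames of http(s) URLs in the body, cut down to their last two labels.
    Assumption for the example: a real filter uses the public suffix list here."""
    domains = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            labels = host.lower().strip(".").split(".")
            domains.add(".".join(labels[-2:]))
    return domains


def is_listed(name, resolver):
    """True only for a genuine 127.0.0.0/8 listing; NXDOMAIN (None) or an error code is 'not listed'."""
    answer = resolver(name)
    if answer is None:
        return False
    addr = ipaddress.IPv4Address(answer)
    return addr in LISTED_NET and addr not in ERROR_NET


def live_resolver(name):
    """Real lookup, not used by the offline demo: NXDOMAIN surfaces as socket.gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def rbl_score(relay_ip, body, resolver,
              ip_zones=("zen.spamhaus.org",), uri_zones=("multi.surbl.org",),
              ip_weight=2.0, uri_weight=3.0):
    """Return (score, hits). The IP checked is the connecting relay's address from the
    SMTP session, which cannot be forged the way the From: header can. Hits add score
    only; the accept/tag decision stays with the overall threshold, so an inaccurate
    list cannot reject mail on its own. Weights are assumed for the example."""
    score, hits = 0.0, []
    for zone in ip_zones:
        name = dnsbl_name(relay_ip, zone)
        if is_listed(name, resolver):
            hits.append(name)
            score += ip_weight
    for domain in sorted(body_domains(body)):
        for zone in uri_zones:
            name = f"{domain}.{zone}"
            if is_listed(name, resolver):
                hits.append(name)
                score += uri_weight
    return score, hits
```

To run it against real lists, pass `live_resolver` instead of `FAKE_DNS.get`; most public lists refuse queries from open resolvers and large resolvers, which is exactly the error-code case handled in `is_listed`.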

  14. Cooperative methods
  • UBE: Unsolicited Bulk Email; these methods are based on the mass diffusion of spam
  • Razor:
    • Users submit spam to a network of Razor servers
    • Mail with many submissions is tagged as spam
    • User ratings
    • Closed protocol and closed server network
  • Pyzor: similar to Razor, but the protocol and software are open source and you can become a server

  15. DCC
  • Mail with similar checksums is counted across several sites
  • If a mail is seen by many DCC servers it is tagged as suspect
  • Open network
  • Our group now has 3 DCC servers
  • Each server can provide anonymous access, or high-priority access to registered users
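Added example, not from the talk and not DCC, Razor or Pyzor code: a toy counting server in the spirit of slides 14 and 15. Each client reports a fuzzy checksum of what it received; a message whose checksum has been reported by "many" recipients is bulk, and that adds score. The checksum here keeps only alphabetic words, so the per-copy tracking ids a spam run varies collapse onto one key (DCC's real FUZ1/FUZ2 checksums normalize much more). The sample traffic, the "many" cut-off and the weight are assumptions.

```python
import hashlib
import re
from collections import Counter


def fuzzy_checksum(body):
    """Checksum that survives the per-copy variation spammers add (tracking ids, random
    numbers): keep only lowercase alphabetic words of 3+ letters, then hash them.
    A stand-in for DCC's fuzzy checksums, which do considerably more normalization."""
    words = re.findall(r"[a-z]{3,}", body.lower())
    return hashlib.sha1(" ".join(words).encode("utf-8")).hexdigest()


class CountingServer:
    """Counts reports per checksum, as a DCC server does across all its clients."""

    def __init__(self):
        self.counts = Counter()

    def report(self, body):
        """A client reports a message it received; returns the running total."""
        key = fuzzy_checksum(body)
        self.counts[key] += 1
        return self.counts[key]

    def query(self, body):
        """How many recipients have reported this checksum so far."""
        return self.counts[fuzzy_checksum(body)]


def bulk_score(count, many=10, weight=2.5):
    """Score added when a checksum has been seen by 'many' recipients. Bulk is not the
    same as spam (legitimate newsletters are bulk too), so this adds to the score rather
    than rejecting, and known bulk senders should be whitelisted before this step."""
    return weight if count >= many else 0.0


# Constructed sample traffic (not DCC data): one spam run with per-copy ids, one private mail.
BULK_TEMPLATE = "Dear customer, buy cheap pills at http://pills.example/offer?id={n} using code {n} today"
PRIVATE_MAIL = "Minutes of the WG sec-mail meeting are attached, comments by Friday please"


def simulate(copies=20):
    """Returns (count for a fresh copy of the spam run, count for the private mail)."""
    server = CountingServer()
    for i in range(copies):
        server.report(BULK_TEMPLATE.format(n=1000 + 37 * i))
    server.report(PRIVATE_MAIL)
    return server.query(BULK_TEMPLATE.format(n=4242)), server.query(PRIVATE_MAIL)
```

The 21st copy of the run, with an id no client has ever reported, still queries as "seen 20 times", while the private mail stays at 1 and gets no score. Razor and Pyzor work on the same principle with their own signatures and server networks.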

  16. DCC stats (figure)

  17. DCC: our stats
  • A typical day at the DCC server at IASF in Palermo:
    • 800k checksum requests (70k from registered clients)
    • 1.2M reports from 25000 clients
    • Average response time 5 ms

  18. Spam in September 04: 5000 spam messages received in my mailbox during the CHEP week; 12% false negatives

  19. Spam in September 04: from 12% false negatives at the end of September to 1.7% at the end of November

  20. Monitoring trend (figure)

  21. Top plugin (figure)

  22. Sender authentication
  • Sender Policy Framework (SPF):
    • Each domain should publish in DNS a “reverse MX record” listing the SMTP servers authorized to send e-mail for that domain
    • The receiver can use this information to reject mail or to increase the SA score
    • This means that roaming users must always use their own SMTP server (after authentication)
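Added example, not from the talk: a small SPF evaluator for the mechanisms that matter here (ip4/ip6, a, mx, include, all with the four qualifiers), run against constructed zone data rather than live DNS, to show the roaming-user point on this slide. The same user with the same From: domain gets "pass" when submitting through the domain's own authenticated server and "fail" from a hotel ISP relay, and a message with a faked internal sender arriving from outside fails the same way. Domain names, addresses and records are assumptions; modifiers such as redirect= are skipped, which a full checker must not do.

```python
import ipaddress

# Constructed zone data (assumed for the example; not GARR's or any real domain's records).
DNS = {
    ("example.it", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.relay.example -all"],
    ("example.it", "MX"): ["mail.example.it"],
    ("mail.example.it", "A"): ["198.51.100.25"],
    ("_spf.relay.example", "TXT"): ["v=spf1 ip4:203.0.113.10 -all"],
    ("soft.example", "TXT"): ["v=spf1 a ~all"],
    ("soft.example", "A"): ["198.51.100.80"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns):
    return dns.get((name.lower(), rtype), [])


def spf_record(domain, dns):
    """The single v=spf1 TXT record; two of them would be a permerror under RFC 7208."""
    recs = [r for r in lookup(domain, "TXT", dns) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_spf(ip, domain, dns=DNS, depth=0):
    """Evaluate DOMAIN's SPF record for the connecting IP: pass/fail/softfail/neutral/none/permerror.
    Mechanisms handled: all, ip4, ip6, a, mx, include. Modifiers (redirect=, exp=) are skipped."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                  # modifier, not followed in this example
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(arg or domain, "A", dns))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX", dns)
                          for a in lookup(mx, "A", dns))
        elif mech == "include":
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no 'all' term


def roaming_user_cases(dns=DNS):
    """The slide's point about roaming users: same From: domain, different submission paths."""
    return {
        "own_smtp_after_auth": check_spf("198.51.100.25", "example.it", dns),   # the domain's MX
        "hotel_isp_relay": check_spf("203.0.113.99", "example.it", dns),        # hits -all
        "contracted_relay": check_spf("203.0.113.10", "example.it", dns),       # via include
        "spoofed_internal_from_outside": check_spf("198.51.100.200", "example.it", dns),
        "domain_without_spf": check_spf("198.51.100.25", "nospf.example", dns),
        "softfail_domain": check_spf("203.0.113.99", "soft.example", dns),
    }
```

On the receiving side, "fail" for the site's own domain is the case slide 24 calls useful: it is safe to reject or heavily score, because every legitimate internal sender has been forced through the authenticated submission server. "softfail" and "neutral" should only add score, and "none" says nothing at all.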


  24. SPF tests
  • Salerno University, one month, 650·10³ mail
  • 32% from SPF-compliant domains:
    • 12% external
    • 20% internal (useful to cut all the spam with a faked internal sender, mostly viruses or phishing)

  25. Best practices
  • Open port 25 only to your site’s e-mail servers
  • Open ports 587 (submission) and 465 (SMTPS) for external authenticated users
  • Force external users to authenticate (necessary to implement SPF)
  • Configure the antivirus not to notify the sender (since the sender is almost always spoofed)
  • greet_pause on sendmail (≥ 8.13)

  26. Open items
  • “Unofficial” plugin tests
  • Sender authentication
  • Bogofilter and DSPAM tests
  • More DCC or Pyzor servers?
  • Online filter (spam rejection)?
  • Close the group and buy commercial “turnkey” software, as we do with A/V (e.g. Sophos PureMessage)?

  27. Questions?
