RedIRIS Reputation Block List • September 2008
RedIRIS and mail services
• At the beginning, RedIRIS was directly involved in providing e-mail services to affiliated institutions
• However, several years ago it stopped providing those services (including webmail)
• End of the life cycle within the NREN: commodity services are provided by the institutions and the market
• RedIRIS has kept working on issues related to e-mail, mostly trying to improve its quality and to fight spam
• RACE (audit of university mail configuration, coordinated by RedIRIS and done by peers)
• Promotion of security policies (e.g., SPF, DKIM, BATV)
• Whitelists, spamtraps
• These initiatives were well received, but it was necessary to take them further to have a real impact
• Ideas obtained from TF-LCPM (spam filtering services offered by SURFnet and UNINETT, presented at TF-LCPM meetings)
Spam evolution
What's being sent
• Spam 1.0: Unsolicited advertising: massive distribution of services (Viagra, loans, sex, etc.)
• Spam 2.0: Worms/viruses; massive distribution plus economic fraud
• Spam 3.0: Images, PDFs, etc.; convergence of spam and worms/viruses
E-mail addresses
• Spam 1.0: Simple methods
• Spam 2.0: Massive harvesting of e-mail addresses; dictionary attacks
• Spam 3.0: E-mail addresses bought and sold
How
• Spam 1.0: Open relays
• Spam 2.0: Vulnerabilities: cgi, php, open proxies, sockets
• Spam 3.0: Open proxies, botnets
Solutions
• Spam 1.0: Basic content filter; DNSBL
• Spam 2.0: Bayesian, multilingual content filters; evolution of DNSBLs towards zombies
• Spam 3.0: Adaptation of content filters; new evolution of DNSBLs to target zombies; spamtraps
Some data about zombies (botnets)
• New bots per day: 500
• Number of bots at any time: 6-8 million
• Average lifetime of a bot: 2-3 hours
• Number of bots in some attacks: 10,000-200,000
• Number of messages sent by a botnet: 80 million/hour
• 85% of spam is sent from zombies
Data: "Email Threats Trend Report", October 2007, Commtouch
Zombies are the main origin of spam: identifying zombies and blocking SMTP from them means less spam, and the same identification allows warnings about zombie IPs.
Criteria for a reputation system
Goal: description
• Effectiveness: reduce spam by 70-90%
• False positives: as few as possible, and easy to resolve if any
• Scalability: easy to adapt to new needs
• Simplicity: easy usage and configuration
• Compatible with users' policies: users decide what is spam and what to do with it
• Resilience: any service problem shall not affect users' e-mail services
• Support: technology known by system administrators
• Open: complementary with RedIRIS projects such as whitelists and spamtraps
• Report: detection of suspicious IPs
• Cost: 24/7?
Reputation scheme
• A zombie sends spam both to the University and to the RedIRIS spamtraps
• The University SMTP server sends a DNS query to IRISRBL: is the sender IP in the zone? Two zones are offered: hard and medium
• IRISRBL (Servicio AntiSpam Red Académica, the anti-spam service for the academic network) is fed by the RedIRIS spamtraps and by external sources: CBL, SORBS, Spamhaus, Sophos
• The RedIRIS whitelist is applied as an exclusion list
• Updates in real time via rsync
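The lookup in the scheme above is an ordinary DNSBL query: the client's IPv4 octets are reversed, the zone name is appended, and an A record in the answer means "listed", while NXDOMAIN means "not listed". The following is an added example, not IRISRBL's own code or data: the zone names (hard.rbl.example, medium.rbl.example), the listed addresses, the whitelist and the per-zone actions are all constructed placeholders, and resolve_a stands in for a real DNS resolver so the block runs offline. It also shows the whitelist exclusion being applied before any query and the resilience criterion (a resolver outage fails open rather than rejecting mail).

```python
import ipaddress

# Constructed stand-in for the published DNS zones (not real RedIRIS data).
# Maps zone name -> {listed IPv4 address -> A record the DNSBL answers with}.
# The zone names are placeholders for the scheme's "hard" and "medium" zones.
ZONE_DATA = {
    "hard.rbl.example":   {"198.51.100.23": "127.0.0.2", "192.0.2.77": "127.0.0.2"},
    "medium.rbl.example": {"198.51.100.23": "127.0.0.2", "192.0.2.5": "127.0.0.2",
                           "203.0.113.10": "127.0.0.2"},
}

# Constructed whitelist: addresses excluded even if some source lists them.
WHITELIST = {"203.0.113.10"}

# Assumed local policy per zone; the slides leave the action to each institution.
POLICY = {"hard.rbl.example": "reject", "medium.rbl.example": "tag"}
ZONES = ("hard.rbl.example", "medium.rbl.example")   # most severe first


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.
    198.51.100.23 in hard.rbl.example -> 23.100.51.198.hard.rbl.example"""
    addr = ipaddress.IPv4Address(ip)      # raises ValueError unless IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name, zone_data=ZONE_DATA):
    """Simulated A-record lookup against the constructed zones.
    Returns the answer, or None to stand for NXDOMAIN (IP not listed)."""
    for zone, listed in zone_data.items():
        suffix = "." + zone
        if name.endswith(suffix):
            ip = ".".join(reversed(name[: -len(suffix)].split(".")))
            return listed.get(ip)
    return None


def failing_resolver(name):
    """Models a resolver outage or timeout for the resilience check below."""
    raise TimeoutError("DNS timeout for " + name)


def reputation_check(ip, zones=ZONES, resolver=resolve_a,
                     whitelist=WHITELIST, policy=POLICY):
    """Decide how to treat a connecting SMTP client.
    Whitelist exclusion is applied before any DNS query (the scheme's
    "exclusion" step); zones are then queried most severe first and the
    first hit decides. Returns (action, zone_that_listed_ip)."""
    if ip in whitelist:
        return ("accept", None)
    for zone in zones:
        try:
            answer = resolver(dnsbl_query_name(ip, zone))
        except OSError:
            # Resilience criterion: an RBL outage must not break users' mail,
            # so fail open rather than reject (TimeoutError is an OSError).
            return ("accept", None)
        if answer is not None:
            return (policy.get(zone, "tag"), zone)
    return ("accept", None)


if __name__ == "__main__":
    for client in ("198.51.100.23", "192.0.2.5", "203.0.113.10", "192.0.2.200"):
        print(client, reputation_check(client))
    print("outage", reputation_check("198.51.100.23", resolver=failing_resolver))
```

Querying the hard zone first and stopping at the first hit keeps the number of DNS round trips per connection small; an institution that prefers to score rather than reject only has to change the POLICY mapping, which matches the "users decide" criterion.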
Service model
Model: sources: effectiveness
• Maximum: Spamhaus + Habeas + Sophos + TrendMicro: very effective
• Intermediate: Spamhaus: 80-90%
• Minimum: CBL + DUL + spamcop + …: 75-80%
• Need to integrate several sources
• RedIRIS internal sources such as spamtraps are statistically very effective, but they cover a very limited part of the zone
• It is necessary to add external databases
Detection trial (University of Zaragoza)
Model | Messages detected | % spam detected | % spam undetected
Spamcop | 145196 | 63.96% | 34.73%
soft.rediris | 151094 | 66.56% | 32.13%
Spamhaus | 157528 | 69.39% | 28.3%
hard.rediris | 186178 | 82.01% | 16.8%
Survey (1)
We did a survey to collect information about the use of RBLs in RedIRIS institutions.
Survey (2)
Answers from 65 institutions:
• 82% willing to use the RedIRIS RBL
• 84% use a whitelist
• 78% have an SPF record
• 74% use RBLs
• 80% block
What next
• Service on trial using RKS, developed with Sandvine
• 50 institutions trying it
• 15 million queries per day
• Positive feedback
• Need to increase the information in the system: collective purchase of licences from commercial providers?
• First stage to gain confidence from users, and then upgrade the service?
• Evaluation towards a new model of service similar to those of SURFnet and NORDUnet
Thanks for your attention!