290 likes | 301 Views
This article discusses the various defense mechanisms against spam and recommends a solution for the growing problem. It covers anti-spam appliances, server-side software, cloud-based solutions, and end-user software. The different pros and cons of each approach are presented, along with their cost implications. The conclusion provides a comprehensive overview and raises important questions.
E N D
Corporate Spam Defense Random Driver Gilles Bouyer Oleg Kipnis Hang Li Samar Patel Ashwin Shanmugasundaram
Agenda • Solutions • Appliances – Server Side Software • Pros and Cons • Cloud Based Solution • Pros and Cons • End User Software • Pros and Cons • Methods used • Legal and Other Solutions • Pros and Cons • Proposed solution • Strength/ Weaknesses • Cost / Implementation • Conclusion - Questions
Problem Statement • Most enterprise users are exposed to spam, which means they are exposed to more threats. Spam is an issue affecting all industrial sectors, government and education. • While missing an email due to a false positive when it comes to personal use might not seem like a big deal, it is important for the enterpriseto be cautious on optimizing communication to reach better business results. • SPAM is an attack on authenticity with the following characteristics: • 70.7% of all email traffic is Spam • 2.3% of all emails contain malicious attachments • 1.8% – 3% of spam makes it through spam filters • Only 1 in 25,000 spam needs to be opened to be profitable for spammers • Costs 20 billion dollars annually • We will review the defense mechanisms and recommend a solution to this problem.
Anti Spam Appliances • Anti-spam appliances are hardware-based solutions integrated with on-board anti-spam software and are normally driven by an operating system optimized for spam filtering • They are deployed at the gateway or in front of the mail server • Appliances provide a solution that does not require configuration of the existing mail server, and can be more effective and of higher performance than a software solution installed on the mail server • Examples: Barracuda, SpamTitan, Fortinet, Cisco Ironport • How does Barracuda work? All incoming mail is screened according to the rules of the Barracuda device and by the rules that are manually created Non spam messages will go directly to inbox folder Messages that are suspected as being spam are informed by a Spam Quarantine
Server Side Software • Anti-spam software is either installed on the mail server itself or in front of mail server. The purpose of this software is to remove the burden of filtering e-mail from the e-mail server. • Examples: • Bogofilter- Used by a MTA to classify messages as they are received from the sending SMTP server. Bogofilter examines tokens in the message body and header to calculate a probability score that a new message is spam • SpamAssassin- It can be run as a standalone application on server or as a subprogram of another application • MailwasherEnterprise- It works as a proxy, sits in front of mail server blocking and denying spam from getting to mail server and users • POPFile- Typically it is used to filter spam mail. It can also be used to sort mail into other user defined "buckets" or categories
PROs and CONs Antispam Appliances PROs CONs • High reliability that works out of the box • Operating system and application software is pre-loaded and configured • Stable OS guarantees less downtime • Updates itself automatically with no user intervention • Upfront costs • If the hardware fails, it requires a warranty or an upfront cost to fix/replace Server Side Software CONs PROs • Difficult to install • Software updates can cause compatibility issues with other software on the system • Requires updating the server OS with the latest patches • Customized filters which can be personalized according to individual user requirement • Whitelisting capabilities • Quarantines spam mails which are kept for a certain duration
Cloud based Solutions • Anti Spam Cloud based solutions enable to filter email on content and authenticity outside the LAN and provide only legitimate • emails to the organization. • Sample of Providers: • elunahttps://heluna.com/ $49/year • McAffee SaaS Email and Web security • Message Labs • Sophos • Untangle • Google Apps • Example of incoming mail:
PROs and CONs PROs CONs • Does not slow down or interfere with program on workstation • No need to update virus definition • Temporary store mail if LAN issues • Built in white / gray / black lists • Subscription based • (# $30/user/year) • Security of the cloud
End User Software • Email Clients– Most Email Clients have built in basic spam filter • Outlook uses Whitelists/Blacklists and Word Blocking • Add-ons to Email Clients – Add more powerful spam filtering to Email Clients • Spam Reader - Uses Bayesian filtering and Whitelist/Blacklist • Vircom - Uses Bayesian filtering • Stand Alone Software – Works with email clients and web mail • Spamhilataor– Uses combination of Word Blocking, Bayesian filtering and user defined lists • Mailwasher – Uses combination of Word Blocking, Bayesian filtering and user defined lists
Pros and Cons Pros Cons • Filters can easily be customized for individual user • Fewer false positives • Blocked and filtered email still reaches the mail server • Difficult for admins to configure for each user • Scalability
Methods • Outbound filters using Transparent SMTP proxy • SMTP Proxies are inserted between sending mail servers on a local network, and the receiving servers on the Internet in order to filter outgoing spam • DNS based Blacklists • Servers maintain a list of IP addresses of via the DNS to reject email from those sources • Checksum based filtering • Spam messages sent in bulk are identical except for few changes in content. Checksum based filters determine checksum and compare with database which stores checksum values of spam messages • Statistical content filtering (Bayesian Filtering) • Users mark messages as spam or non-spam and the filter learns from user judgments • Pattern Detection • Monitors a large database of messages worldwide to detect spam patterns
Methods • Honey Pots • MTA which gives the appearance of being an open mail relay, or a TCP/IP proxy server which gives the appearance of being an open proxy is setup to detect spammers who probe systems for open relays/proxies • Authentication and reputation • Allow email from servers that have been authenticated as senders of legitimate email • Domain-based Message Authentication, Reporting and Conformance (DMARC) • A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes • SPF • DKIM
Sender Policy Framework Sender Policy Framework (SPF): an anti-spam approach in which the Internet domain of an e-mail sender can be authenticated for that sender, thereby discouraging spam mailers, who routinely disguise the origin of their e-mail.
DomainKeys Identified Mail • DKIM is a specification for cryptographically signing e-mail messages. A signing domain (eg: Gmail) claims responsibility for the email by adding a DKIM-Signature header field to message’s header. • The verifier recovers the signer's public key using the DNS, and then verifies that the signature matches the actual message's content. The receiving SMTP server uses the domain name and the selector to perform a DNS lookup.
DKIM workflow 4 5 6 3 7 2 1
Other Current Solutions • End user actions • Whitelisting : Reject everything except the email addresses accepted one by one • Spam Poisoning: Restrict the distribution of one’s address to only trusted parties, effectively hiding from spammer. (eg. ‘user@exampleREMOVETHIS.com) • Collaborative filtering: detect messages being sent to large number of recipients • Ideas under consideration: • Micropayment: Charging 1cent per email sent. If answer remove the charge. • Internet Mail 2000: “Internet 2000” mail messages are stored by the sender. The receiver is pulling his(her) message from the sender server.
Existing SPAM legislations: http://en.wikipedia.org/wiki/Email_spam_legislation_by_country
Examples of penalties • UK Nov 2012 Christopher Niebel and Gary McNeish fined $700,000 sending million SMS • http://www.theverge.com/2012/11/28/3701210/sms-spammers-fined-700000-uk • Netherlands Oct 2012 Companeo fined 100,000 €, 15 Million email between 2009 and 2011 without the consent of the recipients • https://www.signal-spam.fr/actualites/une-soci%C3%A9t%C3%A9-condamn%C3%A9e-%C3%A0-100-000%E2%82%AC-damende-pour-lenvoi-de-spams • France • http://www.tomsguide.fr/actualite/spamming,36022.html • One man fined 22,000 € 1 Million SPAMs. +1,000 € per new SPAM. • CASL: Canada Anti Spam Legislation • http://blog.eliteemail.com/2013/05/16/all-about-casl-canadas-anti-spam-legislation/ • Value Click has settled charges today with the Federal Trade Commission, netting the FTC $2.9 million in civil penalties. • Failure to disclose that users must first sign up for other offers (ones that cost them money) before collecting the prize. • [9:26:06 PM] Samar Patel: http://news.techeye.net/security/spammer-fined-a-billion-bucks • Australian Communication and Media Authority: Spam Act 2003. regulates the sending of commercial electronic messages (CEMs) and prohibits the sending of these messages except in certain limited circumstances. Email, MMS, SMS. • http://www.bit.com.au/News/316120,dont-get-stung-by-australias-anti-spam-laws.aspx • Oct 9th 2013: Grays has become the latest online retailer to get caught emailing people without providing an unsubscribe button, and the company has paid AU$165,000 for the mistake. • Russia: The biggest spammer was found dead in his apartment. • http://www.theinternetpatrol.com/spammer-receives-the-death-penalty
PROs and CONs PROs CONs • Majority of the countries do not have legislation • Fines against individuals rarely work. Either too high or too low • Lack of identification • Hard to have legislation keep up with technology • Legislators are not tech savvy • Several Countries have legislation • Organization are being fined
Proposed Solution • Gmail Spam filter • Gmail spam filters use combination of statistical filtering, content filtering and authentication methods like SPF and DKIM to filter spam • Users can train system by marking email as spam or not spam • Administrators can set up whitelists/graylists/blacklists • Scans all attachments for viruses before reaching the user • Less than 1% of email in the inbox reported as spam (average is between 1.8% and 3%) • Less than 1% of email falsely marked as spam
Cost & Implementation . • Cost - $50/user/year • Includes other services and not just spam protection • Implementation - Feasibility • Easy to migrate from Exchange server • Users can continue using current email client like outlook or use web mail • Can be implemented in 90 days for large enterprise(>750 users), in 4 weeks for medium businesses and within 1 hour for a small business • Statistics: • Gmail has no more than 1% of the enterprise email market, but it has close to 50% of the market for enterprise cloud email (2011 Gartner) • 39% of small companies <50p use Gmail • 20% of large companies use Gmail
Strength and Weaknesses STRENGTHS WEAKNESSES • Uses multiple techniques to block spam includes DMARC • Google acquired Postini (2007) that made them superior. • Less than 1% spam (Avg. 1.8% - 3%) • Google Apps is better suited for heterogeneous environments • Easy to implement • Automatic updated and easy to configure by users and administrators • Includes complete productivity suites in the cost of subscription • Trusting data to cloud provider • Legal concern over privacy of data • Expensive if only looking for anti spam solution and not any other functionality • Solution is as good as the capacity of Spammer to find a new exploit
Conclusion - Questions • While there are no perfect solutions to stop all SPAM, the protection mechanisms can be very efficient. • This does not solve the generation of 70% email traffic that weight on the internet. • The impetus for change is likely to be given by governments requesting ISP to find solutions. • Once ISP find the value of non spam network and avoid the inherent threats posed by these messages, they will seriously work on the issue and find solution.
Backup Slides Additional Material
eMail accounts and Traffic – Current and Projection http://www.radicati.com/wp/wp-content/uploads/2012/04/Email-Statistics-Report-2012-2016-Executive-Summary.pdf