CAUDIT 2005. Messaging Security: Spam and Virus Handling. Matthew Sullivan <matthew@sorbs.net>
Synopsis • What’s all the Fuss about…? • Further problems and liabilities. • Common Mail Configurations. • Backscatter and Mailbombs. • SORBS Mail Configuration. • Stopping Spam by RBL. • Stopping Spam by Filtering. • Virus handling and blocking.
What's all the Fuss about? • Email security, what is it? • Email security, why bother...? • Viruses and Trojans, why stop them? • Spam, why not just press delete?
Email Security, what is it? • Stopping spam and viruses. • Protecting the end user (the organisation as well as the individual) from the Internet. • Protecting the Internet from the end user! • Stopping unauthorised distribution of internal documents and user access details.
Email Security, why bother...? • Have you considered what would happen if the staff payroll were accidentally emailed to a competitor? • Have you considered what happens when a deeply religious person (e.g. a devout Muslim) receives X-rated porn? • Have you considered what happens to your trade secrets when a disgruntled employee decides to leave?
Trojans and Viruses, why stop them? • The obvious answer, of course, is to protect your users. • But why not just educate them? • The "I Love You" experience: the IT manager of a large UK corporate opened the "I Love You" attachment (a VBScript worm) as Administrator on the corporate Exchange server! • Outlook/Outlook Express: why do we call it LookOut, or OutBreak? • Mozilla and its derivatives: what makes them different?
Microsoft Outlook 2003: Outlook/Outlook Express, why do we call it LookOut, or OutBreak? [slide screenshot]
Mozilla 1.4+: the Mozilla way... [slide screenshot]
Microsoft Outlook 2003: time to be fair to Microsoft Outlook 2003... [slide screenshot]
Spam - Why not "Just press delete"? • Spammers tell us we should "just press delete". • So the question to ask is: "Why not?" • The resources (bandwidth, storage, server time) are already consumed by the time the message reaches you. • Tracking information in the message (web bugs) will mean more spam. • Just opening the message confirms the address is live, and that pays the spammer. • How much is your time worth? • An approximation for The University of Queensland if we weren't using filtering: 8000 staff; $20/hour average wage; 100-300 spams per day per staff member (200 used below); 10 seconds to "just press delete". • Simple calculation: 8000 staff x 10 seconds x 200 spams = 16,000,000 seconds lost to spam per day. • Cost: (16,000,000 / 3600) hours x $20 = $88,888.89 per day in lost time.
Further problems and liabilities. • Backups (Storage and Time). • Sexual Harassment and protection of minors. • Key Logging: The obvious. • Key Logging: The Risks. • Hacking of other machines. • Denial of Service attacks.
Backups (Storage and Time). • Cost of media (online storage). • Cost of media for initial and incremental backups. • Cost of hardware (drives do wear out). • 16 hours to back up the data at UQ. • 2 days to restore the same data.
Sexual Harassment and protection of minors. Porn spam to women has been recognised as a possible harassment suit waiting to happen, but it is not limited to women: men have the same right to sue, though currently their cases are less likely to get visibility. In the educational environment minors are not uncommon, and therefore by law they have to be protected from R-rated material. The good news is that the institution only has to be seen to be taking reasonable steps to prevent minors receiving inappropriate material. Similar reasonable steps can avoid judgements against the institution in sexual harassment cases.
Key Logging: The obvious. • The obvious risks: • User/pass interception. • Personal or corporate banking information. • Credit card details. • Unauthorised use of resources. • Onward attacks (local and remote). • Services down (local and remote). • Privacy issues.
Key Logging: The Risks. • The less obvious risks: • Identity theft/fraud. • Pre-patent information. • Email addresses of all staff. • Email addresses of all customers. • Customer account details. • Customer banking information. • Corporate accounting information.
Hacking of other machines. • Getting infected with a Trojan or virus can have knock-on consequences: • Hackers can hide themselves in your network. • Hackers can sniff passwords and protocols of more secure machines. • Hackers can install "bouncers" (proxies). • Not all break-ins are hackers at work: "Skript Kiddies" are a lot more dangerous.
Denial of Service attacks. • "Skript Kiddies": how do they get in? • "Skript Kiddies": what do they want? • The effects of DDoS attacks can be widespread: attacks on SORBS caused core routers in AAPT Connect to reboot, disconnecting all of Queensland. • Outgoing traffic from a machine acting as a DoS client can be significant. • Legal liability when servers are destroyed.
Backscatter and Mailbombs. • What is backscatter? • Are virus bounces a problem? • Are spam bounces a problem? • What is a mailbomb? • A computer-destroying explosion? • An archive bomb? • Something else? • What is the difference? • Why should we do something about it? • What can we do about it?
Backscatter: Examples. Six deliveries of the same spam, captured at different sites within an hour of each other. Note what they share: one sending IP (80.21.154.250, a dial-up/DSL pool host), one Message-ID, one forged sender (help@pcbugfixer.com), and a HELO name chosen each time to look like the receiving site's own mail host. Every bounce, virus notification or "your mail was rejected" message generated for these lands on help@pcbugfixer.com, who sent none of them.

Return-Path: <help@pcbugfixer.com>
Received: (qmail 14862 invoked from network); 5 Jan 2005 15:05:47 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail-kr3.gulli.com) (80.21.154.250) by sub.gulli.com with SMTP; 5 Jan 2005 15:05:47 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <help@pcbugfixer.com>
To: <zuzo@gulli.com>
Subject: Fw: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Return-Path: <help@pcbugfixer.com>
Received: (qmail 77169 invoked from network); 5 Jan 2005 15:06:35 -0000
Received: from unknown (HELO mail.zoomshare.com) (80.21.154.250) by taxis.dwdata.com with SMTP; 5 Jan 2005 15:06:35 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <help@pcbugfixer.com>
To: <puha@zoomshare.com>
Subject: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Return-Path: <help@pcbugfixer.com>
Received: (qmail 10367 invoked from network); 5 Jan 2005 14:56:24 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail-kr3.gulli.com) (80.21.154.250) by sub.gulli.com with SMTP; 5 Jan 2005 14:56:24 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <help@pcbugfixer.com>
To: <weceuho@gulli.com>
Subject: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Return-Path: <help@pcbugfixer.com>
Received: (qmail 17665 invoked from network); 5 Jan 2005 14:59:33 -0000
Received: from unknown (HELO mail.superava.it) (80.21.154.250) by mail.supereva.it with SMTP; 5 Jan 2005 14:59:33 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <help@pcbugfixer.com>
To: <iter@freemail.it>
Subject: Buon Natale!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Received: from mail.od2.com ([80.21.154.250]) by mail.od2.co.uk with Microsoft SMTPSVC(6.0.3790.211); Wed, 5 Jan 2005 14:49:19 +0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: "Gea" <help@pcbugfixer.com>
To: <sube@od2.com>
Subject: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Return-Path: <help@pcbugfixer.com>
X-OriginalArrivalTime: 05 Jan 2005 14:49:19.0384 (UTC) FILETIME=[BC755980:01C4F335]

Return-Path: <help@pcbugfixer.com>
Received: (qmail 11561 invoked from network); 5 Jan 2005 14:14:02 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail.malaguti.org) (80.21.154.250) by server11.ehostsource.com with SMTP; 5 Jan 2005 14:14:02 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <help@pcbugfixer.com>
To: <aniwe@malaguti.org>
Subject: Re: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
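The pattern in the header dumps above can be pulled out mechanically. The following is an added example written for this page, not code from the presentation or from SORBS: it parses the Received lines of the six captures (transcribed inline as constructed input, trimmed to the fields used), groups deliveries by Message-ID, and reports how many distinct HELO names one source address presented and how often the HELO was chosen to mimic the recipient's own domain. The threshold in is_forged_run is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the Received, Message-ID and To lines transcribed from the
# six header dumps on the slides (other fields dropped), one blank line between
# deliveries. A transcription for the example, not a live capture.
SAMPLES = """\
Received: (qmail 14862 invoked from network); 5 Jan 2005 15:05:47 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail-kr3.gulli.com) (80.21.154.250) by sub.gulli.com with SMTP; 5 Jan 2005 15:05:47 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
To: <zuzo@gulli.com>

Received: (qmail 77169 invoked from network); 5 Jan 2005 15:06:35 -0000
Received: from unknown (HELO mail.zoomshare.com) (80.21.154.250) by taxis.dwdata.com with SMTP; 5 Jan 2005 15:06:35 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
To: <puha@zoomshare.com>

Received: (qmail 10367 invoked from network); 5 Jan 2005 14:56:24 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail-kr3.gulli.com) (80.21.154.250) by sub.gulli.com with SMTP; 5 Jan 2005 14:56:24 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
To: <weceuho@gulli.com>

Received: (qmail 17665 invoked from network); 5 Jan 2005 14:59:33 -0000
Received: from unknown (HELO mail.superava.it) (80.21.154.250) by mail.supereva.it with SMTP; 5 Jan 2005 14:59:33 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
To: <iter@freemail.it>

Received: from mail.od2.com ([80.21.154.250]) by mail.od2.co.uk with Microsoft SMTPSVC(6.0.3790.211); Wed, 5 Jan 2005 14:49:19 +0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
To: <sube@od2.com>

Received: (qmail 11561 invoked from network); 5 Jan 2005 14:14:02 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail.malaguti.org) (80.21.154.250) by server11.ehostsource.com with SMTP; 5 Jan 2005 14:14:02 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
To: <aniwe@malaguti.org>
"""

# qmail writes "from <rDNS> (HELO <name>) (<ip>) by <host>"; Exchange writes
# "from <HELO name> ([<ip>]) by <host>". One pattern covers both forms.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_headers(block):
    """Header name (lower-cased) -> list of values; Received repeats, so keep a list."""
    headers = defaultdict(list)
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers


def external_hop(headers):
    """First Received line that names a connecting IP: (ip, helo, receiving host)."""
    for received in headers.get("received", []):
        m = RECEIVED_RE.search(received)
        if m:
            helo = (m.group("helo") or m.group("name")).lower()
            return m.group("ip"), helo, m.group("by").lower()
    return None


def analyse(text):
    """Group deliveries by Message-ID and summarise where each run came from."""
    runs = defaultdict(lambda: {"source_ips": set(), "helos": set(),
                                "recipients": set(), "helo_mimics_recipient": 0})
    for block in text.strip().split("\n\n"):
        headers = parse_headers(block)
        hop = external_hop(headers)
        if hop is None or not headers.get("message-id"):
            continue
        ip, helo, _receiver = hop
        run = runs[headers["message-id"][0]]
        recipient = headers.get("to", ["<>"])[0].strip("<>").lower()
        run["source_ips"].add(ip)
        run["helos"].add(helo)
        run["recipients"].add(recipient)
        # A HELO picked to look like the recipient's own domain is a forgery tell.
        rcpt_domain = recipient.rsplit("@", 1)[-1]
        if helo == rcpt_domain or helo.endswith("." + rcpt_domain):
            run["helo_mimics_recipient"] += 1
    return runs


def is_forged_run(run, min_helos=3):
    """One source address presenting several HELO names is a spam engine, not an MTA.
    The min_helos threshold is an illustrative assumption."""
    return len(run["source_ips"]) == 1 and len(run["helos"]) >= min_helos


if __name__ == "__main__":
    for msgid, run in analyse(SAMPLES).items():
        print(msgid, "sources:", sorted(run["source_ips"]), "helos:", len(run["helos"]),
              "recipients:", len(run["recipients"]),
              "helo mimics recipient domain:", run["helo_mimics_recipient"],
              "forged run:", is_forged_run(run))
```

On the six captures this reports a single source, five distinct HELO names and five of six HELOs matching the recipient's domain. The same grouping, run over your own bounce queue, tells you which "senders" your site is about to backscatter.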
Stopping Spam by RBL. • How effective are they? • Which ones to use? Spamhaus, MAPS, SORBS, DSBL, NJABL. • How do you want to use them: block outright, or weight the listing as one input to a score?
Some Statistics From OpenRBL (hits per list over one sample, and the share of the sample each list caught):
  AHBL      The Abusive Hosts Blocking List              1009  10%
  BOGONS    completewhois.com: Bogon IPs                  144   1%
  BOPM      Blitzed Open Proxy Monitor                    510   6%
  CBL       Composite Blocking List                      3010  24%
  DRBL      Distributed Realtime Blocking List           1653  11%
  DSBL      Distributed Server Boycott List              2962  25%
  FIVETEN   Local Blackholes at Five-Ten                 5903  47%
  JIPPGMA   JIPPG's Relay Blackhole List                  142   1%
  NJABL     Not Just Another Bogus List                  1769  16%
  NOMORE    dr. Jørgen Mash's DNSbl                       338   3%
  ORDB      Open Relay DataBase                           167   0%
  PSBL      Passive Spam Block List                      1161   9%
  SBL       Spamhaus Block List                           698   6%
  SORBS     Spam and Open Relay Blocking System          4643  42%
  SPAMBAG   Spambags                                     1167  11%
  SPAMCOP   SpamCop                                      1868  17%
  SPAMRBL                                                   9   0%
  SPAMSITE  Spamware Peddler and Spamservices               5   0%
  SPEWS     Spam Prevention Early Warning System         1552  12%
  UCEPROT                                                 880   8%
  WPBL      Weighted Private Block List                   778   7%
Which shows statistics mean nothing!
Stopping Spam by RBL: how not to use RBLs. RFC 821 and RFC 2821 should be considered. RFC 2821, section 6.1, Reliable Delivery and Replies by Email:

  When the receiver-SMTP accepts a piece of mail (by sending a "250 OK" message in response to DATA), it is accepting responsibility for delivering or relaying the message. It must take this responsibility seriously. It MUST NOT lose the message for frivolous reasons, such as because the host later crashes or because of a predictable resource shortage.

  If there is a delivery failure after acceptance of a message, the receiver-SMTP MUST formulate and mail a notification message. This notification MUST be sent using a null ("<>") reverse path in the envelope. The recipient of this notification MUST be the address from the envelope return path (or the Return-Path: line). However, if this address is null ("<>"), the receiver-SMTP MUST NOT send a notification.

Remember the backscatter issue? An RBL check that runs after the 250 OK leaves you obliged to bounce every message it catches, and the bounce goes to the forged sender. Check the connecting IP at connection or RCPT time and reject with a 5xx instead, so the message is never yours to lose or to bounce.
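An added example (not code from the presentation or from SORBS) of the "block or weight" choice done the way the RFC text above demands: the DNSBL query name is built by reversing the client's octets, each list that answers adds its weight to a score, and the decision is taken before any 250 OK, so a listed client gets a 5xx from us and there is nothing to bounce. The zone names are real zones as they were known (DSBL and NJABL have since shut down), the weights and thresholds are illustrative assumptions, and the FAKE_DNS table is constructed so the example runs offline; it is not a real listing.

```python
import socket
from ipaddress import ip_address

# Assumed zones and weights for the example; the mix and the weights are
# illustrative, not a recommendation. list.dsbl.org and dnsbl.njabl.org are
# historical zones that appear only because the slide names those lists.
ZONES = {
    "sbl.spamhaus.org": 5.0,
    "dnsbl.sorbs.net": 3.0,
    "list.dsbl.org": 2.0,
    "dnsbl.njabl.org": 2.0,
}


def dnsbl_name(ip, zone):
    """80.21.154.250 in dnsbl.sorbs.net is asked for as 250.154.21.80.dnsbl.sorbs.net."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_a_lookup(name):
    """Live resolver: an A record means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def score_client(ip, zones=ZONES, lookup=dns_a_lookup):
    """Sum the weights of every zone that lists the client."""
    score, hits = 0.0, []
    for zone, weight in zones.items():
        answer = lookup(dnsbl_name(ip, zone))
        # DNSBLs answer from 127.0.0.0/8. Anything else is a dead zone whose
        # domain has been parked behind a wildcard; counting it blocks everyone.
        if answer is not None and answer.startswith("127."):
            score += weight
            hits.append(zone)
    return score, hits


def smtp_policy(ip, reject_at=5.0, tag_at=2.0, zones=ZONES, lookup=dns_a_lookup):
    """Decide at connection/RCPT time, before we ever answer DATA with 250, so a
    listed client is refused with a 5xx and we never own a message we must bounce."""
    score, hits = score_client(ip, zones, lookup)
    listed = ", ".join(hits)
    if score >= reject_at:
        return "reject", f"550 5.7.1 Service unavailable; {ip} is listed in {listed}"
    if score >= tag_at:
        # Weighting: accept, but hand the score to the content filter.
        return "tag", f"X-DNSBL-Score: {score:g} ({listed})"
    return "accept", "250 OK"


# Constructed answers so the example runs offline; these are NOT real listings.
FAKE_DNS = {
    "250.154.21.80.sbl.spamhaus.org": "127.0.0.2",
    "250.154.21.80.dnsbl.sorbs.net": "127.0.0.6",
    "10.2.0.192.dnsbl.njabl.org": "127.0.0.2",
    "7.100.51.198.list.dsbl.org": "192.0.2.1",   # a parked zone answering with a wildcard
}

if __name__ == "__main__":
    for client in ("80.21.154.250", "192.0.2.10", "198.51.100.7"):
        print(client, smtp_policy(client, lookup=FAKE_DNS.get))
```

The wildcard check matters in practice: several of the lists in the OpenRBL table above no longer exist, and a retired zone that starts answering every query with a non-127 address will otherwise reject all of your inbound mail.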
Stopping Spam by Filtering. • SpamAssassin for filtering? • Greylisting? • The SORBS spam filter? • Bayesian filters? • Regular expressions? • Sieve? • How not to filter messages! Remember RFC 2821? Remember the backscatter issue? A filter that runs only after the message has been accepted can either discard it (losing mail) or bounce it (creating backscatter); run the filter during the SMTP session and reject instead.
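Greylisting is the one technique on that list that is SMTP-time by construction: the first delivery attempt for a new (client, sender, recipient) triplet is answered with a 451 at RCPT, so nothing is accepted and nothing can be bounced; a real MTA queues and retries, the spam engine behind the header dumps above does not. The following is an added example written for this page, not code from the presentation or from SORBS. The timings (300 s minimum delay, 4 h retry window, 36 day whitelist) and the choice to key on the client's /24 are assumptions that mirror common greylisting deployments; the clock is injectable so the example runs offline.

```python
import time
from ipaddress import ip_network


class Greylist:
    """Triplet greylisting: (client network, envelope sender, recipient).

    A triplet seen for the first time is deferred with 451 at RCPT, before DATA,
    so we never accept the message and owe nobody a bounce. A retry after the
    minimum delay (but within the retry window) is accepted and the triplet is
    whitelisted for a while so that correspondents are only delayed once.
    """

    def __init__(self, delay=300, retry_window=4 * 3600, whitelist_ttl=36 * 24 * 3600):
        self.delay = delay                  # seconds a new triplet must wait
        self.retry_window = retry_window    # how long a pending triplet is remembered
        self.whitelist_ttl = whitelist_ttl  # how long a passed triplet stays accepted
        self.pending = {}                   # triplet -> first seen
        self.passed = {}                    # triplet -> last seen

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Key on the /24 so a retry from another MTA in the same pool still matches
        # (assumption: large senders retry from a pool of outbound hosts).
        net = str(ip_network(f"{client_ip}/24", strict=False))
        return net, sender.lower(), recipient.lower()

    def check(self, client_ip, sender, recipient, now=None):
        """Return (action, SMTP reply) for the RCPT TO command."""
        now = time.time() if now is None else now
        key = self._key(client_ip, sender, recipient)

        last = self.passed.get(key)
        if last is not None and now - last <= self.whitelist_ttl:
            self.passed[key] = now
            return "accept", "250 2.1.5 OK"
        self.passed.pop(key, None)

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            # New, or so stale that the clock starts again.
            self.pending[key] = now
            return "defer", "451 4.7.1 Greylisted, please try again later"
        if now - first < self.delay:
            # Retried too quickly: keep the original timestamp and defer again.
            return "defer", "451 4.7.1 Greylisted, please try again later"
        del self.pending[key]
        self.passed[key] = now
        return "accept", "250 2.1.5 OK"

    def expire(self, now=None):
        """Housekeeping: drop stale pending entries and lapsed whitelist entries."""
        now = time.time() if now is None else now
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.retry_window}
        self.passed = {k: t for k, t in self.passed.items() if now - t <= self.whitelist_ttl}


if __name__ == "__main__":
    g = Greylist()
    triplet = ("80.21.154.250", "help@pcbugfixer.com", "zuzo@gulli.com")
    for t in (0, 60, 400, 500):
        print(t, g.check(*triplet, now=t))
```

The 451 is a temporary failure, so a legitimate sender loses a few minutes and nothing else; the cost is borne by whoever does not retry, which is exactly the population you want to lose.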
Virus Filtering. • Open source, or not? • Reject, delete, or disinfect messages? • Do you notify the sender? • Do you notify the receiver? • Remember the RFCs? Remember the backscatter issue? Mass-mailing worms forge the sender address, so a "you sent us a virus" notification goes to a bystander, exactly like a spam bounce.
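One consistent set of answers to the questions on this slide and the RFC 2821 text quoted under "How not to use RBLs", written as an added example for this page (not code from the presentation, from SORBS or from any scanner): refuse at DATA when the scanner runs in-line, never notify the forged sender, tell the local recipient when something was withheld or cleaned, and generate a bounce only for a genuine post-acceptance delivery failure and never to a null reverse path. The stage names, the shape of the scanner result and the quarantine choice for post-acceptance infections are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    action: str                  # "deliver", "reject" or "quarantine"
    smtp_reply: Optional[str]    # what the SMTP session is told, if it is still open
    notify_recipient: bool       # local user told that a message was withheld/cleaned
    dsn_to: Optional[str]        # where a bounce would go; None means no bounce at all


def bounce_target(envelope_from):
    """RFC 2821 6.1: a failure after acceptance is reported to the reverse path,
    unless that path is null ("<>"), in which case no notification is sent."""
    addr = envelope_from.strip()
    if addr in ("", "<>"):
        return None
    return addr.strip("<>")


def virus_policy(stage, envelope_from, scan):
    """stage is "smtp" (scanner runs before we answer DATA) or "queue" (we have
    already said 250 OK). scan is the scanner's result (assumed shape), e.g.
    {"infected": True, "name": "W32/Example", "cleaned": False}."""
    if not scan.get("infected"):
        return Verdict("deliver", "250 OK" if stage == "smtp" else None, False, None)
    if stage == "smtp":
        # Refuse before accepting: the sending MTA keeps the problem, a worm-
        # infected host gets nothing it can turn into a bounce, and we owe no DSN.
        return Verdict("reject", f"550 5.7.1 Message refused: {scan['name']} detected",
                       False, None)
    if scan.get("cleaned"):
        # Disinfected: deliver what is left and tell the recipient what happened.
        return Verdict("deliver", None, True, None)
    # Accepted and not cleanable. Worms forge the sender, so a DSN to the reverse
    # path would be backscatter to a bystander: quarantine, tell the local
    # recipient, send no bounce. (A genuine delivery failure is the case
    # bounce_target covers; a virus verdict is not one.)
    return Verdict("quarantine", None, True, None)


def failure_dsn(envelope_from, reason):
    """Post-acceptance delivery failure: build the bounce envelope per RFC 2821 6.1,
    or return None when the reverse path is null and no bounce may be sent."""
    target = bounce_target(envelope_from)
    if target is None:
        return None
    return {"mail_from": "<>", "rcpt_to": target, "subject": "Undelivered Mail Returned to Sender",
            "reason": reason}


if __name__ == "__main__":
    worm = {"infected": True, "name": "W32/Example", "cleaned": False}
    print(virus_policy("smtp", "<help@pcbugfixer.com>", worm))
    print(virus_policy("queue", "<help@pcbugfixer.com>", worm))
    print(failure_dsn("<help@pcbugfixer.com>", "550 5.1.1 User unknown"))
    print(failure_dsn("<>", "550 5.1.1 User unknown"))
```

Read against the header dumps earlier on the page: with this policy help@pcbugfixer.com receives nothing from a site that scans in-line, and nothing from a site that quarantines after acceptance; only a site that bounces after acceptance adds to that address's backscatter.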
Thank You Matthew Sullivan