210 likes | 352 Views
Build Your Own Spam Firewall Using Postfix & SpamAssassin Zach Levow, vp engineering April 20, 2005 / SecureIT. Agenda. Introduction to Barracuda Networks (10 Min) Building a security appliance using open source technologies (10 Min) Anti-Spam technologies (40 Min)
E N D
Build Your Own Spam Firewall Using Postfix & SpamAssassin Zach Levow, vp engineering April 20, 2005 / SecureIT
Agenda • Introduction to Barracuda Networks (10 Min) • Building a security appliance using open source technologies (10 Min) • Anti-Spam technologies (40 Min) • System considerations (10 Min) • Q/A
Company Background • Mission • Deliver easy to use and cost effective solutions for protecting email servers • Founded December 2002 • Research and development since 2001 • Barracuda Spam Firewall Launch October 2003 • Barracuda Spyware Firewall Launch April 2005 • Headquarters in Cupertino, California • Offices in Europe (UK), China (Shanghai), Canada, Australia, India, Pakistan, United Arab Emirates (Dubai), and USA • 100+ employees worldwide • Experienced management & development team • Privately Funded • Profitable • Market Leader • 14,000 customers worldwide
BarracudaSpamFirewall • Comprehensive email protection • Blocks spam and virus • Integrated hardware and software solution • Ease of use • Plug-and-play • No changes needed to email servers • Enterprise Features • Reliable and Robust • Aggressively Priced • No per user licensing fees • Market leading anti-spam appliance Launched Oct. 13, 2003
Barracuda Spam Firewall - Outbound Edition • Comprehensive MTA • Includes Barracuda Spam Firewall Features • Easy to use and Configure (web interface) • Secure • Reporting and logging • Stops Virus Proliferation • Enforces Corporate & Regulatory Policies • Foul language and security • HIPAA, Sarbanes-Oxley • Prevents Spamming & Open Relay Function Launched Jan. 17, 2005
Barracuda Spyware Firewall Features • Gateway appliance • Powerful, easy to use & install • Intuitive user interface • Affordable • Prices starting at $1,999 • Available in five models: • Spyware Firewall 210 ($1,999) • Spyware Firewall 310 ($3,299) • Spyware Firewall 410 ($5,999) • Inline hardware appliance • Complete scalability for growing organizations
Cardinal Rules of Spam Filtering • No false positives! • A false positive where the sender is not notified is even worse • Reject rather than bounce • Don’t assume everyone’s mail looks like yours
Open Source Technical Issues • Immature products: One size does not fit all • Mature products: Bloated codebase – hard to maintain • Security issues • Pro: an active community will find and fix security issues. • Con: an active community will introduce security flaws. • Con: publishing your source does expose you to more exploits. Hackers go for the lowest common denominator. • Chroot, chroot, chroot – it’s always worth it.
Open Source Business Issues • Giving back to the community • Many changes aren’t for everyone • Extra time to polish changes for contribution • Separating proprietary technology • Configuration files are yours • Absolutely no linking if you don’t want to share.
Anti-spam Technologies • Intent Analysis • Open alternative: SURBL – Bill Stearns’ URL Blacklist • Real-time query performance issues • RBLs • Spamhaus – only list with minimal false positives • SpamAssassin • Rules Updates • SPF • Rate Control/Throttling • Virus scanning • Several fairly good open source solutions… • No one solution catches all… • Combine them
Anti-Spam Technologies (Cont.) • Bayesian • International Charsets • IBM’s ICU library very efficient • Token Chaining Crucial • Per-user Bayes very important • Noise reduction very helpful • Pro: most proactive anti-spam technique • Con: Troubleshooting is usually a nightmare! • Make user classification easy
Controversial Anti-Spam Techniques • Graylisting • Pro: Very effective at blocking spam • Con: Potentially delays all messages from new senders by several hours • Con: Spammers know how to defeat it, but most don’t yet • Tarpitting • Pro: effective at slowing down dictionary attacks • Con: Will bury a busy system if a process or thread is required per connection. • Challenge-response • Increases internet chatter • Unless linked to outbound SMTP, can lead to “Deadlock”
DNS MX Records • Example MX record barracudanetworks.com MX preference = 10, mail exchanger = barracuda2.barracudanetworks.com barracudanetworks.com MX preference = 10, mail exchanger = barracuda.barracudanetworks.com • SMTP is great to load-balancing/failover • Put as many systems as you like at the same “Preference” and all known clients will round-robin until they find an available system • DON’T LEAVE YOUR MAIL SERVER AS A BACKUP MX FOR YOUR SPAM FILTER!! Spammers will attack it directly
Phishing • No link should ever say that it is HTTPS in a message and then actually link to a non-HTTPS page • Relatively small list of known scams – fairly easy to keep up with if you have a good sample of email. It is worth the effort.
Quarantine • Effective tool for reducing “False Positives” while increasing catch rate. • Best if integrated with directory services so that a user with multiple email addresses only has one quarantine box. • No perfect open-source solution: • Need web interface • Should send daily digest
Per-User Settings • Major reduction in administration if users can update personal allow/block lists, passphrases, etc. • Again, best when integrated with directory services. • User interface issues.
System Considerations • Databases: • Most open source databases are great for low-volume, general purpose applications. • In high load situations they all break down – specialized databases become necessary. • High-availability • Syncing of configurations (meta-data) • Syncing of quarantine information (data)
System Considerations (Cont.) • Hard drives • Typical drives will last 6-12 months under a constant and steady mail load. • Use Raid • Turn off write cache (hdparm) • Filesystems • Use Journaling Filesystem • Ext3: slow, but robust • XFS/ReiserFS: faster, but less robust • Mount with synchronous I/O (sync)
Fighting Spam Can Be Effective • False positives are not acceptable or necessary. • Keep your spam rules and virus definitions up to date. • Reduce your administration load and false positives/negatives by giving control to your users through personal settings and quarantine.