Antispam activities @ GARR
Michele Michelotto
Hepix Karlsruhe, 11 May 2005
WG sec mail
• Enrico Ardizzoni (Università di Ferrara)
• Alberto D’Ambrosio (INFN, Torino)
• Roberto Cecchini (INFN, Firenze)
• Fulvia Costa (INFN, Padova)
• Giacomo Fazio (INAF, Palermo)
• Antonio Forte (INFN, Roma 1)
• Matteo Genghini (IASF, Bologna)
• Michele Michelotto (INFN, Padova)
• Ombretta Pinazza (INFN, Bologna)
• Alessandro Spanu (INFN, Roma 1)
• Alfonso Sparano (Università di Salerno)
Antispam activities at GARR
Goals
• anti-spam and anti-virus
  • Stop them, or at least reduce them to a reasonable level
• “best practices”
  • mail services configuration and mail server protection
• Sender authentication
  • SPF, DomainKeys
• Dissemination
  • http://www.garr.it/WG/sec-mail
  • mailto:<secmail-info@garr.it>
anti-spam
• SpamAssassin (SA) analysis and efficiency improvement:
  • Monitoring;
  • Bayesian filter;
  • Real Time Block List (RBL);
  • Network distributed “cooperative” systems.
anti-spam
• Alternative tools tests:
  • Bogofilter: http://bogofilter.sourceforge.net/
  • DSPAM: http://www.nuclearelephant.com/projects/dspam
SpamAssassin
• Rule based
• Each rule adds a score (positive or negative)
• Mail over the threshold can be deleted, marked, or moved to a quarantine folder
• The choice of threshold is difficult
• Some spam has a score lower than legitimate mail (ham)
Where do I put the threshold?
• Two weeks: 275417 e-mails, 208436 spams (75.7%)
• Threshold too high: many FALSE NEGATIVES
Where do I put the threshold?
• Two weeks: 275417 e-mails, 208436 spams (75.7%)
• Threshold too low: some FALSE POSITIVES (dangerous)
Independent methods
• Improve the spam/ham identification
• I can’t move the threshold
  • If I lower it I get too many False Negatives
  • If I raise it, it is even worse because I can get some False Positives
• Look for “independent methods”
  • Bayesian Filters
  • Cooperative methods
  • RBL
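The threshold trade-off on the last few slides, worked through in code. This is an added example, not from the GARR slides or from SpamAssassin: the scores and labels are a constructed sample whose spam and ham distributions overlap, `confusion()` counts false positives and false negatives at a given threshold, `best_threshold()` weights a false positive more heavily than a false negative (the slides call false positives dangerous), and `add_independent_score()` shows why an independent signal such as an RBL or DCC hit helps: it lifts the low-scoring spam above the threshold without touching the ham.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scored:
    score: float      # SpamAssassin-style total score (sum of rule scores)
    is_spam: bool     # ground truth from manual labelling


# Constructed sample (not real traffic): note the overlap, ham at 5.6 and spam at 2.4 / 4.2
SAMPLE = (
    Scored(-2.1, False), Scored(0.3, False), Scored(1.8, False), Scored(3.9, False), Scored(5.6, False),
    Scored(2.4, True), Scored(4.2, True), Scored(6.5, True), Scored(9.1, True), Scored(14.0, True),
)


def confusion(msgs, threshold):
    """(false positives, false negatives) when everything at or above `threshold` is called spam."""
    fp = sum(1 for m in msgs if not m.is_spam and m.score >= threshold)
    fn = sum(1 for m in msgs if m.is_spam and m.score < threshold)
    return fp, fn


def sweep(msgs, thresholds):
    """Confusion counts for each candidate threshold, to see where FP and FN trade against each other."""
    return {t: confusion(msgs, t) for t in thresholds}


def best_threshold(msgs, thresholds, fp_weight=10.0):
    """Pick the threshold with minimal weighted cost; a false positive costs `fp_weight` false negatives."""
    def cost(t):
        fp, fn = confusion(msgs, t)
        return fp_weight * fp + fn
    return min(thresholds, key=lambda t: (cost(t), t))


def add_independent_score(msgs, hits, bonus):
    """Independent evidence (an RBL, DCC or Bayes hit per message) adds `bonus` to that message's score."""
    return tuple(replace(m, score=m.score + bonus) if hit else m for m, hit in zip(msgs, hits))


if __name__ == "__main__":
    for t, (fp, fn) in sweep(SAMPLE, [2, 3, 4, 5, 6, 7]).items():
        print(f"threshold {t}: {fp} false positives, {fn} false negatives")
    print("least-cost threshold:", best_threshold(SAMPLE, [2, 3, 4, 5, 6, 7]))
    # constructed: an independent method flags the two low-scoring spams and none of the ham
    boosted = add_independent_score(SAMPLE, [False] * 5 + [True, True, False, False, False], 3.0)
    print("with independent evidence at threshold 5:", confusion(boosted, 5.0))
```

Sweeping the threshold shows no single value clears both error types on this sample: a low threshold flags ham, a high one passes spam. Only the independent score moves the two overlapping spams out of the ham range.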
Bayesian Filters
• Based on Bayesian statistics
• The filters “learn” which words (actually tokens) are more probable in ham and in spam
• Bayesian filter ageing
  • Learning by manually submitting ham and spam samples is time consuming
  • Auto-learning is dangerous: spammers send mail designed to “poison” the filters
  • Best performance with frequent updates submitted by the users
  • Even better: a different database for each user
Bayesian Filters
• Filter “ageing”: the filters must be kept up to date.
  • Manual update is time expensive
  • Frequent updates from selected samples chosen by users, best with an individual db for each user.
  • Automatic update is dangerous
    • Some mail is sent only for Bayesian filter “poisoning”.
Ageing
(chart: NEW / TRAINING / AGEING)
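A small token-based Bayesian filter covering the two Bayesian slides above: training on ham and spam, per-token spam probabilities, ageing of tokens that have not been seen recently, and a guarded auto-learning step that only trains on messages the filter is already very sure about (the slides' warning about poisoning). This is an added example, not SpamAssassin's Bayes implementation; the training messages, the smoothing, the clamping to [0.01, 0.99] and the "forget after N rounds" ageing rule are all choices made here for illustration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!']{2,}")


def tokenize(text):
    """Token presence per message: each token counts once however often it appears."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_tok = Counter()   # token -> number of spam messages containing it
        self.ham_tok = Counter()    # token -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0
        self.last_seen = {}         # token -> training round it last appeared in (for ageing)
        self.round = 0

    def train(self, text, is_spam):
        self.round += 1
        toks = tokenize(text)
        if is_spam:
            self.spam_tok.update(toks)
            self.n_spam += 1
        else:
            self.ham_tok.update(toks)
            self.n_ham += 1
        for t in toks:
            self.last_seen[t] = self.round

    def token_prob(self, tok):
        """Smoothed P(spam | token present), clamped so that no single token is decisive."""
        ps = (self.spam_tok[tok] + 1) / (self.n_spam + 2)
        ph = (self.ham_tok[tok] + 1) / (self.n_ham + 2)
        return min(0.99, max(0.01, ps / (ps + ph)))

    def spam_probability(self, text, top_n=15):
        """Combine the `top_n` most telling tokens in log space (naive Bayes with equal priors)."""
        toks = tokenize(text)
        if not toks:
            return 0.5
        probs = sorted((self.token_prob(t) for t in toks), key=lambda p: abs(p - 0.5), reverse=True)[:top_n]
        log_s = sum(math.log(p) for p in probs)
        log_h = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_h - log_s))

    def expire(self, max_age):
        """Ageing: forget tokens not seen in the last `max_age` training rounds; returns how many were dropped."""
        stale = [t for t, r in self.last_seen.items() if self.round - r > max_age]
        for t in stale:
            self.spam_tok.pop(t, None)
            self.ham_tok.pop(t, None)
            del self.last_seen[t]
        return len(stale)

    def autolearn(self, text, spam_above=0.99, ham_below=0.01):
        """Guarded auto-learning: train only on messages already classified with very high confidence."""
        p = self.spam_probability(text)
        if p >= spam_above:
            self.train(text, True)
            return "spam"
        if p <= ham_below:
            self.train(text, False)
            return "ham"
        return None   # borderline: leave it to a human, a poisoned message must not train the filter


# Constructed training samples (not real mail)
SPAM_SAMPLES = ("cheap viagra online buy now", "buy cheap pills now online", "win money now click")
HAM_SAMPLES = ("meeting agenda for the hepix workshop", "please review the dcc server stats",
               "lunch at the workshop canteen")


def build_demo_filter():
    f = BayesFilter()
    for s in SPAM_SAMPLES:
        f.train(s, True)
    for h in HAM_SAMPLES:
        f.train(h, False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    print("spam prob:", round(f.spam_probability("buy cheap viagra now"), 3))
    print("ham prob:", round(f.spam_probability("hepix workshop agenda"), 3))
    print("autolearn borderline:", f.autolearn("buy cheap viagra now"))
    print("expired tokens:", build_demo_filter().expire(2))
```

With the constructed data the filter scores the spam-like message near 0.99 but not above it, so `autolearn()` declines to train on it, which is the guard the slides ask for; `expire(2)` on a filter trained spam-first then ham drops every token seen only in the first three rounds, showing how aggressive ageing can erase half the knowledge unless fresh samples keep arriving.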
Real-Time Block List
• For each e-mail a DNS query is issued to see if the sender is present in a list of known spammers
• Good method to add score
• Don’t use it to reject mail
  • Spoofing of sender
  • Some RBLs are not very accurate in checking whether a sender is a real spammer, or in removing those who fixed the problem
• URIRBL: very good because the check is done against the URLs in the mail body
  • The spammer will not spoof the URL in the body!!!
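How the DNS lookups on this slide are formed, and how the answers feed a score rather than a reject decision. This is an added example, not part of the slides or of SpamAssassin: the list zones (`dnsbl.example`, `uribl.example`), the sender address and the message body are constructed placeholders, and `make_fake_resolver()` stands in for DNS so the code runs offline. The query-name construction (reversed IPv4 octets, or reversed nibbles for IPv6, under the list's zone; the URL's domain under the URI list's zone) is the convention real lists use; the weights are arbitrary here.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def dnsbl_query_name(ip, zone):
    """Name to resolve for an IP-based list: reversed IPv4 octets or reversed IPv6 nibbles, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # one hex nibble per label
    return ".".join(labels) + "." + zone


def uribl_query_name(url, zone):
    """Name to resolve for a URI list: the URL's domain under the zone.
    The last two labels approximate the registrable domain; real lists consult a public suffix list."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) + "." + zone


def lookup(name, resolve=socket.gethostbyname):
    """Return the A record when listed, None when the name does not exist (not listed)."""
    try:
        return resolve(name)
    except socket.gaierror:
        return None


def make_fake_resolver(listed):
    """Offline stand-in for DNS (constructed): `listed` maps query names to their answer."""
    def resolve(name):
        if name in listed:
            return listed[name]
        raise socket.gaierror(f"NXDOMAIN {name}")
    return resolve


def dnsbl_score(sender_ip, body, ip_zones, uri_zones, resolve, ip_weight=1.5, uri_weight=2.5):
    """Add score per listing hit; never used here to reject outright, as the slide advises."""
    ip_hits = [n for n in (dnsbl_query_name(sender_ip, z) for z in ip_zones) if lookup(n, resolve)]
    uri_hits, seen = [], set()
    for url in URL_RE.findall(body):
        for zone in uri_zones:
            name = uribl_query_name(url, zone)
            if name in seen:
                continue              # one query per domain and zone, however often the URL repeats
            seen.add(name)
            if lookup(name, resolve):
                uri_hits.append(name)
    return ip_weight * len(ip_hits) + uri_weight * len(uri_hits), ip_hits + uri_hits


# Constructed data: TEST-NET address, placeholder zones and a body with two links
SENDER = "192.0.2.10"
BODY = "Cheap offer: http://www.Promo.example.net/buy?x=1 and http://news.example.org/ today"
LISTED = {"10.2.0.192.dnsbl.example": "127.0.0.2", "example.net.uribl.example": "127.0.0.2"}

if __name__ == "__main__":
    score, hits = dnsbl_score(SENDER, BODY, ["dnsbl.example"], ["uribl.example"], make_fake_resolver(LISTED))
    print(f"score +{score} from {hits}")
```

Real lists encode the reason for a listing in the returned 127.0.0.x address; a production check should match that value rather than treat any answer as a hit, otherwise a list that returns an error code for over-querying would be read as "listed".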
Cooperative methods
• UBE: Unsolicited Bulk Email
• Based on the mass diffusion of spam
• Razor:
  • Users submit spam to a network of Razor servers.
  • Mail with many submissions is tagged as spam
  • User ratings
  • Closed protocol and closed server network
• Pyzor:
  • Similar to Razor, but the protocol and software are open source and you can become a server
DCC
• Mail with similar signatures is counted at several sites
• If a mail is seen by many DCC servers it is tagged as suspect
• Open network
• Our group now has 3 DCC servers
• Each server can provide anonymous access or high-priority access to registered users
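The counting idea behind Razor, Pyzor and DCC, reduced to code: a checksum that is deliberately insensitive to the small per-recipient variations spammers introduce, servers that count how often each checksum is reported, and a client that sums the counts it can see. This is an added example and not DCC's software or checksum: the normalisation here (drop case, whitespace, digits and punctuation) is a constructed stand-in for DCC's fuzzy checksums, the minimum length guard and the "bulk" threshold are arbitrary, and summing over several servers is a simplification of the way DCC servers share reports.

```python
import hashlib
import re
from collections import Counter

MIN_NORMALISED_LEN = 20   # constructed guard: tiny bodies would all collapse to the same checksum


def fuzzy_checksum(body):
    """Checksum over the letters only, so numbers, case, spacing and punctuation do not change it.
    Returns None for bodies too short to be meaningful (every 'hi' would otherwise look like bulk)."""
    norm = re.sub(r"[^a-z]", "", body.lower())
    if len(norm) < MIN_NORMALISED_LEN:
        return None
    return hashlib.sha256(norm.encode("ascii")).hexdigest()[:16]


class DccServer:
    """Counts how many times each checksum has been reported to this server."""

    def __init__(self, name):
        self.name = name
        self.counts = Counter()

    def report(self, body):
        cs = fuzzy_checksum(body)
        if cs is not None:
            self.counts[cs] += 1
        return cs

    def query(self, body):
        cs = fuzzy_checksum(body)
        return 0 if cs is None else self.counts[cs]


def bulk_count(body, servers):
    """Total sightings across the servers consulted (simplification of DCC's report sharing)."""
    return sum(s.query(body) for s in servers)


def is_bulk(body, servers, threshold=20):
    """Tag as suspect once the message has been seen `threshold` times; the count adds score, it does not reject."""
    return bulk_count(body, servers) >= threshold


# Constructed messages: the same template with different order numbers, case and punctuation
VARIANT_A = "Your order #48213 is READY!  Visit our shop now."
VARIANT_B = "your order #99001 is ready! visit our shop now"
HAM = "meeting moved to room 12 tomorrow, same time"

if __name__ == "__main__":
    palermo, padova = DccServer("iasf-palermo"), DccServer("infn-padova")
    for _ in range(15):
        palermo.report(VARIANT_A)
    for _ in range(10):
        padova.report(VARIANT_B)
    print("same checksum:", fuzzy_checksum(VARIANT_A) == fuzzy_checksum(VARIANT_B))
    print("bulk count:", bulk_count(VARIANT_A, [palermo, padova]), "bulk:", is_bulk(VARIANT_A, [palermo, padova]))
    print("ham count:", bulk_count(HAM, [palermo, padova]))
```

Note what the fuzzy checksum does not absorb: a personalised greeting changes the letters and therefore the checksum, which is exactly why DCC's real checksums are more elaborate than this and why the count is used as one score contribution among several rather than as a verdict.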
DCC stats
(chart)
DCC: our stats
• A typical day at the DCC server at IASF in Palermo
  • 800k checksum requests (70k from registered clients)
  • 1.2M reports from 25000 clients
  • Average response time 5 ms
Spam in September 04
• 5000 spam received in my mailbox during the CHEP week
• 12% False Negatives
Spam in September 04
• From 12% at the end of September to 1.7% False Negatives at the end of November
Monitoring trend
(chart)
Top plugin
(chart)
Sender Authentication
• Sender Policy Framework (SPF):
  • Each domain should publish in DNS a “reverse MX record” listing the SMTP servers authorized to send email for that domain
  • The receiver can use this information to reject mail or to increase the SA score
  • This means that roaming users should always use their own SMTP server (after authentication)
SPF tests
• Salerno University
• One month
• 650 · 10³ mails
• 32% from SPF-compliant domains
  • 12% external
  • 20% internal (useful to cut all the spam with a faked internal sender, mostly viruses or phishing)
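An SPF check as the receiver on the two slides above would run it, including the "faked internal sender" case the Salerno test found so useful. This is an added example, not the slides' setup or any SPF library: the DNS data is a constructed in-memory table with placeholder domains (`univ.example`, `_spf.mailhost.example`), only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented (real SPF also has `a`, `mx`, `exists`, `redirect` and macros), and the score adjustments in `SPF_SCORE` are arbitrary. The cap of 10 DNS-querying mechanisms per check and the result names (pass, fail, softfail, neutral, none) follow the SPF specification.

```python
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10        # SPF's limit on include/redirect/a/mx/exists lookups per check

# Constructed TXT records; not real GARR, INFN or university records
DNS_TXT = {
    "univ.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.25 ip6:2001:db8:100::/48 ~all"],
    "loop-a.example": ["v=spf1 include:loop-b.example -all"],
    "loop-b.example": ["v=spf1 include:loop-a.example -all"],
}

# Constructed score contributions, in the spirit of "reject or increase the SA score"
SPF_SCORE = {"fail": 3.0, "softfail": 1.0, "neutral": 0.0, "none": 0.0, "pass": -0.5}


class SpfError(Exception):
    """A permanent error: malformed or looping policy; treat like 'none' plus a small score if you like."""


def get_spf(domain, txt=DNS_TXT):
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise SpfError(f"permerror: multiple SPF records for {domain}")
    return records[0] if records else None


def check_host(ip, domain, txt=DNS_TXT, _lookups=None):
    """Evaluate the domain's policy for the connecting IP, left to right, first match wins."""
    _lookups = [0] if _lookups is None else _lookups
    record = get_spf(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                raise SpfError("permerror: too many DNS lookups")
            if check_host(ip, arg, txt, _lookups) == "pass":   # include matches only on pass
                return RESULT_FOR_QUALIFIER[qualifier]
        else:
            raise SpfError(f"mechanism not implemented in this example: {name}")
    return "neutral"      # no mechanism matched and no 'all' present


def internal_sender_suspect(ip, mail_from_domain, our_domain, txt=DNS_TXT):
    """The Salerno case: mail claiming to come from our own domain that fails our own SPF policy."""
    return mail_from_domain.lower() == our_domain.lower() and check_host(ip, our_domain, txt) == "fail"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.25", "2001:db8:100::5", "203.0.113.9"):
        result = check_host(ip, "univ.example")
        print(f"{ip:>16} -> {result} (score {SPF_SCORE[result]:+.1f})")
    print("faked internal sender:", internal_sender_suspect("203.0.113.9", "univ.example", "univ.example"))
```

Whether a `fail` should reject at SMTP time or only add score is the open item the deck lists later; either way the check requires that legitimate roaming users relay through the authenticated server the policy names, otherwise their mail is the first thing the policy blocks.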
Best practices
• Open port 25 only to your site email server
• Open ports 587 and 468 for external authenticated users
• Force external user authentication (necessary to implement SPF)
• Antivirus configuration to avoid sender notification (since the sender is almost always spoofed)
• “greet pause” on sendmail (≥ 8.13)
Open items
• “unofficial” plugin tests
• Sender authentication
• Bogofilter and DSPAM tests
• More DCC or Pyzor servers?
• Online filter (spam rejection)?
• Close the group and buy commercial “turnkey” software?
  • Like we do with A/V
  • (e.g. Sophos PureMessage)
Questions?