Spam and Virus Handling

Fighting spam by finding and listing Exploitable Servers.

Upload: ludwig

Post on 11-Jan-2016


DESCRIPTION

CAUDIT 2005. Messaging Security. Spam and Virus Handling. Matthew Sullivan. Synopsis: What’s all the Fuss about…? Further problems and liabilities. Common Mail Configurations. Backscatter and Mailbombs. SORBS Mail Configuration. Stopping Spam by RBL. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Spam and Virus Handling

Fighting spam by finding and listing Exploitable Servers.

Page 2: Spam and Virus Handling

• What’s all the Fuss about…?
• Further problems and liabilities.
• Common Mail Configurations.
• Backscatter and Mailbombs.
• SORBS Mail Configuration.
• Stopping Spam by RBL.
• Stopping Spam by Filtering.
• Virus handling and blocking.

Page 3: Spam and Virus Handling

• Email security, what is it?
• Email security, why bother...?
• Viruses and Trojans, why stop them?
• Spam, why not just press delete?

Page 4: Spam and Virus Handling

Email Security is about stopping spam and viruses.

Email Security is about protecting the end user (the company, as well as the individual) from the Internet.

Email Security is about protecting the Internet from the end user!

Email Security is about stopping unauthorised distribution of internal documents and user access details.

Page 5: Spam and Virus Handling

Have you considered what would happen if the staff payroll got accidentally emailed to a competitor…?

Have you considered what happens when a very religious person (e.g. a devout Muslim) receives X-rated porn?

Have you considered what happens to your trade secrets when a disgruntled employee decides to leave?

Page 6: Spam and Virus Handling

The obvious answer of course is to protect your users….

However, why do we not just educate them..?

The ‘I love you’ experience… The IT Manager of a large corporate in the UK opened the “I Love You” Trojan as Administrator on the corporate Exchange server..!

Outlook/Outlook Express, why do we call it LookOut, or OutBreak?

Mozilla and its derivatives, what makes them different?

Page 7: Spam and Virus Handling

Outlook/Outlook Express, why do we call it LookOut, or OutBreak?

Page 8: Spam and Virus Handling

The Mozilla way...

Page 9: Spam and Virus Handling

Time to be fair to Microsoft Outlook 2003...

Page 10: Spam and Virus Handling

Spammers are telling us we should “Just press delete”.

So the question to ask - “Why not?”

Resources are already consumed.

Tracking information will mean more spam.

Just opening the message will pay the spammer.

How much is your time worth…?

An approximation for The University of Queensland if we weren’t using filtering:

8000 Staff

$20/hour average wage.

100-300 spams per day per staff member (average)

10 seconds to ‘Just press delete’

Simple calculation: 8000 staff × 10 seconds × 200 spams = 16,000,000 seconds lost to spam per day

Cost: (16,000,000 / 3600) × $20 = $88,888.89 per day in lost time.

Page 11: Spam and Virus Handling

• Backups (Storage and Time).
• Sexual Harassment and protection of minors.
• Key Logging: The obvious.
• Key Logging: The Risks.
• Hacking of other machines.
• Denial of Service attacks.

Page 12: Spam and Virus Handling

Cost of media (Online Storage).

Cost of media, initial and incremental backups.

Cost of hardware (drives do wear out).

16 hours to backup data at UQ.

2 days to restore the same data.

Page 13: Spam and Virus Handling

Porn spam to women has been recognised as a possible harassment suit waiting to happen, but it is not limited to women. Men do have the right to sue, though currently they are less likely to get visibility.

In the educational environment minors are not uncommon, and therefore by law they have to be protected from R-rated material.

The good news is that it only has to be seen that the institute is taking reasonable steps to prevent minors receiving inappropriate material. Similar reasonable steps can avoid judgements against the institute in sexual harassment cases.

Page 14: Spam and Virus Handling

The Risks:

• User/Pass interception.
• Personal or Corporate Banking Information.
• Credit card details.
• Unauthorised use of resources.
• Onward attacks (local and remote).
• Services down (local and remote).
• Privacy issues.

Page 15: Spam and Virus Handling

The Risks:

• Identity Theft/Fraud
• Pre-patent Information.
• Email addresses of all staff.
• Email addresses of all customers.
• Customer account details.
• Customer Banking Information.
• Corporate accounting information.

Page 16: Spam and Virus Handling

Getting infected with a Trojan or Virus can have knock-on consequences:

• Hackers can hide themselves in your network.
• Hackers can sniff passwords and protocols of more secure machines.
• Hackers can install ‘Bouncers’ (proxies).
• Not all break-ins are hackers at work.
• “Skript Kiddies” are a lot more dangerous.

Page 17: Spam and Virus Handling

“Skript Kiddies”, how do they get in?

“Skript Kiddies”, what do they want?

The effects of DDoS attacks can be widespread:

• Attacks on SORBS caused core routers in AAPT Connect to reboot, disconnecting all of Queensland.
• Outgoing traffic from a DoS client can be significant.
• Legal liability when destroying servers.

Page 18: Spam and Virus Handling

[Diagram: a common mail layout. Internet → Border Router → DMZ (two Mail Hubs) → Internal Secure Network (four Mail Stores, two LDAP servers, two Authentication Servers).]

Page 19: Spam and Virus Handling

[Diagram: the UQ mail layout. Internet → Border Routers → DMZ (two Mail Hubs) → Load Balancer → Mail Stores and MMPs → Internal Secure Network with two LDAP Master Servers, two LDAP Hub Servers and the iDARs LDAP Servers; equipment is split between the Prentice Building and the GP North Building.]

Page 20: Spam and Virus Handling

What is Backscatter?
• Virus bounces a problem?
• Spam bounces a problem?

What is a mailbomb?
• Computer destroying explosion?
• Archive bomb?
• Something else?

What is the difference?

Why should we do something about it?

What can we do about it?

Page 21: Spam and Virus Handling

Return-Path: <[email protected]>
Received: (qmail 14862 invoked from network); 5 Jan 2005 15:05:47 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail-kr3.gulli.com) (80.21.154.250) by sub.gulli.com with SMTP; 5 Jan 2005 15:05:47 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <[email protected]>
To: <[email protected]>
Subject: Fw: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Return-Path: <[email protected]>
Received: (qmail 77169 invoked from network); 5 Jan 2005 15:06:35 -0000
Received: from unknown (HELO mail.zoomshare.com) (80.21.154.250) by taxis.dwdata.com with SMTP; 5 Jan 2005 15:06:35 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <[email protected]>
To: <[email protected]>
Subject: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Page 22: Spam and Virus Handling

Return-Path: <[email protected]>
Received: (qmail 10367 invoked from network); 5 Jan 2005 14:56:24 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail-kr3.gulli.com) (80.21.154.250) by sub.gulli.com with SMTP; 5 Jan 2005 14:56:24 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <[email protected]>
To: <[email protected]>
Subject: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Return-Path: <[email protected]>
Received: (qmail 17665 invoked from network); 5 Jan 2005 14:59:33 -0000
Received: from unknown (HELO mail.superava.it) (80.21.154.250) by mail.supereva.it with SMTP; 5 Jan 2005 14:59:33 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <[email protected]>
To: <[email protected]>
Subject: Buon Natale!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Page 23: Spam and Virus Handling

Received: from mail.od2.com ([80.21.154.250]) by mail.od2.co.uk with Microsoft SMTPSVC(6.0.3790.211); Wed, 5 Jan 2005 14:49:19 +0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: "Gea" <[email protected]>
To: <[email protected]>
Subject: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Return-Path: <[email protected]>
X-OriginalArrivalTime: 05 Jan 2005 14:49:19.0384 (UTC) FILETIME=[BC755980:01C4F335]

Return-Path: <[email protected]>
Received: (qmail 11561 invoked from network); 5 Jan 2005 14:14:02 -0000
Received: from host250-154.pool8021.interbusiness.it (HELO mail.malaguti.org) (80.21.154.250) by server11.ehostsource.com with SMTP; 5 Jan 2005 14:14:02 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
From: Gea <[email protected]>
To: <[email protected]>
Subject: Re: Merry Christmas!
Date: mer, 05 gen 2005
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_34846114.52483884"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
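The six header blocks on pages 21 to 23 share one Message-ID and one originating address (80.21.154.250, a dial-up pool host), yet every copy announces a different HELO name, each chosen to look like a mail host of the site it is being delivered to. That is one infected machine running a mass-mailer, and any bounce sent to the forged sender is backscatter. The script below is an added example (not code from the presentation) that pulls the first hop out of qmail-style and Microsoft-style Received headers, groups copies by Message-ID, and flags a source that presents several HELO identities or a HELO that contradicts its own reverse DNS. The sample headers are constructed: trimmed from the slides, with the redacted mailboxes left out and one made-up benign message added for contrast.

```python
"""Cluster a burst of messages by Message-ID and origin IP; flag forged HELOs.

Added example, not code from the presentation.  SAMPLES is constructed from
the headers on pages 21-23 (From/To omitted, as the page redacts them) plus
one invented benign message.
"""
import re
from collections import defaultdict

# qmail style: "from <rdns> (HELO <helo>) (<ip>) by <host> with SMTP; ..."
RECV_QMAIL = re.compile(
    r"from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[\d.]+)\) by (?P<by>\S+)")
# Microsoft SMTPSVC style: "from <helo> ([<ip>]) by <host> with ..."
RECV_MS = re.compile(r"from (?P<helo>\S+) \(\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)")

WORM_ID = "<x818691235.3432410271219664909@smjrixecj>"

SAMPLES = """\
Received: from host250-154.pool8021.interbusiness.it (HELO mail-kr3.gulli.com) (80.21.154.250) by sub.gulli.com with SMTP; 5 Jan 2005 15:05:47 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
Subject: Fw: Merry Christmas!

Received: from unknown (HELO mail.zoomshare.com) (80.21.154.250) by taxis.dwdata.com with SMTP; 5 Jan 2005 15:06:35 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
Subject: Merry Christmas!

Received: from unknown (HELO mail.superava.it) (80.21.154.250) by mail.supereva.it with SMTP; 5 Jan 2005 14:59:33 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
Subject: Buon Natale!

Received: from mail.od2.com ([80.21.154.250]) by mail.od2.co.uk with Microsoft SMTPSVC(6.0.3790.211); Wed, 5 Jan 2005 14:49:19 +0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
Subject: Merry Christmas!

Received: from host250-154.pool8021.interbusiness.it (HELO mail.malaguti.org) (80.21.154.250) by server11.ehostsource.com with SMTP; 5 Jan 2005 14:14:02 -0000
Message-ID: <x818691235.3432410271219664909@smjrixecj>
Subject: Re: Merry Christmas!

Received: from mx1.example.org (HELO mx1.example.org) (192.0.2.10) by sub.gulli.com with SMTP; 5 Jan 2005 16:00:00 -0000
Message-ID: <20050105160000.1@example.org>
Subject: Minutes of the January meeting
"""


def parse_message(block):
    """One header per line; repeated headers (Received) are kept in order."""
    headers = defaultdict(list)
    for line in block.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def first_hop(headers):
    """The hop that handed the message to the receiving site.  Received headers
    are prepended, so the last one is the earliest.  Returns (helo, ip, rdns, by)."""
    for received in reversed(headers.get("received", [])):
        m = RECV_QMAIL.search(received) or RECV_MS.search(received)
        if m:
            d = m.groupdict()
            return d["helo"].lower(), d["ip"], d.get("rdns"), d["by"].lower()
    return None


def domain_of(host):
    """The zone a hostname claims to sit in: everything after the first label."""
    return host.split(".", 1)[1].lower() if "." in host else host.lower()


def cluster(raw):
    """Group messages by Message-ID and summarise where each group came from."""
    clusters = {}
    for block in raw.strip().split("\n\n"):
        headers = parse_message(block)
        hop = first_hop(headers)
        if hop is None:
            continue
        helo, ip, rdns, by = hop
        c = clusters.setdefault(headers["message-id"][0],
                                {"copies": 0, "ips": set(), "helos": set(),
                                 "targets": set(), "helo_mismatch": False})
        c["copies"] += 1
        c["ips"].add(ip)
        c["helos"].add(helo)
        c["targets"].add(by)
        # A HELO in a different zone from the client's reverse DNS is a lie;
        # "unknown" rDNS is merely unverifiable and is not counted against it.
        if rdns and rdns != "unknown" and domain_of(rdns) != domain_of(helo):
            c["helo_mismatch"] = True
    for c in clusters.values():
        # One address cannot honestly be five sites' mail servers: many HELOs
        # from one source, or a HELO contradicted by rDNS, marks a mass-mailer.
        c["suspect"] = c["helo_mismatch"] or (len(c["ips"]) == 1 and len(c["helos"]) > 1)
    return clusters


if __name__ == "__main__":
    for mid, c in cluster(SAMPLES).items():
        print(mid, "copies=%d ips=%s helos=%d suspect=%s"
              % (c["copies"], sorted(c["ips"]), len(c["helos"]), c["suspect"]))
```

The rDNS check only fires when the client has a reverse name; a `unknown` client with a confident HELO is reported through the second rule instead, once more than one copy has been seen. In practice this correlation is done across a site's Received logs, not across mail that has already been bounced.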

Page 24: Spam and Virus Handling

[Diagram: the layout from page 18 again. Internet → Border Router → DMZ (two Mail Hubs) → Internal Secure Network (four Mail Stores, two Authentication Servers, four LDAP servers).]

Page 25: Spam and Virus Handling

[Diagram: message flow through Postfix 2.1.5, shown twice. Plain Postfix: Incoming SMTP Connection → SMTP Connection Handler (MAIL FROM: / RCPT TO:, with Relay Authorisation & Access Control) → Mail Handler (DATA command) → Queue Handler (the server accepts responsibility for delivery here) → Routing Agent with LDAP Client (Routing) → Delivery Agent / Outgoing SMTP Connection, plus a Content Filter and an LDAP Client (Addresses). SORBS configuration: the same flow with a SORBS "link layer" (ClamAV Virus Scanner and SORBS Proprietary Content Analyser) inserted at the DATA stage, between the Mail Handler and the Queue Handler, so that scanning happens before the server accepts responsibility for delivery.]

Page 26: Spam and Virus Handling

How effective are they?

Which ones to use?
• Spamhaus
• MAPS
• SORBS
• DSBL
• NJABL

How do you want to use them?
• Block or Weight?

Page 27: Spam and Virus Handling


Page 28: Spam and Virus Handling

List      Name                                    Hits    %
AHBL      The Abusive Hosts Blocking List         1009  10%
BOGONS    completewhois.com: Bogon IP's            144   1%
BOPM      Blitzed Open Proxy Monitor               510   6%
CBL       Composite Blocking List                 3010  24%
DRBL      Distributed Realtime Blocking List      1653  11%
DSBL      Distributed Server Boycott List         2962  25%
FIVETEN   Local Blackholes at Five-Ten            5903  47%
JIPPGMA   JIPPG's Relay Blackhole List             142   1%
NJABL     Not Just Another Bogus List             1769  16%
NOMORE    dr. Jørgen Mash's DNSbl                  338   3%
ORDB      Open Relay DataBase                      167   0%
PSBL      Passive Spam Block List                 1161   9%
SBL       Spamhaus Block List                      698   6%
SORBS     Spam and Open Relay Blocking System     4643  42%
SPAMBAG   Spambags                                1167  11%
SPAMCOP   SpamCop                                 1868  17%
SPAMRBL                                              9   0%
SPAMSITE  Spamware Peddler and Spamservices          5   0%
SPEWS     Spam Prevention Early Warning System    1552  12%
UCEPROT                                            880   8%
WPBL      Weighted Private Block List              778   7%

Which shows statistics mean nothing!

Page 29: Spam and Virus Handling

How not to use RBLs….

RFC 821 & RFC 2821 should be considered….

RFC 2821, 6.1 Reliable Delivery and Replies by Email:

When the receiver-SMTP accepts a piece of mail (by sending a "250 OK" message in response to DATA), it is accepting responsibility for delivering or relaying the message. It must take this responsibility seriously. It MUST NOT lose the message for frivolous reasons, such as because the host later crashes or because of a predictable resource shortage.

If there is a delivery failure after acceptance of a message, the receiver-SMTP MUST formulate and mail a notification message. This notification MUST be sent using a null ("<>") reverse path in the envelope. The recipient of this notification MUST be the address from the envelope return path (or the Return-Path: line). However, if this address is null ("<>"), the receiver-SMTP MUST NOT send a notification.

Remember the Backscatter issue….?

Page 30: Spam and Virus Handling

SpamAssassin for filtering?

Greylisting?

SORBS spam filter?

Bayesian filters?

RegEx’s?

Sieve?

How not to filter messages….!

Remember RFC 2821...?

Remember the Backscatter issue….?

Page 31: Spam and Virus Handling

Open Source, or not?

Reject, delete, or disinfect messages?

• Do you notify the sender…?
• Do you notify the receiver...?

Remember the RFCs…?

Remember the Backscatter issue…?
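The thread running through pages 26 and 29 to 31 is timing: RFC 2821 section 6.1 obliges a server that has answered 250 to either deliver or bounce, and bouncing spam or virus mail means bouncing to a forged sender. So the RBL or filter verdict has to be produced while the SMTP session is still open, as a 5xx reply at RCPT TO or DATA, not after queueing. Postfix does this with `reject_rbl_client` in `smtpd_recipient_restrictions`. The code below is an added example, not SORBS or Postfix code: it builds the reversed-octet DNSBL query name, supports both "block" (any hit on a hard list) and "weight" (scored threshold) use of several lists, returns the SMTP reply to give at RCPT TO, and shows the only defensible choices left once a message has already been accepted. The zone names are the ones those lists published at the time; the DNS answers, weights and threshold are constructed assumptions so that it runs offline.

```python
"""DNSBL policy at SMTP time: reject at RCPT TO, before the 250 that makes the
message ours, so no bounce (and no backscatter) is ever generated.

Added example, not code from the presentation, SORBS or Postfix.  FAKE_DNS,
WEIGHTS, HARD and THRESHOLD are constructed assumptions, not real listings
or recommended settings.
"""
import ipaddress

# Constructed stand-in for DNS: a listed address answers with an A record in
# 127.0.0.0/8, an unlisted one gets NXDOMAIN (absent from the dict).
FAKE_DNS = {
    "250.154.21.80.dnsbl.sorbs.net": "127.0.0.6",
    "250.154.21.80.sbl.spamhaus.org": "127.0.0.2",
    "10.2.0.192.list.dsbl.org": "127.0.0.2",
}

# "Weight" use adds a score per listing; "block" use rejects on any hit from
# the HARD set.  The weights and threshold are this example's assumptions.
WEIGHTS = {"sbl.spamhaus.org": 4, "dnsbl.sorbs.net": 3,
           "list.dsbl.org": 2, "dnsbl.njabl.org": 2}
HARD = {"sbl.spamhaus.org", "dnsbl.sorbs.net", "list.dsbl.org"}
THRESHOLD = 5
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_hits(ip, zones, resolve=FAKE_DNS.get):
    """Return {zone: answer} for every zone that lists ip.  Only a 127/8
    answer counts: a wildcarded or hijacked zone returning anything else
    must not start rejecting all mail."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in LOOPBACK:
            hits[zone] = answer
    return hits


def rcpt_to_reply(client_ip, mode="weight"):
    """The reply to give at RCPT TO.  A 550 here is the sending MTA's problem;
    if the sender address was forged, nobody innocent receives a bounce."""
    hits = dnsbl_hits(client_ip, WEIGHTS)
    if mode == "block":
        listed = sorted(hits.keys() & HARD)
    else:
        score = sum(WEIGHTS[zone] for zone in hits)
        listed = sorted(hits) if score >= THRESHOLD else []
    if listed:
        return "550 5.7.1 Client host [%s] blocked using %s" % (client_ip, ", ".join(listed))
    return "250 2.1.5 Ok"


def after_acceptance(classification, return_path):
    """Options once the server has already said 250 (RFC 2821 section 6.1: it
    now owns the message).  Policy is this example's assumption: a bounce to
    a forged or null sender is backscatter, so spam and virus mail that got
    through is delivered tagged or discarded, never bounced."""
    if classification == "clean":
        return "deliver"
    if return_path == "<>":
        return "discard"          # MUST NOT notify a null reverse path
    if classification == "virus":
        return "discard"          # mass-mailers forge From; the "sender" is a victim
    return "deliver-tagged"       # spam: let the user's own filter decide


if __name__ == "__main__":
    for ip in ("80.21.154.250", "192.0.2.10", "198.51.100.7"):
        print(ip, "weight:", rcpt_to_reply(ip), "| block:", rcpt_to_reply(ip, "block"))
```

Swap `resolve` for a real resolver call to use it against live zones; the 127/8 sanity check is what keeps a list that has been shut down and wildcarded from silently rejecting every connection.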

Page 32: Spam and Virus Handling


Page 33: Spam and Virus Handling
