August 8, 2006 for NYExUG
Presented by Ben Serebin www.reefsolutions.com
Welcome to the 1.5 year anniversary meeting.
Tue, August 8, 2006. Every 2nd Tuesday of the Month. Same Time and Place.
Upcoming Meetings
September - Designing Large Scale Distributed Deployments by Michael Murphy, TechNet Presenter for Microsoft
October - Are your email DBs growing and do you have SAN based storage needs? Come and get an Intro to iSCSI, Fibre Channel, HBA cards, etc.
Agenda
- Enjoy pizza & soda
- Introduction to group, direction of group & topics.
- Main Presentation (Inside Scope on Resource Booking) by Steve Lujan of WHEDCO.org
- 2nd Presentation (Server-Side Anti-Spam Techniques) by Ben Serebin of REEFsolutions.com
- Raffle Items (wait until the end of the meeting)
New York Exchange User Group
Latest Server-Side Anti-Spam Technologies & Techniques
Goal of Presentation
To be able to understand the pros/cons of the major techniques and technologies utilized in anti-spam filtering.
Spam affects everyone with an email address, unless you have a
[email protected] email address.
Introduction
Working in the IT sector since 1996
Specialty is MS Exchange and Spam Filtering
How I used to list my e-mail address on my website (source shown; the HTML entities &#111; and &#108; are the letters "o" and "l", so address harvesters that do not decode entities or run JavaScript miss it):
  <script type="text/javascript"><!--
  document.write('<a href="mailto:' + 'ben@' +
  'reefsoluti&#111;ns.com' + '">' +
  'ben@reefso&#108;utions.com' + '</a>');
  // -->
  </script>
Spam – Is it really that bad?
Sadly, yes. Even at the most conservative mail server deployments, spam accounts for 50% of mail. I've seen deployments where spam amounts to as high as 90% of all email! According to a recent June 06 study, up to 86% of all email is spam.
What Server-Side Anti-Spam Options Exist?
There are three major approaches to anti-spam filtering: on the mail server, on a mail gateway, and DNS proxying.
There are a number of pros & cons to the various approaches regarding performance, accuracy, and ease of use.
Filtering on the Mail Server
This is considered the old school way and still one of the best: software (e.g. GFI MailEssentials, MailSecurity) running on the Exchange Server itself.
Pros
- highly accurate
- easy to use for users
Cons
- CPU and memory performance penalty to run it on your server
- Server backups include spam filtered to the Junk Mail or spam filter folder
Filtering on the Mail Gateway
A good approach to protect your Exchange Server and offer spam filtering via a separate server (e.g. most 3rd party mail servers, Merak, CommuniGate, etc.)
Pros
- protects your Exchange Server from DoS and other attacks and vulnerabilities
- reduces CPU and memory needs on the Exchange Server
- most configuration possibilities (ability to control in/out-bound rules)
Cons
- requires the most administrator support, since spam is frequently tagged or sent to a global spam mail address
- requires a separate server
Filtering via DNS Proxying
A newer approach to spam filtering that utilizes hosted services (e.g. Postini, FrontBridge, etc.) or enterprise class hardware (e.g. Barracuda Networks)
Pros
- protects your Exchange Server from DoS and other attacks and vulnerabilities
- reduces CPU and memory needs, and backup sizes, on the Exchange Server
- ease of use for users & administrators
Cons
- frequently the most costly solution
- trusts your company's email to a 3rd party vendor
- requires users to check daily quarantine emails
Anti-Spam Techniques
Quiz yourself on the acronyms.
SPF (Sender Policy Framework) – aka Sender ID Filtering. Used to detect emails sent by spoofed mail servers by checking DNS records the sending domain has configured. Natively supported in Exchange 2003. Gaining use, but SPF records are frequently incorrectly configured by admins.
Domain Keys – uses public/private key cryptography to add signed headers that authenticate SMTP mail. Created by Yahoo and is now open-source. Difficult, not commonly used outside of Yahoo.
Challenge Response – the recipient server generates a response email to the email sender and requires the sender to visit a website and enter a code before the email message is accepted. Not very popular, since only Yahoo and open source mail servers support this (frequently Linux/Unix based solutions).
Tarpitting & Directory Harvesting Checking – ensures spammers cannot use a dictionary attack on a recipient's server to discover valid addresses. Natively supported in Exch 2003.
????? – the receiving mail server checks in-bound email against a DNS server to determine if the sender is on a list. There are a number of different lists, some of which I recommend. I STRONGLY recommend you read and understand the philosophy and the process for adding/removing mail servers & IPs to the lists.
Whitelists – IP based for other mail servers and network devices, full from-email addresses ([email protected]), from-domains (citibank.com), and to-email addresses ([email protected])
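As an added example (my code, not from the presentation), here is how a receiving server evaluates a sender IP against a published SPF record, plus a small lint pass for the misconfigurations the slide warns about. It assumes constructed records that use only ip4/ip6/all; the function names check_spf and lint_spf are mine.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208 semantics)
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
OFFLINE_MECHS = ("ip4", "ip6", "all")  # checkable without live DNS

def parse_spf(txt_record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt_record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def check_spf(txt_record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip against one record.
    Only ip4/ip6/all are evaluated; include/a/mx would need DNS lookups."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(txt_record):
        if name == "all":                  # catch-all, always matches
            return RESULTS[qualifier]
        if name not in OFFLINE_MECHS:
            raise NotImplementedError("mechanism %s needs DNS" % name)
        if ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qualifier]
    return "neutral"                       # nothing matched and no "all"

def lint_spf(txt_records):
    """Flag the misconfigurations most often seen in published records."""
    issues = []
    if len(txt_records) != 1:
        return ["exactly one v=spf1 record is allowed (found %d)" % len(txt_records)]
    terms = parse_spf(txt_records[0])
    alls = [q for q, name, _ in terms if name == "all"]
    if not alls:
        issues.append("no 'all' mechanism: unlisted senders are neutral, not fail")
    elif alls[0] == "+":
        issues.append("'+all' authorises every host on the Internet to send as you")
    if any(name == "all" for _, name, _ in terms[:-1]):
        issues.append("mechanisms after 'all' are never evaluated")
    return issues
```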
Anti-Spam Techniques (continued...)
Quiz yourself on the acronyms.
Bayesian Analysis – highly intelligent method of filtering that dynamically learns based on your usage of email.
RBLs (real time block lists) – email message headers and/or the sending mail server are checked against a database of spammers via DNS. Recommend: dnsbl.njabl.org, relays.ordb.org, bl.spamcop.net, sbl-xml.spamhaus.org
SURBLs (spam URL) – any URLs in an email message's body are checked against a database of spammers via DNS. Recommend multi.surbl.org, bl.spamcop.net
Content Filters (header and body, e.g. Intelligent Message Filter) – filters based on headers such as the subject, and on body content. An example is an email with the subject of "p0rn", which should automatically be considered spam.
New Senders – tags the email and notifies the recipient that this is the first time a new user is emailing you. Not very useful, I would disable it.
Greylisting – the 1st time a mail server attempts to connect it gets a 4xx error, which means retry in a short time. Useful, but has the nasty side-effect of slowing down mail flow.
BATV (Bounce Address Tag Validation) – protects against bounced messages redirecting to valid accounts.
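The greylisting item above, as an added example (my code, not from the presentation): a receiving-side triplet greylister that returns the 4xx deferral on first contact and accepts the retry, which also makes the mail-flow delay the slide mentions visible as the gap between the two attempts. The class name Greylister, its timing defaults and the injectable clock are my assumptions.

```python
import time

class Greylister:
    """Triplet greylisting keyed on (client IP, envelope sender, recipient).

    The first attempt gets a 4xx temporary failure; a retry after min_delay
    seconds is accepted and the triplet stays known for ttl seconds. Bots that
    never retry are lost; real MTAs queue and retry, at the cost of latency.
    """
    def __init__(self, min_delay=300, ttl=36 * 3600, clock=time.time):
        self.min_delay = min_delay
        self.ttl = ttl
        self.clock = clock                # injectable so tests can fake time
        self.pending = {}                 # triplet -> time of first attempt
        self.known = {}                   # triplet -> expiry of acceptance

    def decide(self, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply (code, text) for one delivery attempt."""
        now = self.clock()
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        expiry = self.known.get(triplet)
        if expiry is not None and now < expiry:
            self.known[triplet] = now + self.ttl   # refresh on each delivery
            return (250, "2.0.0 OK")
        self.known.pop(triplet, None)             # expired: start over
        first = self.pending.get(triplet)
        if first is None:
            self.pending[triplet] = now
            return (451, "4.7.1 Greylisted, please retry later")
        if now - first < self.min_delay:
            # Retrying within seconds is itself a spam-engine tell; keep deferring.
            return (451, "4.7.1 Greylisted, please retry later")
        del self.pending[triplet]
        self.known[triplet] = now + self.ttl
        return (250, "2.0.0 OK")

    def prune(self):
        """Drop stale state; pending entries older than ttl were never retried."""
        now = self.clock()
        self.pending = {t: s for t, s in self.pending.items() if now - s < self.ttl}
        self.known = {t: e for t, e in self.known.items() if now < e}
```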
Conclusion
Q&A Now…
Questions or comments: email me @ ben A-T reefsolutions . com
This presentation will be online this week.