August 8, 2006 for NYExUG

Presented by Ben Serebin www.reefsolutions.com

New York Exchange User Group

Welcome to the 1.5 years anniversary meeting.

Tue, August 8, 2006. Every 2nd Tuesday of the Month. Same Time and Place

Upcoming Meetings

September - Designing Large Scale Distributed Deployments by Michael Murphy, TechNet Presenter for Microsoft

October – Are your email DBs growing and in need of SAN-based storage? Come and get an intro to iSCSI, Fibre Channel, HBA cards, etc.

Agenda

- Enjoy pizza & soda
- Introduction to group, direction of group & topics.
- Main Presentation (Inside Scope on Resource Booking by Steve Lujan of WHEDCO.org)
- 2nd Presentation (Server-Side Anti-Spam Techniques by Ben Serebin of REEFsolutions.com)
- Raffle Items (wait until the end of the meeting)

Latest Server-Side Anti-Spam Technologies & Techniques

Goal of Presentation

To be able to understand the pros/cons of the major techniques and technologies utilized in anti-spam filtering.

Spam affects everyone with an email address, unless you have a [email protected] email address.

Introduction

Working in the IT sector since 1996

Specialty is MS Exchange and Spam Filtering

How I used to list my e-mail address on my website (source shown):

<script type="text/javascript"><!--
document.write('<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;' +
  '&#98;&#101;&#110;@' +
  '&#114;&#101;&#101;&#102;&#115;&#111;&#108;&#117;&#116;&#105;&#111;&#110;&#115;&#46;&#99;&#111;&#109;' +
  '">' +
  '&#98;&#101;&#110;&#64;&#114;&#101;&#101;&#102;&#115;&#111;&#108;&#117;&#116;&#105;&#111;&#110;&#115;&#46;&#99;&#111;&#109;' +
  '</a>');
// -->
</script>

Spam – Is it really that bad?

Sadly, yes. Spam accounts for 50% of email at even the most conservative mail server deployments. I’ve seen deployments have spam amounting to as high as 90% of all email!

According to a recent June 06 study, up to 86% of all email is spam.

What Server-Side Anti-Spam Options Exist?

There are three major approaches to anti-spam filtering: on the mail server, mail gateway and DNS proxying.

There are a number of pros & cons to the various approaches regarding performance, accuracy, and ease of use.

Filtering on the Mail Server

This is considered the old school way and still one of the best. Using software (e.g. GFI MailEssentials, MailSecurity) on the Exchange Server.

Pros

- highly accurate
- easy to use for users

Cons

- CPU and memory performance penalty to run it on your server
- Server backups include spam filtered to Junk Mail or spam filter folder

Filtering on the Mail Gateway

A good approach to protect your Exchange Server and offer spam filtering via a separate server (e.g. most 3rd party mail servers, Merak, CommuniGate)

Pros

- protects your Exchange Server from DoS and other attacks and vulnerabilities
- reduces CPU and memory needs on Exchange Server
- most configuration possibilities (ability to control in/out-bound rules)

Cons

- most administrator support since spam frequently is tagged or sent to a global spam mail address
- requires separate server

Filtering via DNS Proxying

A newer approach to spam filtering that utilizes hosted services (e.g. Postini, FrontBridge, etc.) or enterprise class hardware (e.g. Barracuda Networks)

Pros

- protects your Exchange Server from DoS and other attacks and vulnerabilities
- reduces CPU, memory needs, and backup sizes on Exchange Server
- ease of use for users & administrators

Cons

- frequently the most costly solution
- trust your company’s email to a 3rd party vendor
- requires users to check daily quarantine emails

Anti-Spam Techniques

Quiz yourself on the acronyms.

SPF (Sender Policy Framework) – aka Sender ID Filtering. Used to filter emails sent by spoofed mail servers by using configured DNS records. Natively supported in Exchange 2003. Gaining use, and SPF records are frequently incorrectly configured by admins.

Domain Keys – uses public/private key encryption to add headers to authenticate SMTP. Created by Yahoo and is now open-source. Difficult, not commonly used outside of Yahoo.

Challenge Response – recipient server generates a response email to email sender and requires sender to visit a website to enter a code to allow email message to be accepted. Not very popular since only Yahoo and open source mail servers support this (frequently Linux/Unix based solutions).

Tarpitting & Directory Harvesting Checking – ensures spammers cannot use dictionary attack on a recipient’s server. Natively supported in Exch 2003.

????? – receiving mail server checks in-bound email against DNS server to determine if they are on a list. There are a # of different lists. Some that I recommend. I STRONGLY recommend you read and understand the philosophy and the process for adding/removing mail servers & IP to the lists.

Whitelists – IP based for other mail servers, network devices, fully from email addresses ([email protected]), from domains (citibank.com), and to email address ([email protected])
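
The SPF entry above notes that records are frequently misconfigured. As an added example (not part of the presentation), this Python linter checks a domain's TXT records for common mistakes under the RFC 4408 evaluation rules; the name `lint_spf` and the sample records are constructed for illustration.

```python
import re

# Terms that cost a DNS lookup during evaluation; RFC 4408 section 10.1 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT records (a list of strings)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no TXT record with version 'v=spf1'"]
    problems = []
    if len(spf) > 1:
        problems.append("more than one v=spf1 record (evaluates to PermError)")
    terms = spf[0].split()[1:]
    lookups, all_at, has_redirect = 0, None, False
    for pos, term in enumerate(terms):
        body = term.lower()
        # Modifiers look like name=value; unknown modifiers are ignored by receivers.
        is_modifier = re.match(r"[a-z][a-z0-9_.-]*=", body) is not None
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if not is_modifier and body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        name = re.split(r"[:=/]", body, maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if is_modifier:
            has_redirect = has_redirect or name == "redirect"
        elif name not in MECHANISMS:
            problems.append(f"unknown mechanism '{term}' (evaluates to PermError)")
        elif all_at is not None:
            problems.append(f"'{term}' follows 'all' and is never evaluated")
        elif name == "all":
            all_at = pos
            if qualifier == "+":
                problems.append(f"'{term}' authorises every host to send for the domain")
        elif name in ("ip4", "ip6") and ":" not in body:
            problems.append(f"'{term}' carries no address")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10 (PermError)")
    if all_at is None and not has_redirect:
        problems.append("no 'all' or 'redirect': unmatched senders get Neutral")
    return problems

# Constructed sample records (documentation domains and address ranges).
GOOD = ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net -all"]
BAD = ["v=spf1 192.0.2.10 mx +all a:mail.example.com"]

if __name__ == "__main__":
    print(lint_spf(GOOD), lint_spf(BAD), sep="\n")
```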

Anti-Spam Techniques (continued...)

Quiz yourself on the acronyms.

Bayesian Analysis – highly intelligent method of filtering that dynamically learns based on your usage of email.

RBLs (real time block lists) – email message headers and/or sending mail server are checked against a database of spammers via DNS. Recommend: dnsbl.njabl.org, relays.ordb.org, bl.spamcop.net, sbl-xml.spamhaus.org

SURBLs (spam URL) – any URL in an email message's body is checked against a database of spammers via DNS. Recommend multi.surbl.org, bl.spamcop.net

Content Filters (header and body, e.g. Intelligent Message Filter) – filters based on headers such as subject and body content. An example is an email with the subject of “p0rn” should automatically be considered spam.

New Senders – tags the email and notifies a recipient that this is the first time a new user is emailing you. Not very useful, I would disable it.

Greylisting – 1st time a mail server attempts to connect results in a 4xx error, means retry in a short time. Useful, but has nasty side-effect of slowing down mail flow.

BATV (Bounce Address Tag Validation) – protects against bounced messages redirecting to valid accounts.
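
The DNS list lookups described in the "?????" item earlier and in the RBLs entry above work by reversing the sender's IPv4 octets and querying them as an A record under the list's zone. This added example (not part of the presentation) builds the query name and, before trusting a list, checks the RFC 5782 test entries, since a list that has been shut down may answer for every address; `bl.example`, `dead.example` and the `fake_resolve` stub are constructed stand-ins for real DNS.

```python
import ipaddress

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """IPv4 address a.b.c.d is queried as an A record for d.c.b.a.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def zone_is_usable(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A retired list that answers every query fails the second condition."""
    must_hit = resolve(dnsbl_query_name("127.0.0.2", zone))
    must_miss = resolve(dnsbl_query_name("127.0.0.1", zone))
    return bool(must_hit) and not must_miss

def check_sender(ip, zones, resolve):
    """Return {zone: 'listed' | 'clean' | 'zone-unusable'} for a connecting IP."""
    verdicts = {}
    for zone in zones:
        if not zone_is_usable(zone, resolve):
            verdicts[zone] = "zone-unusable"  # never reject mail on this answer
            continue
        answers = resolve(dnsbl_query_name(ip, zone))
        # A listing is an A record inside 127.0.0.0/8; any other address
        # (for example a parked domain's web server) is not a listing.
        hit = any(ipaddress.ip_address(a) in LISTED_NET for a in answers)
        verdicts[zone] = "listed" if hit else "clean"
    return verdicts

# Constructed stand-in for DNS so the example runs offline.
FAKE_A = {
    "2.0.0.127.bl.example": ["127.0.0.2"],   # mandatory test entry
    "10.2.0.192.bl.example": ["127.0.0.2"],  # constructed listing for 192.0.2.10
}
ANSWERS_EVERYTHING = {"dead.example": ["127.0.0.2"]}

def fake_resolve(name):
    """Return the A records for name; an empty list models NXDOMAIN."""
    for zone, answer in ANSWERS_EVERYTHING.items():
        if name.endswith("." + zone):
            return answer
    return FAKE_A.get(name, [])

if __name__ == "__main__":
    print(check_sender("192.0.2.10", ["bl.example", "dead.example"], fake_resolve))
```

In a real deployment `resolve` would be an A-record lookup that returns an empty list on NXDOMAIN.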

Conclusion

Q&A Now…

Questions or comments: email me @ ben A-T reefsolutions . com

This presentation will be online this week.