E-MAIL GATEWAY WITH PER-USER SPAM BLOCKING AND VIRUS SCANNING Greg Woods National Center for Atmospheric Research Scientific Computing Division Boulder, CO [email protected] Postfix Guru: Rich Johnson [email protected]
Page 1: E-MAIL GATEWAY WITH PER-USER SPAM BLOCKING AND VIRUS SCANNING Greg Woods National Center for Atmospheric Research Scientific Computing Division Boulder,

E-MAIL GATEWAY WITH PER-USER SPAM BLOCKING AND VIRUS SCANNING

Greg Woods
National Center for Atmospheric Research
Scientific Computing Division
Boulder, CO
[email protected]

Postfix Guru: Rich Johnson
[email protected]

Page 2

OVERVIEW

● Goals
● Choice of hardware and software
● Cluster design
● Mail system design
● User interface
● Effectiveness
● Technical details

Page 3

GOALS

● Low cost
● Scalability
● Reliability
● Flexibility
  – Virus Scanning
  – Centralized Alias Database
  – PER-USER spam blocking

Page 4

SYSTEM CHOICE

● PC cluster
● Linux Virtual Server (LVS)
● Heartbeat
● Postfix
● DNS-based blocklists
● SpamAssassin
● F-PROT
● LDAP

Page 5

LINUX VIRTUAL SERVER (diagram): a Director and a Backup Director, linked by Heartbeat, in front of the cluster nodes Node1, Node2, Node3 and Node4.

Page 6

MAIL PATH (diagram): In -> Postfix port 25 receiver (smtpd) -> recipient/blocklist check -> smapq -> scanner input queue -> attscand (on a cluster node) -> scanner output queue (or quarantine) -> reinjectd -> Postfix localhost receiver -> alias expansion (LDAP server) -> Out.

Page 7

DNS BLOCKLISTS

● Occurs while SMTP connection still open, after RCPT is given
● User spam block class looked up in LDAP
● Determines which DNS blocklists to use
● Originating IP address checked against blocklists
● Match results in a 550 refused message error
● If message refused, never receive message content!
● Passed messages placed in scanner input queue

Page 8

BLOCKLISTS (2)

● Level 0: no blocking, all IPs OK
● Level 1: Block only misconfigured hosts (open relays and proxies)
● Default: Almost level 2, applied to any address not specifically listed in LDAP database
● Level 2: Block misconfigured hosts plus known spam sources
● Level 3, or “internal only”: block entire Internet outside of our IP space
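The per-recipient decision described on the last two slides, written out as an added example (not code from the talk or from the NCAR gateway). It assumes a small in-memory table in place of the ou=spamblock LDAP branch, placeholder DNSBL zone names beside the blackholes.easynet.nl zone the slides name, a constructed set of "listed" DNS answers instead of real lookups, and 192.0.2.0/24 as the stand-in for "our IP space"; the "almost level 2" default is simplified to level 2. It shows how the lookup name for a DNS blocklist is built (reversed octets under the zone), which lists each level consults, and why a refusal at RCPT time means the body is never transferred.

```python
import ipaddress

# Constructed stand-in for the ou=spamblock LDAP branch: recipient -> spam block class.
SPAMBLOCK_DIRECTORY = {"alice": 0, "bob": 1, "carol": 2, "dave": 3}
# The slides apply "almost level 2" to users absent from LDAP; simplified to level 2 here.
DEFAULT_LEVEL = 2

# DNSBL zones per category. blackholes.easynet.nl is named on the slides; the other two
# names are placeholders for this example. Nothing here is queried over the network.
MISCONFIGURED_HOST_ZONES = ["relays.dnsbl.example", "proxies.dnsbl.example"]
KNOWN_SPAM_SOURCE_ZONES = ["blackholes.easynet.nl"]
# Constructed stand-in for "our IP space" (level 3 accepts only these networks).
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def zones_for_level(level):
    """Which blocklists a given spam block class consults."""
    if level == 0:
        return []
    if level == 1:
        return list(MISCONFIGURED_HOST_ZONES)
    return MISCONFIGURED_HOST_ZONES + KNOWN_SPAM_SOURCE_ZONES   # levels 2 and 3


def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the client's octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed stand-in for DNS: query names that would answer with an A record.
LISTED_NAMES = {
    "10.100.51.198.blackholes.easynet.nl",   # 198.51.100.10: known spam source
    "20.100.51.198.relays.dnsbl.example",    # 198.51.100.20: open relay
}


def check_client(client_ip, recipient, is_listed=LISTED_NAMES.__contains__):
    """Decision taken while the SMTP session is open, once RCPT TO <recipient> is given.

    Returns (accepted, smtp_reply). A refusal happens before DATA, so the message
    body is never received by the gateway."""
    level = SPAMBLOCK_DIRECTORY.get(recipient, DEFAULT_LEVEL)
    if level == 3:
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in INTERNAL_NETWORKS):
            return False, "550 5.7.1 recipient accepts internal mail only"
    for zone in zones_for_level(level):
        if is_listed(dnsbl_query_name(client_ip, zone)):
            return False, "550 5.7.1 %s listed by %s" % (client_ip, zone)
    return True, "250 2.1.5 Ok"


if __name__ == "__main__":
    for ip, user in [("198.51.100.10", "alice"), ("198.51.100.10", "carol"), ("203.0.113.5", "dave")]:
        print(ip, user, check_client(ip, user))
```

The `is_listed` callable is the seam where a real resolver would go; keeping it injectable is what makes the policy logic testable without DNS.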

Page 9

SMAPQ

● Called by Postfix smtpd once message passes blocklist check

● Writes queue file which contains original message plus SMTP envelope information

● Uses “x” bit lock protocol

Page 10

QUEUE FILE LOCKING

● Uses “x” permission bit
● Explicitly set when done writing queue file
● Daemons ignore files in queue without “x” set
● Daemons remove “x” bit first thing, before processing file
● Used by smapq, attscand, and reinjectd

Page 11

ATTACHMENT SCANNER

● Use F-PROT to scan for known viruses/worms
  – Can even examine files within ZIP archive
● Use grep to scan for executable MIME attachment types
  – This addition kept out Sobig.F
● Add SpamAssassin headers
  – No quarantining based on SpamAssassin; headers are there if end user wants to use them; again avoid content filtering

Page 12

REINJECT DAEMON

● Takes messages from scanner output queue
● Sends back to localhost listener, which is programmed for normal delivery
● Localhost listener does alias expansion via LDAP, then sends message on to next hop

Page 13

USER INTERFACE

● 15-year-old ASCII screen-based interface
● Sends e-mail to database maintainers
● Flat files sent out twice daily; scripts update LDAP database from these
● Forwarding address updated immediately, anything else takes ½ a working day
● Development of direct web-to-LDAP interface in progress

Page 14

EFFECTIVENESS

● Very few false positives
  – One major incident: Osirusoft DoS
● Filter effectiveness generally good, but varied
  – Some users report little reduction in spam
  – Others report total or near elimination of spam
  – Personal godsend: from hundreds of spams daily down to less than half a dozen

Page 15

TECHNICAL DETAILS

● How LVS director works
● Heartbeat
● Postfix main receiver and localhost receiver
● Postfix blocklists
● Postfix LDAP lookups
● Virus scanning script
● Reinjector daemon
● System monitoring

Page 16

LINUX VIRTUAL SERVER: Tricks with ARP

(diagram): Router -> Director (holds the VS address) -> Node1 (RS1, also configured with VS) and Node2 (RS2, also configured with VS). VS = Virtual Server, RS = Real Server.

http://www.linuxvirtualserver.org

Page 17

HEARTBEAT

● Uses dedicated ethernet crossover AND serial links

● If primary server stops responding to heartbeat, secondary takes over

● Config files tell which IP addresses and which services to take over

● For LVS director, secondary takes over VS and the director function

http://www.linux-ha.org

Page 18

POSTFIX BLOCKLISTS

● smtpd_restriction_classes = class_prospam_blocks, class_easynet, .... (declare classes)
● class_prospam_blocks = class_easynet, ...
● lookup_easynet = blackholes.easynet.nl 554 \
    $client_address dnsbl listed by easynet Blackholes. See <http://blackholes.easynet.nl/errors.html>. See <http://www.ucar.edu/nospam>

Page 19

POSTFIX RECEIVERS

● SMTP Port 25
  – smtp inet n - n - - smtpd -o content_filter=smapq
  – smapq unix - n n - 5 pipe
      flags=q user=smap argv=/local/sbin/smapq ${sender} ${recipient}
● Localhost only, port 1075
  – localhost:1075 inet n - n - - smtpd -o content_filter=

Page 20

POSTFIX LDAP SEARCHES

smtpd_client_restrictions = permit_mynetworks, ...., check_recipient_access ldap:spam

spam_search_base = ou=spamblock,dc=ucar,dc=edu
spam_server_host = 127.0.0.1
spam_server_port = 389
spam_query_filter = (sn=%s)
spam_result_attribute = spam

alias_maps = ldap:alias
alias_search_base = ou=aliases,dc=ucar,dc=edu
alias_server_host = 127.0.0.1
alias_server_port = 389
alias_query_filter = (sn=%s)
alias_result_attribute = fwd

Page 21

VIRUS SCANNER

● F-PROT run, exit status checked
● grep -f pattern-file message-file
● If virus or executable attachment found, write to quarantine directory and exit
  – No longer send warnings, sender is always forged
● Add SpamAssassin headers
● Write to output queue (using “x” bit locking)

Pattern file contents:
  filename[ ]*=.*\.exe"*$
  ^[ ]*name[ ]*=.*\.exe[ "]*$
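The executable-attachment check from the ATTACHMENT SCANNER and VIRUS SCANNER slides, as an added example (not the site's scanning script). It applies the two grep patterns shown on the slide line by line, the way `grep -f pattern-file message-file` does, and wraps them in the quarantine-or-deliver decision. The F-PROT step is represented by an injectable `virus_scanner` callable returning an exit status, because the real scanner is not available here (an assumption); the sample messages are constructed. One deliberate addition beyond the slide: matching is case-insensitive, so a `.EXE` name is caught as well.

```python
import re

# The two patterns shown on the slide, used verbatim (grep BRE and Python re agree here).
EXECUTABLE_PATTERNS = [
    r'filename[ ]*=.*\.exe"*$',
    r'^[ ]*name[ ]*=.*\.exe[ "]*$',
]


def find_executable_attachments(raw_message, patterns=EXECUTABLE_PATTERNS):
    """Return the header lines that name an executable attachment.

    Works line by line like grep; re.IGNORECASE is an addition (grep -i) so that
    .EXE is treated the same as .exe."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [line for line in raw_message.splitlines()
            if any(c.search(line) for c in compiled)]


def scan_message(raw_message, virus_scanner=lambda raw: 0):
    """Decide ("quarantine", reason) or ("deliver", None).

    virus_scanner stands in for F-PROT: it takes the raw message and returns an exit
    status, 0 meaning clean (assumption for this example)."""
    if virus_scanner(raw_message) != 0:
        return "quarantine", "virus scanner reported infection"
    hits = find_executable_attachments(raw_message)
    if hits:
        return "quarantine", "executable attachment: " + hits[0].strip()
    return "deliver", None


# Constructed sample messages.
MESSAGE_WITH_EXE = """From: someone@example.com
To: user@example.net
Subject: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream;
  name="document.exe"
Content-Disposition: attachment; filename="document.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

CLEAN_MESSAGE = """From: someone@example.com
To: user@example.net
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    print(scan_message(MESSAGE_WITH_EXE))
    print(scan_message(CLEAN_MESSAGE))
```

Note what the patterns do and do not cover: `document.exe.txt` is not matched, because both expressions require `.exe` to be followed only by quotes and end of line, and a name split across a continuation line that begins with a tab rather than spaces would also slip past `^[ ]*name`.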

Page 22

REINJECTD

● Reads from virus scanner output queue (using “x” bit locking)

● Preserves original envelope FROM/RCPT
● Connects to localhost:1075 and initiates SMTP transaction
● Always passes permit_mynetworks
● Normal delivery now occurs
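The “x” bit queue-file locking from the QUEUE FILE LOCKING slide together with the envelope preservation described on the SMAPQ and REINJECTD slides, as one added example (not the smapq or reinjectd code from the talk). The queue-file layout is an assumption, since the slides only say the file holds the message plus the SMTP envelope: envelope lines, a blank line, then the raw message. The writer sets the x bit only after the file is complete; a consumer lists only files with the bit set, clears it before doing anything else, recovers the original MAIL FROM/RCPT TO, and can then replay them to the localhost listener.

```python
import os
import stat
import tempfile
import uuid


def write_queue_file(queue_dir, sender, recipients, message):
    """smapq side: write without the x bit, set x only once the file is complete."""
    path = os.path.join(queue_dir, uuid.uuid4().hex)
    with open(path, "wb") as f:
        f.write(("MAIL FROM:<%s>\n" % sender).encode())
        for rcpt in recipients:
            f.write(("RCPT TO:<%s>\n" % rcpt).encode())
        f.write(b"\n")
        f.write(message)
        f.flush()
        os.fsync(f.fileno())
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)   # "done writing" marker
    return path


def ready_queue_files(queue_dir):
    """Files a daemon may pick up: x bit set means complete and unclaimed."""
    ready = []
    for name in sorted(os.listdir(queue_dir)):
        path = os.path.join(queue_dir, name)
        if os.path.isfile(path) and os.stat(path).st_mode & stat.S_IXUSR:
            ready.append(path)
    return ready


def claim_queue_file(path):
    """Consumer side: clear the x bit first thing. Returns False if it was already clear.

    Caveat: stat-then-chmod is not atomic, so two consumers polling the same queue
    could both claim a file; the slides describe a single daemon per queue."""
    mode = os.stat(path).st_mode
    if not mode & stat.S_IXUSR:
        return False
    os.chmod(path, mode & ~stat.S_IXUSR)
    return True


def parse_queue_file(path):
    """Recover (sender, recipients, message) from a queue file."""
    with open(path, "rb") as f:
        envelope, _, message = f.read().partition(b"\n\n")
    sender, recipients = None, []
    for line in envelope.decode().split("\n"):
        if line.startswith("MAIL FROM:<") and line.endswith(">"):
            sender = line[len("MAIL FROM:<"):-1]
        elif line.startswith("RCPT TO:<") and line.endswith(">"):
            recipients.append(line[len("RCPT TO:<"):-1])
    return sender, recipients, message


def reinject_commands(sender, recipients):
    """SMTP commands reinjectd issues to localhost:1075, original envelope preserved."""
    return ["MAIL FROM:<%s>" % sender] + ["RCPT TO:<%s>" % r for r in recipients] + ["DATA"]


def process_queue(queue_dir, deliver):
    """One pass of the daemon loop: claim, parse, deliver(sender, recipients, message), unlink."""
    handled = 0
    for path in ready_queue_files(queue_dir):
        if not claim_queue_file(path):
            continue
        sender, recipients, message = parse_queue_file(path)
        deliver(sender, recipients, message)
        os.remove(path)
        handled += 1
    return handled


def demo_roundtrip():
    """Constructed run: one complete file and one half-written file (no x bit yet)."""
    with tempfile.TemporaryDirectory() as qdir:
        msg = b"Subject: test\n\nhello\n"
        rcpts_in = ["bob@example.org", "carol@example.org"]
        done = write_queue_file(qdir, "alice@example.net", rcpts_in, msg)
        with open(os.path.join(qdir, "partial"), "wb") as f:   # writer still busy
            f.write(b"MAIL FROM:<x@example.net>\n")
        only_done_ready = [os.path.basename(p) for p in ready_queue_files(qdir)] == [os.path.basename(done)]
        first_claim = claim_queue_file(done)
        second_claim = claim_queue_file(done)
        sender, rcpts, body = parse_queue_file(done)
        os.chmod(done, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)   # re-mark to exercise process_queue
        delivered = []
        handled = process_queue(qdir, lambda s, r, m: delivered.append((s, r, m)))
        return (only_done_ready, first_claim, second_claim, sender, rcpts, body,
                handled, delivered[0][1] == rcpts_in, os.path.exists(done))


if __name__ == "__main__":
    print(demo_roundtrip())
```

The half-written `partial` file never appears in `ready_queue_files`, which is the whole point of the x bit: a reader cannot pick up a message the writer has not finished. Also note that the bounce case works unchanged, since an empty sender round-trips as `MAIL FROM:<>`.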

Page 23

SYSTEM MONITORING

● Qmond script monitors queue directories
● Work in progress
● Reports when message has been in queue too long
● Needs to have a “memory” implemented of what has already been reported, to avoid an overwhelming number of reports when system is slow
  – Large numbers of reports add to problem
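A queue monitor with the “memory” the slide says qmond still needs, written as an added example rather than the qmond script itself. It assumes age is judged by file mtime and that a polling cycle is a single `check()` call; the clock is injectable so the scenario in `demo()` can advance time without waiting. A file is reported only once while it stays in the queue, files that leave the queue are forgotten so a reused name is reported afresh, and a burst larger than `report_limit` collapses into one summary line instead of adding to the load.

```python
import os
import tempfile
import time


class QueueMonitor:
    """Watches queue directories and reports files that have sat there too long.

    self.reported is the memory of what has already been flagged, so a slow system
    yields one report per stuck file rather than one per polling cycle."""

    def __init__(self, queue_dirs, max_age_seconds, report_limit=20, clock=time.time):
        self.queue_dirs = list(queue_dirs)
        self.max_age = max_age_seconds
        self.report_limit = report_limit
        self.clock = clock          # injectable for testing
        self.reported = set()

    def check(self):
        """Return paths that became stale since the last check."""
        now = self.clock()
        present = set()
        newly_stale = []
        for d in self.queue_dirs:
            for name in sorted(os.listdir(d)):
                path = os.path.join(d, name)
                try:
                    st = os.stat(path)
                except FileNotFoundError:   # consumed by a daemon between listdir and stat
                    continue
                present.add(path)
                if now - st.st_mtime > self.max_age and path not in self.reported:
                    self.reported.add(path)
                    newly_stale.append(path)
        # Forget files that left the queue so a reused name is reported afresh.
        self.reported &= present
        return newly_stale

    def format_report(self, paths):
        """One line per stuck file, or a single summary when there are too many."""
        if not paths:
            return []
        if len(paths) > self.report_limit:
            return ["%d messages stuck longer than %ds; individual reports suppressed"
                    % (len(paths), self.max_age)]
        return ["stuck > %ds: %s" % (self.max_age, p) for p in paths]


def demo():
    """Constructed scenario: two queue files, clock advanced past the threshold."""
    with tempfile.TemporaryDirectory() as qdir:
        for name in ("msg1", "msg2"):
            with open(os.path.join(qdir, name), "w") as f:
                f.write("x")
        start = time.time()
        fake_now = [start]
        mon = QueueMonitor([qdir], max_age_seconds=3600, clock=lambda: fake_now[0])
        first = len(mon.check())          # nothing stale yet
        fake_now[0] = start + 7200
        second = len(mon.check())         # both files now stale
        third = len(mon.check())          # already reported: silence
        os.remove(os.path.join(qdir, "msg1"))
        with open(os.path.join(qdir, "msg3"), "w") as f:
            f.write("x")
        os.utime(os.path.join(qdir, "msg3"), (start, start))   # make it old as well
        fourth = len(mon.check())         # only msg3 is new; msg2 stays suppressed
        return first, second, third, fourth


if __name__ == "__main__":
    print(demo())
```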
