
Date post: 28-Dec-2015
Upload: berenice-leona-garrett
www.TASK.to © Toronto Area Security Klatch 2007 A drop-in anti-spam solution A 15 minute speed talk by Paul Wouters <[email protected]>
Transcript
Page 1: Www.TASK.to © Toronto Area Security Klatch 2007 A drop-in anti-spam solution A 15 minute speed talk by Paul Wouters.

www.TASK.to © Toronto Area Security Klatch 2007

A drop-in anti-spam solution

A 15 minute speed talk by Paul Wouters <[email protected]>

Page 2:

People still click on spam

Page 3:

So spammers spam harder!

Total (personal) spam received until I had to stop counting:

141329

That is 38 hours straight at a rate of deleting 1 spam/second

Or one full-time work week

But much more time than that is spent fixing mail servers

Page 4:

And harder... and harder...

Page 5:

It's all available online!

Archive at: http://unspammable.xtdnet.nl/

Webstats archive: http://chameleon.cypherpunks.ca/spam/

Page 6:

My archive “Collateral Damage”

“United Email Freedom Front” demanded I remove the entire archive

They launched a few serious DDoS attacks...

Sounded extremely childish...

Why my archive?

Two years later I found out why...

Page 7:

I published MegaMania spam

Page 8:

“Pump and Dump” scheme

Page 9:

Don't try this at home...

Page 10:

Spammers use viruses

Page 11:

The problem

Page 12:

Drop-in filter machine

Put the filter machine in DNS: point the domain's email at the filter machine via its MX record

But spammers are smart and will also deliver straight to the real mail server without consulting the MX record, so add an incoming port 25 filter on the mail server itself:

ACCEPT incoming port 25 TCP from the spam filter to the mail server

DROP all other incoming port 25

ACCEPT outgoing port 25 TCP

Page 13:

Better placement for the filter

Only give the mail server an internal (private) IP address, so it cannot be reached from the Internet at all

Fully transparent if you give the filter machine the name and public IP of the real mail server

Page 14:

SMTP protocol 101

Page 15:

Envelope based filtering

This will block >99% of spam

Block known infected IP addresses for 24 hours

Block open relays / known spammers / hacked webservers / rogue ISPs

Block misidentifying servers (bogus HELO names)

Block RFC-violating domains

Block non-existent senders (non-FQDN addresses and unknown sender domains)

Do not accept mail for non-existent recipients (reject_unverified_recipient)

Use SPF records to refuse forgeries

Refuse everyone for 15 minutes once per 3 days (greylisting)

Page 16:

Content based spam filtering

Filter double extensions such as readme.txt.scr

Filter *.exe, *.reg, etc.

Unpack and scan zip / rar / gzip / arj archives

Drop password-protected zips (the scanners cannot see inside them)

Run multiple anti-virus scanners

The SpamAssassin rule for image spam works well

Update SpamAssassin rules via RulesDuJour

Use the distributed checksum services Pyzor, Razor and DCC
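The attachment checks on this slide are what Amavis does in production through its banned-file rules. As an added example, not code from the talk, the Python below walks a zip attachment held in memory and reports the cases listed above: a double extension like readme.txt.scr, a banned executable extension, an archive nested inside the archive, and a password-protected entry that no scanner can look inside. The extension lists, the nesting limit and the constructed sample archive are assumptions, and only zip is handled; rar, gzip and arj need external unpackers.

```python
import io
import re
import struct
import zipfile

# Extension lists are an assumption for this example; Amavis keeps its own in
# banned_filename_re. Anything in BANNED_EXT is refused outright.
BANNED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "reg", "vbs", "js", "hta", "cpl"}
# A harmless-looking extension followed by an executable one: readme.txt.scr
DOUBLE_EXT = re.compile(r"\.(txt|doc|pdf|jpg|gif|htm|html)\.([a-z0-9]{2,4})$", re.I)


def check_filename(name):
    """Return a rejection reason for one file name, or None if it looks acceptable."""
    base = name.rsplit("/", 1)[-1].lower()
    m = DOUBLE_EXT.search(base)
    if m and m.group(2) in BANNED_EXT:
        return f"double extension: {name}"
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in BANNED_EXT:
        return f"banned extension .{ext}: {name}"
    return None


def inspect_zip(data, depth=0, max_depth=2):
    """Walk a zip held in memory and return every reason to drop the mail."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["corrupt zip attachment"]
    reasons = []
    for info in zf.infolist():
        # General-purpose flag bit 0 set means the entry is encrypted: no scanner
        # can look inside, so (as the slide says) the whole mail is dropped.
        if info.flag_bits & 0x1:
            reasons.append(f"password protected entry: {info.filename}")
            continue
        reason = check_filename(info.filename)
        if reason:
            reasons.append(reason)
        if info.filename.lower().endswith(".zip"):
            # Archives inside archives are unpacked too, with a depth limit so a
            # nested zip bomb cannot keep the filter busy forever.
            if depth >= max_depth:
                reasons.append(f"archive nested too deep: {info.filename}")
            else:
                reasons.extend(inspect_zip(zf.read(info), depth + 1, max_depth))
    return reasons


def mark_encrypted(zip_bytes, member):
    """Set the 'encrypted' flag on one member of an in-memory zip.

    The standard library cannot write encrypted zips, so the constructed sample
    is patched by hand: bit 0 of the general-purpose flags sits at offset 8 of
    the central directory record (signature PK 0x01 0x02) and at offset 6 of the
    local file header, whose position is stored at offset 42 of that record."""
    buf = bytearray(zip_bytes)
    wanted = member.encode()
    pos = buf.find(b"PK\x01\x02")
    while pos >= 0:
        name_len = struct.unpack_from("<H", buf, pos + 28)[0]
        if buf[pos + 46:pos + 46 + name_len] == wanted:
            buf[pos + 8] |= 0x1
            local = struct.unpack_from("<I", buf, pos + 42)[0]
            buf[local + 6] |= 0x1
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)


def build_sample():
    """Constructed attachment (not a captured one) with the cases the slide names."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tool.exe", b"MZ\x90\x00")          # executable hidden one level down
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt.scr", b"not text")     # double extension
        z.writestr("notes.txt", b"hello")             # legitimate
        z.writestr("inner.zip", inner.getvalue())     # nested archive
        z.writestr("invoice.zip", b"PK\x03\x04")      # becomes the password-protected entry
    return mark_encrypted(outer.getvalue(), "invoice.zip")


if __name__ == "__main__":
    for reason in inspect_zip(build_sample()):
        print("DROP:", reason)
```

The check runs on the decoded attachment before any anti-virus scanner sees it, which is the point of the slide: an encrypted or deeply nested archive is refused on structure alone, without spending CPU on content it cannot inspect.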

Page 17:

What not to do

Do not use Bayesian filters: they cost too much CPU

Do not use the CPU-expensive SpamAssassin / RulesDuJour rule sets BLACKLIST, BLACKLIST_URI and TRIPWIRE

Do not enable rules meant for older SpamAssassin versions (!!)

Do not add positive scores of your own; only use negative scores

Don't run more than 1 Amavis thread per 512MB of RAM

Be very careful when using port 25 forwarding: if the forwarder rewrites the source address, remote connections arrive looking like “trusted local clients”, may match mynetworks and be allowed to relay

Remove all backup MX servers: it's not worth the trouble (spammers deliberately target the backup MX, which usually filters less and cannot verify recipients)

Publish SPF records: it will greatly reduce the bounces you receive for forged mail claiming to come from your domain!

Do not leave the real mail server's port 25 open to the net. Spammers find it without MX records and your problem will be worse than before, because now you do not filter anything on the mail host!
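Slide 15 says to use SPF records to refuse forgeries and this slide says to publish your own. As an added example (not from the talk, which used a ready-made SPF filter), here is the core of that check in Python: evaluate the sender domain's record against the connecting client's IP, handling the ip4, ip6, include and all mechanisms with all four qualifiers. The records are constructed and stand in for DNS TXT lookups, and the policy of refusing only on a hard fail is an assumption.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption for this
# example; a real filter resolves them with DNS). Addresses are documentation ranges.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "neutral.example.org": "v=spf1 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender_domain, records=RECORDS, depth=0):
    """Evaluate the sender domain's SPF record for the connecting client.

    Subset of RFC 7208: the ip4, ip6, include and all mechanisms. The a, mx,
    ptr, exists and redirect terms need live DNS and are reported as permerror."""
    if depth > 10:                     # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    record = records.get(sender_domain.lower())
    parts = record.split() if record else []
    if not parts or parts[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mechanism == "include":
            inner = check_spf(client_ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"     # including a domain without SPF is an error
            matched = inner == "pass"  # only a pass inside the include matches
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # nothing matched and no "all" term present


def smtp_reply(result, client_ip, sender):
    """Turn the SPF result into the reply the envelope filter sends, or None to
    continue. Only a hard fail is refused here; softfail and neutral are left
    for the content filter to score (a conservative choice, an assumption)."""
    if result == "fail":
        return f"550 5.7.1 <{sender}>: Sender address rejected: SPF fail for {client_ip}"
    if result == "temperror":
        return "451 4.4.3 SPF lookup failed, try again later"
    return None


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.25", "2001:db8::1", "203.0.113.9"):
        result = check_spf(ip, "example.com")
        print(ip, result, smtp_reply(result, ip, "[email protected]"))
```

Because the check only needs the client IP and the MAIL FROM domain, it belongs in the envelope stage with the rest of slide 15: a forgery is refused before DATA, so no bandwidth or content-filter CPU is spent on it.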

Page 18:

Software and online resources

Linux OS (or equivalent)

Postfix mail server

SpamAssassin / spamd

Amavis content filter

ClamAV / freshclam anti-virus

SPF filter

MRTG / Apache

pflogsumm.cgi

update-mailstat

Spamhaus SBL list

VIRBL DNSBL at BIT.nl

RulesDuJour - dynamic SpamAssassin rule updater

Pyzor - email digest filtering

Razor - collaborative filtering

DCC - Distributed Checksum Clearinghouse

SORBS DNSBL list

RFC-Ignorant RHSBL list

Page 19:

cdc.xelerance.net example

Partial Postfix configuration example (each list is evaluated top to bottom, first match wins):

smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/client_access,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client web.dnsbl.sorbs.net,
    reject_rbl_client virbl.dnsbl.bit.nl,
    reject_rbl_client psbl.surriel.com,
    check_policy_service unix:postgrey/socket

smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rhsbl_sender opm.blitzed.org

smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rhsbl_sender opm.blitzed.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    reject_rhsbl_sender rhsbl.sorbs.net

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject_unverified_recipient

content_filter = smtp-amavis:[localhost]:10024

Two corrections to the slide as originally shown: check_recipient_access is a restriction, not a main.cf parameter, so a stand-alone "check_recipient_access = hash:..." line is ignored by Postfix (newer versions log an "unused parameter" warning) and it is folded into smtpd_recipient_restrictions here; and reject_unverified_recipient is placed after reject_unauth_destination so the server only sends verification probes for domains it actually accepts mail for. Before copying the DNSBL list, check that each zone is still in operation: an abandoned list either stops answering or, if its domain ends up on a wildcard, answers for every query and rejects all mail.
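To see which of the envelope checks from slide 15 are doing the work on a server running this configuration, the following Python (an added example, not the talk's pflogsumm or update-mailstat tooling) parses Postfix smtpd reject lines, counts them per check and per client, and renders client_access map entries for clients that are rejected repeatedly, which is one way to implement the slide's "block known infected IP addresses for 24 hours" (the job that expires entries again is left out). The log lines are constructed to match the restriction list above; the category names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed Postfix smtpd log lines (not from the talk's server), shaped like what
# the restriction lists above produce; hosts and addresses use documentation ranges.
SAMPLE_LOG = """\
Mar  5 09:12:01 cdc postfix/smtpd[4123]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using sbl-xbl.spamhaus.org; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<198.51.100.7>
Mar  5 09:12:04 cdc postfix/smtpd[4123]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using sbl-xbl.spamhaus.org; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<198.51.100.7>
Mar  5 09:13:17 cdc postfix/smtpd[4130]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.20]: 450 4.2.0 <[email protected]>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.org.html; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.example.net>
Mar  5 09:14:02 cdc postfix/smtpd[4131]: NOQUEUE: reject: RCPT from unknown[192.0.2.33]: 504 5.5.2 <bob>: Sender address rejected: need fully-qualified address; from=<bob> to=<[email protected]> proto=SMTP helo=<localhost>
Mar  5 09:15:40 cdc postfix/smtpd[4131]: NOQUEUE: reject: RCPT from unknown[192.0.2.33]: 450 4.1.8 <[email protected]>: Sender address rejected: Domain not found; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<localhost>
Mar  5 09:16:11 cdc postfix/smtpd[4140]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<198.51.100.7>
Mar  5 09:17:55 cdc postfix/smtpd[4142]: 7A1B2C3D4E: client=mail.example.net[203.0.113.20]
"""

# One reject line: stage, client host/IP, SMTP code, enhanced code, reason, envelope.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\S+) from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<ecode>\d\.\d+\.\d+) "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Free-text reason -> the envelope check that fired (labels are an assumption;
# the order matters because the more specific needles come first).
LABELS = [
    ("Greylisted", "greylist"),
    ("need fully-qualified address", "sender-not-fqdn"),
    ("Sender address rejected: Domain not found", "sender-domain-unknown"),
    ("Recipient address rejected: User unknown", "recipient-unknown"),
    ("Recipient address rejected: unverified address", "recipient-unverified"),
    ("Relay access denied", "relay-denied"),
]


def classify(reason):
    """Name the check behind a reject reason; DNSBL hits carry the list name."""
    m = re.search(r"blocked using ([^\s;]+)", reason)
    if m:
        return "rbl:" + m.group(1)
    for needle, label in LABELS:
        if needle in reason:
            return label
    return "other"


def parse_reject(line):
    """Return the fields of a reject line as a dict, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["label"] = classify(rec["reason"])
    rec["permanent"] = rec["code"].startswith("5")   # 4xx is a temporary refusal
    return rec


def summarize(lines):
    """Count rejects per check and per client IP over an iterable of log lines."""
    by_label, by_ip = Counter(), Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec:
            by_label[rec["label"]] += 1
            by_ip[rec["ip"]] += 1
    return by_label, by_ip


def block_candidates(by_ip, threshold=3):
    """Clients rejected at least `threshold` times: candidates for the temporary
    block the slide describes (threshold is an assumption)."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


def render_client_access(ips):
    """postmap(1) input for check_client_access hash:/etc/postfix/client_access."""
    return "".join(f"{ip}\tREJECT temporarily blocked, repeated spam attempts\n" for ip in ips)


if __name__ == "__main__":
    labels, clients = summarize(SAMPLE_LOG.splitlines())
    for label, n in labels.most_common():
        print(f"{n:6d}  {label}")
    print(render_client_access(block_candidates(clients)), end="")
```

Feed it the real mail log (for example `summarize(open("/var/log/mail.log"))`) and the label counts show which restriction rejects most, while the client counts identify the hosts that keep coming back and belong in the client_access map until their 24 hours are up.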

Page 20:

I get 0 to 1 spams per day ;-)

Page 21:

141329 spams - 30GB/month

Page 22:

April 2004-March 2007: $4000

