www.TASK.to© Toronto Area Security Klatch 2007
A drop-in anti-spam solution
A 15 minute speed talk by Paul Wouters <[email protected]>
People still click on spam
So spammers spam harder!
Total (personal) spam received until I had to stop counting: 141329
That is 38 hours straight at a rate of deleting 1 spam/second
Or one full-time work week
But much more time than that is spent fixing mail servers
And harder... and harder...
It's all available online!
Archive at: http://unspammable.xtdnet.nl/
Webstats archive: http://chameleon.cypherpunks.ca/spam/
My archive “Collateral Damage”
“United Email Freedom Front” demanded I remove entire archive
They launched a few serious DDOS attacks...
Sounded extremely childish...
Why my archive?
Two years later I found out why...
I published MegaMania spam
“Pump and Dump” scheme
Don't try this at home...
Spammers use viruses
The problem
DROP-in filter machine
Put the filter machine in DNS
Point the domain's email to the filter machine via its MX record
But spammers are smart, so:
Add incoming port 25 filter on mail server
ACCEPT incoming port 25 TCP from spam filter to mail server
DROP other incoming port 25
ACCEPT outgoing port 25 TCP
Better placement for filter
Only give mail server an internal IP address
Fully transparent if you give filter machine the name and public IP of the real mail server
101 of the SMTP protocol
Envelope based filtering
This will block >99% of spam
Block known infected IP addresses for 24 hours
Block open relays / known spammers / hacked webservers / rogue ISPs
Block misidentifying servers
Block RFC violating domains
Block non-existing Senders
Do not accept non-existing Receivers
Use SPF records to refuse forgeries
Refuse everyone for 15 minutes once per 3 days
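The last rule on this slide ("refuse everyone for 15 minutes once per 3 days") is greylisting, which the Postfix configuration later in the deck delegates to postgrey via check_policy_service. The following is an added example, not code from the talk or from postgrey: it implements the decision as a Postfix SMTPD policy-protocol handler. A triplet of (client IP, envelope sender, envelope recipient) is temporarily rejected the first time it is seen and for 15 minutes afterwards; a retry after that is accepted and the triplet is remembered until it has been quiet for 3 days (assumption: the 3-day window is measured from the last delivery attempt). The store is an in-memory dict and the sample request is constructed.

```python
"""Greylisting as a Postfix policy service decision (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

GREYLIST_DELAY = timedelta(minutes=15)   # slide: refuse for 15 minutes
GREYLIST_EXPIRY = timedelta(days=3)      # slide: once per 3 days (assumed: since last attempt)
DEFER = "DEFER_IF_PERMIT Greylisted, please try again later"

Triplet = Tuple[str, str, str]


@dataclass
class Greylist:
    """In-memory greylist keyed on (client IP, sender, recipient)."""
    delay: timedelta = GREYLIST_DELAY
    expiry: timedelta = GREYLIST_EXPIRY
    first_seen: Dict[Triplet, datetime] = field(default_factory=dict)
    last_seen: Dict[Triplet, datetime] = field(default_factory=dict)

    def decide(self, client: str, sender: str, recipient: str, now: datetime) -> str:
        """Return the Postfix action for one delivery attempt of this triplet."""
        key = (client, sender.lower(), recipient.lower())
        last = self.last_seen.get(key)
        # A triplet that has been quiet longer than the expiry window starts over.
        if last is not None and now - last > self.expiry:
            self.first_seen.pop(key, None)
        self.last_seen[key] = now
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now      # first contact: temporary reject
            return DEFER
        if now - seen < self.delay:         # retried too early: still rejected
            return DEFER
        return "DUNNO"                      # let the remaining restrictions decide


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: name=value lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle_request(greylist: Greylist, raw: str, now: datetime) -> str:
    """Turn a raw policy request into the 'action=...' reply Postfix expects."""
    attrs = parse_policy_request(raw)
    action = greylist.decide(attrs.get("client_address", ""),
                             attrs.get("sender", ""),
                             attrs.get("recipient", ""), now)
    return f"action={action}\n\n"


# Constructed sample request, in the format Postfix sends to a policy service.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=sender@example.org\n"
    "recipient=user@example.net\n"
    "\n"
)


def simulate(minute_offsets: List[int]) -> List[str]:
    """Replay SAMPLE_REQUEST at the given minute offsets from a fixed start and
    return the action keyword handed back for each attempt."""
    greylist = Greylist()
    start = datetime(2007, 4, 1, 12, 0, 0)
    actions = []
    for minutes in minute_offsets:
        reply = handle_request(greylist, SAMPLE_REQUEST, start + timedelta(minutes=minutes))
        actions.append(reply.split("=", 1)[1].split()[0])
    return actions


if __name__ == "__main__":
    # Attempts at 0, 5 and 16 minutes, then one day later, then five days later.
    print(simulate([0, 5, 16, 1440, 7200]))
```

The first two attempts are deferred, the third (after the 15-minute delay) passes, the attempt a day later still passes, and after four quiet days the triplet is greylisted again. Real senders retry automatically, which is why the slide can afford to refuse everyone once; spam engines that never retry are dropped at zero content-scanning cost.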
Content based spam filtering
Filter readme.txt.scr
Filter *.exe, *.reg, etc.
Process zip / rar / gzip / arj
Drop password protected zips
Multiple Anti-virus scanners
Spamassassin rule for image spam works well
Update spamassassin via RulesDuJour
Use distributed resources from Pyzor, Razor and DCC
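As an added example of the attachment rules on this slide (it is not code from the talk, from Amavis or from ClamAV), the following policy walks a MIME message, rejects executable attachments by their final extension (so readme.txt.scr is caught), looks inside zip archives for banned names, and drops archives containing password-protected entries, which no virus scanner can inspect. The banned-extension list is illustrative, rar/arj/gzip handling is left out, and the sample messages and archives are constructed inline; Python's zipfile cannot write encrypted archives, so the sample sets the encryption flag bit by hand.

```python
"""Attachment policy for an SMTP content filter (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List, Optional, Tuple

BANNED_EXTENSIONS = {"exe", "scr", "reg", "com", "pif", "bat", "cmd", "vbs"}  # illustrative
ARCHIVE_EXTENSIONS = {"zip"}   # rar / arj / gzip would need extra tooling


def extension(filename: str) -> str:
    """Last extension only: that is the one the receiving OS acts on."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inspect_zip(data: bytes) -> Optional[str]:
    """Return a rejection reason for a zip payload, or None if it looks clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:      # general-purpose bit 0: entry is encrypted
                    return f"password-protected archive entry {info.filename}"
                if extension(info.filename) in BANNED_EXTENSIONS:
                    return f"banned file inside archive: {info.filename}"
    except zipfile.BadZipFile:
        return "corrupt or non-zip payload"
    return None


def check_message(raw: bytes) -> Tuple[str, str]:
    """Walk every part carrying a filename and return (verdict, reason)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if extension(name) in BANNED_EXTENSIONS:
            return ("reject", f"banned attachment {name}")
        if extension(name) in ARCHIVE_EXTENSIONS:
            reason = inspect_zip(part.get_payload(decode=True))
            if reason:
                return ("reject", reason)
    return ("accept", "")


def build_message(filename: str, payload: bytes) -> bytes:
    """Constructed sample: a text body plus one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def build_zip(entries: List[Tuple[str, bytes]], encrypted: bool = False) -> bytes:
    """Constructed sample archive; optionally marked encrypted by setting flag bit 0
    in every local file header (offset 6) and central directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos >= 0:
                data[pos + flag_offset] |= 0x1
                pos = data.find(signature, pos + 4)
    return bytes(data)


def run_samples() -> Dict[str, str]:
    """Verdicts for a set of constructed messages covering each rule."""
    samples = {
        "double_extension": build_message("readme.txt.scr", b"MZ constructed"),
        "plain_exe": build_message("setup.exe", b"MZ constructed"),
        "zip_with_exe": build_message("invoice.zip", build_zip([("invoice.exe", b"MZ")])),
        "encrypted_zip": build_message("docs.zip", build_zip([("doc.txt", b"hi")], encrypted=True)),
        "clean_zip": build_message("docs.zip", build_zip([("doc.txt", b"hi")])),
        "clean_pdf": build_message("report.pdf", b"%PDF-1.4 constructed"),
    }
    return {name: check_message(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
```

Checking only the final extension is deliberate: a double extension is a lure for the reader, but the operating system dispatches on the last one, so that is what the filter must key on. The encrypted-entry check works from the central directory alone and never extracts anything, which keeps the filter cheap under the CPU budget the next slide insists on.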
What not to do
Do not use Bayesian Filters: they cost too much CPU
Do not use CPU expensive spamassassin / RulesDuJour rules BLACKLIST, BLACKLIST_URI, TRIPWIRE
Do not enable rules meant for older spamassassin versions (!!)
Do not add positive scores, only use negative scores
Don't run more than 1 Amavis thread per 512MB RAM
Be very careful when using port 25 forwarding - remote connections might appear to be “trusted local clients”
Remove all backup MX servers - It's not worth the trouble
Publish SPF records - It will greatly reduce your own bounces!
Do not leave the real mail server's port 25 open to the net. Spammers find it without MX records and your problem will be worse than before, because now you do not filter anything on the mail host!
Software and online resources
Linux OS (or equivalent)
Postfix Mail Server
Spamassassin / spamd
Amavis content filter
Clamav / Freshclam anti-virus
SPF Filter
MRTG / Apache
pflogsumm.cgi
update-mailstat
SpamHaus SBL list
VIRBL SBL at BIT.nl
RulesDuJour - Dynamic spamassassin rule updater
Pyzor - Email Digests Filtering
Razor - Collaborative Filtering
DCC - Distributed Checksums Clearinghouse
SORBS SBL list
RFC-Ignorant SBL list
cdc.xelerance.net example
Partial Postfix configuration example:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client virbl.dnsbl.bit.nl, reject_rbl_client psbl.surriel.com, check_policy_service unix:postgrey/socket
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender opm.blitzed.org
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender opm.blitzed.org, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rhsbl_sender rhsbl.sorbs.net
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_access
content_filter = smtp-amavis:[localhost]:10024
I get 0 to 1 spams per day ;-)
141329 spams - 30GB/month
April 2004-March 2007: $4000