1. Protecting email from SPAM and Malware
By Scott McDermott
scottm@octaldream.com
http://www.octaldream.com/~scottm/talks/protectingemail/
2. What Is SPAM
• Unsolicited Commercial E-Mail (UCE)
– Not requested
– Sent to a large number of users
– Often with forged headers
– Often exploiting insecure mail servers
– You don’t care about the message
2 10/19/12
3. What Is Malware
• Malicious Software
– Includes viruses, worms, and trojans
– Designed for:
• Harm
• Theft of data
• Annoyance/Attention
• Anything undesirable
6. Solution I Use
• Amavisd-new
– Builds upon SpamAssassin for spam filtering
– Builds upon a variety of anti-virus software for AV
• ClamAV
– Open Source
– Detects phishing and other email attacks
– Even if you have another AV engine, it’s good to provide security in layers
7. SpamAssassin
• Rules
– Header Analysis
– Body Analysis
• Blacklists
• Razor
• Score-based
– High enough score means it’s SPAM
8. SpamAssassin Scores
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (10.6 hits, 5 required)
SPAM: PLING (0.1 points) Subject has an exclamation mark
SPAM: MORTGAGE_RATES (4.4 points) BODY: Information on mortgage rates
SPAM: CLICK_BELOW (1.5 points) BODY: Asks you to click below
SPAM: OPT_IN (2.1 points) BODY: Talks about opting in
SPAM: CLICK_HERE_LINK (0.8 points) BODY: Tells you to click on a URL
SPAM: CTYPE_JUST_HTML (1.7 points) HTML-only mail, with no text version
SPAM: -------------------- End of SpamAssassin results ---------------------
9. Protection For All
• Filter all mail through amavisd-new
– Use clamd
– Spamd not used
– Amavisd-new calls Mail::SpamAssassin directly
10. Amavisd-new basics
• Amavisd runs on localhost:10024
• Protocol is LMTP
– Like ESMTP, but designed specifically for local delivery (amavisd-new accepts plain SMTP on the same port as well)
• Analyzes message
• Sends processed message (maybe) to specified MTA
11. Message flow for postfix example
• Postfix receives email
• Postfix sends email to amavis on localhost:10024
• Amavis processes message
– ClamAV
– SpamAssassin
• Amavis sends email back to MTA, default is
localhost:10025
– Use of alternate port avoids recursion
– Allows custom settings to improve performance
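The message flow on this slide expressed in Postfix's own configuration, as an added example that is not part of the original talk. The two ports match the slide; the `amavisfeed` transport name, the loopback address and the per-service options are the conventional values from the amavisd-new README.postfix and are assumptions here, so compare them with the README shipped with your version before copying.

```conf
# /etc/postfix/main.cf
# Every message Postfix accepts is handed to amavisd-new on 10024 over LMTP
# before normal delivery takes place.
content_filter = amavisfeed:[127.0.0.1]:10024

# /etc/postfix/master.cf
# Outbound side: the LMTP client that feeds amavisd-new.  The maxproc value
# (2 here) should equal $max_servers in amavisd.conf, or Postfix will queue
# messages while waiting for a free amavisd child.
amavisfeed unix    -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

# Inbound side: a second smtpd on 10025 that amavisd-new re-injects into.
# content_filter is explicitly set to empty on this listener, so a message
# coming back from amavisd is not sent to amavisd again (no recursion).
# All the usual restrictions are switched off because only localhost may
# connect, which is what makes this path cheaper than the public smtpd.
127.0.0.1:10025 inet n    -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
```

After editing, `postfix check` and `postconf -n | grep content_filter` confirm the syntax and the filter setting, and `postfix reload` activates it. The one line worth re-checking on every upgrade is the empty `-o content_filter=` on the 10025 listener: if it disappears, each message loops between Postfix and amavisd until one of them gives up.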
12. Amavis Options
• Per-User Configuration
– SQL backend available
• Quarantine
• Spam Options
– Score at which spam headers are added
– Score at which message is marked as spam
– Score at which message is dropped on floor
• Auto-Whitelist
13. More Amavis Options
• Defanging
– Bad headers
– Spam
• Notifications
– Sender notifications considered harmful
– Can restrict to internal mail
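The options on the last two slides as they appear in amavisd.conf, which is itself Perl. This is an added example, not the talk's own configuration: the threshold numbers, the quarantine directory, the clamd socket path, the admin address and the SQL DSN and credentials are placeholders chosen for illustration. The variable names are the ones amavisd-new documents.

```perl
# /etc/amavisd.conf  (Perl syntax; amavisd-new evaluates this file)
# Added example with illustrative values, not a copy of any real site's config.
use strict;

$max_servers      = 2;                        # must match maxproc on the Postfix feed entry
$inet_socket_port = 10024;                    # where the MTA hands messages in
$forward_method   = 'smtp:[127.0.0.1]:10025'; # re-injection listener on the MTA
$notify_method    = $forward_method;

# ClamAV through its daemon, so the signature database stays loaded between
# messages instead of being reparsed per scan.  Socket path is an assumption.
@av_scanners = (
  ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

# Spam thresholds (slide 12): three scores, three escalating actions.
$sa_tag_level_deflt  = 2.0;   # add X-Spam-Status / X-Spam-Level headers at or above this
$sa_tag2_level_deflt = 6.2;   # add X-Spam-Flag: YES and rewrite the Subject
$sa_kill_level_deflt = 6.9;   # apply $final_spam_destiny
$sa_dsn_cutoff_level = 10;    # at or above this, do not even generate a bounce

$final_spam_destiny       = D_DISCARD;  # "dropped on the floor"; D_BOUNCE / D_PASS are the alternatives
$final_virus_destiny      = D_DISCARD;
$final_bad_header_destiny = D_PASS;

# Quarantine a copy, so a discarded message can still be recovered on request.
$QUARANTINEDIR       = '/var/virusmails';
$virus_quarantine_to = 'virus-quarantine';
$spam_quarantine_to  = 'spam-quarantine';

# Notifications (slide 13).  The envelope sender of spam and worms is forged,
# so warning "the sender" only produces backscatter to an innocent third party.
# Notices go to an internal admin address only.
$warnvirussender  = 0;
$warnspamsender   = 0;
$warnbannedsender = 0;
$warnbadhsender   = 0;
$virus_admin      = 'postmaster@example.org';   # assumed internal address

# Defanging: neutralise the offending part rather than refuse the message.
$defang_bad_header = 1;
$defang_spam       = 1;

# Per-user settings from SQL (slide 12).  DSN and credentials are placeholders.
@lookup_sql_dsn = (
  ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'amavis', 'secret'],
);

1;   # the config file must end by returning true
```

Check the file with `amavisd -c /etc/amavisd.conf debug` (or `amavisd debug`) before restarting: a syntax error in the Perl, including a missing semicolon, stops the daemon and with it all inbound mail, so a `$max_servers` or threshold tweak is best done with the old file kept alongside.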
Abstract: If you use email, you have a SPAM problem. You have also seen plenty of email-borne viruses. This presentation will discuss the use of amavisd-new coupled with SpamAssassin and ClamAV to block SPAM and malware. Who should attend: Anyone who manages mail systems and wants ideas on protecting their systems or themselves from SPAM and malware.
According to MAPS (http://mail.abuse.net/standard.html): An electronic message is "spam" IF: (1) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (2) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND (3) the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender. Most spam falls under the category of Unsolicited Commercial E-mail or UCE. These are e-mail messages of a commercial nature that you did not request, you do not want to receive, are poorly targeted, and highly unlikely to be of any benefit to you. A high percentage of this unsolicited commercial e-mail, bulk e-mail, spam, whatever you want to call it, is for adult sites or products and is probably not what you want to be receiving in your work e-mail. The rest of it is for products and services you’ll probably never use, and almost certainly have no interest in. Often the headers are forged, making it difficult to trace a message back to its source. Spammers will often exploit insecure mail servers that allow relaying, such as the default install of Microsoft Exchange 5.5 or very old sendmail installations, and use them as the injection point for their bulk e-mail. Most spam will actually claim that you can be removed from their lists, but usually this just serves to verify your e-mail address as valid and monitored by a real person. This makes their list of e-mail addresses more valuable when they turn around and sell it to other spammers. This is why spam tends to start as a trickle, over time turns into a torrent, and eventually can make an e-mail account totally useless. See your average AOL account for an example.
As defined by the helpful folks at UMBC (http://www.umbc.edu/oit/faq/question.html?question_id=247): The term “malware” is a contraction of "malicious software” and is used to describe any kind of software designed to harm a system, steal secrets, or do other undesirable things. Malware includes computer viruses, worms, and Trojans/Trojan horses. There are several main categories of malware attacks. Active content attacks, which utilize scripting features in HTML, usually attacking Microsoft e-mail products or those that integrate Internet Explorer. Buffer overflow attacks, which exploit bugs in various e-mail readers (or embedded HTML renderers), causing them to execute code of the attacker’s choice. Trojan horse attacks, where an executable or macro-based attack executes code of the attacker’s choice on the user’s machine.
Obviously, you’ll want these to stop. Both problems impact productivity: people waste time deleting them, avoiding them, complaining about them, and fixing the problems they cause. Worse, malware is a security breach of your site. More recent examples include one worm that caused Outlook users to e-mail random documents from their Documents folder to various people in their address book. This can lead to sensitive corporate information being leaked to outsiders, or at best embarrassing documents being leaked to who knows who.
We have a two-part solution, one for each main problem. You can, of course, mix and match as best fits your environment and policies. SpamAssassin is excellent at detecting SPAM. If you want to lay down some good cash, you can subscribe to BrightMail or another commercial anti-spam service; this solution is free. On its own SpamAssassin only scores and tags, so you either need scripts to wrap it if you are going to block spam altogether, or filtering of some sort that can act on the headers it adds. For malware, both John Hardin’s procmail-based filters and the Anomy sanitizer can help protect from malicious attachments, web bugs, and the like.
SpamAssassin detects spam messages using a variety of rules. These rules analyze various parts of the e-mail message for signs that it may be unsolicited commercial e-mail. Header analysis rules look for common tricks that spammers use to hide their identity, as well as telltale signs of bulk mail delivery software. They also examine the Subject header for things such as “FREE FREE FREE” and “Make Money Fast”. Body analysis looks for common phrases that are used in spam, such as “100 percent guaranteed” and offers to enlarge your penis or breasts. It will test headers against the blacklists; it supports RBL, SpamCop, five-ten, a long list of them. It also supports several of the checksum clearing houses, such as Razor and DCC. The real power of SpamAssassin comes into play when you realize that the simple act of matching any one of these rules does not, in and of itself, mark the message as spam. The system is score-based. Each rule is assigned a value, which can be positive or negative. The things discussed earlier, such as “FREE such and such” in the subject or being listed on one of the blacklists, add to the score. Other things, such as the sender using mutt for their MUA, reduce the score. Messages that aren’t spam tend to come in with negative scores. Using this score-based system with a reasonably high score requirement results in very few or no false positives. You will let some spam through, but nowhere near as many as you would have without SpamAssassin.
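The scoring described above, driven from Perl the way amavisd-new does it (slide 9: Mail::SpamAssassin is called directly, no spamd). This is an added example, not code from the talk or from the SpamAssassin project. The message is constructed for the example, `local_tests_only` keeps the run offline (no RBL, Razor or DCC lookups, so those rules cannot contribute), and the tag/kill thresholds at the end are assumed values mirroring amavisd's three levels; which rule names fire, and with what points, depends on the rule set installed on your system.

```perl
#!/usr/bin/perl
# Score one message with the SpamAssassin engine in-process.
# Added example; the message below is constructed, not a real capture.
use strict;
use warnings;
use Mail::SpamAssassin;

# HTML-only mortgage pitch with "click here" and "opt in": the kinds of
# body tests that appear in the slide 8 report.
my $raw = <<'EOM';
Received: from unknown (HELO mail.example.net) (192.0.2.10)
    by mx.example.org with SMTP; Fri, 19 Oct 2012 10:00:00 -0400
From: "Rates Desk" <rates@example.net>
To: someone@example.org
Subject: Lowest mortgage rates in 40 years!!!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Refinance now at the lowest mortgage rates in 40 years.</p>
<p><a href="http://www.example.net/offer">Click here</a> to opt in.</p>
</body></html>
EOM

# local_tests_only => 1 skips network tests (DNS blacklists, Razor, DCC),
# so the script runs offline; drop it for a production-like score.
my $sa = Mail::SpamAssassin->new({
    local_tests_only => 1,
    dont_copy_prefs  => 1,
});
$sa->compile_now();          # load and compile the rule set once, up front

my $mail   = $sa->parse($raw);
my $status = $sa->check($mail);

my $score    = $status->get_score;            # sum of all hit rules, + and -
my $required = $status->get_required_score;   # required_score from local.cf
printf "score=%.1f required=%.1f is_spam=%s\n",
    $score, $required, ($status->is_spam ? 'yes' : 'no');

# Symbolic names of every rule that hit (comma-separated string).
print "tests hit: ", $status->get_names_of_tests_hit, "\n";

# The human-readable table from slide 8, one line per rule with its points.
print $status->get_report;

# amavisd-style escalation on top of the single SpamAssassin verdict.
# Values assumed for the example: 6.2 = tag2 level, 6.9 = kill level.
my ($tag2_level, $kill_level) = (6.2, 6.9);
my $action = $score >= $kill_level ? 'quarantine/discard'
           : $score >= $tag2_level ? 'tag as spam and deliver'
           :                         'deliver';
print "action: $action\n";

if ($status->is_spam) {
    # The altered message: X-Spam-* headers added, Subject rewritten,
    # report prepended if report_safe is on.  This is what would be
    # handed back to the MTA (or written to a quarantine mailbox).
    my $tagged = $status->rewrite_mail;
    print "rewritten message is ", length($tagged), " bytes\n";
}

$status->finish;
$mail->finish;
```

Run it as the user amavisd runs as, so it picks up the same /etc/mail/spamassassin/local.cf (where `required_score` lives) and the same compiled rules; a score that differs from what amavisd logs for the same message usually means a different user's prefs or rule directory was read.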
This is a sample of the default report that SpamAssassin inserts at the beginning of an email it thinks is SPAM.
If you’re going to install SpamAssassin system-wide, you almost certainly want to use it as a daemon. When running in daemon form, the SpamAssassin Perl engine (spamd) listens on a socket for connections from the client software. The client (spamc) is written in C and is low overhead. Using spamc in conjunction with the daemon will significantly reduce system load compared to firing off a Perl process for every e-mail on your system. It’s not obvious if you don’t bother to read the docs (or you’re installing a port and don’t know where to start looking): the default config file is /etc/mail/spamassassin/local.cf, and documentation for this file is in the Mail::SpamAssassin::Conf man page. You can also install SpamAssassin as non-root for your own use via procmail; SpamAssassin’s documentation covers this.
If you are on Windows, my best answer is use a UNIX system as a mail relay. You probably don’t want an Exchange server talking to the outside world, anyway. SpamAssassin Pro is available for client systems running Outlook. You might look into Lyris MailShield as a Windows based MX service, even if it’s on the same machine as your Windows based mail service. I looked at quite a few different Windows solutions before I came to the conclusion that a UNIX relay was the only solution. MailShield looked the best of the Windows options.