Anti Spam Best Practices
Anti Spam Engine: Time-Tested Scanning
An IceWarp White Paper, October 2008
Background

The proliferation of spam will increase. That is a fact. Secure Computing's July 2008 report reveals that numbers far exceeded global expectations: spam rose 280% from July 2007 to the following July, and the year's peak was on March 27, with 185 billion spam messages sent that day. Radicati Group also found that by the close of 2008, 78% of worldwide e-mail traffic will be spam, a figure expected to increase steadily over the next four years, reaching 83%. According to Spamhaus, 80% of all internet spam comes from just 100 spam operations worldwide. It should be noted that spam laws are often ineffectual, for they are hard to enforce and many governments choose to turn a blind eye.

Spam Levels

As new spammers enter the fray and as all spammers refine their tactics, the threat to the business community will only rise. Spam is more than a nuisance: its management can cut sharply into a company's bottom line, and it can carry malware. While different organizations render slightly different research results, it is clear that businesses are hit by spam the hardest. Consider these additional statistics:

- Spam rose 280% from July 2007 to the following July (Secure Computing).
- Sophos reveals that the percentage of spam on the average business e-mail server reached 96.5% by June.
- Nucleus Research estimates that at least 90% of all e-mail reaching corporate servers is spam.
- Sophos finds that only one of every 28 e-mails received by businesses is legitimate.
- Radicati Research Group reports that spam annually costs businesses $20.5 billion in technical expenses and decreased productivity.
- Nucleus Research calculates that companies annually lose $1,934 per employee due to spam.
What Can Be Done About Spam?

Since there is no feasible way to eliminate spam, the best defense rests with sophisticated, aggressive filtration.

Anti Spam Engine Overview

IceWarp's built-in Anti Spam Engine is a powerful business tool for combating the ever-increasing amount of internet spam. While the tool's default settings already make for a strong antispam solution, minor adjustments on the individual server can provide considerably more protection. The administrator can increase the accuracy of spam identification first by identifying the nature of incoming messaging, then by making the necessary changes to the Anti Spam module. For proper filtration, it is important to identify the different layers of IceWarp's Anti Spam Engine:

RBLs (Real-time Black hole Lists): RBLs are lists against which the originating server of each e-mail is checked for known spam sources.

Bayesian Learning Engine: Bayesian learning engines are dynamic, intelligent engines that teach the system about a server's mail patterns. They can be fine-tuned to recognize patterns that have been reviewed by trusted members of the mail server.

Quarantine and Spam Folders with Reporting: Quarantine and spam folders give users the ability to monitor incoming messages without examining each item, and suspect messages do not fill up the inbox. This method works together with whitelisting and gives the end user significant control over their inbox.

White Lists: White lists give end users control over the messages they receive. The system can be set to automatically approve addresses that the user sends to, ensuring that incoming e-mail from those addresses is delivered to the inbox and is neither flagged as spam nor quarantined.

Black Lists: Black lists give end users the ability to reject e-mail from disapproved addresses.
Grey Lists: When a receiving server answers a delivery attempt with a soft (temporary) failure, an RFC-compliant sending server will queue the message and resend it later. Most spammers, however, configure their software never to retry. Greylisting takes advantage of this by temporarily rejecting every initial connection from an unknown sender for a predetermined number of minutes, then accepting the resent message. While this initially slows communication, delivery speeds up the longer greylisting remains active, because senders that have already passed the check are remembered and no longer delayed, and the amount of spam accepted drops. Some estimates indicate that spam can be reduced 70 percent using this method.

Miscellaneous Rules: Using additional rules, administrators can fine-tune spam identification in IceWarp's Anti Spam Engine. These include, but are not limited to, charset blocking, DNS resolution, and flagging particular message formats.

SpamAssassin: IceWarp SpamAssassin is the heart of IceWarp's Anti Spam Engine: a robust system that determines the spam value of each incoming message by comparing it against a series of content rules. SpamAssassin's rule profiles remain current through regular updates from IceWarp's Anti Spam Server. A given e-mail's spam score increases with every rule it matches. Once the score reaches the threshold the administrator has established, the message is marked as spam. IceWarp SpamAssassin is open source, highly configurable and can be tailored to the needs of a business.

IceWarp does not provide a rigid, narrowly defined spam solution for all users. Rather, the power of IceWarp Anti Spam is its flexibility. Since there are many different kinds of e-mail and the nature of incoming messages can change over time, no single solution is feasible. Therefore, the system administrator will need to monitor the system and make adjustments along the way. IceWarp recommends that the following settings be used in conjunction with the IceWarp Anti Spam Engine. Please note that they do not require licensing of the Anti Spam Engine.
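The greylisting behaviour just described, as an added example written for this edit (it is not IceWarp code): a first delivery attempt for an unseen (client IP, envelope sender, envelope recipient) triplet is answered with a temporary SMTP failure, a retry that arrives too early is deferred again, and a retry after the configured delay is accepted and remembered so later mail from that triplet is not delayed. The delay value, the SMTP reply strings and the sample delivery attempts are assumptions chosen for the illustration.

```python
"""Greylisting simulation (added example, not IceWarp code).

Assumptions: a 5-minute delay and the reply strings below; the sample
attempts at the bottom are constructed."""

from dataclasses import dataclass, field

GREYLIST_DELAY_SECS = 5 * 60          # assumed minimum wait before a retry is accepted
TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    delay: int = GREYLIST_DELAY_SECS
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    known: set = field(default_factory=set)          # triplets that completed a valid retry

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        """Return the SMTP reply the receiving server sends at time `now` (epoch seconds)."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.known:
            return ACCEPT                          # already verified: no delay any more
        if triplet not in self.first_seen:
            self.first_seen[triplet] = now         # first contact: defer with a soft failure
            return TEMP_FAIL
        if now - self.first_seen[triplet] < self.delay:
            return TEMP_FAIL                       # retried too soon: still deferred
        self.known.add(triplet)                    # compliant retry: accept and remember
        return ACCEPT


def simulate(attempts):
    """Run (now, client_ip, sender, recipient) attempts through one greylist; return the replies."""
    gl = Greylist()
    return [gl.check(ip, s, r, now) for (now, ip, s, r) in attempts]


if __name__ == "__main__":
    # Constructed sample: a compliant MTA retries after 10 minutes; a spam bot never retries.
    attempts = [
        (0,   "203.0.113.10", "alice@example.net", "bob@example.com"),   # legitimate, first try
        (0,   "198.51.100.7", "x1@spam.example",   "bob@example.com"),   # bot, single shot, never seen again
        (600, "203.0.113.10", "alice@example.net", "bob@example.com"),   # legitimate retry: accepted
        (900, "203.0.113.10", "alice@example.net", "bob@example.com"),   # later mail: no delay
    ]
    for a, reply in zip(attempts, simulate(attempts)):
        print(a[0], a[1], a[2], "->", reply)
```

The bot's single attempt is all the spam ever costs: it is deferred and never completes, while the legitimate sender pays the delay once per triplet.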
Locking Down the Server

Located at [Mail service] [Security] [General tab]

Figure 1

Figure 1 illustrates a closed relay in the server. A closed relay refuses mail from unauthorized senders claiming local domains and permits only localhost (and any explicitly trusted IPs) to send e-mail through the server without authenticating. These settings prevent an unauthorized account from relaying through the server and, with the help of the SMTP log files, make it possible for an administrator to track down a spammer who is using a compromised account on the server. With these settings in place, client software (such as Outlook or Thunderbird) must use the option "my server requires authentication" in order to send through the IceWarp server.

There are times when it is necessary to add an IP address to Trusted IPs and Hosts (for example, when a web page must be able to send through the server, or when all client machines fall within a local IP range written with wildcards, such as *.*), but this should be done with caution for any public IP address, since a trusted IP relays without authentication.

When the option POP before SMTP is used, authentication is done through POP/IMAP connections and appears only in those logs, not in the SMTP log. This setting authorizes the IP from which a POP/IMAP account logged into the system to relay for X number of minutes.
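The relay rules described above, including the "Reject if originator's domain is local and not authorized" option discussed on the next page, as an added example written for this edit (it is not IceWarp code). A message is accepted for relay only when the session is authenticated, the client IP is trusted (localhost or a Trusted IPs entry), or the IP recently logged into POP/IMAP (POP before SMTP); otherwise only mail addressed to a local domain is accepted, and even that is refused when the envelope sender claims a local domain without being authorized. The domain names, trusted networks, the POP-before-SMTP window and the reply strings are assumptions made for the example.

```python
"""Closed-relay decision at the RCPT TO stage (added example, not IceWarp code).

Assumed configuration: local domain example.com, trusted networks
127.0.0.0/8 and 192.168.1.0/24, a 15-minute POP-before-SMTP window."""

import ipaddress

LOCAL_DOMAINS = {"example.com"}                                        # assumed
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]                # assumed Trusted IPs
POP_BEFORE_SMTP_MINUTES = 15                                           # the text's "X number of minutes", value assumed


class RelayPolicy:
    def __init__(self, reject_local_unauthorized=True, pop_before_smtp=True):
        self.reject_local_unauthorized = reject_local_unauthorized
        self.pop_before_smtp = pop_before_smtp
        self.pop_logins = {}   # client ip -> minute (epoch minutes) of last successful POP/IMAP login

    def record_pop_login(self, ip, minute):
        """Called by the POP/IMAP service on a successful login; note it shows only in those logs."""
        self.pop_logins[ip] = minute

    def _trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in TRUSTED_NETS)

    def _recent_pop(self, ip, minute):
        last = self.pop_logins.get(ip)
        return self.pop_before_smtp and last is not None and minute - last <= POP_BEFORE_SMTP_MINUTES

    def decide(self, client_ip, authenticated, mail_from, rcpt_to, minute):
        """Return an SMTP-style reply for one RCPT TO, given the session state."""
        sender_domain = mail_from.rsplit("@", 1)[-1].lower()
        rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
        authorized = authenticated or self._trusted(client_ip) or self._recent_pop(client_ip, minute)
        # A local sender address (e.g. postmaster@example.com) from an unauthorized session is spoofing.
        if self.reject_local_unauthorized and sender_domain in LOCAL_DOMAINS and not authorized:
            return "550 5.7.1 Sender domain is local and session is not authorized"
        if rcpt_domain in LOCAL_DOMAINS:
            return "250 OK"                         # inbound mail for our own users is always accepted
        if authorized:
            return "250 OK"                         # outbound relay by an authorized client
        return "550 5.7.1 Relaying denied"          # closed relay: nothing else goes out


if __name__ == "__main__":
    p = RelayPolicy()
    print(p.decide("203.0.113.5", False, "x@other.example", "bob@example.com", 100))       # inbound: 250
    print(p.decide("203.0.113.5", False, "x@other.example", "y@elsewhere.example", 100))   # open relay attempt: 550
    print(p.decide("203.0.113.5", False, "postmaster@example.com", "bob@example.com", 100))  # spoofed local sender: 550
    p.record_pop_login("203.0.113.5", 100)
    print(p.decide("203.0.113.5", False, "bob@example.com", "y@elsewhere.example", 110))   # within POP window: 250
```

The last call shows why POP before SMTP deserves caution: once any account on that IP has logged in, the SMTP session relays without authenticating and the SMTP log alone does not explain why.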
While it is acceptable to use this setting, it should be turned off if the server has been compromised by a spammer sending out through it: every IP that logs into a compromised account is then cleared to relay, and the SMTP log alone will not show it. Administrators who experience a system compromise should search IceWarp support for "spammer relaying", select the article "Possible Spammer Relaying through My Server", and follow the steps provided to determine how the system was compromised.

To make certain that someone cannot send messages to server accounts in the name of the server's own domain, administrators should select the option "Reject if originator's domain is local and not authorized". This option prevents spammers from spoofing legitimate accounts such as PostMaster and Admin, and removes that source of uncertainty for end users.

DNS-based Blocking

Located at [Mail service] [Security] [DNS tab]

A list of RBLs that can be used to check incoming e-mail is available in the Anti Spam Engine settings, where it contributes to the marking and sorting of spam. A system administrator can also use DNSBL lists in the Mail Security settings, in conjunction with the Intrusion Prevention settings, to close the session and reject the connection from known spammers outright.

Figure 2

By closing and blocking the sessions at the IP level, an administrator can significantly lower the amount of traffic to the server, because the CPU will not have to process every e-mail through the Anti Spam Engine. Thus, the impact on the system is lessened. Figure 2 illustrates the suggested default server settings. Notice that only two DNSBL lists are used. IceWarp highly recommends
that no more than two be used. Since the system needs to check these lists for each e-mail, more than two DNSBLs would result in a longer connection time. Once there is a match, the server no longer needs to search the others. This is not true for the RBL lists in SpamAssassin, where the system must check against every list.

Once the administrator selects the Reject options based on reverse DNS (rDNS), e-mail coming into the system is limited to actual domains. This keeps the server from accepting e-mail from nonexistent domains, a common technique used by spammers, and from IPs that do not have proper reverse DNS resolution set up. It confirms that the connecting IP resolves back to a real hostname; that raises the bar for spoofing, although on its own it does not authenticate the sender.

Intrusion Prevention

Located at [SMTP Service] [Security] [Intrusion Prevention Tab]

The Intrusion Prevention (IntPr) settings block connections to the server according to different levels of suspicious activity. When a sender trips one of these options, its IP address is tagged as a blocked IP in the IntPr table. By default, it remains blocked for 30 minutes, after which a sender from the blocked IP can attempt to connect again. This ensures that the IceWarp server will not be flooded, but it does not permanently reject a communication attempt, in case the sending server is legitimate but merely compromised by a virus or an isolated spammer. This leaves the door open for future correspondence with the originating server once the problem has been resolved.

Figure 3

Figure 3 illustrates a solid baseline for a system's initial setup. Those interested in learning more about each individual setting should navigate to this screen in the IceWarp Console and press F1 to open the Help file. These settings are used because they address activity generally seen only from spammers.
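The two ways the same DNSBL data is consumed, plus the reverse-DNS test, as an added example written for this edit (not IceWarp code): at the Mail Security level the first listing is enough to reject the session, so lookups stop at the first hit, whereas SpamAssassin queries every configured list and each hit only adds to the score. The zone names, the scores and the in-memory resolver table standing in for DNS are constructed for the example; a real deployment would issue the same query names through a DNS library.

```python
"""DNSBL lookups and forward-confirmed reverse DNS (added example, not IceWarp code).

FAKE_DNS is a constructed stand-in for a resolver; names without an entry
behave like NXDOMAIN (None)."""

import ipaddress

FAKE_DNS = {
    # DNSBL answers: a listed IP returns an address inside 127.0.0.0/8
    "10.113.0.203.dnsbl-a.example": "127.0.0.2",
    "10.113.0.203.dnsbl-b.example": "127.0.0.4",
    "7.100.51.198.dnsbl-b.example": "127.0.0.2",
    # PTR and forward records used by the rDNS check
    "10.113.0.203.in-addr.arpa": "mail.example.net",
    "mail.example.net": "203.0.113.10",
    "7.100.51.198.in-addr.arpa": "host7.dynamic.example",   # PTR exists but the name never resolves back
}


def lookup(name):
    return FAKE_DNS.get(name)


def dnsbl_name(ip, zone):
    """Query name for a DNSBL: the IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone):
    """A DNSBL lists an IP by answering with an A record in 127.0.0.0/8."""
    answer = lookup(dnsbl_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def session_check(ip, zones):
    """Mail Security style: return the first zone listing the IP (reject the session), else None.
    Lookups stop at the first hit, which is why a short list of zones costs little per connection."""
    for zone in zones:
        if is_listed(ip, zone):
            return zone
    return None


def spamassassin_score(ip, zone_scores):
    """SpamAssassin style: every list is queried and each hit adds its configured score."""
    return sum(score for zone, score in zone_scores.items() if is_listed(ip, zone))


def reverse_dns_ok(ip):
    """Forward-confirmed rDNS: the IP has a PTR and that name resolves back to the same IP."""
    ptr = lookup(ipaddress.IPv4Address(ip).reverse_pointer)
    if ptr is None:
        return False
    return lookup(ptr) == ip


if __name__ == "__main__":
    zones = ["dnsbl-a.example", "dnsbl-b.example"]
    weights = {"dnsbl-a.example": 2.5, "dnsbl-b.example": 1.0}   # assumed SpamAssassin scores
    for ip in ["203.0.113.10", "198.51.100.7", "192.0.2.1"]:
        print(ip, "session:", session_check(ip, zones),
              "sa_score:", spamassassin_score(ip, weights),
              "rdns_ok:", reverse_dns_ok(ip))
```

Because session_check returns on the first hit, the same zone should not appear again in SpamAssassin: a session it would have rejected never reaches the content scan, and one it let through is known not to be listed there.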
Caution: one of these settings should be used with care. Legitimate e-mail might be blocked from a sender that delivers to several local clients who subscribe to the same mailing list. This can occur when the option "Block IP address that establishes a number of connections in 1 minute" is selected and one list server opens a connection per subscriber. Therefore, while it is a suggested setting, the server postmaster should remain aware of this possibility and be prepared to change or remove the setting if it happens.

Advanced Security Settings

Located at [Mail Service] [Security] [Advanced Tab]

Very few of these settings will be used in a default installation, but each serves a special purpose. As illustrated in figure 4, the security setting "Deny SMTP EXPN command" should be selected. The SMTP EXPN command can give attackers the ability to determine which accounts exist on the system, which provides the means to run a brute-force attack against user accounts. EXPN also returns additional user data, including identifying information, which should be safeguarded from attackers.

Figure 4
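The connections-per-minute rule and its 30-minute block, run over constructed log lines, as an added example written for this edit (not IceWarp code). It also reproduces the caveat above: a mailing-list host that opens one connection per local subscriber within a minute looks exactly like a spam burst to this rule. The log line format, the threshold of 10 connections per minute and the timestamps are assumptions made for the example; the 30-minute block duration is the default described in the text.

```python
"""Intrusion Prevention rate rule: block an IP that opens more than N connections
in one minute, for 30 minutes, then let it try again (added example, not IceWarp code).

Constructed log format: 'YYYY-mm-dd HH:MM:SS <client-ip> CONNECT'."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_CONN_PER_MINUTE = 10                 # assumed threshold
BLOCK_DURATION = timedelta(minutes=30)   # default from the text
WINDOW = timedelta(minutes=1)


class IntrusionPrevention:
    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> timestamps of connections in the last minute
        self.blocked_until = {}            # ip -> datetime at which the block expires

    def connection(self, ip, ts):
        """Record one connection attempt; return 'accept' or 'blocked'."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "blocked"           # still inside the 30-minute block
            del self.blocked_until[ip]     # block expired: the door is open again
            self.recent[ip].clear()
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:    # forget connections older than one minute
            q.popleft()
        if len(q) > MAX_CONN_PER_MINUTE:
            self.blocked_until[ip] = ts + BLOCK_DURATION
            return "blocked"
        return "accept"


def replay(log_lines):
    """Feed log lines through one IntrusionPrevention table; return (ip, decision) per line."""
    ipr = IntrusionPrevention()
    results = []
    for line in log_lines:
        date, time, addr, _ = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        results.append((addr, ipr.connection(addr, ts)))
    return results


def make_burst(ip, start, count, gap_secs):
    """Constructed log lines: `count` connections from `ip`, `gap_secs` apart, starting at `start`."""
    return [f"{(start + timedelta(seconds=i * gap_secs)).strftime('%Y-%m-%d %H:%M:%S')} {ip} CONNECT"
            for i in range(count)]


def demo():
    t0 = datetime(2008, 10, 1, 9, 0, 0)
    # A spam source opening 12 connections in 22 seconds: blocked from the 11th on.
    lines = make_burst("198.51.100.7", t0, 12, 2)
    # A mailing-list host delivering one list message to 12 local subscribers within
    # a minute trips the very same rule; this is the caveat from the text.
    lines += make_burst("203.0.113.10", t0, 12, 4)
    # The same list host 35 minutes later: the 30-minute block has expired.
    lines += make_burst("203.0.113.10", t0 + timedelta(minutes=35), 1, 0)
    return replay(lines)


if __name__ == "__main__":
    for addr, decision in demo():
        print(addr, decision)
```

The postmaster's remedy, as the text says, is to relax or remove the rule; a finer alternative is to put the list host's IP into Trusted IPs so it never reaches the IntPr table, at the cost noted under "Locking Down the Server".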
Recommended IceWarp Anti Spam Configuration

The following screenshots and details will help administrators set up the IceWarp Anti Spam Engine with suggested default settings. The discussion includes the reasoning behind the settings and the ways an administrator can determine how best to customize them. If a particular setting is shown but not discussed, the default is suggested.

Figure 5 illustrates the basic configuration of IceWarp's Anti Spam Engine. It serves as a baseline, but consideration must be given to the nature of all outbound e-mail and the class of business deploying the server.

Figure 5

For instance, it is generally advisable for an ISP to scan all outbound e-mail, while a small business can usually forgo this option. In addition, the system administrator must determine whether local accounts should be subject to antispam filtration. A small business might not need to subject local accounts to quarantines, white lists and black lists, while an ISP might seriously consider this option in order to keep its members safe from spamming attempts by other members within the same domain.

The [Anti Spam] Action settings hold the controls that tell the server how to differentiate the levels of spam and how to deal with each according to its final SpamAssassin score. A system administrator will need to determine tagging, quarantine, rejection and deletion thresholds.
Figure 6 illustrates a low quarantine threshold: a message might be quarantined at a low score yet not be marked as spam unless it reaches a higher one.

Figure 6

Note that figure 6 does not include a rejection threshold, since rejecting spam can, at times, result in the server being blacklisted as a spam trap. Having the system add [Spam] to the subject line is an alternative; in addition, the postmaster may simply decide to use the two levels of spam organization, quarantine and spam folder. In order to use the spam folder (as opposed to the quarantine folder), the system administrator must select the appropriate option, enable integration of spam folders with IMAP, and choose the IMAP folder to integrate with. The spam folder can be kept from overflowing by setting the server to delete spam messages older than 7 days. The system administrator can also use the Reports tab, indicated in figure 6, to create daily spam reports. These reports tell users which messages were placed in the Quarantine and Spam folders, giving them manual control.
SpamAssassin

Located at [Anti spam] [SpamAssassin]

From the main screen, the postmaster dictates which parts of the SpamAssassin engine are employed. There are many options, and not all of them will be used by all servers.

Figure 7

Please note that Razor2 is not selected in figure 7. A system administrator may choose to exclude this option since, upon receipt of a message, Razor2 queries the Razor network for a verdict on the message's signatures. While this tool is highly effective in identifying spam, the extra network round trip can slow down communication and cause a backlog of connections, which can bog down large installations. Administrators should use this setting, and RBL lists, with due consideration.

"Razor2 is a distributed, collaborative, spam detection and filtering network. Through user contribution, Razor2 establishes a distributed and constantly updating catalogue of spam in propagation that is consulted by clients to filter out known spam. Detection is done with statistical and randomized signatures that efficiently spot mutating spam content. User input is validated through reputation assignments based on consensus on report and revoke assertions which in turn is used for computing confidence values associated with individual signatures." (SourceForge.net)

In order for this to function properly, the system administrator will need to open outbound access on the port Razor2 uses; the functionality will not work if that port is not open.
As previously mentioned, RBL lookups can reduce processing and filtration speed on busier systems. This white paper also suggested limiting the combined number of DNSBL checks (Mail Security) and RBL checks (SpamAssassin) to about three, and not repeating in SpamAssassin the lists already used in the DNSBL security settings. This prevents redundant checks and allows faster filtration. Figure 8 illustrates the selection of only one RBL list, whereas two were selected in figure 2.

Figure 8

Anti Spam Black List and White List

Black Lists: Offering flexibility in spam identification, black lists and white lists in IceWarp's Anti Spam Engine give end users ultimate control of their inboxes. IceWarp provides two ways of handling a black list. By default, the installation is set so that e-mail from a blacklisted sender is rejected. The other option is for a black list match to add a defined score to the SpamAssassin total, after which the e-mail is handled according to the global spam engine settings (i.e. the engine sends it to Spam or Quarantine, or else rejects or deletes it).

White Lists: While the black list engine is on by default, the white list engine needs to be turned on manually. Figure 9 illustrates the various whitelisting options.
For instance, the system can be set to automatically whitelist trusted recipients and senders in groupware address books. Two notable settings that have not been selected in figure 9 are "Whitelist trusted IPs and authenticated sessions" and "Whitelist local domain senders".

Figure 9

These two settings are recommended for individual businesses, not for ISPs that host e-mail for a great many users. With these items selected, all e-mail sent internally within the server is trusted and bypasses the spam engine, which on a server shared by many customers lets one of them spam the others unchecked.

Miscellaneous

Located at [Anti spam] [Miscellaneous]

The Miscellaneous tab in figure 10 contains settings that modify the SpamAssassin score after the initial scan. The suggested practice is to use the default settings for all three tabs, changing them only with caution. Shown in figure 10, the Content settings reflect common methods spammers use to trick antispam engines into treating spam as legitimate e-mail. While none of these criteria will, individually, cause a message to be classified as spam, multiple violations will.

Figure 10
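The Action thresholds, the two black list modes and the whitelist bypass described in the preceding sections, combined into one decision routine, as an added example written for this edit (not IceWarp code). Whitelisting (address-book senders, trusted IPs, authenticated sessions) skips scoring entirely; a blacklisted sender is either rejected outright (the default) or has a fixed score added before the normal thresholds apply; the score is then compared against the quarantine, mark-as-spam and delete thresholds, with no reject threshold set, as in figure 6. The threshold values, the black list score bonus, the sender addresses and the sample messages are assumptions made for the example.

```python
"""Anti Spam action pipeline: whitelist, black list, then score thresholds
(added example, not IceWarp code; all numeric values are assumed)."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    quarantine_at: float = 4.0            # assumed: low quarantine threshold (figure 6)
    spam_at: float = 6.0                  # assumed: higher score before [Spam] tagging
    delete_at: float = 15.0               # assumed
    reject_at: Optional[float] = None     # not set, matching the text's note on figure 6
    blacklist_mode: str = "reject"        # "reject" (installation default) or "score"
    blacklist_score: float = 5.0          # assumed; used only in "score" mode
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    subject_tag: str = "[Spam]"


@dataclass
class Message:
    sender: str
    subject: str
    score: float                          # the final SpamAssassin score
    authenticated: bool = False           # "Whitelist ... authenticated sessions"
    from_trusted_ip: bool = False         # "Whitelist trusted IPs"


def decide(msg, policy):
    """Return (action, subject): action is 'inbox', 'quarantine', 'spamfolder', 'reject' or 'delete'."""
    sender = msg.sender.lower()
    # 1. A whitelisted sender or session bypasses the engine entirely.
    if sender in policy.whitelist or msg.authenticated or msg.from_trusted_ip:
        return "inbox", msg.subject
    score = msg.score
    # 2. Black list: hard reject, or a score bump that flows into the normal thresholds.
    if sender in policy.blacklist:
        if policy.blacklist_mode == "reject":
            return "reject", msg.subject
        score += policy.blacklist_score
    # 3. Thresholds, most severe first.
    if score >= policy.delete_at:
        return "delete", msg.subject
    if policy.reject_at is not None and score >= policy.reject_at:
        return "reject", msg.subject
    if score >= policy.spam_at:
        return "spamfolder", f"{policy.subject_tag} {msg.subject}"
    if score >= policy.quarantine_at:
        return "quarantine", msg.subject   # held for review, but not labelled as spam
    return "inbox", msg.subject


if __name__ == "__main__":
    # Constructed samples.
    policy = Policy(whitelist={"boss@example.com"}, blacklist={"junk@spam.example"}, blacklist_mode="score")
    for m in [Message("boss@example.com", "budget", 20.0),          # whitelisted: inbox despite the score
              Message("junk@spam.example", "buy now", 1.0),          # blacklist bonus pushes it to [Spam]
              Message("news@list.example", "digest", 4.5),           # quarantined, not marked
              Message("unknown@example.net", "hello", 0.3),          # clean
              Message("bot@example.net", "$$$", 16.0)]:              # deleted
        print(m.sender, decide(m, policy))
```

Note that the whitelist check runs before the black list and the thresholds, which is exactly why "Whitelist local domain senders" is dangerous on a shared server: a local sender address is trivially spoofed by anyone the relay rules do not stop.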
Violations rarely occur in legitimate e-mail, as 99% of all e-mail clients format messages properly. For instance, spam often consists of a graphic with no bona fide text, and phishers create content that consists entirely of a link, whereas legitimate e-mail customarily includes links as merely one element among many.

Charset: The Charset tab gives administrators the ability to exclude e-mail in certain character sets. Some spam is written in a foreign language, such as Russian or Chinese. If a server is spammed with this kind of e-mail, the administrator can open one of the messages, locate the charset declaration in its headers, and place that charset into the Forbidden charsets field shown in figure 11, thus blocking further messages carrying that string.

Figure 11

Sender: The optional settings on the Sender tab are off by default. Administrators should exercise care before selecting them, and generally do so only when the item is the cause of a known problem. See figure 12.

Figure 12

The three settings on the Sender tab block e-mail only from non-compliant clients, not from RFC-compliant ones. However, if the originating server is older or belongs to a small company, it is possible for legitimate e-mail to be filtered as spam.
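The charset block and the two Content checks mentioned above (a graphic with no real text, a body that is nothing but a link), applied to raw messages with Python's email parser, as an added example written for this edit (not IceWarp code). The forbidden-charset list, the rule names and the four sample messages are assumptions constructed for the example; the charset test reads the same Content-Type charset parameter an administrator would copy into the Forbidden charsets field.

```python
"""Charset blocking and image-only / link-only content checks over raw RFC 822
messages (added example, not IceWarp code). Samples and the forbidden list
are constructed."""

import re
from email import message_from_bytes
from email.policy import default

FORBIDDEN_CHARSETS = {"koi8-r", "gb2312", "big5"}   # assumed administrator choice


def message_charsets(msg):
    """Every charset declared on any part of the message, lower-cased."""
    found = set()
    for part in msg.walk():
        cs = part.get_content_charset()
        if cs:
            found.add(cs.lower())
    return found


def content_violations(msg):
    """Return the set of content-rule names this message trips."""
    violations = set()
    if message_charsets(msg) & FORBIDDEN_CHARSETS:
        violations.add("forbidden_charset")
    text, has_image = "", False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            has_image = True
        elif ctype in ("text/plain", "text/html"):
            try:
                text += part.get_content()
            except (LookupError, UnicodeDecodeError):
                violations.add("undecodable_text")     # charset the server cannot even decode
    if has_image and not text.strip():
        violations.add("image_only")                    # a graphic with no bona fide text
    words = re.sub(r"<[^>]+>", " ", text).split()       # crude tag removal, then tokens
    links = [w for w in words if w.lower().startswith(("http://", "https://"))]
    if words and len(links) == len(words):
        violations.add("link_only")                     # the body is nothing but a link
    return violations


def check(raw_bytes):
    return content_violations(message_from_bytes(raw_bytes, policy=default))


# Constructed sample messages.
SAMPLES = {
    "legit": (b"From: a@example.com\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
              b"See http://example.com/report for the numbers.\r\n"),
    "koi8": (b"From: x@example.net\r\nContent-Type: text/plain; charset=koi8-r\r\n\r\n"
             b"Privet\r\n"),
    "image_only": (b"From: y@example.net\r\nMIME-Version: 1.0\r\n"
                   b"Content-Type: multipart/mixed; boundary=B\r\n\r\n--B\r\n"
                   b"Content-Type: image/gif\r\nContent-Transfer-Encoding: base64\r\n\r\n"
                   b"R0lGODlh\r\n--B--\r\n"),
    "link_only": (b"From: z@example.net\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
                  b'<a href="http://bad.example/login">http://bad.example/login</a>\r\n'),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sorted(check(raw)))
```

As the text says, a single violation should only add to the score; a message needs several of them before it is treated as spam, and legitimate mail in a forbidden charset from a real correspondent is the false positive to watch for.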
Note: This discussion continues in IceWarp's white paper entitled "Anti Spam LIVE Service: Zero Hour Protection".