Anti Spam Best Practices




Anti Spam Engine: Time-Tested Scanning
An IceWarp White Paper, October 2008
www.icewarp.com

Background

The proliferation of spam will increase. That is a fact. Secure Computing's July 2008 report reveals that numbers far exceeded global expectations. Spam rose 280% from July 2007 to July 2008. The year's peak was on March 27, with 185 billion spam messages sent that day. Radicati Group also found that by the close of 2008, 78% of worldwide email traffic will be spam. This figure will increase steadily over the next four years, totaling 83% in 2012. According to Spamhaus, 80% of all internet spam comes from just 100 spam operations worldwide. It should be noted that spam laws are often ineffectual, for they are hard to enforce and many governments choose to turn a blind eye.

Spam Levels

As new spammers enter the fray and as all spammers refine their tactics, the threat to the business community will only rise. Spam is more than a nuisance because its management can cut sharply into a company's bottom line, and because it can carry malware. While different organizations render slightly different research results, it is clear that businesses are hit by spam the hardest. Consider these additional statistics:

Spam rose 280% from July 2007 to July 2008. (Secure Computing)
Sophos reveals that the percentage of spam in the average business server reached 96.5% by June 2008.
Nucleus Research estimates that at least 90% of all email reaching corporate servers is spam.
Sophos finds that only one of every 28 emails received by business is legitimate.
Radicati Research Group reports that spam annually costs businesses $20.5 billion in technical expenses and decreased productivity.
Nucleus Research calculates that companies annually lose $1,934 per employee due to spam.

What Can Be Done About Spam?

Since there is no feasible way to eliminate spam, the best defense rests with sophisticated, aggressive filtration.

Anti Spam Engine Overview

IceWarp's built-in Anti Spam Engine is a powerful business tool that can be used to combat the ever-increasing amount of internet spam. While this tool's default settings already make for a powerful antispam solution, minor adjustments on the individual server can provide considerably more protection. The administrator can increase the accuracy of spam identification first by identifying the nature of incoming messaging, then by making the necessary changes to the Anti Spam module. For proper filtration, it is important to identify the different layers of IceWarp's Anti Spam Engine:

RBLs (Real-time Blackhole Lists)
RBLs are lists that check each email against known spam servers.

Bayesian Learning Engine
Bayesian Learning Engines are dynamic, intelligent engines that teach the system about a server's email patterns. Antispam protocols can be fine-tuned to recognize email patterns that have been reviewed by trusted members of the mail server.

Quarantine and Spam Folders with Email Reporting
Quarantine and spam folders give users the ability to monitor incoming messages without examining each item, and without filling up the inbox. This method uses whitelisting and gives the end user significant control over their inbox.

White Lists
White Lists give end users control over the messages they receive. The system can be set to automatically approve addresses that the user sends to, thereby ensuring that incoming email from those addresses is approved for the inbox, and will not be flagged as spam or be quarantined.

Black Lists
Black Lists give end users the ability to reject email from disapproved addresses.

Grey Lists
When a receiving server returns a message with a soft (temporary) failure, the sending server, if RFC-compliant, will always resend the message. However, most spammers configure their servers not to resend such messages. Greylisting takes advantage of this by rejecting every initial connection to the server for a predetermined number of minutes, then accepting the resent message. While this can initially slow communication, communication speed will increase the longer Greylisting remains active, thus cutting down on the amount of spam. Some estimates indicate that spam can be reduced 70 percent using this method.

Miscellaneous Rules
Using additional Rules, users can fine-tune spam identification protocols in IceWarp's Anti Spam Engine. These include, but are not limited to, charset blocking, DNS resolution, and flagging particular email formats.

SpamAssassin
IceWarp SpamAssassin is the heart of IceWarp's Anti Spam Engine, a robust system that determines the spam value of all incoming messages by comparing them with a series of content rules. SpamAssassin's profiles remain current by updating regularly with IceWarp's Anti Spam Server. A given email's spam score will increase with every violation that is identified. Once the score reaches the threshold that the email administrator establishes, it will be marked as spam. IceWarp SpamAssassin is open source, highly configurable and can be tailored to fit the needs of a business.

IceWarp does not provide a rigid, narrowly defined spam solution for all users. Rather, the power of the IceWarp Anti Spam is its flexibility. Since there are many different kinds of email and the nature of incoming messages can change over time, no single solution is feasible. Therefore, the system administrator will need to monitor the system and make adjustments along the way. IceWarp recommends that the following settings be used in conjunction with the IceWarp Anti Spam Engine. Please note that they do not require licensing of the Anti Spam Engine.
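The greylisting exchange described above, written out as an added example (not IceWarp's code): the first attempt for a new (client IP, sender, recipient) triplet gets a 4xx temporary failure, a compliant sender that retries after the assumed delay is accepted, and a sender that never retries never gets through. The delay, entry lifetime and sample addresses are assumptions.

```python
"""Greylisting decision logic: an added illustration of the mechanism described
above, not IceWarp's own code. The first delivery attempt for a new
(client IP, envelope sender, envelope recipient) triplet is refused with a
4xx temporary failure; an RFC-compliant sender retries later and is accepted
once the assumed delay has passed, while a sender that never retries never
gets a message through."""
from dataclasses import dataclass, field

GREY_DELAY_SECONDS = 5 * 60            # assumed delay before a retry is accepted
ENTRY_MAX_AGE_SECONDS = 24 * 60 * 60   # assumed: forget triplets after a day
TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.0.0 OK"


@dataclass
class Greylist:
    delay: int = GREY_DELAY_SECONDS
    # triplet -> timestamp (seconds) of the first attempt seen
    first_seen: dict = field(default_factory=dict)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for a delivery attempt made at time `now`."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now      # remember it, then ask the sender to retry
            return TEMP_FAIL
        if now - seen < self.delay:
            return TEMP_FAIL                # retried too soon: keep waiting
        return ACCEPT                       # a patient, compliant sender: let it in

    def purge(self, now, max_age=ENTRY_MAX_AGE_SECONDS):
        """Drop triplets first seen more than `max_age` seconds ago so the table
        stays bounded. This simple version also drops accepted triplets; a
        production implementation would refresh those on each accepted delivery."""
        stale = [k for k, t in self.first_seen.items() if now - t > max_age]
        for k in stale:
            del self.first_seen[k]
        return len(stale)


def run_attempts(greylist, attempts):
    """Replay (time, client_ip, mail_from, rcpt_to) attempts; return the replies."""
    return [greylist.check(ip, f, t, ts) for ts, ip, f, t in attempts]
```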

Locking Down the Server
Located at [Mail service] [Security] [General tab]

Figure 1

Figure 1 illustrates a closed relay in the server. A closed relay rejects mail whose originator's domain is local but not authorized, and permits only the localhost IP of 127.0.0.1 to send email through the server. These settings prevent an unauthorized account from sending email through a server and, with the help of the SMTP log files, make it possible for an administrator to track down the spammer that is using a compromised account on the server. With these settings in place, the client software (such as Outlook or Thunderbird) would have to use the option "My server requires authentication" in order to be able to send email through the IceWarp Email Server. There are times when it is necessary to add an IP address to the Trusted IPs and Hosts (when you have a web page that you wish to be able to send email through your server, or if all client machines are within a local IP range, such as 192.168.*.*), but it is recommended to do this with caution if using any public IP addresses. When using the option for POP before SMTP, authentication is done through POP/IMAP connections, and will show only in those logs, not the SMTP log. This setting will authenticate the IP from which the POP/IMAP connection logged into the system for X number of minutes.

While it is acceptable to use this setting, it does need to be turned off if the server has been compromised by a spammer sending out through the server. Administrators who experience a system compromise should go to http://esupport.icewarp.com, search for "spammer relaying", and select the article "Possible Spammer Relaying through My Server". They should then follow the steps provided in order to determine how the system was compromised. To make certain that someone cannot breach the system and send messages to server accounts via the server domain name, administrators should select the option "Reject if originator's domain is local and not authorized". This option prohibits spammers from spoofing legitimate accounts such as PostMaster and Admin, and will eliminate uncertainty in the end user.

DNS-based Blocking
Located at [Mail service] [Security] [DNS tab]

A list of RBLs that can be used to check incoming email is available in the Anti Spam Engine settings. It helps with the marking and distribution of spam. However, a system administrator can also use these DNSBL lists in the Mail Security settings in conjunction with the Intrusion Prevention settings in order to close the session and reject the connection from known spammers.

Figure 2

By closing and blocking the sessions at the IP level, an administrator can significantly lower the amount of traffic to the server because the CPU will not have to process every email through the Anti Spam Engine. Thus, the impact on the system is lessened. Figure 2 illustrates the suggested default email server settings. Notice that only two DNSBL lists are used. IceWarp highly recommends that no more than two be used. Since the system needs to check these lists for each email, more than two DNSBLs would result in a longer connection time. Once there is a match, it no longer needs to search for others. This is not true for the RBL lists in SpamAssassin, where the system must check against every list. Once the administrator selects the Reject options based on the rDNS, email coming into the system is limited to actual email domains. This keeps the server from accepting email from nonexistent domains, a common technique used by spammers, and from domains that do not have proper reverse DNS resolution set up. This guarantees that the email is coming from the IP associated with that domain and is not being spoofed.

Intrusion Prevention
Located at [SMTP Service] [Security] [Intrusion Prevention Tab]

The IntPr settings block connections to the server according to different levels of suspicious activity. When a sender trips one of these options, their IP address is tagged as a blocked IP in the IntPr table. By default, it will remain blocked for 30 minutes. After that time, a sender from the blocked IP can attempt to send to the server again. This ensures that IceWarp's Email Server will not be flooded, but it does not permanently reject a communication attempt, in the event that the sending server is legitimate but merely compromised by a virus or an isolated spammer. This feature leaves the door open for future correspondence with the originating server once the problem has been resolved.

Figure 3

Figure 3 illustrates a solid baseline for a system's initial setup. Those interested in learning more about each individual setting should navigate to this screen via the IceWarp Console, and then hit F1 to pull up the Help file. These settings are used because they address activity generally used only by spammers.
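The DNS-based blocking described above, as an added example (not IceWarp's code): how a DNSBL query name is formed from the client's IP, why the session-level check costs at most one lookup per list until the first hit, and why a SpamAssassin-style scoring check has to query every list. The zone names, the listing table and the resolver are constructed so the example runs offline.

```python
"""DNSBL lookup behaviour: an added illustration of the section above, not
IceWarp's own code. A list is queried by reversing the client's IPv4 octets and
appending the list's zone; an answer inside 127.0.0.0/8 means the address is
listed. The session-level check stops at the first hit, whereas a
SpamAssassin-style scoring check must query every list. The resolver is
injected so the example runs offline; zone names and listings are placeholders."""
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name, e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)           # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolve(name):
    """Resolver for real deployment (not used by the offline replay below).
    DNSBLs answer with a 127.0.0.0/8 address; anything else is treated as
    'not listed' so a wildcarded or dead zone cannot block all mail."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except socket.gaierror:
        return False


def session_blocked(ip, zones, resolve):
    """Mail Security DNSBL check: return (matching zone or None, lookups made).
    Stops at the first listing, so adding lists only costs time for clean IPs."""
    lookups = 0
    for zone in zones:
        lookups += 1
        if resolve(dnsbl_query_name(ip, zone)):
            return zone, lookups
    return None, lookups


def rbl_score(ip, zone_points, resolve):
    """SpamAssassin-style RBL check: every list is queried and each hit adds
    its points to the message score. Return (score, lookups made)."""
    score = 0.0
    lookups = 0
    for zone, points in zone_points.items():
        lookups += 1
        if resolve(dnsbl_query_name(ip, zone)):
            score += points
    return score, lookups


# Constructed listing table standing in for DNS answers: 1.2.3.4 is listed on
# two of three placeholder zones, 192.0.2.10 on none.
FAKE_LISTINGS = {
    "4.3.2.1.dnsbl-one.example": True,
    "4.3.2.1.dnsbl-two.example": True,
}


def fake_resolve(name):
    return FAKE_LISTINGS.get(name, False)
```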

Caution: one of these settings should be used with care. Legitimate email might be blocked from clients who subscribe to the same mailing list. This can occur when there are multiple list subscribers and the system administrator selects the option "Block IP address that establishes a number of connections in 1 minute". Therefore, while it is a suggested setting, the email server postmaster should remain aware of this possibility, and be prepared to change or remove this setting in the event that it happens.

Advanced Security Settings
Located at [Mail Service] [Security] [Advanced Tab]

Very few of these settings will be used in a default installation, but they each serve a special purpose. As illustrated in figure 4, the security setting "Deny SMTP EXPN command" should be selected. SMTP EXPN commands can give attackers the ability to determine which accounts exist on the system. This would give them the means by which to execute a brute-force attack on user accounts. EXPN provides additional user data, including identifying information, which should be safeguarded from attackers.

Figure 4
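The Intrusion Prevention rule discussed above (block an IP that opens too many connections in one minute, keep it in the IntPr table for 30 minutes, then let it try again), as an added example that is not IceWarp's code. The per-minute limit is an assumed value; the burst in the test is what a mailing-list server delivering many copies at once looks like to this rule, which is the caveat the text raises.

```python
"""Connection-rate intrusion prevention: an added illustration of the IntPr
behaviour described above, not IceWarp's own code. An IP that opens more than
the allowed number of SMTP connections within a one-minute window is put in a
block table for 30 minutes, after which it may try again. The threshold is an
assumed value."""
from collections import defaultdict, deque


class IntrusionPrevention:
    def __init__(self, max_connections=10, window=60, block_seconds=30 * 60):
        self.max_connections = max_connections   # assumed per-minute limit
        self.window = window                     # "in 1 minute"
        self.block_seconds = block_seconds       # default 30-minute block
        self.history = defaultdict(deque)        # ip -> recent connection times
        self.blocked_until = {}                  # ip -> block expiry (the IntPr table)

    def connect(self, ip, now):
        """Return "accept" or "blocked" for a new connection from `ip` at `now`."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return "blocked"                 # still in the block table
            del self.blocked_until[ip]           # block expired: start fresh
            self.history[ip].clear()
        times = self.history[ip]
        times.append(now)
        while times and now - times[0] >= self.window:
            times.popleft()                      # forget connections outside the window
        if len(times) > self.max_connections:
            self.blocked_until[ip] = now + self.block_seconds
            times.clear()
            return "blocked"
        return "accept"

    def blocked_ips(self, now):
        """Entries of the block table that are still active at `now`."""
        return sorted(ip for ip, t in self.blocked_until.items() if now < t)


def replay(ipp, connections):
    """Feed (time, ip) connection attempts in order; return the decisions."""
    return [ipp.connect(ip, ts) for ts, ip in connections]
```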

Recommended IceWarp Anti Spam Configuration

The following screenshots and details will help administrators set up the IceWarp Email Anti Spam Engine with suggested default settings. The discussion will include the reasoning behind the settings and the ways that an administrator can determine how best to customize those settings. If a particular setting herein is shown but not discussed, the default setting is suggested. Figure 5 illustrates the basic configuration of IceWarp's Anti Spam Engine. It serves as a baseline, but consideration must be given to the nature of all outbound email and the class of business deploying the server.

Figure 5

For instance, it is generally advisable for an ISP to scan all outbound email, while a small business can usually forgo this option. In addition, the system administrator must determine if local accounts should be subject to antispam filtration. A small business might not need to subject local accounts to quarantines, white lists and black lists, while an ISP might seriously consider this option in order to keep its members safe from the spamming attempts of other members within the same domain. The [Anti Spam] Action settings possess the controls that tell the server how to differentiate the different levels of spam and how to deal with them according to their final SpamAssassin score. A system administrator will need to determine tagging, quarantine, rejection and deletion thresholds.

Figure 6 illustrates a low quarantine threshold; though a message might be quarantined at a low threshold, it might not be marked as spam unless it achieves a higher spam score.

Figure 6

Note that figure 6 does not include a rejection threshold, since rejecting spam can, at times, result in having a server blacklisted as a spam trap. Having the system add [Spam] to the subject line is an alternate option; in addition, the postmaster may simply decide to use the different levels of spam organization: quarantine and spam. In order to use the spam folder (as opposed to the quarantine folder), a system administrator must select the appropriate option, integrate spam folders with the IMAP folder, and choose the IMAP folder to integrate with it. The spam folder can remain free of spam overload if the server is set to delete spam messages that are 7 days old. The system administrator can also use the Reports tab, indicated in figure 6, to create and email daily spam reports. These reports will indicate to users what messages were placed in the Quarantine and Spam folders, giving users manual control.

SpamAssassin
Located at [Anti spam] [SpamAssassin]

The postmaster will be able to dictate what parts of the SpamAssassin Engine will be employed via the main screen. There are many options, and not all of them will be used by all email servers.

Figure 7

Please note that Razor2 technology is not selected in figure 7. A system administrator may choose to exclude this option since, upon receipt of a message, Razor2 queries the sending server for validation. While this tool is highly effective in identifying spam, it can also slow down email communication and cause a backup of connections, which can bog down large installation servers. Administrators should use this setting and RBL lists with due consideration.

"Razor2 is a distributed, collaborative, spam detection and filtering network. Through user contribution, Razor2 establishes a distributed and constantly updating catalogue of spam in propagation that is consulted by email clients to filter out known spam. Detection is done with statistical and randomized signatures that efficiently spot mutating spam content. User input is validated through reputation assignments based on consensus on report and revoke assertions which in turn is used for computing confidence values associated with individual signatures." (SourceForge.net)

In order for this to function properly, the system administrator will need to open up access through port 2703. This functionality will not work if the port is not open.

As previously mentioned, RBL lists can reduce email processing and filtration speeds on busier systems. This white paper also stated that those using DNSBLs should limit the number of RBL and DNSBL checks to 3, and that the same RBLs used in the DNSBL security settings not be used in SpamAssassin. This measure will prevent the server from creating a redundant check and allow for faster filtration. Figure 8 illustrates the selection of only one RBL list, whereas two were selected in figure 2.

Figure 8

Anti Spam Black List and White List

Black Lists: Offering flexibility in spam identification, black lists and white lists in IceWarp's Anti Spam Engine give end users ultimate control of their inboxes. IceWarp provides two methods of setting up black lists. By default, the installation sets it up so that blacklisting rejects email if the sender is blacklisted. The other option is for the administrator to have the black list item add a defined score to the SpamAssassin total, and then deal with the email based on the global spam engine settings (i.e., the engine will send it either to Spam or Quarantine, or else reject or delete it).

White Lists: While the black list engine is on by default, the white list engine needs to be turned on manually. Figure 9 illustrates the various whitelisting options.
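The Action thresholds from the figure 6 discussion and the two black list modes just described, combined into one score-to-action policy as an added example (not IceWarp's code): quarantine kicks in below the spam-tag threshold, no reject threshold is set, a blacklisted sender is either rejected outright (the default) or has an assumed score added before the thresholds decide, and a whitelisted sender bypasses the engine. All threshold and score values are assumptions.

```python
"""Score-to-action policy: an added illustration of the Action thresholds
(figure 6) and the black list / white list modes described above, not
IceWarp's own code. Threshold values and the black list score are assumed.
As in figure 6, no reject threshold is set, and the quarantine threshold is
lower than the threshold at which a message is tagged as spam."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ActionThresholds:
    quarantine: float = 4.0           # assumed: low quarantine threshold
    spam: float = 6.0                 # assumed: tag as [Spam] / move to spam folder
    delete: float = 15.0              # assumed
    reject: Optional[float] = None    # none, so the server is not listed as a spam trap


@dataclass(frozen=True)
class SenderLists:
    whitelist: FrozenSet[str] = frozenset()
    blacklist: FrozenSet[str] = frozenset()
    blacklist_rejects: bool = True    # default mode: reject blacklisted senders
    blacklist_score: float = 10.0     # assumed score added in the other mode


def classify(sender, score, thresholds, lists):
    """Return (action, final_score) for a message from `sender` that SpamAssassin
    scored `score`. Actions: deliver, quarantine, spam, reject, delete."""
    s = sender.lower()
    if s in lists.whitelist:
        return "deliver", score          # whitelisted senders bypass the engine
    if s in lists.blacklist:
        if lists.blacklist_rejects:
            return "reject", score
        score += lists.blacklist_score   # add-score mode: let the thresholds decide
    if score >= thresholds.delete:
        return "delete", score
    if thresholds.reject is not None and score >= thresholds.reject:
        return "reject", score
    if score >= thresholds.spam:
        return "spam", score
    if score >= thresholds.quarantine:
        return "quarantine", score
    return "deliver", score


def tag_subject(subject, action, tag="[Spam]"):
    """Prefix the subject when the action is "spam"; leave other mail untouched."""
    if action == "spam" and not subject.startswith(tag):
        return f"{tag} {subject}"
    return subject
```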

For instance, the system can be set to automatically whitelist trusted email recipients and senders in groupware address books. Two notable settings that have not been selected in figure 9 are "Whitelist trusted IPs and authenticated sessions" and "Whitelist local domain senders".

Figure 9

These two settings are recommended for individual businesses and not for ISPs that host email for a great many users. By choosing these items, all mail sent internally within the server would be trusted and would bypass the spam engine.

Miscellaneous
Located at [Anti spam] [Miscellaneous]

The Miscellaneous tab in figure 10 contains settings that are used to modify the SpamAssassin score after initial scanning. The suggested practice is to use the default settings for all three tabs, only changing them with caution. Shown in figure 10, the Content settings reflect common methods spammers use to trick antispam engines into believing spam is legitimate email. While none of these criteria, individually, will cause a message to be classified as spam, multiple violations will.

Figure 10

Violations rarely occur in legitimate email, as 99% of all email clients properly format email in order to comply. For instance, spam is often comprised of a graphic, with no bona fide text. Phishers create email content that is comprised entirely of a link. Customarily, legitimate email includes links as merely one element of many.

Charset
The Charset tab gives administrators the ability to exclude certain types of email. Some spam contains foreign-language text, such as Russian or Chinese. If a server is spammed with this kind of email, the administrator can open up one of the messages, locate the charset line, and place that charset into the Forbidden charsets field shown in figure 11, thus blocking additional messages carrying the string.

Figure 11

Sender
The optional settings available on the Sender tab are not enabled by default. Administrators should exercise care before selecting them, and generally only if the item is the cause of a known problem. See figure 12.

Figure 12

The 3 settings available on the Sender tab will only block emails from unapproved clients, not those that are RFC-compliant. However, if the originating server is older or belongs to a small company, it is possible for legitimate email to be filtered as spam.
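The charset check described above, as an added example (not IceWarp's code): the "charset line" an administrator would copy into the Forbidden charsets field is read from every MIME part and from encoded-word headers, so a forbidden charset declared only inside a nested multipart/alternative part is still caught. The forbidden entries and both sample messages are constructed for the example.

```python
"""Charset blocking: an added illustration of the Forbidden charsets check
described above, not IceWarp's own code. The charset is read from every MIME
part of the message and from encoded-word headers, so a forbidden charset
nested inside a multipart/alternative body is still found. The forbidden
charsets and the sample messages are constructed for the example."""
import email
from email.header import decode_header

FORBIDDEN_CHARSETS = {"koi8-r", "gb2312"}   # assumed entries for the Forbidden charsets field


def message_charsets(raw):
    """Return the lower-cased charsets declared anywhere in a raw RFC 822 message:
    the charset= parameter of each body part plus the charset of any
    encoded-word (=?charset?...?=) in the Subject or From header."""
    msg = email.message_from_string(raw)
    found = set()
    for part in msg.walk():                  # walk() descends into nested multiparts
        charset = part.get_content_charset()
        if charset:
            found.add(charset.lower())
    for name in ("Subject", "From"):
        value = msg.get(name)
        if value:
            for _, charset in decode_header(value):
                if charset:
                    found.add(charset.lower())
    return found


def forbidden_charsets_in(raw, forbidden=FORBIDDEN_CHARSETS):
    """Sorted list of forbidden charsets the message carries (empty means allowed)."""
    return sorted(message_charsets(raw) & {c.lower() for c in forbidden})


# Constructed sample: the charset appears only inside the nested parts and in the
# encoded-word From header, never on the top-level Content-Type line.
SAMPLE_FORBIDDEN = (
    "From: =?koi8-r?Q?=F0=D2=C9=D7=C5=D4?= <sender@example.net>\r\n"
    "To: user@example.com\r\n"
    "Subject: hello\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    'Content-Type: text/plain; charset="KOI8-R"\r\n'
    "\r\n"
    "hello\r\n"
    "--b1\r\n"
    'Content-Type: text/html; charset="koi8-r"\r\n'
    "\r\n"
    "<p>hello</p>\r\n"
    "--b1--\r\n"
)

# Constructed sample of ordinary mail with an encoded-word subject in UTF-8.
SAMPLE_ALLOWED = (
    "From: alice@example.org\r\n"
    "To: user@example.com\r\n"
    "Subject: =?utf-8?Q?Caf=C3=A9?=\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "hello\r\n"
)
```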

Note: This discussion continues in IceWarp's white paper entitled Anti Spam LIVE Service: Zero Hour Protection.