Anti-spam filtering techniques

Similar documents
Antispam Security Best Practices

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Avira Managed Security AMES FAQ.

Enhanced Spam Defence

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

AntiSpam QuickStart Guide

Collateral Damage. Consequences of Spam and Virus Filtering for the System. Peter Eisentraut 22C3. credativ GmbH.

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

A D M I N I S T R A T O R V 1. 0

Objective This howto demonstrates and explains the different mechanisms for fending off unwanted spam .

COMBATING SPAM. Best Practices OVERVIEW. White Paper. March 2007

Mail Avenger. David Mazières New York University

DomainKeys Identified Mail DKIM authenticates senders, message content

Introduction. How does filtering work? What is the Quarantine? What is an End User Digest?

Intercept Anti-Spam Quick Start Guide

security

Marketing Glossary of Terms

EMB. Basics. Goals of this lab: Prerequisites: LXB, NET, DNS

Configuring MDaemon for Centralized Spam Blocking and Filtering

Avira Managed Security (AMES) User Guide

ECE Mail System Overview. Pablo J. Rebollo ECE Network Operations Center

Exim4U. Server Solution For Unix And Linux Systems

The Network Box Anti-Spam Solution

Table of Contents. Electronic mail. History of (2) History of (1) history. Basic concepts. Aka (or according to Knuth)

Panda Cloud Protection

Do you need to... Do you need to...

Security. Help Documentation

English Translation of SecurityGateway for Exchange/SMTP Servers

DST . Product FAQs. Thank you for using our products. DST UK

Libra Esva. Whitepaper. Glossary. How Really Works. Security Virtual Appliance. May, It's So Simple...or Is It?

Why Content Filters Can t Eradicate spam

Analysis of Spam Filter Methods on SMTP Servers Category: Trends in Anti-Spam Development

Technical Note. FORTIMAIL Configuration For Enterprise Deployment. Rev 2.1

Introduction Configuration & Spam Detection WinWare Webmail Accounts Account Notes Definitions...

PROOFPOINT - SPAM FILTER

How To Block Ndr Spam

How To Write An On A Linux Computer (No Mail) (No ) (For Ahem) (Or Ahem, For Ahem). (For An ) Or Ahem.Org) (Ahem) Or An

Domains Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc.

Fighting Spam in an ISP Environment:

Fighting Spam: Tools, Tips, and Techniques

Advanced Settings. Help Documentation

Introduction of the S25R anti-spam system

Hosted CanIt. Roaring Penguin Software Inc. 26 April 2011

Release Notes. for Kerio Connect 8.0.0

FortiMail Filtering Course 221-v2.0. Course Overview. Course Objectives

Spam, Spam and More Spam. Spammers: Cost to send

GRAYWALL. Introduction. Installing Graywall. Graylist Mercury/32 daemon Version 1.0.0

GFI Product Manual. Administration and Configuration Manual

AntiSpam. Administrator Guide and Spam Manager Deployment Guide

Mail system components. Electronic Mail MRA MUA MSA MAA. David Byers

Visendo Suite a reliable solution for SMBs

Cryptographic Protocols to Prevent Spam

XGENPLUS SECURITY FEATURES...

Savita Teli 1, Santoshkumar Biradar 2

MDaemon Vs. Microsoft Exchange Server 2013 Standard

Implementing MDaemon as an Security Gateway to Exchange Server

DKIM last chance for mail service? TFMC2 01/2006

CSE/ISE 311: Systems Administra5on Administra5on

FortiMail Filtering Course 221-v2.2 Course Overview

SCORECARD MARKETING. Find Out How Much You Are Really Getting Out of Your Marketing

Groundbreaking Technology Redefines Spam Prevention. Analysis of a New High-Accuracy Method for Catching Spam

An Overview of Spam Blocking Techniques

ORF ENTERPRISE EDITION 1. Getting the Most Out of ORF

BARRACUDA. N e t w o r k s SPAM FIREWALL 600

Fighting Spam with open source software

Blackbaud Communication Services Overview of Delivery and FAQs

If your response to any of the questions above was Yes, then SmarterMail Enterprise Edition may be right for you.

MDaemon configuration recommendations for dealing with spam related issues

Quick Start Policy Patrol Spam Filter 9

Management CSCU9B2 CSCU9B2 1

Avira Managed Security (AMES) User Guide

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

Security Management Mail abuse prevented by Origin-based Anti Spam measures Getting started

The Open Source Stack: One approach to spam filtering

How to make the s you Send from Outlook 2010 appear to Originate from different Addresses

DNS Record Information for the Pushex Exchange server

EnterGroup offers multiple spam fighting technologies so that you can pick and choose one or more that are right for you.

Quick Start Policy Patrol Mail Security 10

services. Anders Wiehe IT department Gjøvik University College

The What, Why, and How of Authentication

Greylisting has been around since 2003 when Evan Harris wrote the original whitepaper on it as a spam filtering mechanism.

. Service Option Description. Deltacom Product Management - updated 9/17/2007 1

Spam Filtering Methods for Filtering

Security. Raj Jain. Washington University in St. Louis

Transcription:

Anti-spam filtering techniques Stéphane Bortzmeyer AFNIC (.fr registry) bortzmeyer@nic.fr ITU, 19 january 2006 1 Anti-spam filtering techniques

Background on this work This work started in the french Working Group on spam fighting, created by the government. The group includes actors from many sides. I manage the technical subgroup. 2 Anti-spam filtering techniques

Background on this work This work started in the french Working Group on spam fighting, created by the government. The group includes actors from many sides. I manage the technical subgroup. This work was then sent to the OECD Task Force on spam (www.oecd-antispam.org) and later refined. It will be part of the OECD Anti-Spam Toolkit. The OECD Anti-Spam Tookit is a first step in a broader initiative to help policy makers, regulators and industry players orient their policies relating to spam solutions and restore trust in the Internet and e-mail. 2 Anti-spam filtering techniques

Background on this work This work started in the french Working Group on spam fighting, created by the government. The group includes actors from many sides. I manage the technical subgroup. This work was then sent to the OECD Task Force on spam (www.oecd-antispam.org) and later refined. It will be part of the OECD Anti-Spam Toolkit. The final french report should be out this month. This talk is mostly a summary of the technical part of the report. 2 Anti-spam filtering techniques

The work and its results We focused on incoming spam. Outgoing spam is a different problem (to be addressed later). 3 Anti-spam filtering techniques

The work and its results We focused on incoming spam. Outgoing spam is a different problem (to be addressed later). The emphasis is on practical advices. We care for the poor system administrator, overwhelmed by work and who is asked to fight spam too. 3 Anti-spam filtering techniques

The work and its results We focused on incoming spam. Outgoing spam is a different problem (to be addressed later). The emphasis is on practical advices. We care for the poor system administrator, overwhelmed by work and who is asked to fight spam too. There are many anti-spam solutions. We keep only the good ones. 3 Anti-spam filtering techniques

The work and its results We focused on incoming spam. Outgoing spam is a different problem (to be addressed later). The emphasis is on practical advices. We care for the poor system administrator, overwhelmed by work and who is asked to fight spam too. There are many anti-spam solutions. We keep only the good ones. We fully recognize that spam requires a multi-thing approach: technical, legal and social solutions are necessary and discussed in the full report. We just focus in this talk on the technical part. 3 Anti-spam filtering techniques

Background on security Spam is just a branch of the vast domain of network security. It raises exactly the same issues as other security problems: tradeoffs between efficiency and cost, collateral damages, mix of technical and social issues, etc. 4 Anti-spam filtering techniques

Background on security Spam is just a branch of the vast domain of network security. It raises exactly the same issues as other security problems: tradeoffs between efficiency and cost, collateral damages, mix of technical and social issues, etc. Security is a process, not a product Do not think you will be safe because you bought Anti-Spam Platinum Gold 3.0 4 Anti-spam filtering techniques

Background on security Spam is just a branch of the vast domain of network security. It raises exactly the same issues as other security problems: tradeoffs between efficiency and cost, collateral damages, mix of technical and social issues, etc. Security is a process, not a product Do not think you will be safe because you bought Anti-Spam Platinum Gold 3.0 Security is a tradeoff Yes, we could suppress all the spam. Just shut off the computers. 4 Anti-spam filtering techniques

Background on security Spam is just a branch of the vast domain of network security. It raises exactly the same issues as other security problems: tradeoffs between efficiency and cost, collateral damages, mix of technical and social issues, etc. Security is a process, not a product Do not think you will be safe because you bought Anti-Spam Platinum Gold 3.0 Security is a tradeoff Yes, we could suppress all the spam. Just shut off the computers. In the real world, the question is not How to suppress spam? but How to limit spam without killing email? 4 Anti-spam filtering techniques

The perfect solution 5 Anti-spam filtering techniques

The perfect solution 1. No false negative: catches all the spam 5 Anti-spam filtering techniques

The perfect solution 1. No false negative 2. No false positive: catches only the spam 5 Anti-spam filtering techniques

The perfect solution 1. No false negative 2. No false positive 3. Low cost: small price, runs on small computers, blocks the spam before transmission, saving bandwidth 5 Anti-spam filtering techniques

The perfect solution 1. No false negative 2. No false positive 3. Low cost 4. No change: installs on the current systems, require no change in habits 5 Anti-spam filtering techniques

The perfect solution 1. No false negative 2. No false positive 3. Low cost 4. No change 5. Based on open standards: no vendor lock-in, ability to understand what it does, preferably free (as in free speech) software 5 Anti-spam filtering techniques

The perfect solution 1. No false negative 2. No false positive 3. Low cost 4. No change 5. Based on open standards This solution does not exist But this checklist is a good method to evaluate imperfect solutions. 5 Anti-spam filtering techniques

State of the art Today, almost no spam gets in the default mailbox, if everything is configured with state-of-the-art tools. 6 Anti-spam filtering techniques

State of the art Today, almost no spam gets in the default mailbox, if everything is configured with state-of-the-art tools. Yes, today, the spam never reaches users But it has a cost: computers, bandwidth, engineers. And it requires to use tools choosen by the experts, not snake-oil sold by salesmen. 6 Anti-spam filtering techniques

State of the art Today, almost no spam gets in the default mailbox, if everything is configured with state-of-the-art tools. Yes, today, the spam never reaches users But it has a cost: computers, bandwidth, engineers. And it requires to use tools choosen by the experts, not snake-oil sold by salesmen. Also, we cannot be sure it will stay that way in the future: the research must go on. 6 Anti-spam filtering techniques

Reminder: email architecture Submission SMTP MSA (sendmail, postfix) MUA (mutt, Eudora, Thunderbird) Misc. protocols MDA (procmail) SMTP MTA (sendmail, postfix, courier) POP, IMAP Use DNS MX records to find the next MTA 7 Anti-spam filtering techniques

Good practices 8 Anti-spam filtering techniques

Good practices 1. Greylisting http://www.greylisting.org/ 8 Anti-spam filtering techniques

Good practices 1. Greylisting 2. Heuristic filters, with scores computed against real spam and ham SpamAssassin http://www.spamassassin.org/ 8 Anti-spam filtering techniques

Good practices 1. Greylisting 2. Heuristic filters, with scores computed against real spam and ham SpamAssassin 3. Bayesian filters on the user s desktop like bogofilter http://www.bogofilter.org/ 8 Anti-spam filtering techniques

Good practices 1. Greylisting 2. Heuristic filters, with scores computed against real spam and ham SpamAssassin 3. Bayesian filters on the user s desktop This group of three kills almost all the spam with very little false positives. It just requires big machines (spam is a big plague in the countries of the South). 8 Anti-spam filtering techniques

Greylisting Deliberately returns a temporary error when receiving email from a new machine. The typical spammer software does not retry. A legitimate MTA does. Surprisingly effective and very simple to deploy. 9 Anti-spam filtering techniques

Heuristic filters Starts from spamicity tests: Attempts to disguise the word viagra HTML has very strong shouting markup Claims you can opt-out... A score is then computed automatically (humans can be wrong on the spamicity of something) for each test. Tests are applied to the message and a total spam score is produced. The better known one is SpamAssassin, from the Apache Foundation. Many anti-spam appliances use it. 10 Anti-spam filtering techniques

Bayesian filters Starts from nothing: they have no prejudice. Human users trains the filter by giving it spam and ham. The filter learns the vocabulary of each. Then, it can calculate a spam score for the message, using Bayes statistics. Proper training is important So there is a user interface and user training issue. They are the most efficient filters today. But no solution is perfect alone: you need to combine several techniques. 11 Anti-spam filtering techniques

bogofilter in practice Analysis of one message with bogofilter -v : n pgood pbad fw "$99" 8 0.000275 0.002554 0.901823 pbad = spamicity. fw = probability of being a spam. The string 99$ is a good spam mark. You can also display the whole database with bogoutil : Viagra 88 0 20041116 Viagra was in 88 spams and no ham (a doctor would have different results: this is my personal database). 13 Anti-spam filtering techniques

Less good practices There are other methods but either unrealistic, harmful or questionable. Since we emphasize practical advices, we mention shortly these techniques in the report. Not specific technique mentioned here, to be reserved for discussion. 14 Anti-spam filtering techniques

The issue of authentication Authentication is not an anti-spam technique by itself (spammer can have a passport, too). But it may help: 1. Better accountability may deter spammers, 2. Whitelisting cannot work without authentication. 15 Anti-spam filtering techniques

Authentication techniques A lot of unsolved questions: what to authenticate? (Which identity?) Also, there is no common identity service (the Internet has no government). 16 Anti-spam filtering techniques

Authentication techniques A lot of unsolved questions: what to authenticate? (Which identity?) Also, there is no common identity service (the Internet has no government). 1. SPF, Sender Policy Framework: the sender indicates in the DNS which machines can send mail on its behalf. Since it is the DNS, it authenticates a domain, not an user. 16 Anti-spam filtering techniques

Authentication techniques A lot of unsolved questions: what to authenticate? (Which identity?) Also, there is no common identity service (the Internet has no government). 1. SPF, Sender Policy Framework 2. DKIM, Domain Keys Identified Mail, IETF Working Group security/dkim: the sender cryptographically signs the headers. The key is typically a domain key, not an user key. The key can be retrieved by various means, including the DNS. 16 Anti-spam filtering techniques

Authentication techniques A lot of unsolved questions: what to authenticate? (Which identity?) Also, there is no common identity service (the Internet has no government). 1. SPF, Sender Policy Framework 2. DKIM, Domain Keys Identified Mail, IETF Working Group security/dkim 3. PGP, Pretty Good Privacy: very good system for user authentication, only deployed in limited communities. 16 Anti-spam filtering techniques

What to do with spam? Once it is detected by the heuristic filter or the bayesian filter, what do we do with spam? Technical hint: rejection during the SMTP session is an interesting solution because you never took responsability for the mail. Not always easy to do and has its own problems. 17 Anti-spam filtering techniques

What to do with spam? Once it is detected by the heuristic filter or the bayesian filter, what do we do with spam? 1. Tell the sender? No, most spams are joe jobs (the address is forged). Technical hint: rejection during the SMTP session is an interesting solution because you never took responsability for the mail. Not always easy to do and has its own problems. 17 Anti-spam filtering techniques

What to do with spam? Once it is detected by the heuristic filter or the bayesian filter, what do we do with spam? 1. Tell the sender? No, most spams are joe jobs (the address is forged). 2. Drop silently? Harsh but probably necessary, if the end user accepted it. Technical hint: rejection during the SMTP session is an interesting solution because you never took responsability for the mail. Not always easy to do and has its own problems. 17 Anti-spam filtering techniques

What to do with spam? Once it is detected by the heuristic filter or the bayesian filter, what do we do with spam? 1. Tell the sender? No, most spams are joe jobs (the address is forged). 2. Drop silently? Harsh but probably necessary, if the end user accepted it. 3. File in a spam mailbox: probably the best default solution. Copies are a good idea, specially at the beginning, because they allow later screening. Technical hint: rejection during the SMTP session is an interesting solution because you never took responsability for the mail. Not always easy to do and has its own problems. 17 Anti-spam filtering techniques

A few hints about outgoing spam (Not part of the report) To fight spam as its source: 18 Anti-spam filtering techniques

A few hints about outgoing spam (Not part of the report) To fight spam as its source: 1. Try to stop MS-Windows machines to be recruited as zombies. A botnet is comparable to compulsory military service for Windows boxes. (Stromberg) 18 Anti-spam filtering techniques

A few hints about outgoing spam (Not part of the report) To fight spam as its source: 1. Try to stop MS-Windows machines to be recruited as zombies. A botnet is comparable to compulsory military service for Windows boxes. (Stromberg) 2. Rate-limit outgoing mail (but you need exemptions because some users host mailing lists) and/or block outgoing SMTP (you also need exemptions or you are no longer an Internet access provider). 18 Anti-spam filtering techniques

The problem of collateral damages Like medical drugs......anti-spam solutions have secondary effects. You can limit them, you cannot suppress them (do not believe the ads). 19 Anti-spam filtering techniques

The problem of collateral damages Like medical drugs......anti-spam solutions have secondary effects. You can limit them, you cannot suppress them (do not believe the ads). 1. False positives: legitimate messages are refused 19 Anti-spam filtering techniques

The problem of collateral damages Like medical drugs......anti-spam solutions have secondary effects. You can limit them, you cannot suppress them (do not believe the ads). 1. False positives: legitimate messages are refused 2. High human and machine costs (fighting the spam is a full-time job for some) 19 Anti-spam filtering techniques

The problem of collateral damages Like medical drugs......anti-spam solutions have secondary effects. You can limit them, you cannot suppress them (do not believe the ads). 1. False positives: legitimate messages are refused 2. High human and machine costs (fighting the spam is a full-time job for some) 3. Loss of trust: some people switch away from email 19 Anti-spam filtering techniques

The problem of collateral damages Like medical drugs......anti-spam solutions have secondary effects. You can limit them, you cannot suppress them (do not believe the ads). 1. False positives: legitimate messages are refused 2. High human and machine costs (fighting the spam is a full-time job for some) 3. Loss of trust: some people switch away from email 4. Loss of freedom: more filters, more rules, less authorized things 19 Anti-spam filtering techniques

Deeper changes ahead 20 Anti-spam filtering techniques

Deeper changes ahead The anti-spam struggle sometimes change the architecture of the Internet in a bad way. 20 Anti-spam filtering techniques

Deeper changes ahead The anti-spam struggle sometimes change the architecture of the Internet in a bad way. The Internet is a continuum between the operators and the end-users, with all sort of people in-between. There is room for the ordinary user, the savvy user, the university, the bank, the big operator in a northern country, the small operator in Africa... 20 Anti-spam filtering techniques

Deeper changes ahead The anti-spam struggle sometimes change the architecture of the Internet in a bad way. The Internet is a continuum between the operators and the end-users, with all sort of people in-between. There is room for the ordinary user, the savvy user, the university, the bank, the big operator in a northern country, the small operator in Africa... Some anti-spam proposals try to make it a binary network: only operators (all from the North) and end-users, pure consumers. 20 Anti-spam filtering techniques

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information