
Handling Spam in Postfix

Computer Center, CS, NCTU 2 Nature of Spam
- Spam
  - UBE: Unsolicited Bulk Email
  - UCE: Unsolicited Commercial Email
- Spam characteristics
  - There is no relationship between receiver and sender
  - Message content: opt-out instruction
  - Conceals its trail: false return address, forged header information
  - Uses a misconfigured mail system as an accomplice
  - Circumvents spam filters by either encoding the message or inserting random letters

Computer Center, CS, NCTU 3 Problems of Spam
- Cost
  - Wastes bandwidth and disk space
  - DoS-like side effect
  - Wastes time and causes false deletions
  - Bounce messages to nonexistent users
    - Nonexistent return address
    - Forged victim return address
- Detection
  - An aggressive spam policy may cause a high false-positive rate

Computer Center, CS, NCTU 4 Anti-Spam – Client-Based Detection (1)
- Client blocking
  - Use the IP address, hostname or email address supplied by clients when they connect to send a message
  - Compare them with a spammer list
  - Problems
    - IP address, hostname and email address can be forged
    - Innocent victim: an open relay host
- DNSBL (DNS-based Blacklist)
  - Maintains a large database of systems that are known to be open relays or that have been used for spam

Computer Center, CS, NCTU 5 Anti-Spam – Client-Based Detection (2)
- What DNSBL maintainers do
  - Suppose cs has a blacklist DNS database
    - Suppose the DNSBL domain is "dnsbl.cs.nctu.edu.tw"
  - If a host is detected as an open relay
    - There will be a new entry for it in cs's blacklist DB under dnsbl.cs.nctu.edu.tw
  - When we receive a connection from that host
    - Compose the lookup name under dnsbl.cs.nctu.edu.tw
    - DNS query for this hostname
      - Success means this IP address is suspicious
      - Failure means OK
- Using DNSBL
  - Review their service options and policies carefully
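The lookup the slide describes, as an added example that is not part of the original slides: a DNSBL query name is the client's reversed IPv4 octets under the zone, and the verdict is read from whether that name resolves. The resolver is injected so the constructed fake zone below can stand in for dnsbl.cs.nctu.edu.tw.

```python
import ipaddress
import socket
from typing import Callable, Optional

# A resolver maps a hostname to its A record, or None on NXDOMAIN.  It is
# injected so the lookup logic can be exercised offline with a fake zone.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Lookup name for a DNSBL: the client's IPv4 octets reversed, under the zone.
    192.0.2.25 under dnsbl.cs.nctu.edu.tw -> 25.2.0.192.dnsbl.cs.nctu.edu.tw"""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(client_ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the listing code (an A record) when the query succeeds, else None.
    A successful answer means 'suspicious'; NXDOMAIN means the IP is not listed."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return None
    # Live DNSBLs answer from 127.0.0.0/8.  Any other address usually means the
    # zone is dead or wildcarded, so treat it as 'not listed' instead of
    # rejecting every client.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def system_resolver(name: str) -> Optional[str]:
    """Resolver backed by the OS stub resolver (performs real network lookups)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed fake zone: only 192.0.2.25 has an entry, listed with code 127.0.0.2.
FAKE_ZONE = {"25.2.0.192.dnsbl.cs.nctu.edu.tw": "127.0.0.2"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26"):
        code = dnsbl_listed(ip, "dnsbl.cs.nctu.edu.tw", fake_resolver)
        print(ip, "listed, code %s" % code if code else "not listed")
```

The 127.0.0.0/8 check matters in practice: the zones named on slide 15 (relays.ordb.org, dns.rfc-ignorant.org) were retired years ago, and a retired zone can start answering for every name.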

Computer Center, CS, NCTU 6 Anti-Spam – Content-Based Detection
- Spam patterns in the message body
- Detection difficulties
  - Spammers embed HTML code within the words of their message to break up phrases
  - Randomly inserted words
  - Content-based detection is slower

Computer Center, CS, NCTU 7 Anti-Spam – Action
- When you detect spam, you can:
  - Reject it immediately during the SMTP conversation
  - Save the spam into a suspected-spam repository
  - Label the spam and deliver it with some kind of spam tag, e.g.:
      X-Spam-Status: Yes, hits= tagged_above=3 required=6.3
      X-Spam-Level: ******************
      X-Spam-Flag: YES

Computer Center, CS, NCTU 8 Postfix Anti-Spam configuration
[Figure: The SMTP Conversation, with smtp.example.com; diagram not reproduced in the transcript]

Computer Center, CS, NCTU 9 Postfix Anti-Spam configuration – Client Detection Rules (1)
- Four restriction lists, each applied at the corresponding stage of the SMTP conversation; the lists and their default values:
    smtpd_client_restrictions =
    smtpd_helo_restrictions =
    smtpd_sender_restrictions =
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
- Each restriction check result can be:
  - OK (accept in this restriction)
  - REJECT (reject immediately without further checks)
  - DUNNO (do the next check)
- There are 5 types of restrictions

Computer Center, CS, NCTU 10 Postfix Anti-Spam configuration – Client Detection Rules (2)
1. Access maps
   - Lists of IP addresses, hostnames or email addresses
   - Can be used in:
       smtpd_client_restrictions = check_client_access hash:/etc/access
       smtpd_helo_restrictions = check_helo_access hash:/usr/local/etc/postfix/helohost
       smtpd_sender_restrictions = check_sender_access hash:/usr/local/etc/postfix/sender_access
       smtpd_recipient_restrictions = check_recipient_access hash:/usr/local/etc/postfix/recipient_access
   - Actions
     - OK, REJECT, DUNNO
     - FILTER (redirect to a content filter)
     - HOLD (put in the hold queue)
     - DISCARD (report success to the client but drop the message)
     - 4xx message or 5xx message

Computer Center, CS, NCTU 11 Postfix Anti-Spam configuration – Client Detection Rules (3)
Example of access maps
- check_client_access hash:/etc/access
    nctu.edu.tw               OK
                              OK
                              REJECT
- check_helo_access hash:/postfix/helohost
    greatdeals.example.com    REJECT
    oreillynet.com            OK
- check_sender_access hash:/usr/local/etc/postfix/sender_access
    viagra.com                553 Please contact  Invalid MAIL FROM
                              Invalid MAIL FROM
                              Invalid MAIL FROM
- check_recipient_access hash:/usr/local/etc/postfix/recipient_access
                              Invalid RCPT TO command
                              Invalid RCPT TO command
                              Invalid RCPT TO command

Computer Center, CS, NCTU 12 Postfix Anti-Spam configuration – Client Detection Rules (4)
2. Special client-checking restrictions
   - permit_auth_destination
     - Mostly used in "smtpd_recipient_restrictions"
     - Permits the request if the destination address matches:
       - The Postfix system's final-destination settings: mydestination, inet_interfaces, virtual_alias_maps, virtual_mailbox_maps
       - The Postfix system's relay domains: relay_domains
     - Found -> OK, not found -> DUNNO
   - reject_unauth_destination
     - Opposite of permit_auth_destination
     - Found -> REJECT, not found -> DUNNO
   - permit_mynetworks
     - Allows a request if the client IP matches any address in "mynetworks"
       - Used in smtpd_recipient_restrictions
       - Used in smtpd_client_restrictions

Computer Center, CS, NCTU 13 Postfix Anti-Spam configuration – Client Detection Rules (5)
3. Strict syntax restrictions
   - Reject requests that do not conform to the RFCs
   - reject_invalid_hostname: reject a hostname with bad syntax
   - reject_non_fqdn_hostname: reject a hostname that is not in FQDN form
   - reject_non_fqdn_sender, reject_non_fqdn_recipient: the same for the "MAIL FROM" and "RCPT TO" commands respectively

Computer Center, CS, NCTU 14 Postfix Anti-Spam configuration – Client Detection Rules (6)
4. DNS restrictions
   - Make sure that clients and envelope addresses have valid DNS information
   - reject_unknown_client: reject if the client IP has no DNS PTR record
       Example PTR record:  IN PTR nabsd.cs.nctu.edu.tw.
   - reject_unknown_hostname: reject if the EHLO hostname has no DNS MX or A record
   - reject_unknown_sender_domain: reject if the MAIL FROM domain name has no DNS MX or A record
   - reject_unknown_recipient_domain: reject if the RCPT TO domain name has no DNS MX or A record

Computer Center, CS, NCTU 15 Postfix Anti-Spam configuration – Client Detection Rules (7)
5. Real-time blacklists
   - Check with DNSBL services
   - reject_rbl_client domain.tld: reject if the client IP is listed in the DNSBL
   - reject_rhsbl_client domain.tld: reject if the client hostname has an A record under the specified domain
   - reject_rhsbl_sender domain.tld: reject if the domain of the sender address has an A record under the specified domain
   - Example:
       smtpd_client_restrictions = hash:/etc/access, reject_rbl_client relays.ordb.org
       smtpd_sender_restrictions = hash:/usr/local/etc/postfix/sender_access, reject_rhsbl_sender dns.rfc-ignorant.org

Computer Center, CS, NCTU 16 Postfix Anti-Spam configuration – Client Detection Rules (8)
6. Policy service
   - The Postfix SMTP server sends a delegated SMTPD access policy request to a special service (the policy service)
   - The policy service replies with an action allowed in the Postfix SMTPD access table
   - Usage: check_policy_service servicename
   - Example: greylisting (using Postgrey)
     - The Postgrey daemon runs on port 10023
     - In main.cf:
         smtpd_recipient_restrictions = check_policy_service inet: :10023
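A minimal greylisting policy service of the kind the slide delegates to with check_policy_service, as an added example (not Postgrey's code): it parses Postfix's name=value request, keys on the client/sender/recipient triplet and answers DEFER_IF_PERMIT until the delay has passed. The delay, the TTL and the sample request are constructed values.

```python
import socketserver
import time
from typing import Dict, Optional

GREYLIST_DELAY = 300        # seconds an unknown triplet must wait before acceptance
GREYLIST_TTL = 35 * 86400   # forget triplets not seen for this long
STATE: Dict[tuple, float] = {}   # (client IP, sender, recipient) -> time first seen

SAMPLE_REQUEST = (   # constructed RCPT-stage request: name=value lines, then an empty line
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.25\nsender=alice@example.org\n"
    "recipient=bob@cs.nctu.edu.tw\n\n")


def parse_policy_request(raw: str) -> Dict[str, str]:
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:                       # empty line ends the request
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def greylist_action(attrs: Dict[str, str], state: Dict[tuple, float], now: float) -> str:
    """Postgrey-style decision on the (client IP, sender, recipient) triplet."""
    triplet = (attrs.get("client_address", ""),
               attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())
    first_seen = state.get(triplet)
    if first_seen is None or now - first_seen > GREYLIST_TTL:
        state[triplet] = now               # unknown triplet: start the clock
        return "DEFER_IF_PERMIT Greylisted, try again later"
    if now - first_seen < GREYLIST_DELAY:
        return "DEFER_IF_PERMIT Greylisted, try again later"
    return "DUNNO"                         # retried after the delay: fall through


def handle_policy_request(raw: str, state=STATE, now: Optional[float] = None) -> str:
    """Build the reply Postfix expects: 'action=...' plus an empty line.  Only the
    RCPT stage carries both envelope addresses, so other stages get DUNNO."""
    attrs = parse_policy_request(raw)
    if attrs.get("request") != "smtpd_access_policy" or attrs.get("protocol_state") != "RCPT":
        return "action=DUNNO\n\n"
    return "action=%s\n\n" % greylist_action(attrs, state, time.time() if now is None else now)


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):                      # answer requests until Postfix closes the connection
        while True:
            raw, line = "", self.rfile.readline().decode("utf-8", "replace")
            while line not in ("", "\n"):
                raw += line
                line = self.rfile.readline().decode("utf-8", "replace")
            if line == "":
                return                     # peer closed the connection
            self.wfile.write(handle_policy_request(raw).encode())


if __name__ == "__main__":   # listen where check_policy_service inet:...:10023 points
    socketserver.TCPServer(("127.0.0.1", 10023), PolicyHandler).serve_forever()
```

Because the slide's list starts with permit_mynetworks, local clients never reach this service; everything else is deferred on first contact and accepted on a retry after the delay.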

Computer Center, CS, NCTU 17 Postfix Anti-Spam configuration – Client Detection Rules (8)
- smtpd_client_restrictions
  - check_client_access
  - reject_unknown_client
  - permit_mynetworks
  - reject_rbl_client
  - reject_rhsbl_client
- smtpd_helo_restrictions
  - check_helo_access
  - reject_invalid_hostname
  - reject_unknown_hostname
  - reject_non_fqdn_hostname
- smtpd_sender_restrictions
  - check_sender_access
  - reject_unknown_sender_domain
  - reject_rhsbl_sender
- smtpd_recipient_restrictions
  - check_recipient_access
  - permit_auth_destination
  - reject_unauth_destination
  - reject_unknown_recipient_domain
  - reject_non_fqdn_recipient
  - check_policy_service
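Added example (not from the slides) of how the restriction lists on slides 9 to 12 and 17 are evaluated: access(5)-style map lookups with parent-domain and IP-prefix matching, permit_mynetworks, reject_unauth_destination, and the OK/REJECT/DUNNO walk over a list. The settings and access-map contents are constructed stand-ins, not the course's files.

```python
import ipaddress
from typing import Dict, Optional, Tuple

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"       # results of one restriction
Session = Dict[str, str]          # client_ip, client_name, sender, recipient
Verdict = Tuple[str, str]         # (result, SMTP reply text for a rejection)

# Constructed stand-ins for the main.cf settings and access maps on the slides.
MYNETWORKS = [ipaddress.IPv4Network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
MYDESTINATION = {"cs.nctu.edu.tw", "localhost"}
RELAY_DOMAINS = {"partner.example.org"}
CLIENT_ACCESS = {"nctu.edu.tw": "OK", "192.0.2": "REJECT",        # hash:/etc/access
                 "203.0.113": "550 Client blocked by policy"}

def access_lookup(table: Dict[str, str], key: str) -> Optional[str]:
    """access(5) matching: the key itself, then each parent domain, or for an
    IPv4 address each shorter dotted prefix (192.0.2.25, 192.0.2, 192.0, 192)."""
    parts = key.split(".")
    if all(p.isdigit() for p in parts):
        candidates = [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    else:
        candidates = [".".join(parts[i:]) for i in range(len(parts))]
    return next((table[c] for c in candidates if c in table), None)

def to_verdict(action: Optional[str]) -> Verdict:
    """Map an access-map action to a verdict; a 4xx/5xx text rejects with that reply."""
    if action is None or action == DUNNO:
        return DUNNO, ""
    return (OK, "") if action == OK else (REJECT, action)

def check_client_access(s: Session) -> Verdict:
    v = to_verdict(access_lookup(CLIENT_ACCESS, s["client_name"]))      # hostname first
    return v if v[0] != DUNNO else to_verdict(access_lookup(CLIENT_ACCESS, s["client_ip"]))

def permit_mynetworks(s: Session) -> Verdict:
    ip = ipaddress.IPv4Address(s["client_ip"])
    return (OK, "") if any(ip in net for net in MYNETWORKS) else (DUNNO, "")

def reject_unauth_destination(s: Session) -> Verdict:
    # An authorised destination falls through (DUNNO); anything else is a relay attempt.
    domain = s["recipient"].rpartition("@")[2]
    if domain in MYDESTINATION or domain in RELAY_DOMAINS:
        return DUNNO, ""
    return REJECT, "554 Relay access denied"

def evaluate(restrictions, s: Session) -> Verdict:
    """Walk a restriction list in order: the first OK or REJECT decides, DUNNO
    moves on, and reaching the end of the list permits (Postfix's implicit permit)."""
    for restriction in restrictions:
        verdict = restriction(s)
        if verdict[0] != DUNNO:
            return verdict
    return OK, ""
```

Note the order matters: with the default list, permit_mynetworks comes first, so a client inside mynetworks is allowed to relay anywhere before reject_unauth_destination is ever consulted.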

Computer Center, CS, NCTU 18 Postfix Anti-Spam configuration
[Figure: The SMTP Conversation, with smtp.example.com; diagram not reproduced in the transcript]

Computer Center, CS, NCTU 19 Postfix Anti-Spam configuration – Content-Checking rules (1)
- 4 rules
  - header_checks: check the message headers
  - mime_header_checks: check the MIME headers
  - nested_header_checks: check the headers of attached messages
  - body_checks: check the message body
- All rules use lookup tables, e.g.:
    header_checks = regexp:/usr/local/etc/postfix/header_checks
    body_checks = pcre:/usr/local/etc/postfix/body_checks

Computer Center, CS, NCTU 20 Postfix Anti-Spam configuration – Content-Checking rules (2)
- Content-checking lookup table format:
    Regular_Expression    Action
- Actions
  - REJECT message
  - WARN message: logs a rejection without actually rejecting
  - IGNORE: delete the matched line of the headers or body
  - HOLD message
  - DISCARD message: claim successful delivery but silently discard
  - FILTER message: send the message through a separate content filter

Computer Center, CS, NCTU 21 Postfix Anti-Spam configuration – Content-Checking rules (3)
- Example of a header check
    header_checks = regexp:/usr/local/etc/postfix/header_checks
  In /usr/local/etc/postfix/header_checks:
    /take advantage now/    REJECT
    /repair your credit/    REJECT
- Example of a body check
    body_checks = regexp:/usr/local/etc/postfix/body_checks
  In /usr/local/etc/postfix/body_checks:
    /lowest rates.*\!/         REJECT
    /[:alpha:] [:alpha:]/      REJECT
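Added example, not from the slides or from Postfix itself, of how a header_checks table like the one above is applied: rows are parsed in regexp_table(5) form, each header is matched against them in order, and the REJECT, WARN and IGNORE actions from slide 20 take effect. The table and headers are constructed, reusing the slide's two REJECT patterns plus a WARN and an IGNORE row.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[bool, "re.Pattern[str]", str, str]   # (negated, pattern, ACTION, reply text)

def parse_regexp_table(text: str) -> List[Rule]:
    """Parse regexp_table(5) rows of the form  [!]/pattern/[flags]  ACTION [text].
    Matching is case-insensitive unless an 'i' flag toggles it; '#' starts a comment.
    Only '/' delimiters are handled here."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(!?)/((?:[^/\\]|\\.)*)/(\w*)\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("malformed rule: " + line)
        negated, pattern, flags, action, text = m.groups()
        re_flags = 0 if flags.count("i") % 2 else re.IGNORECASE
        rules.append((bool(negated), re.compile(pattern, re_flags), action.upper(), text or ""))
    return rules

def apply_header_checks(headers: List[str], rules: List[Rule]) -> Tuple[Optional[str], List[str], List[str]]:
    """Each header is tested against the rules in order; the first match decides for
    that header.  REJECT/HOLD/DISCARD/FILTER set the message verdict (first one wins
    in this model), WARN only logs, IGNORE drops the header.  Returns
    (verdict, surviving headers, log lines)."""
    verdict, kept, log = None, [], []
    for header in headers:
        keep = True
        for negated, pattern, action, text in rules:
            if bool(pattern.search(header)) == negated:
                continue                                   # no match (or negated match)
            if action == "WARN":
                log.append("warning: header %s: %s" % (header, text))
            elif action == "IGNORE":
                keep = False
            elif action in ("REJECT", "HOLD", "DISCARD", "FILTER"):
                log.append("%s: header %s: %s" % (action.lower(), header, text))
                verdict = verdict or (action + " " + text).strip()
            break
        if keep:
            kept.append(header)
    return verdict, kept, log

# Constructed table in the style of the slide's header_checks, plus WARN and IGNORE rows.
SAMPLE_TABLE = """
/take advantage now/       REJECT Spam subject
/repair your credit/       REJECT Spam subject
/^X-Mailer: .*bulkmailer/  WARN Suspicious mailer
/^X-Internal-Score: /      IGNORE
"""
SAMPLE_HEADERS = ["From: promo@example.net", "Subject: Take ADVANTAGE NOW of our offer",
                  "X-Mailer: BulkMailer 2.1", "X-Internal-Score: 0.1", "To: bob@cs.nctu.edu.tw"]
```

Running the sample through the table rejects the message on its Subject line, logs the X-Mailer warning and strips the internal score header; the WARN row is the safe way to trial a new pattern before promoting it to REJECT.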

Computer Center, CS, NCTU 22 External Filters
- Filtering can be done in the MTA, the MDA or the MUA
  - Combination of MTA and MUA: add some extra headers or modify the subject in the MTA, and filter in the MUA
- External filters for Postfix
  - Command-based filtering
    - A new process is started for every message
    - Accepts the message on STDIN
  - Daemon-based filtering
    - Stays resident
    - Accepts the message via SMTP or LMTP

Computer Center, CS, NCTU 23 Command-Based Filtering (1)
- Usage
  - Postfix delivers the message to the filter via the "pipe" mailer
  - The filter is a program that accepts the content on its STDIN
  - The program gives the filtered message back to Postfix using the "sendmail" command

Computer Center, CS, NCTU 24 Command-Based Filtering (2)
- Configuration
  - Prepare your filter program (/usr/local/bin/simple_filt)
  - Modify master.cf:
    #==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #==========================================================================
    filter    unix  -       n       n       -       -       pipe
      flags=Rq user=filter argv=/usr/local/bin/simple_filt -f ${sender} -- ${recipient}
    smtpd     inet  n       -       n       -       -       smtpd
      -o content_filter=filter:

Computer Center, CS, NCTU 25 Daemon-Based Filtering (1)
- Usage
  - The message is passed back and forth between Postfix and the filtering daemon via SMTP or LMTP

Computer Center, CS, NCTU 26 Daemon-Based Filtering (2)
- Configuration
  - Install and configure your content filter
    - /usr/ports/security/amavisd-new
    - Modify amavisd.conf to send the message back:
        $forward_method = 'smtp: :10025';
  - Edit main.cf to let Postfix use the filtering daemon:
      content_filter = smtp-amavis:[ ]:10024
  - Edit master.cf to add two additional services:
      smtp-amavis unix -       -       n       -       10      smtp
        -o smtp_data_done_timeout=1200s
        -o smtp_never_send_ehlo=yes
        -o notify_classes=protocol,resource,software
       :10025     inet n       -       n       -       -       smtpd
        -o content_filter=
        -o mynetworks= /8
        -o local_recipient_maps=
        -o notify_classes=protocol,resource,software
        -o myhostname=localhost
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject

Computer Center, CS, NCTU 27 Daemon-Based Filtering (3)
- Anti-virus filtering
  - amavisd-new supports lots of anti-virus scanners
  - Scanner list in amavisd.conf:
      = (
        # ['Sophie',
        #   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
        #   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
        #   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
        ['ClamAV-clamd',
          \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
          qr/\bOK$/, qr/\bFOUND$/,
          qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
      );