May 23, 2003. Filtering Emails for Viruses and Spam at DESY. Wolfgang Friebel.

Presentation transcript:

Filtering Emails for Viruses and Spam at DESY
Wolfgang Friebel

Contents
● Background information: size of the problem
● Virus filtering
● Spam tagging
● Evaluation of different tools
● Present status of filtering at DESY

Spam mail statistics
● Mails received at Zeuthen in 2003

Spam mail statistics (2)
● Spam mails I received since Jan 2000
● 1 day/year lost assuming 50 spams/day at 3 s/spam

Virus mail statistics
● Number of quarantined mails at DESY in the last month (from approx. 20-30k mails/day)

Filtering mail for viruses
● Problems to be solved
– Keep virus signatures up to date
– Handle quarantined mail properly
– Find viruses even in nested archives
– Well-behaved servers under high load
– Opting out desirable (UNIX users)

Tools for finding viruses in email at DESY
● Two different approaches were tried
– Integrated commercial solution: Mimesweeper (Hamburg) using the F-Prot scanner
– Commercial scanner (McAfee) within the open source tool amavisd (Zeuthen)
● Mimesweeper in production (Hamburg)
– Very good at finding viruses within nested archives
– Users get notified of quarantined email, which will be deleted after notification (kept 30 days)
– Load distributed among 3 machines

Tools for finding viruses (2)
● amavisd/McAfee evaluated, currently not used (Zeuthen)
– Windows computers at Zeuthen are managed centrally and do have virus scanners running
– Filtering for viruses would generate additional load on the mail server, which is close to its limit
– Additional security comes at a high price
– Will definitely give it another try when users have migrated to the new mail server; opt in/opt out using amavisd is then envisaged

Identifying spam mails
● Mail tagging
– Mails from other sites get tagged (Zeuthen: all mails)
– Only for mails < 250 kbytes
– Product used: Spamassassin
– Additional mechanisms provided by Mimesweeper in HH
● No mail filtering
– No mails will be thrown away
– Decision to filter is left to the user
– Several mechanisms (see later)

Mail tagging
● Still trying to find the optimum solution:
[SPAM] in the Subject: line (Hamburg)
– Good visibility, easy filtering, problems when forwarding mail misclassified as spam
X-Spam-Level: extra header line (Zeuthen)
– Normally not visible (use e.g. roles in pine), more fine-grained control for filtering, forwarding is ok
Altering the mail body (Hamburg)
– Again good for visibility, but changes content (bad for filtering tools at other sites)

Interaction with the MTA
● Different solutions for different MTA's
– MTA usually cannot call spamassassin directly
– A call to spamassassin starts perl
● A multithreaded daemon avoids forking perl
● For sendmail the milter interface is used
– miltrassassin as glue between sendmail and spamd
– mime-defang is a milter and calls spamassassin directly, no need to use spamd, used for virus filtering as well

Interaction with the MTA (2)
● Postfix can use filters (modifying the email)
– amavisd is very powerful and flexible, also handles virus scanners, allows for opt in/out; when used with sendmail no mail tagging is possible
● Solutions for other MTA's exist (qmail, exim, Exchange) but were not looked at
● Zeuthen: sendmail+miltrassassin+spamd
● Hamburg: Mimesweeper (calls spamassassin)
● Both sites plan to use postfix+amavisd in the near future

Results of the spam tagging
● Concern: good mails tagged as spam (false positives)
● spamassassin improved a lot since Nov '02
● Rate of false positives decreased after tuning
– Enabling network tests within spamassassin
– Switching on bayes filters and autolearning
– Whitelisting in pathological cases
● Rate of false positives in Zeuthen << 1: (1 mail with score 5.0 reported during last two months)
● Rate of false positives in Hamburg higher (less tuning)

False positives
Did you receive good mails in the SPAM folder recently?
● I'm very happy with the SPAM filter, I haven't seen one false positive!
● That is not the case. 433 spam emails, none of them misinterpreted
● No. The spam filter works well.
● Since March, never a misdirected "good" mail
● So far I have not had a single 'good' mail in the SPAM folder.
● Approximately zero
● Not a single good mail!
● No trace of ham in my spambox.
● Since then I have had no good mail in the spam folder.
● In all this time not one good mail has landed in the SPAM folder
● For me, all the content was real spam without exception

Bayes filtering in spamassassin
● Spamassassin has a so-called bayes filter implemented
– Based on the frequency of words within good mails vs. the frequency of words within bad mails
– Calculates a probability for a mail being spam
● Autolearning assumes that all mails below/above a certain score are good/bad mails (we are using -5/+10)
– Already does a good job
– Help it by sending misclassified mails with all headers to special addresses (will be processed in a cron job)
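The word-frequency idea and the autolearn gate from this slide, as an added example that is not taken from the talk or from spamassassin: it uses plain naive Bayes with add-one smoothing and equal priors, which is a simplification and not spamassassin's own combining method. The class and function names and the training mails are constructed; only the -5/+10 thresholds come from the slide.

```python
import math
from collections import Counter

# Autolearn thresholds quoted on the slide (rule-based score, not a probability).
AUTOLEARN_HAM, AUTOLEARN_SPAM = -5.0, 10.0

def tokens(text):
    """Distinct lower-cased words of one mail (real filters also tokenise headers)."""
    return set(text.lower().split())

class BayesFilter:
    def __init__(self):
        self.word_mails = {"ham": Counter(), "spam": Counter()}
        self.mails = {"ham": 0, "spam": 0}

    def learn(self, text, label):
        """Count, per class, in how many mails each word occurred."""
        self.word_mails[label].update(tokens(text))
        self.mails[label] += 1

    def spam_probability(self, text):
        """Naive Bayes with add-one smoothing and equal priors (assumption)."""
        log_odds = 0.0
        for word in tokens(text):
            p_spam = (self.word_mails["spam"][word] + 1) / (self.mails["spam"] + 2)
            p_ham = (self.word_mails["ham"][word] + 1) / (self.mails["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(-700.0, min(700.0, log_odds))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))

    def autolearn(self, text, rule_score):
        """Train only on mails the other tests scored far from the tag level."""
        if rule_score < AUTOLEARN_HAM:
            label = "ham"
        elif rule_score > AUTOLEARN_SPAM:
            label = "spam"
        else:
            return None  # ambiguous score: do not learn from it
        self.learn(text, label)
        return label

def demo():
    """Autolearn from constructed (text, rule score) pairs; return the filter."""
    f = BayesFilter()
    for text, score in [("cheap pills buy now", 14.2),
                        ("cheap watches buy today", 11.0),
                        ("meeting agenda for the physics seminar", -6.1),
                        ("minutes of the seminar meeting", -5.5),
                        ("buy seminar tickets", 3.0)]:  # skipped: between thresholds
        f.autolearn(text, score)
    return f
```

A user-reported misclassification corresponds to calling `learn()` directly with the corrected label, bypassing the score gate.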

Tagging statistics
● At score=5 roughly 5 percent spam in good mails, no good mail with score > 5

Filtering spam mails
● Two choices:
– Let the mail server (calling procmail) do the work and have a spam folder besides the INBOX on the server
– Do the filtering in the mail reader, i.e. set up a filtering rule
The second option is preferred (less labour intensive for admins)
● Recipes on DESY web pages describe how to set up filters for pine, netscape and outlook
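A user-side filtering rule for the two tag styles compared under "Mail tagging", as an added example that is not one of the DESY recipes. It assumes the usual spamassassin convention of one `*` per score point in `X-Spam-Level`; the function names and the sample messages are constructed. It shows why the subject tag misfiles a forwarded, misclassified mail while the header rule does not.

```python
from email import message_from_string

THRESHOLD = 5  # score level the slides recommend for treating mail as spam

def spam_level(raw):
    """Score encoded as leading '*' in X-Spam-Level; 0 if the header is absent."""
    value = (message_from_string(raw).get("X-Spam-Level") or "").strip()
    return len(value) - len(value.lstrip("*"))

def folder_by_header(raw, threshold=THRESHOLD):
    """Header rule: each user can pick a stricter or looser threshold."""
    return "spam" if spam_level(raw) >= threshold else "INBOX"

def folder_by_subject(raw):
    """Subject rule: all-or-nothing, and the tag travels with a forwarded mail."""
    subject = message_from_string(raw).get("Subject") or ""
    return "spam" if "[SPAM]" in subject else "INBOX"

# Constructed sample messages (not real traffic).
TAGGED = """\
From: seller@example.invalid
Subject: [SPAM] Cheap offers
X-Spam-Level: *******

Buy now.
"""

# A colleague forwards a misclassified good mail: the subject tag comes along,
# while the receiving server is assumed to compute a fresh, low X-Spam-Level.
FORWARDED = """\
From: colleague@example.invalid
Subject: Fwd: [SPAM] Seminar minutes
X-Spam-Level: *

Please have a look at the minutes below.
"""

BORDERLINE = """\
From: list@example.invalid
Subject: Conference announcement
X-Spam-Level: ****

Call for papers.
"""

if __name__ == "__main__":
    for name, raw in [("tagged", TAGGED), ("forwarded", FORWARDED),
                      ("borderline", BORDERLINE)]:
        print(name, spam_level(raw), folder_by_subject(raw), folder_by_header(raw))
```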

Precautions against spammers
● Open the LDAP port to selected sites only
● The LDAP servers at HEP sites are being abused!
● No personal URL's on web sites
● But a picture showing it is safe
● Close security holes in web browsers
● Close protocols like identd to the outside
● Avoid “free” services where you have to register by email

Next steps
● Upgrade spamassassin to latest version
● Zeuthen is using 2.53, latest is 2.54
● Weighting of tests adapted to patterns of spammers
● Use more network tests
● Since Apr 26 many RBL's included
● Since May 15 razor2 included
● First numbers suggest 97.5 percent suppression at score level 5 (recommended by us)
● Reject incoming email with a higher score level (e.g. 8)
● Already at MTA level, similar to e.g. 'user unknown'

Conclusion
● Virus filtering well established (Hamburg only)
● Spam tagging still somewhat experimental
● Currently recognition of spam is at the 95 percent level with an extremely low error rate (false positives)
● Users are very positive about the implemented methods
● No central mail filtering is done (but under discussion)
– Users need to set up filters to let filtering take place
– Still too much responsibility left to users
– Need to respect the strict German laws