Fighting spam by finding and listing Exploitable Servers.
- What's all the fuss about?
- Further problems and liabilities
- Common mail configurations
- Backscatter and mailbombs
- SORBS mail configuration
- Stopping spam by RBL
- Stopping spam by filtering
- Virus handling and blocking

What's all the fuss about?
- Security, what is it?
- Security, why bother?
- Viruses and Trojans, why stop them?
- Spam, why not just press delete?
Security, what is it?
- Security is about stopping spam and viruses.
- Security is about protecting the end user (the company as well as the individual) from the Internet.
- Security is about protecting the Internet from the end user!
- Security is about stopping unauthorised distribution of internal documents and user access details.

Security, why bother?
- Have you considered what would happen if the staff payroll got accidentally e-mailed to a competitor?
- Have you considered what happens when a very religious person (e.g. a devout Muslim) receives X-rated porn?
- Have you considered what happens to your trade secrets when a disgruntled employee decides to leave?

Viruses and Trojans, why stop them?
- The obvious answer is to protect your users. However, why not just educate them?
- The 'I Love You' experience: the IT manager of a large corporate in the UK opened the "I Love You" Trojan as Administrator on the corporate Exchange server!
- Outlook/Outlook Express: why do we call it LookOut, or OutBreak?
- Mozilla and its derivatives: what makes them different?
Outlook/Outlook Express, why do we call it LookOut, or OutBreak?

The Mozilla way...

Time to be fair to Microsoft Outlook
Spam, why not just press delete?
Spammers are telling us we should "just press delete". So the question to ask is "why not?"
- Resources are already consumed: the message has been received, stored and backed up before anyone can press delete.
- Tracking information (web bugs and tracking links) confirms a live address, which will mean more spam.
- Just opening the message will pay the spammer.
- How much is your time worth?
An approximation for The University of Queensland if we weren't using filtering:
- 8000 staff
- $20/hour average wage
- 200 spams per day per staff member (average)
- 10 seconds to "just press delete"
Simple calculation: 8000 x 10 x 200 = 16m seconds lost to spam per day.
Cost: (16,000,000 / 3600) * 20 = $88,888 per day in lost time.
Further problems and liabilities
- Backups (storage and time)
- Sexual harassment and protection of minors
- Key logging: the obvious
- Key logging: the risks
- Hacking of other machines
- Denial of service attacks

Backups (storage and time)
- Cost of media (online storage).
- Cost of media, initial and incremental backups.
- Cost of hardware (drives do wear out).
- 16 hours to back up data at UQ.
- 2 days to restore the same data.

Sexual harassment and protection of minors
Porn spam to women has been recognised as a possible harassment suit waiting to happen, but it is not limited to women: men have the right to sue too, though currently they are less likely to get visibility. In the educational environment minors are not uncommon, and by law they have to be protected from R-rated material. The good news is that the institution only has to be seen to be taking reasonable steps to prevent minors receiving inappropriate material. Similar reasonable steps can avoid judgements against the institution in sexual harassment cases.
Key logging: the obvious
The risks:
- User/password interception
- Personal or corporate banking information
- Credit card details
- Unauthorised use of resources
- Onward attacks (local and remote)
- Services down (local and remote)
- Privacy issues

Key logging: the risks
- Identity theft/fraud
- Pre-patent information
- E-mail addresses of all staff
- E-mail addresses of all customers
- Customer account details
- Customer banking information
- Corporate accounting information

Hacking of other machines
Getting infected with a Trojan or virus can have knock-on consequences:
- Hackers can hide themselves in your network.
- Hackers can sniff passwords and protocols of more secure machines.
- Hackers can install 'bouncers' (proxies).
- Not all break-ins are hackers at work.
- "Script kiddies" are a lot more dangerous.

Denial of service attacks
- "Script kiddies", how do they get in?
- "Script kiddies", what do they want?
The effects of DDoS attacks can be widespread:
- Attacks on SORBS caused core routers in AAPT Connect to reboot, disconnecting all of Queensland.
- Outgoing traffic when hosting a DoS client can be significant.
- Legal liability when destroying servers.
Backscatter and mailbombs
What is backscatter?
- Virus bounces a problem?
- Spam bounces a problem?
What is a mailbomb?
- Computer-destroying explosion?
- Archive bomb?
- Something else?
What is the difference? Why should we do something about it? What can we do about it?
Six copies of one mass-mailed message, as received at different sites. Every copy carries the same MIME boundary, the same "From: Gea" and the same MimeOLE version string; three of the six come from the same Interbusiness dial-up host and two more from a host with no reverse DNS, each time with a HELO name forged to look like a real mail server (often one in the receiving domain, or a near-miss of it: mail.superava.it talking to mail.supereva.it). Only the subject varies (Fw:, Re:, and Buon Natale!, Italian for Merry Christmas!). Bouncing copies like these sends the bounce to whoever the forged sender happens to be.

Copy 1 (received at sub.gulli.com):
  Return-Path:
  Received: (qmail invoked from network); 5 Jan :05:
  Received: from host pool8021.interbusiness.it (HELO mail-kr3.gulli.com) ( ) by sub.gulli.com with SMTP; 5 Jan :05:
  Message-ID:
  From: Gea
  To:
  Subject: Fw: Merry Christmas!
  Date: mer, 05 gen 2005
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_ "
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-MimeOLE: Produced By Microsoft MimeOLE V

Copy 2 (received at taxis.dwdata.com):
  Return-Path:
  Received: (qmail invoked from network); 5 Jan :06:
  Received: from unknown (HELO mail.zoomshare.com) ( ) by taxis.dwdata.com with SMTP; 5 Jan :06:
  Message-ID:
  From: Gea
  To:
  Subject: Merry Christmas!
  Date: mer, 05 gen 2005
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_ "
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-MimeOLE: Produced By Microsoft MimeOLE V

Copy 3 (received at sub.gulli.com again, under a different subject):
  Return-Path:
  Received: (qmail invoked from network); 5 Jan :56:
  Received: from host pool8021.interbusiness.it (HELO mail-kr3.gulli.com) ( ) by sub.gulli.com with SMTP; 5 Jan :56:
  Message-ID:
  From: Gea
  To:
  Subject: Merry Christmas!
  Date: mer, 05 gen 2005
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_ "
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-MimeOLE: Produced By Microsoft MimeOLE V

Copy 4 (received at mail.supereva.it, HELO is a look-alike of the receiving host):
  Return-Path:
  Received: (qmail invoked from network); 5 Jan :59:
  Received: from unknown (HELO mail.superava.it) ( ) by mail.supereva.it with SMTP; 5 Jan :59:
  Message-ID:
  From: Gea
  To:
  Subject: Buon Natale!
  Date: mer, 05 gen 2005
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_ "
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-MimeOLE: Produced By Microsoft MimeOLE V

Copy 5 (received at mail.od2.co.uk via an internal Exchange relay, so the originating hop is not visible):
  Received: from mail.od2.com ([ ]) by mail.od2.co.uk with Microsoft SMTPSVC( ); Wed, 5 Jan :49:
  Message-ID:
  From: "Gea"
  To:
  Subject: Merry Christmas!
  Date: mer, 05 gen 2005
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_ "
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-MimeOLE: Produced By Microsoft Exchange V
  Return-Path:
  X-OriginalArrivalTime: 05 Jan :49: (UTC) FILETIME=[BC755980:01C4F335]

Copy 6 (received at server11.ehostsource.com):
  Return-Path:
  Received: (qmail invoked from network); 5 Jan :14:
  Received: from host pool8021.interbusiness.it (HELO mail.malaguti.org) ( ) by server11.ehostsource.com with SMTP; 5 Jan :14:
  Message-ID:
  From: Gea
  To:
  Subject: Re: Merry Christmas!
  Date: mer, 05 gen 2005
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_ "
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-MimeOLE: Produced By Microsoft MimeOLE V
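The three tells visible in the headers above (a HELO that does not match the connecting host's reverse DNS, or that claims to be one of the receiving site's own servers; a connecting host whose reverse DNS looks like an access pool; a MIME boundary reused verbatim across unrelated copies) can be checked mechanically. The following is an added example written for this page, not code from the talk or from SORBS. The sample header block is constructed from copy 1 above (the IP address, timestamps and addresses were not on the slide and are documentation values), and the access-pool name fragments and the boundary blacklist are assumptions for the demo.

```python
"""Flag mass-mailer copies from their Received: and Content-Type: headers."""
import re
from typing import Dict, List, Optional

# "from <rDNS> (HELO <claimed name>) (<ip>) by <our host>", the qmail-smtpd
# layout used on the slides. rDNS is taken non-greedily so the slide's
# "host pool8021.interbusiness.it" form is captured whole.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>.+?)\s+\(HELO\s+(?P<helo>[^)\s]+)\).*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)

# Reverse-DNS fragments typical of consumer access pools (assumption).
POOL_PATTERNS = ("pool", "dial", "dsl", "ppp", "dyn", "cable")

# Boundaries already seen on mass-mailer copies; this one is from the slides.
KNOWN_WORM_BOUNDARIES = {"----=_NextPart_884_3821_"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw header block into name -> [values], unfolding continuations."""
    headers: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current:   # folded continuation line
            headers[current][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return headers


def domain_of(host: str) -> str:
    """Last two labels of a host name (sufficient for this demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyse(raw: str) -> List[str]:
    """Return the reasons a message looks like a forged mass-mailer copy."""
    headers = parse_headers(raw)
    reasons: List[str] = []
    for value in headers.get("received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        rdns, helo, by = m.group("rdns"), m.group("helo"), m.group("by")
        if rdns.lower() not in (helo.lower(), "unknown"):
            reasons.append(f"HELO {helo} does not match reverse DNS {rdns}")
        if domain_of(helo) == domain_of(by) and rdns.lower() != helo.lower():
            reasons.append(f"HELO {helo} claims to be one of our own hosts ({by})")
        if any(p in rdns.lower() for p in POOL_PATTERNS):
            reasons.append(f"connecting host {rdns} looks like an access pool")
    for ct in headers.get("content-type", []):
        bm = re.search(r'boundary="?([^";]+)"?', ct)
        if bm and bm.group(1).strip() in KNOWN_WORM_BOUNDARIES:
            reasons.append("MIME boundary matches a known worm copy")
    return reasons


# Constructed sample modelled on copy 1 of the slides (IP, times and
# addresses are documentation values, not from the slide).
SAMPLE = """\
Received: (qmail invoked from network); 5 Jan 2005 10:05:31 -0000
Received: from host pool8021.interbusiness.it (HELO mail-kr3.gulli.com) (192.0.2.1)
  by sub.gulli.com with SMTP; 5 Jan 2005 10:05:31 -0000
From: Gea <gea@example.invalid>
To: <user@gulli.com>
Subject: Fw: Merry Christmas!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_884_3821_"
"""

# Constructed control: a legitimate server whose HELO matches its rDNS.
CLEAN = """\
Received: from mail.example.org (HELO mail.example.org) (192.0.2.2)
  by mx.gulli.com with SMTP; 5 Jan 2005 11:00:00 -0000
From: Someone <someone@example.org>
To: <user@gulli.com>
Subject: lunch?
Content-Type: text/plain; charset=us-ascii
"""

if __name__ == "__main__":
    for reason in analyse(SAMPLE):
        print("suspect:", reason)
    print("clean:", analyse(CLEAN))
```

None of these checks is proof on its own (a legitimate secondary MX in your own domain will also fail the "one of our own hosts" test unless it is whitelisted), which is why such signals are better used as weights than as hard blocks, and why, as the RBL slides below argue, the decision should be made while the SMTP session is still open rather than after the message has been accepted.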
Stopping spam by RBL
How effective are they? Which ones to use?
- Spamhaus
- MAPS
- SORBS
- DSBL
- NJABL
How do you want to use them? Block or weight?
List      Name                                  Hits
AHBL      The Abusive Hosts Blocking List       %
BOGONS    completewhois.com: Bogon IPs          1441%
BOPM      Blitzed Open Proxy Monitor            5106%
CBL       Composite Blocking List               %
DRBL      Distributed Realtime Blocking List    %
DSBL      Distributed Server Boycott List       %
FIVETEN   Local Blackholes at Five-Ten          %
JIPPGMA   JIPPG's Relay Blackhole List          1421%
NJABL     Not Just Another Bogus List           %
NOMORE    dr. Jørgen Mash's DNSbl               3383%
ORDB      Open Relay DataBase                   1670%
PSBL      Passive Spam Block List               11619%
SBL       Spamhaus Block List                   6986%
SORBS     Spam and Open Relay Blocking System   %
SPAMBAG   Spambags                              %
SPAMCOP   SpamCop                               %
SPAMRBL                                         90%
SPAMSITE  Spamware Peddler and Spamservices     50%
SPEWS     Spam Prevention Early Warning System  %
UCEPROT                                         8808%
WPBL      Weighted Private Block List           7787%
Which shows statistics mean nothing!
How not to use RBLs
RFC 821 and RFC 2821 should be considered. RFC 2821, section 6.1, Reliable Delivery and Replies by Email:
  When the receiver-SMTP accepts a piece of mail (by sending a "250 OK" message in response to DATA), it is accepting responsibility for delivering or relaying the message. It must take this responsibility seriously. It MUST NOT lose the message for frivolous reasons, such as because the host later crashes or because of a predictable resource shortage.
  If there is a delivery failure after acceptance of a message, the receiver-SMTP MUST formulate and mail a notification message. This notification MUST be sent using a null ("<>") reverse path in the envelope. The recipient of this notification MUST be the address from the envelope return path (or the Return-Path: line). However, if this address is null ("<>"), the receiver-SMTP MUST NOT send a notification.
Remember the backscatter issue? An RBL consulted only after the 250 OK (for example from a content filter that then generates a bounce) turns the blocklist into a backscatter source, because the notification goes to a return path the spammer chose. The lookup belongs in the SMTP session, answered with a 5xx reply before the message is accepted, so the sending MTA, which still holds the message, is the one that tells its own user.
Stopping spam by filtering
- SpamAssassin for filtering?
- Greylisting?
- SORBS spam filter?
- Bayesian filters?
- RegExes? Sieve?
How not to filter messages! Remember RFC ? Remember the backscatter issue? The same rule applies: a filter that accepts the message and then bounces it to the (usually forged) sender is manufacturing backscatter. Reject while the session is open, or deliver it somewhere the recipient can look at it, but do not accept and then bounce.
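Greylisting is the filter on this slide that is cheapest to get right: it never accepts the message, so it can never generate a bounce. The first time a (client network, envelope sender, recipient) triplet is seen the server answers 450 (temporary failure); a real MTA queues the message and retries after a delay, and is then let through, while most spamware and virus mailers fire once and never return. The following is an added example written for this page, not SORBS's or any MTA's greylisting code; the delay, the retry window, the auto-whitelist lifetime and the use of a /24 rather than the full IPv4 address to key the triplet are assumptions.

```python
"""Greylisting decision for RCPT TO, with an injectable clock for testing."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Triplet = Tuple[str, str, str]  # (client /24, envelope sender, recipient)


@dataclass
class Greylist:
    min_delay: int = 300                         # seconds before a retry is accepted (assumption)
    retry_window: int = 4 * 3600                 # forget a pending triplet after this long (assumption)
    auto_whitelist_after: int = 36 * 24 * 3600   # a passed triplet stays whitelisted this long (assumption)
    seen: Dict[Triplet, int] = field(default_factory=dict)    # triplet -> first-seen time
    passed: Dict[Triplet, int] = field(default_factory=dict)  # triplet -> last-passed time

    def key(self, ip: str, sender: str, rcpt: str) -> Triplet:
        # Large senders retry from another host in the same subnet, so the
        # triplet is keyed on the /24 (IPv4 only in this demo).
        net = ".".join(ip.split(".")[:3])
        return (net, sender.lower(), rcpt.lower())

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        """Return the SMTP reply to give at RCPT TO.

        450 keeps the message on the sender's side: nothing has been
        accepted, so there is nothing for us to bounce later.
        """
        k = self.key(ip, sender, rcpt)
        if k in self.passed and now - self.passed[k] < self.auto_whitelist_after:
            self.passed[k] = now          # refresh the whitelist entry
            return "250 2.1.5 Ok"
        first = self.seen.get(k)
        if first is None or now - first > self.retry_window:
            self.seen[k] = now            # new, or an old attempt that never retried
            return "450 4.7.1 Greylisted, please try again later"
        if now - first < self.min_delay:
            return "450 4.7.1 Greylisted, please try again later"
        del self.seen[k]                  # retried after the delay: a real MTA
        self.passed[k] = now
        return "250 2.1.5 Ok"


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000
    for offset in (0, 60, 400, 401):
        print(offset, g.check("203.0.113.10", "a@example.com", "user@uq.edu.au", t0 + offset))
```

Null-sender bounces (MAIL FROM:<>) are greylisted like everything else; a legitimate bounce comes from a real MTA and retries, a mailbomb of forged bounces mostly does not.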
Virus handling and blocking
- Open source, or not?
- Reject, delete, or disinfect messages?
- Do you notify the sender?
- Do you notify the receiver?
Remember the RFCs? Remember the backscatter issue? Notifying the sender of a virus is the classic backscatter source: mass mailers forge the envelope sender, so the "you sent us a virus" notification lands on an innocent third party. Reject while the session is open, or discard, and notify the receiver if anyone.
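The RBL slides and this virus-handling slide make the same point: the accept-or-reject decision has to be taken before the 250 OK, whether its input is a DNSBL answer at RCPT TO or a scanner verdict at the end of DATA. The following is an added example written for this page (not SORBS's or any MTA's code) that does both, with block-or-weight handling of several lists. The resolver is injected so it runs offline on constructed answers; the zone names are the real query zones of SORBS, Spamhaus SBL and SpamCop, but the weights, the threshold and the demo listings are assumptions.

```python
"""SMTP-time policy: weighted DNSBL lookups at RCPT, scanner verdict at DATA."""
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a query name to its A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]

# Zone -> weight. None means "block outright on any listing"; a number is
# added to a score compared against REJECT_THRESHOLD. Weights are assumptions.
ZONES: Dict[str, Optional[float]] = {
    "sbl.spamhaus.org": None,   # hand-verified spam sources: block
    "dnsbl.sorbs.net": 2.0,     # aggregate zone: weight
    "bl.spamcop.net": 1.5,      # automated reports: weight
}
REJECT_THRESHOLD = 3.0


def dnsbl_name(ip: str, zone: str) -> str:
    """An IPv4 address a.b.c.d is looked up in zone Z as d.c.b.a.Z."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 dotted quad: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def score_client(ip: str, resolve: Resolver) -> Tuple[float, List[str]]:
    """Query every zone; return (score, ['zone=answers', ...])."""
    score = 0.0
    hits: List[str] = []
    for zone, weight in ZONES.items():
        answers = resolve(dnsbl_name(ip, zone))
        if not answers:
            continue
        # Listings are answered inside 127.0.0.0/8. Anything else is a
        # wildcard, a dead zone or a hijacked domain: ignore it rather than
        # let it block the world.
        if not all(a.startswith("127.") for a in answers):
            continue
        hits.append(f"{zone}={','.join(answers)}")
        if weight is None:
            return float("inf"), hits
        score += weight
    return score, hits


def rcpt_reply(ip: str, resolve: Resolver) -> str:
    """Reply to RCPT TO. A 550 here means the message is never accepted, so
    there is nothing for us to bounce: the sending MTA still has it."""
    score, hits = score_client(ip, resolve)
    if score >= REJECT_THRESHOLD:
        return "550 5.7.1 Service unavailable; client host blocked using " + " ".join(hits)
    return "250 2.1.5 Ok"


def data_reply(infected: bool) -> str:
    """Reply at the end of DATA once the scanner has run. Still inside the
    session, so still no bounce from us. Had 250 already been sent, RFC 2821
    section 6.1 would oblige a notification to the (forged) Return-Path."""
    if infected:
        return "550 5.7.1 Message rejected: virus detected"
    return "250 2.0.0 Ok: queued"


# Constructed answers standing in for DNS; these are not real listings.
DEMO_ZONE_DATA: Dict[str, List[str]] = {
    "4.113.0.203.dnsbl.sorbs.net": ["127.0.0.6"],      # 2.0
    "4.113.0.203.bl.spamcop.net": ["127.0.0.2"],       # +1.5 = 3.5: reject
    "9.113.0.203.sbl.spamhaus.org": ["127.0.0.2"],     # SBL: reject outright
    "5.113.0.203.dnsbl.sorbs.net": ["203.0.113.250"],  # bogus answer: ignored
}


def demo_resolve(name: str) -> Optional[List[str]]:
    return DEMO_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.4", "203.0.113.9", "203.0.113.5", "192.0.2.1"):
        print(ip, rcpt_reply(ip, demo_resolve))
    print(data_reply(True))
```

The 127.0.0.x check matters in practice: several of the lists in the statistics table above have since shut down, and a retired zone that starts answering every query (or whose domain is re-registered) would otherwise reject all of your mail.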