Anti-SPAM experience at LAL
Michel Jouvin, LAL / IN2P3


26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004

LAL Context
Message Router : Sendmail
 – Milter API to call an external program for filtering before delivery
Message Store : Execmail IMAP
 – Derived from Cyrus v1
Mail clients capable of message filtering
 – Mulberry, Pine, Outlook, Netscape/Mozilla, Entourage…

Policy Decisions…
Do virus and SPAM detection at server level
Let the user choose final processing if not a security problem
 – Only for SPAM, not for virus
Virus : forbidden extensions rather than antivirus
 – Virus main threat during first hours/days : antivirus not up to date
 – + : Proactive, low resource consumption
 – - : some useful extensions (ex : .zip)
 – Anti-virus run on desktop
SPAM : tagged at server level with a SPAM probability (score)
 – Some predefined filters proposed for supported clients

… Policy Decisions
Avoid black / grey list
 – Effective no more than a few months (work around by spammers)
 – Negative side effects on users (black listed ISPs)
 – Relying on an uncontrolled critical service (black list maintainer)

Virus Protection : MIMEDefang
Configured to remove suspect parts based on their extensions
 – Recipient still receives a message with a text replacing the attachment
 – One header (X-MIMEdefang-action) added to help filtering
2 classes of suspect extensions
 – Always junk mails (.scr, .pif…) : just thrown away…
 – Sometimes useful (.exe, .zip) : quarantined, retrieval possible
MIMEDefang can call other modules
 – Embedded Perl interpreter to ease call of external modules
 – Can be used to call Amavis (Antivirus), SpamAssassin…
 – Can restrict call of external modules to certain messages
     Don't call SpamAssassin for large messages (> 100K) : never a SPAM
     Provides significant performance enhancement
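The extension policy above, modelled in Python as an added example; it is not LAL's MIMEDefang filter, which is written in Perl. The names classify, filter_message and sample_message and the value written into the X-MIMEdefang-action header are assumptions made for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Only the extensions the slide names; its lists are abbreviated with "…".
ALWAYS_JUNK = {".scr", ".pif"}        # thrown away
SOMETIMES_USEFUL = {".exe", ".zip"}   # quarantined, retrieval possible
SPAM_SCAN_LIMIT = 100 * 1024          # larger messages skip the spam scan

def classify(filename):
    """Return 'drop', 'quarantine' or 'pass'; the last extension decides."""
    name = (filename or "").strip().rstrip(". ").lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext in ALWAYS_JUNK:
        return "drop"
    return "quarantine" if ext in SOMETIMES_USEFUL else "pass"

def filter_message(raw):
    """Return (filtered message, quarantined parts, run_spam_scan)."""
    msg = message_from_bytes(raw, policy=policy.default)
    quarantined, actions = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Name from Content-Disposition or Content-Type; control chars masked
        fname = "".join(c if c.isprintable() else "?" for c in part.get_filename() or "")
        verdict = classify(fname)
        if verdict == "pass":
            continue
        if verdict == "quarantine":
            quarantined.append((fname, part.get_payload(decode=True)))
        actions.append(f"{verdict}:{fname}")
        # The recipient still gets the message, with a text in place of the part
        part.set_content(f"Attachment {fname} removed by the mail filter ({verdict}).")
    if actions:
        # Header name from the slide; this value format is made up for the example
        msg["X-MIMEdefang-action"] = ", ".join(actions)
    return msg, quarantined, len(raw) <= SPAM_SCAN_LIMIT

def sample_message():
    """Constructed message with one harmless and two suspect attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "files"
    m.set_content("see attached")
    for name in ("photo.jpg", "Report.PDF.SCR", "tools.zip"):
        m.add_attachment(b"\x00constructed", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()
```

Matching on the last extension, case-insensitively and after trimming trailing dots and spaces, is what keeps names such as Report.PDF.SCR or "invoice.exe." from slipping through.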

SPAM Detection : SpamAssassin...
At LAL : Perl module called by MIMEDefang
 – No extra process, no starting cost for every message
 – Dependent on other Perl modules
     Experienced a bad problem with HTML because of an old HTML::Parse
Several types of filtering
 – Rules based
 – Bayesian analysis : based on message tokenization and statistics
 – Black / grey lists

… SPAM Detection : SpamAssassin
Compute a score (probability to be a SPAM)
 – Score >= 5 can be considered as SPAM
 – Very few false positive : always related to misconfigured clients
Add headers (X-Spam-Score/Status) and attachment (SpamAssasin.Report)
 – Header and attachment list the reasons behind the score
 – Possibility to modify the subject
     LAL : prefix the subject with (SPAM ****) : number of * = score / 5
 – Efficient filtering possible looking at the headers

Bayesian Analysis…
Rules based analysis less and less efficient
 – Spammers very responsive to rules improvements
 – LAL : 30% of undetected SPAM last winter
     Bayesian analysis inactive because of some misconfiguration
Bayesian analysis : based on an (old) text analysis method
 – Message is tokenized : tokens in one set of chars, token separator in another set
 – Learning phase : for each token, count every time it appears in a SPAM or HAM (non SPAM), compute a probability (stored in a DB)
 – Analysis : compute a probability for the message according to the probability of each token in the message

… Bayesian Analysis
Uses message headers and content
 – Important to teach the filter with original (not forwarded) message
Not language sensitive
Very difficult for spammers to work it around
 – Every token database is unique
Very few false positive
 – False positive : valid message with score >= 5
 – LAL : no false positive so far (a few weeks)
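The tokenize / learn / analyse steps of the two Bayesian slides, as an added example that is not SpamAssassin's code. The token character set, the smoothing towards 0.5, the plain naive-Bayes combination and the tiny training set are assumptions; the result is a probability between 0 and 1, not the SpamAssassin score with its threshold of 5.

```python
import math
import re
from collections import Counter

# Assumed token character set; everything else acts as a separator.
TOKEN = re.compile(r"[A-Za-z0-9$'-]{3,}")

class BayesFilter:
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()  # messages containing each token
        self.nspam = self.nham = 0

    @staticmethod
    def tokens(text):
        return {t.lower() for t in TOKEN.findall(text)}

    def learn(self, text, is_spam):
        """Learning phase: count the message once for each token it contains."""
        (self.spam if is_spam else self.ham).update(self.tokens(text))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, tok):
        """P(spam | token), pulled towards 0.5 when the token is rarely seen."""
        s = self.spam[tok] / max(self.nspam, 1)
        h = self.ham[tok] / max(self.nham, 1)
        n = self.spam[tok] + self.ham[tok]
        raw = s / (s + h) if n else 0.5
        return (0.5 + n * raw) / (1 + n)

    def score(self, text):
        """Analysis: combine token probabilities in log space, equal priors."""
        probs = [self.token_prob(t) for t in self.tokens(text)]
        diff = sum(math.log(1 - p) - math.log(p) for p in probs)
        return 1 / (1 + math.exp(min(diff, 700.0)))

# Constructed training set (a real one needs thousands of sorted messages).
SPAM = ["Cheap pills online, buy now!!! Limited offer",
        "You won a free prize, click now to claim your offer",
        "Buy cheap watches now, free shipping offer"]
HAM = ["Minutes of the HEPiX meeting are attached, see agenda",
       "Le compte rendu de la reunion est disponible, voir agenda",
       "Batch jobs on the cluster failed last night, check the agenda for the meeting"]

def trained_filter():
    f = BayesFilter()
    for m in SPAM:
        f.learn(m, True)
    for m in HAM:
        f.learn(m, False)
    return f
```

Because the token table is built only from the site's own mail, the French ham message shifts "voir", "compte" and "rendu" towards HAM without any language-specific rule.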

Bayesian Filter Administration
Learning phase is critical
 – Initial learning with 1000s of SPAM and HAM
     LAL initial set of messages : 5000 messages (2/3 HAM, 1/3 SPAM)
 – Must cover message diversity to avoid side effect (language, topic…)
 – Messages used for learning must be (manually) carefully sorted between SPAM and HAM
Learning must be renewed periodically
 – Token expiration protects against evolving patterns and limits DB size
 – Auto-learn feature helps keep the database accurate
 – Need to manually feed the filter with incorrectly detected SPAMs to refine the database (false positive or false negative)

Conclusions
Pattern matching not enough, Bayesian looks promising
 – Raised SPAM detection efficiency to > 90% with initial learning
 – Hope to reach at least 95% while refining learning
Take time to converge, don't make changes every day
 – SPAM profile / volume not the same every day
 – Need time to stabilize (auto-learning curve)
Validate changes
 – Keep a reference set of SPAM and HAM (need to be updated)
Administration load still a question
 – How to collect / process false positive / negative from users ?