GATEWAY WITH PER-USER SPAM BLOCKING AND VIRUS SCANNING Greg Woods National Center for Atmospheric Research Scientific Computing Division Boulder, CO Postfix Guru: Rich Johnson

OVERVIEW ● Goals ● Choice of hardware and software ● Cluster design ● Mail system design ● User interface ● Effectiveness ● Technical details

GOALS ● Low cost ● Scalability ● Reliability ● Flexibility – Virus Scanning – Centralized Alias Database – PER-USER spam blocking

SYSTEM CHOICE ● PC cluster ● Linux Virtual Server (LVS) ● Heartbeat ● Postfix ● DNS-based blocklists ● SpamAssassin ● F-PROT ● LDAP

Director LINUX VIRTUAL SERVER Heartbeat Backup Director Node1Node2Node3Node4

MAIL PATH Postfix Recipient/ Blocklist check Port 25 Receiver (smtpd) Localhost Receiver Alias Expansion Scanner Input Queue Attscand Cluster Node Scanner Output Queue Quarantine Reinjectd LDAP Server In Out smapq

DNS BLOCKLISTS ● Occurs while SMTP connection still open, after RCPT is given ● User spam block class looked up in LDAP ● Determines which DNS blocklists to use ● Originating IP address checked against blocklists ● Match results in a 550 refused message error ● If message refused, never receive message content! ● Passed messages placed in scanner input queue

BLOCKLISTS (2) ● Level 0: no blocking, all IP's OK ● Level 1: Block only misconfigured hosts (open relays and proxies) ● Default: Almost level 2, applied to any address not specifically listed in LDAP database ● Level 2: Block misconfigured hosts plus known spam sources ● Level 3, or “internal only”: block entire Internet outside of our IP space

SMAPQ ● Called by Postfix smptd once message passes blocklist check ● Writes queue file which contains original message plus SMTP envelope information ● Uses “x” bit lock protocol

QUEUE FILE LOCKING ● Uses “x” permission bit ● Explicitly set when done writing queue file ● Daemons ignore files in queue without “x” set ● Daemons remove “x” bit first thing, before processing file ● Used by smapq, attscand, and reinjectd

ATTACHMENT SCANNER ● Use F-PROT to scan for known viruses/worms – Can even examine files within ZIP archive ● Use grep to scan for executable MIME attachment types – This addition kept out Sobig.F ● Add SpamAssassin headers – No quarantining based on SpamAssassin; headers are there if end user wants to use them; again avoid content filtering

REINJECT DAEMON ● Takes messages from scanner output queue ● Send back to localhost listener, which is programmed for normal delivery ● Localhost listener does alias expansion via LDAP, then sends message on to next hop

USER INTERFACE ● 15-year-old ASCII screen-based interface ● Sends to database maintainers ● Flat files sent out twice daily; scripts update LDAP database from these ● Forwarding address updated immediately, anything else takes ½ a working day ● Development of direct web-to-LDAP interface in progress

EFFECTIVENESS ● Very few false positives – One major incident: Osirusoft DoS ● Filter effectiveness generally good, but varied – Some users report little reduction in spam – Others report total or near elimination of spam – Personal godsend: from hundreds of spams daily down to less than half a dozen

TECHNICAL DETAILS ● How LVS director works ● Heartbeat ● Postfix main receiver and localhost receiver ● Postfix blocklists ● Postfix LDAP lookups ● Virus scanning script ● Reinjector daemon ● System monitoring

LINUX VIRTUAL SERVER Tricks with ARP DirectorNode1Node2 RS1 RS2 VS Router VS = Virtual Server RS = Real Server

HEARTBEAT ● Uses dedicated ethernet crossover AND serial links ● If primary server stops responding to heartbeat, secondary takes over ● Config files tell which IP addresses and which services to take over ● For LVS director, secondary takes over VS and the director function

POSTFIX BLOCKLISTS ● smtpd_restriction_classes = class_prospam_blocks, class_easynet,.... (declare classes) ● class_prospam_blocks = class_easynet,... ● lookup_easynet = blackholes.easynet.nl 554 \$client_address dnsbl listed by easynet Blackholes. See. See

POSTFIX RECEIVERS ● SMTP Port 25 – smtp inet n - n - - smtpd -o content_filter=smapq – smapq unix - n n - 5 pipe flags=q user=smap argv=/local/sbin/smapq ${sender} ${recipient} ● Localhost only, port 1075 – localhost:1075 inet n - n - - smtpd -o content_filter= – smtp inet n - n - - smtpd -o content_filter=smapq – smapq unix - n n - 5 pipe flags=q user=smap argv=/local/sbin/smapq ${sender} ${recipient} ● Localhost only, port 1075

POSTFIX LDAP SEARCHES smtpd_client_restrictions = permit_mynetworks,...., check_recipient_access ldap:spam spam_search_base = ou=spamblock,dc=ucar,dc=edu spam_server_host = spam_server_port = 389 spam_query_filter = (sn=%s) spam_result_attribute = spam alias_maps = ldap:alias alias_search_base = ou=aliases,dc=ucar,dc=edu alias_server_host = alias_server_port = 389 alias_query_filter = (sn=%s) alias_result_attribute = fwd

VIRUS SCANNER ● F-PROT run, exit status checked ● grep -f pattern-file message-file ● If virus or executable attachment found, write to quarantine directory and exit – No longer send warnings, sender is always forged ● Add SpamAssassin headers ● Write to output queue (using “x” bit locking) filename[ ]*=.*\.exe"*$ ^[ ]*name[ ]*=.*\.exe[ "]*$

REINJECTD ● Reads from virus scanner output queue (using “x” bit locking) ● Preserves original envelope FROM/RCPT ● Connects to localhost:1075 and initiates SMTP transaction ● Always passes permit_mynetworks ● Normal delivery now occurs

SYSTEM MONITORING ● Qmond script monitors queue directories ● Work in progress ● Reports when message has been in queue too long ● Needs to have a “memory” implemented of what has already been reported, to avoid an overwhelming number of reports when system is slow – Large numbers of reports add to problem