Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3

Published byFaith Andersen Modified over 10 years ago

Similar presentations

Presentation on theme: "Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3"— Presentation transcript:

1 Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3 jouvin@lal.in2p3.fr

2 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 LAL Context Message Router : Sendmail –Milter API to call an external program for filtering before delivery Message Store : Execmail IMAP –Derived from Cyrus v1 Mail clients capable of message filtering –Mulberry, Pine, Outlook, Netscape/Mozilla, Entourage…

3 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 Policy Decisions… Do virus and SPAM detection at server level Let the user choose final processing if not a security problem –Only for SPAM, not for virus Virus : forbidden extensions rather than antivirus –Virus main threat during first hours/days : antivirus not up to date –+ : Proactive, low resource consumption –- : some useful extensions (ex :.zip) –Anti-virus run on desktop SPAM : tagged at server level with a SPAM probability (score) –Some predefined filters proposed for supported clients

4 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 … Policy Decisions Avoid black / grey list –Effective no more than a few months (work around by spammers) –Negative side effects on users (black listed ISPs) –Relying on an uncontrolled critical service (black list maintainer)

5 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 Virus Protection : MIMEDefang Configured to remove suspect parts based on their extensions –Recipient still receive a message with a text replacing the attachment –One header (X-MIMEdefang-action) added to help filtering 2 classes of suspect extensions –Always junk mails (.scr,.pif…) : just thrown away… –Sometimes useful (.exe,.zip) : quarantined, retrieval possible MIMEDefang can call other modules –Embedded Perl interpreter to ease call of external modules –Can be used to call Amavis (Antivirus), SpamAssassin… –Can restrict call of external modules to certain messages Dont call SpamAssassin for large messages (> 100K) : never a SPAM Provides significant performance enhancement

6 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 SPAM Detection : SpamAssassin... At LAL : Perl module called by MIMEDefang –No extra process, no starting cost for every message –Dependent on other Perl modules Experienced a bad problem with HTML because of an old HTML::Parse Several types of filtering –Rules based –Bayesian analysis : based on message tokenization and statistics –Black / grey lists

7 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 … SPAM Detection : SpamAssassin Compute a score (probability to be a SPAM) –Score >= 5 can be considerered as SPAM –Very few false positive : always related to misconfigured clients Add headers (X-Spam-Score/Status) and attachement (SpamAssasin.Report) –Header and attachment lists the reasons behind the score –Possibility to modify the subject LAL : prefix the subject with (SPAM ****) : number of * = score / 5 –Efficient filtering possible looking at the headers

8 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 Bayesian Analysis… Rules based analysis less and less efficient –Spammers very responsive to rules improvements –LAL : 30% of undetected SPAM last winter Bayesian analysis inactive because of some misconfiguration Bayesian analysis : based on an (old) text analysis method –Message is tokenized : tokens in one set of chars, token separator in another set –Learning phase : for each token, counts everytime it appears in a SPAM or HAM (non SPAM), compute a probability (stored in a DB) –Analysis : compute a probability for the message according to the probability of each token in the message

9 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 … Bayesian Analysis Uses message headers and content –Important to teach the filter with original (not forwarded) message Not language sensitive Very difficult for spammers to work it around –Every token database is unique Very few false positive –False positive : valid message with score >= 5 –LAL : no false positive so far (a few weeks)

10 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 Bayesian Filter Administration Learning phase is critical –Initial learning with 1000s of SPAM ad HAM LAL initial set of message : 5000 messages (2/3 HAM, 1/3 SPAM) –Must cover message diversity to avoid side effect (language, topic…) –Messages used for learning must be (manually) carefully sorted between SPAM and HAM Learning must be renewed periodically –Token expiration protects against evolving patterns and limits DB size –Auto-learn feature helps maintain the database accurate –Need to manually feed the filter with incorrectly detected SPAMs to refine the database (false positive or false negative)

11 26/5/2004 Anti-SPAM at LAL - HEPix - Edinburgh 2004 Conclusions Pattern matching not enough, Bayesian looks promising –Raised SPAM detection efficiency to > 90% with initial learning –Hope to reach at least 95% while refining learning Take time to converge, dont make changes every day –SPAM profile / volume not the same every day –Need time to stabilize (auto-learning curve) Validate changes –Keep a reference set of SPAM and HAM (need to be updated) Administration load still a question –How to collect / process false positive / negative from users ?

Download ppt "Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3"

Similar presentations

LAL Site Report Michel Jouvin LAL / IN2P3

LAL Site Report Michel Jouvin LAL / IN2P3
SUS Feature Pack for SMS Michel Jouvin LAL / IN2P3

SUS Feature Pack for SMS Michel Jouvin LAL / IN2P3
Classification & Your Intranet: From Chaos to Control Susan Stearns Inmagic, Inc. E-Libraries E204 May, 2003.

Classification & Your Intranet: From Chaos to Control Susan Stearns Inmagic, Inc. E-Libraries E204 May, 2003.
Basic Communication on the Internet:

Basic Communication on the Internet:
Paul Vanbosterhaut Managing Director, Vircom Europe January 2007 ModusGate™ 4.4 Smart Email Assurance Gateway Not Just Warmed-over Open Source Technology…

Paul Vanbosterhaut Managing Director, Vircom Europe January 2007 ModusGate™ 4.4 Smart Assurance Gateway Not Just Warmed-over Open Source Technology…
CSCI 6962: Server-side Design and Programming Input Validation and Error Handling.

CSCI 6962: Server-side Design and Programming Input Validation and Error Handling.
Microsoft ® Exchange Online Advanced Security Name Title Microsoft Corporation.

Microsoft ® Exchange Online Advanced Security Name Title Microsoft Corporation.
COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.

COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.
Dealing With Spam The email kind, not the Food product.

Dealing With Spam The kind, not the Food product.
LAL Site Report Michel Jouvin LAL / IN2P3

LAL Site Report Michel Jouvin LAL / IN2P3
----Presented by Di Xu 17.12.2010.  Introduction  Overview of Spam  Solutions to Spam  Conclusion.

----Presented by Di Xu  Introduction  Overview of Spam  Solutions to Spam  Conclusion.
AVG Internet Security 7.5 Product presentation.

AVG Internet Security 7.5 Product presentation.
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
6/1/2015 Email Spam Filtering - Muthiyalu Jothir 1 Email Spam Filtering Computer Security Seminar N.Muthiyalu Jothir – 271120 Media Informatics.

6/1/2015 Spam Filtering - Muthiyalu Jothir 1 Spam Filtering Computer Security Seminar N.Muthiyalu Jothir – Media Informatics.
Exchange 2003 and SPAM Fighting Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 3 June 2015.

Exchange 2003 and SPAM Fighting Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 3 June 2015.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
E-mail Defense System (a.k.a. Junk mail & Virus Filtering at the Server level)

Defense System (a.k.a. Junk mail & Virus Filtering at the Server level)
August 15 click! 1 Email Basics Kitsap Regional Library.

August 15 click! 1 Basics Kitsap Regional Library.
Exchange 2010 Overview Name Title Group. What You Tell Us Communication overload Globally distributed customers and partners High cost of communications.

Exchange 2010 Overview Name Title Group. What You Tell Us Communication overload Globally distributed customers and partners High cost of communications.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Similar presentations

Ads by Google