2 E-MAIL GATEWAY WITH PER-USER SPAM BLOCKING AND VIRUS SCANNING Greg Woods National Center for Atmospheric Research Scientific Computing Division Boulder, CO woods@ucar.edu Postfix Guru: Rich Johnson rjohnson@ucar.edu

3 OVERVIEW ● Goals ● Choice of hardware and software ● Cluster design ● Mail system design ● User interface ● Effectiveness ● Technical details

4 GOALS ● Low cost ● Scalability ● Reliability ● Flexibility – Virus Scanning – Centralized Alias Database – PER-USER spam blocking

5 SYSTEM CHOICE ● PC cluster ● Linux Virtual Server (LVS) ● Heartbeat ● Postfix ● DNS-based blocklists ● SpamAssassin ● F-PROT ● LDAP

6 LINUX VIRTUAL SERVER [diagram: Director, with a Backup Director monitored over Heartbeat, in front of Node1, Node2, Node3 and Node4]

7 MAIL PATH [diagram, flow as drawn] In → Port 25 Receiver (smtpd) → Recipient/Blocklist check (against LDAP Server) → smapq → Scanner Input Queue → Attscand on a Cluster Node → Scanner Output Queue (or Quarantine) → Reinjectd → Localhost Receiver → Alias Expansion (against LDAP Server) → Out

8 DNS BLOCKLISTS ● Occurs while SMTP connection still open, after RCPT is given ● User spam block class looked up in LDAP ● Determines which DNS blocklists to use ● Originating IP address checked against blocklists ● Match results in a 550 refused message error ● If message refused, never receive message content! ● Passed messages placed in scanner input queue

9 BLOCKLISTS (2) ● Level 0: no blocking, all IP's OK ● Level 1: Block only misconfigured hosts (open relays and proxies) ● Default: Almost level 2, applied to any address not specifically listed in LDAP database ● Level 2: Block misconfigured hosts plus known spam sources ● Level 3, or “internal only”: block entire Internet outside of our IP space

10 SMAPQ ● Called by Postfix smtpd once message passes blocklist check ● Writes queue file which contains original message plus SMTP envelope information ● Uses “x” bit lock protocol

11 QUEUE FILE LOCKING ● Uses “x” permission bit ● Explicitly set when done writing queue file ● Daemons ignore files in queue without “x” set ● Daemons remove “x” bit first thing, before processing file ● Used by smapq, attscand, and reinjectd
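The queue-file handoff on slides 10 and 11 (and the envelope that reinjectd later needs, slide 23), worked as an added example. This is not the NCAR smapq/attscand/reinjectd code; the file layout (envelope lines, blank line, raw message), the envelope header names and the directory names are assumptions made for the example. A writer creates the file without any execute bit and sets "x" only after the data is on disk; a consumer skips files without "x" and clears "x" before it reads.

```python
"""Added example: write-then-publish and claim-by-clearing of queue files
using the owner execute bit, in the style the slides describe."""
import os
import stat
import tempfile

# Assumed queue-file layout: envelope lines, a blank line, then the raw message.
ENV_FROM = "X-Envelope-From: "
ENV_RCPT = "X-Envelope-To: "


def write_queue_file(queue_dir, qid, sender, recipients, message):
    """smapq's role: store envelope + message, then publish by setting "x"."""
    path = os.path.join(queue_dir, qid)
    # Created without any execute bit, so a polling daemon leaves it alone.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(ENV_FROM + sender + "\n")
        for rcpt in recipients:
            fh.write(ENV_RCPT + rcpt + "\n")
        fh.write("\n")
        fh.write(message)
        fh.flush()
        os.fsync(fh.fileno())      # data on disk before the file is published
    os.chmod(path, 0o700)          # "x" set: file is complete and claimable
    return path


def is_ready(path):
    """A queue file is ready only when its owner execute bit is set."""
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def claim_queue_file(path):
    """Daemon's role: clear "x" first, then parse.  Returns None when the
    file is not ready (still being written, or already taken)."""
    if not is_ready(path):
        return None
    os.chmod(path, 0o600)          # remove "x" before touching the contents
    with open(path) as fh:
        lines = fh.read().split("\n")
    sender, recipients, i = None, [], 0
    for i, line in enumerate(lines):
        if line == "":
            break
        if line.startswith(ENV_FROM):
            sender = line[len(ENV_FROM):]
        elif line.startswith(ENV_RCPT):
            recipients.append(line[len(ENV_RCPT):])
    message = "\n".join(lines[i + 1:])
    return sender, recipients, message


def scan_queue(queue_dir):
    """One pass of a daemon's poll loop: claim every ready file, skip the rest."""
    claimed = []
    for name in sorted(os.listdir(queue_dir)):
        item = claim_queue_file(os.path.join(queue_dir, name))
        if item is not None:
            claimed.append((name, item))
    return claimed


def demo():
    """Constructed walk-through: publish one file, claim it twice, and leave
    an unfinished file untouched."""
    qdir = tempfile.mkdtemp(prefix="scanq-")
    msg = "From: a@example.org\nSubject: test\n\nhello\n"     # constructed message
    path = write_queue_file(qdir, "q0001", "a@example.org",
                            ["b@ucar.edu", "c@ucar.edu"], msg)
    first = claim_queue_file(path)
    second = claim_queue_file(path)          # "x" already cleared: None
    partial = os.path.join(qdir, "q0002")    # a writer that has not finished
    with open(partial, "w") as fh:
        fh.write(ENV_FROM + "x@example.org\n")
    os.chmod(partial, 0o600)                 # no "x": must be ignored
    untouched = claim_queue_file(partial)
    return first, second, untouched


if __name__ == "__main__":
    print(demo())
```

One caveat the slides do not address: stat-then-chmod is not an atomic test-and-clear, so if several daemons poll the same directory two of them can both see "x" and both clear it. With one consumer per queue directory (one attscand per scanner input queue, one reinjectd per output queue) that cannot happen; if consumers are ever multiplied, an atomic rename into a per-consumer work directory is the usual replacement for the chmod step.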

12 ATTACHMENT SCANNER ● Use F-PROT to scan for known viruses/worms – Can even examine files within ZIP archive ● Use grep to scan for executable MIME attachment types – This addition kept out Sobig.F ● Add SpamAssassin headers – No quarantining based on SpamAssassin; headers are there if end user wants to use them; again avoid content filtering

13 REINJECT DAEMON ● Takes messages from scanner output queue ● Sends them back to localhost listener, which is configured for normal delivery ● Localhost listener does alias expansion via LDAP, then sends message on to next hop

14 USER INTERFACE ● 15-year-old ASCII screen-based interface ● Sends e-mail to database maintainers ● Flat files sent out twice daily; scripts update LDAP database from these ● Forwarding address updated immediately, anything else takes ½ a working day ● Development of direct web-to-LDAP interface in progress

15 EFFECTIVENESS ● Very few false positives – One major incident: Osirusoft DoS ● Filter effectiveness generally good, but varied – Some users report little reduction in spam – Others report total or near elimination of spam – Personal godsend: from hundreds of spams daily down to less than half a dozen

16 TECHNICAL DETAILS ● How LVS director works ● Heartbeat ● Postfix main receiver and localhost receiver ● Postfix blocklists ● Postfix LDAP lookups ● Virus scanning script ● Reinjector daemon ● System monitoring

17 LINUX VIRTUAL SERVER ● Tricks with ARP ● http://www.linuxvirtualserver.org [diagram: Router → Director (VS) → Node1 (RS1), Node2 (RS2); VS = Virtual Server, RS = Real Server]

18 HEARTBEAT ● Uses dedicated ethernet crossover AND serial links ● If primary server stops responding to heartbeat, secondary takes over ● Config files tell which IP addresses and which services to take over ● For LVS director, secondary takes over VS and the director function http://www.linux-ha.org

19 POSTFIX BLOCKLISTS
● smtpd_restriction_classes = class_prospam_blocks, class_easynet, .... (declare classes)
● class_prospam_blocks = class_easynet, ...
● lookup_easynet = blackholes.easynet.nl 554 \$client_address dnsbl listed by easynet Blackholes. See

20 POSTFIX RECEIVERS
● SMTP Port 25
– smtp inet n - n - - smtpd -o content_filter=smapq
– smapq unix - n n - 5 pipe flags=q user=smap argv=/local/sbin/smapq ${sender} ${recipient}
● Localhost only, port 1075
– localhost:1075 inet n - n - - smtpd -o content_filter=

21 POSTFIX LDAP SEARCHES
smtpd_client_restrictions = permit_mynetworks, ...., check_recipient_access ldap:spam
spam_search_base = ou=spamblock,dc=ucar,dc=edu
spam_server_host = 127.0.0.1
spam_server_port = 389
spam_query_filter = (sn=%s)
spam_result_attribute = spam
alias_maps = ldap:alias
alias_search_base = ou=aliases,dc=ucar,dc=edu
alias_server_host = 127.0.0.1
alias_server_port = 389
alias_query_filter = (sn=%s)
alias_result_attribute = fwd
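The per-recipient decision that slides 8, 9, 19 and 21 spread across Postfix restriction classes and LDAP, worked as one added example. This is not the NCAR configuration: the LDAP "spam" attribute and DNS are replaced by in-memory tables, blackholes.easynet.nl is the only zone named on the slides (the other zone names are placeholders), the class contents, sample addresses, network range and reply texts are assumptions, and level 3 ("internal only") is implemented as a check against the site's own address space rather than as a DNS lookup. The reply uses the 554 template shape shown on slide 19.

```python
"""Added example: choose DNS blocklists per recipient, query them for the
connecting client's address, and answer at RCPT time."""
import ipaddress

# Stand-in for the LDAP lookup (sn=%s -> spam attribute).  Recipients not
# listed fall back to the "default" class, as on slide 9.
SPAM_CLASS = {                                   # constructed data
    "open@ucar.edu": "level0",
    "cautious@ucar.edu": "level1",
    "strict@ucar.edu": "level2",
    "inside@ucar.edu": "internal",
}
DEFAULT_CLASS = "default"

# Which zones each class consults, in order.  Only blackholes.easynet.nl
# appears on the slides; the *.invalid names are placeholders.
CLASS_ZONES = {
    "level0": [],
    "level1": ["relays.example-dnsbl.invalid"],                 # open relays/proxies
    "default": ["relays.example-dnsbl.invalid", "blackholes.easynet.nl"],
    "level2": ["relays.example-dnsbl.invalid", "blackholes.easynet.nl",
               "spamsrc.example-dnsbl.invalid"],                # plus spam sources
    "internal": [],                                             # site networks only
}
OUR_NETWORKS = [ipaddress.ip_network("128.117.0.0/16")]        # assumed site range

# Stand-in for DNS: the names that "resolve", i.e. listed addresses.  A real
# check resolves <reversed-octets>.<zone> and treats any A record as a hit.
LISTED = {                                       # constructed data
    "4.3.2.1.relays.example-dnsbl.invalid",
    "2.0.0.10.blackholes.easynet.nl",
    "9.2.0.192.spamsrc.example-dnsbl.invalid",
}


def dnsbl_name(client_ip, zone):
    """Name a DNSBL expects: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(client_ip, zone, resolver=LISTED.__contains__):
    """resolver(name) -> True when the name has an A record."""
    return resolver(dnsbl_name(client_ip, zone))


def check_client(client_ip, recipient, resolver=LISTED.__contains__):
    """Decision at RCPT time.  Returns an SMTP reply; 2xx means accept,
    5xx means the message body is never received."""
    cls = SPAM_CLASS.get(recipient.lower(), DEFAULT_CLASS)
    ip = ipaddress.IPv4Address(client_ip)
    if cls == "internal":
        if any(ip in net for net in OUR_NETWORKS):
            return "250 Ok"
        return "554 %s refused: recipient accepts internal mail only" % client_ip
    for zone in CLASS_ZONES[cls]:
        if dnsbl_listed(client_ip, zone, resolver):
            return "554 %s dnsbl listed by %s" % (client_ip, zone)
    return "250 Ok"


if __name__ == "__main__":
    for ip, rcpt in [("1.2.3.4", "open@ucar.edu"), ("1.2.3.4", "cautious@ucar.edu"),
                     ("192.0.2.9", "nobody@ucar.edu"), ("192.0.2.9", "strict@ucar.edu"),
                     ("192.0.2.9", "inside@ucar.edu")]:
        print(ip, rcpt, "->", check_client(ip, rcpt))
```

The ordering matters for multi-recipient messages: Postfix evaluates the restriction once per RCPT, so one transaction can have some recipients refused with 554 and others accepted, and only the accepted ones ever reach smapq.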

22 VIRUS SCANNER ● F-PROT run, exit status checked ● grep -f pattern-file message-file ● If virus or executable attachment found, write to quarantine directory and exit – No longer send warnings, sender is always forged ● Add SpamAssassin headers ● Write to output queue (using “x” bit locking)
Contents of pattern-file:
filename[ ]*=.*\.exe"*$
^[ ]*name[ ]*=.*\.exe[ "]*$
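The executable-attachment check from slides 12 and 22, worked as an added example over a constructed MIME message. The first function applies the slide's two grep patterns line by line, exactly as grep -f would; the second, which is not part of the NCAR scanner, parses the MIME structure with Python's email module so that encoded or differently cased attachment names are also caught. The sample message, its addresses and the base64 body are constructed for the example.

```python
"""Added example: the grep-style check for .exe attachment names beside a
MIME-aware check, run over a constructed message."""
import email
import re

# The two patterns from the slide, as Python regexes applied per line.
EXE_PATTERNS = [
    r'filename[ ]*=.*\.exe"*$',
    r'^[ ]*name[ ]*=.*\.exe[ "]*$',
]

# Constructed message with three parts: text, a plainly named .exe, and a
# .exe whose name is RFC 2231-encoded (filename*=...).
SAMPLE_MESSAGE = """From: sender@example.org
To: victim@ucar.edu
Subject: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream;
  name="details.exe"
Content-Disposition: attachment;
  filename="details.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
  filename*=utf-8''invoice%2Eexe
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def grep_executable_headers(message_text, patterns=EXE_PATTERNS, ignore_case=False):
    """grep -f semantics: return every line that matches any pattern."""
    flags = re.IGNORECASE if ignore_case else 0
    compiled = [re.compile(p, flags) for p in patterns]
    return [line for line in message_text.splitlines()
            if any(rx.search(line) for rx in compiled)]


def scan_attachment_names(message_text, extensions=(".exe",)):
    """MIME-aware variant: decode each part's filename (RFC 2047/2231
    handled by the email module) and compare the extension case-insensitively."""
    msg = email.message_from_string(message_text)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(extensions):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(grep_executable_headers(SAMPLE_MESSAGE))   # the two plain lines only
    print(scan_attachment_names(SAMPLE_MESSAGE))     # both .exe parts
```

Running it shows the limits of the line-oriented check: the grep patterns hit the two plain `name=`/`filename=` lines but miss the `filename*=` form, and, as written on the slide (no -i), they also miss a name ending in `.EXE`; `^[ ]*name` additionally misses continuation lines folded with a tab rather than spaces. Those gaps are why the MIME-aware variant is shown beside it.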

23 REINJECTD ● Reads from virus scanner output queue (using “x” bit locking) ● Preserves original envelope FROM/RCPT ● Connects to localhost:1075 and initiates SMTP transaction ● Always passes permit_mynetworks ● Normal delivery now occurs

24 SYSTEM MONITORING ● Qmond script monitors queue directories ● Work in progress ● Reports when message has been in queue too long ● Needs to have a “memory” implemented of what has already been reported, to avoid an overwhelming number of reports when system is slow – Large numbers of reports add to problem

