Methods for Stopping Spam James Lick [email protected]


Page 1: Methods for Stopping Spam

Methods for Stopping Spam

James Lick [email protected]

Page 2: Methods for Stopping Spam

The Problem

• AOL blocks 780,000,000 spams each day (Feb 2003)

• I am sent ~900 spams each day (Jan 2003)

Page 3: Methods for Stopping Spam

Methods for Stopping Spam

● Security
● Policy Enforcement
● Blocking
● Filtering
● Avoidance

Page 4: Methods for Stopping Spam

Disclaimer

• No method will block all spam
• Every method will sometimes block real mail
• Spammers always get more aggressive
• These tools are just a sample
• Combining tactics works best
• Blocking/Filtering hides the extent of the problem

Page 5: Methods for Stopping Spam

Security

● Make sure you aren't part of the problem
● Check infrastructure and customers:
  – Open relays
  – Open proxies
  – Use of latest security patches
● A lot of spam is sent through security holes
● Notify authorities for extreme cases

Page 6: Methods for Stopping Spam

Policy Enforcement

● Have a reasonable AUP
● Have users agree to it (legal contract)
● Enforce it!
  – This is a contract, lack of spam law is no excuse
  – Don't give second chances too easily
● Respond to complaints

Page 7: Methods for Stopping Spam

Policy Enforcement (cont)

● If you get a reputation of being soft on spam:
  – You will get more spamming customers!
  – Your mail will be blocked more and more
  – You lose customers
  – You go out of business

● The earlier you address problems, the easier it is to solve

● Policy enforcement is an ongoing responsibility

Page 8: Methods for Stopping Spam

Blocking

● Bad sender address
● Spam Source lists
● Open Relay lists
● Open Proxy lists
● Dialup/Dynamic IP lists
● Other
● Local blocks

Page 9: Methods for Stopping Spam

Bad sender

● Most spam is sent with a forged sender
● Look up the sender domain
  – Reject the message if it doesn't exist
  – Defer the message if the lookup fails
● Supported by most mail servers
● Default in modern sendmail
● You can also check the sending hostname, but this is not reliable as a spam sign

Page 10: Methods for Stopping Spam

Spam Source lists

● Lists IP addresses which belong to spammers
● MAPS RBL (www.mail-abuse.org)
● Spamhaus BL (www.spamhaus.org)
● Sometimes widens the block to whole networks, but usually only in extreme cases

Page 11: Methods for Stopping Spam

Open Relay lists

● Blocks mail from old servers which allow anyone to send mail through them
● MAPS RSS (www.mail-abuse.org)
● ORDB (www.ordb.org)
● Can block real mail from insecure sites
● Sometimes listings are based on old information

Page 12: Methods for Stopping Spam

Open Proxy lists

● Blocks mail from insecure open proxies
● OPM (www.blitzed.org/opm/)
● Usually doesn't block any real mail
● Most lists are incomplete – finding open proxies is hard

Page 13: Methods for Stopping Spam

Dialup/Dynamic IP lists

● Blocks direct mail from dialups and dynamic IP addresses
● Be sure to whitelist your own customers!
● Dynamic clients should use the ISP mail server to send mail
● SMTP MSP can be used to send mail remotely safely
● Usually does not block real mail

Page 14: Methods for Stopping Spam

Dialup/Dynamic IP lists (cont)

● MAPS DUL (www.mail-abuse.org)
● PDL (www.pan-am.ca/pdl/)
● Dynablock (basic.wirehub.nl/dynablocker.html)

Page 15: Methods for Stopping Spam

Other

● As spammers get more aggressive, anti-spammers get more aggressive in blocking
● Blocking is often done by:
  – Any IP sending any spam ever
  – Countries/regions perceived as soft on spam
  – Networks perceived as soft on spam
  – Faulty methods of identifying spam
  – Other forms of 'spite' listings

Page 16: Methods for Stopping Spam

Other (cont)

● Most of these methods are not used widely
● As the spam problem gets worse, these methods may become more widespread
● Before using a blocking service:
  – Make sure their policies match your expectations
  – Make sure it is reputable
  – Test it out first

Page 17: Methods for Stopping Spam

Local blocks

● Set up your own local blocks (access_db, local dnsbl)
● Requires diligence and upkeep
● Do it only if you can devote resources to it every day!
● Better yet, get involved with contributing to public blocking lists

Page 18: Methods for Stopping Spam

Filtering

● Analyze content, not where it came from
  – Pattern matching
  – Bulk detection

Page 19: Methods for Stopping Spam

Pattern Matching

● Spams have common 'spam signs'
  – Common types of header forgery
  – Common disclaimers
  – Common wording of sales pitch
  – Garbage strings, header style, etc.
● Filters can detect and score based on how many spam signs are in a message

Page 20: Methods for Stopping Spam

Spam Assassin (www.spamassassin.org)

● Has a set of rules, each with a score
● If a message scores over a threshold, it is marked as spam
● Can also use bulk detection and blocking lists
● Uses a lot more CPU
  – Can scale to large mail loads by using a cluster of cheap servers running SA's spamd
● Can be run on a client system too

Page 21: Methods for Stopping Spam

Spam Assassin 2.50

● Just out!
● Adds Bayesian filtering
● Bayesian filtering statistically analyzes what content shows up in spam more often than in real mail
● For best results, needs training on what is and isn't spam
● SA 2.50 auto-trains based on SA scoring
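How pages 19 to 21 fit together, as an added example that is neither from the slides nor SpamAssassin's own code: a couple of constructed pattern rules with scores, a naive Bayes word filter that learns which words appear in spam more often than in real mail, and a threshold decision over the summed scores. Rule names, scores, the 5.0 threshold and the six training messages are all assumptions made for the illustration.

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z]{3,}")          # crude tokenizer: lowercase words of 3+ letters

def tokens(text):
    return set(WORD.findall(text.lower()))

class BayesFilter:
    # Naive Bayes: which words show up in spam more often than in real mail.
    def __init__(self):
        self.words = {True: Counter(), False: Counter()}   # messages containing each word
        self.count = {True: 0, False: 0}                    # messages trained per class
    def train(self, text, is_spam):
        self.words[is_spam].update(tokens(text))
        self.count[is_spam] += 1
    def spam_probability(self, text):
        # Log-odds with Laplace smoothing, so a word never seen stays neutral.
        ls, lh = math.log(self.count[True]), math.log(self.count[False])
        for tok in tokens(text):
            ls += math.log((self.words[True][tok] + 1) / (self.count[True] + 2))
            lh += math.log((self.words[False][tok] + 1) / (self.count[False] + 2))
        return 1.0 / (1.0 + math.exp(lh - ls))

# Constructed stand-ins for SpamAssassin-style rules: (name, regex, score).
RULES = [
    ("SUBJ_ALL_CAPS", re.compile(r"^Subject: [A-Z !$]{8,}$", re.M), 1.5),
    ("REMOVE_LINK", re.compile(r"to be removed", re.I), 1.0),
]

def score(message, bayes, threshold=5.0):
    # Sum matching rule scores, add a Bayes rule, and compare with the threshold.
    hits = [(name, pts) for name, rx, pts in RULES if rx.search(message)]
    p = bayes.spam_probability(message)
    if p > 0.99:
        hits.append(("BAYES_99", 3.5))
    elif p < 0.01:
        hits.append(("BAYES_00", -1.9))
    total = sum(pts for _, pts in hits)
    return total, total >= threshold, hits
# Constructed training corpus; a real one needs many hundreds of messages per class.
SPAM = ["Subject: MAKE MONEY FAST\nBuy now and earn $5000 weekly. Click here to be removed.",
        "Subject: FREE OFFER\nFree gift, buy now, earn money. Click here to be removed.",
        "Subject: Earn $$$\nEarn money fast from home. Buy now. To be removed reply."]
HAM = ["Subject: meeting tomorrow\nCan we move the meeting to 3pm? Thanks",
       "Subject: patch review\nThe sendmail patch looks fine, please merge tomorrow.",
       "Subject: lunch\nLunch at noon? The meeting ran late."]
FILTER = BayesFilter()
for m in SPAM: FILTER.train(m, True)
for m in HAM: FILTER.train(m, False)
```

With this tiny corpus a word that appears in every spam and no ham shifts the odds by a factor of four, which is why the filter needs the training the slide asks for before its verdicts mean anything.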

Page 22: Methods for Stopping Spam

Bulk Detection

● Razor (razor.sourceforge.net) aka SpamNet (www.cloudmark.com)
● DCC (www.rhyolite.com/anti-spam/dcc)
● Reliably detects messages sent in bulk
● Razor is designed to detect unsolicited bulk
● Not perfect, sometimes blocks large mailing lists (recently Crypto-Gram)

Page 23: Methods for Stopping Spam

Avoidance

● Try not to expose email addresses
  – Don't publish user directories
  – Give users help and tools to do filtering
● Advise users
  – Use spam filtering software (in addition to ISP)
  – Don't give out email address freely
  – Use disposable email addresses
  – Change email addresses periodically

Page 24: Methods for Stopping Spam

Q&A

• Questions
• Answers
• Discussion