Combating E-mail Abuse



  1. Combating E-mail Abuse. Brian Nisbet, NOC Manager, HEAnet

  2. Introduction
  • SMTP was never expected to handle this.
  • Huge volume of email, huge volume of email abuse.
  • Not restricted to just spam.
    • Viruses
    • Phishing
    • Malware Links

  3. General Principles
  • “Be liberal in what you accept, be conservative in what you send.” – Jon Postel
  • Also, your network, your rules.
  • Multiple areas to consider:
    • Technical measures
    • Education
    • Policies & Procedures
    • Tools

  4. Technical Measures
  • Realtime Block Lists
    • DNS based, some free, some charge.
    • HEAnet Anti-Spam service offers Trend Micro ERS and Spamhaus Zen service.
    • http://www.spamhaus.org
    • Spamcop - bl.spamcop.net
    • combined.njabl.org
    • Checked in order, rejected on first match.
    • Check early, at Connect or Mail From:
  • Make your own!
  • Port 25 outbound!
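The RBL check described on this slide (lists queried in order, first match rejects, checked at connect time), as an added example that is not part of the presentation. It builds the reversed-address DNSBL query name itself and uses a constructed in-memory resolver instead of real DNS so it runs offline; the zone names are the ones on the slide and the fake answers are made up. It also shows the check a practitioner wants: an answer outside 127.0.0.0/8, or a Spamhaus 127.255.255.x error code, is not a listing and must not reject mail.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Lists named on the slide, queried in this order; the first hit rejects.
RBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "combined.njabl.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: reversed octets (IPv4) or reversed nibbles (IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def check_rbls(ip: str, zones: List[str],
               resolve: Callable[[str], List[str]]) -> Optional[Tuple[str, str]]:
    """Return (zone, answer) for the first list that knows `ip`, or None if no list does."""
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            # A real listing is a 127.0.0.0/8 address; anything else (e.g. a parked or
            # expired list domain answering for every name) must not reject mail.
            if not answer.startswith("127."):
                continue
            # Spamhaus answers 127.255.255.x to report a query problem (open resolver,
            # volume limit exceeded); that is an error, not a listing.
            if answer.startswith("127.255.255."):
                continue
            return zone, answer
    return None


# Constructed stand-in for DNS so the example runs offline; real code queries DNS here.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],       # 127.0.0.2 is the conventional test entry
    "1.0.0.10.bl.spamcop.net": ["127.0.0.2"],          # listed only on the second list
    "9.9.9.9.zen.spamhaus.org": ["127.255.255.254"],   # error code, not a listing
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def connect_decision(ip: str, resolve: Callable[[str], List[str]] = fake_resolve) -> str:
    """SMTP reply to send at connect time ("check early", as the slide says)."""
    hit = check_rbls(ip, RBL_ZONES, resolve)
    if hit is None:
        return "220 mx.example.net ESMTP"   # constructed banner; carry on with the session
    zone, code = hit
    return f"554 5.7.1 Service unavailable; client {ip} listed in {zone} ({code})"
```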

  5. Restrict SMTP connection volumes.
    • Make sure to reserve some for internal users.
  • Close open relays!
  • Rules based system/spam heuristics.
    • Spamassassin - http://spamassassin.apache.org/
    • Rules need constant monitoring/adjustment.
    • Maintain spam corpus for checking.
    • Whitelists vital.
    • Tailor score to suit individual needs.
    • Mark at one score, filter at another.

  6. Reject mail from sources that announce with a single word.
  • Beware of mailservers claiming to be you!
  • Authorised users only.
  • Secure connections.
  • Greylisting
    • Delaying mails and waiting for resend.
    • Accepts ‘known’ mail immediately.
    • Rather controversial.
  • Tarpitting
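Greylisting as the slide describes it (tempfail the first delivery attempt, accept the retry, let ‘known’ mail straight through), as an added example that is not code from the presentation. The triplet key, the timings and the whitelist are assumptions chosen for illustration; the clock is passed in so the behaviour can be checked without waiting.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)


@dataclass
class Greylister:
    min_delay: int = 300                        # a first-time triplet must wait this long
    retry_window: int = 4 * 3600                # later retries are treated as a new first attempt
    auto_whitelist_for: int = 36 * 24 * 3600    # an accepted triplet passes for this long
    whitelist_ips: Set[str] = field(default_factory=set)      # 'known' relays, accepted at once
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    passed_until: Dict[Triplet, float] = field(default_factory=dict)

    def decide(self, client_ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        if client_ip in self.whitelist_ips:
            return "250 OK"
        key = (client_ip, sender.lower(), rcpt.lower())
        if self.passed_until.get(key, 0) > now:
            self.passed_until[key] = now + self.auto_whitelist_for   # refresh on use
            return "250 OK"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window:
            # never seen, or the earlier attempt was abandoned: start the clock
            self.first_seen[key] = now
            return "450 4.7.1 Greylisted, please try again later"
        if now - seen < self.min_delay:
            # retried too quickly; a real MTA backs off, many bots never retry at all
            return "450 4.7.1 Greylisted, please try again later"
        # a real MTA retried after the delay: accept it and remember the triplet
        del self.first_seen[key]
        self.passed_until[key] = now + self.auto_whitelist_for
        return "250 OK"
```

The controversy the slide mentions shows up in the key: senders that retry from a pool of outbound hosts never present the same triplet twice, which is why deployed greylisters usually key on a /24 rather than the exact IP and keep a whitelist of large providers.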

  7. Backup MX
  • Backup MXs used to be vital.
  • Now more likely to be a vector for abuse.
  • Recommendation is to only use MXs you control.
  • Need to have exactly the same filters in place.
  • Modern Internet substantially more secure.
  • Mailservers resend for 2 – 4 days before abandoning.
  • Consider a virtual machine.

  8. Anti-Virus
  • Anti-virus on your MX a must.
  • AV that isn’t updated, isn’t AV.
  • Once per hour is good, once per day is maybe ok.
  • Block “dangerous” extensions.
    • Multiple lists, mainly executables. Keep updated.
  • SMTP is not a file transfer protocol.
  • Quarantine and release systems are questionable.
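The “dangerous extensions” check from this slide, as an added example and not code from the presentation. It uses the standard email package to walk a message's parts, decides on the final suffix so that a name like Invoice.PDF.exe is caught, and strips trailing dots and spaces that are sometimes used to hide the suffix. The extension list and the sample message are constructed for the example; a real list must be maintained and updated, as the slide says, and this check complements AV rather than replacing it.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Iterator, List, Optional, Tuple

# Constructed block list, mainly executables and script types; keep a real one updated.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
                      "wsf", "hta", "msi", "dll", "cpl", "lnk", "ps1"}


def attachment_names(msg: EmailMessage) -> Iterator[str]:
    """Yield the filename of every non-multipart part that carries one."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            yield name


def blocked_extension(filename: str) -> Optional[str]:
    """Return the offending extension, or None if the name is allowed."""
    base = filename.strip().lower().rstrip(". ")   # trailing dots/spaces can mask a suffix
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1]                    # final suffix decides: invoice.pdf.exe -> exe
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, extension) for every attachment the MX should block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for name in attachment_names(msg):
        ext = blocked_extension(name)
        if ext:
            hits.append((name, ext))
    return hits


def build_sample() -> bytes:
    """Constructed test message: one harmless PDF and one disguised executable."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.net", "Invoice"
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf",
                     filename="invoice.pdf")
    m.add_attachment(b"MZ fake", maintype="application", subtype="octet-stream",
                     filename="Invoice.PDF.exe")
    return m.as_bytes()
```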

  9. Phishing & Links
  • Servers and clients beginning to detect this.
  • Also detectable with programs like Spamassassin.
  • Main tool is education.
  • Also change message to remove clickable links.

  10. DKIM, SPF etc
  • Various systems in the wild to prove the sender is who they say they are, and often to assign a reputation.
  • Worth configuring SPF to make sure of deliverability.
  • Much discussion about usefulness for receiving.
    • Spammers (either intentional or bots) often are who they say they are.
  • Websites:
    • http://www.openspf.org
    • http://www.dkim.org/

  11. Education
  • Users should feel safe when online, but not too safe!
  • You wouldn’t give your credit card number to someone you bumped into in town, would you?
  • Some users will always think “Maybe this time it’s real?”
  • Make sure you never send out a real mail that looks phishy.
  • Never:
    • Ask for passwords.
    • Put in a link to a login page in an unsolicited mail.
    • Offer millions of dollars in exchange for a bank account number.

  12. Policies & Procedures
  • Abuse contacts must be published & monitored.
  • Reports must be acted on as a matter of urgency. Systems taken offline, accounts closed.
  • Users and machines must be traceable.
  • Allegedly legitimate outbound mail must comply with laws and general standards of good behaviour.
  • http://www.ripe.net/ripe/docs/ripe-409.html

  13. Irish law on spam is encoded in SI 535 of 2003.
    • Personal addresses (mary.kelly@eircom.net) are opt-in.
    • Business addresses (brian.nisbet@heanet.ie) are opt-out.
    • Many SMTP server operators are more stringent than this.
  • Decide on and publish your own code of practice. This may be part of a larger AUP.

  14. Tools & Resources
  • Vast number of SMTP and AV programs.
  • No official HEAnet recommendation.
  • Remember HEAnet Tech list.
  • Spamhaus (http://www.spamhaus.org)
  • RIPE Anti-Abuse WG
    • http://www.ripe.net/ripe/wg/anti-abuse/index.html
  • RIPE Resource Explainer
    • http://labs.ripe.net/content/rex-resource-explainer
  • noc@heanet.ie!
