Fighting SPAM Spamassassin - PowerPoint PPT Presentation (deborah-wilder)

Presentation Transcript
Fighting SPAM Spamassassin
  • Statistical scoring based on factors such as banned words and acronyms
  • Non-plain-text or strange ASCII encoding in the mail header
  • HTML body with pictures and links
  • Sending/receiving user exists
  • File attachments: extra inspection by an external program for viruses and trojans
  • DNS blacklists: blacklisted domains/IPs/hosts
  • E-mails per second (DoS/SPAM)
  • E-mail relaying and hops
  • Help from external databases such as Pyzor and Razor
  • Spamassassin does not delete mail; it marks mail as SPAM and classifies the severity
Downloading And Installing Spamassassin RPM
  • From sources: http://spamassassin.apache.org/
  • From RPM:
  • Starting Spamassassin at boot
  • Start up Spamassassin
  • Spamassassin configuration sits in /etc/mail/spamassassin and /usr/share/spamassassin/ (local.cf and init.pre)
  • Spamassassin comes preconfigured
  • If you install from sources, don't install from the RPM first!

# rpm -ivh perl-Digest-HMAC-1.01-495.i586.rpm
# rpm -ivh perl-HTML-Tagset-3.04-3.i586.rpm
# rpm -ivh perl-HTML-Parser-3.45-3.i586.rpm
# rpm -ivh perl-Net-DNS-0.48-3.i586.rpm
# rpm -ivh perl-spamassassin-3.0.2-4.i386.rpm
# rpm -ivh spamassassin-3.0.2-4.i386.rpm
# insserv spamd
# /etc/init.d/spamd start


Configuring Spamassassin
  • The spamassassin main configuration file is named /etc/mail/spamassassin/local.cf
  • A full listing of all the options available in the local.cf file can be found in the Linux man pages using the following command: man Mail::SpamAssassin::Conf
  • The spamassassin plugins file is init.pre
  • Spamassassin searches /etc/mail/spamassassin and /usr/share/spamassassin for .pre and .cf files to read in
  • Each user's home directory can contain $HOME/.spamassassin/
  • Spamassassin is written in Perl
  • Spamassassin has two components: the server spamd and the client spamc

local.cf:
required_hits 5.0
whitelist_from *home.se
rewrite_subject 1
subject_tag *****SPAM*****
report_safe 1
use_terse_report 0
use_bayes 1
auto_learn 1
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
ok_languages en
ok_locales en sv fi

# man Mail::SpamAssassin::Conf

init.pre:
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::SPF


Testing spamassassin
  • Test the validity of your local.cf and the other files
  • Start up spamassassin
    • If you installed from "source" you will need to write a proper start and stop script yourself
  • Tune spamassassin by adjusting the required_hits value in the local.cf file
  • Sample mail header tagged by spamassassin, here a Nigerian scam

# spamassassin -d --lint
Created user preferences file: /root/.spamassassin/user_prefs
config: SpamAssassin failed to parse line, skipping: use_terse_report 0
config: SpamAssassin failed to parse line, skipping: auto_learn 1
lint: 2 issues detected. please rerun with debug enabled for more information.

# /etc/init.d/spamd start

required_hits 5.0

X-Spam-Status: Yes, score=20.1 required=2.1 tests=DEAR_FRIEND, DNS_FROM_RFC_POST,FROM_ENDS_IN_NUMS,MSGID_FROM_MTA_HEADER,NA_DOLLARS, NIGERIAN_BODY1,NIGERIAN_BODY2,NIGERIAN_BODY3,NIGERIAN_BODY4, RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBL,RISK_FREE,SARE_FRAUD_X3, SARE_FRAUD_X4,SARE_FRAUD_X5,US_DOLLARS_3 autolearn=failed version=3.0.4
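As an added example (not code from the slides), a small shell toolkit for the tuning step above: it unfolds X-Spam-Status headers collected from already-tagged mail, counts how many messages would be flagged at a candidate required_hits, and tallies which rules fire most. The header sample is constructed (it reuses values from the header shown above) and folded the way SpamAssassin folds long headers.

```shell
#!/bin/sh
# Added example: threshold "what-if" analysis over X-Spam-Status headers
# (not code from the presentation). Input: mail headers on stdin.

# Constructed sample of four tagged messages; long headers are folded
# onto continuation lines starting with whitespace, as in real mail.
SAMPLE='X-Spam-Status: Yes, score=20.1 required=2.1 tests=DEAR_FRIEND,
  DNS_FROM_RFC_POST,FROM_ENDS_IN_NUMS,NIGERIAN_BODY1,NIGERIAN_BODY2,
  RCVD_IN_SBL,US_DOLLARS_3 autolearn=failed version=3.0.4
X-Spam-Status: No, score=3.4 required=5.0 tests=HTML_MESSAGE,
  RCVD_IN_SBL autolearn=no version=3.0.4
X-Spam-Status: Yes, score=6.7 required=5.0 tests=HTML_MESSAGE,
  DEAR_FRIEND,RCVD_IN_SBL autolearn=no version=3.0.4
X-Spam-Status: No, score=-2.6 required=5.0 tests=ALL_TRUSTED,HTML_MESSAGE
  autolearn=ham version=3.0.4'

# Join folded header lines so every X-Spam-Status header is one line.
unfold_headers() {
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n[[:blank:]]/ /g'
}

# count_spam_at_threshold THRESHOLD: prints "flagged/total", the number
# of messages whose score would reach a candidate required_hits.
count_spam_at_threshold() {
    awk -v thr="$1" '
        /^X-Spam-Status:/ && match($0, /score=-?[0-9.]+/) {
            s = substr($0, RSTART + 6, RLENGTH - 6) + 0
            total++
            if (s >= thr + 0) hits++
        }
        END { printf "%d/%d\n", hits + 0, total + 0 }'
}

# rule_hit_counts: prints "count RULE" for every rule in the tests=
# lists, most frequent first, so noisy or weak rules stand out.
rule_hit_counts() {
    awk '
        /^X-Spam-Status:/ && /tests=/ {
            line = $0
            sub(/.*tests=/, "", line)              # keep the rule list only
            sub(/ (autolearn|version)=.*/, "", line)
            gsub(/[ \t]/, "", line)                # spaces left by unfolding
            n = split(line, t, ",")
            for (i = 1; i <= n; i++) if (t[i] != "") c[t[i]]++
        }
        END { for (r in c) print c[r], r }' | sort -k1,1nr -k2,2
}

# Usage demo: compare the slide's required_hits 5.0 with the 2.1 seen
# in the sample header, then list the rules that fired.
printf '%s\n' "$SAMPLE" | unfold_headers | count_spam_at_threshold 5.0
printf '%s\n' "$SAMPLE" | unfold_headers | count_spam_at_threshold 2.1
printf '%s\n' "$SAMPLE" | unfold_headers | rule_hit_counts
```

To run it on real mail, feed the output of `grep -h '^X-Spam-Status:' -A2` over a mailbox (or the mailbox itself) into unfold_headers instead of the constructed sample.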

The Rules du Jour Spamassassin Tool
  • Rules Du Jour is a script that downloads filtering rules for Spamassassin.
  • The script is available here: http://sandgnat.com/rdj/rules_du_jour and it is intended to be run from a cron job on a daily basis.
  • The /etc/rulesdujour/config configuration file
    • SA_DIR path to spamassassin
    • MAIL_ADDRESS who receives status messages
    • SA_RESTART how to restart spamassassin after new rules are installed
    • TRUSTED_RULESETS space-delimited line with filter rules to use

SA_DIR="/etc/mail/spamassassin"
MAIL_ADDRESS="[email protected]"
SA_RESTART="service spamd restart"
TRUSTED_RULESETS="TRIPWIRE SARE_ADULT SARE_OBFU SARE_URI0 SARE_URI1 ANTIDRUG SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_FRAUD SARE_HEADER0 SARE_HEADER2 SARE_HTML0 SARE_SPECIFIC SARE_BML SARE_GENLSUBJ0 SARE_GENLSUBJ2 SARE_WHITELIST"

Installing Rules du Jour

1) Download the rules_du_jour script with the wget command, make it executable and place it in the /usr/local/bin directory. The script is available here: http://sandgnat.com/rdj/rules_du_jour and it is intended to be run from a cron job on a daily basis.

2) Create and edit your /etc/rulesdujour/config configuration file.

3) Run the rules_du_jour script, and then run spamassassin in lint mode to test for errors. There should be none.

4) The final step is to add /usr/local/bin/rules_du_jour to your cron table. In this case, crontab -e

# wget http://sandgnat.com/rdj/rules_du_jour
# chmod 700 rules_du_jour
# mv rules_du_jour /usr/local/bin
# mkdir -p /etc/rulesdujour
# vi /etc/rulesdujour/config
# /usr/local/bin/rules_du_jour

0 23 * * * root /usr/local/bin/rules_du_jour

Setting up procmail for spamassassin
  • Procmail is a mail processor; it can search the mail header and body for patterns, keys and attributes
  • Procmail uses regular expressions to find or extract keys
  • Procmail can move/truncate/delete mail and make calls to external programs based on conditions
  • Procmail has a mandatory file used in situations where individual users do not have one: /etc/procmailrc
  • The user-configurable procmail file is $HOME/.procmailrc
  • The procmail home page is very helpful to learn more about the powerful procmail: http://www.procmail.org/
Getting procmail installed
  • Install procmail from RPM
  • Download the procmail source
  • Build the procmail source
  • Inspect the built procmail programs
  • Install procmail from sources (all the files in new/)

# rpm -ivh procmail-3.22-41
# rpm -ivh procmail-debuginfo-3.22-41
# cd /usr/local/src ; wget http://www.procmail.org/procmail-3.22.tar.gz
# tar -xzf procmail-3.22.tar.gz
# cd procmail-3.22 ; make
. . .
# ls new/
# make install-suid

Or type

# make install

Procmail configuration for Spamassassin
  • Procmail comes unconfigured from both RPM and sources
  • If you install procmail from source you have sample configurations to start with in the source tree /usr/local/src/procmail-3.22/examples
  • You will need to modify the sample config or redo everything from scratch
    • Here we first copy one of the examples to the mandatory procmail settings
    • Secondly we copy it into user root's personal settings
  • Procmail has two configuration sets:
    • Mandatory default procmailrc
    • Personal .procmailrc

# cp examples/3procmailrc /etc/procmailrc
# cp examples/3procmailrc ~root/.procmailrc

Procmail mandatory /etc/procmailrc
  • Procmailrc has a number of settings and environment variables
    • DROPPRIVS=YES  lowers privileges to the receiving user's level
    • VERBOSE=ON  log level details
    • MAILDIR=$HOME/Mail  user home maildir
    • DEFAULT=$MAILDIR/mbox  user home mail database file
    • LOGFILE=$MAILDIR/from  where to log procmail activities
    • LOCKFILE=$HOME/lockmail  protects procmail processing
    • COMPANY=PHW  general environment variable
  • Procmail is driven by regular expressions

This very first rule starts spamc if the email size is less than 256000 bytes. The last rule will move the email if X-Spam-Status: Yes is set in the email header.

:0fw
* < 256000
| /usr/bin/spamc -f

:0:
{
EXITCODE=$?
}

:0:
* ^X-Spam-Status: Yes
$HOME/IMAP-$COMPANY/SPAM

Procmail user-defined $HOME/.procmailrc
  • The first rule will move all mail with attachment file names ending in the listed extensions to the directory illegal-attach
  • All email less than 250K is processed by spamc
  • All email marked with a spam level greater than 15 is moved to the directory almost-certainly-spam
  • All mail that has accumulated more than required_hits is moved to the directory probably-spam
  • All mail whose subject contains *****SPAM***** is moved to the directory subject-spam

:0 B
* ^Content-Type:.*
* ^.*name=.*\.(hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm|dll|SCR)
illegal-attach

:0fw
* < 256000
| /usr/bin/spamc -f

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
almost-certainly-spam

:0:
* ^X-Spam-Status: Yes
probably-spam

:0:
* ^Subject: \*\*\*\*\*SPAM\*\*\*\*\*
subject-spam
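As an added example (not from the slides), a shell emulation of the first-match delivery logic of the .procmailrc above, so a recipe change can be checked against saved messages before it goes live. It assumes spamc has already tagged the message (the :0fw step is represented only by its size gate), and it mirrors two procmail details worth knowing: conditions ignore case unless the D flag is set, and the X-Spam-Level regex matches fifteen or more stars. The sample message is constructed.

```shell
#!/bin/sh
# Added example (not from the presentation): emulates the first-match
# delivery decisions of the $HOME/.procmailrc shown above.
# Assumption: spamc has already tagged the message, so the :0fw filter
# step is represented only by its size gate, not by running spamc.

# Same extension alternation as the illegal-attach recipe.
BAD_EXT='\.(hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm|dll|SCR)'

# Header = everything before the first blank line (procmail's default
# H scope); body = everything after it (the B flag).
mail_header() { sed '/^$/q' "$1"; }
mail_body()   { sed '1,/^$/d' "$1"; }

# classify_mail FILE -> prints the folder the recipes would deliver to.
# grep -i mirrors procmail, whose conditions ignore case unless D is set.
classify_mail() {
    msg=$1
    # :0 B  -- both conditions must match somewhere in the body
    if mail_body "$msg" | grep -iq '^Content-Type:' &&
       mail_body "$msg" | grep -iEq "^.*name=.*$BAD_EXT"; then
        echo illegal-attach; return
    fi
    # :0fw * < 256000 | spamc -f -- larger mail would skip spamc entirely
    size=$(wc -c < "$msg" | tr -d ' ')
    [ "$size" -ge 256000 ] && echo "note: $size bytes, spamc not run" >&2
    # :0: * ^X-Spam-Level: fifteen stars (matches 15 or more)
    if mail_header "$msg" | grep -iEq '^X-Spam-Level: \*{15}'; then
        echo almost-certainly-spam; return
    fi
    # :0: * ^X-Spam-Status: Yes
    if mail_header "$msg" | grep -iq '^X-Spam-Status: Yes'; then
        echo probably-spam; return
    fi
    # :0: * ^Subject: *****SPAM*****
    if mail_header "$msg" | grep -iq '^Subject: \*\*\*\*\*SPAM\*\*\*\*\*'; then
        echo subject-spam; return
    fi
    echo INBOX   # no recipe matched: procmail delivers to $DEFAULT
}

# Usage demo on a constructed message carrying a dangerous attachment name.
demo_msg=$(mktemp)
printf 'From: sender@example.com\nSubject: invoice\n' > "$demo_msg"
printf 'Content-Type: multipart/mixed; boundary="b"\n\n--b\n' >> "$demo_msg"
printf 'Content-Type: application/octet-stream; name="invoice.pdf.exe"\n\n' >> "$demo_msg"
printf 'MZ...\n--b--\n' >> "$demo_msg"
classify_mail "$demo_msg"   # prints illegal-attach
rm -f "$demo_msg"
```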

Procmail is now ready for action
  • What is left is to add procmail support in /etc/mail/sendmail.mc
  • Procmail-specific attributes (optional):
    • -t  try later, do not bounce
    • -Y  Berkeley mailbox format
    • -a  argument added from the sendmail environment
    • -d  delivery mode, set user id $u (from sendmail)
  • Make sendmail.cf from sendmail.mc
  • Last, add the .procmailrc to /etc/skel so that all future users added will have .procmailrc as default

define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
FEATURE(local_procmail)dnl
MAILER(procmail)dnl

FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl

# cd /etc/mail ; m4 sendmail.mc > sendmail.cf
# rcsendmail restart
# cp ~root/.procmailrc /etc/skel

Using Greylisting
  • Spammers try to send email as quickly as possible
  • Bouncing addresses are removed from their mailing lists
  • A mail server can ask the sender to try again later if mail is coming in too fast
  • Spam emails that need to be resent are usually abandoned
  • With greylisting, sources are simply asked to resend, which gets rid of spam
  • The most popular greylist mail filter (milter) product is the milter-greylist package
  • The drawback is that mail flow can become slower
Downloading and Installing milter-greylist
  • You will have to first install the sendmail-devel software package
    • You already have it if you installed sendmail from sources
    • You can get it as an optional RPM, as we installed at the beginning of this chapter
  • Download milter-greylist
  • Untar milter-greylist
  • Configure and make milter-greylist
  • More info can be found at: http://hcpnet.free.fr/milter-greylist/

# cd /usr/local/src
# wget ftp://ftp.espci.fr/pub/milter-greylist/milter-greylist-2.0.2.tgz
# tar -xzvf milter-greylist-2.0.2.tgz
# cd milter-greylist-2.0.2 ; ./configure && make && make install

Configuring milter-greylist
  • Add the milter-greylist statements listed in the README file to your /etc/mail/sendmail.mc file:
  • Copy the correct version to your /etc/init.d and prepare it to start at boot
  • Edit the /etc/mail/greylist.conf configuration file, add or modify:
    • Here we set the "try again later" time to five minutes
    • Deactivate the timer for trusted networks so that mail is delivered immediately
  • Start the milter:

INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')

# cp rc-suse.sh /etc/init.d/milter-greylist
# chmod 755 /etc/init.d/milter-greylist
# insserv milter-greylist

greylist 5m
acl whitelist addr 192.168.0.0/16

# ln -s /etc/init.d/milter-greylist /usr/sbin/rcmilter-greylist
# rcmilter-greylist start ; rcsendmail restart

Configuring milter-greylist, continued
  • The /var/log/mail* files should be used to determine what is happening to your mail
  • A request is sent to the sender to resend the email in five minutes
  • Here email from a source is autowhitelisted for 24 hours
  • We are now done with the milter-greylist setup!

Dec 24 00:32:31 mail sendmail[28847]: jBO8WVnG028847: Milter: to=<[email protected]>, reject=451 4.7.1 Greylisting in action, please come back in 00:05:00

Dec 23 20:40:21 mail milter-greylist: jBO4eF2m027418: addr 211.115.216.225 from <[email protected]> rcpt <[email protected]>: autowhitelisted for 24:00:00
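As an added example (not milter-greylist code), a minimal file-backed model of the policy configured above, so the two log lines can be reasoned about: a new (address, sender, recipient) tuple gets the 451 and must retry after "greylist 5m", a successful retry autowhitelists the source address for 24:00:00, and addresses inside the "acl whitelist addr 192.168.0.0/16" network are never delayed. Times are passed in as epoch seconds so runs are reproducible; the state directory is assumed, not the milter's real database.

```shell
#!/bin/sh
# Added example (not milter-greylist code): a file-backed model of the
# greylisting policy from greylist.conf above. A new (addr, from, rcpt)
# tuple gets a 451 and must retry after GL_DELAY; a successful retry
# autowhitelists the source address for GL_AUTOWL seconds; addresses in
# GL_TRUSTED are never delayed. Epoch seconds are passed in by the caller.

GL_DELAY=300           # greylist 5m
GL_AUTOWL=86400        # autowhitelisted for 24:00:00
GL_TRUSTED=192.168.0.0/16
GL_TEMPFAIL="reject=451 4.7.1 Greylisting in action, please come back in 00:05:00"
GL_DB=${GL_DB:-$(mktemp -d)}   # assumed state directory, not the real one
touch "$GL_DB/tuples" "$GL_DB/autowl"

ip2int() {   # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr ADDR NET/BITS -> true if ADDR is inside the network
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# greylist_check ADDR FROM RCPT NOW -> prints the milter's decision.
greylist_check() {
    addr=$1 from=$2 rcpt=$3 now=$4
    if in_cidr "$addr" "$GL_TRUSTED"; then
        echo "accept: acl whitelist"; return
    fi
    if [ -n "$(awk -v a="$addr" -v n="$now" '$1 == a && $2 > n' "$GL_DB/autowl")" ]; then
        echo "accept: autowhitelisted"; return
    fi
    key="$addr $from $rcpt"
    first=$(awk -v k="$key" -F'\t' '$1 == k { print $2; exit }' "$GL_DB/tuples")
    if [ -z "$first" ]; then
        printf '%s\t%s\n' "$key" "$now" >> "$GL_DB/tuples"   # first sight
        echo "$GL_TEMPFAIL"; return
    fi
    if [ $(( now - first )) -lt "$GL_DELAY" ]; then           # retried too early
        echo "$GL_TEMPFAIL"; return
    fi
    printf '%s %s\n' "$addr" "$(( now + GL_AUTOWL ))" >> "$GL_DB/autowl"
    echo "accept: autowhitelisted for 24:00:00"
}

# Usage demo: first attempt, an early retry, then a retry after 5 minutes.
greylist_check 211.115.216.225 sender@example.net user@example.org 1000
greylist_check 211.115.216.225 sender@example.net user@example.org 1100
greylist_check 211.115.216.225 sender@example.net user@example.org 1400
```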

Installing Your POP/IMAP Server
  • There are several much more powerful IMAP/POP servers than the one we install. This is for demonstration only. Usually we install UW-IMAP or similar.
  • Install the dovecot IMAP/POP server
  • Activate dovecot at boot
  • Start dovecot now
  • POP and IMAP are meant to serve users and clients with centralized e-mail in a comfortable way.
  • POP and IMAP can both run in cleartext and encrypted

# rpm -ivh dovecot-debuginfo-0.99.14.rpm
# rpm -ivh mysql-shared-4.1.10a-3.i586.rpm
# rpm -ivh postgresql-libs-8.0.1-6.i586.rpm
# rpm -ivh dovecot-0.99.14-3.i586.rpm
# insserv dovecot
# rcdovecot start

Configuring Your POP/IMAP Server
  • Protocol selection in /etc/dovecot/dovecot.conf
  • Check that dovecot is listening:
  • Going from insecure POP/IMAP to secure, make the certificate
  • Change the settings to secure POP/IMAP

# Protocols we want to be serving:
# imap imaps pop3 pop3s
protocols = imap pop3

netstat -a | egrep -i 'pop|imap'
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN

# cd /usr/share/doc/packages/dovecot
# chmod a+x mkcert.sh ; ./mkcert.sh

protocols = pop3s imaps
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
disable_plaintext_auth = no
login_chroot = yes
auth_mechanisms = plain

Secure Your POP/IMAP Server
  • Check that dovecot is listening on the secure ports:
  • Troubleshooting POP mail: this example starts and makes a successful secure POP query from a remote POP client

netstat -a | egrep -i 'pop|imap'

tcp 0 0 *:pop3s *:* LISTEN

tcp 0 0 *:imaps *:* LISTEN

Aug 11 23:20:33 bigboy ipop3d[18693]: pop3s SSL service init from 172.16.1.103

Aug 11 23:20:40 bigboy ipop3d[18693]: Login user=labmanager host=172-16-1-103.my-site.com [172.16.1.103] nmsgs=0/0

Aug 11 23:20:40 bigboy ipop3d[18693]: Logout user=labmanager host=172-16-1-103.my-site.com [172.16.1.103] nmsgs=0 ndele=0

Aug 11 23:20:52 bigboy ipop3d[18694]: pop3s SSL service init from 172.16.1.103

Aug 11 23:20:52 bigboy ipop3d[18694]: Login user=labmanager host=172-16-1-103.my-site.com [172.16.1.103] nmsgs=0/0

Aug 11 23:20:52 bigboy ipop3d[18694]: Logout user=labmanager host=172-16-1-103.my-site.com [172.16.1.103] nmsgs=0 ndele=0

How To Configure Your Windows Mail Programs
  • All your POP e-mail accounts are really only regular Linux user accounts in which sendmail has deposited mail.
  • You can now configure your e-mail client, such as Outlook Express, to use your new POP/SMTP mail server quite easily.
  • To configure POP mail, set your POP mail server to be the IP address of your Linux mail server.
  • Use your Linux username and password when prompted.
  • Next, set your SMTP mail server to be the IP address/domain name of your Linux mail server.
  • You can use a similar setup for IMAP
  • For secure IMAP/POP you have to select SSL in the advanced settings for incoming e-mail.
Conclusions
  • Sendmail is the most used mail server
  • The macro file sendmail.mc is used together with m4 to make sendmail.cf
  • Sendmail configuration lives in /etc/mail
  • The mail server keeps all users' inboxes in /var/spool/mail
  • To prevent SPAM and unauthorized access, RELAY is used for allowed sites in /etc/access
  • You have to type make and newaliases after editing the sendmail configuration
  • Sendmail can use DNS blacklists to prevent spam directly
  • Spamassassin can be used to wash mail from SPAM, but Spamassassin only MARKS and classifies mail.
  • Rules Du Jour can update Spamassassin filters automatically
  • Procmail is used to process the mail (dropping, moving, truncating) and is driven by regular expressions
  • Greylisting is a complementary SPAM-blocking mechanism based on asking senders to resend, as under heavy load.
  • IMAP/POP can be used to serve users with centralized e-mail in a comfortable way.