Fighting spam spamassassin
Download
1 / 21

Fighting SPAM Spamassassin - PowerPoint PPT Presentation


  • 106 Views
  • Uploaded on

Fighting SPAM Spamassassin. Statistical based on factors such as banned words and acronyms None plane text or strange ascii coding in mail header HTML body with pictures and links. Sending/Recieving User exists

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Fighting SPAM Spamassassin' - deborah-wilder


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Fighting spam spamassassin
Fighting SPAM Spamassassin

  • Statistical based on factors such as

    banned words and acronyms

  • None plane text or strange ascii coding in mail header

  • HTML body with pictures and links.

  • Sending/Recieving User exists

  • File attachement, extra inspection by external program for viruses and trojans

  • Black DNS, blacklisted domains/IP/hosts

  • E-Mails per second, DOS/SPAM

  • Email Relaying and hops

  • Help from external databases like: Pyzor Razor

  • Spamassassin does not delete mail, it marks mail as SPAM and classify the severity


Downloading and installing spamassassin rpm
Downloading And Installing Spamassassin RPM

  • From sources: http://spamassassin.apache.org/

  • From rpm:

  • Starting Spamassassin at boot

  • Startup Spamassassin

  • Spamassassin configuration sit in /etc/mail/spamassassin and /usr/share/spamassassin/

    local.cf and init.pre

  • Spamassassin comes preconfigured

  • If you install from sources, dont install from RPM first!

# rpm –ivh perl-Digest-HMAC-1.01-495.i586.rpm

# rpm –ivh perl-HTML-Tagset-3.04-3.i586.rpm

# rpm –ivh perl-HTML-Parser-3.45-3.i586.rpm

# rpm –ivh perl-Net-DNS-0.48-3.i586.rpm

# rpm –ivh perl-spamassassin-3.0.2-4.i386.rpm

# rpm –ivh spamassassin-3.0.2-4.i386.rpm

# rpm –ivh spamassassin-3.0.2-4.i386.rpm

# insserv spamd on

# /etc/init.d/spamd start


Configuring spamassassin
Configuring Spamassassin

  • The spamassassin main configuration file is named

    • /etc/mail/spamassassin/local.cf

  • A full listing of all the options available

    in the local.cf file can be found in the

    Linux man pages using the following

    command

  • The spamassassin plugins file init.pre

  • Spamassassin searches /etc/mail/spamassassin and /usr/share/spamassassin for .pre and .cf files to read in

  • All users home can contain $HOME/.spamassassin/

  • Spamassassin is written in PERL

  • Spamassasin is 2 components the server spamd and client spamc

  • required_hits 5.0

    whitelist_from *home.se

    rewrite_subject 1

    subject_tag *****SPAM*****

    report_safe 1

    use_terse_report 0

    use_bayes 1

    auto_learn 1

    skip_rbl_checks 0

    use_razor2 1

    use_dcc 1

    use_pyzor 1

    ok_languages en

    ok_locales en sv fi

    # man Mail::SpamAssassin::Conf

    loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

    loadplugin Mail::SpamAssassin::Plugin::Hashcash

    loadplugin Mail::SpamAssassin::Plugin::SPF


    Testing spamassassin
    Testing spamassassin

    • Test the validity of your local.cf and the other files

    • Startup spamassassin

      • If you installed from ”source” you will need to write a proper start and stop script yourself

    • Tuning spamassassin by adjusting the required_hits value in the local.cf file

    • Sample mail header tagged by spamassassin, here nigerian scam

    # spamassassin -d –lint

    Created user preferences file: /root/.spamassassin/user_prefs config: SpamAssassin failed to parse line, skipping: use_terse_report 0 config: SpamAssassin failed to parse line, skipping: auto_learn 1 lint: 2 issues detected. please rerun with debug enabled for more information.

    # /etc/init.d/spamd start

    required_hits 5.0

    X-Spam-Status: Yes, score=20.1 required=2.1 tests=DEAR_FRIEND, DNS_FROM_RFC_POST,FROM_ENDS_IN_NUMS,MSGID_FROM_MTA_HEADER,NA_DOLLARS, NIGERIAN_BODY1,NIGERIAN_BODY2,NIGERIAN_BODY3,NIGERIAN_BODY4, RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBL,RISK_FREE,SARE_FRAUD_X3, SARE_FRAUD_X4,SARE_FRAUD_X5,US_DOLLARS_3 autolearn=failed version=3.0.4


    The rules du jour spamassassin tool
    The Rules du Jour Spamassassin Tool

    • Rules Du Jour is a script who downloads filtering rules for Spamassassin.

    • The script is available here: http://sandgnat.com/rdj/rules_du_jourand it is intended to be run from a cron job on daily basis.

    • The /etc/rulesdujour/config Configuration File

      • SA_DIR path to spamassassin

      • MAIL_ADDRESS who recieves status messages

      • SA_RESTART howto restart spamassassin after new rules is installed

      • TRUSTED_RULESETSspace delimited line with filter rules to use

    SA_DIR="/etc/mail/spamassassin" MAIL_ADDRESS="[email protected]" SA_RESTART="service spamd restart" TRUSTED_RULESETS="TRIPWIRE SARE_ADULT SARE_OBFU SARE_URI0 SARE_URI1 ANTIDRUG SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_FRAUD SARE_HEADER0 SARE_HEADER2 SARE_HTML0 SARE_SPECIFIC SARE_BML SARE_GENLSUBJ0 SARE_GENLSUBJ2 SARE_WHITELIST"


    Installing rules du jour
    Installing Rules du Jour

    1) Download the rules_du_jour script with the wget command, make it executable and place it in the /usr/local/bin directory. The script is available here: http://sandgnat.com/rdj/rules_du_jourand it is intended to be run from a cron job on daily basis.

    2) Create and edit your /etc/rulesdujour/config configuration file.

    3) Run the rules_du_jour script, and then run spamassassin in lint mode to test for errors. There should be none.

    4) The final step is to add /usr/local/bin/rules_du_jour to your cron table. In this case, crontab –e

    # wget http://sandgnat.com/rdj/rules_du_jour

    # chmod 700 rules_du_jour

    # mv rules_du_jour /usr/local/bin

    # mkdir -p /etc/rulesdujour

    # vi /etc/rulesdujour/config

    # /usr/local/bin/rules_du_jour

    0 23 * * * root /usr/local/bin/rules_du_jour


    Setting up procmail for spamassassin
    Setting up procmail for spamassassin

    • Procmail is a mail processor it can search the mail header and body for patterns, keys and attributes

    • Procmail uses regular expressions to find or extract keys

    • Procmail can move/trunctate/delete andmake calls to external programs based on conditions

    • Procmail has a mandatory file used in situations where individual users does not have one, /etc/procmailrc

    • The user configurable procmail file is $HOME/.procmail

    • Procmail ”home” is very helpful tolearnmoreabout the powerful procmail: http://www.procmail.org/


    Getting procmail installed
    Getting procmail installed

    • Install procmail from RPM

    • Download procmail source

    • Build procmail source

    • Inspect procmail builded appz

    • Install procmail sources (all the new/ -files)

    # rpm –ivh procmail-3.22-41

    # rpm –ivh procmail-debuginfo-3.22-41

    # cd /usr/local/src ; wget http://www.procmail.org/procmail-3.22.tar.gz

    # cd procmail-3.22 ; make

    . . .

    # make install

    # ls new/

    # make install-suid

    Or type

    # make install


    Procmail configuration for spamassassin
    Procmail configuration for Spamassassin

    • Procmail comes unconfigured as RPM and Sources

    • If you install procmail from source you have sample configuration to start with in the sourcetree /usr/local/src/procmail-3.22/examples

    • You will need to modify the sample config or re do everything from scratch

      • Here we first copy one of the examples to the mandatory procmail settings

      • Secondly we copy it into user root’s personal settings

    • Procmail haves to configuration sets:

      • Mandatory default procmailrc

      • Personal .procmailrc

    # cp examples/3procmailrc /etc/procmailrc

    # cp examples/3procmailrc ~root/.procmailrc


    Procmail mandatory etc procmailrc
    Procmail mandatory /etc/procmailrc

    • Procmailrc has a number of settings & enviroment vars

      • DROPPRIVS =YES lower priviledges to recieving user level

      • VERBOSE=ON log level details

      • MAILDIR=$HOME/Mail User home maildir

      • DEFAULT=$MAILDIR/mbox User home mail database file

      • LOGFILE=$MAILDIR/from where to log procmail activities

      • LOCKFILE=$HOME/lockmail protect procmail processing

      • COMPANY=PHW General enviroment variable

    • Procmail is driven by regular expressions

      This very first rule starts spamc if email

      size is less than 256000 bytes

      The last rule will move the 

      Email if X-Spam-Status: Yes

      is set in the email header

    :0fw

    * < 256000

    | /usr/bin/spamc -f

    :0:

    {

    EXITCODE=$?

    }

    :0:

    * ^X-Spam-Status: Yes

    $HOME/IMAP-$COMPANY/SPAM


    Procmail userdefine home procmailrc
    Procmail userdefine $HOME/.procmailrc

    • This rule will move all files with lastnames to directory illegal-attach

    • All email less than 250K is

      processed by spamc

    • All email marked with

      spamlevel greater than 15

      is moved to directory

      almost-certenly-spam

    • All mail who accumulated

      more than required_hits

      is moved to directory probely-spam

    • All mail who has subject

      *****SPAM***** is moved to

      directory subject-spam

    :0 B

    * ^Content-Type:.*

    * ^.*name=.*\.(hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm|dll|SCR)

    illegal-attach

    :0fw

    * < 256000

    | /usr/bin/spamc -f

    :0:

    * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

    almost-certainly-spam

    :0:

    * ^X-Spam-Status: Yes

    probably-spam

    :0:

    * ^Subject: \*\*\*\*\*SPAM\*\*\*\*\*

    subject-spam


    Procmail is now ready for action
    Procmail is now ready for action

    • Now it is left to add procmail support in /etc/mail/sendmail.mc

    • Procmail specified attributes (optional)

      -t try later, do not bounce

      -YBerkeley mailbox format

      -a argument added from sendmail enviroment

      -d delivery mode, set userid $u (from sendmail)

    • Make the sendmail.mc

    • Last add the .procmailrc to /etc/skel

      • So all future users added will have

        .procmailrc as default

    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl

    FEATURE(local_procmail)dnl

    MAILER(procmail)dnl

    FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl

    # cd /etc/mail ; m4 sendmail.mc > sendmail.cf

    # rcsendmail restart

    # cp ~root/.procmail /etc/skel


    Using greylisting
    Using Greylisting

    • Spammers try to send email as quickly as possible

    • Bouncing mails is removed from their mailing lists

    • Mailserver can ask the sender to try again later if mails coming in tofast

    • Spam emails that need to be resent are usually abandoned

    • With greylisting, sources are just asked to resend and thereby getting rid of spam

    • The most popular greylist mail filter (milter) products is the milter-greylist package

    • Drawback is mail-flow can become slower


    Downloading and installing milter greylist
    Downloading and Installing milter-greylist

    • You will have to first install the sendmail-devel software package

      • You already have it if you installed sendmail from sources

      • You can get it as optional RPM, as we installed in beginning of this chapter

    • Download greylist-milter

    • Untar milter-greylist

    • Configure and make milter-greylist

    • More info can be found at: http://hcpnet.free.fr/milter-greylist/

    # cd /usr/local/src

    # wget ftp://ftp.espci.fr/pub/milter-greylist/milter-greylist-2.0.2.tgz

    # tar -xzvf milter-greylist-2.0.2.tgz

    # ./configure && make && make install


    Configuring milter greylist
    Configuring milter-greylist

    • Add the milter-greylist statements listed in the README file to your /etc/mail/sendmail.mc file:

    • Copy the correct version to your /etc/init.d and prepare it to start at boot

    • Edit the /etc/mail/greylist.conf configuration file, add modify:

      Here we set the “try again later” to five minutes

      Deactivate the timer for trusted networks so that mail is delivered immediately

    • Start the milter:

    INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock') define(`confMILTER_MACROS_CONNECT', `j, {if_addr}') define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}') define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}') define(`confMILTER_MACROS_ENVRCPT', `{greylist}')

    # cp rc-suse.sh /etc/init.d/milter-greylist

    # chmod 755 /etc/init.d/milter-greylist

    # insserv milter-greylist

    greylist 5m

    acl whitelist addr 192.168.0.0/16

    # ln –s /etc/init.d/milter-greylist /usr/sbin/rcmilter-greylist

    # rcmilter-greylist start ; rcsendmail restart


    Configuring milter greylist contined
    Configuring milter-greylist, contined

    • The /var/log/mail* files should be used to determine what is happening to your mail

    • A request is sent to the sender to resend the email in five minutes

    • Here email from a source is autowhitelisted for 24 hours

    • We are now done with milter greylist setup!

    Dec 24 00:32:31 mail sendmail[28847]: jBO8WVnG028847: Milter: to=<[email protected]>, reject=451 4.7.1 Greylisting in action, please come back in 00:05:00

    Dec 23 20:40:21 mail milter-greylist: jBO4eF2m027418: addr 211.115.216.225 from <[email protected]> rcpt <[email protected]>: autowhitelisted for 24:00:00


    Installing your pop imap server
    Installing Your POP/IMAP Server

    • There are several much more powerful IMAP/POP servers than the one we install. This is for demonstration only. Usally we install UW-IMAP or similar.

    • Install the dovecot IMAP/POP server

    • Activate dovecot at boot

    • Start dovecot now

    • Pop and Imap is purposed to serve users and clients with centralized email in a comfortable way.

    • Pop and Imap can be both run as cleartext and cryptated

    # rpm –ivh dovecot-debuginfo-0.99.14.rpm

    # rpm –ivh mysql-shared-4.1.10a-3.i586.rpm# rpm –ivh postgresql-libs-8.0.1-6.i586.rpm

    # rpm –ivh dovecot-0.99.14-3.i586.rpm

    # insserv dovecot

    # rcdovecot start


    Configuring your pop imap server
    Configuring Your POP/IMAP Server

    • Protocol selection in /etc/dovecot/dovecot.conf

    • Check that dovecot is listening:

    • Going from insecure pop/imap to secure, make the certificate

    • Change settings to

      secure pop/imap

    # Protocols we want to be serving:

    # imap imaps pop3 pop3s

    protocols = imap pop3

    netstat -a | egrep -i 'pop|imap'

    tcp 0 0 *:pop3 *:* LISTEN

    tcp 0 0 *:imap *:* LISTEN

    # cd /usr/share/doc/packages/dovecot

    # chmod a+x mkcert.sh ; ./ mkcert.sh

    protocols = pop3s imaps

    ssl_disable = no

    ssl_cert_file = /etc/ssl/certs/dovecot.pem

    ssl_key_file = /etc/ssl/private/dovecot.pem

    ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat

    disable_plaintext_auth = no

    login_chroot = yes

    auth_mechanisms = plain


    Secure your pop imap server
    Secure Your POP/IMAP Server

    • Check that dovecot is listening on the secure ports:

    • Troubleshooting POP Mail, this example starts and makes a successful secure POP query from a remote POP client

    netstat -a | egrep -i 'pop|imap'

    tcp 0 0 *:pop3s *:* LISTEN

    tcp 0 0 *:imaps *:* LISTEN

    Aug 11 23:20:33 bigboy ipop3d[18693]: pop3s SSL service init from 172.16.1.103

    Aug 11 23:20:40 bigboy ipop3d[18693]: Login user=labmanager host=172-16-1-103.my-site.com [172.16.1.103] nmsgs=0/0

    Aug 11 23:20:40 bigboy ipop3d[18693]: Logout user=labmanager host=172-16-1-103.my-site.com [172.16.1.103] nmsgs=0 ndele=0

    Aug 11 23:20:52 bigboy ipop3d[18694]: pop3s SSL service init from 172.16.1.103

    Aug 11 23:20:52 bigboy ipop3d[18694]: Login user=labmanager host=172-16-1-103.my-site.com [172.16.1.103] nmsgs=0/0

    Aug 11 23:20:52 bigboy ipop3d[18694]: Logout user=labmanager host=172-16-1-103.my-site.com [172.16.1.103] nmsgs=0 ndele=0


    How to configure your windows mail programs
    How To Configure Your Windows Mail Programs

    • All your POP e-mail accounts are really only regular Linux user accounts in which sendmail has deposited mail.

    • You can now configure your e-mail client such as Outlook Express to use your use your new POP/SMTP mail server quite easily.

    • To configure POP Mail, set your POP mail server to be the IP address of your Linux mail server.

    • Use your Linux user username and password when prompted.

    • Next, set your SMTP mail server to be the IP address/domain name of your Linux mail server.

    • You can use similar setup for IMAP

    • For secure IMAP/POP you have to select SSL in advanced settings for incoming e-mail.


    Conclusions
    Conclusions

    • Sendmail is the most used mailserver

    • The macrofile sendmail.mc is used togeather with m4 to make sendmail.cf

    • Sendmail configuration lives in /etc/mail

    • The mailserver keep all users inboxes in /var/spool/mail

    • To prevent SPAM and unauthorized access RELAY is used for allowed sites in /etc/access

    • You have to type make and newaliases after editing sendmail configuration

    • Sendmail can use dns blacklists to prevent spam directly

    • Spamassassin can be used to wash mail from SPAM, but Spamassassin does only MARK and classify mail.

    • Rules Du Jour can update Spamassassin filters automatically

    • Procmail is used to process the mail, like dropping, moving, trunctating and is driven by regular expressions

    • Greylisting is a complementing SPAM blocking mechanism based on email resend due to heavy load messages.

    • IMAP/POP can be used to server users with centralized e-mail in a comfortable way.


    ad