Download
waikato linux users group monday 27 th october 2003 craig box http www wlug org nz craigbox n.
Skip this Video
Loading SlideShow in 5 Seconds..
Anti-Virus and Anti-Spam PowerPoint Presentation
Download Presentation
Anti-Virus and Anti-Spam

Anti-Virus and Anti-Spam

615 Views Download Presentation
Download Presentation

Anti-Virus and Anti-Spam

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Waikato Linux Users Group Monday 27th October 2003 Craig Box http://www.wlug.org.nz/CraigBox Anti-Virus and Anti-Spam

  2. Happy Birthday To Me

  3. Synopsis • Why viruses in Linux are not an issue • Setting up a mail server with virus and spam filtering • Client side filtering • Bayesian filtering & Mozilla Mail • SpamAssassin in Evolution/KMail • Using DNS to stop spam • Virus scanning of cached web pages

  4. Viruses • Not a threat • Viruses in the wild: Near to none • Staog – attempted root exploits • Bliss - “polite” virus • Slapper – exploits Apache • Virus must • run • be able to write to executables • spread • This is why Unix users claim LindowsOS is broken

  5. Viruses 2 • A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread. • If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning -- even before news reports start to raise the awareness level of potential victims.

  6. Why do I bother then? • Windows viruses • Sophos: “87% of all reports of infections during 2002 concerned Windows viruses.” • 7,189 new viruses/worms/trojans – total of more than 78,000. On average, the Sophos virus labs produce detection routines for more than 25 new viruses each day. • Most are variants but still very deadly • The Wildlist – 248 viruses currently “in the wild”

  7. Unix virus scanners • Many commercial vendors have a product • Open source open definitions – ClamAV • The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is kept up to date • ClamAV currently detects 9886 viruses • Updates are regular and definition distribution method is sensible (unlike some AV vendors!)

  8. Protecting Windows networks • Linux firewall stops gateway worms • Inherent gain from NAT, but many losses • Electronic Mail • Web browsing

  9. Email Scanning on Linux • Run this on your gateway machine • Easy to protect a SMTP network by changing MX records • Easy to protect a POP3 server by running fetchmail and a simple mail server such as Courier IMAP • Debian Woody + Exim 3 + Amavis: • http://ente.limmat.ch/linux/exim_v3_-_amavisd-new.html

  10. Fetching mail with Debian • Install Courier IMAP • Install SpamAssassin & Amavis from aurel32 backport repository • Amavis vs. MailScanner • MailScanner is tidier, more maintained and does other useful things (eg. regexp checking) • Amavis only requires a single queue so fits into Exim's model more and is simpler • To get the mail into this system, get Fetchmail and point your email client to your new local mail server

  11. Client side filtering • Server must apply all spam filtering rules to all users • Not everyone gets the same spam – filtering words with predefined score fails in some cases • Allows you to do Bayesian filtering • Per user • Works based on word frequency in pre-seeded spam/non-spam (“ham”) • Paul Graham's “A Plan for Spam” • No longer the best method but a very interesting read

  12. Evolution Filtering • SpamAssassin can be plugged into Evolution via email filters • Server output: • filter on X-Spam-Flag contains YES • Running on local machine • spamassassin -P -e > /dev/null • Returns 1 if spam • But does not score spam in headers • Very similar for Kmail – see Wiki for link

  13. Procmail method .forward: "|exec /usr/bin/procmail" .procmailrc: SHELL = /bin/sh MAILDIR = $HOME/Mail LOGFILE = _logfile VERBOSE = no LOGABSTRACT = all PATH = /bin:/usr/bin:/sbin:/usr/sbin # If the mail is larger than 255k than skip spamassasin :0fw: spamassassin.lock * < 256000 | /usr/bin/spamc # Move very large spam out before I see it =20 :0: * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\* caughtspam

  14. Bayesian Filtering • Natively implemented in: • MacOS X's Mail.app • Mozilla Mail (Cross platform) • Outlook – SpamBayes plugin • Popfile • Buttons in the mail client • Mark as junk • Mark as not junk

  15. Extra for experts • Using DNS to stop spam • Basic idea: only the authorative person for a domain can decide who can send messages appearing from that domain • Domains publish "reverse MX" records to tell the world what machines send mail from the domain. • People can still spam from their own domain, but it can be accurately traced, and few ISPs legitimately allow spammers

  16. Virus scanning Web pages • Use a caching proxy server & content filter • Squid • DansGuardian • Anti-Virus patch • Downloads each page and then scans it • Uses MailScanner's engine • Supports F-Prot and ClamAV

  17. See also • Viruses • Staog - http://www.f-secure.com/v-descs/staog.shtml • Bliss - http://math-www.uni-paderborn.de/~axel/bliss/ • Slapper - http://www.sophos.com/virusinfo/analyses/linuxslappera.html • ELF Virus Writing HOWTO - http://www.lwfug.org/~abartoli/virus-writing-HOWTO/_html/ • Windows vs. Linux Viruses: http://librenix.com/?inode=21 • Windows vs. Linux Viruses: http://www.theregister.co.uk/content/56/33226.html • The Wild List - http://www.wildlist.org/ • Amavis • A Mail Anti-Virus Scanner: http://www.amavis.org/ • Debian Amavis/SpamAssassin HOWTO: http://ente.limmat.ch/linux/exim_v3_-_amavisd-new.html • ClamAV • Clam Anti-Virus: http://clamav.elektrapro.com/ • Web based submission test: http://www.gietl.com/test-clamav/ • Bayesian Filtering • A Plan For Spam: http://www.paulgraham.com/spam.html • Mozilla's built in bayesian filtering: http://www.mozilla.org/mailnews/spam.html • Client Side Filtering with SpamAssassin • Evolution: http://krath.dk/linux/evolution_spamfilter/ • Kmail: http://kmail.kde.org/tools.html • DNS based prevention • Proposals for DNS based email acceptance: http://www.irtf.org/asrg/survey_of_proposals.htm • Senders Permitted From: http://spf.pobox.com/ • Web scanning • Dans Guardian AV plugin: http://www.pcxperience.org/dgvirus/