Waikato Linux Users Group

Monday 27th October 2003

Craig Box


Anti-Virus and Anti-Spam

Synopsis
  • Why viruses in Linux are not an issue
  • Setting up a mail server with virus and spam filtering
  • Client side filtering
    • Bayesian filtering & Mozilla Mail
    • SpamAssassin in Evolution/KMail
  • Using DNS to stop spam
  • Virus scanning of cached web pages

Viruses
  • Not a threat
  • Viruses in the wild: Near to none
    • Staog – attempted root exploits
    • Bliss – “polite” virus
    • Slapper – exploits Apache
  • Virus must
    • run
    • be able to write to executables
    • spread
    • This is why Unix users claim LindowsOS is broken
Viruses 2
  • A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread.
  • If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning -- even before news reports start to raise the awareness level of potential victims.
Why do I bother then?
  • Windows viruses
    • Sophos: “87% of all reports of infections during 2002 concerned Windows viruses.”
    • 7,189 new viruses/worms/trojans – total of more than 78,000. On average, the Sophos virus labs produce detection routines for more than 25 new viruses each day.
    • Most are variants but still very deadly
  • The Wildlist – 248 viruses currently “in the wild”
Unix virus scanners
  • Many commercial vendors have a product
  • Open source, open definitions – ClamAV
    • The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is kept up to date
  • ClamAV currently detects 9886 viruses
    • Updates are regular and definition distribution method is sensible (unlike some AV vendors!)
Protecting Windows networks
  • Linux firewall stops gateway worms
    • Inherent gain from NAT, but many losses
  • Electronic Mail
  • Web browsing
Email Scanning on Linux
  • Run this on your gateway machine
  • Easy to protect an SMTP network by changing MX records
  • Easy to protect a POP3 server by running fetchmail and a simple mail server such as Courier IMAP
  • Debian Woody + Exim 3 + Amavis:
    • http://ente.limmat.ch/linux/exim_v3_-_amavisd-new.html
Fetching mail with Debian
  • Install Courier IMAP
  • Install SpamAssassin & Amavis from aurel32 backport repository
  • Amavis vs. MailScanner
    • MailScanner is tidier, better maintained and does other useful things (e.g. regexp checking)
    • Amavis only requires a single queue so fits into Exim's model more and is simpler
  • To get the mail into this system, get Fetchmail and point your email client to your new local mail server
Client side filtering
  • Server must apply all spam filtering rules to all users
    • Not everyone gets the same spam – filtering words with predefined score fails in some cases
  • Allows you to do Bayesian filtering
    • Per user
    • Works based on word frequency in pre-seeded spam/non-spam (“ham”)
  • Paul Graham's “A Plan for Spam”
    • No longer the best method but a very interesting read
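An added example (not code from the talk) of the word-frequency scheme the slide refers to, following Paul Graham's "A Plan for Spam": ham counts are doubled, rare tokens are ignored, per-token probabilities are clamped to [0.01, 0.99], and the 15 most "interesting" tokens are combined. The training corpora below are constructed and far too small for real use.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$'-]+")

def tokenize(text):
    """Lower-case word tokens; '$' and '-' count as word characters, as in Graham's scheme."""
    return TOKEN_RE.findall(text.lower())

def train(spam_msgs, ham_msgs, min_count=5):
    """Return {token: P(spam | token)} using Graham's weighting.

    Ham counts are doubled to bias against false positives, tokens seen fewer
    than min_count times in total are ignored, and probabilities are clamped.
    """
    bad = Counter(t for m in spam_msgs for t in tokenize(m))
    good = Counter(t for m in ham_msgs for t in tokenize(m))
    nbad, ngood = len(spam_msgs), len(ham_msgs)
    probs = {}
    for tok in set(bad) | set(good):
        b, g = bad[tok], 2 * good[tok]
        if b + g < min_count:
            continue
        p = min(1.0, b / nbad) / (min(1.0, g / ngood) + min(1.0, b / nbad))
        probs[tok] = min(0.99, max(0.01, p))
    return probs

def spam_probability(message, probs, n_interesting=15, unknown=0.4):
    """Combine the n tokens whose probability lies furthest from 0.5; unseen tokens get 0.4."""
    ps = [probs.get(t, unknown) for t in set(tokenize(message))]
    ps.sort(key=lambda p: abs(p - 0.5), reverse=True)
    ps = ps[:n_interesting]
    if not ps:
        return unknown
    prod, inv = math.prod(ps), math.prod(1 - p for p in ps)
    return prod / (prod + inv)

def is_spam(message, probs, threshold=0.9):
    return spam_probability(message, probs) > threshold

# Constructed training corpora (real use needs hundreds of messages of each kind).
SPAM = ["free viagra click now", "click here for free prizes",
        "free viagra click cheap offer", "win free money click",
        "cheap viagra now free click"]
HAM = ["linux users group meeting monday", "the meeting about exim is monday",
       "talk on linux mail server setup", "agenda for monday group meeting",
       "exim and spamassassin on linux"]

if __name__ == "__main__":
    probs = train(SPAM, HAM)
    for msg in ("free viagra click", "linux group meeting monday"):
        print(f"{msg!r}: {spam_probability(msg, probs):.4f} spam={is_spam(msg, probs)}")
```

Because the corpora are so small, "viagra" (seen only three times) never gets a probability and is treated as an unknown token; that is exactly why a per-user filter needs pre-seeding with a decent amount of both spam and ham.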
Evolution Filtering
  • SpamAssassin can be plugged into Evolution via email filters
  • Server output:
    • filter on X-Spam-Flag contains YES
  • Running on local machine
    • spamassassin -P -e > /dev/null
    • Returns 1 if spam
    • But does not score spam in headers
  • Very similar for KMail – see Wiki for link
Procmail method

~/.forward:

"|exec /usr/bin/procmail"

~/.procmailrc:

SHELL=/bin/sh
LOGFILE=_logfile
PATH=/bin:/usr/bin:/sbin:/usr/sbin

# If the mail is larger than 255k then skip spamassassin
:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamc

# Move very large spam out before I see it
# (the recipe header and the destination folder were missing from the slide;
# the folder name below is a placeholder, choose your own)
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*
probably-spam

Bayesian Filtering
  • Natively implemented in:
    • MacOS X's Mail.app
    • Mozilla Mail (Cross platform)
    • Outlook – SpamBayes plugin
    • Popfile
  • Buttons in the mail client
    • Mark as junk
    • Mark as not junk
Extra for experts
  • Using DNS to stop spam
    • Basic idea: only the authoritative person for a domain can decide who can send messages appearing from that domain
    • Domains publish "reverse MX" records to tell the world what machines send mail from the domain.
    • People can still spam from their own domain, but it can be accurately traced, and few ISPs legitimately allow spammers
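A cut-down evaluator for the kind of SPF ("Sender Permitted From") record the slide describes, added here as an illustration and not taken from the talk. DNS lookups are replaced by a constructed in-memory table so it runs offline, and only the ip4, mx, include and all mechanisms are handled (the real specification has more, and treats an unknown mechanism as an error rather than skipping it).

```python
import ipaddress

# Constructed records standing in for DNS: a TXT policy plus MX and A data.
DNS = {
    "example.org": {
        "txt": "v=spf1 mx ip4:203.0.113.0/24 include:relay.example.net -all",
        "mx": ["mail.example.org"],
    },
    "mail.example.org": {"a": ["198.51.100.25"]},
    "relay.example.net": {"txt": "v=spf1 ip4:192.0.2.10 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none for mail from ip claiming to be from domain."""
    record = DNS.get(domain, {}).get("txt")
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no policy published (or an include loop): the domain says nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            # the domain's inbound mail hosts are also allowed to send for it
            hosts = DNS.get(arg or domain, {}).get("mx", [])
            matched = any(str(addr) in DNS.get(h, {}).get("a", []) for h in hosts)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            continue  # unsupported mechanism, skipped in this cut-down version
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no trailing "all"

if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.77", "192.0.2.10", "192.0.2.99"):
        print(ip, "->", check_host(ip, "example.org"))
```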
Virus scanning Web pages
  • Use a caching proxy server & content filter
    • Squid
    • DansGuardian
  • Anti-Virus patch
    • Downloads each page and then scans it
    • Uses MailScanner's engine
    • Supports F-Prot and ClamAV
See also
  • Viruses
    • Staog - http://www.f-secure.com/v-descs/staog.shtml
    • Bliss - http://math-www.uni-paderborn.de/~axel/bliss/
    • Slapper - http://www.sophos.com/virusinfo/analyses/linuxslappera.html
    • ELF Virus Writing HOWTO - http://www.lwfug.org/~abartoli/virus-writing-HOWTO/_html/
    • Windows vs. Linux Viruses: http://librenix.com/?inode=21
    • Windows vs. Linux Viruses: http://www.theregister.co.uk/content/56/33226.html
    • The Wild List - http://www.wildlist.org/
  • Amavis
    • A Mail Anti-Virus Scanner: http://www.amavis.org/
    • Debian Amavis/SpamAssassin HOWTO: http://ente.limmat.ch/linux/exim_v3_-_amavisd-new.html
  • ClamAV
    • Clam Anti-Virus: http://clamav.elektrapro.com/
    • Web based submission test: http://www.gietl.com/test-clamav/
  • Bayesian Filtering
    • A Plan For Spam: http://www.paulgraham.com/spam.html
    • Mozilla's built in bayesian filtering: http://www.mozilla.org/mailnews/spam.html
  • Client Side Filtering with SpamAssassin
    • Evolution: http://krath.dk/linux/evolution_spamfilter/
    • KMail: http://kmail.kde.org/tools.html
  • DNS based prevention
    • Proposals for DNS based email acceptance: http://www.irtf.org/asrg/survey_of_proposals.htm
    • Senders Permitted From: http://spf.pobox.com/
  • Web scanning
    • Dans Guardian AV plugin: http://www.pcxperience.org/dgvirus/