
Exchange 2003 and SPAM Fighting

Exchange 2003 and SPAM Fighting. Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 7 September 2014. Agenda. Exchange 2003 upgrade Mail Gateways upgrade Spam Fighting Evolution. Status of the update.


Presentation Transcript


  1. Exchange 2003 and SPAM Fighting
  Emmanuel Ormancey, Rafal Otto
  Internet Services Group, Department of Information Technology, CERN
  7 September 2014

  2. Agenda
  • Exchange 2003 upgrade
  • Mail Gateways upgrade
  • Spam Fighting Evolution
  Rafal Otto (IT/IS)

  3. Status of the update
  • Update of the server software started during the summer.
  • ~2000 (15%) users moved to the new servers.
  • Migration should end this year.
  • Transparent: users are warned by email to close their client during the night.

  4. New Features
  • Webmail:
    • New interface; display and navigation speed were improved.
    • New features, like creating server-side filtering rules (useful for IMAP users).
  • Mobile features:
    • Pocket PC can synchronize directly with the server.
  • Cached mode:
    • Download headers only (useful on a slow connection).
  • RPC over HTTP:
    • Connect from outside CERN, without VPN or ISA Server.
    • Uses HTTP over SSL, so the connection is secure.

  5. Agenda
  • Exchange 2003 upgrade
  • Mail Gateways upgrade
  • Spam Fighting Evolution

  6. Why a new architecture?
  • Spam and virus attacks were increasing dramatically; something had to be done.
  • Floods happened more and more often.
  • Detection of problems must be quick, and must raise alarms when manual intervention is needed.
  • The old architecture was very complex: any modification could create unexpected side effects.
  • It was running on old servers; new hardware was needed.
  The mail service had been running for many years, had been modified by many different teams, many different features had been added, and the stores were migrated to MMM, giving this architecture…

  7. Old architecture
  [Diagram: Users and Outside CERN connect to a set of front-end hosts (smtp3 / smtp, smtp4 / mint, mail3, mail5, mail6, mail7, mail8, two Antivirus hosts) which relay to the Exchange Back Ends, Other Sendmail hosts, Listbox4 and Mmm (Front Ends).]

  8. New architecture
  [Diagram: Authenticated Users and Outside CERN connect to cernmxlb, which load-balances over cernmx01 to cernmx06 (Antivirus, Antispam, Antiflood). The gateways relay to the Exchange Back Ends, Other Sendmail hosts, Listbox4 and Mmm (Front Ends); one Trusted host bypasses the gateway checks.]

  9. Feature Overview
  [Diagram: mail from the Internet / Outside CERN passes through four stages before reaching the Exchange Back-Ends / Other CERN Mail Servers as clean mail carrying a Spam header.]
  • Low level Spam Filter: ESRE (Evident Spam Rejection based on Envelope), looking at IP, From and To: DNS checks and internal blacklists. Action: Reject.
  • Anti Flood System: IFD (Intelligent Flood Detection). Action: Reject if 500 mails in 10 minutes.
  • Content Spam Filter: SpamKiller, content-based intelligent detection. Adds a header with the Spam Detection Score. Action: Reject if the score is too high.
  • Virus Scanning: Symantec Antivirus for Exchange. Cleans viruses and removes un-cleanable files.
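The envelope-level stages above (ESRE and IFD) reject before any message content is read. The following is an added example, not the CERN gateway's own code: a simplified envelope gate with a reverse-DNS check, internal blacklists and a sliding-window flood detector using the "500 mails in 10 minutes" threshold from the diagram. The reverse-DNS table, blacklists and sample envelopes are constructed so that it runs offline; the SMTP reply codes follow the usual 550 (permanent) / 451 (temporary) convention, which the slide does not specify.

```python
from collections import Counter, deque

FLOOD_LIMIT = 500        # "if 500 mails in 10 minutes" from the feature overview
FLOOD_WINDOW = 10 * 60   # seconds

# Constructed reverse-DNS table standing in for PTR lookups (offline example).
REVERSE_DNS = {
    "192.0.2.10": "mx.example.net",
    "198.51.100.7": "mail.partner.example",
}
# Constructed internal blacklists of client IPs and sender domains.
BLACKLIST_IPS = {"203.0.113.99"}
BLACKLIST_DOMAINS = {"spam.example"}


class FloodDetector:
    """Sliding-window counter per client IP (a simplified IFD stage)."""

    def __init__(self, limit=FLOOD_LIMIT, window=FLOOD_WINDOW):
        self.limit = limit
        self.window = window
        self.seen = {}  # client ip -> deque of timestamps of mails seen

    def record(self, ip, ts):
        """Record one mail at time ts (seconds); return True if ip is flooding."""
        q = self.seen.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events older than the window
            q.popleft()
        return len(q) >= self.limit


def check_envelope(client_ip, mail_from, ts, flood, reverse_dns=REVERSE_DNS):
    """Return an (smtp_code, reason) reply for one envelope, before any content is read.

    550 = permanent reject, 451 = temporary reject (sender may retry), 250 = accept.
    Cheapest checks run first; a blacklisted client never reaches the flood counter.
    """
    if client_ip in BLACKLIST_IPS:
        return 550, "client IP on internal blacklist"
    domain = mail_from.rpartition("@")[2].lower()
    if domain in BLACKLIST_DOMAINS:
        return 550, "sender domain on internal blacklist"
    if client_ip not in reverse_dns:
        return 550, "no reverse DNS"
    if flood.record(client_ip, ts):
        # Temporary code: a legitimate burst (a large mailing list) is only delayed.
        return 451, "flood detected, try again later"
    return 250, "accepted for content filtering"


def reject_statistics(events, flood=None):
    """Run (ts, client_ip, mail_from) envelopes through the gate and tally the
    reasons, the way the gateway statistics break rejects down by reason."""
    flood = flood or FloodDetector()
    tally = Counter()
    for ts, ip, sender in events:
        code, reason = check_envelope(ip, sender, ts, flood)
        tally[reason] += 1
    return tally


if __name__ == "__main__":
    # Constructed sample: a normal sender, a blacklisted client, a client without
    # PTR, and a burst of 600 mails within ten minutes from a single host.
    sample = [(0, "192.0.2.10", "alice@example.net"),
              (1, "203.0.113.99", "x@anything.example"),
              (2, "192.0.2.55", "bob@example.org")]
    sample += [(3 + i, "198.51.100.7", "list@partner.example") for i in range(600)]
    for reason, n in reject_statistics(sample).most_common():
        print(f"{n:5d}  {reason}")
```

The flood reject is deliberately temporary: the gateway cannot tell a mailing-list burst from an attack at the envelope level, so a 451 lets a well-behaved sender retry once its rate drops below the window, while the per-reason tally is what feeds the daily statistics and alarms mentioned on the later slides.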

  10. Benefits
  • SMTP gateways have 100% uptime, thanks to load balancing.
  • Floods (every day!) are automatically detected and blocked.
  • Automatically generated graphs and mail-queue monitoring quickly show any problem.
  • Configuration and log files can easily be checked by the Helpdesk if a problem is raised.

  11. Gateways statistics
  One-day statistics on the SMTP gateways: 84% of the mail CERN receives is spam (92% at weekends)! But 81% of it is rejected.
  Huge increase in mails rejected due to forbidden attachments, from 15pm to 3am. This is a virus attack!
  On a classic day, 'No Reverse DNS' is the number one reject reason, except when a flood is detected.

  12. Agenda
  • Exchange 2003 upgrade
  • Mail Gateways upgrade
  • Spam Fighting Evolution

  13. Current Status
  • Content-based detection is not worth improving:
    • Gaining another 1% requires a lot of work, and may produce false positives.
  • Focus on low-level Spam Rejection:
    • Reverse DNS activated on 15th June: Spam rejection increased from 55% to 85%.
    • Reverse SMTP connect rule activated on 6th October.
  • Next steps:
    • Try and identify new techniques: SPF, SenderID, DomainKeys.
    • Try to reject evident Spam detected by SpamKiller, the CERN content-based Spam detection engine.

  14. Reverse SMTP Connect
  • Reverse SMTP Connect process:
    • The CERN mail gateway receives a mail from bob@domain.com.
    • The CERN mail gateway simulates a reply to bob@domain.com by trying to connect to the SMTP server responsible for domain.com (its MX):
      • If the connection succeeds, the mail is accepted.
      • If the connection fails, the mail is rejected with a temporary error; if the remote server only has a temporary problem, the mail will be resent.
  • 25% of the mails that we currently accept could be rejected with this rule.
  • No false positives detected.

  15. Future "Standards"
  • Solutions being investigated:
    • SPF (Sender Policy Framework) and its Unified SPF evolution (the main problem of SPF is that it does not support forwarding).
    • SenderID: a merge of SPF and MS Caller-ID.
    • DomainKeys, proposed by Yahoo.
      • Google put this idea into production TODAY!
  • All these new standards allow detecting mail sender forgery.
    • They will not block Spam.
    • A validated check DOES NOT mean it is not Spam.
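To make the two caveats on this slide concrete, here is an added example (not from the presentation) of a small SPF evaluator over a constructed DNS table. It goes slightly beyond the slide by implementing the ip4, a, mx, include and all mechanisms with their qualifiers; the forwarding scenario shows why SPF breaks when a third party re-sends a message unchanged, and the spammer.example record shows that a correct SPF "pass" says nothing about whether the mail is spam. All domains, addresses and records are constructed.

```python
import ipaddress

# Constructed DNS data: SPF TXT records, MX records and A records.
DNS = {
    "txt": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 mx -all",
        "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",   # spammer's own valid SPF
        "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    },
    "mx": {"example.com": ["mx.example.com"]},
    "a": {
        "mx.example.com": ["198.51.100.25"],
        "forwarder.example": ["198.51.100.200"],   # third party that forwards mail
    },
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=DNS, depth=0):
    """Evaluate the SPF record of `domain` for a connection from client_ip.

    Supports ip4, a, mx, include and all. Returns pass, fail, softfail,
    neutral, none (no record) or permerror (unsupported term / include loop).
    """
    if depth > 10:                         # RFC 7208 limits include recursion
        return "permerror"
    record = dns["txt"].get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns["a"].get(target, [])
        elif mech == "mx":
            matched = any(str(ip) in dns["a"].get(h, [])
                          for h in dns["mx"].get(target, []))
        elif mech == "include":
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"             # ip6, exists, ptr etc. not modelled here
        if matched:
            return RESULT[qualifier]
    return "neutral"                       # nothing matched and no "all" term


def forwarding_scenario(dns=DNS):
    """The forwarding problem from the slide: a message from alice@example.com
    checked once when delivered from the domain's own MX, and once after
    forwarder.example re-sends it with the envelope sender unchanged."""
    direct = check_spf(dns["a"]["mx.example.com"][0], "example.com", dns)
    forwarded = check_spf(dns["a"]["forwarder.example"][0], "example.com", dns)
    return direct, forwarded


if __name__ == "__main__":
    print("direct / forwarded:", forwarding_scenario())
    print("spammer with valid SPF:", check_spf("203.0.113.5", "spammer.example"))
```

The second print is the point of the last bullet: SPF only ties the envelope sender domain to a sending host, so a spammer who publishes an accurate record for a domain they control passes the check; sender-authentication results are an input to a spam score, not a verdict.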
