Controlling mail message flow by content analysis
Ralf Hildebrandt, Patrick Ben Koetter
T-System Business Services & state of mind

Outline
Stages of spam-prevention: Where can spam be controlled? Split anti-spam measures; SMTP Session Control; Content Control
Integrating amavisd-new into Postfix: smtpd_proxy_filter; content_filter; Where is the difference?
The nature of content control: Risks; Requirements
amavisd-new: History; Architecture
Implementations: Typical Mailserver; Typical Mailgateway; A dedicated Scanhost
Basic Setup: Logging; Virus Scanners; Spam Scanners; Quarantine; Notification
Housekeeping: Quarantine Management; Quarantine Notification; Quarantine Release; Log analysis and statistics
Beyond the standard stuff: Keeping SpamAssassin up to date; Extending SpamAssassin's rules; Extending ClamAV patterns; Pen-Pals; p0f (passive operating system fingerprinting); DKIM (DomainKeys Identified Mail)
Where can spam be controlled?

Content scanning is resource expensive. Don't let the full load hit the content scanner.
Reject early! Use SMTP session control to minimize the amount of mail that reaches the after-queue measures.
Limitations of Before-Queue-Scanning

In a perfect world content inspection takes place before queuing, but the sending client may run into a timeout while it waits for the scan to finish.
Best practices
- require RFC compliance from your senders
- require RFC compliance first, kill spam later
- order restrictions from cheap to expensive
- allow for exceptions!
smtpd_recipient_restrictions I

Cheap restrictions:

    smtpd_recipient_restrictions =
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        check_client_access cdb:/etc/postfix/mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient,
        ...
smtpd_recipient_restrictions II

Cheap restrictions:

        ...
        check_helo_access pcre:/etc/postfix/helo_checks.pcre,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        check_recipient_access cdb:/etc/postfix/roleaccount_exceptions,
        check_sender_access cdb:/etc/postfix/sender_checks,
        check_sender_access pcre:/etc/postfix/sender_checks.pcre,
        ...

We are checking the HELO for obvious signs of forgery and blocking some senders.
smtpd_recipient_restrictions III

Expensive restrictions (each one needs DNS lookups):

        ...
        check_client_access    cidr:/etc/postfix/drop.cidr,
        check_sender_mx_access cidr:/etc/postfix/drop.cidr,
        check_sender_ns_access cidr:/etc/postfix/drop.cidr,
        check_sender_mx_access cidr:/etc/postfix/bogon_networks.cidr,
        ...

The lookups against cidr:/etc/postfix/drop.cidr check whether a sender domain's MX or NS records point into networks controlled by spammers. The lookup against cidr:/etc/postfix/bogon_networks.cidr checks whether a sender domain's MX record points into private (unroutable) address space, which no legitimate mail server can have.
smtpd_recipient_restrictions IV

Expensive restrictions:

        ...
        reject_unknown_reverse_client_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client b.barracudacentral.org,
        check_sender_access cdb:/etc/postfix/rhsbl_exceptions,
        reject_rhsbl_sender dsn.rfc-ignorant.org
Consequences

Postfix rejects a lot of connections early; content_filter and smtpd_proxy_filter are relieved of most of the load (about 90% of the sessions are rejected before content inspection).
header_checks

    /^Received: from .*by nomail\.charite\.de/
        REJECT Fake nomail.charite.de Received: Header found
    /Date:.*([3-9].:..:|2[4-9]:..:|:[6-9].:|:..:6[1-9])/
        REJECT Invalid time "${1}" in Date header
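As an added example (not part of the original slides), the following Python evaluates a Postfix-style pcre header_checks table over constructed header lines, so rules like the two above can be tested offline before they go into production. It handles only the "/pattern/flags action text" form of pcre_table(5); the sample headers, the third message, and the test harness are constructed for this illustration.

```python
import re

# Constructed header_checks table in pcre_table(5) syntax; the two rules are
# the ones from the slide above.
HEADER_CHECKS = r"""
# A Received: line claiming our own relay handled the message is forged
/^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
# Hours 24-99, minutes 60-99 or seconds 61-69 cannot occur in a valid Date:
/Date:.*([3-9].:..:|2[4-9]:..:|:[6-9].]:|:..:6[1-9])/  REJECT Invalid time "${1}" in Date header
"""
# (the stray ']' above is fixed in the real table below; kept out of the way)
HEADER_CHECKS = r"""
# A Received: line claiming our own relay handled the message is forged
/^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
# Hours 24-99, minutes 60-99 or seconds 61-69 cannot occur in a valid Date:
/Date:.*([3-9].:..:|2[4-9]:..:|:[6-9].:|:..:6[1-9])/  REJECT Invalid time "${1}" in Date header
"""

# pcre_table(5) defaults: case-insensitive (i) and dotall (s) are on, the
# multiline (m) and extended (x) flags are off; each flag letter toggles.
_FLAG_BITS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
_RULE = re.compile(r"^/((?:\\.|[^/])*)/([ismx]*)\s+(\S+)(?:\s+(.*))?$")


def parse_pcre_table(text):
    """Return [(compiled regex, ACTION, action text)] for a pcre table.

    Only the '/' delimiter is supported (an assumption that is sufficient for
    this table); comment and blank lines are skipped as Postfix does.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError("unparsable pcre rule: " + line)
        pattern, flags, action, action_text = m.groups()
        bits = re.IGNORECASE | re.DOTALL
        for f in flags:
            bits ^= _FLAG_BITS[f]
        rules.append((re.compile(pattern, bits), action.upper(), action_text or ""))
    return rules


def check_headers(rules, headers):
    """Apply the table to each logical header line (continuation lines already
    joined) and return (ACTION, text) of the first match, or None.

    $1 / ${1} references in the action text are replaced by the matching
    capture group, as header_checks(5) does.
    """
    for header in headers:
        for regex, action, action_text in rules:
            match = regex.search(header)
            if match is None:
                continue
            text = re.sub(r"\$\{?(\d+)\}?",
                          lambda g: match.group(int(g.group(1))) or "",
                          action_text)
            return action, text
    return None


RULES = parse_pcre_table(HEADER_CHECKS)

# Constructed sample messages (header lines only).
SAMPLE_OK = [
    "Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org",
    "Date: Tue, 14 Oct 2008 13:45:10 +0200",
    "Subject: meeting tomorrow",
]
SAMPLE_BAD_DATE = [
    "Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org",
    "Date: Tue, 14 Oct 2008 25:45:10 +0200",
]
SAMPLE_FAKE_RECEIVED = [
    "Received: from spambox (unknown [198.51.100.7]) by nomail.charite.de",
    "Date: Tue, 14 Oct 2008 13:45:10 +0200",
]

if __name__ == "__main__":
    for name, hdrs in [("ok", SAMPLE_OK), ("bad-date", SAMPLE_BAD_DATE),
                       ("fake-received", SAMPLE_FAKE_RECEIVED)]:
        print(name, "->", check_headers(RULES, hdrs))
```

Postfix stops at the first matching rule for a header line, which is why the order of the table matters and why the evaluator returns on the first hit. Note that the Date rule deliberately lets "60" seconds pass (leap second) but rejects 61 to 69.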
mime_header_checks
body_checks
smtpd_proxy_filter

Accept mail from the internet and pass it on to the filter on [127.0.0.1]:10025.

Caution: enable XFORWARD; this allows amavisd-new to see the actual client instead of just 127.0.0.1.

    smtp      inet  n       -       -       -       -       smtpd
        -o receive_override_options=no_address_mappings
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_authorized_xclient_hosts=127.0.0.0/8
        -o smtpd_proxy_filter=[127.0.0.1]:10025
Reinjection

Accept the mail back into Postfix after amavisd-new is done with it.

Caution: disable the filter on re-entry, otherwise the message loops through the scanner forever.

    localhost:10026 inet n  -       -       -       -       smtpd
        -o smtpd_proxy_filter=
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_authorized_xclient_hosts=127.0.0.0/8
        -o mynetworks=127.0.0.0/8
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o syslog_name=reinjection
content_filter

Accept mail from the internet and pass it on to the filter on [127.0.0.1]:10025.

Caution: enable XFORWARD; this allows amavisd-new to see the actual client instead of just 127.0.0.1.

    smtp      inet  n       -       -       -       -       smtpd
        -o receive_override_options=no_address_mappings
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_authorized_xclient_hosts=127.0.0.0/8
        -o content_filter=smtp:[127.0.0.1]:10025
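Both the smtpd_proxy_filter and the content_filter setup above rely on XFORWARD to carry the original client's identity across the loopback hop, and both restrict it with smtpd_authorized_xforward_hosts. The following Python is an added example, not Postfix code and not from the slides: it models the command the proxying side sends and the check the receiving side must make, using the slide's 127.0.0.0/8 as the authorized network. The attribute names and the xtext encoding are those of the Postfix XFORWARD extension; the reply texts and the session records are assumptions of this model.

```python
import ipaddress

# Mirrors the slide's smtpd_authorized_xforward_hosts=127.0.0.0/8 (constructed).
AUTHORIZED_XFORWARD_HOSTS = [ipaddress.ip_network("127.0.0.0/8")]

# Attribute names defined by the Postfix XFORWARD extension.
XFORWARD_ATTRS = ("NAME", "ADDR", "PORT", "PROTO", "HELO", "IDENT", "SOURCE")
UNAVAILABLE = "[UNAVAILABLE]"   # the upstream does not know this value


def xtext_encode(value):
    """RFC 3461 xtext: '+', '=' and anything outside printable ASCII 33..126
    become '+' followed by two uppercase hex digits."""
    out = []
    for ch in value:
        code = ord(ch)
        if 33 <= code <= 126 and ch not in "+=":
            out.append(ch)
        else:
            out.append("+%02X" % code)
    return "".join(out)


def xtext_decode(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "+":
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_xforward(session):
    """Client side (the smtpd that talks to the filter): one XFORWARD command
    carrying the original client's identity; attributes that are not known are
    left out. `session` is a dict keyed by attribute name."""
    parts = ["%s=%s" % (attr, xtext_encode(session[attr]))
             for attr in XFORWARD_ATTRS if attr in session]
    return "XFORWARD " + " ".join(parts)


def handle_xforward(peer_ip, line, authorized=AUTHORIZED_XFORWARD_HOSTS):
    """Server side (the smtpd behind the filter or on the reinjection port).

    The forwarded identity is applied only when the peer is in an authorized
    network; otherwise the command is refused and the real peer address stays
    the client address. Returns (reply, effective client record). Reply
    wording is an assumption of this model, not Postfix's literal text.
    """
    peer = ipaddress.ip_address(peer_ip)
    client = {"ADDR": str(peer), "NAME": UNAVAILABLE}
    if not any(peer in net for net in authorized):
        return "550 5.7.0 XFORWARD not allowed from this client", client
    words = line.split()
    if len(words) < 2 or words[0].upper() != "XFORWARD":
        return "501 5.5.4 Bad XFORWARD syntax", client
    for word in words[1:]:
        name, sep, value = word.partition("=")
        name = name.upper()
        if not sep or name not in XFORWARD_ATTRS:
            return "501 5.5.4 Bad XFORWARD attribute: " + word, client
        value = xtext_decode(value)
        if value != UNAVAILABLE:
            client[name] = value
    return "250 2.0.0 Ok", client


if __name__ == "__main__":
    cmd = build_xforward({"NAME": "mail.example.net", "ADDR": "192.0.2.10",
                          "PROTO": "ESMTP", "HELO": "mail.example.net"})
    print(cmd)
    print(handle_xforward("127.0.0.1", cmd))      # trusted loopback hop
    print(handle_xforward("198.51.100.7", cmd))   # untrusted internet client
```

The second call shows why the restriction matters: without it, any host that can reach the reinjection port could claim an arbitrary client address and name and thereby bypass every client-based check in smtpd_recipient_restrictions. Binding the reinjection listener to localhost, as the slide does with localhost:10026, is the other half of the same defence.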
Where is the difference?

With smtpd_proxy_filter the mail is processed as it arrives (just-in-time scanning). With content_filter the mail is queued first and scanned later.

Caution: with before-queue scanning, clients may not be patient enough to wait until your system is willing to accept and process the mail.
Risks
- Content contains malware
- Content may decompress without bounds (compression bombs)
- Content cannot be scanned (encrypted)
- Content cannot be categorized
Requirements
A brief history
- Shell script that pipes mail to a scanner (1997)
- First Perl program (2000)
- Perl daemon (2001)
- Modular design (2002)
- Perl daemon, pre-fork, Net::Server (2002 - 2003) by Mark Martinec
- Add internal anti-spam methods (2006)
- Add p0f, pen-pals (2007)
- Add DKIM (2008)
Decomposing E-Mail

Save resources! Decompose once, analyze multiple times.

Configuration settings that bound the decomposition: $MAXLEVELS (maximum nesting depth of archives and MIME parts), $MAXFILES (maximum number of extracted files), $MIN_EXPANSION_QUOTA and $MAX_EXPANSION_QUOTA (lower and upper bound on the total size the unpacked content may grow to).
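The compression-bomb risk listed above is exactly what these quota settings exist for. As an added example (not amavisd-new code and not from the slides), the following Python builds a small nested zip bomb in memory and unpacks it with the three kinds of limit the settings express: nesting depth, member count and total inflated bytes. The quota formula is a simplified model of amavisd-new's parameters, not its exact arithmetic; the function names and the test archive are constructed for this illustration.

```python
import io
import zipfile


class ExpansionLimit(Exception):
    """Raised as soon as unpacking would exceed a configured limit."""


def make_nested_zip(levels, payload_size):
    """Constructed test input: `payload_size` zero bytes (highly compressible)
    wrapped in `levels` nested zip archives, i.e. a small decompression bomb."""
    data, name = b"\0" * payload_size, "payload.bin"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "level%d.zip" % i
    return data


def expansion_quota(mail_size, min_quota, max_quota, max_factor):
    """Simplified model of the $MIN/$MAX_EXPANSION_QUOTA idea (an assumption
    of this example): allow up to max_factor times the original size, clamped
    between an absolute minimum and maximum."""
    return max(min_quota, min(max_quota, mail_size * max_factor))


def unpack_bounded(blob, quota, max_levels=14, max_files=1500):
    """Recursively unpack nested zip archives while enforcing total inflated
    bytes (quota), archive nesting depth (max_levels) and member count
    (max_files). Returns {"leaves": [(name, size)], "bytes": total}.

    Bytes are counted as they are actually inflated, not taken from the
    archive's size fields, because those fields can be forged.
    """
    state = {"bytes": 0, "files": 0, "leaves": []}

    def walk(name, data, level):
        if not zipfile.is_zipfile(io.BytesIO(data)):
            state["leaves"].append((name, len(data)))   # a scannable leaf
            return
        if level >= max_levels:
            raise ExpansionLimit("more than %d nested archives at %s" % (max_levels, name))
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                state["files"] += 1
                if state["files"] > max_files:
                    raise ExpansionLimit("more than %d members" % max_files)
                # cheap early exit on the declared size ...
                if state["bytes"] + info.file_size > quota:
                    raise ExpansionLimit("declared size of %s exceeds quota" % info.filename)
                chunks = []
                with zf.open(info) as fh:
                    while True:          # ... and a hard stop on the real size
                        chunk = fh.read(65536)
                        if not chunk:
                            break
                        state["bytes"] += len(chunk)
                        if state["bytes"] > quota:
                            raise ExpansionLimit("quota of %d bytes exceeded in %s"
                                                 % (quota, info.filename))
                        chunks.append(chunk)
                walk(info.filename, b"".join(chunks), level + 1)

    walk("message-part", blob, 0)
    return {"leaves": state["leaves"], "bytes": state["bytes"]}


def is_rejected(blob, **limits):
    """True if unpacking `blob` under the given limits trips a limit."""
    try:
        unpack_bounded(blob, **limits)
    except ExpansionLimit:
        return True
    return False


if __name__ == "__main__":
    bomb = make_nested_zip(3, 1_000_000)        # a few KB on the wire
    print(len(bomb), "bytes compressed")
    print(unpack_bounded(bomb, quota=10_000_000))
    print(is_rejected(bomb, quota=expansion_quota(len(bomb), 100_000, 500_000, 500)))
```

With the default-sized quota the archive is rejected as soon as the inner member would push the total past the bound, long before a megabyte has been written; the member-count and depth limits catch the other two bomb shapes (thousands of tiny members, or archives nested far deeper than any real mail).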
Adding Information
Content Inspection
- SpamAssassin is the default anti-spam tool; adding dspam is optional
- ClamAV is the default anti-virus tool
- Internal methods: inspect MIME types; check whether the file suffix is black-/whitelisted
Content Classication
Actions
- Store (bad) messages in quarantine
- Archive any message that flows through the system
- Reinject the message into the SMTP transport
- Notify sender/recipient about the message status
- D_REJECT, D_DISCARD, D_BOUNCE or D_PASS a message
DKIM Signing

"... a domain-level authentication framework for email using public-key cryptography and key server technology to permit a signing domain to assert responsibility for a message, thus protecting message signer identity and the integrity of the messages ..."

- Generate a private key and publish the corresponding public key (DKIM uses a DNS TXT record, not a certificate)
- Provide a per-domain/per-user list of DKIM signature options
- Add DKIM signatures to outgoing messages
Typical Mailserver
Typical Mailgateway

The gateway examines content. The systems behind it only do SMTP session control.
A dedicated Scanhost
Gateways do SMTP session control. Content control is done by a dedicated Content Inspection server.
Logging
Virus Scanners

Primary scanners are (or should be) daemons; secondary scanners are scripts and are called only if the primary scanners are not available. Both groups allow defining a chain of scanners.

@av_scanners entry defining the ClamAV access parameters:

    ['ClamAV-clamd',
      \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
      qr/\bOK$/, qr/\bFOUND$/,
      qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
Spam Scanners
- amavisd-new uses Mail::SpamAssassin as the default spam scanner
- dspam can be used as an alternative
- amavisd-new only configures/controls a few SpamAssassin parameters
- Additional SpamAssassin configuration makes SA more efficient

Caution: amavisd-new does not use spamc or spamd! It loads Mail::SpamAssassin as a Perl module, so SpamAssassin settings made for spamd do not apply.
Quarantine

Quarantine destinations are:
- send the message to a mailbox
- store the message in a file
- store the message in a SQL server
Notification
- sender and recipients can be notified about a message's status
- notifications can be enabled on a global, a per-domain or on a per-user basis
- the transport method can be set separately from the regular $forward_method
- powerful macros and templates customize notification messages
Quarantine Management
- amavisd-release releases messages from quarantine
- messages can be sent as attachments
- amavisd-release is not enabled by default

Enabling amavisd-release in amavisd.conf (the AM.PDP policy-server protocol on a local UNIX socket):

    $interface_policy{'SOCK'} = 'AM.PDP';
    $policy_bank{'AM.PDP'} = { protocol => 'AM.PDP' };
    $unix_socketname = '/var/amavis/amavisd.sock';
Quarantine Notication
Quarantine Release

    p@mail:~$ sudo amavisd-release virus-MOnrPcyyy3Wo
    [sudo] password for p:
    250 2.0.0 Ok: queued as A974B820007
Log analysis and statistics

Know your enemy!
- mailgraph: the overall picture at a glance
- amavisd-nanny: shows what the amavisd processes are doing
- amavisd-agent: SNMP-style statistics
- amavisd-logwatch: catch trends, document daily work
- manual inspection
amavisd-nanny
mailgraph
mailgraph II
amavisd-agent
amavisd-logwatch
Individualization I

Problem: amavisd-new carries lots of legacy code!
- amavisd-new started as a single-user script
- a multi-user environment requires individual settings
- newer groups of parameters wrap around older groups like layers of onion skin

Map types: single setting; lists; regular expression
Individualization II

Layers of onion skin:

    # Check for viruses
    @bypass_virus_checks_maps = (
      \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re );

    # Check for spam
    @bypass_spam_checks_maps = (
      \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re );
Maps

amavisd-new has a map for nearly everything. Example:

    @local_domains_maps
    @mynetworks_maps
    @newvirus_admin_maps
    @banned_filename_maps
    @spam_quarantine_bysender_to_maps
    @spam_tag_level_maps
    @spam_tag2_level_maps
    @spam_tag3_level_maps
    @spam_kill_level_maps
    @spam_modifies_subj_maps
    @spam_subject_tag_maps
    @spam_subject_tag2_maps
    @spam_subject_tag3_maps
    @spam_dsn_cutoff_level_maps
    @spam_dsn_cutoff_level_bysender_maps
    @spam_crediblefrom_dsn_cutoff_level_maps
    @spam_crediblefrom_dsn_cutoff_level_bysender_maps
    @spam_quarantine_cutoff_level_maps
    @whitelist_sender_maps
    @blacklist_sender_maps
    @score_sender_maps
    @author_to_policy_bank_maps
    @signer_reputation_maps
    @message_size_limit_maps
    @debug_sender_maps
    @bypass_virus_checks_maps
    @bypass_spam_checks_maps
    @bypass_banned_checks_maps
    @bypass_header_checks_maps
    @viruses_that_fake_sender_maps
    @virus_name_to_spam_score_maps
    ...
Maps

Uses for maps:
- domains: create a list of domains amavisd is responsible for
- exclusion: exclude someone from a check
- exception: deliver mail even if it is banned
Maps: Domains
Maps: Exclusion
Maps: Domains
LDAP I

Benefits:
- Enterprise ready
- Single configuration backend
- Simplified user administration
- Fast read access
LDAP II

Enabling and configuring LDAP lookups in amavisd-new:

    # Enable LDAP
    $enable_ldap = 1;

    # LDAP access
    $default_ldap = {
      hostname      => 'localhost',
      port          => 389,
      version       => 3,
      timeout       => 120,
      tls           => 0,
      base          => 'ou=people,dc=example,dc=com',
      scope         => 'sub',
      query_filter  => '(&(objectClass=amavisAccount)(mail=%m))',
      bind_dn       => 'cn=amavis,ou=services,dc=example,dc=com',
      bind_password => 'secret',
    };

With tls => 0 the bind password travels in the clear; this is only acceptable while the directory runs on the same host (as with the localhost setting here), otherwise enable TLS.
Policy banks
- Run one instance of amavisd-new
- Offer different behaviours (policies)
- Use the port and/or the client IP to identify the policy bank
Keeping SpamAssassin up to date
- Spammers use SpamAssassin to optimize their spam
- Patterns start to get old the day you download them
- Use sa-update to update your SpamAssassin rules
- sa-update creates a new directory; SpamAssassin first loads the packaged rules and then the updated ones
Extending SpamAssassin's rules
- The standard ruleset has a narrow score corridor
- Rules Emporium adds more weight to scores
- Rules Emporium adds specialized rules
- Use sa-update to install and update these rules
Extending ClamAV patterns
- ClamAV is just a content inspection engine
- Additional rule patterns add additional functionality
- Use http://www.sanesecurity.com/clamav/ for phishing and scam signatures
- ...
Pen-Pals

Question: is it spam if you start talking about sex and your friend replies?

amavisd-new can track who started a discussion and apply lower scores to replies in a discussion that was started by you.
p0f - passive operating system fingerprinting

p0f is a passive OS fingerprinting tool: it identifies the OS (type, version, patch level, etc.) of machines that connect to your box from the characteristics of their TCP SYN packets (SYN mode).
p0f-analyzer.pl
- amavisd-new queries p0f via the p0f-analyzer.pl script
- it passes the OS information as a header field (X-Amavis-OS-Fingerprint) to SpamAssassin
- SpamAssassin rules apply scores depending on the OS detected

Invocation of p0f in amavisd.conf:

    # Query p0f-analyzer.pl
    $os_fingerprint_method = 'p0f:*:2345';
Some statistics collected from Mark's logs in February 2006:

    p0f OS guess      ham       spam
    Windows-XP        0.7 %    99.3 %
    Windows-2000      5.8 %    94.2 %
    UNKNOWN          16.5 %    83.5 %
    Linux            58.8 %    41.2 %
    Unix             80.3 %    19.7 %
    (Unix+Linux      66.5 %    33.5 %)

ham: mail with a score below 3; spam: score above 6.
SpamAssassin rule using the p0f header (all three lines must name the same rule):

    describe L_P0F_Linux Remote system is running Linux
    header   L_P0F_Linux X-Amavis-OS-Fingerprint =~ /\ALinux/m
    score    L_P0F_Linux -0.1
DKIM key configuration (slide table, only the column labels survive): private key, options; key file /var/db/dkim/a.key.pem
Questions?

Ralf Hildebrandt ralf@python.org
Patrick Ben Koetter patrick@python.org
Slides: http://postfix.state-of-mind.de/amavisd.pdf