Filtragem Email
Email Filtering
with Red Hat Linux
Ruben Oliveira
RHCE RHCX MCSE MCITP
Contents
• Red Hat Linux
• SMTP - Simple Mail Transfer Protocol
• The evolution of SPAM
• Spam bad guys
• DNS Block Lists
• SPF, Sender ID, DomainKeys
• Greylisting
• Pattern rules
• Bayes
• DCC, Pyzor, Razor
• OCR
• AV
• Security solutions
Linux Origins
1984: The GNU Project and the Free Software Foundation
Creates open source version of UNIX utilities
Creates the General Public License (GPL)
1991: Linus Torvalds
Creates open source, UNIX-like kernel, released under the GPL
Today:
Linux kernel + GNU utilities = complete, open source, UNIX-like operating system
Packaged for targeted audiences as distributions
Red Hat Enterprise Linux
• Enterprise-targeted operating system
• Focused on mature open source technology
• 18-24 month release cycle
• Certified with leading OEM and ISV products
• Purchased with one year Red Hat Network subscription and support contract
• Support available for seven years after release
• Up to 24x7 coverage plans available
The Fedora Project
• Red Hat sponsored open source project
• Focused on latest open source technology
• Rapid four to six month release cycle
• Available as free download from the Internet
CentOS
• Created from the RedHat Linux OpenSource Software
• No Support from RedHat
• Community Supported
• Rebranded RHEL Clone without the trademarks or RHN
SMTP (Simple Mail Transfer Protocol)
• Text-based protocol
• The protocol runs on TCP port 25.
• Simple: telnet server 25
Example of an SMTP session
telnet smtp.dominio.pt 25
S: 220 smtp.dominio.pt ESMTP Postfix
C: HELO dominio2.pt
S: 250 Hello dominio2.pt
C: MAIL FROM: [email protected]
S: 250 Ok
C: RCPT TO: [email protected]
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Mensagem de Teste
C:
C: Olá.
C: .
S: 250 Ok: queued as 12345
C: quit
S: 221 Bye
Why is unsolicited commercial email known as SPAM?
SPAM
Spiced ham, famous in the Second World War
Monty Python sketch (1970): the menu
The Evolution of Spam
The development of spammer techniques
Direct mailing
– Naive spammers
– Easy to filter
Open relay
– Configuration error
Zombie or bot networks
– Popular Internet
– Deficient updates or anti-virus
– Naive users
The Evolution of Spam
The development of spam content
• Simple text and HTML
• Personalised mail
• Random text strings
• Graphics or PDF
Direct marketing companies
They claim they only send emails with the recipient's consent.
Examples: Target, Virid, VirtualTarget, BrasilBiz, Spinletter.net
Email Marketers
Jeanne Jennings is a leading authority and independent
consultant with over 15 years of experience in the e-mail and
online realm. She specializes in all aspects of e-mail
marketing and publishing, from strategy through design and
metrics analysis. Jeanne works with medium- to enterprise-sized organizations and is expert at helping her clients
become more effective and more profitable online. She is the
author of "The Email Marketing Kit: The Ultimate Email
Marketer’s Bible" (SitePoint, 2007) and publisher of "The
Jennings Report," a free e-mail newsletter for online marketing
professionals. Visit her online at JeanneJennings.com.
http://www.clickz.com/showPage.html?page=3622788
march folded the wavy chestnut lock, andnot buy it back; and faith
in one another madethe students pay some money for the dance?
cloud of pink and white lace that lay upon have stared straight
before you, utterly right, for i'm all in a tangle now with doubts
then the mournful
http://www.darknet.org.uk/2008/01/uber-spammer-alan-ralsky-back-in-the-news/
The 41-count indictment, unsealed in a Detroit federal court, claims Ralsky, 52,
and his fellow defendants operated a wide-ranging international fraud scheme
involving millions of illegal e-mails touting thinly-traded Chinese penny
stocks. Ralsky profited by selling the stock at artificially inflated prices.
Only two of the defendants appeared in court Jan. 3 for arraignment. Ralsky is
reportedly at large in Europe.
According to the indictment, Ralsky and his group earned approximately $3
million on the scheme during the summer of 2005. Ralsky faces charges
including conspiracy, fraud in connection with electronic mail, computer fraud,
mail fraud, wire fraud and money laundering.
The illegal e-mail practices cited in the indictment include evading spam-blocking devices, falsifying headers and domain names, using proxy computers to distribute the spam and misrepresenting the advertising content in the actual e-mail.
Inside the "Ron Paul" Spam Botnet
http://www.secureworks.com/research/threats/ronpaul
SecureWorks would like to thank our colleagues at myNetWatchman, IronPort
and Spamhaus for their invaluable assistance in the investigation of this botnet.
Tracking the Spam: email headers vary, but some elements are static
The Reactor Core
written in the Python language. Examining these showed that the Srizbi botnet
is actually a working component of a piece of spamware known as “Reactor
Mailer”. Reactor Mailer has been around at least since 2004, and is in its third
major version. It was created along with Srizbi, the bot that actually does the
mailing.
Reactor Mailer is the brainchild of a spammer who goes by the pseudonym
“spm”. He calls his company “Elphisoft”, and has even been interviewed about
his operation by the Russian hacker website xakep.ru.
http://spamtrackers.eu/wiki/index.php?title=Spamit
Spamit is the alternate name for the Glavmed sponsorship, responsible for lots of illegal spamming of
Canadian Pharmacy and US Pharmacy websites.
Following the same example as SanCash and GenBucks, this follows the pattern of having a public-facing, wide-open entity (ie: GenBucks / Glavmed) which makes no mention of email spamming, or hijacking of servers, coupled with a very secretive, underground Affiliate program (ie: SanCash / Spamit) which is invitation only, password protected, and never mentioned anywhere in public, via any means.
Dark Mailer
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7284
What is ROKSO?
The Register of Known Spam Operations (ROKSO) is a register
of spam senders and spam services that have been thrown off
Internet Service Providers 3 times or more in connection with
spamming or providing spam services, and are therefore repeat
offenders. Spamhaus believes that these known determined
professional spam operations are responsible for approximately
80% of spam on the Internet.
• Planning and management of email filtering
– Connection filtering
– Content-analysis filtering
DNSBL (DNS Block List)
Spamhaus ZEN (SBL, XBL, PBL)
Identify IPs that have been used to send SPAM
Target of DoS attempts
http://www.dnsbl.com/
* PSBL (psbl.surriel.com)
* FIVETEN (blackholes.five-ten-sg.com)
* ZEN (zen.spamhaus.org)
* APEWS (www.apews.org)
* SORBS (dnsbl.sorbs.net)
* Spamcop (bl.spamcop.net)
* CBL (cbl.abuseat.org)
* korea.services.net
* UBL (ubl.unsubscore.com)
Sender Policy Framework (SPF)
• What is it for?
Identifying the legitimate servers that may send email for a domain.
• How is it configured?
In the DNS server, in a TXT record
Ex: IN TXT "v=spf1 mx -all"
All the domain's MX hosts are the only ones that should send its email
• It is up to the receiving server to decide whether or not to refuse the email
• http://www.openspf.org/
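Added example, not from the slides: an evaluator for the record "v=spf1 mx -all" shown above, run against a constructed DNS table that stands in for the real zone (the dominio.pt names and the 192.0.2.x / 198.51.100.x addresses are placeholders). It implements the ip4, a, mx and all mechanisms with their +, -, ~ and ? qualifiers and the RFC 7208 defaults; include and redirect are left out.

```python
import ipaddress

# Constructed DNS data for the slide's example domain (not real records).
DNS = {
    "dominio.pt": {"TXT": ["v=spf1 mx -all"], "MX": ["mx1.dominio.pt", "mx2.dominio.pt"]},
    "mx1.dominio.pt": {"A": ["192.0.2.10"]},
    "mx2.dominio.pt": {"A": ["192.0.2.11"]},
    "relaxed.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def ip_matches(ip, cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def check_spf(domain, sender_ip):
    """Evaluate the ip4/a/mx/all mechanisms of the domain's SPF record for sender_ip.
    Returns pass/fail/softfail/neutral, none (no record) or permerror."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"   # RFC 7208: more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_matches(ip, [arg])
        elif mech == "a":
            matched = ip_matches(ip, lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ip_matches(ip, lookup(mx, "A")) for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"   # include/redirect/exists are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # no mechanism matched and no "all" term: the default result
```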
Sender ID
• Sponsored by Microsoft, similar to the Sender Policy Framework
• Purported Responsible Address (PRA)
DomainKeys
Yahoo
When the recipient gets the message, they'll be able to:
• verify the domain name of the sender.
• confirm the message content hasn't been altered.
• match the "from" address to the sender's domain name to prevent
forgeries.
• trace the message back to the sender's domain name.
Greylisting
Temporarily rejects the message
Advantages
Easy to implement
Low CPU use compared with other techniques
Disadvantages
The first email may be delayed
SMTP, Instant Messaging, Push Mail
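Added example, not from the slides: the greylisting decision as a receiving MTA would take it at RCPT TO, keyed on the (client /24, sender, recipient) triplet. A first sighting gets a temporary 450, a retry after the minimum delay passes and whitelists the triplet, and triplets that are never retried (typical of bots) expire. The 5-minute delay, 4-hour retry window and reply texts are assumptions; IPv4 only.

```python
import ipaddress
import time

class Greylist:
    """Greylisting policy for the RCPT stage: a never-seen (client network, sender,
    recipient) triplet gets a temporary 4xx; a retry after min_delay is accepted and
    the triplet is then whitelisted, so only the first message from a sender is delayed."""
    TEMPFAIL = "450 4.7.1 Greylisted, please try again later"

    def __init__(self, min_delay=300, retry_window=4 * 3600):
        self.min_delay = min_delay          # seconds the client must wait before retrying
        self.retry_window = retry_window    # forget triplets that are never retried
        self.seen = {}                      # triplet -> (first_seen, passed)

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Key on the /24 so sender farms that retry from a sibling IPv4 address still pass.
        net = ipaddress.ip_network(client_ip + "/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def decide(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply for this RCPT TO attempt."""
        now = time.time() if now is None else now
        key = self.triplet(client_ip, sender, recipient)
        entry = self.seen.get(key)
        if entry is None or (not entry[1] and now - entry[0] > self.retry_window):
            self.seen[key] = (now, False)   # first sight (or a stale one): defer
            return self.TEMPFAIL
        first_seen, passed = entry
        if passed or now - first_seen >= self.min_delay:
            self.seen[key] = (first_seen, True)
            return "250 2.1.5 Ok"
        return self.TEMPFAIL                # retried too soon: keep deferring
```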
Rules
SpamAssassin
body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 0.1
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule
header LOCAL_DEMONSTRATION_SUBJECT Subject =~ /\btest\b/i
score LOCAL_DEMONSTRATION_SUBJECT 0.1
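Added example, not from the slides: a tiny scorer that parses the two local.cf rules above and applies them to a message, showing the difference between the body rule's bare /test/ (matches inside "contest") and the header rule's \btest\b with the /i flag (matches "Test" but not "Teste"). Only body, header, score and describe lines are handled, and the message is assumed to be single-part.

```python
import re
from email import message_from_string
# The two rules from the slide, as a constructed local.cf fragment.
RULES_CF = r"""
body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 0.1
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule
header LOCAL_DEMONSTRATION_SUBJECT Subject =~ /\btest\b/i
score LOCAL_DEMONSTRATION_SUBJECT 0.1
"""
FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}
def compile_regex(spec):
    """Turn SpamAssassin's /pattern/flags into a compiled Python regex."""
    m = re.fullmatch(r"/(.*)/([imsx]*)", spec.strip(), re.DOTALL)
    if m is None:
        raise ValueError("unsupported regex spec: " + spec)
    flags = 0
    for f in m.group(2):
        flags |= FLAGS[f]
    return re.compile(m.group(1), flags)
def parse_rules(cf):
    """Parse body/header/score/describe lines into {name: rule}; default score is 1.0."""
    rules = {}
    for line in cf.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        kind, name, rest = parts
        rule = rules.setdefault(name, {"score": 1.0, "describe": ""})
        if kind == "body":
            rule["kind"], rule["re"] = "body", compile_regex(rest)
        elif kind == "header":
            hdr, spec = rest.split("=~", 1)
            rule["kind"], rule["header"], rule["re"] = "header", hdr.strip(), compile_regex(spec)
        elif kind == "score":
            rule["score"] = float(rest.split()[0])
        elif kind == "describe":
            rule["describe"] = rest
    return {n: r for n, r in rules.items() if "re" in r}   # drop score-only names
def score_message(raw, rules):
    """Apply every rule to a single-part RFC 822 message; return (total, [hit names])."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = []
    for name, rule in rules.items():
        target = body if rule["kind"] == "body" else msg.get(rule["header"], "")
        if rule["re"].search(target):
            hits.append(name)
    return round(sum(rules[n]["score"] for n in hits), 2), hits
```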
Bayesian classifier
Analyses content that indicates to it whether an email is legitimate or spam, and "learns"
Distributed signature systems
Pyzor
Razor
DCC
OCR
Easy to install
Free OCR engines: gocr, ocrad
CPU intensive
HTML table slice
AntiVirus
Free
Clamav
BitDefender
MailScanner supported:
# sophos from www.sophos.com, or
# mcafee from www.mcafee.com, or
# command from www.command.co.uk, or
# bitdefender from www.bitdefender.com, or
# drweb from www.dials.ru/english/dsav_toolkit/drwebunix.htm, or
# kaspersky from www.kaspersky.com, or
# etrust from http://www3.ca.com/Solutions/Product.asp?ID=156, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# inoculan from ftp.ca.com/pub/getbbs/linux.eng/inoctar.LINUX.Z, or
# nod32 for No32 before version 1.99 from www.nod32.com, or
# f-secure from www.f-secure.com, or
# f-prot from www.f-prot.com, or
# panda from www.pandasoftware.com, or
# rav from www.ravantivirus.com, or
# antivir from www.antivir.de, or
# clamav from www.clamav.net, or
# trend from www.trendmicro.com, or
# norman from www.norman.de, or
# css from www.symantec.com, or
# avg from www.grisoft.com, or
# vexira from www.centralcommand.com, or
# symscanengine from www.symantec.com (Symantec Scan Engine, not CSS)
Exchange Anti-Spam:
Sender ID
IMF (Intelligent Message Filtering)
* Content Filtering
* IP Allow and Block List Provider
* Sender Filtering
* Sender Reputation
* SMTP Tarpitting
Forefront Security
Commercial anti-spam solutions
Sonicwall (www.qos.pt, Rumos group)
GFI MailEssentials
Barracuda
IPBrick
EdgeBox
AnubisNetworks
http://news.bbc.co.uk/1/hi/business/3426367.stm
Spam will be a thing of the past in two years' time,
Microsoft boss Bill Gates has promised.
January 2004
Organisations that fight spam
CAUCE (Coalition Against Unsolicited Commercial Email)
http://www.cauce.org
• In conclusion:
• NO anti-spam technique works well on its own.
• Spammers are always innovating their techniques, and we need to modernise our own blocking techniques.
• The email service is of vital importance in most companies.
• Spam can be reduced to an acceptable minimum.
• Constant updating! Of the software already in use, and through the implementation of new technologies.
Courses:
• RH033 Red Hat Linux Essentials
• RH133 Red Hat Linux System Administration
• RH253 Red Hat Linux Network Services and Security Administration
Thank you
Coffee Break
Case Study I - PT Inovação
Case Study II - Divultec
Download
Email Filtering - Ruben Oliveira