Exchange 2003 and SPAM Fighting - PowerPoint PPT Presentation

1
Exchange 2003 and SPAM Fighting
  • Emmanuel Ormancey, Rafal Otto
  • Internet Services Group
  • Department of Information Technology
  • CERN
  • 28 December 2011

2
Agenda
  • Exchange 2003 upgrade
  • Mail Gateways upgrade
  • Spam Fighting Evolution

3
Status of the update
  • Update of server software started during summer
  • 2000 (15%) users moved to the new servers
  • Migration should end this year
  • Transparent: users are warned by email to close
    their client during the night

4
New Features
  • Webmail
    • New interface; display and navigation speed
      was improved.
    • New features, like creating server side
      filtering rules (useful for IMAP users).
  • Mobile features
    • Pocket PC can synchronize directly with the
      server.
  • Cached mode
    • Download headers only (useful on a slow
      connection).
  • RPC over HTTP
    • Connect from outside CERN, without VPN or ISA
      Server.
    • Uses HTTP over SSL, a secure connection.

5
Agenda
  • Exchange 2003 upgrade
  • Mail Gateways upgrade
  • Spam Fighting Evolution

6
Why a new architecture?
  • Spam and virus attacks were dramatically
    increasing; something had to be done.
  • Floods happened more and more often.
  • Detection of problems must be quick, and must
    raise alarms when manual intervention is needed.
  • The old architecture was very complex; any
    modification could create unexpected side
    effects.
  • It was running on old servers; new hardware was
    needed.
  • The mail service had been running for many
    years and was modified by many different teams;
    many different features were added and stores
    were migrated to MMM, resulting in the
    architecture shown on the next slide.

7
Old architecture
[Diagram of the old architecture; components shown: Exchange Back Ends, Other Sendmail, Listbox4, Mmm (Front Ends), smtp4 / mint, smtp3 / smtp, mail3, mail5, mail6, mail7, mail8, two Antivirus servers, Outside CERN, Users]
8
New architecture
[Diagram of the new architecture; components shown: Exchange Back Ends, Other Sendmail, Listbox4, Trusted host, Mmm (Front Ends), cernmxlb in front of cernmx01 to 06 (load balanced Antivirus, Antispam, Antiflood), Authenticated, Outside CERN, Users]
9
Feature Overview
[Diagram: mail from the Internet / outside CERN passes through the gateways, with three Reject branches (one labelled "If score too high", one "If 500 mails in 10 minutes"); clean mail is passed on with a Spam header to the Exchange Back-Ends / Other CERN Mail Servers]
10
Technical Overview
Incoming mail: for each SMTP command, the action taken by the event sink.

HELO / EHLO
  • Nothing is done at this level; sinks don't
    provide information on the sender's IP.

MAIL FROM
  • If the IP is a Back-End server, abort checks
    (currently all CERN IPs).
  • IP checks
    • Reject if the IP is listed in IPBadBoys.
    • Reject if no Reverse DNS is configured for the
      IP.
    • Reject if the domain (given by reverse DNS) is
      listed in SpamDomains.
    • Reject if the IP is currently flooding.
  • From (envelope From) checks
    • Reject if From is listed in Spammers.
    • Reject if no MX is configured for the From
      domain.
    • Reject if From is currently flooding.
    • Reject if no Reverse SMTP Connect.

RCPT TO
  • If the IP is a Back-End server, abort checks.
  • To checks
    • Reject if the domain is not listed in
      RelayDomains.
    • Reject if To is listed in SpamDests.
    • Reject if To is currently flooding.

EOD (End Of Data)
  • If the IP is a Back-End server, abort checks and
    log the outgoing message.
  • From (real displayed From) checks
    • Reject if From is listed in Spammers.
    • Reject if no MX is configured for the From
      domain.
    • Reject if From is currently flooding.
  • Add an X-External header if the IP is not listed
    in Inside CERN IP.
  • Send the mail to the SpamKiller servers
    • Write the score in the Keywords header.
    • If Spam, rewrite the subject if the recipient
      matches the configuration.
    • If Spam, change the recipient if it matches
      the configuration.
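
The MAIL FROM checks and the "500 mails in 10 minutes" flood rule above, as an added Python example that is not CERN's event-sink code: the list names follow the slide, while the SMTP reply codes, the 600-second window and the DNS lookups (FakeDNS, so it runs offline) are assumptions.

```python
"""Added example (not CERN's event-sink code): the slides' MAIL FROM checks and
the "500 mails in 10 minutes" flood rule as a policy function; DNS is injected."""
from collections import deque

class FloodDetector:
    """Sliding-window counter per key (IP, envelope From or To)."""
    def __init__(self, limit=500, window=600):   # 500 mails / 10 minutes
        self.limit, self.window, self.hits = limit, window, {}

    def hit(self, key, now):
        """Record one event for key; return True once key is flooding."""
        q = self.hits.setdefault(key, deque())
        q.append(now)
        while q[0] <= now - self.window:          # expire old events
            q.popleft()
        return len(q) >= self.limit

def check_mail_from(ip, sender, now, cfg, dns, flood):
    """Return None to accept, or (smtp_code, reason) to reject the command.
    Codes are assumptions: 550 for list/DNS rejects, 450 so floods are retried."""
    if ip in cfg["BackEndIPs"]:                   # trusted server: abort checks
        return None
    if ip in cfg["IPBadBoys"]:
        return (550, "IP listed in IPBadBoys")
    rdns = dns.reverse_dns(ip)
    if not rdns:
        return (550, "no reverse DNS configured for IP")
    if any(rdns == d or rdns.endswith("." + d) for d in cfg["SpamDomains"]):
        return (550, "reverse DNS domain listed in SpamDomains")
    if flood.hit(ip, now):
        return (450, "IP is currently flooding")
    sender = sender.lower()
    if sender in cfg["Spammers"]:
        return (550, "From listed in Spammers")
    if not dns.has_mx(sender.rpartition("@")[2]):
        return (550, "no MX configured for From domain")
    if flood.hit(sender, now):
        return (450, "From is currently flooding")
    return None

class FakeDNS:
    """Constructed lookups standing in for real PTR and MX queries."""
    def reverse_dns(self, ip):
        return {"192.0.2.10": "mx.example.net", "192.0.2.20": "relay.bad.test"}.get(ip)
    def has_mx(self, domain):
        return domain in ("example.net", "bad.test")

CFG = {"BackEndIPs": {"10.0.0.5"}, "IPBadBoys": {"198.51.100.1"},
       "SpamDomains": {"bad.test"}, "Spammers": {"spammer@example.net"}}
```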

11
Benefits
  • SMTP Gateways have 100% uptime, due to load
    balancing.
  • Floods (every day!) are automatically detected
    and blocked.
  • Automatically generated graphs and mail queue
    monitoring quickly show any problem.
  • Configuration and log files can easily be checked
    by the Helpdesk if any problem is raised.

12
Gateways statistics
1-day statistics on the SMTP gateways: CERN
receives 84% Spam (92% on week ends)! But 81% is
rejected.
Huge increase of mails rejected due to forbidden
attachments, from 15pm to 3am: this is a virus
attack!
Classic day: "No Reverse DNS" is the number one
reject reason, except when a flood is detected.
13
Agenda
  • Exchange 2003 upgrade
  • Mail Gateways upgrade
  • Spam Fighting Evolution

14
Current Status
  • Content based detection is not worth improving
    • Increasing it by 1% requires a lot of work,
      and may produce false positives.
  • Focus on low level Spam rejection
    • Reverse DNS check activated on 15th June: Spam
      rejection increased from 55% to 85%.
    • Reverse SMTP Connect rule activated on 6th
      October.
  • Next steps
    • Try and identify new techniques: SPF, SenderID,
      DomainKeys.
    • Try to reject evident Spams detected by
      SpamKiller, the CERN content based Spam
      detection engine.

15
Reverse SMTP Connect
  • Reverse SMTP Connect process
    • The CERN mail gateway receives a mail from
      bob_at_domain.com
    • The CERN mail gateway simulates a reply to
      bob_at_domain.com by trying to connect to the
      SMTP server responsible for domain.com (MX)
    • If the connection succeeds, the mail is
      accepted.
    • If the connection fails, the mail is rejected
      with a temporary error; if the remote server
      has temporary problems, the mail will be
      resent.
  • 25% of mails that we currently accept could be
    rejected with this rule.
  • No false positives detected.
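
The Reverse SMTP Connect process above, as an added Python example that is not part of the original presentation: the MX lookup and the SMTP client are injected (FakeSMTP is a constructed stand-in for smtplib.SMTP so the code runs offline), and the per-domain cache TTLs, the reply codes and the HELO name are assumptions.

```python
"""Added example (not CERN's gateway code): the slide's Reverse SMTP Connect
check, with the MX lookup and the SMTP client injected so it runs offline."""
import smtplib

class ReverseSmtpConnect:
    """Accept a sender only if an MX of its domain accepts an SMTP connection.
    Verdicts are cached per domain (TTLs are assumptions) to avoid re-probing."""
    def __init__(self, resolve_mx, smtp_factory=smtplib.SMTP, ttl_ok=3600,
                 ttl_fail=300, helo_name="gateway.example.org", timeout=10):
        self.resolve_mx, self.smtp_factory = resolve_mx, smtp_factory
        self.ttl_ok, self.ttl_fail = ttl_ok, ttl_fail
        self.helo_name, self.timeout, self.cache = helo_name, timeout, {}

    def check(self, sender, now):
        """Return (accept, smtp_code, reason). A connection failure yields a 4xx
        temporary error, so a remote with a passing problem gets the mail resent."""
        domain = sender.rpartition("@")[2].lower()
        cached = self.cache.get(domain)               # (expires, verdict)
        if cached and cached[0] > now:
            return cached[1]
        verdict = self._probe(domain)
        self.cache[domain] = (now + (self.ttl_ok if verdict[0] else self.ttl_fail), verdict)
        return verdict

    def _probe(self, domain):
        mx_hosts = self.resolve_mx(domain)            # MX hosts in preference order
        if not mx_hosts:
            return (False, 550, "no MX configured for %s" % domain)
        errors = []
        for host in mx_hosts:
            try:
                with self.smtp_factory(host, 25, timeout=self.timeout) as s:
                    code, _ = s.helo(self.helo_name)  # QUIT is sent on exit
                    if code == 250:                   # the MX is reachable: accept
                        return (True, 250, "reverse connect to %s succeeded" % host)
                    errors.append("%s answered %d to HELO" % (host, code))
            except (OSError, smtplib.SMTPException) as exc:
                errors.append("%s: %s" % (host, exc))
        return (False, 451, "reverse connect failed, retry later: " + "; ".join(errors))

class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP: only hosts in `up` accept connections."""
    up = {"mx1.example.net"}
    def __init__(self, host, port, timeout):
        if host not in self.up:
            raise OSError("connection refused by %s" % host)
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def helo(self, name): return (250, b"ok")
```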

16
Future Standards
  • Solutions being investigated
    • SPF (Sender Policy Framework) and its Unified
      SPF evolution (the main problem of SPF is that
      it does not support forwarding).
    • SenderID: merge of SPF and MS Caller-ID.
    • DomainKeys, proposed by Yahoo
      • Google put this idea into production TODAY!
  • All these new standards allow detection of mail
    sender forgery
    • They will not block Spam
    • A validated check DOES NOT mean it is not a
      Spam.