Firewall Wizards mailing list archives

Re: regarding spam...


From: "Echo OnLine Administration (K.H)" <admin () eol ca>
Date: Wed, 3 Apr 2002 21:27:51 -0800




I've read over some of the comments on the list regarding Spam and intrusion
protection and figured I would share some of what we do and are
implementing.


For Spam we have personally had good luck using a third party called Postini
(http://www.postini.com). They do basically exactly what everyone is
describing.  The problem is they are fairly expensive. Their filters catch
80-90% of the Spam when set to aggressive and all options are turned on.
They are missing a few key items for Spam filtering that I asked them
to add months ago but haven't seen yet.
1) The option to reject all mail if the sender is NOT in your address book.
2) The ability to require a password for those not in your address book, i.e.
reject the mail asking the sender to resend with XXX in the subject. Auto-change
the password daily, weekly, monthly or as needed.
3) Reject all messages where you are not in the To: or Cc: list. (I know this
causes problems with mailing lists and Bcc, but some people don't use mailing
lists and Bcc's, especially for personal mail.)

Other items that are problems
1) Spammers started bypassing the MX servers which Postini mentioned, so I had
to remove my local fallback MX.
2) Spammers started addressing the machine directly (I had to block all SMTP that
did not come from a local address or Postini).
3) Delay in getting email: sometimes mail is delayed up to 5 minutes when
arriving, but not that often (usually when they are hit with an attack, but
then again if we took the attack it would probably still happen).



For intrusion detection we are trying to use Snort (http://www.snort.org).
What we want to do is have Snort log to a database and have our services
filter against this database.

Example.  If someone hits the mail threshold it will log the incident in a
MySQL table.  The mail server will query this MySQL table for IPs to deny
(Postfix supports MySQL access lists). If the IP is listed, Postfix rejects the
mail.  The challenges are override lists so you can allow certain hosts to
have higher limits (you can do this with local rules in Snort but that's a
pain), resetting the SMTP count when a user logs off a port (on RADIUS
disconnect, delete the entry for the local dial-up port) and database maintenance
scripts to delete entries after a period of time.

We plan to do similar things with all of our services.


Preventing local SMTP abuse (what we plan to do)
1) Redirect all outgoing SMTP to a local server (using a layer 4 switch).
2) Have that local server impose number-of-recipient and size limits etc.
3) Limit each user for the number of messages they can send per day.
4) Block ALL incoming SMTP to dynamic IP clients.
5) Block incoming SMTP to static IP clients who have not passed an open
relay test.

Problems to overcome
1) Data harvesting: when we receive a defined number of failed "rcpt to:"
commands from an IP we need to drop the session and block future connects
for X period of time (the Snort solution may handle this if we can get a working
Snort rule written).
2) Better ability to count messages per customer.  You can count by IP but
that doesn't count by user unless it is a static IP customer. I need to be
able to summarize from multiple sessions.
3) Better logs. Which IP sent that message?  The mail logs show a process ID;
you then have to go back further in the log to find the IP associated with
that process (need a good log summarizer).

Others
1) Limit all outgoing packets to source IPs that belong in your network
(i.e. block spoofed IPs).
2) Rate limit ICMP to a reasonable amount.
3) Block ICMP redirect and source routed packets.
4) Block / filter bad packets incoming and outgoing (bad checksums,
fragmented, too large, bad offsets etc.).


Kelvin
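[Editor's added example, not part of Kelvin's post or of any Postfix, Snort or Postini code.] The post describes three pieces that fit together: a log summarizer that charges each smtpd event to the connecting IP by going back to the "connect from" line for that process ID, a harvesting threshold on failed RCPT TO commands per IP, and a deny table the MTA consults, with an override list for hosts allowed higher limits, a RADIUS-disconnect hook, and a maintenance job that expires old entries. The block below implements that pipeline end to end. Assumptions: the log lines are a constructed sample in the shape of Postfix smtpd syslog output, not a captured log; SQLite stands in for the MySQL table the post names (the schema, table names and the 3-failure / 1-hour defaults are the editor's choices); and the MTA-side hookup (Postfix querying the table through its MySQL access map) is represented by the `client_allowed` function rather than shown as Postfix configuration.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed sample in the shape of Postfix smtpd syslog lines (not a captured log).
SAMPLE_LOG = """\
Apr  3 21:20:01 mx postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Apr  3 21:20:02 mx postfix/smtpd[4101]: reject: RCPT from unknown[192.0.2.10]: 550 <aaa@example.net>: User unknown
Apr  3 21:20:02 mx postfix/smtpd[4101]: reject: RCPT from unknown[192.0.2.10]: 550 <aab@example.net>: User unknown
Apr  3 21:20:03 mx postfix/smtpd[4101]: reject: RCPT from unknown[192.0.2.10]: 550 <aac@example.net>: User unknown
Apr  3 21:20:03 mx postfix/smtpd[4101]: reject: RCPT from unknown[192.0.2.10]: 550 <aad@example.net>: User unknown
Apr  3 21:20:04 mx postfix/smtpd[4101]: disconnect from unknown[192.0.2.10]
Apr  3 21:21:10 mx postfix/smtpd[4107]: connect from relay.example.org[198.51.100.7]
Apr  3 21:21:11 mx postfix/smtpd[4107]: 7C1A2F: client=relay.example.org[198.51.100.7]
Apr  3 21:21:12 mx postfix/smtpd[4107]: reject: RCPT from relay.example.org[198.51.100.7]: 550 <old@example.net>: User unknown
Apr  3 21:21:13 mx postfix/smtpd[4107]: disconnect from relay.example.org[198.51.100.7]
"""

SMTPD_LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")   # (pid, event text)
CONNECT = re.compile(r"^connect from \S+\[([\d.]+)\]")       # only line we take the IP from
QUEUED = re.compile(r"^[0-9A-Za-z]+: client=")                # queue ID assigned: message accepted
FAILED_RCPT = re.compile(r"^reject: RCPT from ")              # one failed RCPT TO

def summarize(log_text):
    """Charge every smtpd event to the IP that the same PID connected from.

    This is the 'go back in the log to find the IP for this process' step done
    once in code: the PID->IP map is filled from 'connect from' and cleared on
    'disconnect from', because the PID is reused by the next client.
    """
    pid_to_ip = {}
    summary = defaultdict(lambda: {"failed_rcpt": 0, "queued": 0, "sessions": 0})
    for line in log_text.splitlines():
        m = SMTPD_LINE.search(line)
        if not m:
            continue
        pid, event = m.group(1), m.group(2)
        c = CONNECT.match(event)
        if c:
            pid_to_ip[pid] = c.group(1)
            summary[c.group(1)]["sessions"] += 1
            continue
        ip = pid_to_ip.get(pid)
        if ip is None:
            continue  # session started before this log chunk; cannot attribute it
        if FAILED_RCPT.match(event):
            summary[ip]["failed_rcpt"] += 1
        elif QUEUED.match(event):
            summary[ip]["queued"] += 1
        elif event.startswith("disconnect from"):
            pid_to_ip.pop(pid, None)
    return dict(summary)

# Editor's stand-in schema for the MySQL table the post describes (SQLite here).
SCHEMA = """
CREATE TABLE IF NOT EXISTS smtp_deny (
    ip TEXT PRIMARY KEY, reason TEXT NOT NULL, expires INTEGER NOT NULL);
CREATE TABLE IF NOT EXISTS smtp_override (
    ip TEXT PRIMARY KEY, failed_rcpt_limit INTEGER NOT NULL);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def apply_policy(conn, summary, now, default_limit=3, block_seconds=3600):
    """Turn per-IP counts into deny entries; an override row raises an IP's limit."""
    blocked = []
    for ip, counts in summary.items():
        row = conn.execute("SELECT failed_rcpt_limit FROM smtp_override WHERE ip=?", (ip,)).fetchone()
        limit = row[0] if row else default_limit
        if counts["failed_rcpt"] >= limit:
            conn.execute("INSERT OR REPLACE INTO smtp_deny VALUES (?,?,?)",
                         (ip, "%d failed RCPT" % counts["failed_rcpt"], now + block_seconds))
            blocked.append(ip)
    conn.commit()
    return sorted(blocked)

def client_allowed(conn, ip, now):
    """The per-connection lookup the MTA makes (Postfix would do it via its MySQL access map)."""
    row = conn.execute("SELECT expires FROM smtp_deny WHERE ip=?", (ip,)).fetchone()
    return row is None or row[0] <= now

def expire_entries(conn, now):
    """Maintenance job: delete entries whose block period has passed; returns rows removed."""
    cur = conn.execute("DELETE FROM smtp_deny WHERE expires <= ?", (now,))
    conn.commit()
    return cur.rowcount

def release_port(conn, ip):
    """RADIUS-disconnect hook: the dial-up IP is about to be reassigned, so clear its entry."""
    cur = conn.execute("DELETE FROM smtp_deny WHERE ip=?", (ip,))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    conn = open_db()
    now = 1017890000  # constructed epoch timestamp for the sample
    counts = summarize(SAMPLE_LOG)
    print(counts)
    print("blocked:", apply_policy(conn, counts, now))
    print("192.0.2.10 allowed:", client_allowed(conn, "192.0.2.10", now))
```

In the sample, the harvester at 192.0.2.10 fails four RCPT TO commands and is denied for an hour, while the legitimate relay with one bounce stays under the default limit; inserting a row into smtp_override lifts the limit for a host you trust, which is the override list the post calls painful to express as Snort local rules. Note that `client_allowed` treats an expired row as allowed even before the maintenance job runs, so a slow cron cycle never extends a block beyond its intended period.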

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards