Firewall Wizards mailing list archives
Re: regarding spam...
From: "Echo OnLine Administration (K.H)" <admin () eol ca>
Date: Wed, 3 Apr 2002 21:27:51 -0800
I've read over some of the comments on the list regarding spam and intrusion protection and figured I would share some of what we do and are implementing.

For spam we have personally had good luck using a third party called Postini (http://www.postini.com). They do basically exactly what everyone is describing. The problem is they are fairly expensive. Their filters catch 80-90% of the spam when set to aggressive and all options are turned on. They are missing a few key items for spam filtering that I asked them to add months ago but haven't seen yet:

1) The option to reject all mail if the sender is NOT in your address book.
2) The ability to require a password for those not in your address book, i.e. reject the mail asking to resend with XXX in the subject. Auto change it daily, weekly, monthly or as needed.
3) Reject all messages where you are not in the To: or CC: list. (I know this causes problems with mailing lists and Bcc, but some people don't use mailing lists and Bcc's, especially for personal mail.)

Other items that are problems:

1) Spammers started bypassing the MX servers, which Postini mentioned, so I had to remove my local fallback MX.
2) Spammers started addressing the machine directly (had to block all SMTP that did not come from a local address or Postini).
3) Delay in getting email; sometimes mail is delayed up to 5 minutes when arriving, but not that often (usually when they are hit with an attack, but then again if we took the attack it would probably still happen).

For intrusion detection we are trying to use Snort (http://www.snort.org). What we want to do is have Snort log to a database and have our services filter against this database. Example: if someone hits the mail threshold it will log the incident in a MySQL table. The mail server will query this MySQL table for IPs to deny (Postfix supports MySQL access lists). If the IP is listed Postfix rejects the mail.

The challenge is override lists so you can allow certain hosts to have higher limits (you can do this with local rules in Snort but that's a pain), resetting the SMTP count when a user logs off a port (on RADIUS disconnect delete the entry for the local dial-up port) and database maintenance scripts to delete entries after a period of time. We plan to do similar things with all of our services.

Preventing local SMTP abuse (what we plan to do):

1) Redirect all outgoing SMTP to a local server (using a layer 4 switch).
2) Have that local server impose number-of-recipient and size limits etc.
3) Limit each user to a number of messages they can send per day.
4) Block ALL incoming SMTP to dynamic IP clients.
5) Block incoming SMTP to static IP clients who have not passed an open relay test.

Problems to overcome:

1) Data harvesting. When we receive a defined number of failed "RCPT TO:" commands from an IP we need to drop the session and block future connects for X period of time (a Snort solution may handle this if we can get a working Snort rule written).
2) Better ability to count messages per customer. You can count by IP but that doesn't count by user unless it is a static IP customer. I need to be able to summarize from multiple sessions.
3) Better logs. Which IP sent that message? The mail logs show a process ID; you then have to go back further in the log to find the IP associated with that process (need a good log summarizer).

Others:

1) Limit all outgoing packets to source IPs that belong in your network (i.e. block spoofed IPs).
2) Rate limit ICMP to a reasonable amount.
3) Block ICMP redirects and source routed packets.
4) Block / filter bad packets incoming and outgoing (bad checksums, fragmented, too large, bad offsets etc.).

Kelvin

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
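The post above asks for three things in one place: a log summarizer that joins a process ID back to the client IP that opened the session, a per-IP count of messages and failed RCPT TO commands that can be compared against a threshold with an override list for trusted hosts, and a deny table with expiry plus a maintenance pass. The following is an added example written for this page, not code from Kelvin, Postini, Snort or Postfix. The log lines are constructed in a simplified syslog-like shape (not claimed to match exact Postfix output), and the IP addresses, limits, override table and block period are assumptions; in the design the post describes, the deny table would live in MySQL and be consulted through a Postfix access map rather than held in a Python dict.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified, not exact Postfix syntax). Only the
# "connect from" line carries the client IP; later lines from that smtpd
# process carry just the PID. PID 4101 is reused for a second client after
# its first session disconnects, so the PID->IP map must be session-scoped.
SAMPLE_LOG = """\
Apr  3 21:01:02 mx postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Apr  3 21:01:03 mx postfix/smtpd[4102]: connect from mail.example.net[198.51.100.7]
Apr  3 21:01:04 mx postfix/smtpd[4101]: reject: RCPT to=<aaa@example.org>: 550 User unknown
Apr  3 21:01:05 mx postfix/smtpd[4101]: reject: RCPT to=<aab@example.org>: 550 User unknown
Apr  3 21:01:06 mx postfix/smtpd[4101]: reject: RCPT to=<aac@example.org>: 550 User unknown
Apr  3 21:01:07 mx postfix/smtpd[4102]: 7F3A21C: message accepted from=<bob@example.net>
Apr  3 21:01:08 mx postfix/smtpd[4102]: 7F3A21D: message accepted from=<bob@example.net>
Apr  3 21:01:09 mx postfix/smtpd[4102]: disconnect from mail.example.net[198.51.100.7]
Apr  3 21:01:10 mx postfix/smtpd[4101]: disconnect from unknown[192.0.2.10]
Apr  3 21:02:00 mx postfix/smtpd[4101]: connect from unknown[203.0.113.9]
Apr  3 21:02:01 mx postfix/smtpd[4101]: 7F3A21E: message accepted from=<carol@example.com>
Apr  3 21:02:02 mx postfix/smtpd[4101]: disconnect from unknown[203.0.113.9]
"""

LINE_RE = re.compile(r'^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ '
                     r'postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CONNECT_RE = re.compile(r'^connect from \S+\[(?P<ip>[0-9.]+)\]$')
REJECT_RCPT_RE = re.compile(r'^reject: RCPT to=<')
ACCEPTED_RE = re.compile(r'^[0-9A-F]+: message accepted ')

# Assumed limits; the override list lets trusted hosts have higher ones.
DEFAULT_LIMITS = {"messages": 50, "failed_rcpt": 3}
OVERRIDES = {"198.51.100.7": {"messages": 1000, "failed_rcpt": 20}}
BLOCK_FOR = timedelta(hours=1)                    # assumed block period
REFERENCE_NOW = datetime(2002, 4, 3, 21, 5, 0)   # "now" for the sample run


def summarize(log_text):
    """Return {ip: {"messages": n, "failed_rcpt": n}}, joining each line to
    the IP its smtpd PID was serving when the line was written."""
    pid_to_ip = {}
    counts = defaultdict(lambda: {"messages": 0, "failed_rcpt": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not an smtpd line
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            pid_to_ip[pid] = c.group("ip")  # session start: learn the IP
            continue
        ip = pid_to_ip.get(pid)
        if ip is None:
            continue                        # connect line not in this window
        if msg.startswith("disconnect from "):
            del pid_to_ip[pid]              # PIDs get reused: drop stale map
        elif REJECT_RCPT_RE.match(msg):
            counts[ip]["failed_rcpt"] += 1  # directory-harvesting signal
        elif ACCEPTED_RE.match(msg):
            counts[ip]["messages"] += 1
    return dict(counts)


def deny_entries(counts, now, block_for=BLOCK_FOR):
    """Build the deny table {ip: (reason, expires)} for IPs over a limit."""
    deny = {}
    for ip, c in counts.items():
        lim = {**DEFAULT_LIMITS, **OVERRIDES.get(ip, {})}
        for key in ("failed_rcpt", "messages"):
            if c[key] >= lim[key]:
                deny[ip] = (key, now + block_for)
                break
    return deny


def is_denied(deny, ip, now):
    """The check a mail server would make before accepting a session."""
    entry = deny.get(ip)
    return entry is not None and entry[1] > now


def expire(deny, now):
    """Maintenance pass: keep only entries whose block period is still open."""
    return {ip: e for ip, e in deny.items() if e[1] > now}


def reset_ip(counts, ip):
    """On e.g. a RADIUS disconnect the dial-up IP changes hands: forget it."""
    counts.pop(ip, None)


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    deny = deny_entries(counts, REFERENCE_NOW)
    for ip, c in sorted(counts.items()):
        state = "DENY" if is_denied(deny, ip, REFERENCE_NOW) else "ok"
        print(f"{ip:15} messages={c['messages']} failed_rcpt={c['failed_rcpt']} {state}")
```

Run stand-alone it lists three clients: 192.0.2.10 is denied after three failed RCPT TO commands, 198.51.100.7 stays allowed because the override list raises its limits, and 203.0.113.9 is correctly charged for the message it sent even though it reused PID 4101. Clearing the PID map on disconnect is the detail that makes the PID-to-IP join safe; without it the first client's IP would be blamed for the second client's traffic.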