Page 1: Build Your Own Spam Firewall

Build Your Own Spam Firewall Using Postfix & SpamAssassin

Zach Levow, VP Engineering

April 20, 2005 / SecureIT


Page 2: Build Your Own Spam Firewall

Agenda
- Introduction to Barracuda Networks (10 min)
- Building a security appliance using open source technologies (10 min)
- Anti-spam technologies (40 min)
- System considerations (10 min)
- Q/A

Page 3: Build Your Own Spam Firewall

Company Background
- Mission: deliver easy-to-use and cost-effective solutions for protecting email servers
- Founded December 2002; research and development since 2001
- Barracuda Spam Firewall launched October 2003
- Barracuda Spyware Firewall launched April 2005
- Headquarters in Cupertino, California
- Offices in Europe (UK), China (Shanghai), Canada, Australia, India, Pakistan, United Arab Emirates (Dubai), and USA
- 100+ employees worldwide; experienced management & development team
- Privately funded, profitable
- Market leader: 14,000 customers worldwide

Page 4: Build Your Own Spam Firewall

Barracuda Spam Firewall
- Comprehensive email protection: blocks spam and viruses
- Integrated hardware and software solution
- Ease of use: plug-and-play, no changes needed to email servers
- Enterprise features: reliable and robust
- Aggressively priced: no per-user licensing fees
- Market-leading anti-spam appliance, launched Oct. 13, 2003

Page 5: Build Your Own Spam Firewall

Barracuda Spam Firewall - Outbound Edition
- Comprehensive MTA; includes Barracuda Spam Firewall features
- Easy to use and configure (web interface)
- Secure reporting and logging
- Stops virus proliferation
- Enforces corporate & regulatory policies: foul language and security, HIPAA, Sarbanes-Oxley
- Prevents spamming & open relay function
- Launched Jan. 17, 2005

Page 6: Build Your Own Spam Firewall

Barracuda Spyware Firewall
- Features: gateway appliance; powerful, easy to use & install; intuitive user interface
- Affordable: prices starting at $1,999
- Available in five models: Spyware Firewall 210 ($1,999), Spyware Firewall 310 ($3,299), Spyware Firewall 410 ($5,999)
- Inline hardware appliance
- Complete scalability for growing organizations

Page 7: Build Your Own Spam Firewall

Customers

Page 8: Build Your Own Spam Firewall

Cardinal Rules of Spam Filtering
- No false positives! A false positive where the sender is not notified is even worse.
- Reject rather than bounce.
- Don't assume everyone's mail looks like yours.

Page 9: Build Your Own Spam Firewall

Open Source Technical Issues
- Immature products: one size does not fit all
- Mature products: bloated codebase, hard to maintain
- Security issues
  - Pro: an active community will find and fix security issues.
  - Con: an active community will introduce security flaws.
  - Con: publishing your source does expose you to more exploits.
- Hackers go for the lowest common denominator.
- Chroot, chroot, chroot: it's always worth it.

Page 10: Build Your Own Spam Firewall

Open Source Business Issues
- Giving back to the community
  - Many changes aren't for everyone
  - Extra time to polish changes for contribution
- Separating proprietary technology
  - Configuration files are yours
  - Absolutely no linking if you don't want to share.

Page 11: Build Your Own Spam Firewall

Anti-spam Technologies
- Intent analysis
  - Open alternative: SURBL (Bill Stearns' URL blacklist)
  - Real-time query performance issues
- RBLs: Spamhaus is the only list with minimal false positives
- SpamAssassin rules updates
- SPF
- Rate control/throttling
- Virus scanning
- Several fairly good open source solutions... No one solution catches all... Combine them.
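The slide names two DNS-based lookups, an RBL keyed on the connecting client's IP and SURBL keyed on the domains of URLs found in the message body, and both are queried by constructing a DNS name. The following is an added example, not code from the talk or from Barracuda, showing how those query names are built and combined into one verdict. The resolver is an in-memory table of constructed answers so the block runs offline; a real deployment would replace fake_resolve with an actual DNS lookup, and the two-label "registrable domain" rule in surbl_query_name is a deliberate simplification (real SURBL clients consult a list of two- and three-level public suffixes such as co.uk).

```python
import re

# Constructed answers standing in for DNS. Listed names resolve to a
# 127.0.0.x address, unlisted names to nothing (NXDOMAIN).
FAKE_ANSWERS = {
    "4.3.2.198.zen.spamhaus.org": "127.0.0.2",          # constructed: 198.2.3.4 is listed
    "example-pharma.test.multi.surbl.org": "127.0.0.8", # constructed: domain is listed
}


def fake_resolve(name):
    """Stand-in resolver: return the A record for name, or None if unlisted."""
    return FAKE_ANSWERS.get(name)


URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def rbl_query_name(ip, zone="zen.spamhaus.org"):
    """RBL lookups reverse the octets: 198.2.3.4 -> 4.3.2.198.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def surbl_query_name(host, zone="multi.surbl.org"):
    """SURBL lookups use the registrable domain, not the full hostname.

    Simplification: take the last two labels. Production code must use a
    public-suffix list so that e.g. example.co.uk is not reduced to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone


def extract_url_hosts(body):
    """Unique, lower-cased hostnames of every http(s) URL in the body."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(body)})


def check_message(client_ip, body, resolve=fake_resolve):
    """Return a list of (list_name, value) hits for the connecting IP and body URLs."""
    hits = []
    if resolve(rbl_query_name(client_ip)):
        hits.append(("RBL", client_ip))
    for host in extract_url_hosts(body):
        if resolve(surbl_query_name(host)):
            hits.append(("SURBL", host))
    return hits


if __name__ == "__main__":
    # Constructed sample: listed client IP and a body with a listed URL domain.
    print(check_message("198.2.3.4", "Buy now http://www.example-pharma.test/deal"))
```

Because each hit costs a network round trip per message (the "real-time query performance issues" on the slide), a production filter caches answers for their DNS TTL and bounds the number of distinct hosts it will query per message, so a body stuffed with hundreds of URLs cannot turn the lookup into a self-inflicted delay.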

Page 12: Build Your Own Spam Firewall

Anti-Spam Technologies (Cont.)
- Bayesian
  - International charsets: IBM's ICU library is very efficient
  - Token chaining is crucial
  - Per-user Bayes is very important
  - Noise reduction is very helpful
  - Pro: most proactive anti-spam technique
  - Con: troubleshooting is usually a nightmare! Make user classification easy.
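To make the three Bayesian bullets concrete (token chaining, per-user statistics, noise reduction), here is an added example of a small Bayesian classifier; it is not the talk's or SpamAssassin's implementation. Chaining is done by adding adjacent-token pairs to each message's token set, per-user isolation by keeping one BayesStore per mailbox, and noise reduction by discarding tokens whose spam probability sits near 0.5 before combining the remaining evidence. The smoothing formula is Gary Robinson's f(w) with s=1 and x=0.5; the final combination is a simple log-odds product, chosen for readability rather than the chi-square combining real filters use. Training data in the test is constructed.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[^\W_]+", re.UNICODE)  # Unicode-aware word tokens


def tokenize(text, chain=True):
    """Lower-cased word tokens; with chaining, each adjacent pair 'a b' is a token too."""
    words = TOKEN_RE.findall(text.lower())
    tokens = set(words)
    if chain:
        tokens.update(f"{a} {b}" for a, b in zip(words, words[1:]))
    return tokens


class BayesStore:
    """Token statistics for one user. Counts are per document, not per occurrence."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def token_prob(self, tok):
        """P(spam | token), smoothed towards 0.5 for rarely seen tokens (Robinson, s=1, x=0.5)."""
        s_count = self.spam_tokens[tok]
        h_count = self.ham_tokens[tok]
        n = s_count + h_count
        if n == 0:
            return None  # never seen by this user: carries no evidence
        p_spam = s_count / max(self.spam_docs, 1)
        p_ham = h_count / max(self.ham_docs, 1)
        p = p_spam / (p_spam + p_ham)
        return (0.5 + n * p) / (1 + n)

    def score(self, text, noise_band=0.1, max_tokens=15):
        """Spam probability in [0, 1]; 0.5 means no usable evidence."""
        probs = []
        for tok in tokenize(text):
            p = self.token_prob(tok)
            if p is None or abs(p - 0.5) < noise_band:
                continue  # noise reduction: drop tokens that say nothing either way
            probs.append(p)
        if not probs:
            return 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:max_tokens]  # keep only the most decisive tokens
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1 - p) for p in probs)
        return 1 / (1 + math.exp(log_ham - log_spam))


class PerUserBayes:
    """One store per mailbox, so a user's own mail defines their own 'normal'."""

    def __init__(self):
        self.stores = {}

    def store(self, user):
        return self.stores.setdefault(user.lower(), BayesStore())
```

The per-user split is what the slide calls "very important": a single shared store would let one department's legitimate newsletters be trained as spam by everyone else, which is exactly the kind of false positive the cardinal rules forbid. The `score` output is meant to feed a threshold or a points-based system such as SpamAssassin's, not to be the only verdict.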

Page 13: Build Your Own Spam Firewall

Controversial Anti-Spam Techniques
- Graylisting
  - Pro: very effective at blocking spam
  - Con: potentially delays all messages from new senders by several hours
  - Con: spammers know how to defeat it, but most don't yet
- Tarpitting
  - Pro: effective at slowing down dictionary attacks
  - Con: will bury a busy system if a process or thread is required per connection.
- Challenge-response
  - Increases internet chatter
  - Unless linked to outbound SMTP, can lead to "deadlock"
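The graylisting bullets describe a policy, not code; the following added example (not from the talk or any named product) implements that policy as a decision function of the kind a Postfix policy daemon would expose. It keys on the (client network, sender, recipient) triplet, temporarily refuses the first attempt, and accepts once the same triplet retries after a delay, which is also why the technique obeys the "reject rather than bounce" rule on slide 8: the refusal happens during the SMTP session, so no bounce message is ever generated. The return strings follow Postfix's access-table actions (DEFER_IF_PERMIT and DUNNO); the /24 aggregation of the client address, the 5-minute delay and the 4-hour retry window are assumptions chosen for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    passed: bool = False


class Graylist:
    # Postfix access(5) actions: DEFER_IF_PERMIT issues a 4xx temporary failure
    # unless a later restriction rejects anyway; DUNNO lets later restrictions decide.
    DEFER = "DEFER_IF_PERMIT 4.7.1 Greylisted, please try again later"

    def __init__(self, delay=300, retry_window=4 * 3600, keep_known=35 * 86400):
        self.delay = delay                # seconds a new triplet must wait before retrying
        self.retry_window = retry_window  # give up on a triplet that never retries in time
        self.keep_known = keep_known      # how long to remember a triplet that passed
        self.entries = {}

    @staticmethod
    def _net(ip):
        # Assumption: legitimate MTAs often retry from a different host in the same
        # pool, so the triplet uses the /24 rather than the exact address.
        return ".".join(ip.split(".")[:3])

    def decide(self, client_ip, sender, recipient, now=None):
        """Return the policy action for one RCPT TO attempt."""
        now = time.time() if now is None else now
        key = (self._net(client_ip), sender.lower(), recipient.lower())
        e = self.entries.get(key)
        if e is None or (not e.passed and now - e.first_seen > self.retry_window):
            # First contact, or a stale attempt that never retried: start the clock.
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return self.DEFER
        e.last_seen = now
        if e.passed or now - e.first_seen >= self.delay:
            e.passed = True  # a real queue retried after the delay; remember it
            return "DUNNO"
        return self.DEFER  # retried too early (or a spam engine hammering the server)

    def expire(self, now=None):
        """Drop stale triplets; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [
            k for k, e in self.entries.items()
            if (e.passed and now - e.last_seen > self.keep_known)
            or (not e.passed and now - e.first_seen > self.retry_window)
        ]
        for k in stale:
            del self.entries[k]
        return len(stale)


if __name__ == "__main__":
    g = Graylist()
    t = 1_700_000_000.0  # constructed clock so the run is reproducible
    print(g.decide("192.0.2.10", "alice@example.org", "bob@example.com", now=t))
    print(g.decide("192.0.2.10", "alice@example.org", "bob@example.com", now=t + 400))
```

The delay on the slide ("several hours" for new senders) comes from the sender's retry schedule, not from this code: the filter only insists on some retry after `delay` seconds, and a sending MTA that backs off for hours is what stretches the wait. The `expire` pass is what keeps the table bounded; without it a high-volume gateway accumulates one entry per spam attempt.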

Page 14: Build Your Own Spam Firewall

DNS MX Records
- Example MX records:
  barracudanetworks.com MX preference = 10, mail exchanger = barracuda2.barracudanetworks.com
  barracudanetworks.com MX preference = 10, mail exchanger = barracuda.barracudanetworks.com
- SMTP is great for load-balancing/failover: put as many systems as you like at the same "preference" and all known clients will round-robin until they find an available system.
- DON'T LEAVE YOUR MAIL SERVER AS A BACKUP MX FOR YOUR SPAM FILTER!! Spammers will attack it directly.
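The two points on this slide, equal-preference MX hosts being tried in random order and the mail server never being reachable as a backup MX, can both be checked from a zone's MX records. The following added example (not from the talk) parses records in the nslookup-style format the slide shows, produces the delivery order a sending MTA would use, and audits the record set against the list of hosts that are actually spam filters. The domain and hostnames in SAMPLE_NSLOOKUP are constructed for the example.

```python
import random
import re

# Constructed sample in the format the slide shows. The third record is the
# mistake the slide warns about: the real mail server exposed as a backup MX.
SAMPLE_NSLOOKUP = """\
example.com MX preference = 10, mail exchanger = filter1.example.com
example.com MX preference = 10, mail exchanger = filter2.example.com
example.com MX preference = 20, mail exchanger = mail.example.com
"""

MX_LINE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)\s*$")


def parse_mx(text):
    """Return [(preference, host), ...] for every MX line in nslookup-style output."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).lower().rstrip(".")))
    return records


def delivery_order(records, seed=None):
    """Order hosts as a sending MTA tries them: lowest preference first,
    equal preferences shuffled so load spreads across the filters."""
    rng = random.Random(seed)
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        order.extend(group)
    return order


def audit_backup_mx(records, filter_hosts):
    """Return MX entries that are not spam filters. Any such host is reachable
    directly by anyone who reads the zone, bypassing the filter entirely."""
    filters = {h.lower().rstrip(".") for h in filter_hosts}
    return [(pref, host) for pref, host in records if host not in filters]


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_NSLOOKUP)
    print("delivery order:", delivery_order(recs))
    print("non-filter MX hosts:", audit_backup_mx(recs, {"filter1.example.com", "filter2.example.com"}))
```

The audit only detects the published record; the complementary control is on the mail server itself, which should accept port 25 connections solely from the filters' addresses so that even a stale or mistaken MX entry cannot route mail around them.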

Page 15: Build Your Own Spam Firewall

Phishing
- No link should ever say that it is HTTPS in a message and then actually link to a non-HTTPS page.
- Relatively small list of known scams: fairly easy to keep up with if you have a good sample of email. It is worth the effort.

Page 16: Build Your Own Spam Firewall

Quarantine
- Effective tool for reducing "false positives" while increasing catch rate.
- Best if integrated with directory services so that a user with multiple email addresses only has one quarantine box.
- No perfect open-source solution: need web interface; should send daily digest.

Page 17: Build Your Own Spam Firewall

Per-User Settings
- Major reduction in administration if users can update personal allow/block lists, passphrases, etc.
- Again, best when integrated with directory services.
- User interface issues.

Page 18: Build Your Own Spam Firewall

System Considerations
- Databases:
  - Most open source databases are great for low-volume, general-purpose applications.
  - In high-load situations they all break down; specialized databases become necessary.
- High availability
  - Syncing of configurations (meta-data)
  - Syncing of quarantine information (data)

Page 19: Build Your Own Spam Firewall

System Considerations (Cont.)
- Hard drives
  - Typical drives will last 6-12 months under a constant and steady mail load.
  - Use RAID
  - Turn off write cache (hdparm)
- Filesystems
  - Use a journaling filesystem
  - Ext3: slow, but robust
  - XFS/ReiserFS: faster, but less robust
  - Mount with synchronous I/O (sync)

Page 20: Build Your Own Spam Firewall

Fighting Spam Can Be Effective
- False positives are not acceptable or necessary.
- Keep your spam rules and virus definitions up to date.
- Reduce your administration load and false positives/negatives by giving control to your users through personal settings and quarantine.

Page 21: Build Your Own Spam Firewall

Q/A