Reclaiming the Inbox with
Open Source Tools for Email Systems

Sean Reifschneider

tummy.com, ltd.

Introduction

• Overview of spam
• Overview of techniques
• Details of 11 anti-spam techniques
• Oriented towards servers
• Mostly theory, little implementation
• Some final thoughts

What:

• Unwanted e-mail: UCE and Viruses
• Attack on the Internet
• 80 to 90% of e-mail traffic
• SMTP not up to the task but hard to replace

Why?

• Hard to block
• Cheap to send
• "Guaranteed" delivery
• It works
• Don't let it work

Terminology

• False Positive -- Non-spam marked as spam
• False Negative -- Spam that gets through
• Accuracy
• MUA/MTA
• Expensive -- Resources, not dollars

How to block it

• Server-side
• Client-side
• Third party/Outsourced

Techniques: Content-based

• Rules
• Distributed Checksum
• Bayesian/Learning
• Anti-virus
• DomainKeys/DKIM

Techniques: Connection-based

• Greylisting
• DNSBL
• Black/White Lists
• SPF

Techniques: Others

• Proof of Work
• Challenge/ACK (TMDA)
• Habeas
  http://habeas.com/

Greylisting

• http://greylisting.org/
• Description
• Self-tuning (mostly)
• Blocks spammers that try once
• Blocks broken mail servers
• Catches some viruses
• Allows time for DCC systems to work
• Low false-positive rate
• Cheap to run
• High rejection rate (85%)

DNSBL

• Many different lists to pick from
• Relies on network access to run
• Can introduce latencies
• Best as part of a weighting system
• Inexpensive in resources
• High False Positives

Black/White List

• Maintained by user, usually
• High accuracy
• Inexpensive to run
• Expensive to maintain

SPF

• http://spf.pobox.com/
• Incorporates E-mail CallerID
• Prevents spoofed sender addresses
• Domain owner publishes mail server information
• Problematic for forwarding mail
• Works around problems in SMTP
• Inexpensive to run
• Low to no false positives when set up properly

DomainKeys/DKIM

• http://antispam.yahoo.com/domainkeys
• http://www.elandsys.com/resources/sendmail/dkim.html
• Messages signed by domain owner
• E-mail servers sign outgoing messages
• Similar goals to SPF
• Works through forwarding
• Harder than SPF when third-parties send mail from your domain

Distributed Checksums

• Message signatures sent/checked
• Looks for similar messages sent widely
• Distributed Checksum Clearinghouse
  http://rhyolite.com/anti-spam/dcc/
• Vipul's Razor
  http://razor.sourceforge.net/
• Pyzor
  http://pyzor.sourceforge.net/

Bayesian/Learning

• DSPAM
  http://www.nuclearelephant.com/projects/dspam/
• CRM-114
  http://crm114.sourceforge.net/
• SpamBayes
  http://spambayes.sourceforge.net/
• Somewhat expensive to run
• Requires training
• Can have very high accuracy

Anti-virus

• ClamAV
  http://www.clamav.net/
• Many commercial offerings
• Low false positive rate
• Never send warning replies except in SMTP
• Expensive to run

Hashcash

• http://www.hashcash.org/
• Proof of work
• Few messages or many CPUs
• Low false positives
• Expensive to generate
• Cheap to check
• Can be added to MUAs or MTAs

Tagged Message Delivery Agent/Confirmation

• http://tmda.sourceforge.net/
• Whitelist addresses you send to
• Require sender to confirm messages
• Relies on envelope sender address
• Can lead to mailing loops
• Best when combined with other mechanisms
• Low false positives
• Expensive to run

Rules

• SpamAssassin
• Regular expressions and the like
• Easily fooled
• /\b(?:join|register|order|apply) .{0,10}(?-i:T)oday\b/i
• /\bunclaimed (?:funds|money|prizes?|rewards?)\b/i
• Expensive to run
• High falses
• Spammers regularly check their messages against these

SpamAssassin

• http://spamassassin.apache.org/
• Score-based
• Combination of Techniques:
  • DCC/Razor/Pyzor
  • DNSBL
  • Bayesian
  • Hashcash (26-bits gives -5 advantage)
  • SPF
  • Rules
• Good DNSBL Implementation
• Expensive to run
• Slow response to new messages
• High falses

Combination Approach

• Inexpensive, high accuracy checks first
• Run expensive checks later
• TMDA is a good replacement for quarantine
• Reject in SMTP where possible

Put Users in Control

• One size rarely fits all
• SquirrelMail Plugins (http://www.squirrelmail.org/)
• DSPAM phpControlCenter
  (http://www.michaelthompson.org/dspam/)
• SA-useradmin (http://www.gallowglass.org/)
• vPostMaster (http://www.tummy.com/Products/vpostmaster/)

Conclusion

• Many techniques
• Success is possible
• Every user is different

Thanks for Attending

• Please fill out talk surveys
• Slides at: http://www.tummy.com/Community/Presentations/