Build Your Own Spam Firewall

  1. Build Your Own Spam Firewall Using Postfix & SpamAssassin
     Zach Levow, VP Engineering
     April 20, 2005 / SecureIT
  2. Agenda
     - Introduction to Barracuda Networks (10 min)
     - Building a security appliance using open source technologies (10 min)
     - Anti-spam technologies (40 min)
     - System considerations (10 min)
     - Q/A
  3. Company Background
     - Mission
       - Deliver easy to use and cost effective solutions for protecting email servers
     - Founded December 2002
       - Research and development since 2001
     - Barracuda Spam Firewall launch October 2003
     - Barracuda Spyware Firewall launch April 2005
     - Headquarters in Cupertino, California
       - Offices in Europe (UK), China (Shanghai), Canada, Australia, India, Pakistan, United Arab Emirates (Dubai), and USA
       - 100+ employees worldwide
       - Experienced management & development team
     - Privately funded
       - Profitable
     - Market leader
       - 14,000 customers worldwide
  4. Barracuda Spam Firewall
     - Comprehensive email protection
       - Blocks spam and viruses
       - Integrated hardware and software solution
     - Ease of use
       - Plug-and-play
       - No changes needed to email servers
     - Enterprise features
       - Reliable and robust
     - Aggressively priced
       - No per user licensing fees
     - Market leading anti-spam appliance
     Launched Oct. 13, 2003
  5. Barracuda Spam Firewall - Outbound Edition
     - Comprehensive MTA
     - Includes Barracuda Spam Firewall features
       - Easy to use and configure (web interface)
       - Secure
       - Reporting and logging
     - Stops virus proliferation
     - Enforces corporate & regulatory policies
       - Foul language and security
       - HIPAA, Sarbanes-Oxley
     - Prevents spamming & open relay function
     Launched Jan. 17, 2005
  6. Barracuda Spyware Firewall Features
     - Gateway appliance
     - Powerful, easy to use & install
       - Intuitive user interface
     - Affordable
       - Prices starting at $1,999
     - Available in five models:
       - Spyware Firewall 210 ($1,999)
       - Spyware Firewall 310 ($3,299)
       - Spyware Firewall 410 ($5,999)
     - Inline hardware appliance
     - Complete scalability for growing organizations
  7. Customers
  8. Cardinal Rules of Spam Filtering
     - No false positives!
     - A false positive where the sender is not notified is even worse
     - Reject rather than bounce
     - Don’t assume everyone’s mail looks like yours
  9. Open Source Technical Issues
     - Immature products: one size does not fit all
     - Mature products: bloated codebase – hard to maintain
     - Security issues
       - Pro: an active community will find and fix security issues.
       - Con: an active community will introduce security flaws.
       - Con: publishing your source does expose you to more exploits. Hackers go for the lowest common denominator.
       - Chroot, chroot, chroot – it’s always worth it.
  10. Open Source Business Issues
     - Giving back to the community
       - Many changes aren’t for everyone
       - Extra time to polish changes for contribution
     - Separating proprietary technology
       - Configuration files are yours
       - Absolutely no linking if you don’t want to share.
  11. Anti-spam Technologies
     - Intent analysis
       - Open alternative: SURBL – Bill Stearns’ URL blacklist
       - Real-time query performance issues
     - RBLs
       - Spamhaus – only list with minimal false positives
     - SpamAssassin
       - Rules updates
     - SPF
     - Rate control/throttling
     - Virus scanning
       - Several fairly good open source solutions…
       - No one solution catches all…
       - Combine them
  12. Anti-Spam Technologies (Cont.)
     - Bayesian
       - International charsets
         - IBM’s ICU library very efficient
         - Token chaining crucial
       - Per-user Bayes very important
       - Noise reduction very helpful
       - Pro: most proactive anti-spam technique
       - Con: troubleshooting is usually a nightmare!
       - Make user classification easy
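An added example, not code from the talk or from Barracuda, showing why the slide calls token chaining crucial: a small Graham/Robinson-style Bayesian scorer (my choice of combining rule) whose tokenizer emits chained bigram tokens next to single words and drops digits and punctuation as a simple form of noise reduction. The training corpus is constructed so that "free" and "money" appear in every ham and spam message, so only the chained token separates the classes.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[^\W\d_]{2,}")  # letters only (any script); digits/punctuation are noise
def tokens(text, chain=True):
    # Word tokens plus chained bigrams ('free*money'): a phrase is evidence its words are not.
    words = TOKEN_RE.findall(text.lower())
    out = set(words)
    if chain:
        out.update(a + "*" + b for a, b in zip(words, words[1:]))
    return out

class Bayes:
    def __init__(self, chain=True):
        self.chain = chain
        self.count = {True: Counter(), False: Counter()}  # is_spam -> token -> messages seen in
        self.total = {True: 0, False: 0}                  # is_spam -> messages trained
    def train(self, text, is_spam):
        self.count[is_spam].update(tokens(text, self.chain))
        self.total[is_spam] += 1
    def token_prob(self, tok):
        # P(spam | token), damped toward 0.5 for tokens seen only a few times.
        s = self.count[True][tok] / max(self.total[True], 1)
        h = self.count[False][tok] / max(self.total[False], 1)
        if s + h == 0:
            return None  # never trained on: no evidence either way
        n = self.count[True][tok] + self.count[False][tok]
        return (0.5 + n * s / (s + h)) / (1 + n)
    def score(self, text, top=15):
        # Combine the most decisive tokens in log space to avoid underflow.
        probs = [p for p in map(self.token_prob, tokens(text, self.chain)) if p is not None]
        probs = sorted(probs, key=lambda p: abs(p - 0.5), reverse=True)[:top]
        if not probs:
            return 0.5
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1 - p) for p in probs)
        return 1 / (1 + math.exp(log_ham - log_spam))

# Constructed training data: every ham message also contains "free" and "money",
# just never adjacent, so only the chained token free*money separates the classes.
SPAM = ["claim your free money now", "free money waiting for you", "get free money today"]
HAM = ["the money report is free on friday", "free coffee and the money transfer arrived",
       "money for the free training budget"]

def trained(chain=True):
    clf = Bayes(chain)
    for is_spam, corpus in ((True, SPAM), (False, HAM)):
        for msg in corpus:
            clf.train(msg, is_spam)
    return clf
```

With chaining, `trained().score("free money")` comes out at 0.875; without it the same words carry no evidence at all and the score is exactly 0.5.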
  13. Controversial Anti-Spam Techniques
     - Graylisting
       - Pro: very effective at blocking spam
       - Con: potentially delays all messages from new senders by several hours
       - Con: spammers know how to defeat it, but most don’t yet
     - Tarpitting
       - Pro: effective at slowing down dictionary attacks
       - Con: will bury a busy system if a process or thread is required per connection.
     - Challenge-response
       - Increases internet chatter
       - Unless linked to outbound SMTP, can lead to “deadlock”
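An added example (mine, not from the talk) of the graylisting decision described above, keyed on the usual (client IP, envelope sender, envelope recipient) triplet. The temporary failure is returned during the SMTP dialogue, in line with the "reject rather than bounce" rule from slide 8, and the delay, expiry and whitelist lifetimes are assumed values chosen for illustration.

```python
import time

class Greylist:
    """Triplet greylisting: the first attempt from an unknown triplet is deferred
    with a temporary SMTP failure; a retry after `delay` seconds is accepted and
    the triplet is remembered. Legitimate MTAs retry; the cost is the delay on
    first contact, which is the slide's main objection. Timings are assumed."""

    def __init__(self, delay=300, expire=36 * 3600, ttl=36 * 24 * 3600):
        self.delay = delay      # earliest retry that is accepted (seconds)
        self.expire = expire    # unretried triplets are forgotten after this
        self.ttl = ttl          # accepted triplets stay accepted this long
        self.pending = {}       # triplet -> time of first attempt
        self.passed = {}        # triplet -> time of last accepted delivery

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply to give at RCPT TO time: 450 defers, 250 accepts."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        last = self.passed.get(key)
        if last is not None and now - last < self.ttl:
            self.passed[key] = now              # refresh the whitelist entry
            return "250 OK"
        first = self.pending.get(key)
        if first is None or now - first > self.expire:
            self.pending[key] = now             # new (or stale) triplet: start over
            return "450 4.7.1 Greylisted, please try again later"
        if now - first < self.delay:
            return "450 4.7.1 Greylisted, please try again later"
        del self.pending[key]                   # retried after the delay: let it through
        self.passed[key] = now
        return "250 OK"
```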
  14. DNS MX Records
     - Example MX record
     - MX preference = 10, mail exchanger =
     - MX preference = 10, mail exchanger =
     - SMTP is great for load-balancing/failover
       - Put as many systems as you like at the same “preference” and all known clients will round-robin until they find an available system
       - DON’T LEAVE YOUR MAIL SERVER AS A BACKUP MX FOR YOUR SPAM FILTER!! Spammers will attack it directly
  15. Phishing
     - No link should ever say that it is HTTPS in a message and then actually link to a non-HTTPS page
     - Relatively small list of known scams – fairly easy to keep up with if you have a good sample of email. It is worth the effort.
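An added example, not from the talk, implementing the HTTPS rule on the slide as a check over an HTML message body: every anchor whose visible text claims `https://` but whose real `href` is not HTTPS is reported. It also goes one step beyond the slide and flags a visible URL whose host differs from the host actually linked; the sample body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_https_mismatches(html):
    """Return (visible text, real target) for links that claim HTTPS in their
    text but point at a non-HTTPS URL, or show one host and link to another."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for href, text in collector.links:
        shown = text.lower()
        if "https://" not in shown:
            continue  # the link makes no HTTPS claim, so the rule does not apply
        target = urlparse(href.strip())
        shown_host = urlparse(shown).hostname if shown.startswith("https://") else None
        if target.scheme != "https" or (shown_host and target.hostname != shown_host):
            hits.append((text, href))
    return hits

# Constructed sample body: one honest link, one scheme mismatch, one host mismatch.
SAMPLE = ('<p>Please <a href="http://198.51.100.7/login">https://bank.example.com/login</a> '
          'or <a href="https://bank.example.com/">https://bank.example.com/</a> '
          'or <a href="https://198.51.100.7/x">https://bank.example.com/</a>.</p>')
```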
  16. Quarantine
     - Effective tool for reducing “false positives” while increasing catch rate.
     - Best if integrated with directory services so that a user with multiple email addresses only has one quarantine box.
     - No perfect open-source solution:
       - Need web interface
       - Should send daily digest
  17. Per-User Settings
     - Major reduction in administration if users can update personal allow/block lists, passphrases, etc.
     - Again, best when integrated with directory services.
     - User interface issues.
  18. System Considerations
     - Databases:
       - Most open source databases are great for low-volume, general purpose applications.
       - In high load situations they all break down – specialized databases become necessary.
     - High availability
       - Syncing of configurations (metadata)
       - Syncing of quarantine information (data)
  19. System Considerations (Cont.)
     - Hard drives
       - Typical drives will last 6-12 months under a constant and steady mail load.
       - Use RAID
       - Turn off write cache (hdparm)
     - Filesystems
       - Use a journaling filesystem
         - Ext3: slow, but robust
         - XFS/ReiserFS: faster, but less robust
         - Mount with synchronous I/O (sync)
  20. Fighting Spam Can Be Effective
     - False positives are not acceptable or necessary.
     - Keep your spam rules and virus definitions up to date.
     - Reduce your administration load and false positives/negatives by giving control to your users through personal settings and quarantine.
  21. Q/A