An Effective Spam Protection System
Wael Alnemer
100416646
Introduction : What would you do to stop spam?
Before :
Firewalls have basic rules. Job is done.
Internal network? Why should I care, spam is coming from outside.
Software : maybe Windows Server / Exchange, or Linux / SpamAssassin ... does it make any difference?
Imagine : you are responsible for protecting a small business network against spam.
Diagram : an Exchange Server sitting behind an internal firewall and an external firewall.
Introduction : Think again
Wait ... have you thought of:
Budget? Maybe they can't afford your solution.
Content-based filter limitations (e.g., SpamAssassin)?
Spam is not always just an unsolicited message; it can carry malware as well.
Hardware and other resource limitations?
Is your solution itself secured?
Network infrastructure? Maybe the environment is heterogeneous.
Do you know that your opponents have successfully hacked organizations far bigger than yours (e.g., Sony Pictures Entertainment)?
Job is NOT done.
Introduction : Strategic Planning
Don't surrender. Change your approach.
Strategic plan : set goals, then determine the actions required to achieve those goals, and mobilize whatever resources are within your sphere of control to execute them.
The heart of your defense strategy should be based on knowing your opponents' techniques, intentions, maneuvers and tricks.
Gathering information about your enemy
You can learn about them from different resources:
Honeypot / honeynet projects (www.honeynet.org)
Security labs (e.g., Kaspersky Lab, OpenDNS Security Labs)
Research papers, e.g., C. Dietrich, C. Rossow, F. Freiling, H. Bos, M. van Steen and N. Pohlmann, "On Botnets that use DNS for Command and Control"
A cybercriminal takes up to 20 different measures to hide his identity.
Figure : screenshot of a captured bot session from a honeypot (text not legible in the slide).
Increase the rate of readiness
It's not a matter of if you're going to be compromised; the real questions are when, and how long it takes you to notice.
The best strategy to prepare for a cyber-attack is to eliminate the element of surprise.
Why use SpamAssassin as the first line of defense, when 75% of all spam could easily be dismissed by an ACL?
Why use Windows as the platform for your defenses, when statistically the majority of malware was designed to exploit Windows vulnerabilities?
Why not use high port numbers, wherever possible, to hide our services from being detected? (Caveat : this is obscurity, not protection. Inbound MX delivery still has to listen on port 25, and a port scan finds a service on any port; moving submission and management services off default ports only cuts down on opportunistic noise.)
The whole picture
Diagram : a feedback loop between resources (ethical hacking, security tools, new ideas, security labs, honeypot research, hot-fixes, patches and updates) and their benefits and practical usage (security policy, increased protection, discovered security holes, rearranged priorities, effective investigation, experience, logs/audit, debugging).
Background: SMTP
SMTP (Simple Mail Transfer Protocol) is a text-based protocol in which a mail sender communicates with a mail receiver by issuing commands.
If you think SMTP is inherently insecure, you are right.
Conceived in 1982 (RFC 821). Today we use Extended SMTP (ESMTP), RFC 2821 (since superseded by RFC 5321).
Simple, so it can be deployed at huge scale and on various platforms.
To put it simply : no SMTP = no email.
Sample session (from Thunderbird, or by hand with telnet exim.mailexample.out 25); the text in parentheses is the slide's gloss on each reply:
Session initiation
    S: 220 exim.mailexample.out ESMTP                 (Hello)
Client initiation
    C: EHLO <client hostname>                         (Hello, I support service extension requests)
    S: 250 ...                                        (This is a list of my services)
Mail transactions
    C: MAIL FROM:<wael@mailexample.out>
    S: 250 OK
    C: RCPT TO:<Admin@mailexample.out>
    S: 250 Accepted
    C: DATA
    S: 354 Start mail input; end with <CRLF>.<CRLF>
    C: Hello, blah blah blah.
    C: .
    S: 250 OK
Session termination
    C: QUIT
    S: 221 mailexample.out Service closing transmission channel
Email delivery network
Diagram : MUA -> (SMTP, port 587) -> MSA/MTA -> (SMTP, port 25, across the Internet; the next hop is found from the recipient domain's MX records via DNS on port 53) -> MTA -> MDA -> MUA.
Mail User Agent (MUA)
Mail Submission Agent (MSA)
Mail Transfer Agent (MTA)
Mail Delivery Agent (MDA)
TCP port 587 was dedicated to SMTP mail submission (RFC 6409).
Many ISPs block outbound port 25 as part of an effort to reduce the amount of spam sent through their networks.
SMTP authentication
Diagram : Exim on Linux/Ubuntu (PAM, SASL, LDAP, NSS, Kerberos 5, all fronted by SSSD) against a Windows domain controller (Active Directory: KDC, LDAP, users, enterprise SubCA). (1) SMTP session, AUTH : credentials are checked against AD over an LDAP/TLS bind. (2) RCPT TO : the recipient's existence is verified through SSSD, which holds a keytab and is delivered a Kerberos service ticket to access LDAP as a service. AD SIDs are mapped to UID/GID.
SMTP authentication is based on the SASL (Simple Authentication and Security Layer) framework, RFC 4422.
Authentication mechanisms supported by SASL:
PLAIN and LOGIN : credentials are only base64 encoded, not encrypted, so they must only be offered once TLS is up.
CRAM-MD5 : RFC 2195.
GSSAPI : geared for Kerberos V5, RFC 4752.
Common implementations : Cyrus SASL and GNU SASL.
In this project we deployed LDAP/TLS against AD (1), and the System Security Services Daemon (SSSD) to verify the recipient's existence (2).
SMTP with TLS
Two ways to get TLS on the session:
STARTTLS (explicit TLS, negotiated on the same port)
    Session initiation
    S: 220 ...                        (Hello)
    Client initiation
    C: EHLO ...                       (Hello, I support service extension requests)
    S: 250 ...                        (This is a list of my services, including STARTTLS)
    C: STARTTLS
    S: 220 Go ahead
    -- TLS handshake; the connection is now encrypted --
    C: EHLO ...                       (repeated inside TLS)
    S: 250 ...                        (This is a list of my services, now including AUTH)
    C: AUTH LOGIN
    Mail transactions follow.
SMTPS (implicit TLS on port 465; e.g. Thunderbird set to port 465, or stunnel exim.mailexample.out 465)
    TCP session establishment, then the TLS handshake immediately
    S: 220 ...
    C: EHLO ...
    S: 250 ...                        (This is a list of my services)
    C: AUTH LOGIN
    Mail transactions follow.
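The point of the two TLS flows above, and of the remark that PLAIN and LOGIN are only base64 encoded, is what an on-path observer gets when a client authenticates before the handshake. The following is an added example (not code from the presentation): it replays a captured client/server dialogue and decodes any PLAIN or LOGIN credentials that were sent in the clear. The two transcripts, the client host name, the user "wael" and the password are constructed; only exim.mailexample.out comes from the slides.

```python
from __future__ import annotations
import base64


def b64(s: str) -> str:
    """base64 helper used to build the constructed transcripts below."""
    return base64.b64encode(s.encode()).decode()


def decode_auth_plain(payload: str) -> tuple[str, str, str]:
    """AUTH PLAIN carries base64("authzid NUL authcid NUL password") (RFC 4616)."""
    authzid, authcid, password = base64.b64decode(payload).decode().split("\x00")
    return authzid, authcid, password


def decode_auth_login(user_b64: str, pass_b64: str) -> tuple[str, str]:
    """AUTH LOGIN sends the username and the password as two separate base64 lines."""
    return base64.b64decode(user_b64).decode(), base64.b64decode(pass_b64).decode()


def _record(report: dict, mech: str, creds: tuple) -> None:
    # Anything sent before the TLS handshake is readable by an on-path observer.
    if not report["tls"]:
        report["cleartext_credentials"].append((mech, *creds))


def audit_session(transcript: list[str]) -> dict:
    """Replay an "S:"/"C:" dialogue and report what crossed the wire unencrypted.

    Tracks the extensions in the last EHLO reply, whether STARTTLS completed,
    whether AUTH was advertised on the cleartext channel, and decodes any
    PLAIN/LOGIN credentials the client sent before TLS was up.
    """
    report = {"extensions": [], "tls": False,
              "auth_offered_in_clear": False, "cleartext_credentials": []}
    in_ehlo_reply = greeting_pending = starttls_sent = False
    state = None                # None | "plain" | "login_user" | "login_pass"
    login_user = ""
    for line in transcript:
        side, _, text = line.partition(":")
        text = text.strip()
        if side == "S":
            if in_ehlo_reply and text.startswith("250"):
                if greeting_pending:                # "250-host Hello ..." line
                    greeting_pending = False
                elif len(text) > 4:
                    ext = text[4:].split()[0].upper()
                    report["extensions"].append(ext)
                    if ext == "AUTH" and not report["tls"]:
                        report["auth_offered_in_clear"] = True
                if text[3:4] == " ":                # "250 X" closes the multi-line reply
                    in_ehlo_reply = False
            elif starttls_sent and text.startswith("220"):
                report["tls"] = True                # TLS handshake happens here
                starttls_sent = False
            continue
        upper = text.upper()
        if upper.startswith("EHLO"):
            in_ehlo_reply = greeting_pending = True
            report["extensions"] = []               # EHLO is repeated after STARTTLS
        elif upper == "STARTTLS":
            starttls_sent = True
        elif upper.startswith("AUTH PLAIN"):
            parts = text.split()
            if len(parts) == 3:                     # initial response on the AUTH line
                _record(report, "PLAIN", decode_auth_plain(parts[2])[1:])
            else:
                state = "plain"
        elif upper == "AUTH LOGIN":
            state = "login_user"
        elif state == "plain":
            _record(report, "PLAIN", decode_auth_plain(text)[1:])
            state = None
        elif state == "login_user":
            login_user, state = text, "login_pass"
        elif state == "login_pass":
            _record(report, "LOGIN", decode_auth_login(login_user, text))
            state = None
    return report


# Constructed transcript: AUTH LOGIN on a port-25 session that never ran STARTTLS.
CLEARTEXT_SESSION = [
    "S: 220 exim.mailexample.out ESMTP Exim",
    "C: EHLO laptop.mailexample.out",
    "S: 250-exim.mailexample.out Hello laptop.mailexample.out [192.0.2.10]",
    "S: 250-SIZE 52428800",
    "S: 250-AUTH PLAIN LOGIN",
    "S: 250 HELP",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",            # base64("Username:")
    "C: " + b64("wael"),
    "S: 334 UGFzc3dvcmQ6",            # base64("Password:")
    "C: " + b64("s3cret"),
    "S: 235 Authentication succeeded",
    "C: QUIT",
    "S: 221 exim.mailexample.out closing connection",
]

# Constructed transcript: the same login done properly, AUTH only after STARTTLS.
TLS_SESSION = [
    "S: 220 exim.mailexample.out ESMTP Exim",
    "C: EHLO laptop.mailexample.out",
    "S: 250-exim.mailexample.out Hello laptop.mailexample.out [192.0.2.10]",
    "S: 250-STARTTLS",
    "S: 250 HELP",
    "C: STARTTLS",
    "S: 220 TLS go ahead",
    "C: EHLO laptop.mailexample.out",
    "S: 250-exim.mailexample.out Hello laptop.mailexample.out [192.0.2.10]",
    "S: 250-AUTH PLAIN LOGIN",
    "S: 250 HELP",
    "C: AUTH PLAIN " + b64("\x00wael\x00s3cret"),
    "S: 235 Authentication succeeded",
    "C: QUIT",
    "S: 221 exim.mailexample.out closing connection",
]

if __name__ == "__main__":
    print(audit_session(CLEARTEXT_SESSION))
    print(audit_session(TLS_SESSION))
```

For the first transcript the report shows AUTH advertised on the cleartext channel and the recovered pair ("LOGIN", "wael", "s3cret"); for the second, TLS is up before AUTH is ever advertised and nothing is recovered. The check to make on a real Exim is the same: the pre-STARTTLS EHLO reply must not list AUTH at all (Exim's auth_advertise_hosts with a condition on tls_in_cipher does exactly that).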
Certification Authority
Diagram : TCP session establishment between client and server, with the server certificate chained to the CA.
The certificates in this project were issued by a private Microsoft CA hierarchy (stand-alone Root CA, enterprise Subordinate CA); only the root certificate is self-signed.
The certificates were used to establish SMTP-TLS and LDAP-TLS.
A client's OS has no way to verify a certificate chained to a private root, so trust must be established in advance by importing the root CA certificate into the client machine's trust store (importing the server certificate itself also works, but has to be repeated every time that certificate is renewed).
Spamming Methods
A botnet is a group of compromised computers (bots), exploited without their owners realizing that their computers are performing additional tasks, under the command and control of a malicious botmaster.
80% of all spam in 2010 was sent from botnets.
Other cybercriminal techniques are not trivial, but they are less critical.
The botnet is the most vicious technology at the cybercriminal's disposal.
Botnets are a very serious security issue; almost all governments have shown profound concern about them.
Botnet threats
Diagram : the botmaster accesses the C&C server, which relays his commands to the bots; the bots are then used as:
(1) a platform for collecting sensitive information : personal identities, credit cards, bank information;
(2) a platform for information dispersion : distributing spam and launching DoS attacks;
(3) a platform for other purposes : click fraud.
Botnet topology and protocols
Botnet topology :
Centralized : the bot needs C&C server(s) to establish reliable channels and receive its commands from them.
Distributed (peer-to-peer) : no dedicated C&C server; each bot acts as both client and server.
Botnet protocols : Internet Relay Chat (IRC), HTTP and DNS (the first fully DNS-based botnet was discovered in 2011).
Why these protocols : they exploit already established infrastructure, camouflage the bots' genuine intentions, and are difficult to detect, vanishing easily into everyday traffic.
Eggdrop was the first bot, developed in 1993 with good intentions (IRC channel management).
Typical Bot Life Cycle
Diagram : bot software, DNS server, C&C server (IRC or HTTP) and botmaster.
(1) Scan to discover and exploit a vulnerable host.
(2) Download and install a copy of the bot software.
(3) DNS lookup to locate the C&C server.
(4) Declare its readiness to the C&C.
(5) The botmaster sends his commands to the C&C server.
(6) The C&C server forwards the commands to all bots.
Fast-Flux Service Networks : Botnet Facilitator
FFSNs are used to hide the real source of bogus websites, and even the real IP address of the C&C.
Diagram : a victim and its DNS resolver, the .ca root, ns.ouit.ca (authoritative for ouit.ca), a pool of flux agents/proxies (67.10.117.xxx, 66.229.133.xxx, 74.67.113.xxx, 70.244.2.xxx; IP 1 to IP 4) and, behind them, the botmaster's control center and the real web server.
(1) The victim asks for the IP address of the DNS server responsible for ouit.ca.
(2) The resolver obtains the IP address of ns.ouit.ca.
(3) It asks the authoritative DNS for the IP address of the bogus FstFx.ouit.ca.
(4) The returned IP address belongs to one of the flux agent pool, with a very short TTL.
(5) The victim initiates communication with the alleged web server through the proxy (flux agent).
(6) The flux agent requests the contents of FstFx.ouit.ca from the real web server.
(7) The flux agent relays the response from the genuine web server back to the victim.
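The traits the diagram above relies on (a very short TTL and answers drawn from a pool of unrelated hosts) are also what a resolver-side check can look for. The following is an added example and not part of the presentation: it scores a series of DNS answers for one name and flags the fast-flux pattern. The lookups are constructed (the slide's truncated agent addresses are not filled in; documentation ranges are used instead), /16 prefix diversity stands in for the ASN diversity a real detector would resolve, and the thresholds are my own simple heuristic, not a published detector.

```python
import ipaddress


def flux_indicators(lookups):
    """lookups: [(ttl_seconds, [ip, ...]), ...] from repeated queries of one name."""
    ips = {ip for _, answers in lookups for ip in answers}
    # Offline stand-in for ASN diversity: how many unrelated /16s the pool spans.
    prefixes = {ipaddress.ip_network(ip + "/16", strict=False) for ip in ips}
    min_ttl = min(ttl for ttl, _ in lookups)
    # How often the answer set changed between consecutive lookups.
    changes = sum(set(a) != set(b) for (_, a), (_, b) in zip(lookups, lookups[1:]))
    return {"unique_ips": len(ips), "unique_prefixes": len(prefixes),
            "min_ttl": min_ttl, "answer_changes": changes}


def looks_fast_flux(lookups, max_ttl=300, min_ips=5, min_prefixes=3):
    """Short TTL plus many addresses spread over unrelated networks: a flux-agent pool.

    A legitimate round-robin also has a short TTL and several addresses, but they
    sit in one operator's network, so the prefix-diversity test separates the two.
    """
    i = flux_indicators(lookups)
    return (i["min_ttl"] <= max_ttl and i["unique_ips"] >= min_ips
            and i["unique_prefixes"] >= min_prefixes)


# Constructed answers for FstFx.ouit.ca: TTL 120 s, rotating pool across three networks.
FLUX_LOOKUPS = [
    (120, ["192.0.2.10", "198.51.100.20", "203.0.113.30"]),
    (120, ["192.0.2.11", "198.51.100.20", "203.0.113.31"]),
    (120, ["192.0.2.12", "198.51.100.21", "203.0.113.30"]),
]
# Constructed answers for an ordinary load-balanced site: short TTL, one /24.
ROUND_ROBIN = [(300, ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"])] * 3
# Constructed answers for a static host.
STATIC = [(3600, ["203.0.113.5"])] * 3

if __name__ == "__main__":
    for name, lookups in [("FstFx.ouit.ca", FLUX_LOOKUPS),
                          ("round-robin", ROUND_ROBIN), ("static", STATIC)]:
        print(name, flux_indicators(lookups), looks_fast_flux(lookups))
```

Run on the constructed data only FstFx.ouit.ca trips the check (seven addresses over three prefixes, TTL 120, answer changing on every lookup); the round-robin name has the short TTL but only one prefix, and the static host fails on every count.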
Anti-spam measures
Many different anti-spam measures have evolved over the years:
Laws and regulations (e.g., Canada's Anti-Spam Law (CASL))
Behavioral measures
Economic measures
Technological measures
The technological approach to fighting spam:
Content-based filters (e.g., SpamAssassin)
Network-level anti-spam techniques (e.g., the mailbox dispatcher)
Mailbox dispatcher
There are three lists in the mailbox dispatcher: blacklist, whitelist and greylist.
Blacklists :
Come in many forms; when they are DNS-based they are called Domain Name System Blacklists (DNSBLs).
The data is distributed to MTAs by a specific provider (e.g., Spamhaus) and queried like any other DNS record.
The DNS returns a specific A record if the host is in the list (e.g., Spamhaus returns 127.0.0.2); no record means the host is not listed.
Greylist :
Is temporary in nature.
Has two time-out settings: a minimum delay before a retry is honoured, and a lifetime after which an un-retried record is dropped. Any sender who retries too soon, or does not retry at all within the lifetime, is refused.
Mailbox dispatcher : process summary
Flowchart :
Is the sender on the blacklist? Yes -> reject.
Is the sender on the whitelist? Yes -> accept delivery.
Is the sender on the greylist? No -> add the sender to the greylist and reject temporarily (ask the sender to try again later).
Yes -> check the time passed since the last attempt:
    too soon -> ask the sender to try again later;
    no retry within the time limit (record expired) -> treat the sender as unknown again: re-add to the greylist and reject temporarily;
    otherwise -> accept delivery.
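The decision chain above, and the DNSBL and greylist behaviour described before it, as an added example (not the presentation's own dispatcher): a small dispatcher that answers each RCPT TO with an SMTP code, keeps greylist triplets in SQLite, and turns a DNSBL answer into a verdict. The slides name a LiteSQL database; SQLite here is an assumption. The DNSBL answer is passed in as a parameter so the code runs offline; a real deployment would resolve the name built by dnsbl_query_name() (the zone zen.spamhaus.org and all addresses below are constructed inputs).

```python
import ipaddress
import sqlite3

MIN_RETRY = 5 * 60           # first timeout: a retry sooner than this is refused
RECORD_LIFETIME = 12 * 3600  # second timeout: no retry within this drops the record


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the list zone: 192.0.2.7 -> 7.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(answer) -> bool:
    """A DNSBL signals 'listed' with a 127.0.0.x A record; no answer (None) means clean."""
    return (answer is not None
            and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"))


class Dispatcher:
    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = set(whitelist)     # known resenders / trusted hosts
        self.blacklist = set(blacklist)     # local blacklist, alongside the DNSBL
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE greylist (ip TEXT, sender TEXT, rcpt TEXT, "
                        "first_seen INTEGER, PRIMARY KEY (ip, sender, rcpt))")

    def decide(self, ip, sender, rcpt, now, dnsbl_answer=None):
        """Return (smtp_code, text) for one RCPT TO, following the dispatcher flowchart."""
        if ip in self.blacklist or dnsbl_listed(dnsbl_answer):
            return 550, "rejected: sending host is blacklisted"
        if ip in self.whitelist:
            return 250, "accepted: sending host is whitelisted"
        row = self.db.execute(
            "SELECT first_seen FROM greylist WHERE ip=? AND sender=? AND rcpt=?",
            (ip, sender, rcpt)).fetchone()
        if row is None:
            # Unknown triplet: record it and ask the sender to come back later.
            self.db.execute("INSERT INTO greylist VALUES (?,?,?,?)", (ip, sender, rcpt, now))
            return 451, "greylisted: try again later"
        elapsed = now - row[0]
        if elapsed < MIN_RETRY:
            return 451, "retry too soon: try again later"
        if elapsed > RECORD_LIFETIME:
            # No retry within the lifetime: the record expired, start over.
            self.db.execute("UPDATE greylist SET first_seen=? WHERE ip=? AND sender=? AND rcpt=?",
                            (now, ip, sender, rcpt))
            return 451, "greylist record expired: try again later"
        # A host that retried like a real MTA earns a place in the resender list.
        self.whitelist.add(ip)
        return 250, "accepted: retry arrived within the greylist window"


if __name__ == "__main__":
    d = Dispatcher(whitelist={"198.51.100.5"}, blacklist={"203.0.113.9"})
    print(dnsbl_query_name("192.0.2.7", "zen.spamhaus.org"))
    print(d.decide("192.0.2.7", "a@example.net", "admin@mailexample.out", now=1000))
    print(d.decide("192.0.2.7", "a@example.net", "admin@mailexample.out", now=1900))
```

Two design points the flowchart leaves implicit: the greylist key is the (host, sender, recipient) triplet, so a spammer rotating sender addresses never accumulates a successful retry, and the whitelist is keyed by host only, which is what makes a "known resenders" list cheap to maintain but also means it must be fed only by hosts that actually completed a retry, never by a sender address alone.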
Content-based filter
Signature-based filter
Works like anti-virus software: assigns a signature to well-known spam.
The signature is a unique identifier obtained by assigning a value to each character in the email and totalling the values, creating the spam signature (a plain checksum, so a spammer defeats it by changing a single character in each copy).
Bayesian filtering
Scans the contents of each message for words, phrases and formats common to spammers, and assigns a score.
It is forward-looking: it can predict whether an email is spam based on probability.
The fewer emails that reach the filter for inspection, the longer it needs to build its own database and become effective.
Exim Access Control Lists
After the firewall, Exim Access Control Lists (ACLs) are the first line of defense in our attempt to fight spam.
They might be considered the most sophisticated and flexible mechanism for real-time SMTP filtering, though an ACL is more a firewall-like set of rules than a filter governed by probabilities or signatures.
With ACLs we can force the spammer to obey the rules.
When string expansions are combined with ACLs, the result is a powerful weapon against spammers.
String expansion requires familiarity with regular expressions (Perl-style, as also used in JavaScript).
The main idea of ACLs is to control Exim's behavior when it receives certain SMTP commands.
ACL structure
An ACL is attached to an SMTP command through a predefined variable: acl_smtp_connect, acl_smtp_helo, acl_smtp_auth, acl_smtp_rcpt, acl_smtp_data (e.g., acl_smtp_rcpt = RCPT_acl).
Each ACL is a sequence of statements, and each statement is an action verb followed by conditions and modifiers:
Action verbs : accept, deny, discard, drop, require, defer, warn.
Conditions : authenticated, domains, dnslists, verify, ...
Modifiers : control, delay, message (error messages), log_message (log messages), and the special variables $acl_c... and $acl_m... (connection- and message-scoped).
String expansions : expansion items (${lookup ..., ${hmac ..., ${certextract ..., ${filter ...), expansion operators (${base62:<digits>}, ${domain:<string>}, ${md5:<string>}, ${randint:<n>}), expansion conditions (isip {<string>}, ge {<string1>}{<string2>}, def:<variable name>, match {<string1>}{<string2>}) and expansion variables ($domain, $home, $host, $interface_address).
Sample statement (an action verb followed by its conditions and a modifier):
    deny
      domains = *.dom.example
      ! verify = recipient
      message = can't verify recipient
Chart : ACL complexity grows with the number of ACL statements.
System objectives
(1) The email system should be able to eliminate spam.
(2) The email system should work properly under pressure and heavy network traffic.
(3) The email system should handle a large volume of traffic with minimum delay.
(4) The email system should be simple in design, affordable, yet resilient and easy to maintain.
(5) The email system should be heterogeneous.
(6) And finally, the email system itself should be protected against viruses and misuse.
First and second objectives
Diagram : the hybrid anti-spam filter. Inbound SMTP session -> Exim ACL (blacklist check, then whitelist and greylist via the mailbox dispatcher, backed by a LiteSQL database holding the greylisted-mail DB and the known-resenders DB; the greylist is triggered by an unknown sender) -> pipe transport to the spam filter (SpamAssassin: spam positive?) and the virus scanner (virus positive?) -> next stage in mail delivery.
Why were the anti-virus and the other content-examining filters pushed to the final stage?
Content-based filters (e.g., SpamAssassin) are memory hogs and consume a lot of CPU and time.
Putting the network-level checks first dramatically reduces the number of messages SpamAssassin (or any content examiner) has to inspect, and with it the number of false positives it generates.
The ACL is a lightweight network-level anti-spam countermeasure; together with the other network-level techniques it rejects the majority of the spam without consuming a lot of system resources.
Because of SpamAssassin's high resource consumption, exposing it directly to inbound traffic would leave the system vulnerable to a DoS attack.
Third objective
Diagram : the Exim ACL triggers the mailbox dispatcher's greylist, backed by the LiteSQL greylisted-mail DB and known-resenders DB.
Greylisting is responsible for most of the delay. Two ways to reduce it:
Be less restrictive by triggering greylisting less often (caution : unknown senders will then effectively be whitelisted).
Maintain a resender database listing the hosts known to retry sending (caution : a tedious job).
Fourth and fifth objectives
Unfortunately, it's difficult to design a network that is simultaneously simple and heterogeneous (e.g., SSSD, OpenLDAP, Kerberos).
It's not easy to design an affordable network without reducing the effectiveness of the fight against spam, especially on the home front.
Why does the network have to be heterogeneous in the first place? Our design consists of two important parts:
Internal network : MS Exchange is very popular and widely used for intranets.
DMZ : taking advantage of Exim's Internet-gateway capabilities, flexibility and ACLs.
Linux is free software, and Linux servers are more customizable than MS servers.
Microsoft is more customer-support oriented, and MS Windows servers are easier to install and configure.
Sixth objective
Linux is highly customizable; the kernel can be built to support only the tasks related to the mail service, giving better protection and a smaller TCB (Trusted Computing Base).
Update Exim regularly with the latest releases and patches (e.g., the Exim 4.32 header_syntax function buffer overflow).
System Architecture
Diagram : the network is resembled by three virtual machines (VM 1, VM 2, VM 3) on two subnets separated by the internal firewall, the external firewall (iptables, 192.168.8.150) and a router.
Internal network, 192.168.1.0/24 (192.168.1.10, 192.168.1.20) : Windows Server 2012 domain controller with Active Directory (KDC, LDAP, users), DNS server, stand-alone Root CA and enterprise SubCA, Routing and Remote Access Service and the Windows Server 2012 firewall, sharing files and services with the internal network; Exchange Server 2013.
DMZ, 192.168.8.0/24 (192.168.8.50, 192.168.8.100) : Linux/Ubuntu Exim server with SSSD (sssd_pam and sssd_nss modules), PAM, SASL, OpenLDAP client, NSS and MIT Kerberos 5 with a keytab; configuration in ldap.conf, krb5.conf, sssd.conf and exim4.conf.
Exim routers and transports : the Pass_to_SPMFlt router hands each message to the spam filter and mailbox dispatcher over a pipe transport; the Pass_to_Exchange router delivers accepted mail to the Exchange server over an SMTP transport with STARTTLS; local SMTP delivery maps AD SIDs to UID/GID.
SSSD accesses LDAP as a service, hence it requires a Kerberos service ticket, delivered by the KDC.
The SpamAssassin check does not take place inside Exim itself but as a separate and independent process.
Resembling the network with virtual machines
Testing the network infrastructure
Screenshot : the Windows domain controller validates the user's credentials.
Screenshot : SMTP instructions issued over telnet.
Testing the network infrastructure ... continued
Screenshot : successful delivery to the recipient.
Conclusion and discussion
Highlights of our approach:
The defense lines were placed to take action in sequence.
In a busy network we would give high priority to the tasks that fight spam at the network level, and spend more time updating the anti-virus at the personal level.
The functions and purposes of DNS in fighting spam would have been severely underestimated had we chosen to focus on a single anti-spam technique.
Most of the complexity comes from Linux / MS Windows interoperability; one only has to build the infrastructure once.
Questions?

More Related Content

What's hot

Vulnerability and Penetration Testing
Vulnerability and Penetration TestingVulnerability and Penetration Testing
Vulnerability and Penetration Testing
Jeffery Brown
 
DDoS attacks
DDoS attacksDDoS attacks
DDoS attacks
Ch Anas Irshad
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
Anil Antony
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Kaustubh Padwad
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques
IntruGuard
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
Security Session
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
Vitor Jesus
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question Collection
Manish Luintel
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
Ozkan E
 
Module 9 Dos
Module 9   DosModule 9   Dos
Module 9 Dos
leminhvuong
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
eroglu
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and Mitigation
Devang Badrakiya
 
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
 Distributed denial-of-service (DDoS) attack ||  Seminar Report @ gestyy.com/... Distributed denial-of-service (DDoS) attack ||  Seminar Report @ gestyy.com/...
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
Suhail Khan
 
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Ethical hacking   chapter 8 - Windows Vulnerabilities - Eric VanderburgEthical hacking   chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Eric Vanderburg
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
amiable_indian
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attacks
chris zlatis
 
DDoS Attack
DDoS AttackDDoS Attack
DDoS Attack
Gopi Krishnan S
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Professor Lili Saghafi
 
Enabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using VirtualizationEnabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using Virtualization
amiable_indian
 

What's hot (20)

Vulnerability and Penetration Testing
Vulnerability and Penetration TestingVulnerability and Penetration Testing
Vulnerability and Penetration Testing
 
DDoS attacks
DDoS attacksDDoS attacks
DDoS attacks
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question Collection
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
Module 9 Dos
Module 9   DosModule 9   Dos
Module 9 Dos
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and Mitigation
 
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
 Distributed denial-of-service (DDoS) attack ||  Seminar Report @ gestyy.com/... Distributed denial-of-service (DDoS) attack ||  Seminar Report @ gestyy.com/...
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
 
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Ethical hacking   chapter 8 - Windows Vulnerabilities - Eric VanderburgEthical hacking   chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attacks
 
DDoS Attack
DDoS AttackDDoS Attack
DDoS Attack
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
 
Enabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using VirtualizationEnabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using Virtualization
 

Similar to An Effective Spam Protection System

Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
Geoff Pesimo
 
Symantec AntiSpam Complete Overview (PowerPoint)
Symantec AntiSpam Complete Overview (PowerPoint)Symantec AntiSpam Complete Overview (PowerPoint)
Symantec AntiSpam Complete Overview (PowerPoint)
webhostingguy
 
Symantec AntiSpam Complete Overview (PowerPoint)
Symantec AntiSpam Complete Overview (PowerPoint)Symantec AntiSpam Complete Overview (PowerPoint)
Symantec AntiSpam Complete Overview (PowerPoint)
webhostingguy
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
MSA Technosoft
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking
HackingHacking
Hacking
HackingHacking
Hack the hack
Hack the hackHack the hack
Hack the hack
Shakti Ranjan
 
Protecting your business from ddos attacks
Protecting your business from ddos attacksProtecting your business from ddos attacks
Protecting your business from ddos attacks
Saptha Wanniarachchi
 
Windows network security
Windows network securityWindows network security
Windows network security
Information Technology
 
Short Term Effects Of Cocaine Essay
Short Term Effects Of Cocaine EssayShort Term Effects Of Cocaine Essay
Short Term Effects Of Cocaine Essay
Melissa Luster
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike
 
Windows network
Windows networkWindows network
Windows network
Jithesh Nair
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
Tenet Systems Pvt Ltd
 
OS Fingerprinting
OS FingerprintingOS Fingerprinting
OS Fingerprinting
Rashmika Nawaratne
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
Alexander Kot
 
Tips to prevent your email ip being blacklisted
Tips to prevent your email ip being blacklistedTips to prevent your email ip being blacklisted
Tips to prevent your email ip being blacklisted
Dryden Geary
 
VoIP Security 101 what you need to know
VoIP Security 101   what you need to knowVoIP Security 101   what you need to know
VoIP Security 101 what you need to know
Eric Klein
 
Information security & EthicalHacking
Information security & EthicalHackingInformation security & EthicalHacking
Information security & EthicalHacking
Ave Nawsh
 

Similar to An Effective Spam Protection System (20)

Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Symantec AntiSpam Complete Overview (PowerPoint)
Symantec AntiSpam Complete Overview (PowerPoint)Symantec AntiSpam Complete Overview (PowerPoint)
Symantec AntiSpam Complete Overview (PowerPoint)
 
Symantec AntiSpam Complete Overview (PowerPoint)
Symantec AntiSpam Complete Overview (PowerPoint)Symantec AntiSpam Complete Overview (PowerPoint)
Symantec AntiSpam Complete Overview (PowerPoint)
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
 
Hacking
HackingHacking
Hacking
 
Hacking
HackingHacking
Hacking
 
Hack the hack
Hack the hackHack the hack
Hack the hack
 
Protecting your business from ddos attacks
Protecting your business from ddos attacksProtecting your business from ddos attacks
Protecting your business from ddos attacks
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Short Term Effects Of Cocaine Essay
Short Term Effects Of Cocaine EssayShort Term Effects Of Cocaine Essay
Short Term Effects Of Cocaine Essay
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Windows network
Windows networkWindows network
Windows network
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
OS Fingerprinting
OS FingerprintingOS Fingerprinting
OS Fingerprinting
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
Tips to prevent your email ip being blacklisted
Tips to prevent your email ip being blacklistedTips to prevent your email ip being blacklisted
Tips to prevent your email ip being blacklisted
 
VoIP Security 101 what you need to know
VoIP Security 101   what you need to knowVoIP Security 101   what you need to know
VoIP Security 101 what you need to know
 
Information security & EthicalHacking
Information security & EthicalHackingInformation security & EthicalHacking
Information security & EthicalHacking
 

An Effective Spam Protection System

  • 1. An Effective Spam Protection System Wael Alnemer 100416646
  • 2. Introduction : What would you do to stop spam? Before : Firewalls have basic rules Job is done Internal Network, why should I care !?, spam is coming from outside Software : maybe Windows Server / Exchange or Linux/ Spamassassin ... Does it make any difference ? Imagine : you are responsible to protect a small business network against spam . Exchange Server Internal Firewall External Firewall ? ? ? ? ? ? ?
  • 3. Introduction : Think again Wait ... Have you thought of Budget ? .. Maybe they can’t afford your solution Content-based filter limitations (e.g.,Spamassassin) ? Spam is not always unsolicited message, it could carry malware as well. Hardware and other resources limitations ? Was your solution itself secured ? Network Infrastructure ? .. Maybe the environment is heterogeneous Do you know that your opponents have successfully hacked a bigger organization than yours (e.g., Sony Pictures Entertainment ) Job is NOT done ? ? ? ? ? ?
  • 4. Introduction : Strategic Planning Don’t surrender Change your Approach Strategic plan : Set goals, then determining the required actions to achieve these goals, and mobilizing whatever resource in your sphere of control to execute the actions. The heart of your defense strategy should based on knowing your opponents’ techniques, intentions, maneuvers and tricks.
  • 5. You can know about them from different resources Honeybot projects www.honeynet.org Security labs Research papers Cybercriminal takes up to 20 different measures to hide his identity. Gathering information about your enemy waelnemer alnemer alner welcome home the project must finish this time waelnemer alnemer alnemer welcome home , the fig is a little messy Kaspersky labs OpenDNS security labs C. Dietrich, C. Rossow, F. Freiling, H. Bos,M. Steen,and N. Pohlmann, ” On Botnets that use DNS for Command and Control”
  • 6. Increase the rate of readiness It’s not a matter of if you’re going to be compromised, the real questions are, when and how long it takes you to notice. The best strategy to prepare for cyber-attack, is to eliminate the element of surprise. Why use Spamassassin as first line of defense ,when 75% of all spam could easily be dismissed by ACL. Why use Windows OS as a platform for your defenses, when statistically, the majority of malware were designed to exploit Windows OS vulnerabilities. Why not using high port numbers , whenever possible, to hide our services from being detected. ? ? ?
  • 7. The whole picture Update Hot-fix Logs/Audit Debugging EthicalHackingSecuritytoolsNewideasSecurityLabsHotfix,patches andupdates SecurityPolicyIncrease Protection Discover Securityholes Rearrange Priorities Effective Investigation Experience HoneybotResearch Resources Benefitsandpracticalusage
  • 8. Background: SMTP SMTP (Simple Mail Transfer Protocol ) is a text-based protocol, in which a mail sender communicates with a mail receiver by issuing command. If you think SMTP is inherently insecure , you are right. Today Extended SMTP RFC [2821] is what we use. Conceived in 1982 RFC [821]. Simple so it can be deployed on a huge scale, and on various platforms. To put it simply : No SMTP = No email. Thunderbird / telnet exim.mailexample.out 25 Code : 220 , Hello Code : 250 , This is a list of my services EHLO : Hello, I support service extension requests DATA Hello , Blah blah blah. MAIL FROM: wael@mailexample.out Code : 250 , OK RCPT TO: Admin@mailexample.out Code : 250 , Accepted Code : 250 , OK Code : 354 , Start mail input; end with“ . ” code : 0221 mailexample.out Service closing transmission channel QUIT SessioninitiationClientInitiationMailtransactionsSessiontermination
  • 9. Email delivery network SMTP : 587 SMTP : 25 MUA MSA/MTA MTA MDA MUA SMTP : 25 SMTP : 25 SMTP : 25 MX records DNS:53 DNS Server Internet TCP port 587 was dedicated for SMTP mail submission RFC[6406] Mail User Agent (MUA) Mail Submission Agent (MSA) Mail Transfer Agent (MTA) Mail delivery Agent (MUA) Many ISP block port 25, as part of an effort to reduce the amount of spam that is sent through their networks.
  • 10. SMTP authentication Windows Domain controller ActiveDirectory Linux/Ubuntu Exim Deliver Tickets Access LDAP as a service LDAP/TLS Bind Received SMTP command SSSD KDC LDAP Users Keytab OPEN PAM SASL LDAP NSS Kerberos 5 Enterprise SubCA SIDUID,GID SMTP Auth RECP TO 2 SMTP Session 1 SMTP authentication based on SASL (Simple Authentication and Security Layer) concept RFC [4422] Authentication mechanisms supported by SASL PLAIN and LOGIN base64 encoded. CRAM-MD5 RFC [2195]. Cyrus SASL the GNU SASL. GSSAPI, geared for Kerberos V5 RFC [4752]. In this project we’ve deployed LDAP/LTS against AD. 1 2 System Security Services Daemon (SSSD) to verify the recipient’s existence.
• 11. SMTP with TLS
STARTTLS (TLS negotiated on the existing port after the session has started):
  C: EHLO (hello, I support service extension requests)
  S: 250 (this is a list of my services, including STARTTLS)
  C: STARTTLS
  S: 220 Go ahead
  [client and server negotiate a TLS-encrypted connection]
  C: EHLO (repeated over TLS; the capability list seen in the clear must be discarded)
  S: 250 (this is a list of my services)
  C: AUTH LOGIN, then the mail transaction
SMTPS (implicit TLS): Thunderbird connects to port 465 and TLS is negotiated before any SMTP command; EHLO and AUTH LOGIN then proceed as usual. In this project port 465 on exim.mailexample.out is fronted by stunnel, which terminates TLS and hands the decrypted session to Exim. (RFC 8314, published after this project, now recommends implicit TLS on 465 for submission.)
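The mechanisms named on the two slides above, as an added example that is not part of the project: the client side of PLAIN and LOGIN (to show that base64 is encoding, not protection), both sides of CRAM-MD5 (RFC 2195), and the policy that decides which mechanisms an MSA may advertise before and after TLS is up. User names, passwords and the policy are constructed; the challenge text is the example from RFC 2195 section 2.

```python
"""The SASL mechanisms SMTP AUTH uses (RFC 4422, RFC 4954): PLAIN, LOGIN, CRAM-MD5.
Added example for this page, not the project's code; user names, passwords,
the challenge and the policy are constructed for illustration."""
import base64
import hashlib
import hmac


def b64(data):
    return base64.b64encode(data).decode()


def plain_initial_response(authzid, authcid, password):
    """Client side of AUTH PLAIN: base64(authzid NUL authcid NUL password).
    Base64 is encoding, not encryption: anyone on the wire recovers the password."""
    return b64(b"\0".join(s.encode() for s in (authzid, authcid, password)))


def plain_decode(initial_response):
    """What the server, or an eavesdropper on an unencrypted session, reads back."""
    authzid, authcid, password = base64.b64decode(initial_response).split(b"\0")
    return authzid.decode(), authcid.decode(), password.decode()


def login_exchange(username, password):
    """AUTH LOGIN: two 334 prompts ('Username:' / 'Password:'), each answered in base64."""
    prompts = [b64(b"Username:"), b64(b"Password:")]
    answers = [b64(username.encode()), b64(password.encode())]
    return list(zip(prompts, answers))


def cram_md5_response(username, password, challenge_b64):
    """Client side of CRAM-MD5 (RFC 2195): base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return b64(f"{username} {digest}".encode())


def cram_md5_verify(response_b64, challenge_b64, lookup_password):
    """Server side. Recomputing the digest needs the cleartext password, which is
    the price CRAM-MD5 pays for never sending it; a fresh challenge per session
    is what stops a captured response from being replayed."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def advertised_mechanisms(tls_active):
    """Policy an MSA should apply in its EHLO reply: plaintext mechanisms only once
    STARTTLS (or implicit TLS on 465) is in place, otherwise only challenge-response."""
    return ["PLAIN", "LOGIN", "CRAM-MD5"] if tls_active else ["CRAM-MD5"]


# Constructed demo values; the challenge text is the one in RFC 2195 section 2
DEMO_CHALLENGE = b64(b"<1896.697170952@postoffice.reston.mci.net>")
DEMO_USERS = {"tim": "tanstaaftanstaaf"}
```

plain_decode(plain_initial_response(...)) gives the password straight back, which is the whole argument for the STARTTLS-before-AUTH ordering on the slide; cram_md5_verify succeeds only with the same challenge and the stored password, and fails on a replayed response against a new challenge.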
• 12. Certification Authority [Diagram: TCP session establishment against the CA server]
Certificates in this project were issued by our own Microsoft CA hierarchy (a self-signed Root CA and a Subordinate CA) and were used to establish SMTP-TLS and LDAP-TLS. A client's OS has no way to validate a certificate whose issuing root is not in its trust store, so the trust must be established in advance by importing the Root CA certificate (or, for a self-signed server certificate, that certificate itself) into the client machine's store. Without that step clients either refuse to connect or get configured to skip verification, which defeats the purpose of TLS.
• 13. Spamming methods
A botnet is a group of compromised computers (bots), exploited without their owners realizing that their machines are performing additional tasks, under the command and control of a malicious botmaster. 80% of all spam in 2010 was sent from botnets. The cybercriminals' other techniques are not trivial, but they are less critical: the botnet is the most vicious technology at a cybercriminal's disposal, and almost all governments have shown profound concern about it.
• 14. Botnet threats [Diagram: botmaster -> access -> C&C server -> commands -> bots]
Platform for collecting sensitive information: personal identities, credit cards, bank information.
Platform for information dispersion: distributing spam.
Platform for other purposes: launching DoS attacks, click fraud.
• 15. Botnet topology and protocols
Topology: (1) Centralized: each bot needs the C&C server(s) to establish a reliable channel and receive its commands. (2) Distributed: no dedicated C&C server; each bot acts as both client and server.
Protocols: (1) Internet Relay Chat (IRC): Eggdrop, the first bot, was developed in 1993 with good intentions. (2) HTTP and DNS: these exploit the already established infrastructure, camouflage their genuine intentions, are difficult to detect and easily vanish into daily traffic. The first fully DNS-based botnet was discovered in 2011.
• 16. Typical bot life cycle [Diagram: vulnerable host, bot software, DNS server, C&C over IRC or HTTP, botmaster]
1. Scan to discover and exploit a vulnerable host.
2. Download and install a copy of the bot software on it.
3. DNS lookup to find the C&C server.
4. The bot declares its readiness to the C&C server.
5. The botmaster sends his commands to the C&C server.
6. The C&C server forwards the commands to all bots.
• 17. Fast-Flux Service Networks (FFSN): a botnet facilitator [Diagram: victim, DNS resolver, .ca root and ns.ouit.ca, flux agents/proxies 67.10.117.xxx, 66.229.133.xxx, 74.67.113.xxx, 70.244.2.xxx, botmaster control center, genuine web server]
FFSNs are used to hide the real source of bogus websites, and even the real IP address of the C&C server, behind a constantly changing pool of infected proxy hosts (flux agents).
1. The victim's resolver asks the .ca root for the DNS server responsible for ouit.ca.
2. It gets the IP address of ns.ouit.ca.
3. It asks that authoritative DNS server for the IP address of the bogus host FstFx.ouit.ca.
4. The answer is an IP address belonging to one of the flux agents in the pool, with a very short TTL, so the next lookup yields a different agent.
5. The victim initiates communication with the supposed web server, which is really the proxy.
6. The flux agent requests the contents of FstFx.ouit.ca from the genuine, hidden web server.
7. The flux agent relays the response from the genuine web server back to the victim.
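Step 4 above is also what gives fast flux away from the defender's side: the same name keeps answering with different addresses under a tiny TTL. The following detector is an added example, not the project's code. It takes constructed (name, TTL, A records) observations instead of querying DNS, and the thresholds and the use of /16 prefixes as a crude stand-in for network diversity are my simplifying assumptions. It deliberately requires both a short TTL and spread across unrelated networks, because a CDN has short TTLs too but answers from its own ranges.

```python
"""Fast-flux heuristic over repeated DNS answers for a name.
Added example for this page, not the project's code. It consumes constructed
(name, ttl, A-records) observations so it runs offline; the thresholds and the
/16-prefix proxy for network diversity are simplifying assumptions."""
import ipaddress
from collections import defaultdict


def prefix16(ip):
    """Coarse network the address belongs to, e.g. 203.0.113.9 -> 203.0.0.0/16."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def summarize(observations):
    """Aggregate per name: minimum TTL, distinct IPs, distinct /16 prefixes, lookups seen."""
    agg = defaultdict(lambda: {"min_ttl": None, "ips": set(), "prefixes": set(), "lookups": 0})
    for name, ttl, ips in observations:
        rec = agg[name.lower()]
        rec["lookups"] += 1
        rec["min_ttl"] = ttl if rec["min_ttl"] is None else min(rec["min_ttl"], ttl)
        rec["ips"].update(ips)
        rec["prefixes"].update(prefix16(ip) for ip in ips)
    return agg


def classify(summary, max_ttl=300, min_ips=5, min_prefixes=3):
    """Flag a name only when the TTL is short AND the answers are spread over many
    unrelated networks; short TTL alone would also flag every CDN-hosted site."""
    verdicts = {}
    for name, rec in summary.items():
        short_ttl = rec["min_ttl"] is not None and rec["min_ttl"] <= max_ttl
        spread = len(rec["ips"]) >= min_ips and len(rec["prefixes"]) >= min_prefixes
        verdicts[name] = "fast-flux" if short_ttl and spread else "normal"
    return verdicts


# Constructed observations (documentation address ranges): three lookups per name
OBSERVATIONS = [
    ("fstfx.ouit.ca", 60, ["192.0.2.14", "198.51.100.7", "203.0.113.9"]),
    ("fstfx.ouit.ca", 60, ["203.0.113.9", "192.0.2.200", "198.51.100.88"]),
    ("fstfx.ouit.ca", 60, ["192.0.2.14", "198.51.100.121", "203.0.113.250"]),
    ("cdn.example", 30, ["198.51.100.10", "198.51.100.11"]),      # short TTL, one network
    ("cdn.example", 30, ["198.51.100.12", "198.51.100.13"]),
    ("cdn.example", 30, ["198.51.100.14", "198.51.100.15"]),
    ("www.ouit.ca", 3600, ["192.0.2.1"]),
    ("www.ouit.ca", 3600, ["192.0.2.1"]),
]


def verdicts_for(observations=OBSERVATIONS):
    return classify(summarize(observations))
```

In production the observations come from repeated resolver queries (or passive DNS logs) over a few minutes, and an AS lookup replaces prefix16; the decision logic stays the same.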
• 18. Anti-spam measures
Many different anti-spam measures have evolved over the years: laws and regulations (e.g., Canada's Anti-Spam Legislation (CASL)), behavioral measures, economic measures and technological measures. The technological approaches to fighting spam fall into content-based filters (e.g., SpamAssassin) and network-level anti-spam techniques (e.g., our mailbox dispatcher).
• 19. Mailbox dispatcher
There are three lists in the Mail Box Dispatcher: blacklist, whitelist and greylist.
Blacklists can come in many forms. When they are DNS-based they are called Domain Name System Blacklists (DNSBLs): the listing data is distributed to MTAs by a specific provider (e.g., Spamhaus) through DNS. The MTA queries the sender's reversed IP address under the list's zone, and the DNS returns a specific A record in 127.0.0.0/8 if the host is listed (e.g., Spamhaus returns 127.0.0.2 for an SBL listing); no answer (NXDOMAIN) means not listed.
Whitelist: senders or sending hosts that are accepted without further network-level checks, including hosts already known to retry.
Greylist: temporary in nature. An unknown sender is refused with a temporary (4xx) failure and told to try again later; legitimate MTAs queue and retry, most spam engines do not. It has two time-out settings: a sender that retries too soon is refused again, and a sender that does not retry within the window has its entry expire and is refused again as an unknown sender.
• 20. Mailbox dispatcher: process summary [Flowchart, rendered as steps]
1. Is the sender on the blacklist? Yes: reject.
2. Is the sender on the whitelist? Yes: accept delivery.
3. Is the sender on the greylist? No: add the sender to the greylist and reject with "try again later".
4. Yes: check the time passed since the first attempt.
   Too soon: ask the sender to try again later.
   No response for too long: the entry has expired; the sender is treated as unknown again and re-greylisted.
   Otherwise: accept delivery; the sender has proven it retries and can be recorded as a known resender.
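The two slides above put together as code, added here as an example and not the project's dispatcher: the DNSBL lookup (octet reversal, the 127.0.0.0/8 answer check) and the whitelist/blacklist/greylist decision with the two greylist timeouts. The resolver is a constructed stub so the code runs offline; the zone name, the listed address, the timeouts and the clock injection are assumptions, and resolve_a is the one function to swap for a real DNS query.

```python
"""Mailbox-dispatcher style decision: whitelist, DNSBL blacklist, greylist.
Added example for this page, not the project's dispatcher. The resolver is a
constructed stub that answers the way a DNSBL does (an A record in 127.0.0.0/8
for a listed host) so the code runs offline; zone name, timeouts and addresses
are assumptions."""
import ipaddress
import time

DNSBL_ZONE = "zen.spamhaus.org"          # assumed; any DNSBL answering in 127.0.0.0/8 works


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone: 192.0.2.5 -> 5.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


_FAKE_DNSBL = {"5.2.0.192.zen.spamhaus.org": "127.0.0.2"}   # constructed listing, SBL code


def resolve_a(name):
    """Stub A lookup: the answer string, or None for NXDOMAIN (not listed)."""
    return _FAKE_DNSBL.get(name)


def is_blacklisted(ip):
    answer = resolve_a(dnsbl_name(ip))
    if answer is None:
        return False
    # Only loopback answers count: anything else is a broken or wildcarded zone, not a listing
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


class Dispatcher:
    ACCEPT, REJECT, TEMPFAIL = "250 accept", "550 reject", "451 try again later"

    def __init__(self, min_retry=300, max_window=4 * 3600, whitelist=(), now=time.time):
        self.min_retry = min_retry           # timeout 1: a retry before this is "too soon"
        self.max_window = max_window         # timeout 2: no retry within this and the entry expires
        self.whitelist = set(whitelist)      # trusted hosts and known resenders
        self.now = now                       # injectable clock, for testing
        self.greylist = {}                   # (ip, sender, rcpt) -> time of first attempt

    def decide(self, ip, sender, rcpt):
        if ip in self.whitelist:
            return self.ACCEPT
        if is_blacklisted(ip):
            return self.REJECT
        key = (ip, sender.lower(), rcpt.lower())
        t = self.now()
        first = self.greylist.get(key)
        if first is None:                    # unknown triplet: greylist it
            self.greylist[key] = t
            return self.TEMPFAIL
        elapsed = t - first
        if elapsed < self.min_retry:         # too soon
            return self.TEMPFAIL
        if elapsed > self.max_window:        # waited too long: start over
            self.greylist[key] = t
            return self.TEMPFAIL
        # A proper retry: the host behaves like a real MTA, record it as a known resender
        self.whitelist.add(ip)
        del self.greylist[key]
        return self.ACCEPT
```

Exim would call decide() from the RCPT ACL and turn ACCEPT/REJECT/TEMPFAIL into accept, deny and defer; keying the greylist on the (IP, sender, recipient) triplet rather than the IP alone is what stops a spammer from "earning" acceptance for one recipient and then spraying the rest.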
• 21. Content-based filters
Signature-based filter: works like anti-virus software, assigning a signature to each well-known spam message. The signature described here is a checksum: a value is assigned to each character of the email and the values are totaled, giving the spam signature. Such a signature is cheap but brittle: any small change to the message produces a new signature, while unrelated messages made of the same characters in a different order collide.
Bayesian filtering: scans the contents of each message for words, phrases and formats common to spammers and assigns a score. It is forward-looking: it can predict whether an unseen email is spam, based on probabilities learned from previously classified mail. The caveat is that the filter needs volume to learn: the fewer emails that pass the earlier defenses and reach the filter for inspection, the more time the filter needs to build its own database and become effective.
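Both filters from the slide in code, as an added example that is not the project's filter: the summed-character signature, including the collision the slide's definition implies, and a naive Bayes scorer that combines per-word probabilities in log-odds space. The training corpus is constructed and tiny on purpose, which is the slide's own point about the filter needing volume.

```python
"""Two content-based checks from the slide: the summed-character signature and a
naive Bayes word scorer. Added example for this page, not the project's filter.
The training corpus is constructed and far too small for real use."""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z$]+")


def char_sum_signature(text):
    """Signature as the slide describes it: a value per character, all values totaled."""
    return sum(ord(c) for c in text)


def tokenize(text):
    return set(TOKEN.findall(text.lower()))      # word presence per message, not counts


class BayesFilter:
    def __init__(self):
        self.spam_docs = self.ham_docs = 0
        self.spam_words, self.ham_words = Counter(), Counter()

    def train(self, text, is_spam):
        words = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_words.update(words)
        else:
            self.ham_docs += 1
            self.ham_words.update(words)

    def word_spam_prob(self, word):
        """P(spam | word) from document frequencies, add-one smoothed; 0.5 when unknown."""
        s, h = self.spam_words[word], self.ham_words[word]
        if s + h == 0 or not self.spam_docs or not self.ham_docs:
            return 0.5
        p_spam = (s + 1) / (self.spam_docs + 2)
        p_ham = (h + 1) / (self.ham_docs + 2)
        return p_spam / (p_spam + p_ham)

    def score(self, text):
        """Combine the per-word probabilities in log-odds space; returns P(spam)."""
        logit = 0.0
        for word in tokenize(text):
            p = self.word_spam_prob(word)
            logit += math.log(p) - math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(-logit))


# Constructed corpus, labelled by hand; a real filter needs thousands of messages
SPAM = ["cheap viagra buy now", "win free money now click here",
        "free prize claim now", "buy cheap pills online"]
HAM = ["meeting tomorrow about the project budget", "please review the attached report",
       "lunch on friday with the team", "project deadline next week"]


def trained_filter():
    f = BayesFilter()
    for text in SPAM:
        f.train(text, True)
    for text in HAM:
        f.train(text, False)
    return f
```

With four messages per class the scorer already separates the two test phrases, but only because they reuse corpus words; a message of unseen words scores exactly 0.5, which is the state a freshly deployed filter sits in until enough mail has reached it.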
• 22. Exim Access Control Lists
After the firewall, Exim Access Control Lists (ACLs) are the first line of defense in our attempt to fight spam. The ACL may be considered the most sophisticated and flexible mechanism for real-time SMTP filtering, although it is closer to a firewall rule set than to a filter governed by probabilities or signatures. With ACLs we can force the spammer to obey the rules of the protocol. When string expansions are combined with ACLs the result is a powerful weapon against spammers; string expansion requires familiarity with regular expressions (Exim uses Perl-compatible regular expressions, PCRE). The main idea of ACLs is to control Exim's behavior when it receives certain SMTP commands.
• 23. ACL structure [Diagram, rendered as lists]
ACL hook points, one per SMTP command or event: acl_smtp_connect, acl_smtp_helo, acl_smtp_auth, acl_smtp_rcpt (e.g. a named RCPT_acl), acl_smtp_data.
An ACL statement = action verb + conditions + modifiers.
  Action verbs: accept, defer, deny, discard, drop, require, warn.
  Conditions: authenticated, domains, dnslists, verify.
  Modifiers: control, delay, message (error message returned to the client), log_message.
  Special variables: $acl_c... (connection scope) and $acl_m... (message scope); predefined variables such as $domain, $home, $host, $interface_address.
String expansions usable inside statements:
  Expansion items: ${hmac...}, ${certextract...}, ${filter...}, ${lookup...}
  Expansion operators: ${base62:<digits>}, ${domain:<string>}, ${md5:<string>}, ${randint:<n>}
  Expansion conditions: def:<variable name>, ge {<string1>}{<string2>}, isip {<string>}, match {<string1>}{<string2>}
Sample statement #1 (deny when the recipient cannot be verified for our domains):
  deny domains = *.dom.example
       ! verify = recipient
       message = can't verify recipient
ACL complexity grows with the number of statements and the expansions they contain.
• 24. System objectives
1. The email system should be able to eliminate spam.
2. It should work properly under pressure and heavy network traffic.
3. It should handle a large volume of traffic with minimum delay.
4. It should be simple in design, affordable yet resilient, and easy to maintain.
5. It should be heterogeneous.
6. And finally, the email system itself should be protected against viruses and misuse.
• 25. First and second objectives [Diagram: the hybrid anti-spam filter]
Inbound SMTP session -> Exim ACL -> Mail Box Dispatcher (blacklist, greylist, whitelist; backed by LiteSQL with a greylisted-mail DB and a known-resenders DB), where an unknown sender triggers the greylist -> accepted mail is handed through a pipe transport to the content stage (spam positive? virus positive?) -> next stage in mail delivery. The sender is checked at the network level before any content is examined.
• 26. First and second objectives (continued)
Why were the anti-virus and the other content-examining filters pushed to the final stage? Content-based filters (e.g., SpamAssassin) are memory hogs and consume a lot of CPU time. ACLs are a lightweight, network-level anti-spam countermeasure; together with the other network-level techniques they are responsible for rejecting the majority of the spam without consuming many system resources, and the mail that remains is a much smaller set for the content examiner to score, which reduces the number of false positives it generates. Because of SpamAssassin's high resource consumption, exposing it to the full inbound stream might leave the system vulnerable to a DoS attack.
• 27. Third objective [Diagram: the ACL triggers the Mail Box Dispatcher greylist, backed by LiteSQL (greylisted-mail DB, known-resenders DB)]
Greylisting is responsible for most of the delay. Two ways to reduce it: be less restrictive by triggering greylisting less often (caution: unknown senders then end up on the whitelist), and keep a resender database listing the hosts that are known to retry sending, so they are not greylisted again (caution: maintaining it is a tedious job).
• 28. Fourth and fifth objectives
Unfortunately, it is difficult to design a network that is simultaneously simple and heterogeneous (e.g., SSSD, OpenLDAP, Kerberos), and it is not easy to design an affordable network without reducing the effectiveness of fighting spam, especially on the home front.
Why does the network have to be heterogeneous in the first place? Our design consists of two important parts: the internal network, where MS Exchange is very popular and widely used for intranets, and the DMZ, which takes advantage of Exim's Internet gateway capabilities, flexibility and ACLs. The trade-offs: Linux is free software and Linux servers are more customizable than MS servers; Microsoft is more customer-support oriented and MS Windows servers are easier to install and configure.
• 29. Sixth objective
Linux is highly customizable; the kernel can be built to accomplish only the tasks the mail services need, which means a smaller TCB (Trusted Computing Base) and better protection. Exim must be updated regularly with the latest releases and patches (e.g., the Exim 4.32 header_syntax function buffer overflow).
• 30. System architecture [Diagram: Windows domain controller 192.168.1.10 (Active Directory, KDC, LDAP, Stand-Alone Root CA, Enterprise Sub-CA, DNS, Routing and Remote Access) and Linux/Ubuntu Exim host on the 192.168.8.0/24 side (192.168.8.100, with 192.168.8.50 as the internal router interface): Exim with ACL and Mail Box Dispatcher, routers Pass_to_Exchange (SMTP transport), Pass_to_SPMFlt (pipe transport to the spam filter) and local_smtp; SSSD with its sssd_pam and sssd_nss modules; PAM, NSS, SASL, Kerberos 5 keytab; configuration files ldap.conf, krb5.conf, sssd.conf, exim4.conf; delivery to the MS Exchange server over SMTP with STARTTLS.]
SSSD accesses LDAP as a service, hence it requires a Kerberos service ticket (obtained with its keytab) before it can bind over LDAP/TLS; AD SIDs are mapped to UID/GID on the Linux side. The SpamAssassin check does not take place in Exim itself but in a separate, independent process fed through the pipe transport.
• 31. Resembling the network with virtual machines [Diagram]
Internal network 192.168.1.0/24: Exchange Server 2013 (192.168.1.20); Windows Server 2012 domain controller (192.168.1.10) running DNS, the Certification Authority and the Routing and Remote Access Service, which acts as the internal firewall between the internal network and the DMZ.
DMZ 192.168.8.0/24: Exim server VM with OpenLDAP, MIT Kerberos, SSSD and iptables (192.168.8.100); internal firewall interface 192.168.8.50; external firewall 192.168.8.150 towards the Internet.
Three VMs in total (VM 1, VM 2, VM 3).
• 32. Testing the network infrastructure [Screenshots: the Windows domain controller validating the user's credentials; SMTP instructions issued by hand over telnet]
• 33. Testing the network infrastructure (continued) [Screenshot: successful delivery to the recipient]
• 34. Conclusion and discussion: highlights of our approach
The defense lines were placed so that they take action in sequence. In a busy network we would give high priority to the tasks that fight spam at the network level, and spend more time keeping the anti-virus up to date at the personal (content) level. Had we chosen to focus on a single anti-spam technique, the functions and purposes of DNS in fighting spam (MX lookups, DNSBL queries, recognizing fast-flux names) would have been severely underestimated. Most of the complexity comes from Linux/MS Windows interoperability, but one has to build that infrastructure only once.