E-MAIL GATEWAY WITH PER-USER SPAM BLOCKING AND VIRUS SCANNING
Greg Woods, National Center for Atmospheric Research
Scientific Computing Division, Boulder, CO
Postfix Guru: Rich Johnson
OVERVIEW
● Goals
● Choice of hardware and software
● Cluster design
● Mail system design
● User interface
● Effectiveness
● Technical details
GOALS
● Low cost
● Scalability
● Reliability
● Flexibility
  – Virus Scanning
  – Centralized Alias Database
  – PER-USER spam blocking
SYSTEM CHOICE
● PC cluster
● Linux Virtual Server (LVS)
● Heartbeat
● Postfix
● DNS-based blocklists
● SpamAssassin
● F-PROT
● LDAP
LINUX VIRTUAL SERVER
[Diagram: Director and Backup Director, joined by Heartbeat, in front of Node1, Node2, Node3 and Node4]
MAIL PATH
[Diagram of one Cluster Node: In -> Postfix Port 25 Receiver (smtpd) with Recipient/Blocklist check -> smapq -> Scanner Input Queue -> Attscand -> Scanner Output Queue (or Quarantine) -> Reinjectd -> Localhost Receiver -> Alias Expansion (via LDAP Server) -> Out]
DNS BLOCKLISTS
● Occurs while SMTP connection still open, after RCPT is given
● User spam block class looked up in LDAP
● Determines which DNS blocklists to use
● Originating IP address checked against blocklists
● Match results in a 550 refused message error
● If message refused, never receive message content!
● Passed messages placed in scanner input queue
BLOCKLISTS (2)
● Level 0: no blocking, all IP's OK
● Level 1: Block only misconfigured hosts (open relays and proxies)
● Default: Almost level 2, applied to any address not specifically listed in LDAP database
● Level 2: Block misconfigured hosts plus known spam sources
● Level 3, or “internal only”: block entire Internet outside of our IP space
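Added example (not code from the talk) of the RCPT-time decision the two slides above describe: the recipient's spam block class is looked up, that class selects the DNS blocklists to consult, level 3 only admits the site's own address space, and a hit refuses the message before any content is received. The directory entries, the site's address space and every zone name except blackholes.easynet.nl (which appears in the talk's config) are constructed stand-ins.

```python
import ipaddress

# Constructed sample data for the per-user block classes described in the talk.
# Zone names other than blackholes.easynet.nl (from the talk's config) are hypothetical.
BLOCKLISTS_BY_LEVEL = {
    0: [],                                                 # Level 0: no blocking
    1: ["relays.dnsbl.example"],                           # Level 1: open relays/proxies only
    2: ["relays.dnsbl.example", "blackholes.easynet.nl"],  # Level 2: plus known spam sources
}
DEFAULT_LEVEL = 2   # "Default" class: applied to any address not listed in LDAP
INTERNAL_ONLY = 3   # Level 3: refuse everything outside our own IP space

# Constructed stand-in for the site's address space (the talk does not give it).
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed stand-in for the LDAP ou=spamblock entries: sn -> value of the spam attribute.
SPAMBLOCK_DIRECTORY = {"alice": 0, "bob": 3, "carol": 1}


def dnsbl_query_name(client_ip, zone):
    """Name a DNSBL client resolves: the client's octets reversed, under the list's zone."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone


def check_client(recipient, client_ip, listed):
    """Decide at RCPT time whether to accept the connection for this recipient.

    `listed` is a callable(query_name) -> bool standing in for the DNS lookup,
    so the example runs offline. Returns (accepted, smtp_reply_or_None).
    """
    level = SPAMBLOCK_DIRECTORY.get(recipient, DEFAULT_LEVEL)
    addr = ipaddress.ip_address(client_ip)
    if level == INTERNAL_ONLY:
        if any(addr in net for net in OUR_NETWORKS):
            return True, None
        return False, f"550 {client_ip} refused: recipient accepts internal mail only"
    for zone in BLOCKLISTS_BY_LEVEL[level]:
        if listed(dnsbl_query_name(client_ip, zone)):
            # Refusing here means the message body is never received.
            return False, f"550 {client_ip} refused: listed by {zone}"
    return True, None


# Constructed DNSBL answers for the demo; a real check resolves the names instead.
LISTED_NAMES = {
    "5.113.0.203.blackholes.easynet.nl",   # 203.0.113.5: a "known spam source"
    "9.113.0.203.relays.dnsbl.example",    # 203.0.113.9: an open relay
}
listed_in_demo = LISTED_NAMES.__contains__
```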
SMAPQ
● Called by Postfix smtpd once message passes blocklist check
● Writes queue file which contains original message plus SMTP envelope information
● Uses “x” bit lock protocol
QUEUE FILE LOCKING
● Uses “x” permission bit
● Explicitly set when done writing queue file
● Daemons ignore files in queue without “x” set
● Daemons remove “x” bit first thing, before processing file
● Used by smapq, attscand, and reinjectd
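Added example, not the talk's own smapq, attscand or reinjectd code: the “x” bit handoff described in the SMAPQ and QUEUE FILE LOCKING slides, with a temporary directory standing in for a queue. The writer creates the file without the bit and sets it only after the data is on disk; a consumer skips files without the bit and clears it before doing anything else.

```python
import os
import stat
import tempfile


def write_queue_file(queue_dir, name, data):
    """Writer side: create without the x bit, fill it, then set x as the 'ready' flag."""
    path = os.path.join(queue_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # rw-------, no x
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())          # data is on disk before the flag is raised
    os.chmod(path, 0o700)             # rwx------: x means "complete, safe to process"
    return path


def is_ready(path):
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def claim_ready_files(queue_dir):
    """Consumer side: ignore files without x; clear x first thing, before processing."""
    claimed = []
    for name in sorted(os.listdir(queue_dir)):
        path = os.path.join(queue_dir, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if not mode & stat.S_IXUSR:
            continue                  # still being written, or already claimed
        # Note: stat followed by chmod is not atomic, so two consumers racing on
        # the same queue could both claim a file; the protocol wants one consumer.
        os.chmod(path, mode & ~stat.S_IXUSR)
        claimed.append(path)
    return claimed


def demo():
    """Constructed run: one finished queue file beside one still being written."""
    queue = tempfile.mkdtemp()
    partial = os.path.join(queue, "q2-inprogress")
    with open(partial, "wb") as f:    # a writer that has not set x yet
        f.write(b"partial")
    os.chmod(partial, 0o600)
    done = write_queue_file(queue, "q1-done", b"MAIL FROM:<a@example.test>\n...")
    first = [os.path.basename(p) for p in claim_ready_files(queue)]
    second = [os.path.basename(p) for p in claim_ready_files(queue)]  # nothing left
    return first, second, is_ready(done)
```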
ATTACHMENT SCANNER
● Use F-PROT to scan for known viruses/worms
  – Can even examine files within ZIP archive
● Use grep to scan for executable MIME attachment types
  – This addition kept out Sobig.F
● Add SpamAssassin headers
  – No quarantining based on SpamAssassin; headers are there if end user wants to use them; again avoid content filtering
REINJECT DAEMON
● Takes messages from scanner output queue
● Send back to localhost listener, which is programmed for normal delivery
● Localhost listener does alias expansion via LDAP, then sends message on to next hop
USER INTERFACE
● 15-year-old ASCII screen-based interface
● Sends e-mail to database maintainers
● Flat files sent out twice daily; scripts update LDAP database from these
● Forwarding address updated immediately, anything else takes ½ a working day
● Development of direct web-to-LDAP interface in progress
EFFECTIVENESS
● Very few false positives
  – One major incident: Osirusoft DoS
● Filter effectiveness generally good, but varied
  – Some users report little reduction in spam
  – Others report total or near elimination of spam
  – Personal godsend: from hundreds of spams daily down to less than half a dozen
TECHNICAL DETAILS
● How LVS director works
● Heartbeat
● Postfix main receiver and localhost receiver
● Postfix blocklists
● Postfix LDAP lookups
● Virus scanning script
● Reinjector daemon
● System monitoring
LINUX VIRTUAL SERVER: Tricks with ARP
[Diagram: Router -> Director (VS) -> Node1 (RS1, VS) and Node2 (RS2, VS)]
VS = Virtual Server, RS = Real Server
http://www.linuxvirtualserver.org
HEARTBEAT
● Uses dedicated ethernet crossover AND serial links
● If primary server stops responding to heartbeat, secondary takes over
● Config files tell which IP addresses and which services to take over
● For LVS director, secondary takes over VS and the director function
http://www.linux-ha.org
POSTFIX BLOCKLISTS
● smtpd_restriction_classes = class_prospam_blocks, class_easynet, .... (declare classes)
● class_prospam_blocks = class_easynet, ...
● lookup_easynet = blackholes.easynet.nl 554 \
    $client_address dnsbl listed by easynet Blackholes. See <http://blackholes.easynet.nl/errors.html>. See <http://www.ucar.edu/nospam>
POSTFIX RECEIVERS
● SMTP Port 25
  – smtp inet n - n - - smtpd -o content_filter=smapq
  – smapq unix - n n - 5 pipe flags=q user=smap argv=/local/sbin/smapq ${sender} ${recipient}
● Localhost only, port 1075
  – localhost:1075 inet n - n - - smtpd -o content_filter=
POSTFIX LDAP SEARCHES
smtpd_client_restrictions = permit_mynetworks, ...., check_recipient_access ldap:spam
spam_search_base = ou=spamblock,dc=ucar,dc=edu
spam_server_host = 127.0.0.1
spam_server_port = 389
spam_query_filter = (sn=%s)
spam_result_attribute = spam
alias_maps = ldap:alias
alias_search_base = ou=aliases,dc=ucar,dc=edu
alias_server_host = 127.0.0.1
alias_server_port = 389
alias_query_filter = (sn=%s)
alias_result_attribute = fwd
VIRUS SCANNER
● F-PROT run, exit status checked
● grep -f pattern-file message-file
● If virus or executable attachment found, write to quarantine directory and exit
  – No longer send warnings, sender is always forged
● Add SpamAssassin headers
● Write to output queue (using “x” bit locking)
Pattern-file entries:
  filename[ ]*=.*\.exe"*$
  ^[ ]*name[ ]*=.*\.exe[ "]*$
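Added example (not the talk's scanner script): the two pattern-file entries above applied line by line to a constructed message, the way grep -f would report matching lines. It also makes visible that the literal .exe in both patterns is case-sensitive unless the search is run case-insensitively (grep -i).

```python
import re

# The two pattern-file entries from the slide (grep -f pattern-file message-file),
# kept verbatim; Python's re accepts them as written.
EXEC_ATTACHMENT_PATTERNS = [
    r'filename[ ]*=.*\.exe"*$',
    r'^[ ]*name[ ]*=.*\.exe[ "]*$',
]


def executable_attachment_lines(message_text, ignore_case=False):
    """Return the lines any pattern matches, as `grep -f` would print them.

    The patterns spell .exe in lower case, so "X.EXE" is only caught with
    ignore_case=True, the equivalent of adding -i to grep.
    """
    flags = re.IGNORECASE if ignore_case else 0
    compiled = [re.compile(p, flags) for p in EXEC_ATTACHMENT_PATTERNS]
    return [line for line in message_text.splitlines()
            if any(rx.search(line) for rx in compiled)]


def should_quarantine(message_text, ignore_case=False):
    """The scanner's decision: any hit means the message goes to quarantine."""
    return bool(executable_attachment_lines(message_text, ignore_case))


# Constructed sample: a worm-style mail carrying an .exe, plus a benign PDF part.
SAMPLE_MESSAGE = """\
From: forged@example.test
Subject: Re: Your details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream;
    name="details.exe"
Content-Disposition: attachment; filename="details.exe"

...
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
--b1--
"""
```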
REINJECTD
● Reads from virus scanner output queue (using “x” bit locking)
● Preserves original envelope FROM/RCPT
● Connects to localhost:1075 and initiates SMTP transaction
● Always passes permit_mynetworks
● Normal delivery now occurs
SYSTEM MONITORING
● Qmond script monitors queue directories
● Work in progress
● Reports when message has been in queue too long
● Needs to have a “memory” implemented of what has already been reported, to avoid an overwhelming number of reports when system is slow
  – Large numbers of reports add to problem