Malware

When e-mail attacks!


Spam, viruses, and malware: the bane of any network administrator's life. This is not only because of the inherent risk they pose to overall network security, but also because of the additional load they place on your network. The detection and processing of junk e-mail puts quite a bit of stress on mail systems; some people claim the extra burden doubles their load, and I wouldn't be at all surprised if that were accurate. These threats don't just load up servers, they also stress the network itself: the bandwidth consumed by unsolicited bulk mail and worms can be substantial. If your Internet connection seems a little slow, check your mail logs: it's likely you're being hit by a dictionary spammer trying to deliver image spam!

I think there are two ways to approach the problem of junk e-mail:

  • Run antispam and antivirus software on a smart gateway

    o Build a custom gateway

    o Buy an appliance
  • Run antispam and antivirus software on the mail server

In my opinion, it's best to tackle this problem with a balanced combination of both strategies. A smart mail gateway is essential if you want to stop your mail system from being bogged down with processing junk. Depending on its configuration, the gateway can reject messages addressed to invalid recipients before any of their content is processed, and deny SMTP sessions to IP addresses known to be used by spammers and botnets. Spam and viruses can be identified and quarantined without touching your mail servers, which keeps things tidy and gives at least some peace of mind.

While a smart gateway will filter out almost all incoming threats, I would always want to run virus protection software on the servers holding user mailboxes. It may well be that the antivirus on your mail server never fires, but if something were to slip through the gateway or enter the system from inside the network, you'd be glad of the additional protection.

I'm currently using a custom-built mail gateway; it runs on a Linux base with Postfix, amavisd, ClamAV, SpamAssassin, and Policyd. By combining these relatively simple applications, I have a powerful e-mail defence system which has yet to produce a false positive. When I introduced grey-listing via Policyd, it had a huge impact on both the amount of spam slipping through and the load on the gateway. A grey-listing gateway temporarily rejects the first delivery attempt from an unknown sender; legitimate mail servers retry after a few minutes, while most spam engines never do. Spam messages that would previously have been processed by SpamAssassin were therefore being dropped before they ever reached the antispam engine.
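The gateway-stage checks described above (refusing sessions from listed client IPs, rejecting unknown recipients before any content is accepted, and grey-listing first contact so that only retried mail reaches SpamAssassin) can be modelled as a single Postfix SMTPD policy service. The following is an added example written for this page; it is not Policyd or any other project's code. The recipient list, the blocklist zone `dnsbl.example.invalid`, the IP addresses and the timings are constructed values, and the blocklist lookup is injected as a function so the example runs offline.

```python
"""Toy Postfix SMTPD policy service (illustration only; not Policyd's code).

It models the three gateway-stage checks the post describes: refusing sessions
from clients on a DNS blocklist, rejecting mail to recipients that do not exist
before any content is accepted, and grey-listing the first contact from an
unknown (client, sender, recipient) triplet so that only retried mail ever
reaches the content scanner.

Request and reply follow Postfix's policy delegation protocol: 'name=value'
lines ended by a blank line in, a single 'action=...' line plus a blank line
out. Recipient list, blocklist zone and timings below are constructed values.
"""
import time

# Assumption: the gateway relays for these mailboxes only (constructed list).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

# Assumption: zone name of the DNS blocklist queried at connection time.
DNSBL_ZONE = "dnsbl.example.invalid"

GREYLIST_DELAY = 300  # seconds a first-contact triplet must wait before retrying
GREYLIST_DEFER = "DEFER_IF_PERMIT Greylisted, please try again later"


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet name a DNSBL expects: 192.0.2.1 -> 1.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def parse_policy_request(raw):
    """Parse the name=value lines Postfix sends; the first blank line ends the request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class PolicyService:
    def __init__(self, resolve, clock=time.time):
        # resolve(name) -> True when the blocklist answers for that name. It is
        # injected so the example runs offline; a real service would do a DNS A lookup.
        self.resolve = resolve
        self.clock = clock
        self.seen = {}  # (client_ip, sender, recipient) -> time of first attempt

    def decide(self, attrs):
        client = attrs.get("client_address", "")
        sender = attrs.get("sender", "").lower()
        recipient = attrs.get("recipient", "").lower()

        # 1. Reputation: refuse the session outright; no message content is ever read.
        if client and self.resolve(dnsbl_query_name(client)):
            return "REJECT Client %s is listed on %s" % (client, DNSBL_ZONE)

        # 2. Recipient verification at SMTP time, so no bounce is generated later
        #    (bouncing after acceptance would only send backscatter to forged senders).
        if recipient not in VALID_RECIPIENTS:
            return "REJECT Recipient address rejected: User unknown"

        # 3. Grey-listing: a temporary failure on first contact. Real MTAs retry after
        #    a few minutes; most spam engines never come back, so the content scanner
        #    is spared. (Simplified: a production daemon also expires old triplets and
        #    whitelists triplets that have passed once.)
        now = self.clock()
        key = (client, sender, recipient)
        first = self.seen.setdefault(key, now)
        if now - first < GREYLIST_DELAY:
            return GREYLIST_DEFER
        return "DUNNO"  # no opinion: the remaining Postfix restrictions decide

    def handle(self, raw):
        """One protocol round trip: request text in, 'action=...\\n\\n' out."""
        return "action=%s\n\n" % self.decide(parse_policy_request(raw))


if __name__ == "__main__":
    # Constructed demo: 192.0.2.1 is 'listed'; the clock is faked so the retry is instant.
    listed = {dnsbl_query_name("192.0.2.1")}
    clock = [1000.0]
    svc = PolicyService(resolve=lambda name: name in listed, clock=lambda: clock[0])
    request = ("request=smtpd_access_policy\nclient_address=%s\n"
               "sender=news@example.net\nrecipient=alice@example.com\n\n")
    print(svc.handle(request % "192.0.2.1"), end="")     # rejected by reputation
    print(svc.handle(request % "198.51.100.7"), end="")  # grey-listed on first contact
    clock[0] += GREYLIST_DELAY
    print(svc.handle(request % "198.51.100.7"), end="")  # retry accepted: DUNNO
```

In a real deployment the service would listen on a socket and Postfix would consult it from `smtpd_recipient_restrictions` via `check_policy_service` (for example `check_policy_service inet:127.0.0.1:10031`), after `reject_unauth_destination` so that it only ever sees mail for domains the gateway relays for. The order of the three checks is the point: the cheapest rejections happen first, and SpamAssassin only ever sees mail that a retrying MTA delivered to a real mailbox.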

Ready-built appliances are becoming more and more popular these days. I think the biggest reason for their popularity is the reduction in the amount of administrative attention required: once the initial setup has been done, the gateway will pretty much look after itself. I have been interested in the Barracuda Spam Firewall for quite some time and will soon be replacing my custom gateway with one. Why the Barracuda? Used by the U.S. Treasury Department, IBM, and NASA, the Barracuda Spam Firewall has taken home numerous awards; it won the Windows IT Pro 'Community Choice Award' and the Lotus Advisor Magazine Editors' Choice for two years running.

Features offered by the Barracuda appliance include:

  • Graphical reporting
  • Automatic updates
  • Rate Control
  • IP Reputation Analysis
  • Sender Authentication
  • Recipient Verification
  • Virus Scanning
  • Spam Fingerprint Check
  • Intent Analysis
  • Image Analysis
  • Bayesian Analysis
  • Rule-based Scoring
  • Single sign-on with Active Directory integration
  • Per-user, user-managed quarantine

I'm looking forward to getting my hands on the Barracuda Spam Firewall and will report back once I've had a chance to check it out properly. If you're using one of these already, then I'd love to hear your experiences; leave a comment and let me know how you've gotten on.

Maybe you've chosen to take a completely different approach to dealing with spam and e-mail borne threats? Again, leave a comment and share your views.

38 comments
hmmmmm!

THE REAL SOLUTION would be to somehow have ALL of the congressional sites opened up as is most email.. let the folks that passed the "this Bill will make spam illegal" bill get a dose of what people and business get each day.. as an ISP tech told me one day.. they passed the law but it has no teeth.. the only way to get it fixed is to be able to pass the spam on to DC or somehow send it back.. and that would tie up the servers that send it.. and they KNOW they are sending spam, but we need not worry as congress passed a law to end it.. RIGHT? now if we could only forward ALL the spam and such to their reelection sites asking for money and their DC offices????

DoubleJava

The best anti-spam solution I've found is RedCondor. I used to use Barracuda, and before that I tried several others; however, I've found that RedCondor has much lower false positives, and its spam catching ability is a bit better than the others. It's also very easy to set up and maintain. On top of that the pricing is very attractive. You can get it as an appliance version or you can use their hosted solution. They don't currently offer anything for ISP-based mailbox users (i.e. hotmail, yahoo, gmail, etc.) - you need to have your own domain name in order to use either the appliance or the hosted solution. It has a feature that you can enable called the Daily Digest, which sends the user a single email each day that lists all of the email messages that were destined to that user but which were blocked. This feature allows you to quickly scan down a list to see if something was blocked that shouldn't have been. I initially had this feature turned on, but I eventually turned it off after several months, since I never had any false positives. In addition to global white lists and black lists, each user can have their own individual white and black lists as well. All of the management is done via web pages. The administrator uses a web-based admin console to set up and maintain the global settings, and each mailbox user has their own web-based dashboard where they can do things like: manage their individual white and black lists, release messages from quarantine, unsubscribe from the Daily Digest, subscribe to reports, etc. This is great because it keeps me from having to tweak all of this stuff...the users can "self service". Of course, you can disable the users' dashboards if you want to play God.

hmmmmm!

THE BIG ITEM none seem to want to address is FIRST how to sort the REAL message from the SPAM, etc. I have seen a lot of NEEDED messages eaten by spam/virus protections.. and that to business is the big issue.. as you get 100 spams and in the middle is ONE IMPORTANT MESSAGE and a "situation occurs". How are most addressing that issue?

tim

We have used Commtouch for years and are very pleased with the results. With 120 mailboxes, we received 884,000 pieces of email in the last 30 days, 94% of which was spam blocked by Commtouch so we never see it. It features both a system-wide quarantine and user quarantines. In the three years we have been running it I have only had one occurrence of a false positive, which I quickly released from the system quarantine. The users love it because it just works. They can receive a daily report of what's in their individual quarantine but most users turn it off. It's a little pricey - $1,000 for the initial outlay and less than $30 a year per user. It's comparable to Postini in that it is an outside service. For AV, we use Symantec AV Corporate on our gateway, email server and all the workstations. For malware we use Windows Defender on all the computers.

jmarkovic32

Surfcontrol (recently acquired by Websense) makes excellent web-filtering and email filtering appliances and software. I use Surfcontrol's SMTP Filter on my Exchange server (small organization) and I have damn near 100% spam filtering with no false positives/negatives so far. Within Surfcontrol I use a combination of filters to achieve those results. At the "gateway" I do three checks: Directory Harvesting check, a weak SPF check and a blacklist filter (3 blacklists). Once the mail comes in, I filter it 11 times. Once the mail gets through, it gets passed to Symantec Antivirus for a virus check and then it goes to the user's mailbox. We only get around 1,000 emails a day so I can do all of this on one (beefy) server. For web filtering I use a Barracuda 210. 'Cuda's do the job but they're buggy as hell from what I can see. Every week it seems there is a new firmware update and when you install it, it bricks your box in some way. When it works though, it works great and it works fast. It's louder than the devil though and if you want a relatively inexpensive appliance, the Barracuda appliances are where it's at. If you need a little better functionality and better Active Directory/LDAP integration with more robust reporting and deeper features, the St. Bernard iPrism series is the best choice. You'll pay a little more, but it's worth the price. Surfcontrol (Websense) appliances also do a better job, but are rather pricey. But as far as filtering goes, a couple of dedicated appliances will do the job as well as antivirus software on servers and desktops. To protect against spoofed spam, you may want to look into getting an SPF record for your domain. Check out http://www.openspf.org for information and tools to accomplish this.

BrannenT

If I don't expect any legitimate traffic from Africa - if I don't serve users there, or don't care whether someone there can see my web server, or send me email - then why not just drop the 41/8 network from AfriNIC? I could drop it with an ACL or route it to null0. So, I just drop huge networks I have no interest in having a connection from. Of course there are ways around this (onion routing) - but this would get rid of some low hanging fruit at my network edge - so it doesn't traverse my firewalls, spam filters, or email boxes. Does anyone else do this? Here's a list of the /8's: http://www.iana.org/assignments/ipv4-address-space

bblackmoor

I appreciate all of these server-side anti-spam measures, but even after implementing all of them I get hundreds of spam every day. I use Vanquish's vqME to handle the rest.

Bacon 3000

What do you want for your old custom built mail gateway? Seriously.

Roger99a

I like the Open Source roll-your-own method you used. Very clever. ASSP has the same features and would be easier to set up.. and runs on Linux or Windows.

rwright142

Sorry for the 2nd duplicated message.

rwright142

Sorry for the duplicate reply - the server displayed an error so I thought it did not post.

rwright142

We use a service called SpamSoap that filters our incoming email before our Exchange server even receives it. Users get a report if a SPAM message or virus is suspected. They get an overview in their Outlook and can delete it from there, allow emails from the sender, or allow from the sender's domain. They can visit their web-based console and adjust settings they feel are appropriate for them. The service can be set to sync with our Exchange server so whenever a new user/group is created on the domain it is also created on their end. If email is sent to an invalid user, our Exchange server never gets the email. It also has automatic failover. If our email server is unreachable, they queue the messages until the server is back up. I have it set to email my Yahoo! email address when this happens so I have some type of notification. It has worked very well for us, reduces network bandwidth, and is cost effective considering how much IT admin time it saves.

John.M

I just finished an eval period followed by the purchase of a SPAM appliance. I eval'd Barracuda, Sophos and Ironport. Sophos and Ironport ran nose-2-nose in performance. The Sophos lacked a robust end-user quarantine search feature, so I chose the Ironport. Really nice product, well-built and excellent support. The Barracuda, on the other hand, although feature rich, had a GUI that was downright awful.

The Listed 'G MAN'

I set up a combination of Untangle as a gateway device and the built-in Exchange IMF. Very few false positives and so far I am delighted.

The Listed 'G MAN'

and don't accept mail from any blacklisted servers. If a legitimate company is on a blacklist that is their issue not mine.

Photogenic Memory

I'll probably have to set up something like this with similar functionality in the future. I was wondering how I could do it and you've got a great example to follow. Thank you for posting. Now I have to figure out if I can do this with as much free software as possible. I hope it's possible.

chiefywiggum

I've been using Barracuda's spam appliance for 3 years or so; it does a decent job. I've been using Barracuda's web filter also for a year. They've both had hardware failure and had to be replaced, so I'd suggest going with the "instant replacement" plan. It wasn't so bad when the web filter failed, but the spam failure was. The Exchange server we have wasn't set up well (sending out NDRs, etc.). We have 150 or so users; at one point we were receiving 15,000 emails an hour and had thousands of NDRs sitting in the queue.

Dr Dij

Kaspersky also published a list of 5 ISPs that host the bulk of malware / phishing sites. If you could get the ISPs' address ranges you could block both email and web site access to these ranges.

picknelly

Been using it for several years now and it has several up-to-date methods of dealing with spam. When properly set up it is better than the commercial solutions I looked at.

C J

If you're working with an Exchange Server, check out Ninja from Sunbelt Software. Priced per mailbox, very easy to configure (they'll even run a remote session with you if you like and show you the tips in about a half hour.) Our server has gone from staggering like a punch-drunk boxer to actually serving email without lewd suggestions and foreign correspondence. Took about an hour to configure and test, and voila! we're happy here now.

bway

We (state govt agency) are using Barracuda. It just got installed a couple of weeks ago so it is still "learning" and some junk is still getting through. I agree though ... the GUI is UUUUUGGLY!

V.H. Scarpacci

We have been using a Barracuda Spam Filter 300 in my company for over three years and in that time the firmware updates have only made it more useful. When we first brought this device online we only blocked 30% of incoming mail with no false positives. Now with fine tuning the 'cuda blocks 95% of incoming e-mail, about 40-50 thousand a day, and still we only have 1 or 2 false positives per month. We haven't stopped with the spam appliance and are running Symantec Antivirus on the Exchange server. Now we are looking into a web filter to stop users from being drawn into sites that collect information to send spam.

teguh.umar

I used to use Fortimail400, for almost 1 year, and it sucks. 7 months after we bought it, it crashed often, and we had to wait about 2 months for repair. The support for me is bad; they almost did not want to directly assist the end user, they want the end user to call the reseller first, after that they will contact the end user via the reseller, and now after the repair, it is still dead, the AV engine can not load, etc etc. Because of it our email got full of spam. I don't know who sucks here, the FM support or the reseller. After searching open source we found that ClarkConnect, which we have used for almost 5 months, can also be used as an SMTP gateway filter, and now it works, almost no spam comes to our email; it's easy to tune, it came with clamav, dansguardian, spamassassin, etc. 2 years back we tried Barracuda, and we did not like the results. Sorry if I hurt somebody's feelings, cause it came from my true experiences. Sorry again for bad English.

gkrew

We use gateway servers running Linux with SpamAssassin, amavisd, ClamAV, Razor and Postfix, with McAfee's SpamKiller for Exchange on the Exchange Server. SpamKiller uses the SpamAssassin engine and Bayesian filtering to analyze spam. It is configured to tag the subject line and route to the user's Outlook Junk Mail folder. I am willing to try Policyd on the gateway servers and see how it works.

elkfeva

Is the built-in IMF for Exchange part of the Untangle software suite? So you install Untangle and then the IMF client is totally free? thanks

elkfeva

G-Man, I'm curious... what kind of configuration do you run using Untangle?.... inline before the router? on a DMZ? Also what kind of hardware versus the size of your messaging infrastructure are you running? I think I'm going to put an Untangle install on a clone machine on my public block of IPs outside my router that handles all SMTP. Gotta do something more to stop these F***ing spammers from hogging my processing power. thanks ElkFeva

hmmmmm!

Your thing of "if they are on a blacklisted server, their issue not mine" is exactly why IT and business departments clash. IT IS YOUR business to assure ALL needed email gets through to run the business.. you work for the business, not the other way about. This is why the issue of how to not take out NEEDED business email is a big problem most have not yet found a solution to.. and any IT type that stands up in a business and says "Sorry, we lost business because they were on a server I do not want used" may be on the street. It comes down to how does IT help.. not how does IT support rule.

BrannenT

iPowerWeb 216.69.226.0/24
Layered Technologies 72.232.0.0/16
Layered Technologies 72.233.0.0/17
ThePlanet.com 70.84.0.0/14
Chinanet-GD 219.128.0.0/13
Internap Networking Services 64.94.0.0/15
Internap Networking Services 64.94.4.192/28

wolftalamasca

Barracudas are a wonderful solution.. plug it in, let it learn for a while, and blamo, spam does nearly disappear. I do feel, though, that they are far, far too expensive for the average small business or small ISP. Plus, they are not magic black boxes; they are simply inline SMTP (*nix?) based gateways running on standard hardware, possibly less capable than the hardware you are currently using for your mail/hosting system. A super simple, free (more or less) system I have been using to amazing success is MailScanner, on exim in my case as it is a cPanel based *nix box. It uses clamav, but I also have it running sophos as I adore their service. Add to this spamassassin, a BruteForceDetection system, rules du jour, Login Failure Daemon, RBL blackhole lists, DCC, and a firewall with updated listings of spam blocks, etc... and you have a massively effective spam filtering system. You can have all this installed for you on any cPanel box by the folks at Way to the Web, btw. The firewalling and RBLs deny mail from ever bothering your box, and can cut your mail server load by rather -huge- amounts, if you are under attack from one of the listed bombing gateways. (Personally, shifting to this method initially cut my spam load during an attack on one of my systems from >50k spam attempts/hour to

Roger99a

If you're not blocking 99% or better you're using the wrong product.

The Listed 'G MAN'

It's on a DMZ hanging off a current firewall. It is the primary MX for incoming mail but not the sender of mail (only receives) - secondary & tertiary send mail. I also use it as a filter for all web traffic from the LAN - but not as a default gateway for the machines. The internal LAN proxy server (an IPCop hybrid) passes all web traffic through to Untangle & to the Web. It is running on a VMware ESX3 server as the only hardware I had available was an old Dell 1600SC server. Untangle will not install on old Dell hardware for some reason. It services about 100 mailboxes with hardware set to 2.8 GHz Xeon with 2 GB of RAM. Anything missed is normally caught by the Exchange server's IMF, which I can view with IMFCompanion.

hmmmmm!

Your note "Sound absurd? I do so very much hope so": not really absurd... as it may be much closer than most want to admit.. as it has to be a sorry joke that spammers' ISPs are "not aware of the spammers"??? There remain the filters that cut both ways... too much and lose data, too little and spammed out. We unfortunately during the business day get BUSINESS emails that are sent via "private, not business email".. and there is no way other than to check most of the data, yea or nay as to spam. It consumes time.. we wish spent elsewhere.. but we cannot afford to miss some emails.. So until congress and such REALLY make laws about spam.. and even allow us to hit "Return" on spams.. and tie up the ISPs of spammers, the risk remains. Filter to what level and risk how much business.. as the profits are the key that must be protected. As said.. until we can get congress opened up to spam.. not much will change.. just wish I could forward each day's spam to them..

wolftalamasca

Business is Business, and yes, every email may count. If that is the case with the business you are hosting or managing, then yes, you cannot use any and every blackhole list out there. Also, you cannot just use firewall filtering of many Asiatic registered /8's for example, especially if your business is international. But, as some businesses must pay for security (i.e. police, alarms, fire protection, insurance, cameras, extra staff) then they must also figure such things into their email security as well, if said email is a lifeline to their business. It is a balance of costs vs. convenience. If you decide to open your system to accept a tremendous amount of risk from spam & viruses, then you must pay for that risk in some way, such as a higher grade spam filter, the annoyance of hand filtering your spam, or having a dedicated receptionist for filtering all emails to your general departments by hand for you... or your secretary, if you are so inclined. A much worse hidden danger is the fact that spam is a business, not only ones trying to sell things.. apparently to utter idiots, considering the bulk of the spam I've seen lately... but if you think about it, why *IS* most of this spam being sent? Can you actually purchase the "product" they are selling? Is there any way to contact them at all? What the hell is the point of it? Dwell on that question for a while... Perhaps waste a little time and really look at the spam being sent. Could you buy it, if you wanted to? How? Where? Why hasn't it stopped, because they have no business... or because they have been hit with lawsuits for what is, apparently, illegal in enough areas to facilitate that? What about all the spam that has no product and is pointless gibberish? Has anyone considered the far-fetched idea that there are companies benefiting from just the sheer annoyance and bulk of spam out there, and may even be contributing to the huge trash pile to gain business?
Without pointing fingers, just take a little time and think about that. Long term... 1-2-5 years from now. If spam is wildly out of control, then every valid email box open to the world simply must have a filter capable of blocking such immense legions of trash mail. So much that even someone with free time can't really pick the good mail out from the bad, and your own eyes lose your real mail. I've seen what that looks like first hand while adjusting a high rank domain hit by a spam bomb with the filter turned off. Who would benefit from such things? What players in the market these days, ones who have 1-2-5 year outlooks in their designs, would be able to leverage such an obscene thought? Could it even happen? All I can say is this; Business is Business, and everyone from organized crime to organized multi-billion dollar companies say the same. If they can make money off it, they will. If they can design it so that it makes money for them for a long period of time and people just look the other way, that is what they hope for. Apathy and acceptance. Imagine a world where a few large players hold "the key", a "subscription" to their own anti-spam lists.. only X dollars a month or you can just forget about a clean inbox. Or, multiple subscriptions because each company just doesn't block 'everything'. Or, even worse, more subscriptions because YOUR network is not legitimately accepted on THEIR network. Only X dollars a month for your server to be able to talk to the 50% of the 'internet' that THEY control. What? My email can't go through because you didn't pay your blackmai..er, subscription fees? Forget you, we're moving our email to THEIR company because they just don't have those problems. Sound absurd? I do so very much hope so.

The Listed 'G MAN'

If company A is stupid enough to get blacklisted then they are either incompetent or engaging in SPAM. I have seen what is blacklisted - I would not want any of it.

The Listed 'G MAN'

The setup evolved over time - IPCop was once the only system in place, on an old server. Now IPCop is a virtual server installed on a current hi-spec 2003 box with extra NICs - I'm not willing to let a LAN box that close to the Internet. The IPCop install has additional logging features & a web cache installed that Untangle does not. Untangle has AV, Protocol, IDS & Spyware modules that IPCop does not. The setup works really well!

Dumphrey

Why do you go from the IPCop hybrid to the Untangle? Why not just use the IPCop filtering and lighten the load on the spam filter?