from Spam
David J. Young
Introduction
History
Spam
Terminology
ASSP
Benchmarks
Demo
Questions
History
Scene: A cafe. One table is occupied by a group of Vikings wearing horned helmets. Whenever
the word "spam" is repeated, they begin singing and/or chanting. A man and his wife enter. The
man is played by Eric Idle, the wife is played by Graham Chapman (in drag), and the waitress is
played by Terry Jones, also in drag.
Man: You sit here, dear.
Wife: All right.
Man: Morning!
Waitress: Morning!
Man: Well, what've you got?
Waitress: Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam bacon spam tomato and spam;
Vikings: Spam spam spam spam...
Waitress: ...spam spam spam egg and spam; spam spam spam spam spam spam baked beans spam spam spam...
Vikings: Spam! Lovely spam! Lovely spam!
Waitress: ...or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried egg on top and spam.
Wife: Have you got anything without spam?
Waitress: Well, there's spam egg sausage and spam, that's not got much spam in it.
Wife: I don't want ANY spam!
Man: Why can't she have egg bacon spam and sausage?
Wife: THAT'S got spam in it!
Man: Hasn't got as much spam in it as spam egg sausage and spam, has it?
Vikings: Spam spam spam spam... (Crescendo through next few lines...)
Wife: Could you do the egg bacon spam and sausage without the spam then?
Waitress: Urgghh!
Wife: What do you mean 'Urgghh'? I don't like spam!
Vikings: Lovely spam! Wonderful spam!
Waitress: Shut up!
Vikings: Lovely spam! Wonderful spam!
Waitress: Shut up! (Vikings stop) Bloody Vikings! You can't have egg bacon spam and sausage without the spam.
Wife: I don't like spam!
Man: Sshh, dear, don't cause a fuss. I'll have your spam. I love it. I'm having spam spam spam spam spam spam spam baked beans spam spam spam and spam!
Vikings: Spam spam spam spam. Lovely spam! Wonderful spam!
Waitress: Shut up!! Baked beans are off.
Man: Well could I have her spam instead of the baked beans then?
Waitress: You mean spam spam spam spam spam spam... (but it is too late and the Vikings drown her words)
Vikings: Spam spam spam spam. Lovely spam! Wonderful spam! Spam spa-a-a-a-a-am spam spa-a-a-a-a-am spam. Lovely spam! Lovely spam! Lovely spam! Lovely spam! Lovely spam! Spam spam spam spam!
Spam Spam Spam lyrics
Lovely spam, wonderful spa-a-m,
Lovely spam, wonderful S Spam,
Spa-a-a-a-a-a-a-am,
Spa-a-a-a-a-a-a-am,
SPA-A-A-A-A-A-A-AM,
SPA-A-A-A-A-A-A-AM,
LOVELY SPAM, LOVELY SPAM,
LOVELY SPAM, LOVELY SPAM,
LOVELY SPA-A-A-A-AM...
SPA-AM, SPA-AM, SPA-AM, SPA-A-A-AM!
What is spam?
Unsolicited Bulk e-mail (UBE)
Unsolicited Commercial Email (UCE)
Not SPAM
False Negative
(Negative) True Negative
(*****SPAM*****)
Honeypot
Postmaster
Bayesian
MTA
MUA
SMTP
Processing matrix
-- wikipedia.org
Theory of Operation
When you install ASSP a colony of super-
intelligent thermophilus bacteria takes up
residence on your CPU and begins reading all your
email. They communicate using radio waves
directly with the CPU and interface with the ASSP
software choosing between spam and nonspam
mail.
If you choose to read further this myth will be
sadly dispelled, and I take no responsibility for
the consequences.
However, you can always refer your users to this
slide to prove to them that their email is actually
being filtered by super-intelligent bacteria.
True Theory of Operation
ASSP uses three complementary strategies to allow good
email and to block unsolicited email
• Whitelisting
• Spambuckets
• Bayesian filtering
Local mail domain users are not whitelisted
ASSP Implementation
Version 1.2.5
It is a single Perl script
360 KB
10,000 lines
attack strategies
Require low maintenance after initial
setup
Main ASSP capabilities
Automatic Whitelisting
Spam Traps
Bayesian filtering
Greylist
Whitelist RE Matching
Email interface
Mail Analyzer
Automatic Statistics
SPF (Sender Policy Framework)
DNSBL (DNS Black Lists)
ClamAV virus scanner
Mail host Headers
ASSP Features
Uses existing MTA and MUA’s
Runs on Linux, Unix, Windows, OS X, and more
Automatic whitelist – no-one you email will ever be blocked
Redlist keeps an address off the whitelist
Uses honeypot type spambucket addresses to automatically recognize
spam and update your spam database
Bayesian filter intelligently classifies email into spam and non-spam
Supports site-defined regular expressions to identify spam or non-spam
email
Accepts whitelist submissions and spam error reports by authorized email
Browser based setup
Keeps spam statistics for your site
Recognizes MIME-encoded and other camouflaged spam
Can listen on more than one SMTP port
Basic anti-virus filtering using the ClamAV virus databases
Optionally blocks no mail but adds an email header and/or updates the
message subject (*****SPAM*****)
Can block spam-bombs (when spammers forge your domain in the from
field)
More
ASSP Flexibility
Whitelist-only mode
Don’t filter, just tag subject line
domains
Web based configuration
ASSP Mail Processing
What order does ASSP process mail to check if it is spam?
1. Local or whitelisted?
2. Blacklisted Domain?
3. Spam Helo?
4. Addressed to spam-bucket?
5. Mail bomb?
6. Blocked attachment?
7. Matches expression to identify non-spam?
8. Matches expression to identify spam?
9. Bayesian evaluation
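The nine checks above as a first-match pipeline, in an added Python sketch that is not ASSP's own code. The verdict attached to each step, the `Mail` fields, and every address, pattern and threshold are assumptions made for illustration. It shows why the order matters: a whitelisted sender skips every later test, and because local-domain users are not whitelisted, a forged local sender arriving from outside falls through to the mail-bomb check.

```python
import re
from dataclasses import dataclass

# Constructed policy values for this sketch; none come from ASSP or the slides.
LOCAL_DOMAINS = {"example.com"}
WHITELIST = {"partner@vendor.example"}      # external senders only
BLACKLISTED_DOMAINS = {"bulk.example"}
SPAM_HELOS = {"friend"}
SPAMBUCKETS = {"former.employee@example.com"}
BLOCKED_EXT = (".exe", ".scr")
NONSPAM_RE = re.compile(r"ticket #\d+", re.I)
SPAM_RE = re.compile(r"cheap pills", re.I)
BAYES_THRESHOLD = 0.6

@dataclass
class Mail:
    sender: str
    rcpt: str
    helo: str = "mail.vendor.example"
    body: str = ""
    attachments: tuple = ()
    from_local_mta: bool = False  # connection came from our own MTA (outbound)
    bayes_score: float = 0.0      # stand-in for the Bayesian filter's output

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def classify(m):
    """Return (verdict, step) for the first check that matches, in slide order."""
    checks = [  # (step, assumed verdict on match, did it match?)
        ("local or whitelisted", "pass", m.from_local_mta or m.sender.lower() in WHITELIST),
        ("blacklisted domain", "block", domain(m.sender) in BLACKLISTED_DOMAINS),
        ("spam helo", "block", m.helo.lower() in SPAM_HELOS),
        ("addressed to spam-bucket", "block", m.rcpt.lower() in SPAMBUCKETS),
        # Not from our MTA (step 1 missed) yet claims our domain: forged sender.
        ("mail bomb", "block", domain(m.sender) in LOCAL_DOMAINS),
        ("blocked attachment", "block",
         any(a.lower().endswith(BLOCKED_EXT) for a in m.attachments)),
        ("non-spam expression", "pass", bool(NONSPAM_RE.search(m.body))),
        ("spam expression", "block", bool(SPAM_RE.search(m.body))),
        ("bayesian evaluation", "block", m.bayes_score >= BAYES_THRESHOLD),
    ]
    for step, verdict, hit in checks:
        if hit:
            return verdict, step
    return "pass", "bayesian evaluation"

if __name__ == "__main__":
    print(classify(Mail("ceo@example.com", "bob@example.com")))
```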
with ASSP
[Figure: inbound mail path. Labels: Internet, ASSP, MTA, GroupWise/Exchange, Clients]
[Figure: outbound mail path. Labels: Internet, MTA, ASSP, GroupWise/Exchange, Clients]
[Figure: host smtp0, ports 25 and 125. Labels: in, ASSP, MTA, out, POA]
[Figure: 2003 architecture. Labels: Internet, MTA, DNS Block List, GroupWise, Virtuser table, aliases, POA]
[Figure: 2004 architecture. Labels: Internet, MTA, SpamAssassin, GroupWise, Virtuser table, aliases, POA]
[Figure: 2006 architecture. Labels: Internet, MTA, SpamAssassin, GroupWise, Virtuser table, aliases, POA, ASSP, sendmail]
with “Greylisting”
Use of DNSBL is discouraged (If a
False Negatives: To report a spam that got through, simply forward the mail to
assp-spam@yourdomain.com. It's best to forward it as an attachment, but you can
just forward it normally if you must. In a short time you will receive a confirmation.
False Positives: The process is the same to report a miscategorized spam, but send
it to assp-notspam@yourdomain.com.
Spam Report
Benchmarks
Spam Bucket
Ex-employee that left the company 5
years ago
Receives 50-80 spam mails per day
Filter effectiveness
SpamAssassin 60-65% effective in 2004
Deteriorated to 11% by 2006
(267 of 2238 True Positives)
ASSP in first 3 weeks of operation 99.7%
(1336 of 1340 True Positives)
ASSP vs SpamAssassin
SpamAssassin
• is difficult to install
• great investment in hand-made regular expressions and
header analysis to identify spam
• Hand-crafted expressions are brittle as spammers adjust
their strategies
• Requires frequent updates to accurately identify spam
ASSP
• is low maintenance
• is easy to install
• is a complete spam blocking solution, not just a filter
that must be integrated into your MTA
• works with nearly every MTA on any OS
• Poorly documented
Before ASSP
Turning ASSP on
With ASSP
stat.pl Statistics
[root@smtp]# perl stat.pl /tmp/m.log
As of Mon Jan 22 21:48:46 2007 the mail logfile shows:
0 proxy / smtp connections
253 were dropped for attempted relays (0.0% of total).
even if whitelisted
Be very careful what you put in the
threaded
Utilities
rebuildspamdb.pl
repair.pl
move2num.pl
stat.pl
Demo
Web configuration
Mail analyzer
Resources on the Internet
http://www.spamland.com
http://antispam.yahoo.com
http://www.openspf.org
Questions