Basic methods of protection against spam. What methods exist to combat spam, and what do you do when spam becomes unmanageable?

There are two main approaches to protecting against spam: refusing spam at the moment the server receives the message, and separating spam from the rest of the mail after it has been accepted. Mail servers use the following technologies:

Blacklists. IP addresses from which spam is sent are placed on a blacklist, and mail from those addresses is refused.

Greylisting (gray lists). Greylisting exploits the way spam is sent: as a rule, a spam run pushes a very large number of messages out of a given server in a very short time. A greylist deliberately defers acceptance of a message for some time, recording the sending address and the time of the attempt in its database. A real mail server keeps the message in its queue and retries delivery, typically for up to about five days. Spambots, as a rule, do not queue messages, so after a short time they give up. When the message is resent from the same address and the required interval has passed since the first attempt, the message is accepted and the address is added to the local whitelist for a sufficiently long period.

DNSBL (DNS blacklist): lists of hosts published through the DNS. The mail server queries the DNSBL for the IP address of the connecting client; if the address is listed, the message is refused and an error response is returned to the sending server.

Message limit. A cap on the number of messages that may be sent within a given period.

SpamAssassin (SA) analyzes the contents of a message that has already been received. SpamAssassin ships with a large set of rules that decide which messages are spam and which are not. Most rules are regular expressions matched against the message body or headers, but SpamAssassin also uses other techniques. The SpamAssassin documentation calls these rules "tests".

Each test carries a score. If a test matches, its score is added to the message's total. Scores can be positive or negative: positive scores indicate spam-like features, negative scores indicate ham (legitimate mail). The message is run through every test and a total is computed; the higher the total, the more likely the message is spam.

SpamAssassin has a configurable threshold above which a message is classified as spam. The threshold is normally set so that a message must match several tests; a single test firing is rarely enough to exceed it.
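The scoring mechanism just described, as an added example that is not SpamAssassin's own code or rule set: a handful of regular-expression "tests" with positive and negative scores, a threshold, and the X-Spam-* headers a mail client would sort on (the SpamAssassin configuration notes later on the page rely on exactly such headers). Rule names, scores and the two sample messages are constructed; the threshold 5.0 matches SpamAssassin's default required_score. The obfuscation-tolerant drug pattern and the missing Message-ID test anticipate the header-check and "noise" tricks discussed further down the page.

```python
import re
from email import message_from_string
from email.message import Message

THRESHOLD = 5.0  # same value as SpamAssassin's default required_score

# Patterns used by the tests below.  DRUG_RE tolerates the "vi_a_gra" / "vi@gr@"
# obfuscation tricks that defeat a literal word match.
DRUG_RE = re.compile(r"\bv[\W_]*i+[\W_]*[a@4]+[\W_]*g+[\W_]*r+[\W_]*[a@4]+", re.I)
CAPS_RE = re.compile(r"^[^a-z]*[A-Z][^a-z]*$")        # subject has no lowercase letters
MONEY_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})+")      # $1,000 and larger
URGENT_RE = re.compile(r"\b(?:act now|urgent|limited time|click here)\b", re.I)


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts so rules can match the body."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


# Each "test" is (name, predicate(msg, body), score).  Positive scores mark
# spam-like features, negative scores ham-like ones.  Names and scores are
# illustrative assumptions, not SpamAssassin's real rule set.
RULES = [
    ("SUBJ_ALL_CAPS", lambda m, b: (len(m.get("Subject", "")) >= 10
                                    and CAPS_RE.match(m.get("Subject", "")) is not None), 1.5),
    ("URGENT_WORDS", lambda m, b: URGENT_RE.search(b) is not None, 1.2),
    ("DRUG_OBFUSCATED", lambda m, b: DRUG_RE.search(b) is not None, 3.0),
    ("LARGE_MONEY", lambda m, b: MONEY_RE.search(b) is not None, 1.0),
    # Header-format test: RFC 5322 says a message SHOULD carry a Message-ID;
    # hastily written bulk mailers often omit it.
    ("MISSING_MSGID", lambda m, b: m.get("Message-ID") is None, 2.0),
    # Ham indicators: a reply to our own mail, or mail from a list we joined.
    ("IS_REPLY", lambda m, b: m.get("In-Reply-To") is not None, -1.5),
    ("HAS_LIST_ID", lambda m, b: m.get("List-Id") is not None, -1.0),
]


def score_message(msg: Message):
    """Run every test; return (total score rounded to 0.1, names of tests that fired)."""
    body = body_text(msg)
    fired = [name for name, test, _ in RULES if test(msg, body)]
    total = sum(score for name, _, score in RULES if name in fired)
    return round(total, 1), fired


def score_raw(raw: str):
    """Parse a message given as text and score it."""
    return score_message(message_from_string(raw))


def tag_message(raw: str) -> Message:
    """Add X-Spam-* headers, and a Subject prefix when over threshold, so the
    mail client can sort on them as the page describes for SpamAssassin."""
    msg = message_from_string(raw)
    score, fired = score_message(msg)
    is_spam = score >= THRESHOLD
    msg["X-Spam-Score"] = f"{score:.1f}"
    msg["X-Spam-Status"] = (f"{'Yes' if is_spam else 'No'}, score={score:.1f} "
                            f"required={THRESHOLD:.1f} tests={','.join(fired) or 'none'}")
    if is_spam:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = "*****SPAM***** " + subject
    return msg


# Constructed sample messages (not real mail).
SPAM = """From: "Promo Desk" <promo@example.net>
To: victim@example.com
Subject: LIMITED TIME OFFER!!! ACT NOW

Cheap vi_a_gra and other pills. Act now: only $1,000,000 worth of stock left.
"""

HAM = """From: colleague@example.com
To: me@example.com
Subject: Re: quarterly training schedule
Message-ID: <20240101.abc123@example.com>
In-Reply-To: <20231231.xyz@example.com>

Thanks, the revised schedule works for me. See you at the training on Monday.
"""

if __name__ == "__main__":
    for raw in (SPAM, HAM):
        tagged = tag_message(raw)
        print(tagged["X-Spam-Status"], "|", tagged["Subject"])
```

The spam sample fires five tests for a total of 8.7 and is tagged; the reply fires only the negative IS_REPLY test and scores -1.5. Note how no single positive test reaches the 5.0 threshold on its own, which is the property the paragraph above describes.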

The following technologies are used to protect websites from spam:

1. Image captcha: the user is shown distorted arbitrary text and must type it in to complete an action.

2. Text captcha: the visitor must type the answer to a question to confirm the action.

3. Interactive captcha: less common but very effective. To confirm an action the user is asked to solve an easy puzzle, for example assembling a picture from three or four pieces.

Modern spam campaigns deliver hundreds of thousands of copies in a few tens of minutes, and most of them are sent from users' computers infected with malware and organized into botnets (zombie networks). What can be set against this onslaught? The IT security industry offers many solutions and anti-spam vendors have a range of technologies in their arsenal, but no single technology is a "silver bullet" against spam; there is no universal solution. Most modern products therefore combine several technologies, since a product built on one alone is not effective.

The most well-known and common technologies are listed below.

Blacklists

Also known as DNSBLs (DNS-based Blackhole Lists), these are one of the oldest anti-spam technologies: mail from IP addresses on the list is blocked.

  • Pros: a listed source is blocked outright.
  • Cons: a high rate of false positives, so blacklists should be used with caution.

Crowd control (DCC, Razor, Pyzor)

The technology identifies messages in the mail flow that are identical or differ only slightly, i.e. mass mailings. Building a working "mass" analyzer requires a huge mail flow, so this technology is offered by large vendors that see enough mail to analyze.

  • Pros: when it works, it reliably detects a mass mailing.
  • Cons: first, a "large" mailing need not be spam; Ozon.ru or Subscribe.ru, for example, send thousands of nearly identical messages that are perfectly legitimate. Second, spammers know how to break through this protection: they use software that varies the content (text, graphics and so on) of every message, and the crowd-control signature no longer matches.
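An added example (not DCC, Razor or Pyzor code, and not from the original page) of the fuzzy bulk detection this section describes: messages are fingerprinted as sets of word trigrams after stripping digits and punctuation, near-duplicates are clustered by Jaccard similarity, and a cluster that reaches a copy count is flagged. The messages, thresholds and cluster size are constructed assumptions; real systems see millions of copies and exchange compact checksums rather than shingle sets. The run shows both drawbacks listed above: a legitimate newsletter is flagged just like spam, and a copy mangled by the spammer's noise generator escapes.

```python
import re

NON_LETTER_RE = re.compile(r"[^a-z\s]")
SHINGLE_N = 3        # word n-gram size
SIMILARITY = 0.5     # Jaccard similarity needed to join an existing cluster
BULK_COUNT = 3       # copies seen before a cluster is called "bulk" (real systems use far more)


def normalize(text: str) -> str:
    """Lower-case and drop digits/punctuation, so tracking codes and order
    numbers that spammers vary per copy do not break the fingerprint."""
    return " ".join(NON_LETTER_RE.sub(" ", text.lower()).split())


def shingles(text: str) -> set:
    """Set of word trigrams: the fuzzy fingerprint of the message."""
    words = normalize(text).split()
    if len(words) < SHINGLE_N:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + SHINGLE_N]) for i in range(len(words) - SHINGLE_N + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


class BulkDetector:
    """Groups near-identical messages and counts how many copies were seen."""

    def __init__(self):
        self.clusters = []  # each entry: [fingerprint of the first copy, copies seen]

    def observe(self, text: str):
        """Return (copies seen in the matching cluster, flagged as bulk?)."""
        fp = shingles(text)
        best, best_sim = None, 0.0
        for cluster in self.clusters:
            sim = jaccard(fp, cluster[0])
            if sim > best_sim:
                best, best_sim = cluster, sim
        if best is None or best_sim < SIMILARITY:
            best = [fp, 0]           # nothing similar enough: start a new cluster
            self.clusters.append(best)
        best[1] += 1
        return best[1], best[1] >= BULK_COUNT


# Constructed samples.  The first three differ only in name and order id.
PERSONALIZED_SPAM = [
    "Dear Alice, your order is ready! Visit http://example.net/?id=48213 to claim your discount today.",
    "Dear Bob, your order is ready! Visit http://example.net/?id=99127 to claim your discount today.",
    "Dear Carol, your order is ready! Visit http://example.net/?id=30501 to claim your discount today.",
]
# The same offer after the spammer's noise generator: leet-speak breaks most word trigrams.
RANDOMIZED_SPAM = "Alice!! 0rder r3ady -- vis1t http://example.net/?id=5 cl4im disc0unt t0day"
# A legitimate newsletter sent unchanged to many subscribers is counted as bulk too.
NEWSLETTER = "Weekly digest: three new articles on TLS, a podcast episode, and our upcoming webinar schedule."

if __name__ == "__main__":
    detector = BulkDetector()
    for msg in PERSONALIZED_SPAM + [RANDOMIZED_SPAM] + [NEWSLETTER] * 3:
        print(detector.observe(msg), msg[:40])
```

The personalized copies share 12 of 16 trigrams (similarity 0.75) and are flagged at the third copy; the leet-speak variant shares only two and starts a cluster of its own, which is exactly why vendors pair this technique with content and reputation checks rather than relying on it alone, and why known legitimate bulk senders have to be whitelisted.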

Checking Internet Message Headers

Spammers write special programs that generate spam messages and send them out instantly, and in doing so they make mistakes in the headers: spam often does not comply with the RFC message-format standard (RFC 5322) that defines how headers must look. These errors can be used to identify a spam message.

  • Pros: recognition and filtering are transparent, governed by standards and quite reliable.
  • Cons: spammers learn quickly, and header errors in spam are becoming rarer. On its own this technology stops no more than about a third of all spam.

Content filtering

Another old, proven technology. Each message is checked for spam-specific words, text fragments, pictures and other characteristic features. Content filtering began with analysis of the subject and the text parts of a message (plain text, HTML); today's spam filters check every part, including graphic attachments.

As a result of the analysis, a text signature can be built or the “spam weight” of a message can be calculated.

  • Pros: flexibility and fast fine-tuning. Systems built on this technology adapt easily to new types of spam and rarely confuse spam with normal mail.
  • Cons: regular updates are required, and the filter rules are maintained by specially trained people, sometimes by entire anti-spam laboratories; such support is expensive and raises the price of the filter. Spammers also devise tricks to defeat it by adding random "noise" to a message so that its spam features are harder to find and weigh: non-letter characters inside words (the word viagra may appear as vi_a_gra or vi@gr@), randomly colored backgrounds in images, and so on.

Content filtering: Bayes

Statistical Bayesian algorithms are also a form of content analysis. Bayesian filters do not need constant tuning; they only need initial training, after which the filter adapts to the mail topics typical for that particular user. If a user works in education and runs courses, messages on that topic will not be classified as spam for them, while for someone who has no use for invitations to training the same statistical filter will classify such messages as spam.

  • Pros: personalization.
  • Cons: works best on an individual mail flow. Setting up Bayes on a corporate server with heterogeneous mail is a difficult and thankless task, and the result will be much worse than for individual mailboxes. If the user does not bother to train the filter, the technology is ineffective. Spammers work specifically on defeating Bayesian filters, and they succeed.
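The personalization described in this section, as an added example that is not part of the original page or of any vendor's product: a small naive Bayes classifier with add-one smoothing over word-presence features. The two users, their training corpora and the test message are constructed; the same message comes out as ham for a user who runs training courses and as spam for one who only ever sees "training" in sales pitches, and an untrained filter refuses to give a verdict at all.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> set:
    """Lower-case word tokens; presence-only features (a word counts once per message)."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Bernoulli-style naive Bayes with Laplace (add-one) smoothing.

    Only tokens seen during training influence the verdict, which is what makes
    the filter personal: the same message can be ham for one user and spam for
    another depending on what each of them trained."""

    def __init__(self):
        self.ham_docs = 0
        self.spam_docs = 0
        self.ham_tokens = Counter()
        self.spam_tokens = Counter()

    def train(self, text: str, is_spam: bool) -> None:
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens)

    def spam_probability(self, text: str) -> float:
        if self.ham_docs == 0 or self.spam_docs == 0:
            # The page's caveat: an untrained filter cannot give a useful verdict.
            raise ValueError("train on both ham and spam before classifying")
        total = self.ham_docs + self.spam_docs
        log_spam = math.log(self.spam_docs / total)   # class priors
        log_ham = math.log(self.ham_docs / total)
        vocab = self.ham_tokens.keys() | self.spam_tokens.keys()
        for tok in tokenize(text) & vocab:            # unknown words carry no evidence
            # P(token present | class), smoothed so an unseen combination never hits zero
            log_spam += math.log((self.spam_tokens[tok] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tokens[tok] + 1) / (self.ham_docs + 2))
        diff = log_ham - log_spam
        if diff > 700:                                # avoid exp() overflow on long mail
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))           # P(spam | message)


def train_filter(ham, spam) -> BayesFilter:
    f = BayesFilter()
    for text in ham:
        f.train(text, is_spam=False)
    for text in spam:
        f.train(text, is_spam=True)
    return f


# Constructed training data.  User A runs training courses; user B only meets
# the word "training" in sales pitches.
USER_A_HAM = [
    "agenda for the security training next week, please confirm attendance",
    "the training course slides are attached, see you at the seminar",
    "quarterly report and budget review meeting on monday",
    "training room booked for the incident response course",
]
USER_A_SPAM = [
    "buy cheap pills online, limited offer, click here",
    "you have won a prize, claim your money now",
    "cheap loans approved instantly, click here",
    "lose weight fast with this miracle offer",
]
USER_B_HAM = [
    "quarterly report and budget review meeting on monday",
    "deployment finished, the new build is on the staging server",
    "lunch on friday? the usual place",
    "please review my pull request before the release",
]
USER_B_SPAM = [
    "register now for our sales training seminar, limited seats",
    "free online training course, click here to enroll",
    "buy cheap pills online, limited offer, click here",
    "you have won a prize, claim your money now",
]
TEST_MSG = "reminder: the training seminar starts at 9, please register"

if __name__ == "__main__":
    for name, f in (("user A", train_filter(USER_A_HAM, USER_A_SPAM)),
                    ("user B", train_filter(USER_B_HAM, USER_B_SPAM))):
        p = f.spam_probability(TEST_MSG)
        print(f"{name}: P(spam)={p:.3f} -> {'spam' if p >= 0.5 else 'ham'}")
```

With the corpora above the test message scores P(spam) = 1/129 for user A and 0.6 for user B. Pooling both users' mail into one corporate model would push the probability toward the middle, which is the "heterogeneous mail" problem the cons list names.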

Greylisting

A temporary refusal to accept a message, returned with a temporary-failure SMTP error code that every mail system understands. A real mail server resends the message after a while; programs that send spam usually do not retry.

  • Pros: simple and cheap; it stops every sending program that never retries.
  • Cons: mail delivery is delayed, which for many users is unacceptable.

Kaspersky Personal Security Suite is a new Kaspersky Lab product designed for comprehensive protection of a home computer: it provides simultaneous protection against viruses, hackers and spam. The Kaspersky Anti-Spam module is one element of this protection system. It should be noted first that Kaspersky Anti-Spam is not an independent product and does not work separately from Kaspersky Personal Security Suite. To some extent this is a disadvantage, since users cannot use Kaspersky Anti-Spam on its own, but comprehensive protection also has undoubted advantages.

Anti-virus protection and firewall have been discussed more than once on the pages of our publication. Therefore, in this article we will look exclusively at the operation of the antispam module.

Kaspersky Anti-Spam is based on the SpamTest technology, which provides: fuzzy comparison (triggered even on a partial match) of the message being checked against samples of messages previously identified as spam; recognition of phrases characteristic of spam in the message text; and detection of images previously used in spam. Besides these criteria, formal attributes are also used to identify spam, among them:

  • "black" and "white" lists that the user can maintain;
  • header features characteristic of spam, for example signs that the sender address has been forged;
  • techniques spammers use to deceive mail filters: random character sequences, substituted and doubled letters, white-on-white text and others;
  • checks not only of the message text itself but also of attachments in plain text, HTML, MS Word, RTF and other formats.

Installation of the antispam module

The module is installed together with Kaspersky Personal Security Suite. When choosing installation options, a user who works with a mail client other than Microsoft's can skip installing the module for Microsoft Outlook.

Note that Kaspersky Anti-Spam scans all correspondence received over the SMTP mail protocol, so it can filter spam for any mail program; more on that below.

Integration into Microsoft Outlook Express

The program has no interface of its own. In Microsoft Outlook Express the Kaspersky Anti-Spam module appears as a menu and an additional toolbar.

One inconvenience of this toolbar has nothing to do with the anti-spam module itself: because of how Microsoft Outlook Express handles toolbars, the Kaspersky Anti-Spam panel cannot be docked where the user wants it. Each time the program starts, the panel appears in the third position, so the user must either keep moving it or put up with it.

Program operation

When mail arrives, Kaspersky Anti-Spam analyzes the incoming correspondence. If spam is detected, the message is tagged with the label [!! SPAM] in the Subject field and moved to the Deleted Items folder. Messages recognized as legitimate are left unmarked and processed by the mail program according to its usual rules. If the program is not certain a message is spam, it is tagged [?? Probable Spam] and left in the Inbox for the user to make the final decision. The program also uses two more labels: one for messages with obscene content and one for automatically generated messages, for example from mail robots.

These labels make it possible to use Kaspersky Anti-Spam with any other mail program: it is enough to create rules in the mail client that sort messages by these tags. In Microsoft Outlook itself such folders are created with a single click in the anti-spam module's settings window.

Training program

The program can be trained in two ways: by the user classifying received messages as spam or not spam, and by downloading updates from the Kaspersky Lab server. The first method tunes the program to the user's personal mail; the second responds quickly to large-scale spam outbreaks on the Internet.

On first launch Kaspersky Anti-Spam imports all addresses from the Microsoft Outlook address book into its "Friends List". Mail from these correspondents is treated as not spam and passed through without checking. The user can later edit this list, adding or removing entries. Besides the "Friends List" there is an "Enemies List": any mail from a correspondent on it is unconditionally classified as spam.

Correspondents are added to the friends or enemies lists by clicking a button on the Kaspersky Anti-Spam toolbar, and training is done from there as well. If a spam message slips through, click the "This is spam" button; a window appears in which the user tells the program what to do with the message.

The "Send as an example of spam" command generates a message to Kaspersky Lab reporting the spam for further training; this step can be skipped. Adding the author to the enemies list can also be skipped, but the message should definitely be added to the spam samples: this is how the program is trained on personal correspondence.

Since Kaspersky Anti-Spam does not integrate with other mail clients, in those programs it can only be trained through updates from the Kaspersky Lab server, which unfortunately cannot adapt the program to the specifics of the user's personal mail.

Settings

In the program settings you can: specify the location of the module databases, if the user wants them to be stored in a non-standard location; disable or enable filtering; set update parameters and view statistics.

The Kaspersky Anti-Spam module gives fairly complete protection of user mail against spam. Like any such program it requires training, and while it is being trained legitimate messages may be mistakenly classified as spam and vice versa. A relative disadvantage is that the module cannot delete obvious spam on the server, so the user still pays for the traffic of these unwanted messages; on the other hand, with this approach not a single valuable message is lost. In all other respects Kaspersky Anti-Spam deserves serious attention, especially given its integration with the other programs that protect the user's computer.

According to statistics, more than 80 percent of malware enters the local network through e-mail. The mail server itself is also a tempting target: an attacker who gains access to it obtains the mail archives and address lists, which reveal a great deal about the company's life, projects and work. Even the lists of e-mail addresses and contacts alone can be sold to spammers, or used to discredit the company by attacking those addresses or composing fake messages in its name.

At first glance, spam is a much lesser threat than viruses. But:

  • a large flow of spam distracts employees from their tasks and increases non-production costs. By some estimates an employee needs up to 15 minutes to get back into a working rhythm after reading one message; with more than a hundred unwanted messages a day, the need to look through them seriously disrupts current work plans;
  • spam makes it easier for malware, disguised as archives or exploiting vulnerabilities in mail clients, to get into the organization;
  • a large flow of messages through the mail server not only degrades its performance but also eats into the available Internet bandwidth and raises the cost of that traffic.

Spam is also a vehicle for social-engineering attacks, phishing in particular: the user receives messages disguised as coming from legitimate people or organizations, asking them to take some action, for example to enter the password for their account or bank card.

For all these reasons, the e-mail service must be protected without fail and as a first priority.

Description of the solution

The proposed solution for protecting an enterprise's e-mail system provides:

  • protection against computer viruses and other malicious software distributed by e-mail;
  • protection against spam, both arriving from outside by e-mail and distributed over the local network.

The following can be installed as additional modules of the protection system:

  • protection against network attacks on the mail server;
  • anti-virus protection of the mail server itself.

Solution Components

The mail service protection system can be implemented in several ways. The choice of the appropriate option is based on:

  • the company's adopted information security policy;
  • operating systems, management tools, security systems used in the company;
  • budget restrictions.

The right choice allows you not only to build a reliable protection scheme, but also to save a significant amount of money.

As examples, we give the "Economy" and "Standard" options.

The "Economy" option is built on the Linux operating system and makes maximum use of free products. It consists of:

  • an anti-virus and anti-spam subsystem based on products from Kaspersky Lab, Dr.Web or Symantec. If the company has a demilitarized zone (DMZ), it is recommended to place the mail-traffic protection system in it; products designed for the DMZ have more functionality and better detection of spam and attacks than standard ones, which improves network security;
  • a firewall subsystem based on the iptables firewall and the management tools standard for Linux;
  • an attack detection subsystem based on Snort.

Mail server security analysis can be done with Nessus.

The solution based on the “Standard” option includes the following subsystems:

  • subsystem for protecting mail server and mail gateway services from malware based on solutions from Kaspersky Lab, Dr.Web, Eset, Symantec or Trend Micro;
  • firewall and attack detection subsystem based on Kerio Firewall or Microsoft ISA.

Mail server security analysis can be done with XSpider.

Neither option includes instant-messaging or webmail protection modules by default.

Both the "Economy" and the "Standard" option can be built from FSB- and FSTEC-certified software products, which allows them to be supplied to government agencies and to companies with heightened security requirements.

Advantages of the proposed solution

  • the solution provides reliable protection against the penetration of malware and spam;
  • an optimal selection of products allows a protection scheme tailored to the needs of a specific client.

Note that a full-fledged security system can function only if the company has an information security policy and a number of other documents. Accordingly, Azone IT offers not only implementation of software products but also development of regulatory documents and auditing.

More detailed information about these services is available from the company's specialists.

Blacklists

Blacklists include IP addresses from which spam is sent.

To configure it, go to Spam protection -> Blacklists and click "Create". In the Sender field, specify the IP address of the mail server (or a leading part of it), a mail domain, or an individual e-mail address from which mail is to be refused (the entry format depends on which mail server is installed).

Greylisting

Greylisting exploits the way spam is sent: as a rule, a spam run pushes a very large number of messages out of a server in a very short time. A greylist deliberately defers acceptance of a message for some time, recording the sending address and the time of the attempt in its database. A real mail server keeps the message in its queue and retries delivery, typically for up to about five days. Spambots, as a rule, do not queue messages, so after a short time they give up. When the message is resent from the same address and the required interval has passed since the first attempt, the message is accepted and the address is added to the local whitelist for a sufficiently long period. One drawback is that delivery may be delayed by 15 minutes or more, depending on the sending server's retry settings.
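The triplet logic described here (and in the greylisting sections earlier on the page), as an added example that is not part of the original page, ISPmanager, Postgrey or milter-greylist: the decision a greylisting policy service returns at RCPT TO time, driven by a caller-supplied clock so it runs offline. The delay, expiry and whitelist times are assumed defaults in the spirit of those tools, the /24 keying follows Postgrey's default behaviour, and the client addresses, senders and timeline are constructed.

```python
# Assumed defaults; tune per site.
MIN_DELAY = 300                 # seconds: a retry sooner than this is still deferred
TRIPLET_TTL = 4 * 24 * 3600     # forget a never-retried triplet after 4 days
WHITELIST_TTL = 36 * 24 * 3600  # a host that retried correctly is trusted for 36 days


class Greylist:
    """Triplet-based greylisting with a caller-supplied clock (seconds)."""

    def __init__(self, min_delay=MIN_DELAY, triplet_ttl=TRIPLET_TTL, whitelist_ttl=WHITELIST_TTL):
        self.min_delay = min_delay
        self.triplet_ttl = triplet_ttl
        self.whitelist_ttl = whitelist_ttl
        self.pending = {}    # (client /24, sender, recipient) -> time first seen
        self.whitelist = {}  # client /24 -> expiry time

    @staticmethod
    def _key_ip(client_ip: str) -> str:
        # Key on the /24 (as Postgrey does by default) so that a sender farm whose
        # retry comes from a neighbouring address still passes.  IPv4 only here.
        return client_ip.rsplit(".", 1)[0]

    def check(self, now: int, client_ip: str, sender: str, recipient: str):
        """Decide at RCPT TO time.  Returns (SMTP code, text)."""
        net = self._key_ip(client_ip)
        expiry = self.whitelist.get(net)
        if expiry is not None and expiry > now:
            return 250, "OK (host previously passed greylisting)"
        triplet = (net, sender.lower(), recipient.lower())
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > self.triplet_ttl:
            self.pending[triplet] = now           # first attempt (or a stale entry): defer
            return 450, "4.7.1 Greylisted, please retry later"
        if now - first_seen < self.min_delay:
            return 450, "4.7.1 Greylisted, retried too soon"  # bots that hammer still fail
        del self.pending[triplet]                 # a real MTA waited and came back: accept
        self.whitelist[net] = now + self.whitelist_ttl
        return 250, "OK"


def simulate():
    """Constructed timeline: a bot that never retries, one that retries at once,
    and a real MTA that retries after 15 minutes.  Returns the list of SMTP codes."""
    g = Greylist()
    events = [
        (0,    "203.0.113.5",  "offer@example.net", "user@example.com"),   # bot, single shot
        (0,    "203.0.113.77", "win@example.net",   "user@example.com"),   # bot, hammers
        (10,   "203.0.113.77", "win@example.net",   "user@example.com"),
        (0,    "198.51.100.7", "alice@example.org", "user@example.com"),   # real MTA
        (900,  "198.51.100.7", "alice@example.org", "user@example.com"),   # retry after 15 min
        (1000, "198.51.100.7", "bob@example.org",   "other@example.com"),  # new mail, same host
    ]
    return [g.check(*e)[0] for e in events]


if __name__ == "__main__":
    print(simulate())  # the real MTA's second attempt and all its later mail get 250
```

The weakness the page hints at is visible in the code: a bot that does come back after the delay window is accepted like any MTA, so greylisting is a cheap first filter in front of DNSBL and content checks, not a replacement for them. The 15-minute figure in the drawback above is simply the retry interval of the sending server, which the receiving side cannot control.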

Greylisting is configured in the Greylisting module, where the required parameters are set. In the ISPmanager panel greylisting works through two applications, Milter-greylisting and Postgrey, which must first be enabled in the Features section.

DNSBL blocking

DNSBL (DNS blacklist): lists of hosts published through the DNS. The mail server queries the DNSBL for the IP address of the connecting client; if the address is listed, the message is refused and an error response is returned to the sending server.

In the Spam protection section select DNSBL blocking, click "Create" and add a new DNSBL list. In the Block list field enter the domain name of the block list; the mail server will query this domain to find out whether a given sending host is on the blacklist.

Here you can find the most common block lists: http://www.dnsbl.info/dnsbl-list.php
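How a DNSBL lookup is actually formed and interpreted, as an added example that is not part of the original page or of ISPmanager (it also illustrates the blacklist sections earlier on the page): the client IP is reversed under the list's zone, an A record in 127.0.0.0/8 means "listed", and the reply is worded like an MTA's rejection. The resolver is injectable so the run below uses constructed answers rather than live queries; zen.spamhaus.org is a real public list, dnsbl.example.test is a hypothetical zone, and the listings in FAKE_DNS are invented.

```python
import ipaddress
import socket

# RFC 1918 and loopback, checked explicitly: ipaddress.is_private also covers the
# documentation ranges (203.0.113.0/24 etc.) used as sample senders below.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to look up: reversed octets under the list's zone
    (IPv4 only; IPv6 lists use reversed nibbles instead)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")


def system_resolver(name: str):
    """Default resolver: an A lookup via the OS; NXDOMAIN means 'not listed'.
    Production code should use a DNS library with timeouts and its own caching
    resolver, since the big lists refuse queries arriving via public resolvers."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def check_dnsbl(ip: str, zones, resolve=system_resolver):
    """Query each zone for ip.  Returns (listings, errors), each zone -> answers.

    A listing is an A record in 127.0.0.0/8.  Anything else (the 127.255.255.x
    codes Spamhaus returns when it refuses a query, or a non-127 answer from an
    expired, wildcarded list domain) is an error, never a hit."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SKIP_NETS):
        return {}, {}            # never ask a public list about internal addresses
    listings, errors = {}, {}
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            if answer.startswith("127.") and not answer.startswith("127.255.255."):
                listings.setdefault(zone, []).append(answer)
            else:
                errors.setdefault(zone, []).append(answer)
    return listings, errors


def smtp_decision(client_ip: str, zones, resolve=system_resolver) -> str:
    """Reply for the connecting client, worded like Postfix's reject_rbl_client.
    Lookup errors fail open: a broken list must not bounce legitimate mail."""
    listings, _errors = check_dnsbl(client_ip, zones, resolve)
    if listings:
        zone = next(iter(listings))
        return f"554 5.7.1 Service unavailable; Client host [{client_ip}] blocked using {zone}"
    return "250 OK"


# Constructed answers for an offline run; they are not real listings.
ZONES = ["zen.spamhaus.org", "dnsbl.example.test"]
FAKE_DNS = {
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.4"],          # listed
    "9.113.0.203.dnsbl.example.test": ["127.255.255.254"],  # query refused
}


def fake_resolver(name: str):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.9", "198.51.100.7", "192.168.1.10"):
        print(ip, "->", smtp_decision(ip, ZONES, fake_resolver),
              check_dnsbl(ip, ZONES, fake_resolver))
```

Two practitioner details the panel hides: the lookup must never be made for internal or loopback addresses (a misconfigured relay would otherwise block its own LAN), and an answer that is not a plain 127.0.0.x code must be treated as a failed lookup rather than a listing, because a lapsed list domain that starts wildcarding would otherwise reject all incoming mail.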

Message limit

Another way to combat spam is to set a limit on the number of messages.

This functionality is available if you have Exim installed.

SpamAssassin

SpamAssassin (SA) analyzes the contents of a message that has already been received. It can add corresponding lines to the message headers, and the user can then use filters in the mail client to sort mail into the required folders of the mail program.

To use SA in the ISPmanager panel, enable it in the Features module. After activation the automatic self-learning function is enabled by default, but spam detection can be improved considerably by training the filter "manually" as well.

Setting up a mailbox and mail domain

To disable the greylisting check entirely for a particular recipient address or domain (for example, if you do not want that mail to be subject to this check), go to the module
