NBLUG Presentation: Dealing with spam

July 11, 2003 @ 7:30PM, General Meeting

Speakers:

Dealing with spam: Overview of Presentation

What is spam? (M.E.)
Categories of methods to deal with spam (E.E)
Avoiding spam (F.B., M.E.)
Incoming spam (F.B., M.E., E.E.)
Dealing with spam after receipt (M.E.)
Conclusions (F.B., M.E., E.E.)
Questions (F.B., M.E., E.E.)
Links (F.B., M.E., E.E.)

Dealing with spam: What is spam?

M.E.: What is spam? (problems with these)
- "Any mail that I don't want" is a good definition, but how can an algorithm or heuristic system be setup to meet this?
- "All Commercial E-mail" , but there are problems with this definition for most people.
- "Unsolicited Commercial E-mail" (UCE), this definition works better for many more people, but also is not perfect.
- "Unsolicited Bulk E-mail" (UBE) This is an alternate for UCE.
  - Or: "Unsolicited Bulk E-mail" Alteranate Definition
- "the same article (or essentially the same article) posted an unacceptably high number of times..."CONTENT IS IRRELEVANT. 'spam' doesn't mean "ads." It doesn't mean "abuse." It doesn't mean "posts whose content I object to."
- A canned meat product from Hormel: If you wish to refer to Hormel's product, then call it SPAM. If you wish to refer to UCE/UBE/etc. then call it spam.
M.E.: What is ham?
- SpamAssassin "sa-learn" defines ham as non-spam. Be careful with this naming convention, since SPAM was named as such by taking the first two letters from "SPiced" and the last two letters from "hAM" and putting them together to make "SPAM" (the Hormel canned food product.)
- ham is also a meat from pigs
Grey Areas:
- Political Content
- Surveys
- Chain letters
- Anti-chain letters
- Jokes
- NPO asking for money
- "virus/trojan" announcements (user-level viruses)
- others?

Dealing with spam: Categories of Anti-spam tools

Ideal is to receive no spam in your inbox, no network traffic from spam and no false positives. Unfortunately, this probably isn't possible.
If you can, you want to let spam use as few resources as possible.
If your machine accepts the mail (layer 6+) you want to do your best to identify the mail as spam, usually placing it into a special inbox that you only review occassionally.

General categories of anti-spam techniques (EE)
		Total Block	Manual Lists	Automatic Lists	Static Analysis	Dynamic Analysis	Other
		You wish or 100% false positive	You update; whitelists; blacklists; both.	Everybody updates	Coded heuristics	Intelligent updating	Mostly designed to raise spammers' costs above 50/cent
layer 0:	Before they even try to spam you	Don't do email. Don't give your address to spammers. Make it hard to automatically figure out your address. Make the address temporary.
layer 1/2 (physical/link):	Impractical, Difficult or Impossible.	Unplug your net cable: no email, no spam. Unplug spammer: moves or replaced.
layer 3 (network (IP)):	Good for spam havens; Invisible; no transfer; bounces.		IP via iptables/ipchains.	RBL, DUL, SPEWS, ORBS in routing table (etc.).			tarpitting techniques.
layer 4 (transport (TCP)):	Spam havens; Visible; no transfer; bounces.		hosts.allow, mail/access or similar MTA mechanisms.	RBL, DUL, SPEWS, ORBS in MTA (refuse connection).			tarpitting techniques.
		Total Block	Manual Lists	Automatic Lists	Static Analysis	Dynamic Analysis	Other
layer 5 (session (SMTP)):	Individual email addresses or entire domains. Good for "legit" spammers. Visible; minimal transfer; bounces.		mail/access.	uncommon (easy to forge); easynet	naive rules looking for "spammer-like" addresses.		soft rejects
layer 6 (presentation (email headers)):	Giveaway headers, incorrect headers, obvious subjects. Less effective as spammers get smarter. "Legit" spammers often easier. Transfer; no bounce.		Greylists.	Shared online lists of spam checksums; Razor, Pyzor, etc.	Rules-based analysis; procmail, spamassassin	Bayesian analysis
layer 7 (application (body)):	HTML mail; advertising phrases, disguised URLs, etc. Transfer; no bounce.			Shared online lists of spam checksums; Razor, Pyzor, etc.	Rules-based analysis; procmail, spamassassin	Bayesian analysis	Reply required: TMDA. Inconvenient for legit senders
layer 8 (social):	Laws, morals, ethics, shame and other non-computerized solutions	legislation; imperfect, non-universal, may supplement other techniques. Worst spammers could get imprisoned. "Legit" spammers might include filterable giveaways.				Hire a human; almost perfect	Reply required: TMDA. Inconvenient for legit senders
		Total Block	Manual Lists	Automatic Lists	Static Analysis	Dynamic Analysis	Other

For each category provide an example app/tool

Also cover what these are:

blacklist
whitelist
bayes

Something about how Bayes works.

Dealing with spam: Avoiding spam

F.B, M.E.: Prevention <F.B.>
1. Never respond to spam - it validates your email address - you get more spam - F.B.
2. Never buy anything advertised in spam. Doing so encourages spammers.
3. Never go to a site to "Opt Out"
  - it validates your email address
  - you often get more spam
  - some opt outs are legitimate, some aren't and you can't tell which are which.
4. HTML spam with images make money for the spammer if you look at it with a web browser that displays the image - the spammer gets paid every time an image loads.
5. Some e-mail messages reference images through a server cgi or application that is passed unique strings to identify one spam message as a message sent to your address vs. one sent to any other address. From these unique strings, they can identify who has opened one of their e-mail messages and figure who to targent more often. This also gives them feedback for what techniques work to get customers to open e-mail. (M.E. explain this better in presentation.)
6. Consider filling in fake e-mail addresses when you don't want to get any information from the provider. (Even though a service claims tey will not sell your address for spam, does not mean they are telling the truth. Also, when businesses are liquidated in bankruptcy, mailing lists can be sold without the required licensing, since the business who arranged for the license will not exist.)
7. If you own your own domain, you can create custom aliases for delivery to check to see who sells your address to spammers. For instance, "e-Commerce-1.com" wants you to register your address with them. Create an alias e-mail address that points to you, like "e-Commerce-1.com@yourdomain.com".
8. Consider using free "throw-away" accounts for untrusted services or in places where an e-mail address is required.
9. Special disposable email forwarding services, such as jetable.org exist, too.
10. .mailcap: text/html ; lynx -dump -force_html -localhost %s ; copiousoutput
11. If you must post your address on your website obfuscate it. "spambots" harvest email addresses from webpages. Change frankb@sonic.net to:
  - frankb@sonic.net
  - frankb@sonic.net
  - frankb@sonic.net
  - Use a graphic image to display the email address
    - not readable by the blind
    - not readable with text browsers like lynx
    - not readable by machines, including spambots (DTS Agent, etc.)
  - HTML Codes - Characters and symbols
  - poisoning spambot databases:
    - SugarPlum
    - Example of SugarPlum
    - Web Poison, also does tar pitting
    - example of Web Poison
12. Any email address used when posting to USENET and NewsGroups will get major spammage.
  - obfuscate with frankb-at-sonic-dot-net or some other text based method.
13. Don't give your e-mail address without knowing how it will be used. </F.B.>
14. When forwarding any e-mail messages (jokes, etc.) strip out all valid e-mail addresses in the message for others who have forwarded the message. M.E.
15. When you want to send a joke to others, use BCC for most addresses to try to protect disclosure of addresses. Also encourage others that your correspond with to do the same. M.E. (explain why: hotmail recipients and next item.)
16. Avoiding sending e-mail to users using mail accounts at providers who are known to have sold e-mail addresses of people sending e-mail to their users. Some "free" e-mail account services are known to harvest e-mail addresses from messages sent to their "free subscribers'" accounts. M.E.
17. When you sign up for responsible commercial services that send e-mail (such as Amazon, HP, BestBuy and others,) you can often specify what kinds of e-mail you wish to receive in a web-based profile editor. M.E.
18. When required to register software, be careful and locate any boxes or options that permit the vendor to send you more e-mail or "offer you exceptional promotions from partner companies." M.E.
Dealing with spam: Incoming spam

F.B.: Brief examination of e-mail header.
```
Received: from pop.sonic.net [209.204.190.2]
        by localhost with POP3 (fetchmail-5.9.11)
Received: from 12-249-60-91.client.attbi.com (12-249-60-91.client.attbi.com [12.249.60.91])
        by turbo.sonic.net (8.11.6p2/8.8.5) with SMTP id h5RDb2f08984

Received: from nortelnetworks.com (lsanca2-ar37-4-62-193-080.lsanca2.dsl-verizon.net [4.62.193.80])
        by sub.sonic.net (8.11.6p2/8.8.5) with SMTP id h5R9OjR13319;

Received: from 131.ts8.increments.net ([69.41.70.131])
        by turbo.sonic.net (8.11.6p2/8.8.5) with SMTP id h5RAL8f30190

Received: from 61.84.0.139 (cs242770-143.houston.rr.com [24.27.70.143])
        by sub.sonic.net (8.11.6p2/8.8.5) with SMTP id h5RN24g02665

Received: from rafgkcg (12-210-226-149.client.attbi.com [12.210.226.149])
        by ultra.sonic.net (8.11.6p2/8.8.5) with SMTP id h5SGYor02370

Received: from 216.204.151.29 ([216.204.151.29])
        by turbo.sonic.net (8.11.6p2/8.8.5) with SMTP id h5SJexp23730
```
Tools:
- whois (any *nix)
- jwhois (Debian, RedHat 9) much nicer than whois, source code is here: www.frankb.us/stuff/
- web based whois tool: Geek Tools whois
- APNIC Asia Pacific
- RIPE Europe
- LACNIC Central & South America
- ARIN USA, Canada, various other areas
- IPV4 address space
- country codes
- netmask (Debian), rpm is here: www.frankb.us/stuff/rpms/
- M.E.: procmail
  - Discuss man pages to examine
    - procmail - autonomous mail processor
    - procmailex - procmail rcfile examples
    - procmailrc - procmail rcfile
    - procmailsc - procmail weighted scoring technique
  - Difference between mbox/Maildir and procmail
  - Some common "flags" or "args" for each procmail entry, what they mean,
  - A sample .procmailrc in use in a user account at passwall.com. This is setup to use maildir format folders.
  - Show how spamc can be called per client by procmail if not called by system for all e-mail.
  - Args:
    - H (search header-default)
    - B (search body)
    - D (case sensitive searches)
    - A ("and" for chained requirements)
    - .... many more (see man procailrc)
  - E.E.: SpamAssassin
    - What is SpamAssassin?
      - filter: mail gets fed in and comes back out with markup. You use another tool to dispose of spam.
      - scoring: gives a "score" -- higher score means more likely to be spam.
      - rules-based: series of rules that email goes through, each matching rule adds to the score or subtracts from the score.
      - Perl.
      - Modular (plugins) designed to be easy to add things to and can be plugged into other software easily.
      - Whitelists, blacklists, automatic lists.
      - Learning
        
        Automatic whitelists automatically assign a lower score to senders that previously sent you ham and a higher score to senders that previously sent you spam — adjustment grows the more they send.
        Uses distributed lists of IPs, such as RBL to adjust score.
        Uses distributed databases of spam (Vipul's Razor, Distributed Checksum Clearinghouse (DCC) and Pyzor) to adjust score
        Bayesian analysis
        
        What SpamAssassin does is similar to "Naive Bayesian", but usually called Bayesian.
        Tokenizes an email (breaks it up into "words")
        When you tell it "this is spam" or "this is ham", it saves a record of each token. "ham" tokens are given a greater weight.
        As you train it more, it has a growing record of how often given tokens appear in "spam" or in "ham".
        When analyzing an incoming message, it uses those frequencies to calculate a score for every token in the email; something that appeared in a hundred spams and no hams would be 0.9999; something unseen would be 0.50; something in a hundred hams and never in spam would be 0.0001. Takes the most extreme (<0.10 or >0.90 with a max count (15?)) and calculates a score from that and then uses it as a percentage.
        Bayesian analysis percentage is fed back to SpamAssassin as a rule which adjusts the overall score.
        simple math, simple code and plan, improved version, other ideas.
    - Basic setup, how to install and run
      - If you're using Debian or RedHat 9, there's a "spamassassin" package already.
      - You'll probably also want to install Vipul's Razor — not today.
      - perl -MCPAN -e shell cpan> install Net::Ping Digest::MD5 Digest::SHA1 Digest::HMAC HTML::Parser HTML::Tagset IO::Stringy MIME::Base64 Mail::Internet MIME::Entity Net::DNS Time::HiRes Mail::Audit cpan> install Mail::SpamAssassin
      - Or download tarballs, untar, cd, "perl Makefile.PL && make && make test && make install".
      - Next you need to actually start using it.
      - Simple version on most systems is a rule in ~/.procmailrc like:
        :0fw | /usr/bin/spamassassin
        Though I prefer:
        # spamassassin with autowhitelist :0fw | /usr/bin/spamassassin -a # /dev/null for score 25 and higher :0 * X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* /dev/null # spambox for score 10 and higher :0 * X-Spam-Level: \*\*\* \*\*\* \*\*\* \* $HOME/Mail/spam/ # Default is regular inbox
    - E.E.: Bayes (me suggests applications "sa-learn", "sa-forget", "sa-nonspam", "sa-learn-rebuild", "sa-learn-spam". Really, they just need to know "sa-forget" and "sa-learn"...
      - To be most useful, it needs to be trained.
      - Save spam and ham to separate mailboxes and run "sa-learn --mbox --spam" and "sa-learn --mbox --ham" on each sometime later.
      - "spamassassin --report" will send the spam to Vipul's Razor (and others) as well as train the Bayes rule. "spamassassin --revoke" does the same in reverse; run on anything that's flagged as spam, but isn't.
      - Or you can program your mailer to have easy "training" keys.
        # ~/.muttrc # Makes these easier to run on multiple tagged messages: set pipe_split # Report spam and train bayes as spam; also deletes mail: macro index \es "|spamassassin --report\nd" macro pager \es "|spamassassin --report\nd" # un-SPAM this one; either accidentally ran previous or SA thought it was # spam: macro index \ew "|spamassassin --revoke\n" macro pager \ew "|spamassassin --revoke\n" # ham and spam(junk). Run "sa-learn --rebuild" sometime later. macro index h "|sa-learn --ham --no-rebuild --single\n" macro pager h "|sa-learn --ham --no-rebuild --single\n" macro index j "|sa-learn --spam --no-rebuild --single\n" macro pager j "|sa-learn --spam --no-rebuild --single\n"
    - M.E.: Blacklist: sample blacklist for download
    - M.E.: URL scanning rules to increase spamassassin score: sample custome filter rules available for download searches URI included in e-mail looking for domains included in the blacklist above.
    - M.E.: Whitelist: Good idea to add people in your addressbook to your whitelist to ensure their messages won't be marked as spam.
    - M.E.: It is possible to blacklist and whitelist a person resulting in a net "0" score addition, be careful.
    - M.E.: Languages (usefulness)
    - M.E.: Locales (why?)
    - M.E.: Demo Blacklist, Whitelist, Languages, Locales settings with SM.
    - E.E.: Mention Enterprise usefulness, SQL storage of Users' Settings
    - E.E.: Summary
  - F.B.: iptables/ipchains
    - spamassassin can be a major load on the mail server
    - filtering at the firewall or mailserver level is far more efficient
    - message is not accepted by the mailserver - your email address isn't validated
    - filtering at the firewall makes it look like the mailserver isn't working
    - filtering with the mailserver makes it appear that your email address is bogus
    - /sbin/ipchains -A input -p tcp -s 60.0.0.0/7 -d 0.0.0.0/0 1:1023 -l -j DENY
  - F.B.: postfix
    - /etc/postfix/access
```
64.239.9.181            	571 SPAM not welcome

# 193.230.240.0/24 Romainia .ro
193.230.240     		REJECT

# APNIC - Pacific Rim
60              571 mail not accepted from 60., too much spam!
61              571 mail not accepted from 61., too much spam!

userone@prodigy.net     	571 Sociopaths not welcome!
usertwo@aol.com     		REJECT

virtual-biz.net                 571 SPAM not welcome
online-shop-exchange.com        571 SPAM not welcome
```
    - /etc/postfix/regexp (regular expressions)
```
# APNIC - Pacific Rim
/\[(60|61)\./					REJECT

# 194.126.55.0 - 194.126.62.255 .kw Kuwait
/\[194\.126\.(5[5-9]|6[0-2])\./                 REJECT

# 212.33.64.0/20 .pl Poland 212.33.64.0-212.33.79.255
/^\[212\.33\.(6[0-4]|7[0-9])\.[0-9]{1,3}\]$/    REJECT

# 212.154.160.0/20 212.154.160.0-212.154.175.255 KAZAKHSTAN .kz
/\[212\.154\.(16[0-9]|17[0-5])\./               REJECT

# 216.139.168.0 - 216.139.170.255 Nigeria NG
/\[216\.139\.(168|169|170)\./                   REJECT
```
    - /etc/postfix/main.cf (main configuration file for postfix)
```
# client is IP address, known at time of connect
smtpd_client_restrictions = permit_mynetworks, 
        check_client_access hash:/etc/postfix/access-ip
# 
# HELO/EHLO is what the sending machine *tells* your machine it
# is.  It is easily spoofed and frequently mis-configured.
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/access
# 
# Sender is the envelope-sender address, not the client 
# machine's address or the "From:"  field in the headers.  
# (Though envelope-sender may well match "From:".)
smtpd_sender_restrictions = 
        check_sender_access regexp:/etc/postfix/regexp-sender
        check_sender_access hash:/etc/postfix/access
# 
# parameter "smtpd_recipient_restrictions": specify at least one working instance of:
# check_relay_domains, reject_unauth_destination or reject.  Default:
#     smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains
smtpd_recipient_restrictions =
                permit_mynetworks,
                check_recipient_access regexp:/etc/postfix/regexp-recipient
                check_relay_domains     
      
```
    - SMTP error codes:
      - 3 digits;
      - if first digit is a 5 it's a fatal error. 571 is a good one for spam.
      - if the first digit is a 4 the mailserver will try again later.
  - Other Bayesian filters we won't cover:
    - popfile
    - bogofilter
  - Audience suggestions?
- Dealing with spam: Spam after receipt
  
  M.E.: What to do after you get spam:
  - If it gets past your filters and into your inbox, consider "educating" your Bayes filters (like spamassassin with "sa-learn".) If you choose this route, save all of such spam into a special folder/dir until you can educate the bayes filters at once.
  - If there is a money scam, contact the Federal Trace Commission on the web or forward the email with full headers to UCE@FTC.GOV.
  - Report it to SpamCop.
- Dealing with spam: Conclusions
  
  F.B., M.E., E.E.:
  - Avoid spam
    - procedure list
  - Deal with incoming spam
    - tools list
  - Deal with spam after receipt
    - tools list
- Dealing with spam: Questions
  
  F.B., M.E., E.E.: Answer Questions from users
- Dealing with spam: Links

NBLUG Presentation: Dealing with spam

Dealing with spam: Overview of Presentation

F.B.: Brief examination of e-mail header.