Overview of the Kaspersky Anti-Spam protection system. Methods of combating spam. Checking e-mail message headers

A modern spam mailing reaches hundreds of thousands of recipients for just a few dozen dollars. Most often spam is sent through home users' computers infected with malware, that is, through zombie networks. What can be done to resist this onslaught? The IT security industry offers plenty of solutions, and anti-spam vendors have a range of technologies in their arsenal. However, no single technology is a magic bullet against spam. There is simply no universal solution. Most current products rely on several technologies at once; otherwise the product's effectiveness would not be high.

The best-known and most widespread technologies are described below.

Black lists

DNSBL (DNS-based Blackhole Lists). This is one of the oldest anti-spam technologies. Mail coming from servers whose IP addresses have been added to the list is blocked.

  • pros: A black list blocks 100% of the mail from a suspicious source.
  • cons: They produce a high rate of false positives, so they must be used with care.

Bulk detection (DCC, Razor, Pyzor)

The technology detects messages in the mail stream that are identical or differ only slightly. To build a useful bulk analyzer, large volumes of mail are required, so this technology is offered by large providers that handle significant volumes of mail which can be analyzed.

  • pros: If the technology fires, it is guaranteed to have detected a mass mailing.
  • cons: First, a "large" mailing may turn out to be not spam but entirely legitimate mail (for example, Ozon.ru and Subscribe.ru send thousands of near-identical messages, but not spam). Second, spammers try to "break through" such protection with more intelligent techniques: they use software that generates varying content (text, graphics, etc.) in every spam message. As a result, bulk detection does not fire.

Checking e-mail message headers

Spammers write special programs to generate spam messages and send them out in bulk. Because of mistakes in how the headers are formed, such spam does not always comply with the mail standard (RFC) that describes the header format. By these mistakes a spam message can be detected.

  • pros: Spam recognition and filtering is deterministic, regulated by standards and quite reliable.
  • cons: Spammers learn quickly, and there are fewer and fewer header errors in spam. This technology eliminates no more than a third of all spam.

Content filtering

Also one of the old, proven technologies. The message is checked for spam-specific words, text fragments, pictures and other characteristic spam features. Content filtering began with analysis of the subject and the text parts of the message (plain text, HTML); now spam filters check all parts, including graphic attachments.

The result of the analysis may be a text signature or a "spam weight" assigned to the message.

  • pros: Flexibility, the possibility of quick "fine" tuning. Systems based on this technology adapt easily to new types of spam and rarely confuse spam with normal mail.
  • cons: Requires constant updating. Filter adjustment is carried out by dedicated staff, sometimes by whole anti-spam laboratories. This kind of support is expensive, which is reflected in the price of the spam filter. Spammers come up with special tricks to circumvent this technology: introducing random "noise" into spam, which makes it harder to find and evaluate spam characteristics. For example, they use non-letter symbols inside words (vi_a_gra and the like), generate variable background colours in images, etc.

Content filtering: Bayes

Statistical Bayesian algorithms are also used for content analysis. Bayesian filters do not require continuous adjustment. All they need is initial training. After that, the filter adapts to the subjects of messages typical for this particular user. Thus, if a user works in education and conducts training courses, messages on that topic will not be recognized as spam for him. For a user who has no need for training courses, the statistical filter will classify such messages as spam.

  • pros: Personalization.
  • cons: It works best on an individual mail flow. Setting up Bayes on a corporate server with a variety of mail is a difficult and thankless task. The main problem is that the final result is much worse than for individual mailboxes. If the user is lazy and does not train the filter, the technology will not be effective. Spammers make special efforts to bypass Bayesian filters, and they succeed.
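The personalization point above, as an added example that is not part of the original page: a minimal naive Bayes filter (Laplace smoothing over per-message word presence) trained twice on the same constructed spam corpus but on two different ham corpora. The educator's mailbox contains legitimate mail about training courses, so the test message about a training schedule is rated ham for her and spam for a user who never receives such mail. All sample messages are constructed.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word set of a message; each token counted once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Minimal naive Bayes spam filter, trained separately for each mailbox."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()  # token -> number of spam messages containing it
        self.ham_tokens = Counter()   # token -> number of ham messages containing it

    def train(self, text, is_spam):
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens)

    def spam_probability(self, text):
        """P(spam | tokens); Laplace smoothing keeps unseen words from zeroing a class."""
        log_odds = math.log((self.spam_docs + 1) / (self.ham_docs + 1))  # class prior
        for tok in tokenize(text):
            p_tok_spam = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
            p_tok_ham = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
            log_odds += math.log(p_tok_spam / p_tok_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def train_filter(spam_samples, ham_samples):
    f = BayesFilter()
    for text in spam_samples:
        f.train(text, is_spam=True)
    for text in ham_samples:
        f.train(text, is_spam=False)
    return f


# Constructed training data: the same spam for everyone, different ham per mailbox.
SPAM_SAMPLES = [
    "buy cheap pills online now free shipping",
    "free online training course limited offer buy now",
    "free training webinar register now limited offer",
    "cheap online pills best offer",
]
COMMON_HAM = [
    "meeting moved to thursday please confirm",
    "attached is the invoice for march",
    "can you review the budget draft",
    "lunch tomorrow at noon",
]
EDUCATOR_HAM = COMMON_HAM + [
    "training schedule for the new course next week",
    "slides for the training seminar attached",
    "course registration opens on monday",
]
TEST_MESSAGE = "training course schedule for next week"

if __name__ == "__main__":
    generic = train_filter(SPAM_SAMPLES, COMMON_HAM)
    educator = train_filter(SPAM_SAMPLES, EDUCATOR_HAM)
    print("generic user :", round(generic.spam_probability(TEST_MESSAGE), 3))
    print("educator     :", round(educator.spam_probability(TEST_MESSAGE), 3))
```

With these corpora the generic mailbox rates the test message at 0.75 (spam) and the educator's at about 0.13 (ham), which is exactly the personalization the section describes and also why one shared model on a corporate server serves nobody well.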

Greylisting

A temporary refusal to accept the message. The refusal is returned with an error code that all mail systems understand. After some time they resend the message. Programs that send spam, however, do not resend the message in this situation.

  • pros: Yes, this is a working solution.
  • cons: Mail delivery is delayed. For many users such a solution is unacceptable.

The following technologies are used to protect mail servers:

There are two main approaches to stopping spam: preventing spam from being accepted by the server, and separating spam from the rest of the mail after it has been accepted.

Black lists. Blacklists contain IP addresses from which spam is sent.

Gray lists, or greylisting. The principle of gray lists is based on the spammers' sending tactics. As a rule, spam is sent within a very short time to a large number of servers. A gray list works by deliberately refusing to accept a message for some time. When this happens, the address and the time of the delivery attempt are entered into the gray list database. If the remote computer is a functioning mail server, it must keep the message in its queue and repeat the delivery within five days. Spam bots, as a rule, do not queue messages, so they try to resend only immediately after the refusal. When a message is sent again from the same address and the required time has passed since the first attempt, the message is accepted and the address is added to the local white list for a sufficiently long term.

DNSBL (DNS blacklist): lists of hosts stored in the DNS system. The mail server queries the DNSBL and checks for the presence of the IP address from which it is receiving the message. If the address is on the list, the server does not accept the message, and the sender receives a non-delivery notification.

Message rate limit. A limit is set on the number of messages accepted.

The SpamAssassin (SA) program analyzes the content of a message that has already been delivered. SpamAssassin comes with a large set of rules that determine which messages are spam and which are not. Most rules are regular expressions matched against the body or headers of the message, but SpamAssassin also uses other methods. In the SpamAssassin documentation these rules are called "tests".

Each test has a "score". If a message matches the test, that score is added to the message's total. Scores can be positive or negative; positive values are called "spam" scores, negative ones "ham". A message is run through all the tests and the total score is computed. The higher the score, the greater the probability that the message is spam.

SpamAssassin also has a threshold: a message whose score exceeds it is considered spam. The threshold is set so that a message must meet several criteria; matching just one test is not enough to exceed it.
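The scoring scheme of the three paragraphs above, together with the header checks and content checks described earlier on the page, as an added example written for this page rather than SpamAssassin's own code: each rule is a name, a score and a predicate over a parsed message; the threshold is reached only when several rules fire. The rule names, scores and sample messages are constructed for illustration and are not SpamAssassin's real rule set.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

THRESHOLD = 5.0  # no single rule below reaches it; a message must trip several tests


def _body(msg):
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def _bad_date(msg):
    """Date header present but not parseable as an RFC 5322 date."""
    date = msg.get("Date")
    if date is None:
        return False
    try:
        parsedate_to_datetime(date)
    except (TypeError, ValueError):
        return True
    return False


def _subject_all_caps(msg):
    letters = [c for c in msg.get("Subject", "") if c.isalpha()]
    return len(letters) >= 5 and all(c.isupper() for c in letters)


# (name, score, predicate). Positive scores point towards spam, negative towards ham.
RULES = [
    ("MISSING_DATE", 1.5, lambda m: m.get("Date") is None),              # RFC 5322 requires Date
    ("MISSING_MESSAGE_ID", 1.5, lambda m: m.get("Message-ID") is None),  # RFC 5322: SHOULD be present
    ("INVALID_DATE", 1.0, _bad_date),
    ("SUBJECT_ALL_CAPS", 1.0, _subject_all_caps),
    ("URGENT_SUBJECT", 1.0, lambda m: re.search(
        r"\b(urgent|act now|limited)\b", m.get("Subject", ""), re.I) is not None),
    ("BODY_PHARMACY", 2.0, lambda m: re.search(
        r"\b(cheap|discount)\s+(pills|meds)\b", _body(m), re.I) is not None),
    # Noise-tolerant pattern: matches the brand name with or without inserted symbols (vi_a_gra).
    ("OBFUSCATED_BRAND", 1.5, lambda m: re.search(
        r"v[\W_]*i[\W_]*a[\W_]*g[\W_]*r[\W_]*a", _body(m), re.I) is not None),
    ("IN_REPLY_TO", -2.0, lambda m: m.get("In-Reply-To") is not None),   # replies to our mail are usually ham
]


def score_message(raw):
    """Return (total score, names of the rules that fired) for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    total, hits = 0.0, []
    for name, score, test in RULES:
        if test(msg):
            total += score
            hits.append(name)
    return total, hits


def is_spam(raw):
    return score_message(raw)[0] >= THRESHOLD


# Constructed sample messages (addresses use reserved example domains).
SPAM_RAW = """\
From: "Best Pharmacy" <promo@mailer.example>
To: user@company.example
Subject: CHEAP PILLS ACT NOW

Buy vi_a_gra and other cheap pills at discount prices today.
"""

HAM_RAW = """\
From: Alice <alice@example.com>
To: bob@example.com
Date: Tue, 05 Mar 2024 10:15:00 +0000
Message-ID: <20240305101500.1234@example.com>
In-Reply-To: <20240304170000.9876@example.com>
Subject: Re: pharmacy invoice

Bob, the pills for the clinic were cheap this quarter; invoice attached.
"""

BORDERLINE_RAW = """\
From: Carol <carol@example.net>
To: vet@example.org
Date: Wed, 06 Mar 2024 09:00:00 +0000
Message-ID: <20240306090000.42@example.net>
Subject: Question about an order

Where can I find cheap pills for my dog? The usual supplier is out of stock.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_RAW), ("ham", HAM_RAW), ("borderline", BORDERLINE_RAW)):
        print(label, score_message(raw), "->", "SPAM" if is_spam(raw) else "ok")
```

The borderline message trips the pharmacy rule alone and scores 2.0, well under the threshold, which is the behaviour the last paragraph asks for; the spam sample accumulates 8.5 from missing headers, an all-caps subject and two body rules.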

To protect web sites from spam, the following technologies are used:

1. Image captcha. The user is shown a distorted text which he must type in to perform an action.

2. Text captcha. The user is required to answer a question to confirm his action.

3. Interactive captcha. Not widespread yet, but a very promising kind of protection. For example, to confirm the action the user is asked to solve an easy puzzle, such as assembling a picture from three or four pieces.

Today, according to statistics, more than 80 percent of malicious programs penetrate the local network through e-mail. The mail server itself can serve as a tool for attackers: by gaining access to its resources, an attacker gets hold of the archives of e-mail messages and the lists of e-mail addresses, which reveal a wealth of information about the life of the company, the projects it works on and its staff. Finally, lists of e-mail addresses and contacts can be sold to spammers or used to discredit the company by launching attacks on those addresses or sending forged messages.

Spam is, at first glance, a lesser threat than viruses. But:

  • a large flow of spam distracts employees from their tasks and leads to increased unproductive costs. According to some data, after reading one message an employee needs up to 15 minutes to get back into a working rhythm. If more than a hundred unwanted messages arrive per day, the need to review them completely disrupts the work plans;
  • spam lets malicious programs into the organization, disguised as archives or exploiting vulnerabilities in mail clients;
  • the large flow of messages passing through the mail server not only reduces its performance, but also consumes a considerable part of the Internet channel, increasing the cost of paying for this traffic.

Spam may also carry various kinds of attacks, such as social engineering or phishing, where messages arrive disguised as coming from legitimate persons or organizations and ask the recipient to do something, for example to enter the password for his bank card.

Given all of the above, the e-mail service must be protected without fail and first of all.

Description of the solution

The proposed solution ensures protection of the company's mail system:

  • protection from computer viruses and other malicious software arriving through e-mail;
  • protection against spam, both coming into the company via e-mail and distributed within the local network.

The following additional modules of the protection system can be installed:

  • protection against network attacks on the mail server;
  • anti-virus protection of the mail server itself.

Components of the solution

The mail service protection system can be implemented in several ways. The choice of the appropriate option depends on:

  • the information security policy adopted by the company;
  • the operating systems, management tools and security systems used in the company;
  • budget limits.

The right choice allows you not only to build a reliable protection scheme but also to save a considerable amount of money.

Composition of the "Economic" and "Standard" options

The "Economic" option is based on the Linux operating system and maximum use of free products. Composition of the option:

  • virus and spam protection subsystem based on products from Kaspersky Lab, Dr.Web or Symantec. If the company has a demilitarized zone, it is recommended to place the mail traffic control system in it. Note that products designed for operation in the demilitarized zone have greater functionality and greater capabilities for detecting spam and attacks than the standard ones, which strengthens the protection of the perimeter;
  • firewall subsystem based on iptables and the management tools standard for the Linux operating system;
  • attack detection subsystem based on Snort.

Analysis of the mail server for possible vulnerabilities can be performed with Nessus.

The solution in the "Standard" option includes the following subsystems:

  • subsystem for protecting the mail server services and the mail gateway from malicious programs, based on solutions from Kaspersky Lab, Dr.Web, Eset, Symantec or Trend Micro;
  • firewall and attack detection subsystem based on Kerio Firewall and Microsoft ISA.

Analysis of the mail server's vulnerabilities can be performed with XSpider.

Please note that our options do not include modules for protecting instant messaging and webmail.
Both the "Economic" and the "Standard" option can be implemented on the basis of FSB- and FSTEC-certified software products, which allows them to be delivered to government institutions and companies with high security requirements.

Advantages of the proposed solution

  • the solution ensures reliable protection against the penetration of malicious programs and spam;
  • the optimal selection of products allows us to implement a protection scheme that meets the needs of a specific client.

It is important to note that a full-fledged security system can only function if the company has an information security policy and a number of other documents. Because of this, the Azone IT company offers not only the supply of software products but also the development of regulatory documents and auditing.

For more detailed information about the services offered, contact our company's representatives.

Introduction to the problem

We all know what spam is, because we have either encountered it or read about it. We all know how spammers collect addresses for their mailing databases. It is no secret that spam is hard to fight. The problem is how to protect the users who leave their contact details on your site from address harvesting, with minimal effort.

Previously tried methods of protection

The greatest threat to e-mail addresses comes from programs that download web sites and extract e-mail addresses from the text of the pages. They either download your site specifically or crawl the whole web like search engines. If your site is small, the following auto-replacement code is quite sufficient:

] + href=) ([ ""]?) mailto: (+) () @ ".
"() (+. (2,4)) 2 ([>]) ~ i", "1" mailto: [Email protected]"
onMouseover = "this.href = " mai "+" lto: 3 "+" 4 "+"% 40 "+" 5 "+" 6 ";" 7", $text);?>

Unfortunately, this will not help if you have a large site. Take, say, spectator.ru, whose author was one of the first to use this method. If I were a spammer, I would go into my personal settings, tick "do not show comments", set 1000 records per page, and capture the cookies with Proxomitron. Then, using a download tool or a PHP script, I would download the pages with comments (substituting the settings cookie) and, with the help of a regular expression, extract the addresses, obtaining a tidy database for advertising mailings.

There were a couple of other protection methods in which the mailto link was automatically replaced with something else, while the effect was preserved: when it was clicked, the mail client created a message to the required address. They did not withstand criticism either.

The way out: an iron fist

Obviously, it is hard to come up with any other method of protection besides the one that has already been tried: putting a form on the site for sending messages. Let's look at its design. The advantages of the method are obvious: nobody will be able to get addresses for a spam database from your site. Nor will a spammer be able to send messages to your address anonymously through the form: the web server records his IP address. Lists of public anonymous proxy servers are regularly updated, and blocking access from them is easy.

Form mailer

We will start with it, since it is the most costly part.

When installing a form mailer on a site, it is important to protect yourself from hooligan attacks, which can be just as harmful as spam. Then we will be able to respond to such attempts directly.

First of all, let's protect ourselves from crude attempts to send a mass of requests. The idea is this: a message will not be sent unless the page with the form was opened beforehand, and after opening the form page a message can be sent only once. PHP sessions help here. When the form page is opened, we start a session and store in it, say, a variable $flag. The session identifier is placed as a hidden input element at the very end of the form. The user enters the data and submits the form. On processing the form, the script resumes the session and checks the presence and value of the $flag variable. If the variable is missing, this is a repeated submission: the message is not sent and an error message is displayed. If the variable is present and the form data is valid (the required fields are filled in), the script sends the message and destroys the session.

Secondly, we protect ourselves from smarter hooligans by keeping logs. As soon as the user has submitted the form correctly, the script looks into the logs and checks what is there. It is necessary to prevent:

* sending messages to the same address too often
* sending the same text to different addresses
* and simply too frequent use of the form mailer, say, no more than 10 messages per sender

The session ID is placed at the very end of the form so that an attacker has to fetch the whole form and parse it, which is harder than simply sending HTTP requests. Naturally, the form mailer can also report errors in the entered message, indicate the return address, etc.
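The two layers described above (a one-time token handed out when the form page is rendered, then log-based limits applied to correctly submitted forms), as an added example written for this page rather than the author's PHP archive. The page's session ID and $flag are modelled by a random token stored server-side and consumed on first use; the 10-messages-per-sender figure is the page's, while the token lifetime, the one-hour window and the 60-second gap between messages to the same address are assumed values. All addresses and IPs are constructed.

```python
import hashlib
import secrets


class FormMailer:
    """Server-side state for a contact form: one-time tokens plus a submission log."""

    def __init__(self, token_ttl=1800, max_per_sender=10, window=3600, recipient_gap=60):
        # token_ttl, window and recipient_gap are assumed values; the page only gives
        # the "no more than 10 messages per sender" limit.
        self.token_ttl = token_ttl
        self.max_per_sender = max_per_sender
        self.window = window
        self.recipient_gap = recipient_gap
        self.tokens = {}   # token -> time the form page was served (the page's session + $flag)
        self.log = []      # (time, sender_ip, recipient_id, text_digest) for accepted sends

    def open_form(self, now):
        """Called when the form page is rendered; returns the hidden-field value."""
        token = secrets.token_hex(16)
        self.tokens[token] = now
        return token

    def submit(self, token, sender_ip, recipient_id, text, now):
        # 1. The form must have been opened, and each opening may send at most once:
        #    pop() removes the token, so replaying the same POST is refused.
        issued = self.tokens.pop(token, None)
        if issued is None or now - issued > self.token_ttl:
            return "rejected: form not opened, expired or already used"

        digest = hashlib.sha256(text.strip().lower().encode()).hexdigest()
        recent = [e for e in self.log if now - e[0] <= self.window]

        # 2. The same text going to a different address.
        if any(e[3] == digest and e[2] != recipient_id for e in recent):
            return "rejected: same text already sent to another address"
        # 3. The same address written to too often.
        if any(e[2] == recipient_id and now - e[0] < self.recipient_gap for e in recent):
            return "rejected: this address was written to too recently"
        # 4. Too many messages from one sender within the window.
        if sum(1 for e in recent if e[1] == sender_ip) >= self.max_per_sender:
            return "rejected: too many messages from this sender"

        self.log.append((now, sender_ip, recipient_id, digest))
        return "sent"


if __name__ == "__main__":
    mailer = FormMailer()
    t = 1_700_000_000
    token = mailer.open_form(t)
    print(mailer.submit(token, "203.0.113.5", "r1", "hello there", t + 5))   # sent
    print(mailer.submit(token, "203.0.113.5", "r1", "hello there", t + 6))   # replay refused
```

The log keeps only a digest of the message text, which is enough to spot the same text fanned out to several recipients without storing the visitors' messages themselves.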

The form mailer code turned out too large to include in the text; it is in the archive on the site. The script is started first, and it then sends the messages.

Replacing addresses in the text

Now the form mailer is ready, and all e-mail addresses need to be replaced with links to it. Of course, doing this by hand is out of the question. For my site I wrote a script that automatically replaces the addresses with links to the form mailer.

... Drawbacks: it takes more time to set up the link (compensated by the catalogue of addresses); the user, hovering the cursor over the link, cannot see which address he will be writing to. (Dmitro Smirnov, "The ideal author's project: hypertextuality")

It is easy to avoid all these drawbacks if you use code similar to the one I will now describe and show.

There is nothing complicated here, since once the script is written it no longer takes "more time to set up". On my site I use a script engine that generates all the pages, so there is no problem adding the address-replacing code to it. Mail addresses are written as they are, directly in the text of the pages, and are replaced with the required text before the page is displayed. Compiling a database of mail addresses causes no problems either.

So how does the address-replacing script work? It looks for "mailto:" in the page text, extracts the addresses, and sends a query to the database to count (count(*)) how many of the addresses found on the page are already in a special table. If new addresses have appeared on the page, their number will be greater than the query result. In that case a query is run which selects the found addresses and excludes those already in the table from the list. The remaining list is added to the table with an INSERT query.

If an address ID is used, then, in my opinion, it is better to use one that cannot be guessed. Suppose the form mailer receives a link /email.php?id=10. The obvious move is to put 11, 12, etc. there and try to send messages to them. Therefore, as the identifier, I chose to use an md5 hash of the address. It is unlikely that anyone will manage to guess a hash. In the address catalogue one could use the ID, but then all values would have to be selected from the database; replacing the address with its hash is much simpler.

A command of the following form is executed:

] + href=) "." ([ ""]?) mailto :( [Email protected]+ ".". (2,4)) 2 (. *?>) ~ ie "," "12" /email.php?email= ". urlencode (md5 (" 3 "))." "4" " , $text);?>

... which replaces the addresses with their hashes. Other addresses found in the text, which I did not want to replace with links, I simply replaced with addresses like vasya_at_pupkin_dot_ru. The auto-replacement code is in the archive.
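The replacement pass described above, as an added example written for this page (the author's PHP snippets did not survive extraction, and this Python is not that code): a regex of the same shape rewrites mailto: links into form-mailer links keyed by a hash of the address, the address is recorded in a table stand-in so the mailer can resolve the hash back, and addresses left in plain text become vasya_at_pupkin_dot_ru. With no secret the token is the md5 the page uses; passing a site secret (an assumption, not on the page) switches to HMAC-SHA256 so that nobody can recompute the token for an address they merely guess. The HTML sample, the AddressStore class and the secret are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import quote

# Same shape as the page's regex: <a ... href=  quote?  mailto:address  quote  rest-of-tag>
MAILTO_RE = re.compile(r"""(<a\b[^>]*?href=)(["']?)mailto:([^"'\s>]+)\2([^>]*>)""", re.I)
PLAIN_ADDR_RE = re.compile(r"\b([\w.+-]+)@([\w-]+(?:\.[\w-]+)+)\b")


class AddressStore:
    """Stands in for the page's database table mapping token -> address."""

    def __init__(self):
        self.by_token = {}

    def register(self, address, token):
        self.by_token.setdefault(token, address)

    def lookup(self, token):
        return self.by_token.get(token)


def address_token(address, secret=None):
    """Unguessable identifier for an address.

    secret=None reproduces the page's choice (md5 of the address). With a site secret
    (assumed here, not on the page) the token is HMAC-SHA256, so guessing an address
    is not enough to compute its token and probe the form mailer with it.
    """
    data = address.strip().lower().encode()
    if secret is None:
        return hashlib.md5(data).hexdigest()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def replace_mailto_links(html, store, secret=None, mailer_path="/email.php"):
    """Rewrite mailto: links into form-mailer links and record the addresses."""
    def repl(m):
        address = m.group(3).strip().lower()
        token = address_token(address, secret)
        store.register(address, token)          # the page's INSERT of new addresses
        return f"{m.group(1)}{m.group(2)}{mailer_path}?email={quote(token)}{m.group(2)}{m.group(4)}"
    return MAILTO_RE.sub(repl, html)


def obscure_plain_addresses(text):
    """Addresses outside links become vasya_at_pupkin_dot_ru, as the page does."""
    return PLAIN_ADDR_RE.sub(lambda m: m.group(1) + "_at_" + m.group(2).replace(".", "_dot_"), text)


def process_page(html, store, secret=None):
    """Links first, then whatever plain-text addresses remain."""
    return obscure_plain_addresses(replace_mailto_links(html, store, secret))


# Constructed page fragment.
SAMPLE_HTML = (
    '<p>Write to <a href="mailto:vasya@pupkin.ru">Vasya</a> or '
    "<a href='mailto:Admin@Example.com'>the admin</a>; "
    "the old address vasya@pupkin.ru is also published in plain text.</p>"
)

if __name__ == "__main__":
    store = AddressStore()
    print(process_page(SAMPLE_HTML, store))
    print(store.by_token)
```

On the mailer side, /email.php?email=TOKEN is answered by store.lookup(TOKEN); a token that is not in the table is simply refused, which is what makes a non-sequential identifier worth having.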

Summary

Hiding mail addresses from harvesters is easy. The auto-replacement mechanism requires no extra effort, and you can write site pages as if nothing had happened. Things are worse with protecting the form mailer from web hooligans. This protection requires a lot of effort and complex code, so I have not yet used it on my site. You can download the archive with the address replacer and the form mailer, but I ask you: do not put it on your site as you downloaded it, I do not know how reliable it is.

What methods are there to combat spam?

There are two main approaches to protecting a mail server from spam: rejecting spam at the stage when the mail server receives it, and separating spam from the rest of the mail after the mail server has accepted it.

Among the first group, the most popular methods are DNS Black Lists (DNSBL), greylisting and other deliberate delays in accepting mail, and various technical checks such as verifying that the sending server exists (callback), checking the "correctness" of the sending server by the presence of a reverse DNS record and by the validity of the name given when the SMTP session is established (HELO), and checking SPF records (for which the DNS zone of the sending domain contains a record listing the servers legitimately allowed to send its mail).

Among the content analysis methods, the most popular are checks based on various algorithms, such as searching for particular advertising keywords or applying Bayes' theorem. An algorithm based on Bayes' theorem uses elements of probability theory: it is first trained on messages known to be spam, and then recognizes the characteristic features of spam on its own.

So let's take a closer look at the methods of filtering electronic mail.

Black lists or DNSBL (DNS Black Lists)

Blacklists contain addresses from which spam is likely to be sent. Lists of "open relays" and "open proxies" are widely used, as are various lists of dynamic addresses that providers assign to end-user clients. Because of the simplicity of implementation, these blacklists are served through the DNS service.
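The lookup that the DNSBL sections of this page describe, as an added example that is not part of the original page: the client IP's octets are reversed under the list's zone and an A record in 127.0.0.0/8 means "listed". The example also adds the health check a receiving server should make before trusting a list, taken from RFC 5782 (127.0.0.2 must be listed, 127.0.0.1 must not be), which catches a dead or wildcarded zone before it starts rejecting everybody's mail, the false-positive risk the page warns about. The zone name dnsbl.example, its records and the resolver functions are constructed so the code runs offline; system_resolve shows how the same code would ask the real DNS.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets under the list's zone: 192.0.2.44 -> 44.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name):
    """Resolver backed by the OS: A records for name, [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_lookup(ip, zone, resolve=system_resolve):
    """Return the 127.0.0.x answer codes listing ip, or [] when it is not listed."""
    answers = resolve(dnsbl_query_name(ip, zone))
    # By convention listings answer inside 127.0.0.0/8; anything else is not a listing.
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in answers if ipaddress.ip_address(a) in loopback]


def zone_is_healthy(zone, resolve=system_resolve):
    """RFC 5782 sanity check: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return bool(dnsbl_lookup("127.0.0.2", zone, resolve)) and not dnsbl_lookup("127.0.0.1", zone, resolve)


def should_reject(ip, zone, resolve=system_resolve):
    """Reject only when the zone passes its sanity check and actually lists the client."""
    return zone_is_healthy(zone, resolve) and bool(dnsbl_lookup(ip, zone, resolve))


# Constructed offline stand-in for a DNSBL zone (the zone name is a placeholder).
FAKE_ZONE = "dnsbl.example"
FAKE_RECORDS = {
    "2.0.0.127." + FAKE_ZONE: ["127.0.0.2"],     # RFC 5782 test entry
    "44.2.0.192." + FAKE_ZONE: ["127.0.0.2"],    # 192.0.2.44 listed as a spam source
    "7.100.51.198." + FAKE_ZONE: ["127.0.0.4"],  # 198.51.100.7 listed with another reason code
}


def fake_resolve(name):
    return FAKE_RECORDS.get(name, [])


def wildcard_resolve(name):
    """Simulates a broken list that answers for every name, including 127.0.0.1."""
    return ["127.0.0.2"]


if __name__ == "__main__":
    for ip in ("192.0.2.44", "198.51.100.7", "203.0.113.9"):
        print(ip, dnsbl_query_name(ip, FAKE_ZONE), "reject" if should_reject(ip, FAKE_ZONE, fake_resolve) else "accept")
    print("wildcard zone healthy:", zone_is_healthy(FAKE_ZONE, wildcard_resolve))
```

In a real deployment the zone would be a public list such as the ones the page's vendors use, the resolver would be system_resolve (or a caching library), and the health check would run periodically rather than on every connection.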

Gray lists or Greylisting

The principle of gray lists (greylisting) is based on the spammers' sending tactics. As a rule, spam is sent within a very short time to a large number of servers. A gray list works by deliberately refusing to accept a message for some time. When this happens, the address and the time of the delivery attempt are entered into the gray list database. If the remote computer is a functioning mail server, it must keep the message in its queue and repeat the delivery within five days. Spam bots, as a rule, do not queue messages, so they try to resend only for a short while after the refusal. It has been established experimentally that a spam sending run lasts a little over an hour on average. When a message is sent again from the same address and the required time has passed since the first attempt, the message is accepted and the address is added to the local white list for a sufficiently long term.
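The greylisting mechanism described here and in the two earlier greylisting passages on this page, as an added example that is not part of the original page: the first delivery attempt for a (client IP, sender, recipient) triplet is answered with a temporary failure (SMTP 451), a retry that comes back too soon keeps being deferred, a retry after the delay is accepted and whitelists the host, and a triplet not retried within five days is forgotten. The five-day window is the page's figure; the 5-minute delay and the 36-day whitelist lifetime are assumed values, and the addresses and IPs are constructed.

```python
class Greylist:
    """Triplet greylist: (client IP, sender, recipient) must retry after a delay."""

    def __init__(self, delay=300, retry_window=5 * 24 * 3600, whitelist_ttl=36 * 24 * 3600):
        # delay and whitelist_ttl are assumed values; the five-day retry window is the
        # figure the text gives for how long a real MTA keeps retrying.
        self.delay = delay
        self.retry_window = retry_window
        self.whitelist_ttl = whitelist_ttl
        self.pending = {}    # triplet -> time of the first delivery attempt
        self.whitelist = {}  # client IP -> expiry time

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply code for this recipient: 250 accept or 451 try again later."""
        expiry = self.whitelist.get(client_ip)
        if expiry is not None:
            if now < expiry:
                return 250
            del self.whitelist[client_ip]
        key = (client_ip, sender.lower(), recipient.lower())
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            # First attempt (or a stale entry): record it and ask the client to retry.
            self.pending[key] = now
            return 451
        if now - first_seen < self.delay:
            # Retried too soon, as bots that hammer the server do: keep deferring.
            return 451
        # A real MTA came back after the delay: accept and whitelist the host.
        del self.pending[key]
        self.whitelist[client_ip] = now + self.whitelist_ttl
        return 250


def simulate():
    """A queueing MTA versus a bot that retries immediately and then gives up."""
    g = Greylist()
    t = 1_700_000_000
    mta = [g.check("203.0.113.10", "alice@example.org", "bob@example.com", t + dt) for dt in (0, 60, 600)]
    bot = [g.check("198.51.100.7", "promo@mailer.example", "bob@example.com", t + dt) for dt in (0, 1, 2)]
    return {"mta": mta, "bot": bot}


if __name__ == "__main__":
    print(simulate())  # the MTA is accepted on its third try; the bot never is
```

The 451 reply is what makes this safe for legitimate mail: any RFC-compliant sender treats it as "queue and retry", and once a host has passed the check its later messages are accepted without delay, so only the first message from a new correspondent is slowed down.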

Effectiveness analysis

The first two methods eliminate nearly 90% of spam at the stage of delivery to the mailbox. Already delivered mail can be analyzed with content analysis methods, for example with the SpamAssassin program. Based on special algorithms, this product adds extra lines to the message headers, and the user, using the filters of the mail client, can sort the mail into the required folders of the mail program.

Conclusion

Of course, there are other, more effective ways to stop spam, but at the moment the most effective are preventive approaches: do not leave your real e-mail address on web sites, forums and bulletin boards, or use temporary addresses for such purposes and delete them later as needed; if a mailbox address has to be published on a site, use a graphic image instead of text, and similar techniques.

You can enable and configure greylisting through the ISPmanager panel in the "Features" section.

More information about setting up anti-spam methods through the control panel can be found in the DNSBL and Greylisting sections.