
AsyncOS 5.1 C-Series Configuration

Module 6: Anti-Spam

Module Objectives
At the conclusion of this module you will be able to:
- Identify the IronPort approach for defending against spam
- Explain how the appliance recognizes spam
- Configure and use the SenderBase Reputation Filters
- Configure and use IronPort Anti-Spam for spam defense

Module Map
- The SenderBase Network
- IronPort Anti-Spam
- Configuring and using SenderBase Reputation Filters (SBRF)
- Configuring and using IronPort Anti-Spam (IPAS)

Spam Defense Overview

IronPort uses two methods to defend against spam:
- Reputation Filters (connection based)
- IronPort Anti-Spam (content based)

IronPort SenderBase Network

First, Biggest, Best Email & Web Traffic Monitoring Network
- View into over 25% of email traffic
- 20M+ IP addresses tracked globally
- Data from 100,000+ sources; 8 of the 10 largest ISPs
- Millions of human reporters & spamtraps

SenderBase Network: Data Sources
- IP Blacklists & Whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender
- Complaint Reports: spam, phishing, virus reports
- Domain Blacklists & Safelists: spamvertized URLs, phishing URLs, spyware sites
- Spam Traps: SpamCop, ISPs, customer contributions
- Compromised Host Lists: SORBS, OPM, DSBL
- Message Composition Data: message size, attachment volume, attachment types, URLs, host names
- Web Site Composition Data: downloaded files, linking URLs, threat heuristics
- Global Volume Data: over 100,000 organizations, email traffic, web traffic
- Other Data: Fortune 1000, length of sending history, location, where the domain is hosted, how long it has been registered, how long the site has been up

First to combine email & web data: over 90 email and 20 web parameters tracked.

Preventive Anti-Spam Defense: IronPort Reputation Filters

Incoming mail (good, bad, and grey or unknown email) passes through Reputation Filtering before it reaches the Anti-Spam Engine:
- Known good is delivered
- Suspicious is rate limited & spam filtered
- Known bad is deleted/tagged

Stop 80% of hostile mail at the door.

How SenderBase Works

Data Makes the Difference: 150 parameters, threat prevention in real time.

SenderBase Data (Complaint Reports, Spam Traps, Message Composition Data, Global Volume Data, URL Lists, Compromised Host Lists, Web Crawlers, IP Blacklists & Whitelists, Additional Data)
-> Data Analysis / Security Modeling
-> SenderBase Reputation Scores, -10 to +10

What SenderBase Scores Mean

Scores run from -10 (worst) to +10 (best):
- -10: An IP address controlled by a spam house or a known open proxy generating a massive volume of complaints and hitting many spamtraps. Definitely sending primarily spam.
- Between -10 and -5: Spam houses generating complaints and hitting spam traps. IP listed on one or more open proxy lists. Still guaranteed to be spam.
- -5: An IP on one or more reliable blacklists or belonging to a suspicious new sender with some complaints and spamtrap hits. Still sending mostly spam.
- Between -5 and 0: May be a dynamic IP (e.g., dialup) sending direct to the Internet, an email marketer with poor practices, or a legitimate enterprise with an open server. Possibly spam.
- Between 0 and +5: Some sending history, low or moderate complaints.
- +5: Long sending history, few complaints.
- +10: A known enterprise, or a sender who has undergone third-party certification, with no complaints and a long sending history.

Becoming a SenderBase Participant

Module Map
- The SenderBase Network
- IronPort Anti-Spam
- Configuring and using SenderBase Reputation Filters (SBRF)
- Configuring and using IronPort Anti-Spam (IPAS)

IronPort Anti-Spam - Powerful 2nd Layer Defense

1. SenderBase (IronPort): security modeling produces machine-generated rules (Threat Evidence Clustering).
2. IronPort Threat Operations Center: security analysts produce human-generated rules, 24 x 7, in 32 languages.
   Together they deliver over 100,000 updates daily to the customer site.
3. Context Adaptive Scanning Engine (CASE), at the customer site, scores each message on four questions: Who? How? What? Where?

Machine Generated Rules (Security Modeling)

- Mutating spam outbreaks randomize message content
- Threat Evidence Clustering identifies non-transient elements
- Over 100,000 message attributes are examined

Diagram: for an outbreak sample ("Ergonomic Mouse"), attributes such as the FROM: header, URL, web server owner, mail server location and sender reputation are combined as evidence to produce new rules.

Human Generated Rules

Powered by Threat Operations Analysts:
- Monitor the SenderBase Network & profile new attacks
- 24 x 7 real-time Outbreak Rules
- Rapid closed-loop verification of reports
- Maintain a real-time, globally representative email corpus

Inside the TOC (Jan Mak, Manager, Threat Operations Center):
- Expert team of skilled analysts
- Staffed 24 x 7 x 365
- 32 languages spoken
- Documented & verified processes
- State-of-the-art tools & techniques

Image Spam Example

- HOW? Message leaves a trace of the spamware tool
- WHAT? All text inside an image; random dots appear within the message; nearly identical color scheme in 100,000s of spamtrap messages
- WHERE? WHO? IP address recently started sending email; message originated from a dial-up IP address; sending IP address located in Russia

Verdict: BLOCK

Module Map
- The SenderBase Network
- IronPort Anti-Spam
- Configuring and using SenderBase Reputation Filters (SBRF)
- Configuring and using IronPort Anti-Spam (IPAS)

Getting Started
1. Define Mail Flow Policies (Conservative, Moderate, Aggressive)
2. Define which Sender Groups to use
3. Assign sender group policies
4. Assign Reputation Scores
5. Configure Reputation Scores
6. Configure IronPort Anti-Spam

Recommended Best Practices

- HAT policies determine what happens to each SBRS range
- An overly aggressive policy can lead to false positives

Policy   | Conservative | Moderate  | Aggressive
Blocked  | -10 to -7    | -10 to -4 | -10 to -2
Throttle | -7 to -2     | -4 to -1  | -2 to -.05
Accepted | -2 to 7      | -1 to 6   | 0.4 to 4
Trusted  | 7 to 10      | 6 to 10   | 4 to 10

Using SBRS Scores in the HAT

Sender Group | Phase 1 Policy/Action (New Setup Wizard Defaults) | Phase 2 Policy/Action (Recommended For All Customers)
BLACKLIST    | BLOCKED/Reject [ -10.0 : -3.0 ]                   | BLOCKED/Reject [ -10.0 : -2.0 ]
SUSPECTLIST  | THROTTLED/ratelimit [ -3.0 : -1.0 ]               | THROTTLED/ratelimit [ -2.0 : -1.0 ]
WHITELIST    | -                                                 | TRUSTED/Accept [ 9.0 : 10.0 ]

In the Basic User Guide, IronPort recommends Aggressive settings for blocking and Moderate settings for throttling, similar to the values shown above.
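Added example (not IronPort's code or part of the course): a Python check of a HAT's SBRS ranges using the Phase 2 values above. It assumes sender groups are matched in the order listed (first containing range wins) and that a score matching no range, or a sender with no score at all, lands in UNKNOWNLIST/$ACCEPTED as in the default public listener HAT; it reports overlapping ranges, whose outcome depends on ordering, and the gaps that fall through to the catch-all.

```python
from typing import NamedTuple

class SbrsRange(NamedTuple):
    group: str
    policy: str
    low: float
    high: float

# Phase 2 ranges from the slide. Assumption: sender groups are evaluated in the
# order listed, so the first range containing the score decides the policy.
PHASE2_HAT = [
    SbrsRange("BLACKLIST", "$BLOCKED", -10.0, -2.0),
    SbrsRange("SUSPECTLIST", "$THROTTLED", -2.0, -1.0),
    SbrsRange("WHITELIST", "$TRUSTED", 9.0, 10.0),
]
CATCH_ALL = ("UNKNOWNLIST", "$ACCEPTED")  # the default group from the public listener HAT

def match_sender_group(score, hat=PHASE2_HAT):
    """Return (sender group, policy) for an SBRS score; None means the sender has
    no score at all, which matches no SBRS range and falls through to the catch-all."""
    if score is None:
        return CATCH_ALL
    for r in hat:
        if r.low <= score <= r.high:
            return (r.group, r.policy)
    return CATCH_ALL

def find_overlaps(hat):
    """Pairs of ranges sharing more than a boundary point: scores inside the overlap are
    decided by listing order, which is easy to lose track of when ranges are edited."""
    return [(a.group, b.group)
            for i, a in enumerate(hat) for b in hat[i + 1:]
            if a.low < b.high and b.low < a.high]

def find_gaps(hat, low=-10.0, high=10.0):
    """Score intervals covered by no range; senders there get the catch-all policy.
    For Phase 2 that is -1.0 to 9.0, i.e. most legitimate mail is accepted and scanned."""
    gaps, cursor = [], low
    for r in sorted(hat, key=lambda r: r.low):
        if r.low > cursor:
            gaps.append((cursor, r.low))
        cursor = max(cursor, r.high)
    if cursor < high:
        gaps.append((cursor, high))
    return gaps
```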

Assigning Reputation Score Range per Sender Group

Q: If you want to throttle senders with an SBRS score between -7 and -2, where does that go in the HAT?
A: Add an SBRS range to a Sender Group. We could make a new sender group; instead we'll add to BLACKLIST.

GUI: Mail Policies - HAT Overview

Assigning Reputation Score Range per Sender Group (cont.)
- Select the Suspect sender group
- Click on Edit Settings

Assigning Reputation Score Range per Sender Group (cont.)
- SBRS allows you to watch out for sites without reputation scores
- Remember to click on Commit Changes

Bypassing Spam Filtering in Mail Flow Policies

Performance and false positives are reasons you might want to do that.

Default HAT for a Public Listener
Sender Group | Policy Name | Action | Inbound Throttling | Anti-spam | Anti-virus
WHITELIST    | $TRUSTED    | ACCEPT | NO                 | NO        | YES
BLACKLIST    | $BLOCKED    | REJECT | N/A                | N/A       | N/A
SUSPECTLIST  | $THROTTLED  | ACCEPT | YES                | YES       | YES
UNKNOWNLIST  | $ACCEPTED   | ACCEPT | Moderate           | YES       | YES
ALL          | $ACCEPTED   | ACCEPT | Moderate           | YES       | YES

Default HAT for a Private Listener
Sender Group | Policy Name | Action | Inbound Throttling | Anti-spam | Anti-virus
RELAYLIST    | $RELAYED    | ACCEPT | NO                 | NO        | YES
ALL          | $BLOCKED    | REJECT | N/A                | N/A       | N/A

Module Map
- The SenderBase Network
- IronPort Anti-Spam
- Configuring and using SenderBase Reputation Filters (SBRF)
- Configuring and using IronPort Anti-Spam (IPAS)

Recommended IronPort Anti-Spam Settings

Spam                  | Method 1 Actions (Aggressive)                                  | Method 2 Actions (Conservative)
Positively Identified | Drop                                                           | Deliver with [Positive Spam] added to the subject of messages
Suspected             | Deliver with [Suspected Spam] added to the subject of messages | Deliver with [Suspected Spam] added to the subject of messages

Controlling IPAS Policy in Three Places

1. Match HAT Mail Flow Policy. Skip Anti-Spam in HAT? Yes: continue in the pipeline but flag the message to skip Anti-Spam. No: go on to step 2.
2. Match Scriptable Message Filters. Skip Anti-Spam in filter? Yes: continue in the pipeline but flag the message to skip Anti-Spam. No: go on to step 3.
3. Match Mail Policy. Is Anti-Spam enabled? Yes: apply the Anti-Spam settings in the matched Mail Policy. No: continue to the next step in the pipeline.

Once a message is flagged to skip Anti-Spam, no successive policy will change that.

Configuring IronPort Anti-Spam

IronPort Anti-Spam has very few global settings.

Choosing Mail Policy Spam Settings

Choosing Mail Policy Spam Settings (cont.)

- Override the default policy
- Modify the message if you want to deliver suspected spam and mark it somehow
- You have the same choices for Spam and Suspected Spam
- Redirect, quarantine, or archive the message if you want to avoid normal delivery

Logging of SBRS and IronPort Anti-Spam

Info: New SMTP ICID 27150 interface Data 1 (192.35.195.42) address 200.42.233.54
Info: Start MID 28786 ICID 27150
Info: MID 28786 ICID 27150 From: <c.bower_sh@emb.de>
Info: MID 28786 ICID 27150 RID 0 To: <zendelshabraouy571@scu.com>
Info: MID 28786 Message-ID '<201f01c5995b$d8701fb8$3bbc4b03@bdznpmb>'
Info: MID 28786 Subject "Get Cia'lis soft.tabs - no prior pr.escription needed"
Info: MID 28786 ready 907 bytes from <c.bower_sh@emb.de>
Info: MID 28786 matched all recipients for per-recipient policy SCU.COM Recipients
Info: MID 28786 using engine: CASE spam positive
Info: Message aborted MID 28786 Dropped by CASE
Info: Message finished MID 28786 done
Info: ICID 27150 close
Info: CASE - engine (25372) : [MID 28754] case-daemon: checking message <01LREQ5WU8ZM9IAUF4@Opus1.COM> for (unknown):783
Info: CASE - engine (25372) : [MID 28754] case-daemon: clean message (0.0/5.0) for (unknown):783 in 0.1 seconds, 3590 bytes.
Info: CASE - engine (25372) : [MID 28754] case-daemon: result: . 0 - SUCCESS scantime=0.1,size=3590,user=(unknown),uid=783,required_score=5.0,rhost=local
Info: CASE update - Checking for CASE Update
Info: CASE utility - processed 4351 entries, changed 1364 removed 1410 added 1577
Info: CASE update - Restarting daemons - updated uridb_updates from package 20050803_231014
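Added example (not IronPort's code or part of the course): a Python parser that correlates the mail log above by ICID and MID, so the connecting IP, envelope sender and recipients, CASE verdict and final disposition of one message can be read as a single record. The patterns are written against the entry formats visible on the slide only; the CASE daemon and update lines are left unparsed.

```python
import re

# Log entries copied from the slide (values as printed there), one entry per line.
SAMPLE_LOG = """\
Info: New SMTP ICID 27150 interface Data 1 (192.35.195.42) address 200.42.233.54
Info: Start MID 28786 ICID 27150
Info: MID 28786 ICID 27150 From: <c.bower_sh@emb.de>
Info: MID 28786 ICID 27150 RID 0 To: <zendelshabraouy571@scu.com>
Info: MID 28786 Subject "Get Cia'lis soft.tabs - no prior pr.escription needed"
Info: MID 28786 using engine: CASE spam positive
Info: Message aborted MID 28786 Dropped by CASE
Info: Message finished MID 28786 done
Info: ICID 27150 close
"""

CONN = re.compile(r"New SMTP ICID (\d+) interface (.+?) \((\S+)\) address (\S+)")
START = re.compile(r"Start MID (\d+) ICID (\d+)")
# Per-message fields: group 1 is the MID, group 2 the value stored under that key.
FIELDS = {
    "from":     re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>"),
    "to":       re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]*)>"),
    "subject":  re.compile(r'MID (\d+) Subject "(.*)"'),
    "verdict":  re.compile(r"MID (\d+) using engine: CASE spam (\w+)"),
    "dropped":  re.compile(r"Message aborted MID (\d+) (Dropped by CASE)"),
    "finished": re.compile(r"Message finished MID (\d+) (done)"),
}

def parse_mail_log(text):
    """Return {mid: record}; the remote IP comes from the ICID the MID was started on."""
    conns, msgs = {}, {}
    for line in text.splitlines():
        if m := CONN.search(line):
            conns[m[1]] = {"interface": m[2], "listener_ip": m[3], "remote_ip": m[4]}
        elif m := START.search(line):
            msgs[m[1]] = {"icid": m[2], "to": [], **conns.get(m[2], {})}
        else:
            for key, pat in FIELDS.items():
                if m := pat.search(line):
                    rec = msgs.setdefault(m[1], {"to": []})  # tolerate a missing Start entry
                    if key == "to":
                        rec["to"].append(m[2])  # one RID line per recipient
                    else:
                        rec[key] = m[2]
                    break
    return msgs

def spam_drops(text):
    """MIDs that CASE judged spam positive and that were then dropped."""
    return sorted(mid for mid, r in parse_mail_log(text).items()
                  if r.get("verdict") == "positive" and "dropped" in r)
```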

Using Headers for Tracking and Testing Spam

Name                 | Example                                                              | Use
Tracker header       | X-IronPort-Anti-Spam-Result: AISrAr..                                | Troubleshooting - IronPort Support can decipher this to understand the verdict on a message
Status header        | X-IronPort-Anti-Spam-Filtered: true                                  | Troubleshooting - Confirm the message was scanned by Anti-Spam
Definite spam header | X-advertisement: spam                                                | Testing - Used to trigger a spam positive verdict
Suspect spam header  | X-advertisement: suspect spam                                        | Testing - Used to trigger a suspected spam verdict
Definite spam body   | XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X | Testing - Insert in the body to trigger a spam positive verdict

Module 6 Lab: Implement Anti-Spam using SenderBase and IronPort Anti-Spam

- Use SenderBase Reputation Scores and IronPort Anti-Spam filtering to reduce spam
- Configure your HAT to inform spammers of their reputation score
- Enable the IronPort Anti-Spam filter

Module Summary
You are now able to:
- Identify the IronPort approach for defending against spam
- Explain how the appliance recognizes spam
- Configure and use the SenderBase Reputation Filters
- Configure and use IronPort Anti-Spam for spam defense