WIXLIB

Anti-spam filtering techniquesStéphane BortzmeyerAFNIC (“.fr” registry)bortzmeyer@nic.frITU, 19 january 20061Anti-spam filtering techniques

Background on this workThis work started in the french Working Group on spam fighting,created by the government. The group includes actors from manysides. I manage the technical subgroup.2Anti-spam filtering techniques

Background on this workThis work started in the french Working Group on spam fighting,created by the government. The group includes actors from manysides. I manage the technical subgroup.This work was then sent to the OECD Task Force on spam(www.oecd-antispam.org) and later refined. It will be part ofthe OECD Anti-Spam Toolkit.“The OECD Anti-Spam Tookit is a first step in a broader initiativeto help policy makers, regulators and industry players orient theirpolicies relating to spam solutions and restore trust in the Internetand e-mail.”2Anti-spam filtering techniques

Background on this workThis work started in the french Working Group on spam fighting,created by the government. The group includes actors from manysides. I manage the technical subgroup.This work was then sent to the OECD Task Force on spam(www.oecd-antispam.org) and later refined. It will be part ofthe OECD Anti-Spam Toolkit.The final french report should be out this month. This talk ismostly a summary of the technical part of the report.2Anti-spam filtering techniques

The work and its resultsWe focused on incoming spam. Outgoing spam is a differentproblem (to be addressed later).3Anti-spam filtering techniques

The work and its resultsWe focused on incoming spam. Outgoing spam is a differentproblem (to be addressed later).The emphasis is on practical advices. We care for the poor systemadministrator, overwhelmed by work and who is asked to fightspam too.3Anti-spam filtering techniques

The work and its resultsWe focused on incoming spam. Outgoing spam is a differentproblem (to be addressed later).The emphasis is on practical advices. We care for the poor systemadministrator, overwhelmed by work and who is asked to fightspam too.There are many anti-spam solutions. We keep only the good ones.3Anti-spam filtering techniques

The work and its resultsWe focused on incoming spam. Outgoing spam is a differentproblem (to be addressed later).The emphasis is on practical advices. We care for the poor systemadministrator, overwhelmed by work and who is asked to fightspam too.There are many anti-spam solutions. We keep only the good ones.We fully recognize that spam requires a multi-thing approach:technical, legal and social solutions are necessary and discussed inthe full report. We just focus in this talk on the technical part.3Anti-spam filtering techniques

Background on securitySpam is just a branch of the vast domain of network security. Itraises exactly the same issues as other security problems: tradeoffsbetween efficiency and cost, collateral damages, mix of technicaland social issues, etc.4Anti-spam filtering techniques

Background on securitySpam is just a branch of the vast domain of network security. Itraises exactly the same issues as other security problems: tradeoffsbetween efficiency and cost, collateral damages, mix of technicaland social issues, etc.Security is a process, not a productDo not think you will be safe because you bought Anti-SpamPlatinum Gold 3.04Anti-spam filtering techniques

Background on securitySpam is just a branch of the vast domain of network security. Itraises exactly the same issues as other security problems: tradeoffsbetween efficiency and cost, collateral damages, mix of technicaland social issues, etc.Security is a process, not a productDo not think you will be safe because you bought Anti-SpamPlatinum Gold 3.0Security is a tradeoffYes, we could suppress all the spam. Just shut off the computers.4Anti-spam filtering techniques

Background on securitySpam is just a branch of the vast domain of network security. Itraises exactly the same issues as other security problems: tradeoffsbetween efficiency and cost, collateral damages, mix of technicaland social issues, etc.Security is a process, not a productDo not think you will be safe because you bought Anti-SpamPlatinum Gold 3.0Security is a tradeoffYes, we could suppress all the spam. Just shut off the computers.In the real world, the question is not “How to suppress spam?” but“How to limit spam without killing email?”4Anti-spam filtering techniques

The perfect solution5Anti-spam filtering techniques

The perfect solution1. No false negative: catches all the spam5Anti-spam filtering techniques

The perfect solution1. No false negative2. No false positive: catches only the spam5Anti-spam filtering techniques

The perfect solution1. No false negative2. No false positive3. Low cost: small price, runs on small computers, blocks thespam before transmission, saving bandwidth5Anti-spam filtering techniques

The perfect solution1. No false negative2. No false positive3. Low cost4. No change: installs on the current systems, require no changein habits5Anti-spam filtering techniques

The perfect solution1. No false negative2. No false positive3. Low cost4. No change5. Based on open standards: no vendor lock-in, ability tounderstand what it does, preferably free (as in free speech)software5Anti-spam filtering techniques

The perfect solution1. No false negative2. No false positive3. Low cost4. No change5. Based on open standardsThis solution does not existBut this checklist is a good method to evaluate imperfect solutions.5Anti-spam filtering techniques

State of the artToday, almost no spam gets in the default mailbox, if everything isconfigured with state-of-the-art tools.6Anti-spam filtering techniques

State of the artToday, almost no spam gets in the default mailbox, if everything isconfigured with state-of-the-art tools.Yes, today, the spam never reaches usersBut it has a cost: computers, bandwidth, engineers. And it requiresto use tools choosen by the experts, not snake-oil sold by salesmen.6Anti-spam filtering techniques

State of the artToday, almost no spam gets in the default mailbox, if everything isconfigured with state-of-the-art tools.Yes, today, the spam never reaches usersBut it has a cost: computers, bandwidth, engineers. And it requiresto use tools choosen by the experts, not snake-oil sold by salesmen.Also, we cannot be sure it will stay that way in the future: theresearch must go on.6Anti-spam filtering techniques

Reminder: email architectureMSA (sendmail, postfix)SubmissionSMTPMUA(mutt, Eudora, Thunderbird)MDA(procmail)POP, IMAP7Misc.protocolsSMTPMTA(sendmail, postfix,courier)UseDNS MX recordsto find the next MTAAnti-spam filtering techniques

Good practices8Anti-spam filtering techniques

Good practices1. Greylisting http://www.greylisting.org/8Anti-spam filtering techniques

Good practices1. Greylisting2. Heuristic filters, with scores computed against real spam andham SpamAssassin http://www.spamassassin.org/8Anti-spam filtering techniques

Good practices1. Greylisting2. Heuristic filters, with scores computed against real spam andham SpamAssassin3. Bayesian filters on the user’s desktop like bogofilterhttp://www.bogofilter.org/8Anti-spam filtering techniques

Good practices1. Greylisting2. Heuristic filters, with scores computed against real spam andham SpamAssassin3. Bayesian filters on the user’s desktopThis group of three kills almost all the spam with very little falsepositives. It “just” requires big machines (spam is a big plague inthe countries of the South).8Anti-spam filtering techniques

GreylistingDeliberately returns a temporary error when receiving email froma new machine.The typical spammer software does not retry. A legitimate MTAdoes.Surprisingly effective and very simple to deploy.9Anti-spam filtering techniques

Heuristic filtersStarts from spamicity tests:IAttempts to disguise the word ’viagra’IHTML has very strong ”shouting” markupIClaims you can opt-outI.A score is then computed automatically (humans can be wrongon the spamicity of something) for each test.Tests are applied to the message and a total “spam score” isproduced.The better known one is SpamAssassin, from the ApacheFoundation. Many anti-spam appliances use it.10Anti-spam filtering techniques

Bayesian filtersStarts from nothing: they have no prejudice.Human users trains the filter by giving it spam and ham.The filter learns the vocabulary of each.Then, it can calculate a spam score for the message, using Bayesstatistics.Proper training is importantSo there is a user interface and user training issue.They are the most efficient filters today. But no solution is perfectalone: you need to combine several techniques.11Anti-spam filtering techniques

bogofilter in practiceAnalysis of one message with bogofilter -v :" 99"n8pgood0.000275pbad0.002554fw0.901823pbad “spamicity”. fw probability of being a spam. The string99 is a good spam mark.You can also display the whole database with bogoutil :Viagra 88 0 20041116Viagra was in 88 spams and no ham (a doctor would have differentresults: this is my personal database).13Anti-spam filtering techniques

Less good practicesThere are other methods but either unrealistic, harmful orquestionable. Since we emphasize practical advices, we mentionshortly these techniques in the report.Not specific technique mentioned here, to be reserved fordiscussion.14Anti-spam filtering techniques

The issue of authenticationAuthentication is not an anti-spam technique by itself (spammercan have a passport, too).But it may help:1. Better accountability may deter spammers,2. Whitelisting cannot work without authentication.15Anti-spam filtering techniques

Authentication techniquesA lot of unsolved questions: what to authenticate? (Whichidentity?)Also, there is no common identity service (the Internet has nogovernment).16Anti-spam filtering techniques

Authentication techniquesA lot of unsolved questions: what to authenticate? (Whichidentity?)Also, there is no common identity service (the Internet has nogovernment).1. SPF, Sender Policy Framework: the sender indicates in theDNS which machines can send mail on its behalf. Since it isthe DNS, it authenticates a domain, not an user.16Anti-spam filtering techniques

Authentication techniquesA lot of unsolved questions: what to authenticate? (Whichidentity?)Also, there is no common identity service (the Internet has nogovernment).1. SPF, Sender Policy Framework2. DKIM, Domain Keys Identified Mail, IETF Working Groupsecurity/dkim: the sender cryptographically signs the headers.The key is typically a domain key, not an user key. The keycan be retrieved by various means, including the DNS.16Anti-spam filtering techniques

Authentication techniquesA lot of unsolved questions: what to authenticate? (Whichidentity?)Also, there is no common identity service (the Internet has nogovernment).1. SPF, Sender Policy Framework2. DKIM, Domain Keys Identified Mail, IETF Working Groupsecurity/dkim3. PGP, Pretty Good Privacy: very good system for userauthentication, only deployed in limited communities.16Anti-spam filtering techniques

What to do with spam?Once it is detected by the heuristic filter or the bayesian filter,what do we do with spam?Technical hint: rejection during the SMTP session is an interestingsolution because you never took responsability for the mail. Notalways easy to do and has its own problems.17Anti-spam filtering techniques

What to do with spam?Once it is detected by the heuristic filter or the bayesian filter,what do we do with spam?1. Tell the sender? No, most spams are joe jobs (the address isforged).Technical hint: rejection during the SMTP session is an interestingsolution because you never took responsability for the mail. Notalways easy to do and has its own problems.17Anti-spam filtering techniques