SPAM prevention using DNS - PowerPoint PPT Presentation

1
SPAM prevention using DNS
  • Implementing reverse domain name services (rDNS)
    and planning for Sender ID
  • Presented by Edward Horley
  • For TVNUG July 2004

2
Overview
  • SPAM prevention is the primary reason that rDNS
    and Sender ID will become de jure within
    approximately 1-2 years
  • Current methods for SPAM prevention are de facto
    solutions
  • Possible future solutions for SPAM prevention are
    DomainKeys and Puzzle Solution

3
Solutions Overview
  • Current de facto solutions
  • Blacklists (IP and DNS based)
  • rDNS (it is currently optional)
  • Anti-spam filtering (Bayesian and others)
  • Anti-spam services (Brightmail, etc)
  • Hardware appliance filters / services
  • Custom built scripts and applications

4
Solutions Used Today
  • Blacklists
  • SpamCop
  • MAPS
  • ORDB
  • SPAMhaus
  • Spews
  • SURBL
  • Mail-abuse
  • DSBL
  • DNSBL
  • DNSRBL
  • Client filters
  • Audiotrieve InBoxer
  • Cloudmark SpamNet
  • Lyris MailShield
  • McAfee SpamKiller
  • Aladdin SpamCatcher
  • Sunbelt IHateSpam
  • SpamBayes (open source)
  • Spam Bully
  • MailFrontier Matador
  • Cloudmark Spamnet

5
Solutions Used Today
  • Server filters
  • Exchange IMF
  • XWall
  • Vircom modusGate
  • Sophos PureMessage
  • Proofpoint Protection
  • SurfControl
  • Symantec
  • Trend Micro
  • GFI MailEssentials
  • Sybari Antigen
  • Network Associates
  • SpamAssassin (open source)
  • Declude JunkMail
  • Hardware Appliances
  • BorderWare MXtreme
  • IronPort C60
  • Barracuda 300
  • Tumbleweed
  • Subscription Services
  • Brightmail
  • Postini
  • Greenview Data
  • Katharion

6
The Proposed Solutions
  • Short term solutions
  • Internet Engineering Task Force (IETF) draft RFCs
  • Sender Policy Framework (SPF Classic)
  • Sender ID (new version of SPF)
  • DomainKeys
  • Long term solutions
  • Internet Research Task Force (IRTF)
  • New version of SMTP?

7
What to do now?
  • SMTP mail gateway filters
  • Consider a commercial service
  • Software e-mail client filters
  • Blacklists
  • rDNS
  • SPF Classic -> Sender ID

8
Why you should do rDNS now
  • Easy to implement
  • It is used as one of several de facto methods to
    determine the likelihood of a server being a SPAM
    relay
  • Most Internet Service Providers are using this to
    determine legitimate mail servers
  • Reduces probability of being added to a Blacklist

9
What to plan for soon
  • SPF Classic + E-mail Caller ID = Sender ID
  • SPF Classic used to be called Sender Permitted
    From and was changed to Sender Policy
    Framework
  • Now a Meng Wong and Microsoft submitted draft RFC;
    it merged both solutions and is now called
    Sender ID
  • http://www.ietf.org/internet-drafts/draft-mengwong-spf-01.txt
  • Designates specific SMTP servers as being
    authorized to send for a FQDN
  • Each sub-domain must be configured specifically
  • Will become de jure within approximately 1-2
    years; most popular filters are flagging this
    already
  • Most MTAs support SPF Classic or have plug-ins
    available
  • Backward compatible with existing technology

10
What is coming in a few years
  • DomainKeys
  • A Yahoo! submitted draft RFC
  • http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt
  • Basically public/private keys for authenticating
    client mail and the servers along the path
  • Acts as a chain of custody from the source client
    machine to the destination client machine
  • Will require a major re-write of all MTAs to
    work; 5 to 10 years, if at all
  • Backward compatible with existing technology

11
What is coming continued
  • Puzzle Solution
  • Microsoft proposal
  • Sending mail server has to perform time consuming
    calculation for each mail sent
  • Assumes spammers cannot afford the computational
    costs to send out large bulk mailings
  • Will require a major re-write of all MTAs to
    work; 5 to 10 years, if at all
  • Backward compatible with existing technology

12
Future potential SPAM problems
  • Disposable Domain Names
  • Country Sanctioned Activity (Government for
    profit activity)
  • Large Zombie Farms controlling clients with legit
    relay access (University or corporate
    environments)

13
How to request rDNS for sub /24 address blocks
  • You will have to contact your ISP to request rDNS
    delegation; do this via e-mail so you have a
    written trail of correspondence
  • You will likely have to talk to several
    departments to figure out who can actually do
    this for you
  • Typically, the DNS group handles the
    sub-delegation but not always
  • You will need to be patient but firm; inform
    them that you need it for Anti-SPAM reasons for
    your mail server

14
Setting up rDNS Delegation
  • Example of 64.94.106.40/29 configuration by the
    provider (RFC 2317 classless in-addr.arpa
    delegation: the ISP keeps the /24 zone and
    points each address at a label it delegates to
    the customer's servers)

    $ORIGIN 106.94.64.in-addr.arpa.
    ; zone delegation of 64.94.106.40/29
    40-47   IN NS    ns1.j2global.com.
    40-47   IN NS    ns2.j2global.com.
    40      IN CNAME 40.40-47.106.94.64.in-addr.arpa.
    41      IN CNAME 41.40-47.106.94.64.in-addr.arpa.
    42      IN CNAME 42.40-47.106.94.64.in-addr.arpa.
    43      IN CNAME 43.40-47.106.94.64.in-addr.arpa.
    44      IN CNAME 44.40-47.106.94.64.in-addr.arpa.
    45      IN CNAME 45.40-47.106.94.64.in-addr.arpa.
    46      IN CNAME 46.40-47.106.94.64.in-addr.arpa.
    47      IN CNAME 47.40-47.106.94.64.in-addr.arpa.

15
Setting up the rDNS Zone
  • Example of 64.94.106.40/29 configuration on the
    hosting rDNS server

    $ORIGIN 40-47.106.94.64.in-addr.arpa.
    ; zone delegation of 64.94.106.40/29
    @       IN NS    ns1.j2global.com.
    @       IN NS    ns2.j2global.com.
    @       IN TXT   "j2 Global Communications, Inc."
    40      IN PTR   64.94.106.40.efax.com.
    41      IN PTR   64.94.106.41.efax.com.
    42      IN PTR   64.94.106.42.efax.com.
    43      IN PTR   64.94.106.43.efax.com.
    44      IN PTR   64.94.106.44.efax.com.
    45      IN PTR   64.94.106.45.efax.com.
    46      IN PTR   64.94.106.46.efax.com.
    47      IN PTR   64.94.106.47.efax.com.
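The two zone fragments on the last two slides are the two halves of one RFC 2317 delegation, and getting either half wrong (a non-aligned block, a nameserver written without its trailing dot so it becomes relative to the origin) silently breaks reverse lookups. The following Python is an added example, not part of the original presentation or of j2 Global's configuration: it generates both halves for any sub-/24 block and refuses malformed input. The `efax.com.` PTR suffix and the `ns1`/`ns2.j2global.com.` nameservers are taken from the slides; everything else is a constructed illustration.

```python
import ipaddress


def _parse(cidr: str) -> ipaddress.IPv4Network:
    """Accept only an aligned sub-/24 IPv4 block; RFC 2317 covers /25 through /32."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError(f"{cidr} is not a sub-/24 IPv4 block")
    return net


def parent_zone(cidr: str) -> str:
    """in-addr.arpa name of the enclosing /24, e.g. 106.94.64.in-addr.arpa."""
    o = str(_parse(cidr).network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def delegation_label(cidr: str) -> str:
    """RFC 2317 'first-last' label for the block, e.g. 40-47 for .40/29."""
    net = _parse(cidr)
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    return f"{first}-{last}"


def _check_fqdn(names) -> None:
    """A nameserver or suffix without a trailing dot would be expanded relative
    to $ORIGIN, which is the classic silent failure in hand-written zones."""
    for name in names:
        if not name.endswith("."):
            raise ValueError(f"{name!r} must be fully qualified (trailing dot)")


def provider_zone_fragment(cidr: str, nameservers: list[str]) -> list[str]:
    """Records the ISP adds to its /24 zone: NS for the child label and one
    CNAME per address pointing into that child zone."""
    _check_fqdn(nameservers)
    net, parent, label = _parse(cidr), parent_zone(cidr), delegation_label(cidr)
    lines = [f"$ORIGIN {parent}", f"; zone delegation of {net}"]
    lines += [f"{label}\tIN NS\t{ns}" for ns in nameservers]
    for addr in net:  # every address in the block, network and broadcast included
        o = int(addr) & 0xFF
        lines.append(f"{o}\tIN CNAME\t{o}.{label}.{parent}")
    return lines


def customer_zone(cidr: str, nameservers: list[str], ptr_suffix: str) -> list[str]:
    """The zone hosted on the customer's servers: NS at the apex and one PTR
    per address. ptr_suffix is appended to the dotted address, as on the slide."""
    _check_fqdn(nameservers + [ptr_suffix])
    net, parent, label = _parse(cidr), parent_zone(cidr), delegation_label(cidr)
    lines = [f"$ORIGIN {label}.{parent}", f"; zone delegation of {net}"]
    lines += [f"@\tIN NS\t{ns}" for ns in nameservers]
    for addr in net:
        lines.append(f"{int(addr) & 0xFF}\tIN PTR\t{addr}.{ptr_suffix}")
    return lines


if __name__ == "__main__":
    ns = ["ns1.j2global.com.", "ns2.j2global.com."]
    print("\n".join(provider_zone_fragment("64.94.106.40/29", ns)))
    print()
    print("\n".join(customer_zone("64.94.106.40/29", ns, "efax.com.")))
```

Run it to reproduce the two slide fragments; change the block to `192.0.2.128/25` to see the general case, and to `64.94.106.41/29` to see the alignment check reject a block that does not start on a /29 boundary.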

16
Checking the rDNS Zone
  • Example of checking the 64.94.106.40/29
    configuration to make sure it works

    ; <<>> DiG 2.1 <<>> @206.13.31.12 40.106.94.64.in-addr.arpa. PTR
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
    ;; flags: qr rd ra; Ques: 1, Ans: 2, Auth: 2, Addit: 0
    ;; QUESTIONS:
    ;;      40.106.94.64.in-addr.arpa, type = PTR, class = IN

    ;; ANSWERS:
    40.106.94.64.in-addr.arpa.        43200  CNAME  40.40-47.106.94.64.in-addr.arpa.
    40.40-47.106.94.64.in-addr.arpa.  86400  PTR    64.94.106.40.efax.com.

    ;; AUTHORITY RECORDS:
    40-47.106.94.64.in-addr.arpa.     86400  NS     ns2.j2global.com.
    40-47.106.94.64.in-addr.arpa.     86400  NS     ns1.j2global.com.

    ;; Total query time: 48 msec
    ;; FROM: us.mirror.menandmice.com to SERVER: 206.13.31.12
    ;; WHEN: Tue Jul 20 01:20:09 2004
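The dig output above shows why the delegation works: the resolver follows the CNAME from the ISP's /24 zone into the customer's `40-47` zone and finds the PTR there. What receiving mail servers actually do with that PTR (the "de facto" rDNS check from the "Why you should do rDNS now" slide) is forward-confirmed reverse DNS: look up the PTR, then look up the A record of the name the PTR returned, and require it to point back at the connecting address. The Python below is an added example, not from the presentation: it implements that check over a constructed stub resolver table instead of live DNS. The `.40` CNAME and PTR entries mirror the dig output; the forward A record for `64.94.106.40.efax.com.` and the `.41` and `.42` cases are constructed to show the mismatch and no-PTR outcomes.

```python
# Constructed stub resolver table standing in for live DNS.
STUB_DNS = {
    ("40.106.94.64.in-addr.arpa.", "CNAME"): ["40.40-47.106.94.64.in-addr.arpa."],
    ("40.40-47.106.94.64.in-addr.arpa.", "PTR"): ["64.94.106.40.efax.com."],
    ("64.94.106.40.efax.com.", "A"): ["64.94.106.40"],                  # constructed forward record
    ("41.106.94.64.in-addr.arpa.", "CNAME"): ["41.40-47.106.94.64.in-addr.arpa."],
    ("41.40-47.106.94.64.in-addr.arpa.", "PTR"): ["mail.example.net."],  # constructed: PTR exists...
    ("mail.example.net.", "A"): ["203.0.113.7"],                         # ...but forward lookup disagrees
    # 64.94.106.42 deliberately has no CNAME/PTR at all (constructed)
}


def reverse_name(ip: str) -> str:
    """Dotted IPv4 address -> in-addr.arpa query name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def lookup(name: str, rtype: str, table=STUB_DNS, max_chain: int = 8) -> list:
    """Resolve (name, rtype) from the table, following CNAMEs the way a resolver
    would. Returns [] for no data and also for a CNAME loop or over-long chain,
    so a broken delegation degrades to 'no PTR' rather than hanging."""
    for _ in range(max_chain):
        if (name, rtype) in table:
            return table[(name, rtype)]
        targets = table.get((name, "CNAME"))
        if not targets:
            return []
        name = targets[0]
    return []


def fcrdns(ip: str, table=STUB_DNS) -> tuple:
    """Forward-confirmed reverse DNS.
    Returns (status, ptr_name) with status 'pass', 'mismatch' or 'none'."""
    ptrs = lookup(reverse_name(ip), "PTR", table)
    if not ptrs:
        return "none", None
    for ptr in ptrs:
        if ip in lookup(ptr, "A", table):
            return "pass", ptr
    return "mismatch", ptrs[0]


def log_line(ip: str, table=STUB_DNS) -> str:
    """One gateway-style log line per connecting client, the kind a filter
    would score (no PTR at all is the strongest signal of the three)."""
    status, ptr = fcrdns(ip, table)
    return f"rdns-check client={ip} ptr={ptr or '-'} fcrdns={status}"


if __name__ == "__main__":
    for client in ("64.94.106.40", "64.94.106.41", "64.94.106.42"):
        print(log_line(client))
```

The three outcomes map onto how blacklists and gateway filters weigh a connecting host: a passing check says nothing about the mail, a mismatch says the PTR is decorative, and no PTR at all is what gets a relay listed.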

17
Setting up SPF Classic
  • Configuration of example.com SPF
  • Leaving out the SOA info for space reasons

    $ORIGIN example.com.
    ; NS records
    @       IN NS     ns1.example.com.
    @       IN NS     ns2.example.com.
    ; MX records
    @       IN MX 10  mx1.example.com.
    @       IN MX 20  mx2.example.com.
    ; A records
    mx1     IN A      1.1.1.1
    mx2     IN A      2.2.2.2
    ; TXT SPF records
    @       IN TXT    "v=spf1 a mx -all"
    mx1     IN TXT    "v=spf1 a -all"
    mx2     IN TXT    "v=spf1 a -all"

18
Register your SPF domain
  • Once you have configured SPF for your domain you
    should register it at
  • http://spftools.infinitepenguins.net/register.php
  • Then put the logo on your site!

19
Testing SPF Classic
  • Testing of example.com SPF
  • http://www.dnsstuff.com/pages/spf.htm
  • Dummy sample output from dnsstuff

    SPF lookup of sender droid@example.com. from IP 1.1.1.1
    SPF string used: v=spf1 mx -all.
    Processing SPF string: v=spf1 mx -all.
    Testing 'mx' on IP=1.1.1.1, target domain example.com, CIDR=32, default=PASS. MATCH!
    Testing 'all' on IP=1.1.1.1, target domain example.com, CIDR=32, default=FAIL.
    Result: PASS
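To see what the dnsstuff trace above is doing, and to check a record before publishing it, it helps to walk an SPF Classic string by hand: each mechanism is tested left to right against the connecting IP, the qualifier on the first mechanism that matches is the result, and `-all` is what turns "not listed" into FAIL. The Python below is an added example and not the presentation's or dnsstuff's code: a deliberately small evaluator supporting the `a`, `mx`, `ip4` and `all` mechanisms with `+`, `-`, `~` and `?` qualifiers, run against a constructed stub DNS table that mirrors the example.com zone from the "Setting up SPF Classic" slide (no live lookups). The example also serves that slide: the same table holds the `mx1`/`mx2` records, so their narrower `v=spf1 a -all` policies can be checked too.

```python
import ipaddress

# Constructed stub DNS mirroring the example.com zone on the SPF slide.
# Names are stored fully qualified (trailing dot).
STUB_DNS = {
    ("example.com.", "TXT"): ["v=spf1 a mx -all"],
    ("example.com.", "MX"): [(10, "mx1.example.com."), (20, "mx2.example.com.")],
    ("mx1.example.com.", "A"): ["1.1.1.1"],
    ("mx2.example.com.", "A"): ["2.2.2.2"],
    ("mx1.example.com.", "TXT"): ["v=spf1 a -all"],
    ("mx2.example.com.", "TXT"): ["v=spf1 a -all"],
}

QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def _in_block(ip: str, addr: str, cidr: int) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{cidr}", strict=False)


def check_spf(domain: str, ip: str, dns=STUB_DNS, max_lookups: int = 10) -> tuple:
    """Evaluate the SPF record of `domain` for a connection from `ip`.
    Returns (result, trace); trace is a dnsstuff-style list of the steps taken."""
    domain = fqdn(domain)
    records = [t for t in dns.get((domain, "TXT"), []) if t.split()[0].lower() == "v=spf1"]
    if not records:
        return "NONE", [f"No SPF record for {domain}"]
    if len(records) > 1:
        return "PERMERROR", [f"Multiple SPF records for {domain}"]
    trace = [f"Processing SPF string: {records[0]}"]
    lookups = 0
    for term in records[0].split()[1:]:
        qual = "+"                                   # implicit qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        cidr = 32
        if "/" in mech:                              # e.g. "a/24"
            mech, cidr = mech.split("/", 1)
        if "/" in arg:                               # e.g. "ip4:192.0.2.0/24" or "a:host/24"
            arg, cidr = arg.rsplit("/", 1)
        cidr, mech, target = int(cidr), mech.lower(), domain
        if mech in ("a", "mx"):
            lookups += 1                             # each a/mx term costs a DNS query
            if lookups > max_lookups:
                return "PERMERROR", trace + ["Too many DNS lookups"]
            if arg:
                target = fqdn(arg)
            if mech == "a":
                addrs = dns.get((target, "A"), [])
            else:
                addrs = [a for _, mx in sorted(dns.get((target, "MX"), []))
                         for a in dns.get((mx, "A"), [])]
            matched = any(_in_block(ip, a, cidr) for a in addrs)
        elif mech == "ip4":
            matched = _in_block(ip, arg, cidr)
        elif mech == "all":
            matched = True
        else:                                        # include/exists/ptr etc. are out of scope here
            return "PERMERROR", trace + [f"Unsupported mechanism '{mech}'"]
        trace.append(f"Testing '{mech}' on IP={ip}, target domain {target.rstrip('.')}, "
                     f"CIDR={cidr}, default={QUALIFIERS[qual]}." + (" MATCH!" if matched else ""))
        if matched:
            return QUALIFIERS[qual], trace + [f"Result: {QUALIFIERS[qual]}"]
    return "NEUTRAL", trace + ["Result: NEUTRAL (no mechanism matched)"]


if __name__ == "__main__":
    for sender_ip in ("1.1.1.1", "3.3.3.3"):
        result, steps = check_spf("example.com", sender_ip)
        print("\n".join(steps), end="\n\n")
```

Against the slide's zone, `1.1.1.1` and `2.2.2.2` pass via `mx` (the apex has no A record, so `a` contributes nothing), any other address falls through to `-all` and fails, and `mx2.example.com` is not allowed to send as `mx1.example.com` because each host's own record only lists itself. Swap `-all` for `~all` in the stub to see the softer result that is usually used while a policy is still being rolled out.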

20
Impact on the Internet
  • These solutions will help reduce overall
    architecture problems of Authentication,
    Authorization, and Accounting with e-mail (back
    to AAA)
  • 68B e-mails daily, of which approx. 42.8B are spam,
    or 69% spam! [1]
  • Estimated $1,400 annual savings per employee from
    lost productivity currently due to spam [2]
  • [1] The Radicati Group and Brightmail
  • [2] Vircom

21
Questions and Answers
22
Resource Links
  • rDNS
  • http://www.ietf.org/rfc/rfc2317.txt
  • http://www.ietf.org/rfc/rfc2505.txt
  • http://www.arin.net/registration/lame_delegations/index.html
  • http://kbase.menandmice.com/view.html?rec=31
  • http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_dewg.asp
  • http://dedicated.sbcis.net/customer_support/dns_worksheet.html
  • http://dedicated.sbcis.net/customer_support/reverse_delegation.html
  • DNS tools
  • http://www.dnsstuff.com/
  • http://us.mirror.menandmice.com/cgi-bin/DoDig
  • http://network-tools.com/
  • http://www.squish.net/dnscheck/
  • http://www.dns.net/dnsrd/tools.html
  • http://www.dnsreport.com/
  • http://www.samspade.org/t/
  • General references

23
Resource Links
  • Meng Wong's SPF
  • http://spf.pobox.com/howworks.html
  • http://spf.pobox.com/rfcs.html
  • http://www.ietf.org/internet-drafts/draft-mengwong-spf-01.txt
  • Microsoft's E-mail Caller ID
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=9a9e8a28-3e85-4d07-9d0f-6daeabd3b71b&displaylang=en
  • Sender ID, the merged E-mail Caller ID and SPF
  • http://www.microsoft.com/presspass/press/2004/may04/05-25SPFCallerIDPR.asp
  • http://www.microsoft.com/presspass/press/2004/jun04/06-24SIDSpecIETFPR.asp
  • http://www.microsoft.com/mscorp/twc/privacy/spam_senderid.mspx
  • http://spf.pobox.com/wizard.html
  • http://spftools.infinitepenguins.net/register.php
  • http://www.dnsstuff.com/pages/spf.htm
  • Yahoo! DomainKeys
  • http://antispam.yahoo.com/domainkeys
  • http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt

24
Contact Info
  • Ed Horley ed@tvnug.org

25
35 Years Since Man walked on the Moon!