ECE4112 Internetwork Security
Lab XX: Secure Mail Server and Spam Techniques

Group Number:
Group Member Names: 1) 2) 3)
Date Assigned: MM/DD/YYYY
Date Due: MM/DD/YYYY
Last Edited: MM/DD/YYYY
Lab Authored by: Matt Peter & Parnav Sawjiany

Goal

This lab is designed to teach the student how to set up a secure mail server that is resistant to spam, from both a system administrator's and a spammer's perspective.

Summary

This lab focuses on the challenges of e-mail administration. To begin, we walk through an installation of Mail Transport Agent (MTA) software, which allows us to receive email from other systems or users. Additionally, we install a copy of SpamAssassin, heuristic anti-spam software that makes a best-guess effort at determining whether or not a piece of mail is spam and marks it accordingly. Then we install software on our Windows XP machine that allows us to craft spammy email messages.

Lab Scenario

We will use our VMware copies of RedHat 7.2 (hereafter known as "server") and Windows XP (hereafter known as "client"). The server runs our mail software, and the client serves first as a legitimate email user and later as a spammer.
[Figure: mail flow. The Postfix MTA (SMTP to and from other MTAs) hands incoming mail to Procmail, whose filtering rules deliver it into Maildir mailboxes (Inbox and other folders). Courier IMAPD serves those mailboxes to an IMAP-capable email client, which submits its outgoing mail back to Postfix over SMTP.]

Section 01: Introduction

E-mail spam is a subset of spam that involves sending nearly identical messages to thousands (or millions) of recipients. Perpetrators of such spam ("spammers") often harvest addresses of prospective recipients from Usenet postings or from web pages, obtain them from databases, or simply guess them by using common names and domains. By popular definition, spam occurs without the permission of the recipients. As the recipient directly bears the cost of delivery, storage, and processing, one could regard spam as the electronic equivalent of "postage-due" junk mail.

However, the Direct Marketing Association will point to the existence of "legitimate" e-mail marketing. Most commentators classify e-mail-based marketing campaigns where the recipient has "opted in" to receive the marketer's message as "legitimate".

Spammers frequently engage in deliberate fraud to send out their messages. Spammers often use false names, addresses, phone numbers, and other contact information to set up "disposable" accounts at various Internet service providers. They also often use falsified or stolen credit card numbers to pay for these accounts.
This allows them to move quickly from one account to the next as the host ISPs discover and shut down each one. Spammers frequently go to great lengths to conceal the origin of their messages. They do this by spoofing e-mail addresses (much easier than Internet protocol spoofing). The e-mail protocol (SMTP) has no authentication by default, so the spammer can easily make a message appear to originate from any e-mail address. To prevent this, some ISPs and domains require the use of SMTP-AUTH, allowing positive identification of the specific account from which an e-mail originates. Spammers cannot completely spoof e-mail delivery chains (the 'Received' header), since the receiving mailserver records the actual connection from the last mailserver's IP address. To counter this, some spammers forge additional delivery headers to make it appear as if the e-mail had previously traversed many legitimate servers. But even when the fake headers are identified, tracing an e-mail message's route is usually fruitless. Many ISPs have thousands of customers, and identifying spammers is tedious and generally not considered worth the effort.

Spammers frequently seek out and make use of vulnerable third-party systems such as open mail relays and open proxy servers. The SMTP system, used to send e-mail across the Internet, forwards mail from one server to another; mail servers that ISPs run commonly require some form of authentication that the user is a customer of that ISP. Open relays, however, do not properly check who is using the mail server and pass all mail to the destination address, making it quite a bit harder to track down spammers. Increasingly, spammers use networks of virus-infected Windows PCs (zombies) to send their spam. Zombie networks are also known as botnets.

Spoofing can have serious consequences for legitimate e-mail users.
Not only can their inboxes get clogged with "undeliverable" e-mails in addition to volumes of spam, they can mistakenly be identified as spammers. Not only may they receive irate e-mail from spam victims, but (if spam victims report the e-mail address owner to the ISP, for example) their ISP may terminate their service for spamming. 1)

Question 01.01
Why are spammers making the switch to zombie networks? What tactical advantage does a dedicated zombie network have over a more traditional open proxy relay arrangement? Think back to our labs on Honeynets.

Section 02: Information Exposure

An effective anti-spam strategy for any individual or organization will necessarily be a multi-step solution. But as in many other things, careful attention to the first line of defense is often the most effective. Spammers most often obtain valid email addresses by spidering the Internet for web pages that contain them. So, in order to limit the exposure an organization may have, the number of times its email addresses appear on the Internet must be limited. At an individual level it is important to realize that any posting on a public forum or mailing list will be harvested by automated scripts. Some people create throw-away email addresses that are meant only for spam. This allows them to keep their private email address private.

Although an administrator often cannot control everyone's use of company email addresses, he can limit or eliminate email addresses that appear on company websites, mailing lists, and forums. One of the easiest methods many corporate websites use to limit spam is to create "feedback" forms that are submitted through an HTML interface rather than an email client. This keeps the internal address completely private. It also has the added benefit of encouraging feedback from users by making it a bit simpler for them to contact various departments.
There are many methods of creating feedback forms, and any particular implementation depends on a host of factors related to the base installation. In many cases forms are not a viable option, and a direct link to an email address must be provided on a public website. In this case there are several methods for obfuscating the email address to harvesters while displaying a perfectly normal address to end users.

Example 02.01

    <script LANGUAGE="JavaScript">
    <!-- BEGIN Script
    var cry1=String.fromCharCode(109,97,105,108,116,111,58);
    document.write("<a href=\"");
    document.write(cry1);
    document.write("YOURNAME");
    document.write(String.fromCharCode(64));
    document.write("YOURDOMAIN.com");
    document.write("\">");
    document.write("YOURNAME");
    document.write(String.fromCharCode(64));
    document.write("YOURDOMAIN.com");
    document.write("</a>");
    //END -->
    </script>

citation:

Example 02.02

    <script type="text/javascript">
    //<![CDATA[
    var email = "enquiries"
    var domain = "seowebsitepromotion.com"
    document.write("<a href=" + "mail" + "to:" + email + "@" + domain + "?subject=General%20Enquiry" + ">" + email + "@" + domain + "</a>")
    //]]>
    </script>

citation:

Question 02.01
The above JavaScript solutions take in as strings the parts of a valid email address and output a valid email address. In what ways do the two methods differ? Why might using JavaScript be a bad idea in this case?

Section 03: Installation

Getting Set Up

First, we need to get our system up and ready for use by mounting our share, grabbing the lab files, and creating a working directory for ourselves.

    # start up your RH72 image and login as root
    # mount your shared nas drive
    mount /mnt/nas4112
    # copy the file spam-lab.tar.gz from the LabXX directory to /home
    cp /mnt/nas4112/LabXX/spam-lab.tar.gz /home
    # unzip the files (the tarball is in /home, so go there first)
    cd /home
    tar -zxvf spam-lab.tar.gz
    cd /home/spam-lab

This will extract the entire lab into a new directory, /home/spam-lab. The structure is as follows:

    /home/spam-lab/
    |-- backup/       # backup files
    |-- conf/         # configuration files
    |-- corpus/       # sample spam archive
    |-- docs/         # html version of lab
    |-- modules/      # perl modules
    |-- rpms/         # RedHat rpms
    |-- spammer/      # spammer programs
    `-- install.sh    # install script

System Preparation

Because the amount of setup required to get all the software installed and configured borders on the insane, we've created an installer script that will allow you to bypass several hours of installation work. But we have written a complete explanation of each step of the installation process, and you will have to read the following in order to understand and answer the questions. So, with that said, LET'S ROLL!

    ./install.sh    # assuming you're in /home/spam-lab as stated above

First we need to create a temporary directory for our files to be installed in.

    rm -rf /tmp/20030313SPAM/
    mkdir /tmp/20030313SPAM
    cp modules/* /tmp/20030313SPAM
    cp rpms/* /tmp/20030313SPAM
    cd /tmp/20030313SPAM/

Then we install the required RPM modules. A barebones installation of RH7.2 does not have many of the core features that come with an "everything but the kitchen sink" style install, so we include all the rpms we might need, to minimize the chance that we miss a dependency somewhere down the road. In this case it was necessary to upgrade two pieces of the basic system, namely the version of Perl and an installation of gcc. The first line in this block uses the -U switch to signify that this is an upgrade to an existing Perl installation rather than a new one. The --nodeps switch lets us force the installation, because the rest of the rpm files are in a state of circular dependency: the perl-5.6 rpm needs the updated perl-CGI and perl-CPAN rpms, and perl-CGI and perl-CPAN want the updated version of perl-5.6.
    rpm -Uv --nodeps perl-5.6.1-36.1.72.i386.rpm
    rpm -iv zlib-devel-1.1.3-24.i386.rpm
    rpm -iv zlib-1.1.3-24.i386.rpm
    rpm -iv perl-CGI-2.752-36.1.72.i386.rpm
    rpm -iv perl-CPAN-1.59_54-36.1.72.i386.rpm
    rpm -iv perl-DB_File-1.75-36.1.72.i386.rpm
    rpm -iv perl-NDBM_File-1.75-36.1.72.i386.rpm
    rpm -iv perl-suidperl-5.6.1-36.1.72.i386.rpm
    rpm -Uv perl-HTML-Parser-3.26-2.i386.rpm

Next, we install the necessary backend rpms for gcc, the Linux C compiler. Again, we start from the bottom and work our way up the building blocks until we reach the final goal, gcc.

    rpm -iv binutils-2.11.90.0.8-9.i386.rpm
    rpm -iv kernel-headers-2.4.7-10.i386.rpm
    rpm -iv glibc-devel-2.2.4-13.i386.rpm
    rpm -iv cpp-2.96-98.i386.rpm
    rpm -iv gcc-2.96-98.i386.rpm

Finally, we create a new user on the system that will serve as our test bed for scanning mail.

    /usr/sbin/adduser -c "Junk Mail Account" -s /bin/bash junk -u 110
    /usr/bin/passwd junk    # INTERACTIVE

Set the password to whatever you like, but remember it for later.

Mail Software

Mail Installation

Now we have to back up and remove Sendmail, then install Postfix (a drop-in replacement for Sendmail that is easier to use and has a better security reputation), and additionally install Courier-IMAP, an industrial-strength IMAP server that integrates well with Postfix.

    # $CDIR is the lab directory (/home/spam-lab) as used by install.sh
    mkdir $CDIR/backup/sendmail/
    cp /etc/aliases $CDIR/backup/sendmail
    cp /etc/sendmail.cf $CDIR/backup/sendmail
    cp /etc/sendmail.cw $CDIR/backup/sendmail
    cp /etc/mail/* $CDIR/backup/sendmail
    rpm -e sendmail sendmail-doc sendmail-cf --nodeps
    killall sendmail
    rpm -Uvh postfix-2.2.5-3.rh72.i386.rpm
    # install IMAP daemon
    rpm -iv courier-imap-1.4.3-2.rh.7.2.i386.rpm

Mail Setup

In this section we create a new user and ask the installer to give him a password. Then we use the maildirmake utility that comes with Courier-IMAP to create our initial IMAP directory structure. Finally, we take the modified conf files and replace the default ones with them.
    # add a user we can spam
    echo "--------------------"
    echo " Use password: junk "
    echo "--------------------"
    /usr/sbin/adduser -c "Junk Mail Account" -s /bin/bash junk -u 110
    /usr/bin/passwd junk    # INTERACTIVE
    maildirmake /home/junk/Maildir
    maildirmake -f Spam /home/junk/Maildir/
    maildirmake -f Trash /home/junk/Maildir/
    cp -f $CDIR/conf/procmailrc /etc/procmailrc
    cp -f $CDIR/conf/local.cf /etc/mail/spamassassin/local.cf
    cp -f $CDIR/conf/main.cf /etc/postfix/main.cf
    /etc/init.d/postfix restart
    /etc/init.d/spamassassin restart

SpamAssassin

SpamAssassin Installation

SpamAssassin requires a large number of different Perl modules in order to function properly. We have provided the necessary ones in the modules/ directory of spam-lab.tar.gz. Our installation script automates the tedious process of unzipping, making, testing, compiling, and installing. The standard process for installing Perl modules is as follows:

    # Install HTML-Tagset v3.03
    cd /usr/src
    tar zxvf /tmp/20030313SPAM/HTML-Tagset-3.03.tar.gz
    cd HTML-Tagset-3.03/
    perl Makefile.PL
    make
    make test
    make install

    # Install HTML-Parser v3.26
    cd /usr/src
    tar zxvf /tmp/20030313SPAM/HTML-Parser-3.26.tar.gz
    cd HTML-Parser-3.26/
    perl Makefile.PL
    make
    make test
    make install

    # Install Libnet
    cd /usr/src
    tar zxvf /tmp/20030313SPAM/libnet-1.0901.tar.gz
    cd libnet-1.0901
    perl Configure -d
    perl Makefile.PL
    make
    make install

    # Install Digest-SHA1
    cd ..
    tar zxvf /tmp/20030313SPAM/Digest-SHA1-2.01.tar.gz
    cd Digest-SHA1-2.01
    perl Makefile.PL
    make
    make test
    make install

    # Install Digest-MD5 v2.20
    cd /usr/src/
    tar zxvf /tmp/20030313SPAM/Digest-MD5-2.20.tar.gz
    cd Digest-MD5-2.20/
    perl Makefile.PL
    make
    make test
    make install

    # Install Digest-HMAC
    cd ..
    tar zxvf /tmp/20030313SPAM/Digest-HMAC-1.01.tar.gz
    cd Digest-HMAC-1.01
    perl Makefile.PL
    make
    make test
    make install

    # Install Devel-CoreStack
    cd ..
    tar zxvf /tmp/20030313SPAM/Devel-CoreStack-1.3.tar.gz
    cd Devel-CoreStack-1.3
    perl Makefile.PL
    make
    make test
    make install

    # Install Test-Harness
    cd ..
    tar zxvf /tmp/20030313SPAM/Test-Harness-2.26.tar.gz
    cd Test-Harness-2.26
    perl Makefile.PL
    make
    make test
    make install

    # Install Test-Simple
    cd ..
    tar zxvf /tmp/20030313SPAM/Test-Simple-0.45.tar.gz
    cd Test-Simple-0.45
    perl Makefile.PL
    make
    make test
    make install

    # Install Net-DNS
    cd ..
    tar zxvf /tmp/20030313SPAM/Net-DNS-0.31.tar.gz
    cd Net-DNS-0.31
    perl Makefile.PL
    make
    make test
    make install

    # Install Time-HiRes
    cd ..
    tar zxvf /tmp/20030313SPAM/Time-HiRes-01.20.tar.gz
    cd Time-HiRes-01.20
    perl Makefile.PL
    make
    make test
    make install

    # Install Digest-Nilsimsa
    cd ..
    tar zxvf /tmp/20030313SPAM/Digest-Nilsimsa-0.06.tar.gz
    cd Digest-Nilsimsa-0.06
    perl Makefile.PL
    make
    make test
    make install

    # Install MIME-Base64 v2.12
    cd /usr/src/
    tar zxvf /tmp/20030313SPAM/MIME-Base64-2.12.tar.gz
    cd MIME-Base64-2.12/
    perl Makefile.PL
    make
    make test
    make install

    # Install URI v1.22
    cd /usr/src
    tar zxvf /tmp/20030313SPAM/URI-1.22.tar.gz
    cd URI-1.22/
    perl Makefile.PL
    make
    make test
    make install

    # Install MailTools
    cd ..
    tar zxvf /tmp/20030313SPAM/MailTools-1.41.tar.gz
    cd MailTools-1.41
    perl Makefile.PL
    make
    make test
    make install

    # Install Mail-Audit
    cd ..
    tar zxvf /tmp/20030313SPAM/Mail-Audit-1.11.tar.gz
    cd Mail-Audit-1.11
    perl Makefile.PL
    make
    make test
    make install

    # Install File-Spec
    # HOMEPAGE: http://search.cpan.org/author/RBS/File-Spec-0.82/
    cd ..
    tar zxvf /tmp/20030313SPAM/File-Spec-0.82.tar.gz
    cd File-Spec-0.82
    perl Makefile.PL
    make
    make test
    make install

    # Install PodParser
    # HOMEPAGE: http://search.cpan.org/author/MAREKR/PodParser-1.21/
    cd ..
    tar zxvf /tmp/20030313SPAM/PodParser-1.21.tar.gz
    cd PodParser-1.21
    perl Makefile.PL
    make
    make test
    make install

    # Install Mail-SpamAssassin
    cd ..
    tar zxvf /tmp/20030313SPAM/Mail-SpamAssassin-2.44.tar.gz
    cd Mail-SpamAssassin-2.44
    perl Makefile.PL
    make
    make test
    make install

SpamAssassin Setup

    # add spamd user: this creates a new user whose shell is /bin/false,
    # which is non-interactive, to prevent an attacker from gaining system
    # access through this account
    /usr/sbin/adduser -c "SpamAssassin" -s /bin/false spamd -u 103
    # the redhat startup script is copied from the current directory into
    # /etc/rc.d/init.d/, which is the general place we put startup scripts
    cp redhat-rc-script.sh /etc/rc.d/init.d/spamassassin
    chmod +x /etc/rc.d/init.d/spamassassin
    # the startup script is linked so that spamd is started in runlevel 3 (S81)
    # and stopped in runlevel 0, i.e. on halt (K31)
    cd /etc/rc.d/rc3.d; ln -s ../init.d/spamassassin S81spamassassin
    cd /etc/rc.d/rc0.d; ln -s ../init.d/spamassassin K31spamassassin
    # we create a home directory for our spam daemon and set it up properly
    mkdir /home/spamd/.spamassassin
    chown spamd.spamd /home/spamd/.spamassassin
    cd /usr/src/Mail-SpamAssassin-2.44/spamd/
    cp spamd spamc /usr/bin/
    # start the server up
    /etc/rc.d/init.d/spamassassin start
    mkdir /etc/mail/spamassassin

We now have a basic installation of RedHat 7.2 running the Postfix MTA and Courier-IMAP, backed up by ClamAV to protect our system against viruses, and SpamAssassin to deflect spam at the server level.

Procmail Filter

Procmail is a program that Sendmail uses to deliver local mail. Its operation is governed globally by the configuration file /etc/procmailrc and per-user by ~/.procmailrc.

Procmail Installation

Procmail comes preinstalled on RH7.2 systems.

Procmail Setup

By default there is no /etc/procmailrc on a fresh Red Hat Linux 7.2 install. We must create this file and put it there. Our installer script copies the file conf/procmailrc into /etc/procmailrc for you.

    # setup system wide procmail
    cp procmailrc /etc/procmailrc

/etc/procmailrc has the following contents:

    DEFAULT="$HOME/Maildir/"
    SPAMIT="$HOME/Maildir/.Spam/"

    :0 fw
    | /usr/bin/spamc -f

    :0
    * ^X-Spam-Status: Yes
    $SPAMIT

Line one sets up our default mail delivery location. The SPAMIT variable tells Procmail where to deliver spam if we get a hit. Line 3, beginning with colon-zero, marks the start of what is called a "Procmail recipe". A recipe is a condition followed by an action. For more information on Procmail recipes, see man procmailrc.
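To make the routing concrete, here is an added Python model of those two recipes plus Maildir delivery. It is not part of the lab's files: no spamd runs, so the X-Spam-Status header and the 50_scores.cf excerpt it uses are constructed samples in the format SpamAssassin 2.x produces. It also pulls apart the tests= field that Question 04.01 later asks you to look up by hand.

```python
"""Model of the two /etc/procmailrc recipes above (added example, not the lab's own code).
spamd is not run here: a constructed X-Spam-Status header, in the form SpamAssassin 2.x writes
it, stands in for `spamc -f` output; the routing decision and the Maildir tmp/ -> new/
delivery that Courier-IMAP reads are what is simulated."""
import itertools
import os
import re
import socket
import tempfile
import time

# Mirrors DEFAULT="$HOME/Maildir/" and SPAMIT="$HOME/Maildir/.Spam/" in /etc/procmailrc
DEFAULT_FOLDER = "Maildir"
SPAM_FOLDER = os.path.join("Maildir", ".Spam")

# Constructed messages (not real mail); the spam one carries a folded X-Spam-Status header
SAMPLE_SPAM = """From: junk@localhost
To: junk@localhost
Subject: *****SPAM***** BUY NOW
X-Spam-Status: Yes, hits=8.9 required=5.0
\ttests=BAYES_99,HTML_MESSAGE,SUBJ_ALL_CAPS version=2.44

Click here for a great deal.
"""
SAMPLE_HAM = """From: junk@localhost
To: junk@localhost
Subject: lab notes
X-Spam-Status: No, hits=0.3 required=5.0 tests=HTML_MESSAGE version=2.44

See you in ECE4112 on Thursday.
"""
# Constructed excerpt in the 'score NAME value' format of /usr/share/spamassassin/50_scores.cf
SCORES_CF = """score BAYES_99 5.4
score HTML_MESSAGE 0.1
score SUBJ_ALL_CAPS 3.4
"""
_seq = itertools.count()  # keeps Maildir filenames unique within one process

def split_headers(raw):
    """Procmail conditions match the header block only by default (the H flag)."""
    head, _, body = raw.partition("\n\n")
    return head, body

def choose_folder(raw):
    """Second recipe: '* ^X-Spam-Status: Yes' delivers to $SPAMIT, anything else to $DEFAULT."""
    head, _ = split_headers(raw)
    if re.search(r"^X-Spam-Status:\s*Yes", head, re.MULTILINE | re.IGNORECASE):
        return SPAM_FOLDER
    return DEFAULT_FOLDER

def parse_spam_status(raw):
    """Return (is_spam, hits, required, tests) from X-Spam-Status, unfolding continuation lines."""
    head, _ = split_headers(raw)
    m = re.search(r"^X-Spam-Status:(.*(?:\n[ \t].*)*)", head, re.MULTILINE)
    if not m:
        return None
    flat = " ".join(m.group(1).split())
    hits = float(re.search(r"hits=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=([\d.]+)", flat).group(1))
    t = re.search(r"tests=([A-Z0-9_,\s]+?)(?=\s+\w+=|$)", flat)
    tests = [x for x in re.split(r"[,\s]+", t.group(1)) if x] if t else []
    return flat.lower().startswith("yes"), hits, required, tests

def load_scores(cf_text):
    """Parse 'score NAME value' lines as found in the rule files under /usr/share/spamassassin."""
    scores = {}
    for line in cf_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2])
    return scores

def explain_hits(raw, cf_text):
    """Map each name in tests= to its point value (None: rule not present in cf_text)."""
    _, _, _, tests = parse_spam_status(raw)
    return {name: load_scores(cf_text).get(name) for name in tests}

def deliver(raw, root=None):
    """Maildir delivery: write under tmp/, then rename into new/, so readers never see a partial
    file. Returns the delivered path relative to root (a scratch directory when root is None)."""
    root = root or tempfile.mkdtemp(prefix="spamlab-")
    folder = os.path.join(root, choose_folder(raw))
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(folder, sub), exist_ok=True)
    name = "%d.%d_%d.%s" % (int(time.time()), os.getpid(), next(_seq), socket.gethostname())
    tmp_path = os.path.join(folder, "tmp", name)
    with open(tmp_path, "w") as fh:
        fh.write(raw)
    os.rename(tmp_path, os.path.join(folder, "new", name))
    return os.path.relpath(os.path.join(folder, "new", name), root)
```

Summing the looked-up scores for the constructed spam sample reproduces its hits=8.9, which is exactly the bookkeeping the headers let you check against the rule files.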
The 'fw' indicates to Procmail that this recipe is a filter, meaning that it may modify the original email message. Line 4 tells Procmail to filter the message text through SpamAssassin; in other words, the original message is replaced with SpamAssassin's output. If SpamAssassin determines that the message is spam, the subject line is rewritten to include a spam tag. (Other, less visible changes are also made to the message.) 2)

Our script sets this all up for you.

Question 03.01
There are multiple ways to write this recipe. One of the most common things people who use Procmail and SpamAssassin do is limit the size of an email that SpamAssassin checks. Why would this be a good idea? Read the man pages for procmail, or go online, and write down the changes necessary to the above recipe in order for it to disregard large emails.

Overview

We now have a test system that we can send emails to. Any email sent to localhost will be delivered to the test user junk. Now we can use some of our spammer tools to see just how effective we can make SpamAssassin. This is also the final thing the script does for you. From here on out, you will have to follow along with the directions.

Section 04: Windows Client Setup

We would not have even a semi-accurate simulacrum of a client-server mail setup without a genuine Windows user downloading mail over IMAP. So we will now set up our Windows XP image to download mail. To begin, fire up your VMware copy of Windows XP and log in.

Outlook Express Setup

First, we need to configure an IMAP account in the built-in mail reader, Outlook Express. For the quick ones among us:

    name               Group XX
    email address      junk@localhost
    server type        IMAP
    incoming server    IP address of the RH72 server
    outgoing server    IP address of the RH72 server
    username           junk
    password           junk

For the less quick: when you're done with the wizard, your properties views should look like this:

[screenshot: account properties]

and this:

[screenshot: account properties]

When it prompts you to download the new folders, say yes.
The next prompt will be an Inbox with "Trash" and "Spam" subfolders. Subscribe to these two subfolders; when you're done, it should look like this:

[screenshot: Inbox with Spam and Trash subfolders]

Try sending yourself an email:

[screenshot: test messages]

Notice we've sent an email to our valid junk@localhost account and an email to an address that does not exist on our mail server. They both end up in junk@localhost. The system is set up such that *@localhost ends up in junk@localhost. This will allow us to do some interesting tests on the system in the next section.

Now we can verify that SpamAssassin is indeed processing our emails by viewing the source of our message. Highlight one of the messages you just sent, go to File → Properties, and click on the "Details" tab. Here you can see the exact details of how SpamAssassin has treated your email and which rules it processed it with.

Question 04.01
Print out a copy of the contents of your email message, showing the SpamAssassin headers. Everything under tests="..." represents specific flags SpamAssassin found in the message and used to adjust the overall score. Consult the files in /usr/share/spamassassin to determine what each of those flags does and what its current point value is. Here, grep is your friend.

SpamAssassin Bayesian Learning

One of the more effective methods SpamAssassin has for sifting through emails is statistical analysis. In simplest terms, SpamAssassin can examine a quantity of known "spam" and a quantity of known "ham" (not spam) and find signatures. Then, when new mail comes in, it can judge whether a new piece feels more like spam or not. We have provided a large corpus of known spam and ham with which we can teach SpamAssassin. It will immediately start making better judgements on new email from this learning.
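As an added illustration of what that learning consists of, here is a toy word-based filter trained on a constructed ham/spam corpus. It is not SpamAssassin's own Bayes code (which keeps per-token counts in a database and combines them with a chi-square method); it keeps only the core idea of learning token frequencies from known mail and scoring a new message by how its tokens lean.

```python
"""Toy version of the Bayesian learning described above (added example, not SpamAssassin's code).
The corpus below is constructed and stands in for corpus/ham and corpus/spam; learn() is the
per-message equivalent of `sa-learn --ham` / `sa-learn --spam`."""
import math
import re
from collections import Counter

HAM = [
    "lab 5 report due thursday, please review the procmail recipe",
    "meeting about the IMAP server moved to room 204",
    "can you send me the postfix main.cf you used in lab",
]
SPAM = [
    "buy cheap pills now, limited offer, click here",
    "you have won a free prize, click here to claim now",
    "cheap mortgage offer, act now, no credit check",
]
TOKEN = re.compile(r"[a-z0-9.]+")

def tokens(text):
    """Token presence per message (a word repeated within one mail counts once)."""
    return set(TOKEN.findall(text.lower()))

class BayesFilter:
    def __init__(self):
        self.ham_docs = 0
        self.spam_docs = 0
        self.ham_tok = Counter()   # token -> number of ham messages containing it
        self.spam_tok = Counter()  # token -> number of spam messages containing it

    def learn(self, text, spam):
        """Record one known message, as sa-learn does for each file in the corpus."""
        if spam:
            self.spam_docs += 1
            self.spam_tok.update(tokens(text))
        else:
            self.ham_docs += 1
            self.ham_tok.update(tokens(text))

    def token_prob(self, tok):
        """P(spam | token), Laplace-smoothed so a never-seen token is neutral (0.5)."""
        p_spam = (self.spam_tok[tok] + 1) / (self.spam_docs + 2)
        p_ham = (self.ham_tok[tok] + 1) / (self.ham_docs + 2)
        return p_spam / (p_spam + p_ham)

    def score(self, text):
        """Combine token probabilities in log-odds space; returns P(spam) in (0, 1)."""
        logit = 0.0
        for tok in tokens(text):
            p = self.token_prob(tok)
            logit += math.log(p) - math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(-logit))

def train(ham=HAM, spam=SPAM):
    """Build a filter from the two corpora, as the two sa-learn invocations do for the real one."""
    f = BayesFilter()
    for msg in ham:
        f.learn(msg, spam=False)
    for msg in spam:
        f.learn(msg, spam=True)
    return f
```

With only three messages per class the scores are already decisive for text that shares the corpus vocabulary; tokens the filter has never seen contribute nothing either way.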
    sa-learn --showdots -L -C /etc/mail/spamassassin --ham /home/spam-lab/corpus/ham/*
    sa-learn --showdots -L -C /etc/mail/spamassassin --spam /home/spam-lab/corpus/spam/*

This technique is even more useful when users put missed spam into a "LearnAsSpam" folder, at which point sa-learn can run from cron, getting incrementally better at differentiating spam from ham.

Section 06: Offense

Spammers exist because it is actually a lucrative market for those who are dedicated and smart enough. Those interested in getting directly at the source of spammer culture can visit http://www.specialham.com. This is the main public forum where spammers talk openly; most of their communication is done over ICQ and other chat networks. Notwithstanding all the other shady business a spammer might also be in, a full-time spammer can make money in the six-figure range (USD) (see "Interview with a Spammer").

As with many other parts of this class, we learn by doing. Go back to your VMware installation of Windows XP and install ssalone.exe (Send Safe), located in your /home/spam-lab/spammer/ folder. This is a fully featured program that is surprisingly well designed.

Question 06.01
Use SendSafe to craft an email message that your installation of SpamAssassin picks up as spam. It should be automatically routed to your Spam directory. Make sure you show the properties page with the score. If you get stuck, consult the /usr/share/spamassassin directory for concrete examples of what SpamAssassin uses to score. Take a screen shot and turn it in with your lab.

Additional Resources
StealthMail Master
LegalSender
Interview with a Spammer

Section 07: Questions

Question 01.01
Why are spammers making the switch to zombie networks? What tactical advantage does a dedicated zombie network have over a more traditional open proxy relay arrangement? Think back to our labs on Honeynets.
Question 02.01
The above JavaScript solutions take in as strings the parts of a valid email address and output a valid email address. In what ways do the two methods differ? Why might using JavaScript be a bad idea in this case?

Question 03.01
There are multiple ways to write this recipe. One of the most common things people who use Procmail and SpamAssassin do is limit the size of an email that SpamAssassin checks. Why would this be a good idea? Read the man pages for procmail, or go online, and write down the changes necessary to the above recipe in order for it to disregard large emails.

Question 04.01
Print out a copy of the contents of your email message, showing the SpamAssassin headers. Everything under tests="..." represents specific flags SpamAssassin found in the message and used to adjust the overall score. Consult the files in /usr/share/spamassassin to determine what each of those flags does. Here, grep is your friend.

Question 06.01
Use SendSafe to craft an email message that your installation of SpamAssassin picks up as spam. It should be automatically routed to your Spam directory. Make sure you show the properties page with the score. If you get stuck, consult the /usr/share/spamassassin directory for concrete examples of what SpamAssassin uses to score.

General Questions

1. How long did it take you to complete this lab?

2. Was it an appropriate length lab?

3. What corrections and/or improvements do you suggest for this lab? Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true.
Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus, if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the title "Lab Addition", your addition subject title, and must start with a paragraph explaining at a high level what new concept may be learned by adding this to the existing laboratory assignment. After this introductory paragraph, add the details of your lab addition.

Appendix A: SpamAssassin Caveats

One thing we have glossed over in this lab is the many ways in which SpamAssassin uses the power of the community to track and identify spam. Due to the lack of Internet access in our labs, none of this is available to us. But we would still like to provide you with resources and a little information about the more popular community-based solutions.

Host Verification: SpamAssassin makes a variety of checks on the sending host and domain name, such as determining whether or not a DNS MX record exists, to verify whether or not a host is legitimate. This also includes SPF (Sender Policy Framework).

Vipul's Razor: "Vipul's Razor is a distributed, collaborative, spam detection and filtering network. Through user contribution, Razor establishes a distributed and constantly updating catalogue of spam in propagation that is consulted by email clients to filter out known spam.
Detection is done with statistical and randomized signatures that efficiently spot mutating spam content. User input is validated through reputation assignments based on consensus on report and revoke assertions which in turn is used for computing confidence values associated with individual signatures." 3)

Pyzor: A system designed to be an open-source replacement for Razor, which has since become widely adopted. It comes in the default installation of SpamAssassin.

SBL: "The Spamhaus Block List. The SBL is a realtime database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams." 4)

Appendix B: Additional Resources

SpamAssassin Resources
Sender Policy Framework
Spamassassin
Razor
Pyzor

Mail Server Setup
RH71 Mail Server Config
How to set up a mail server on a GNU / Linux system
ACME.com Mail Filtering Introduction
RH7.1 > Postfix > Maildrop > Courier IMAP - How-I-did-it

Other
The Strange Story of Spammers & Blue Frogs
SpecialHam: Where Spammers go to Chat
Anti's: Keeping your Inbox Sorta Clean

References
1) Wikipedia Spam Overview
2) http://sharkysoft.com/tutorials/linuxtips/spam/
3) http://razor.sourceforge.net
4) http://www.spamhaus.org/sbl/index.lasso