
Spam protection: what spam is, how to deal with spammers on the Internet, and what methods of protection exist

According to statistics, more than 80 percent of malware enters local networks through e-mail. The mail server itself is a tempting target for attackers: whoever gains access to its resources obtains the archives of correspondence and the lists of e-mail addresses, which reveal a great deal about the life of the company and the projects and work carried out in it. In the end, even lists of e-mail addresses and contacts can be sold to spammers, or used to discredit the company by attacking those addresses or sending forged e-mails in its name.

At first glance, spam is a much smaller threat than viruses. But:

  • a large flow of spam distracts employees from their tasks and increases non-productive costs. By some reports, after reading one unsolicited message an employee needs up to 15 minutes to get back into a working rhythm; if more than a hundred such messages arrive per day, merely looking through them significantly disrupts the working day;
  • spam helps malicious programs get into the organization, disguised as archives or exploiting vulnerabilities in e-mail clients;
  • a large flow of messages through the mail server not only degrades its performance but also consumes part of the Internet channel and increases the cost of that traffic.

Spam is also the carrier for some social-engineering attacks, in particular phishing, where the user receives messages disguised as coming from entirely legitimate people or organizations, with a request to take some action, for example to enter the password for his bank card.

For all these reasons, the e-mail service is the first thing that must be protected.

Solution Description

The proposed solution for protecting the enterprise mail system provides:

  • protection from computer viruses and other malicious software distributed via e-mail;
  • protection from spam, both entering the company by e-mail and spreading over the local network.

Additional modules of the protection system can be installed:

  • protection against network attacks on the mail server;
  • anti-virus protection of the mail server itself.

Solution components

A protection system for mail services can be implemented in several ways. The choice of option depends on:

  • the information security policy adopted in the company;
  • operating systems, controls, protection systems used in the company;
  • budget constraints.

The right choice allows you not only to build a reliable protection scheme but also to save a significant amount of money.

As examples, we describe the "Economical" and "Standard" options.

The "Economical" option is built on the Linux operating system and makes maximum use of free products. It consists of:

  • an anti-virus and anti-spam subsystem based on products from Kaspersky Lab, Dr.Web or Symantec. If the company has a demilitarized zone, it is recommended to place the mail traffic protection system in it. Note that products designed to run in a DMZ have more functionality and a greater ability to detect spam and attacks than standard ones, which improves network security;
  • a firewall subsystem based on iptables, the standard firewall of the Linux operating system, and its management tools;
  • Snort-based attack detection subsystem.

Security analysis of the mail server can be done with Nessus.

The "Standard" option includes the following subsystems:

  • a subsystem protecting the mail server and mail gateway services from malware, based on solutions from Kaspersky Lab, Dr.Web, Eset, Symantec or Trend Micro;
  • a firewall and attack detection subsystem based on Kerio Firewall or Microsoft ISA.

Security analysis of the mail server can be done with XSpider.

Neither option includes IM or webmail protection modules by default.
Both the "Economical" and the "Standard" options can be built from FSB- and FSTEC-certified software products, which allows them to be delivered to state institutions and to companies with elevated security requirements.

Benefits of the proposed solution

  • the solution provides reliable protection against the penetration of malware and spam;
  • the optimal selection of products allows a protection scheme to be implemented that takes into account the needs of the particular client.

Note that a full-fledged protection system can function only if the company has an information security policy and a number of other documents. Azone IT therefore offers not only the implementation of software products but also the development of regulatory documents and audits.

More detailed information about the services provided can be obtained by contacting our company's specialists.

A modern spam mailing is distributed in hundreds of thousands of copies within a few tens of minutes. Most often, spam is sent through user computers infected with malware, that is, through botnets. What can be set against this onslaught? The IT security industry offers many solutions, and anti-spam vendors have various technologies in their arsenal. But none of the existing technologies is a magic "silver bullet" against spam; there is simply no one-size-fits-all solution. Most modern products combine several technologies, otherwise their effectiveness would be low.

The best known and most common technologies are listed below.

Blacklists

Also known as DNSBL (DNS-based Blackhole Lists), this is one of the oldest anti-spam technologies: mail from the IP addresses on the list is blocked.

  • Pros: a blacklist cuts off mail from a suspicious source completely.
  • Cons: a high rate of false positives, so use with caution.
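How a DNSBL lookup actually works, as an added example that is not part of the original text: the octets of the sending IP are reversed and the list's zone is appended, the name is resolved, and an A record inside 127.0.0.0/8 means "listed". The zone name zen.spamhaus.org is a real list; the second zone and the resolver used in the check below are constructed for the example. The code also handles the failure mode a practitioner cares about: a list that has been shut down and wildcarded (answers outside 127/8), or that signals a query error (Spamhaus uses 127.255.255.x for that), must not be treated as a listing.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus signals query errors (wrong name, public resolver, query limit) in this range.
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")


def system_resolver(name):
    """Resolve a name to an IPv4 string, or None if it does not exist (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip, zone):
    """192.0.2.1 on zen.spamhaus.org becomes 1.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip, zone, resolve=system_resolver):
    """Return the list's answer code (e.g. '127.0.0.2') if ip is listed in zone, else None."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    code = ipaddress.ip_address(answer)
    # A working list answers inside 127.0.0.0/8. Anything else means the list is
    # misconfigured or dead and wildcarded; an error code is not a listing either.
    if code not in LISTED_RANGE or code in ERROR_CODES:
        return None
    return answer


def listings(ip, zones, resolve=system_resolver):
    """Map of zone -> answer code for every zone that lists ip (empty if none does)."""
    hits = {}
    for zone in zones:
        code = dnsbl_lookup(ip, zone, resolve)
        if code is not None:
            hits[zone] = code
    return hits


if __name__ == "__main__":
    # Live query against the real list; requires network access and a non-public resolver.
    print(listings("127.0.0.2", ["zen.spamhaus.org"]))  # 127.0.0.2 is the documented test entry
```

Blocking on the first hit alone reproduces the false-positive problem from the "Cons" line; in practice the answer codes are used as weights, and a listing on a single zone is combined with other signals rather than rejected outright.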

Mass Control (DCC, Razor, Pyzor)

The technology detects, in the mail flow, mass messages that are completely identical or differ only slightly. Huge mail flows are needed to build a working bulk analyzer, so this technology is offered by large vendors that have significant volumes of mail to analyze.

  • Pros: when the technology fires, it is guaranteed to have identified a mass mailing.
  • Cons: first, a "large" mailing may not be spam but completely legitimate mail (for example, Ozon.ru and Subscribe.ru send thousands of almost identical messages, but this is not spam). Second, spammers can "break through" this protection with clever techniques: they use software that generates different content (text, graphics, and so on) in every spam message, and as a result mass control does not fire.

Checking internet message headers

Spammers write special programs to generate spam messages and distribute them instantly. In doing so they make mistakes in the design of the headers, so spam does not always comply with the RFC mail standard that describes the header format. These errors can be used to identify a spam message.

  • Pros: the process of recognizing and filtering spam is transparent, governed by standards and quite reliable.
  • Cons: spammers learn quickly, and there are fewer header errors in spam all the time. Using this technology alone stops no more than a third of all spam.
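The kind of header check the paragraph describes, as an added example that is not from the original text: the two messages are constructed, and the checks are the classic ones (From and Date are required by RFC 5322, Message-ID must be an angle-bracketed addr-spec, a parseable Date, and at least one recipient header, the absence of which is a long-standing heuristic for bulk-generated mail). The function returns the list of anomalies so it can feed a score rather than a verdict, which is what the "no more than a third" caveat calls for.

```python
import re
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# RFC 5322 msg-id: "<" id-left "@" id-right ">" with no whitespace inside.
MESSAGE_ID_RE = re.compile(r"^<[^\s<>@]+@[^\s<>@]+>$")

# Constructed sample messages (not real mail).
GOOD = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Date: Thu, 01 Jan 2009 12:00:00 +0000\r\n"
    b"Message-ID: <123.abc@example.com>\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body\r\n"
)
BAD = (
    b"From: bulk@example.net\r\n"
    b"Subject: cheap pills\r\n"
    b"Message-ID: 1234567890\r\n"     # no angle brackets, no @
    b"Date: yesterday\r\n"            # not an RFC 5322 date-time
    b"\r\n"                           # and no To/Cc at all
    b"body\r\n"
)


def header_anomalies(raw):
    """Return a list of header defects found in a raw RFC 5322 message."""
    msg = BytesParser().parsebytes(raw)  # default (compat32) policy: headers come back as plain strings
    problems = []
    for required in ("From", "Date"):
        if msg[required] is None:
            problems.append(f"missing {required}")
    if msg["Date"] is not None:
        try:
            parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):  # TypeError on older Pythons, ValueError on 3.10+
            problems.append("unparseable Date")
    mid = msg["Message-ID"]
    if mid is None:
        problems.append("missing Message-ID")
    elif not MESSAGE_ID_RE.match(mid.strip()):
        problems.append("malformed Message-ID")
    if msg["To"] is None and msg["Cc"] is None:
        problems.append("no recipient header")  # neither is required, but bulk mailers often omit both
    return problems


def header_score(raw, weight=1.0):
    """Crude spam weight: one point per anomaly; combine with other signals, never reject on it alone."""
    return weight * len(header_anomalies(raw))
```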

Content filtering

Also one of the old, proven technologies. A message is scanned for spam-specific words, text fragments, pictures and other typical spam characteristics. Content filtering began by analysing the subject of a message and those parts of it that contained text (plain text, HTML); spam filters now check all parts, including graphic attachments.

The analysis produces either a text signature or a "spam weight" calculated for the message.

  • Pros: flexibility and the ability to "fine-tune" quickly. Systems based on this technology adapt easily to new types of spam and rarely make mistakes in telling spam from normal mail.
  • Cons: updates are usually required. The filter is configured by specially trained people, sometimes by entire anti-spam laboratories. This support is expensive, which affects the cost of the spam filter. Spammers devise special tricks to bypass this technology: they introduce random noise into spam, which makes it harder to find and evaluate the spam characteristics of a message. For example, they use non-letter characters in words (this is how the word viagra might look with this technique: vi_a_gra or vi@gr@), generate variable colour backgrounds in images, and so on.

Content filtering: bayes

Statistical Bayesian algorithms also analyse content. Bayesian filters do not need constant tuning; all they need is prior training. After that, the filter adjusts to the topics of mail typical for the particular user. Thus, if a user works in education and runs trainings, his messages on this topic will not be recognized as spam; for someone who does not need offers to attend a training, the statistical filter will classify such messages as spam.

  • Pros: individual customization.
  • Cons: works best on an individual mail flow. Setting up Bayes on a corporate server with heterogeneous mail is a tricky and thankless task, and the main thing is that the result will be much worse than for individual mailboxes. If the user is lazy and does not train the filter, the technology will not be effective. Spammers work specifically on bypassing Bayesian filters, and they succeed.
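The per-user behaviour described above, as an added example that is not part of the original text: a minimal naive Bayes filter with Laplace smoothing, trained on two constructed corpora. The same "training course" message is ham for the trainer's filter and spam for the accountant's, and an untrained filter (the lazy user) simply has no opinion. The corpora and the message are invented for the example.

```python
import math
import re
from collections import Counter


def tokenize(text):
    """Lower-case word tokens; real filters also tokenize headers, HTML and URLs."""
    return re.findall(r"[a-z0-9$@_]+", text.lower())


class BayesFilter:
    """Naive Bayes spam filter for one user: word counts per class, Laplace smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, label, text):
        self.counts[label].update(tokenize(text))
        self.messages[label] += 1

    def spam_probability(self, text):
        """P(spam | text). Returns exactly 0.5 for an untrained filter."""
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        total = self.messages["spam"] + self.messages["ham"]
        if total == 0 or vocab == 0:
            return 0.5
        logp = {}
        for label in ("spam", "ham"):
            n_words = sum(self.counts[label].values())
            lp = math.log((self.messages[label] + 1) / (total + 2))  # smoothed class prior
            for tok in tokenize(text):
                # Laplace smoothing: unseen words get count 1 instead of a zero probability.
                lp += math.log((self.counts[label][tok] + 1) / (n_words + vocab))
            logp[label] = lp
        # Normalize in log space to avoid underflow on long messages.
        m = max(logp.values())
        p_spam = math.exp(logp["spam"] - m)
        p_ham = math.exp(logp["ham"] - m)
        return p_spam / (p_spam + p_ham)


# Constructed training data.
SPAM_COMMON = ["buy cheap pills now", "cheap pills win money now", "win money buy now"]
HAM_TRAINER = ["training schedule for the group", "slides for tomorrow's training course", "course feedback from the group"]
HAM_ACCOUNTANT = ["invoice for the quarter attached", "quarterly report attached", "payment for the invoice"]
SPAM_ACCOUNTANT = ["attend our training course", "training course for everyone, cheap", "training course, buy now"]
TRAINING_MAIL = "training course schedule for next week"


def build_filters():
    """Two users, one shared spam corpus, different personal mail: returns (trainer, accountant)."""
    trainer, accountant = BayesFilter(), BayesFilter()
    for f in (trainer, accountant):
        for text in SPAM_COMMON:
            f.train("spam", text)
    for text in HAM_TRAINER:
        trainer.train("ham", text)
    for text in HAM_ACCOUNTANT:
        accountant.train("ham", text)
    for text in SPAM_ACCOUNTANT:
        accountant.train("spam", text)
    return trainer, accountant
```

Merging both users' mail into one corporate filter would blur exactly this distinction, which is the "disparate mail" problem the text points out.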

Greylisting

A temporary refusal to accept the message. The refusal comes with an error code that all mail systems understand, and after a while they re-send the message. Programs that send spam, on the other hand, do not re-send the letter.

  • Pros: yes, this also works.
  • Cons: delay in mail delivery. For many users this is unacceptable.
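The greylisting logic in code, as an added example that is not part of the original text: the server keys on the triplet (sending network, envelope sender, envelope recipient), answers a first attempt with a temporary 451 4.7.1 reply, accepts a retry that arrives after the minimum delay, and then remembers the triplet so later mail from that source is not delayed. The delay, window and whitelist lifetime are assumptions chosen for the example (they are the usual order of magnitude); the sending IP is keyed on its /24 because large providers commonly retry from a different host.

```python
import time

INITIAL_DELAY = 300          # a retry earlier than this is still refused
RETRY_WINDOW = 4 * 3600      # a retry later than this counts as a new first attempt
WHITELIST_TTL = 36 * 86400   # an accepted triplet is remembered this long

TEMP_REJECT = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "2.0.0 OK")


class Greylist:
    def __init__(self):
        self.pending = {}  # triplet -> time of first attempt
        self.passed = {}   # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Key on the /24 so that a retry from a neighbouring host in the same farm matches.
        network = ".".join(client_ip.split(".")[:3])
        return (network, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP (code, text) to answer at RCPT TO time."""
        now = time.time() if now is None else now
        key = self.triplet(client_ip, sender, recipient)

        last = self.passed.get(key)
        if last is not None and now - last < WHITELIST_TTL:
            self.passed[key] = now          # refresh the whitelist entry
            return ACCEPT

        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now         # first attempt: refuse temporarily
            return TEMP_REJECT
        if now - first < INITIAL_DELAY:
            return TEMP_REJECT              # too eager: a real MTA waits minutes
        del self.pending[key]               # legitimate retry: accept and whitelist
        self.passed[key] = now
        return ACCEPT

    def never_retried(self, now, older_than=RETRY_WINDOW):
        """Triplets refused more than older_than seconds ago that never came back: typical bot traffic."""
        return [k for k, t in self.pending.items() if now - t > older_than]
```

The "delay in delivery" cost is visible in the test below: even a well-behaved sender is held for at least INITIAL_DELAY plus however long its own retry schedule takes.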

€55-250 million annually. 60% of world mail traffic; 50-75% of all Russian mail traffic. Modern anti-spam tools filter 85-98% of spam. The global market for anti-spam filters and services in 2004 was approximately $500 million (IDC estimate).
Most anti-virus vendors have included anti-spam components in their products. During the year there were several purchases of anti-spam software vendors by anti-virus companies (notably Symantec's $340 million purchase of BrightMail). In Russia, anti-spam filters have been installed by most holders of public mail services and most providers, which removed the urgency of the spam problem for their clients. The undoubted leader in Russia in sales and in the number of protected mailboxes is the Spamtest technology.
1. PREVENTION. The number one anti-spam tool is to protect your e-mail address: if no spammer knows your address, there is no spam. Expose your address on the network and it is only a matter of time before you have to throw it away and start a new one, and then tell all your friends and partners the new address again, losing some contacts along the way. To prevent this, get two e-mail addresses. One address is for long-term contacts (do not expose it on the network).
The other address is for making contacts on the network (chats, message boards, and so on).
Then there should be no spam at the first address, because it is not known on the network.
When spam starts arriving at the second address, just throw it away and start a new one.
2. CHOOSING A NAME. People tend to want the most concise address. Let's say sergey@mail.ru is cool, and what a pity that all the simple addresses are already taken. Rest assured that spam pours into sergey@mail.ru without stopping. A laconic name is nice for a site, but you still have to tell your e-mail address to everyone personally, so let it be made of digits or of an original, not hackneyed, word. Incidentally, for this reason the leading mail service gmail.com registers names of at least 6 characters. All short names have long been on spam lists.
3. HTML SPECIAL CHARACTERS. The simplest and most commonly used method of protection against spiders is to encode the e-mail address with HTML character entities, for example &#64; instead of @. But today this method is hopelessly outdated.
Robots find such addresses easily.
4. JAVASCRIPT. On the Anti-Spam Code Generator page you can generate your own script. Since these address-hiding scripts are hand-crafted, they are very varied, and there are no programs able to extract an e-mail address from JavaScript. Today this is the most reliable protection for addresses on the network. (A harvester that drives a real browser engine does execute the script and sees the assembled address, so the protection holds only against crawlers that read the raw HTML.)
5. ANTI-SPAM TOOLS. But what if you are already exposed, or so well known that you cannot avoid being noticed? Then you cannot do without an anti-spam tool. There are many anti-spam programs you can download online.
Which I do not advise you to do.
I came to the conclusion that all these anti-spam programs are small and weak, and a sensible anti-spam tool cannot be handled by one person; only a reputable company such as Gmail.com can do that. Their spam stays on the server, where you can always go in and correct it. So my strong advice: get yourself a mailbox on Google.
I have not seen a better spam filter; all spam stays on the server, where you can always review and correct it if you wish. Anti-spam tools do not completely solve the problem, but they make life with it easier.
6. POCKET PC AND WAP. Spam has reached this level too, but today there are fairly reliable means of protection, so this issue needs no further development here.

Introduction to the problem

We all know what spam is, because we have either encountered it or read about it. We all know how spammers collect e-mail addresses. It is also no secret that spam cannot be defeated completely. The problem is how to protect, with minimal effort, the users who leave their contact details on your site.

Previously tested methods of protection

The biggest threat to mailboxes comes from programs that download sites and pull e-mail addresses out of the page text. They either download only your site or roam the whole web like search engines. If your site is small, this automatic text replacement is quite enough protection:

    <?php
    // Replaces every mailto: link with a dummy address and reassembles the real
    // one in JavaScript on mouse-over, so a robot that only reads the HTML never
    // sees it. (The regular expression is reconstructed from a garbled listing.)
    $text = preg_replace(
        '~(<a[^>]+href=)(["\']?)mailto:([\w-]+)([\w.-]*)@([\w.-]+)(\.[a-z]{2,4})\2([^>]*>)~i',
        '\1"mailto:[email protected]" onMouseover="this.href=\'mai\'+\'lto:\3\'+\'\4\'+\'%40\'+\'\5\'+\'\6\';"\7',
        $text);
    ?>

Unfortunately, it will not work if you have a large site, say spectator.ru, whose author was one of the first to use this method. If I were a spammer, I would go into the personal settings, tick the "do not show ears" checkbox and 1000 comments per page, and capture the cookies with Proxomitron. Then, with a downloader or a PHP script, I would fetch the pages with comments (sending the cookies with those settings) and fish the addresses out with a regular expression. I would get a small base for an advertising mailing.

There were a couple of other protection methods in which the mailto: link is replaced automatically with the help of a cookie, but the effect remained the same: when the link was clicked, the system mail client created a message to the desired address. Neither stood up to criticism.

Meet the iron grip

Obviously, it is hard to think of any method of protection other than the one already tried: providing a form on the site for sending a message. Let's start designing it. The advantages are obvious: no one will be able to harvest addresses from your site for a spam database, and it will not be possible to send messages while hiding one's own address, as spammers do, because the web server records the sender's IP address. Public lists of anonymous proxy servers are updated regularly, and it is easy to block access from them.

Form sender

Let's start with it, because it is the hardest part.

When installing a form sender on a website it is important to protect it from hooligans, who can be no easier to deal with than spam. So we will have to make a considerable effort in this direction.

First, we protect ourselves against accidental double clicks and against sending many identical requests. The idea is this: the message will not be sent unless the user opened the page with the form beforehand, and having opened the form page, he can send the message only once. This can be done with PHP's built-in sessions. When the form page is opened, we start a session in which we save a variable, say $flag. We print the session identifier as a hidden element at the very end of the form. The user enters a message and submits the form. On receiving the form, the script starts the session and checks for the existence and value of the $flag variable. If the variable does not exist, this is a repeat click: the letter is not sent and an error message is shown. If the variable exists and the form data suits us (the required fields are filled in), the script sends the letter and deletes the session.

Second, we protect ourselves against smarter hooligans by keeping a log of messages. When the user submits a correctly filled-in form, the script looks in the log to see what is there. So, we need to forbid:

* sending messages to the same address more often than a certain interval
* sending the same text to different addresses
* simply using the form sender too often, say no more than 10 messages per day per user

We print the session ID at the very end of the form so that an attacker has to download the whole form and parse it, which is harder than just sending HTTP requests. Naturally, the sender reports errors in writing a message, asks for a return address, and so on.
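The two layers of protection just described (a one-shot token that exists only if the form page was opened, plus log-based limits), as an added example that is not the author's archived PHP: it is written in Python, with an in-memory store and an injectable clock so the rules can be exercised offline. The interval, daily limit and message texts are assumptions for the example; the rules themselves are the three from the list above, checked before the token is consumed so that a rejected submission does not burn the user's form.

```python
import hashlib
import secrets
import time

MIN_INTERVAL = 3600   # same recipient no more than once per hour (assumption)
DAILY_LIMIT = 10      # per user per day, as in the text
DAY = 86400


class FormSender:
    def __init__(self):
        self.tokens = {}  # token -> session id; created only when the form page is rendered
        self.log = []     # (timestamp, user, recipient, sha256(text))

    def render_form(self, session_id):
        """Called when the form page is served; the token goes into a hidden field at the end of the form."""
        token = secrets.token_hex(16)
        self.tokens[token] = session_id
        return token

    def submit(self, session_id, token, user, recipient, text, now=None):
        """Return 'sent' or a 'rejected: ...' reason. Sending itself is left out (no mail here)."""
        now = time.time() if now is None else now
        # 1. No token, or a token issued to another session, or one already used: repeat click / bare POST.
        if self.tokens.get(token) != session_id:
            return "rejected: the form was not opened, or this form was already submitted"
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        # 2. Log-based rules from the list above.
        for ts, _u, rcpt, h in self.log:
            if rcpt == recipient and now - ts < MIN_INTERVAL:
                return "rejected: this address was written to too recently"
            if h == digest and rcpt != recipient:
                return "rejected: the same text was already sent to another address"
        sent_today = sum(1 for ts, u, _r, _h in self.log if u == user and now - ts < DAY)
        if sent_today >= DAILY_LIMIT:
            return "rejected: daily limit reached"
        # 3. Consume the token only on success, then record the message.
        del self.tokens[token]
        self.log.append((now, user, recipient, digest))
        return "sent"
```

Keying the daily limit on the authenticated user (or, for anonymous visitors, on the client IP) is what makes the third rule meaningful; a token alone only stops replays, not a patient attacker who opens the form before every request.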

The resulting sender code was too large to include in the text. It is archived on the site. The script seems to work and send messages.

Replacing addresses in text

Now the sender is ready, and all e-mail addresses need to be replaced with links to it. Of course, this should not be done by hand. For my site I wrote a script that replaces addresses with links to the sender automatically.

... Cons: more time for placing links (compensated by a catalogue of links); the user, hovering the cursor over the link, does not see which address it leads to. (Dmitry Smirnov, "The ideal author's project: hypertextuality")

All the disadvantages mentioned are easily eliminated with code similar to what I will now describe and show.

There is nothing complicated here. If these are links, no "more time for placement" is needed. On my site I use an engine script that is called by all pages, so it is no problem to add to it, or call from it, code that replaces addresses. Mail addresses are written directly in the page text, as before, but before being shown to the user they are replaced with the desired text. Compiling a database of links or mail addresses is not a problem either.

So what does the address substitute do? It looks for "mailto:" links in the text, extracts the addresses from them and sends a query to the database to count (count(*)) how many of the addresses on the page are already in a special table. If there are new addresses on the page, their number will exceed the query result. In that case a second query selects the address values, those already in the table are excluded from the list, and the remainder is sent to the table with an INSERT query.

As for address IDs, in my opinion it is better to use something a site visitor could not guess. Imagine that the link /email.php?id=10 leads to the sender: what a temptation to put 11, 12 and so on there and try to send them all a message. So I decided to use the md5 hash of the address as the identifier; hardly anyone will undertake to guess a hash. In the case of a catalogue of links one can get by with an ID, but then all values have to be selected from the database, whereas replacing addresses with their hashes is much simpler.

A command of the form

    <?php
    // Replace each mailto: link with a link to the form sender, identified by the
    // md5 hash of the address. preg_replace_callback stands in for the /e modifier
    // of the original, which PHP 7 removed. (Regex reconstructed from a garbled listing.)
    $text = preg_replace_callback(
        '~(<a[^>]+href=)(["\']?)mailto:([\w.-]+@[\w.-]+\.[a-z]{2,4})\2(.*?>)~i',
        function ($m) {
            return $m[1] . $m[2] . '/email.php?email=' . urlencode(md5($m[3])) . $m[2] . $m[4];
        },
        $text);
    ?>

... replaces addresses with their hashes. The remaining addresses in the text I did not dare to replace with links, but simply rewrote them in the form vasya_at_pupkin_dot_ru. The autocorrect code is also in the archive.
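The substitute as a whole, as an added example that is not the author's archived code: it implements the count-then-insert synchronization of the paragraph above together with the md5 identifiers, and adds the lookup the form sender needs to turn an identifier back into an address. It is written in Python with an in-memory SQLite table standing in for the site's database; the page fragment and table name are constructed for the example.

```python
import hashlib
import re
import sqlite3

# href="mailto:addr" or href='mailto:addr' or bare href=mailto:addr; \2 re-matches the opening quote.
MAILTO_RE = re.compile(
    r"""(<a[^>]+href=)(["']?)mailto:([\w.+-]+@[\w.-]+\.[a-z]{2,})\2([^>]*>)""", re.IGNORECASE
)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emails (hash TEXT PRIMARY KEY, address TEXT NOT NULL UNIQUE)")
    return conn


def address_id(address):
    """Identifier used in the link: md5 of the normalized address, as the text proposes."""
    return hashlib.md5(address.lower().encode("utf-8")).hexdigest()


def register_addresses(conn, html):
    """Sync the addresses found on a page into the table; return how many were new."""
    found = sorted({m.group(3).lower() for m in MAILTO_RE.finditer(html)})
    if not found:
        return 0
    marks = ",".join("?" * len(found))
    (known,) = conn.execute(f"SELECT count(*) FROM emails WHERE address IN ({marks})", found).fetchone()
    if known == len(found):
        return 0  # the cheap path: everything on the page is already registered
    existing = {row[0] for row in conn.execute(f"SELECT address FROM emails WHERE address IN ({marks})", found)}
    new = [a for a in found if a not in existing]
    conn.executemany("INSERT INTO emails (hash, address) VALUES (?, ?)", [(address_id(a), a) for a in new])
    conn.commit()
    return len(new)


def substitute(conn, html):
    """Register the page's addresses, then rewrite every mailto: link to point at the sender."""
    register_addresses(conn, html)

    def repl(m):
        return f"{m.group(1)}{m.group(2)}/email.php?email={address_id(m.group(3))}{m.group(2)}{m.group(4)}"

    return MAILTO_RE.sub(repl, html)


def resolve_id(conn, ident):
    """What the form sender does with the email= parameter: hash -> address, or None if unknown."""
    row = conn.execute("SELECT address FROM emails WHERE hash = ?", (ident,)).fetchone()
    return row[0] if row else None
```

One caveat on the identifier choice: md5 of the address is not guessable by counting up, which is the property the text wants, but it is deterministic, so anyone who already knows an address can compute its identifier and use the sender. If that matters, derive the identifier with an HMAC over the address using a server-side secret (hmac.new(secret, address, "sha256")) so the mapping cannot be recomputed off-site.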

Outcome

It is quite easy to hide e-mail addresses from visitors. The autocorrect mechanism requires no additional effort, and you can go on writing pages of the site as if nothing had happened. The difficulties arise in protecting the form sender from web hooligans. This protection requires a lot of effort and complex code, so I have not yet started using the code I wrote on the site. You can download the archive with the address substitute and the form sender, but I beg you: do not put it on your site in the form in which you downloaded it; I myself do not know how reliably it works.