How to fight SPAM in an Exchange Server 2003 environment: techniques and methods
11 November 2005 - 10:30
Alessandro Appiani, MCT MCSE (2000, NT 4.0, NT 3.5)

Agenda
- Spam: how to tackle the problem in the enterprise
- Exchange Server 2003 Anti-Spam mail filtering and its areas of action
- Intelligent Message Filter & Outlook integration
- VSAPI and integration with Anti-Virus systems
- To conclude: Exchange Server 2003 Service Pack 2 news, Message Hygiene @ Microsoft, Best Practice

Spam world
- Unwanted messages are the number one problem of the e-mail world
- They are a risk to security, privacy and availability:
  - Phisher scams, ID and information theft
  - Unauthorized relay
  - Virus, Spyware, Trojan
- Spam accounts for more than 60% of e-mail traffic
- Spoofing detected in 95% of phishing attacks
- Hotmail blocks more than 3 billion messages a day
- Spamming costs little, generates high profits and can be done anonymously; spammers and phishers are hard to block at the source

Message Classification
- Critical Legitimate Mail: business and personal mail
- Less Critical Legitimate Mail: subscriptions, listservs
- Legitimate Commercial Mail: mail from a company with a pre-existing business relationship
- Spam: unsolicited promotional messages, phishing, scams
- Destructive: viruses, malware, spyware
- "Easily classified at gateway" is marked on the slide at both ends of this scale (next to Critical Legitimate Mail and next to Destructive)
- * External communication only; all internal communication is assumed to be legitimate

Enterprise Requirements for Anti-Spam
- Avoid false positives
- Block as much as possible at the gateway level
- Transparent to users (they do not notice it)
- Minimise the impact of spam on bandwidth and system resources (clients included)
- Administration: complete solutions, easy to manage
- Optimise the trade-off between corporate control and user choice

How to fight spam: what to analyse
- The structure of a message:
  - Where it comes from (Connection)
  - Who it comes from (Sender)
  - Who it is addressed to (Recipient)
  - What it is about (Content)
- Each part of the message structure is handled directly by an individual Exchange security feature; by analysing the message we can decide what to do with it (accept / reject)

Exchange Filtering: message taxonomy mapped to Exchange features
- Where it comes from: Connection filtering (IP)
  - Global allow and deny lists
  - DNS Block Lists (RBL)
- Who it comes from: Sender filtering
  - Filter messages sent from particular e-mail addresses or domains
  - Internal spoof detection
- Who it is addressed to: Recipient filtering
  - Block messages to non-existent recipients or specific e-mail recipients
  - Restricted DLs
- What it is about: Content filtering
  - SmartScreen Intelligent Message Filter (IMF)

Where it comes from: Connection Filtering
- Global "Allow / Deny" lists: specific IPs or subnets
- "Deny" by design
- Support for subscriptions to external "real-time block list (RBL)" services
  - e.g. mail from 62.190.247.12 triggers a lookup of 12.247.190.62.bad.bl.org
- Support for several RBL providers (3 or 4 is ideal)
- Customisable NDR for each provider
- The filter can be overridden (exception by e-mail address)

Demo: Connection Filtering

Who it comes from: Sender filtering
- Filter messages sent from an e-mail address or SMTP domain
- Filter messages with no sender
- Can optionally drop the connection

Demo: Sender Filtering
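The connection-filtering rules from the slide above, as an added Python model that is not part of the deck and not Exchange code: it builds the reversed-octet RBL query name the slide shows for 62.190.247.12, consults several providers each with its own NDR text, honours global accept/deny lists and per-recipient exceptions. The provider zones (apart from the slide's bad.bl.org), the IP lists, the exempt recipients and the DNS answers are constructed sample data.

```python
import ipaddress

# Constructed configuration for illustration (not from the deck): three RBL
# providers, as the deck recommends 3 or 4, each with its own NDR text.
RBL_PROVIDERS = [
    {"zone": "bad.bl.org", "ndr": "550 Sender IP listed by bad.bl.org"},
    {"zone": "bl.provider-two.test", "ndr": "550 Sender IP listed by provider two"},
    {"zone": "bl.provider-three.test", "ndr": "550 Sender IP listed by provider three"},
]
GLOBAL_ACCEPT = [ipaddress.ip_network("192.0.2.0/24")]   # trusted partner subnet (constructed)
GLOBAL_DENY = [ipaddress.ip_network("198.51.100.7/32")]  # single blocked host (constructed)
# Recipients exempt from RBL filtering, so that listed senders can still reach them
RBL_EXCEPTIONS = {"postmaster@example.test", "abuse@example.test"}

# Stand-in for DNS: a real gateway issues an A query for the reversed name and
# treats any answer (typically 127.0.0.x) as "listed".
SIMULATED_DNS = {"12.247.190.62.bad.bl.org": "127.0.0.2"}


def rbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the RBL zone, as in the deck's
    example: 62.190.247.12 -> 12.247.190.62.bad.bl.org"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def connection_filter(sender_ip, recipient, resolve=SIMULATED_DNS.get):
    """Return (verdict, reason). Precedence modelled on Exchange 2003 connection
    filtering: global accept list, then global deny list, then RBL lookups."""
    addr = ipaddress.ip_address(sender_ip)
    if any(addr in net for net in GLOBAL_ACCEPT):
        return "accept", "global accept list"
    if any(addr in net for net in GLOBAL_DENY):
        return "reject", "global deny list"
    for provider in RBL_PROVIDERS:
        if resolve(rbl_query_name(sender_ip, provider["zone"])) is None:
            continue                      # not listed by this provider, try the next one
        if recipient.lower() in RBL_EXCEPTIONS:
            return "accept", "listed by %s but recipient is exempt" % provider["zone"]
        return "reject", provider["ndr"]  # provider-specific NDR text
    return "accept", "not listed"
```

Swap `resolve` for a real DNS lookup to use the same logic against live providers.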
Who it is addressed to: Recipient Filtering
- Filter messages sent to non-existent recipients
  - no NDR (protocol level)
  - real-time check in Active Directory
- Filter messages sent to specific addresses
- Restricted Distribution Lists
  - only authenticated users can use them to send mail
  - internal and public DLs can be treated differently
- In addition to Address Filtering on the client (Safe/Block lists)

Demo: Recipient Filtering and Distribution List security

Antispam: Microsoft Exchange Intelligent Message Filter
- Based on the SmartScreen technology found in Outlook 2003
  - used by Hotmail since 24 February 2004
  - integrated with the SCL (Spam Confidence Level) infrastructure
- A (free) extension of Exchange 2003 Server SP1 (built in with SP2)
- Coexists with third-party solutions

Exchange Anti-Spam Filtering: characteristics
- A Front-End component (no cluster setup)
- Updatable
- Does not filter messages from authenticated and accepted connections: avoids false positives on internal or trusted mail
- Documented in the Exchange SDK: http://msdn.microsoft.com/exchange
- Introduces new message properties (fields) that attach spam-specific information to each message

Spam Confidence Level (SCL)
- The probability that the message is Unsolicited Commercial E-mail (UCE) or junk e-mail
- A number from 0 (not spam) to 9 (certainly spam)
- Stored in the database together with the message (tag property) and persists with it (routing, inbox, ...)
Microsoft Exchange Intelligent Message Filter
- Administered with Exchange System Manager
- Threshold based
  - Gateway SCL threshold: Reject, delete, archive, and no action
  - Store SCL threshold
- Built-in performance counters
- MOM management pack extension
- Comprehensive deployment guide
  - How it works (Server & Client settings)
  - Intelligent Message Filter basic configuration
  - Customizing Intelligent Message Filter (deployment guide, chapter 6)

Demo: IMF

Outlook & OWA Client Features
- Web/Spam Beacon blocking: blocks potentially dangerous HTML content (Outlook 2003 & OWA 2003)
- Enhancements: user-specified Safe & Blocked Senders lists
  - Safe Senders, Safe Recipients, Blocked Senders
  - can include Contacts and the GAL
  - also supports the Safe Senders Only mode
- User lists are SHARED by Outlook 2003, Exchange 2003 and OWA
  - stored on the server (mailbox store)
  - Outlook 2003 is required to configure them
- Moves to the junk folder are determined by:
  - Exchange 2003 Mailbox Store, based on user lists and on the per-message SCL
  - Client side, based on Microsoft SmartScreen Technology
- Block all external content by default (Web beacons)

The Outlook client
- Junk E-mail
- Outlook 2003 security (SmartScreen, ...)
- Client settings (junk mail, ...)

Demo: Outlook Web Access
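The IMF and client-side junk-mail decisions described above (gateway SCL threshold with its four actions, store SCL threshold, and the user's shared Safe/Blocked Senders lists), as an added Python model that is not part of the deck and not Exchange code. The threshold values, the archive action, the per-user lists and the precedence between the two user lists are assumptions chosen for the example.

```python
# Constructed model of the SCL decision path in the deck (not Exchange's own
# code): IMF tags each message with an SCL of 0-9 at the gateway; the gateway
# threshold selects reject / delete / archive / no action; the store threshold
# moves mail to Junk E-mail; the user's Safe and Blocked Senders lists, shared
# by Outlook 2003, OWA and the mailbox store, override the store threshold.
GATEWAY_THRESHOLD = 8        # assumed: SCL >= 8 triggers the gateway action
GATEWAY_ACTION = "archive"   # starting "loose": archive keeps false positives reviewable
STORE_THRESHOLD = 5          # assumed: SCL >= 5 lands in Junk E-mail

# Constructed per-user lists (in Exchange 2003 these live in the mailbox store)
USER_LISTS = {
    "alice@example.test": {
        "safe": {"newsletter@partner.test"},
        "blocked": {"deals@promo.test"},
    },
}


def gateway_action(scl):
    """Compare the SCL with the gateway threshold; below it nothing happens."""
    if scl < GATEWAY_THRESHOLD:
        return "no action"
    return GATEWAY_ACTION


def store_folder(scl, sender, recipient):
    """Mailbox-store decision. Assumed precedence: Safe Senders first, then
    Blocked Senders, then the store SCL threshold for everything else."""
    lists = USER_LISTS.get(recipient, {"safe": set(), "blocked": set()})
    if sender in lists["safe"]:
        return "Inbox"
    if sender in lists["blocked"]:
        return "Junk E-mail"
    return "Junk E-mail" if scl >= STORE_THRESHOLD else "Inbox"


def message_hygiene(scl, sender, recipient, authenticated=False):
    """Full path. The SCL tag persists from gateway to store, so one value
    drives both decisions. Returns (stage, outcome)."""
    if authenticated:
        scl = 0   # IMF skips authenticated, accepted connections; modelled as "no SCL"
    action = gateway_action(scl)
    if action != "no action":
        return "gateway", action
    return "store", store_folder(scl, sender, recipient)
```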
How to fight viruses

Enterprise Requirements for Antivirus
- Adequate defences are needed
- Differentiated handling of inbound and outbound messages
- Not just AV scanning:
  - Attachment management is key
  - Directory lookups before scanning
  - Security notifications
  - Message purging versus cleaning
  - Metrics and reporting

Anti-Virus Protection
- Exchange Server 2003 includes a specific API for handling viruses (Virus Scanning API 2.5)
- Prevents viruses from reaching Outlook
- As with spam, and even more so with viruses, blocking must happen as far as possible on the server side:
  - Block potentially dangerous attachments
  - Gateway scanning (non-mailbox server)
  - Delete infected messages

How to Fight Viruses: VSAPI 2.5 exposed at the Exchange transport level (gateway)
- Inbound message arrives at gateway using SMTP
- Transport event sink hands message to VSAPI queue
- VSAPI removes message from queue and passes to scanner
- Additional message properties are exposed to the scanner; for example, sender and recipient addresses can be used in notifications
- Message deletion is possible: allows an antivirus solution to implement a message purge feature

Exchange Server 2003 Antivirus Features: VSAPI 2.5
- Backward compatible with VSAPI 2.0
- Optional infected message deletion
- Additional message properties: sender e-mail address; recipient addresses (To: and Cc:)
- Additional MAPI error codes: virus present; virus present, message deleted

Exchange Server 2003 Service Pack 2 news

Exchange Server 2003 SP2 AntiSpam Features
- Updated SmartScreen Technology
- Anti Phishing Technology
- Sender ID Framework (SIDF) Support

Updated SmartScreen Technology
- Integrated Intelligent Message Filter
- Latest Filter Updates
- User Interface updates to Exchange System Manager: Junk E-Mail Filtering
- Added Anti Phishing Technology

Anti Phishing Technology
- Integrated into SmartScreen Technology
- Transparent to administrators and end users
- Phishing Confidence Level (PCL): weighted 1-8 (higher = more likely bad)

Sender ID Framework (SIDF)
- Industry standard created to counter domain spoofing
- SIDF has been reviewed and submitted to the Internet Engineering Task Force for final review
- Combines Sender Policy Framework and Microsoft Caller ID for Email
- E-mail domain authentication framework that uses Sender Policy Framework (SPF) records in DNS as an authentication mechanism

Message Hygiene @ Microsoft

Message Hygiene at Microsoft (flow diagram)
- Internet -> Gateway Server Transport (Anti-Spam): Connection Filtering (RBLs), Sender/Recipient Filtering, Exchange IMF. Decision box "SCL = Gateway Threshold?": Spam? Yes -> Filter Action; No -> on to the next stage
- Gateway Server Transport (Antivirus and Attachments): Virus Scanning, Attachment Stripping
- Mailbox servers (Store): SCL Store Threshold, User Safe/Blocked Senders. Spam? Yes -> Junkmail; No -> Inbox
- Clients (Outlook 2003 & Outlook Web Access): User Safe/Blocked Senders, Desktop Anti-Virus, Attachment blocking. Junkmail or Inbox

Message Hygiene at Microsoft (figures)
- Connection filtering: blocks [figure missing] of all incoming SMTP connections
- Sender and recipient filtering: blocks [figure missing] of remaining messages
- Intelligent Message Filter: blocks [figure missing] of remaining messages
- Outlook 2003 and Outlook Web Access junk e-mail: blocks [figure missing] of remaining messages

Best Practice

Best Practice - 1: Connection Filtering, Recipient Filtering
- Enable Accept/Deny IP lists at the gateway (and RBLs too, if possible)
  - the IP restriction lists can be modified from code (KB 810913)
- Recipient Lookup at the gateway: enable the Active Directory lookup
- Restricted DLs only when all members are internal
  - beware of use by applications (authenticated or not)

Best Practice - 2 (IMF)
- In multi-forest environments, enable (cross-forest) authentication on the SMTP connectors: this way the SCL tagging information etc. is preserved
- Cannot be enabled on an Exchange 2003 Cluster (it is a typical Front-End service)
- Start "loose" to avoid false positives
- Configure Outlook 2003 Trusted Senders (& Junk settings) via CIW

Best Practice - 3 (IMF)
- Reject vs Archive
  - can be monitored with Performance Monitor: Total Messages Scanned for UCE; Messages Scanned for UCE/sec; % UCE out of Total Messages Scanned; Total Messages Assigned an SCL Rating of X ....
  - check the archive folder: its location can be changed (registry); it can also record the SCL (registry)
- Microsoft Exchange Intelligent Message Filter Deployment Guide
- IMF Archive Manager

Demo: IMF Archive Manager

References and resources
- IMF Archive Manager (C# tool released with source on GotDotNet): http://workspaces.gotdotnet.com/imfarchive
- Microsoft Safety Technology and Strategy: www.microsoft.com/mscorp/safety/default.mspx
- Security Resources: http://www.microsoft.com/technet/security
- Sender ID: http://www.microsoft.com/senderid

References and resources (Exchange)
- Exchange Home: http://www.microsoft.com/exchange
- Exchange Italy Home: http://www.microsoft.com/italy/exchange
- Exchange Server TechCenter: http://www.microsoft.com/technet/prodtechnol/exchange/default.mspx
- Exchange Server 2003 Technical Documentation Library: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx
- Exchange Developer Documentation on MSDN: http://msdn.microsoft.com/exchange
- Exchange Server 2003 Errors and Events Web Site: http://www.microsoft.com/technet/support/ee/search.aspx?LCID=1033&DisplayName=Exchange%20Server%202003&ProdName=Microsoft%20Exchange&MajorMinor=6.5
- Exchange Support Center: http://support.microsoft.com/default.aspx?scid=fh;EN-US;exchange
- Exchange Downloads: http://www.microsoft.com/exchange/downloads/
- Exchange Server Community Center: http://www.microsoft.com/Exchange/community/default.mspx

Questions?
Live Meeting Web Feedback: https://mseventseu.microsoft.com/cui/WelcomePage.aspx?EventID=118764263&culture=it-IT

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.