p0f, spam detection and OOF e-mails

Published: 2007-06-02
Last Updated: 2007-06-03 00:04:27 UTC
by Bojan Zdrnja (Version: 2)
0 comment(s)
I have no doubt that all our readers are struggling in the everlasting race between spammers and spam detection applications. Actually, I don’t know almost anyone who isn’t running at least one tool that helps him detect spam.

I’ve been a happy user of amavisd-new (http://www.ijs.si/software/amavisd) for a long time. Amavisd-new is actually only a framework and allows you to use almost anything – by default it will use the most popular anti-spam tool, SpamAssassin, but it is very easy to use other tools such as DSPAM. Amavisd-new’s flexibility is its most powerful weapon.

Analyzing network traffic to detect spam

One extremely cool plugin that Mark wrote is p0f-analyzer.pl (http://www.ijs.si/software/p0f-analyzer.pl). This is a simple service that can be used with p0f, the famous passive fingerprinting utility.

So how does this help us with spam detection you might ask? First of all, let’s see what p0f-analyzer does. p0f-analyzer has to be run on your e-mail gateway and requires a p0f binary. It will use p0f’s output to create a local cache of all incoming TCP sessions for a limited time. Amavisd-new can be now configured to use p0f-analyzer in order to determine the operating system of the remote client. Finally, you can add additional rules for SpamAssassin (X-Amavis-OS-Fingerprint) that will trigger when certain OS has been detected on the remote client. So why is this good? Well, now we can add a positive score (moving the e-mail closer to being detected as spam) if the remote client is, for example, running Windows 98 – how many servers do you know running on this (unsupported) operating system?

If you’re interested in playing with this, read amavisd-new’s release notes (search for p0f to find how to install and configure this). Just a word of caution – be sure to properly configure amavisd-new so you don’t end up penalizing your own Windows clients!).

Dealing with backscatter OOF e-mails

I recently had to write a very simple plugin that detected e-mail messages with the subject of “Out of Office AutoReply: ***SPAM***”. Can you guess what this is?

If you thought about Exchange you were right. As you probably know, SpamAssassin marks e-mails detected as spam with ***SPAM*** in the header. As business users almost always demand that out of office replies are working even outside your organization, this (with Exchange) inevitably leads to backscatter e-mails produced by your own network. As far as I know, it’s impossible to tell Exchange to drop e-mails marked with ***SPAM*** in the header *before* it uses the OOF module. In other words, you end up sending OOF messages to innocent senders – those addresses are almost always spoofed. So, I ended with a small plugin that detects such e-mails and drops them (actually marks them as infected).

If you want to take a look at the plugin, you can get it here - be careful with it and use it at your own risk, of course (it’s been working fine for me for couple of months already). The plugin is, as you will see, extremely simple and so far it never had a false positive (in order to produce a false positive, one of our users would have to send an e-mail with the subject above – hardly likely).

Once you have it working properly, it will generate logs such as this one:

Jun 2 00:00:00 larry amavis[15399]: (15399-13) Blocked INFECTED (OOF-REPLY), [INTERNAL_IP] [INTERNAL_IP] <internal@user.local> -> <qkep1zcy@chello.com>, quarantine: virus-WkCuYouCzJCS, Message-ID: <1E11F4042C05ED4BAA6BA96319DA566113774068@internal.host.local>, mail_id: WkCuYouCzJCS, Hits: -, size: 1243, Subject: "Out of Office AutoReply: ***SPAM*** Over 1000+ models branded watches to choose, from Swiss Rolex, Patek Philippe, Panerai, Omega & ... yn", 102 ms

You can see that amavisd-new nicely blocked this e-mail (and helped in reducing the amount of backscatter in the world for at least 1 e-mail).



Rich Graves e-mailed us and pointed to a pretty interesting implementation of p0f as a spam discriminator: Scam-grey (http://www.elandsys.com/scam/scam-grey/). By using p0f it should be possible to apply greylisting to only Windows machines, for example, which ends up in having the best from both worlds!
0 comment(s)


Diary Archives