EXC05 Testing Your Mail Hygiene Solution - PowerPoint PPT Presentation

Slides: 15
Provided by: erikr151
1
EXC05 Testing Your Mail Hygiene Solution
  • Devin L. Ganger (3Sharp LLC) deving_at_3sharp.com
  • (e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

2
Download the most up-to-date version of these
slides at http://www.3sharp.com/files/deving/exc05-ganger-f06.ppt

3
If I were to ask you...
  • What is your total catch rate?
  • How many false positives?
  • How many false negatives?
...could you answer?

4
Defining Message Hygiene
  • The measures you take to remove unsolicited and non-legitimate messages
    from your incoming mail feed.
  • Anti-spam
  • Anti-virus

5
Message Hygiene Measures
  • Connection filtering
  • DNS blocklists
  • Sender filtering
  • Recipient filtering
  • Greylisting
  • Sender ID
  • Intelligent Message Filter
  • Anti-virus scanning

6
The Testing Process in a Nutshell
  1. Collect known good messages
  2. Collect known spam messages
  3. Set up test mailboxes
  4. Disable all measures but one
  5. Inject good messages and record data
  6. Inject spam messages and record data
  7. Repeat steps 4-6 for each measure/stage

7
Some Terms Defined
  • Total Catch Rate (/, )
  • False Positive (/, )
  • False Negative (/, )

8
Testing live measures
  • Configure measures to reject bad messages
  • Use SMTP protocol logs to measure
  • Allow/deny lists
  • Sender/recipient filters
  • DNS block lists
  • Recommended: a good log analysis tool such as the
    Microsoft Log Parser: http://www.microsoft.com/technet/scriptcenter/tools/logparser/

9
Testing the Scanning Engines
  • Disable client-side filtering, mailbox rules, and
    Outlook cached mode
  • Inject messages from a single host
  • Test one stage at a time
  • Use the same test data for each stage
  • Use a single (but different) mailbox for each
    stage
  • Disable or block automatic updating
  • Don't worry about performance

10
Sources of Good Data
  • Live data
  • Collected from mailboxes
  • Should make sure MAPI properties have been
    stripped
  • May need to remove some headers
  • Ham generator

11
Sources of Spam
  • Junk Mail Folder
  • Honeypots
  • External spam feed
  • Spam feed from John R. Levine
  • Gathered by honeypots
  • Currently around 100K messages/day
  • Sent to a single address
  • http://www.taugh.com/

12
Injecting Messages
  • Goal: modify the messages as little as possible during injection.
  • Pickup folder will work for all Exchange add-ons,
    but uses message headers
  • Appliances/third-party systems may require SMTP
    injection
  • SMTP injection SHOULD avoid changes
  • SMTP injection MUST modify envelope
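
An added example (not part of the original slides) of SMTP injection that changes only the envelope and sends the collected message bytes as they are. The function names, addresses and host name are assumptions, and the sample message is constructed.

```python
import hashlib
import smtplib
from email import message_from_bytes

# Constructed sample corpus message (not real mail).
SAMPLE = (
    b"From: Offers <promo@example.net>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"Line one\r\n"
    b".line starting with a dot\r\n"
)

def split_body(raw: bytes) -> bytes:
    """Return everything after the first blank line (CRLF or bare LF)."""
    hits = [(raw.find(s), len(s)) for s in (b"\r\n\r\n", b"\n\n") if s in raw]
    if not hits:
        return b""
    pos, width = min(hits)  # earliest separator wins
    return raw[pos + width:]

def plan_injection(raw: bytes, test_rcpt: str, bounce_addr: str) -> dict:
    """Describe one injection: new envelope, untouched message bytes."""
    msg = message_from_bytes(raw)  # parsed only to report the original headers
    return {
        "mail_from": bounce_addr,        # envelope sender (MAIL FROM), lab-owned
        "rcpt_to": [test_rcpt],          # envelope recipient (RCPT TO): test mailbox or DG
        "header_from": msg.get("From"),  # header left as collected
        "header_to": msg.get("To"),      # header left as collected
        "payload": raw,                  # exactly the bytes that were collected
        "body_sha256": hashlib.sha256(split_body(raw)).hexdigest(),
    }

def inject(plan: dict, host: str, port: int = 25) -> None:
    """Send one planned message. smtplib does not rewrite a bytes payload;
    it only applies SMTP dot-stuffing, which the receiving server undoes."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.sendmail(plan["mail_from"], plan["rcpt_to"], plan["payload"])

if __name__ == "__main__":
    p = plan_injection(SAMPLE, "hygiene-test@lab.example", "bounces@lab.example")
    print(p["rcpt_to"], p["header_to"], p["body_sha256"])
    # inject(p, "mail.lab.example")  # hypothetical lab server; uncomment to send
```

The hash covers the body only, because the receiving server prepends its own Received header and a whole-message hash of the delivered copy would never match.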

13
Tips and Tricks
  • Use a distribution group for the injection
    address
  • If you use an external spam feed, give them the
    DG address
  • Use a single server-side rule to move all
    messages into a per-test folder
  • Use OWA to provide message counts for each folder

14
Questions?