AntiVirus and AntiSpam - PowerPoint PPT Presentation

About This Presentation
Title: AntiVirus and AntiSpam
Description: Bayesian filtering & Mozilla Mail. SpamAssassin in Evolution/KMail. Using DNS to stop spam ... Works based on word frequency in pre-seeded spam/non-spam ('ham' ... – PowerPoint PPT presentation

Slides: 18
Provided by: wlug
Transcript and Presenter's Notes


1
Anti-Virus and Anti-Spam
  • Waikato Linux Users Group
  • Monday 27th October 2003
  • Craig Box
  • http://www.wlug.org.nz/CraigBox

2
Happy Birthday To Me
3
Synopsis
  • Why viruses in Linux are not an issue
  • Setting up a mail server with virus and spam
    filtering
  • Client side filtering
  • Bayesian filtering and Mozilla Mail
  • SpamAssassin in Evolution/KMail
  • Using DNS to stop spam
  • Virus scanning of cached web pages

4
Viruses
  • Not a threat
  • Viruses in the wild: near to none
  • Staog: attempted root exploits
  • Bliss: a polite virus
  • Slapper: exploits Apache
  • A virus must:
    • run
    • be able to write to executables
    • spread
  • This is why Unix users claim LindowsOS is broken

5
Viruses 2
  • A computer virus, like a biological virus, must
    have a reproduction rate that exceeds its death
    (eradication) rate in order to spread.
  • If the reproduction rate falls below the
    threshold necessary to replace the existing
    population, the virus is doomed from the
    beginning -- even before news reports start to
    raise the awareness level of potential victims.

6
Why do I bother then?
  • Windows viruses
  • Sophos: 87% of all reports of infections during
    2002 concerned Windows viruses.
  • 7,189 new viruses/worms/trojans (total of more
    than 78,000). On average, the Sophos virus labs
    produce detection routines for more than 25 new
    viruses each day.
  • Most are variants, but still very deadly
  • The Wildlist: 248 viruses currently in the wild

7
Unix virus scanners
  • Many commercial vendors have a product
  • Open source, open definitions: ClamAV
  • The virus database is based on the virus database
    from OpenAntiVirus, but contains additional
    signatures (including signatures for popular
    polymorphic viruses) and is kept up to date
  • ClamAV currently detects 9886 viruses
  • Updates are regular and the definition distribution
    method is sensible (unlike some AV vendors!)

8
Protecting Windows networks
  • Linux firewall stops gateway worms
  • Inherent gain from NAT, but many losses; the paths
    that remain open are:
    • Electronic Mail
    • Web browsing

9
Email Scanning on Linux
  • Run this on your gateway machine
  • Easy to protect an SMTP network by changing MX
    records
  • Easy to protect a POP3 server by running
    fetchmail and a simple mail server such as
    Courier IMAP
  • Debian Woody, Exim 3, Amavis
  • http://ente.limmat.ch/linux/exim_v3_-_amavisd-new.html

10
Fetching mail with Debian
  • Install Courier IMAP
  • Install SpamAssassin and Amavis from the aurel32
    backport repository
  • Amavis vs. MailScanner
    • MailScanner is tidier, more maintained and does
      other useful things (e.g. regexp checking)
    • Amavis only requires a single queue, so it fits
      Exim's model better and is simpler
  • To get the mail into this system, get Fetchmail
    and point your email client to your new local
    mail server

11
Client side filtering
  • Server must apply all spam filtering rules to all
    users
  • Not everyone gets the same spam: filtering on words
    with a predefined score fails in some cases
  • Allows you to do Bayesian filtering
    • Per user
    • Works based on word frequency in pre-seeded
      spam/non-spam ("ham") corpora
    • Paul Graham's "A Plan for Spam"
    • No longer the best method, but a very interesting
      read
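The per-user Bayesian idea above, worked through as an added example (not code from the talk or from any of the clients it mentions): a toy Graham-style filter trained on a constructed spam/ham corpus; the corpus, the token regex and the 0.4/0.9 constants are assumptions taken from "A Plan for Spam".

```python
"""Toy Graham-style Bayesian spam filter ("A Plan for Spam"). Added example on a
constructed corpus; not code from the talk or from the clients it mentions."""
import re
from collections import Counter

# Constructed pre-seeded corpora: spam and non-spam ("ham").
SPAM = [
    "buy cheap pills now click here free offer",
    "free money click here lowest price guaranteed offer",
    "cheap pills click now free shipping offer",
]
HAM = [
    "meeting tomorrow about the exim config on the gateway",
    "can you review my procmail recipe before the meeting",
    "the wlug talk on monday covers clamav and spamassassin",
]

def tokens(text):
    """Distinct word-like tokens; a token counts once per message."""
    return set(re.findall(r"[a-z$'-]+", text.lower()))

def train(spam, ham):
    """Per-token probability that a message containing it is spam (Graham's formula)."""
    bad, good = Counter(), Counter()
    for m in spam:
        bad.update(tokens(m))
    for m in ham:
        good.update(tokens(m))
    probs = {}
    for w in set(bad) | set(good):
        g = 2 * good[w]   # ham counts are doubled to bias against false positives
        b = bad[w]
        p = (b / len(spam)) / (g / len(ham) + b / len(spam))
        probs[w] = max(0.01, min(0.99, p))   # clamp: no single token decides alone
    return probs

def spam_probability(text, probs, unknown=0.4, top=15):
    """Combine the `top` most interesting tokens (furthest from 0.5) into one score."""
    ps = sorted((probs.get(w, unknown) for w in tokens(text)),
                key=lambda p: abs(p - 0.5), reverse=True)[:top]
    prod, inv = 1.0, 1.0
    for p in ps:
        prod *= p
        inv *= 1 - p
    return prod / (prod + inv)

def is_spam(text, probs, threshold=0.9):
    return spam_probability(text, probs) > threshold

PROBS = train(SPAM, HAM)   # model built from the constructed corpus above
```

Because the model is trained per user, a word like "meeting" ends up strongly ham for this user while "click" is strongly spam, which a single server-wide word list cannot express.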

12
Evolution Filtering
  • SpamAssassin can be plugged into Evolution via
    email filters
  • Server output: filter on "X-Spam-Flag contains YES"
  • Running on local machine:
    spamassassin -P -e > /dev/null
    • Returns 1 if spam
    • But does not score spam in headers
  • Very similar for KMail: see Wiki for link

13
Procmail method
  • .forward:
    "|exec /usr/bin/procmail"
  • .procmailrc:
    SHELL=/bin/sh
    MAILDIR=$HOME/Mail
    LOGFILE=_logfile
    VERBOSE=no
    LOGABSTRACT=all
    PATH=/bin:/usr/bin:/sbin:/usr/sbin

    # If the mail is larger than 255k then skip spamassassin
    :0fw: spamassassin.lock
    * < 256000
    | /usr/bin/spamc

    # Move very large spam out before I see it (20)
    :0
    * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
    # destination folder name below is assumed; the slide does not show it
    spam

14
Bayesian Filtering
  • Natively implemented in:
    • MacOS X's Mail.app
    • Mozilla Mail (cross platform)
    • Outlook: SpamBayes plugin
    • Popfile
  • Buttons in the mail client:
    • Mark as junk
    • Mark as not junk

15
Extra for experts
  • Using DNS to stop spam
  • Basic idea: only the authoritative person for a
    domain can decide who can send messages appearing
    to be from that domain
  • Domains publish "reverse MX" records to tell the
    world which machines send mail from the domain.
  • People can still spam from their own domain, but
    it can be accurately traced, and few ISPs
    legitimately allow spammers
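The "reverse MX" check described above, as an added example (not from the talk): the receiving mail server looks up what the envelope sender's domain has published and compares it with the connecting IP. The record syntax is assumed to be the SPF form that later standardised this idea ("v=spf1 ip4:... -all"), and the zone data is constructed, so nothing is queried on the network.

```python
"""Minimal "reverse MX" style check: is the connecting host's IP one the sender's
domain has published in DNS? Added example, not from the talk; the record syntax
assumed is the later SPF form ("v=spf1 ip4:... -all"), and the zone data is
constructed so nothing is looked up on the network."""
import ipaddress

# Constructed stand-in for the DNS TXT records of two hypothetical domains.
PUBLISHED = {
    "example.org": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
    "example.net": "v=spf1 -all",   # a domain that never sends mail
}

def lookup_txt(domain):
    """Stand-in for a DNS TXT query; real code would use a resolver library."""
    return PUBLISHED.get(domain)

def sender_domain(envelope_from):
    """Domain part of the SMTP envelope sender (MAIL FROM), normalised."""
    return envelope_from.rsplit("@", 1)[-1].lower()

def check_sender(domain, client_ip):
    """Return 'pass', 'fail' or 'none' for mail claiming to come from `domain`."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"      # domain publishes nothing, so nothing can be decided
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"      # listed as a legitimate sender for the domain
        elif term == "-all":
            return "fail"          # catch-all reached without a match: forged
    return "none"                  # record ended without a verdict

def verdict(envelope_from, client_ip):
    """Convenience wrapper: evaluate the envelope sender of one SMTP session."""
    return check_sender(sender_domain(envelope_from), client_ip)
```

A "fail" verdict is the case the slide describes: the domain owner never authorised that host, so the message can be rejected or tagged; "none" means the domain has not published anything and the check gives no information.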

16
Virus scanning Web pages
  • Use a caching proxy server and a content filter:
    • Squid
    • DansGuardian
  • Anti-Virus patch
    • Downloads each page and then scans it
    • Uses MailScanner's engine
    • Supports F-Prot and ClamAV

17
See also
  • Viruses
    • Staog - http://www.f-secure.com/v-descs/staog.shtml
    • Bliss - http://math-www.uni-paderborn.de/axel/bliss/
    • Slapper - http://www.sophos.com/virusinfo/analyses/linuxslappera.html
    • ELF Virus Writing HOWTO - http://www.lwfug.org/abartoli/virus-writing-HOWTO/_html/
    • Windows vs. Linux Viruses - http://librenix.com/?inode=21
    • Windows vs. Linux Viruses - http://www.theregister.co.uk/content/56/33226.html
    • The Wild List - http://www.wildlist.org/
  • Amavis
    • A Mail Anti-Virus Scanner - http://www.amavis.org/
    • Debian Amavis/SpamAssassin HOWTO - http://ente.limmat.ch/linux/exim_v3_-_amavisd-new.html
  • ClamAV
    • Clam Anti-Virus - http://clamav.elektrapro.com/
    • Web based submission test - http://www.gietl.com/test-clamav/
  • Bayesian Filtering
    • A Plan For Spam - http://www.paulgraham.com/spam.html
    • Mozilla's built in Bayesian filtering - http://www.mozilla.org/mailnews/spam.html
  • Client Side Filtering with SpamAssassin
    • Evolution - http://krath.dk/linux/evolution_spamfilter/