Difference between revisions of "IP Reputation"

From GWAVA Technologies Training

Latest revision as of 19:53, 12 March 2014

== Level 1 ==

IP Reputation works much like the RBL interface does, in that it uses a blacklist, but it also has a whitelist for common mail sources. When used on an SMTP interface and configured for a connection drop, IP Reputation will temporarily fail messages from sources not found on either list. The temporary fail allows the sending SMTP gateway to retry, and IP Reputation will allow a repeated attempt from the unknown source to pass on to the antispam filter. As with RBL, the header lines scanned may be limited and specified. (This can be used to skip lines added to the header by a proxy server or other service.)

IP Reputation, RBL, and SPF drop at connection settings are recommended as default. This dumps any incoming message that fails these initial incoming tests, saving bandwidth and performance.

IP reputation is a service that will allow GWAVA to filter messages based on the sending server's IP address. The type of messages sent from that IP address are tracked and stored so GWAVA knows if the sending server is a likely source of spam.

There are three functions of IP reputation:

1) Blacklist

  Much like RBL, a blacklist is kept of known IP addresses of spammers.
  SMTP scanner using connection dropping:
  If a message comes from a blacklisted sender to the SMTP scanner with connection dropping enabled, a 5xx level error is returned to the sending server. The 5xx error is returned before the message is even received, saving the server from having to run any other tests on the message. This is the most ideal setting.
  Any scanner using header scanning:
  If you do not have connection dropping enabled or are not using an SMTP scanner, we can still use the blacklist to our advantage. Just like RBL, we can scan the header lines of the message for IP addresses and see if any of those hops are on the blacklist. If one of the IPs is on the blacklist, the message will follow the rules you assigned to that server (block, quarantine, etc.).

2) Greylist

  One of the problems with using any sort of anti-spam solution is that it is highly reactive. Once a new type of spam message is used, there is a little bit of a delay before we can come up with a good way to block it. This is another area where IP reputation can really be useful. Any time we begin to see messages from an IP address we have not seen before, a 4xx level error is returned to the sending SMTP server. A 4xx level error means to try again later. 99% of legitimate email servers will in fact try again later, and if they do we will let the message pass by the IP reputation service. Usually spammers won't try to send the message again; because of this, IP reputation gives you a little bit of protection against zero-day spam, or spam we haven't seen before.
  Note: This feature is only available when using an SMTP scanner with connection dropping turned on.

3) Whitelist

  One of the side effects of using the greylisting feature is that legitimate senders' mail can be delayed from time to time. To mitigate this there is also a whitelist. The whitelist contains a list of IP addresses of known good senders, so that common sources of email won't be delayed by the greylisting feature. Common senders include gmail, yahoo, hotmail, etc. Most of your good mail won't be delayed because it will already be on the whitelist the first time the messages come in.


By using IP reputation you protect yourself from known spammers and also from any new spammers that may pop up. It is highly recommended to use IP reputation with an SMTP scanner with connection dropping enabled, to take advantage of all of its capabilities.
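As an added example (not code from the GWAVA training page or product), the following Python models the three decisions described above: blacklist 5xx at connect time, greylist 4xx on first contact with a pass on retry, whitelist bypass, plus the header-scan mode used when connection dropping is off. The lists, addresses and sample message are constructed.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample lists (documentation-range addresses); a real deployment
# gets these from the reputation service, not from static sets.
BLACKLIST = {"203.0.113.7"}      # stands in for a known spam source
WHITELIST = {"198.51.100.25"}    # stands in for a known-good sender such as a large webmail provider
SEEN = set()                     # greylist state: unknown IPs that have already been told 4xx once

def connection_decision(ip):
    """SMTP scanner with connection dropping enabled: decide at connect time.
    Returns 550 (reject, blacklisted), 451 (temporary fail, first contact from an
    unknown IP) or 250 (accept and hand the message to the antispam filter)."""
    if ip in BLACKLIST:
        return 550               # refused before the message body is ever received
    if ip in WHITELIST:
        return 250               # known good sender: never delayed by greylisting
    if ip in SEEN:
        return 250               # unknown sender that retried after the 4xx: let it through
    SEEN.add(ip)
    return 451                   # "try again later"; most spam sources never do

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def header_scan(raw_message, skip_hops=0):
    """Header-scan mode (no connection drop): pull the IPv4 address out of every
    Received: hop and return the first one that is blacklisted, or None.
    skip_hops drops the topmost Received lines, e.g. those added by a proxy."""
    hops = message_from_string(raw_message).get_all("Received", [])[skip_hops:]
    for hop in hops:
        for ip in RECEIVED_IP.findall(hop):
            try:
                ip_address(ip)   # discard regex matches that are not real addresses
            except ValueError:
                continue
            if ip in BLACKLIST:
                return ip
    return None

# Constructed message: the topmost hop is a local proxy, the one below it the blacklisted host.
SAMPLE = (
    "Received: from proxy.example.net [192.0.2.10] by mail.example.net; Wed, 12 Mar 2014 14:43:22\n"
    "Received: from spamhost.example [203.0.113.7] by proxy.example.net; Wed, 12 Mar 2014 14:43:20\n"
    "From: sender@example.net\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(connection_decision("192.0.2.99"), header_scan(SAMPLE))   # 451 203.0.113.7
```

With skip_hops=2 the scan ignores both hops and returns None, which is the effect of limiting the scanned header lines as the text describes.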

IP Reputation Setup: The GWAVA scanning system can provide signature and IP reputation services to other GWAVA servers in the same network. If a secondary GWAVA server is to provide the interface service, the connection information for that server must be specified via IP address. The default configuration is to have the local host provide the scanning service.

== Level 2 ==

IP Reputation uses a 3rd party company to do lookups (CommTouch). If a valid email is blocked by IP Reputation you can go to http://www.commtouch.com/check-ip-reputation to see if an IP address is on that list, or to report a mistakenly blocked IP address.

If CTIPD is not running when doing an 'rcgwavaman status', that means GWAVA is unable to reach the CommTouch servers. CTIPD is the last thing to load when GWAVA first starts up, so it is best to watch the GWAVA log to see when it has started all the way up and then check again.

If CTIPD never loads, look in the /var/log/localmessages log or /var/log/messages for errors. Most likely port 80 inbound or outbound is not open. One test that can be done to see if port 80 is open is to type, from the server:

wget www.yahoo.com

You should get a response like this:

  gwava106:~ # wget www.yahoo.com
  --14:43:22--  http://www.yahoo.com/
           => `index.html.1'
  Resolving www.yahoo.com... 206.190.36.45, 206.190.36.105, 2001:4998:c:401::c:9101, ...
  Connecting to www.yahoo.com|206.190.36.45|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: unspecified [text/html]
  
  [       <=>                           ] 265,638      189.93K/s
  
  14:43:24 (189.25 KB/s) - `index.html.1' saved [265638]

If it times out or never connects, then something is blocking port 80 inbound or outbound.

== Hands On ==

1) Log into the GWAVA Management Web Page and go to Scanner/Policy Management | policy | scanning configuration | IP Reputation

2) Make sure 'Enable IP Reputation test', 'Enable message header scan' and 'Block the message' are checked.

3) Make sure 'Enable connection drop' is unchecked.

4) Send a test message via telnet to make it look like it was from an IP address that is on the IP reputation blacklist.

5) After the message has been sent, check the GWAVA/support log (/opt/beginfinite/gwava/services/logs/gwava/support) to ensure the IP Rep. event fired.
