HEC Montréal: Follow-up on the Large-Scale Mail Installation
In order to produce valuable statistics, two tools were used: Spamity and pflogsumm. The former is a complete solution for extracting information from log files of a mail infrastructure based on Postfix and AMaViS. Spamity extracts all the relevant information and stores it in a database. A Web frontend is offered so users simply can log in to the Web application to see the mail rejected by the filtering policies. The nature of Spamity makes it a valuable tool to examine the spam and virus tendencies in order to tune the infrastructure over time to limit the delivery of UBEs and viruses. Spamity efficiently gathers the information related to the rejected messages and classifies it with regard to the following policies:
RBL: Message rejected by a real-time blackhole list.
RHSBL Client: Message rejected by a right-hand side block list.
Header Date: Message has a date from the distant past or future.
Header Subject: Message rejected by suspicious subject.
Header X-Mailer: Message rejected by suspicious mail user agent.
Header Content-Disposition: Message rejected by suspicious attachment.
Header Content-Type: Message rejected by suspicious attached file. The filter method specifies the file extension.
Body: Message rejected by suspicious body content.
Access Username: Message rejected by access username.
Virus: Message rejected by AMaViS together with the anti-virus solution used.
Spam: Message rejected by AMaViS together with SpamAssassin.
On the other hand, pflogsumm is a useful tool for providing a quick overview of Postfix activity. This allows an administrator to identify rapidly potential problems in a Postfix installation. Among the information reported by pflogsumm, we have:
Total number of received, delivered, forwarded, deferred, bounced and rejected messages
Per-day and per-hour message traffic and connection summaries
Various other summaries (warnings, fatal errors, panics) and more.
Using those two tools and some custom Perl scripts, we produced the different figures found in this article.
Figure 2 shows the weekly total number of mail considered to be UBE or containing viruses that were blocked since the beginning of 2004. The rules' efficiency also is shown in this figure.
As shown in Figure 2, the RBL policy is definitively the most effective one, followed by content analysis using SpamAssassin and message Subject header analysis. You also can note that the virus policy numbers are not as high as expected. This is easily understandable as the detection of viruses often is moved from AMaViS to Postfix's header checks (Content-Disposition, for example). This requires considerably less system resources, because we avoid both detailed analysis in SpamAssassin and a process fork, for each received message, for virus scanning using NAI VirusScan. The network analysts proceeded with such modifications after the 01-25 week for the MyDoom e-mail worm.
Furthermore, Figure 3 shows the usage of services offered by the mailstore, during the busiest week of the first three months (March 21-27).
As shown in Figure 3, POP3 is the most solicited service, followed by IMAP and the Web mail system, which also uses IMAP but was separated in the figure. During this week, peeks of 52 POP3 and 338 IMAP concurrent connections were observed coming from a total of 11,000 different users. The mailstore also is responsible for message deliveries in the user's mailboxes using the Local Mail Transfer Protocol (LMTP). Peaks of 75 concurrent delivery processes often were seen.
On the other hand, Figure 4 shows the amount of mail exchanged using the four SMTP servers for the entire month of March 2004.
As shown in Figure 4, 40 to 60% (55,000 messages per day, on average) of all received mail was rejected by various UBE and virus filtering techniques. This number actually is down from 80% in December 2003. At that time, HEC Montréal was receiving more than 125,000 spams per day. Currently, the average number of messages sent per day is 57,000, while the average number of received (from external servers) and delivered email per day is 35,000.
As you have seen from the different figures, the mail infrastructure certainly is a key component at HEC Montréal, as it is highly solicited. Overall, the mail infrastructure has been very fast and stable since it was deployed. Minor updates were performed by network analysts, mainly to keep up with the new e-mail worms.
|September 2015 Issue of Linux Journal: HOW-TOs||Sep 01, 2015|
|September 2015 Video Preview||Sep 01, 2015|
|Using tshark to Watch and Inspect Network Traffic||Aug 31, 2015|
|Where's That Pesky Hidden Word?||Aug 28, 2015|
|A Project to Guarantee Better Security for Open-Source Projects||Aug 27, 2015|
|Concerning Containers' Connections: on Docker Networking||Aug 26, 2015|
- Optimization in GCC
- Using tshark to Watch and Inspect Network Traffic
- September 2015 Issue of Linux Journal: HOW-TOs
- Problems with Ubuntu's Software Center and How Canonical Plans to Fix Them
- Concerning Containers' Connections: on Docker Networking
- A Project to Guarantee Better Security for Open-Source Projects
- Where's That Pesky Hidden Word?
- Firefox Security Exploit Targets Linux Users and Web Developers
- My Network Go-Bag
- Doing Astronomy with Python