Hello everyone, let's welcome the next speaker, Giovanni Bechis, with the talk "Fighting spam for fun and profit".

Hi, I am Giovanni Bechis. I am an Apache and OpenBSD developer, and today I'll talk about what happened in the past four years in the SpamAssassin community and what will maybe be the future of this software.

First, just to note that SpamAssassin is mostly seen as plug-and-play software by several users, who just install it, update rules and never get it completely. It should be seen as something different: it should be seen as a framework to develop something on top of. So to get the most out of it you have to write your own rules for your own kind of spam, because spam is different for everybody. It differs basically by the language you speak, your interests and a lot of other things. And participate in mass-check, that client-server mechanism; I'll talk more about it later. It's a general-purpose framework, not just anti-spam software, because it's used to protect some web forms, and I think in Holland there is a not-so-famous CMS that's integrated with SpamAssassin to check web form submissions.

So first, mass-check. Mass-check is a client-server tool that's integrated in SpamAssassin. It's not deployed with general distributions; it lives in SVN and you have to check it out separately. It takes as input a spam folder and a ham folder, it downloads the latest version of SpamAssassin with the old rules, and it checks all your messages for spam and ham with the new rules. Rules are committed in the SVN repo, in each developer's sandbox.
So there are some rules that are never pushed to the public. Once the software has detected how the new rules perform on your spam folder, it sends the results to an Apache server, and the Apache server grabs all the stuff and decides if spam has changed in some way, and so decides to push new rules. For example, where there is some new kind of obfuscation technique, these new rules get pushed to the public and get new default scores, which are lower or not depending on how it goes. It's a good way, and you can use it on your own as well, so it's a good way to know how your rules, or in general the public rules, are performing with your mail flow. There's also a web interface, so on your mail flow you can see the score assigned to messages and by which rule, and whether there are some rules that overlap. So for example, if a lot of spam messages are hit by two or three rules and there's one rule that detects all the messages, it could be possible to remove this rule and, say, push up the score of one other rule, so you have the same results, but it would perform better because it has fewer rules to run and check.

The latest release is 3.4.2, in September, and the previous one was three and a half years before, and this big gap was due to some problems we encountered in development. In particular, there were some problems with the Apache VM, so the system team had to recreate some infrastructure from scratch, and the server part of mass-check was not very well documented, so it had to be recreated from scratch. The main problem is that from when the mass-check tool sends the reports to the server to when the server sends the new rules to the public,
a couple of days pass. So if you are in a trial-and-error phase in development, it's a long time to wait, a couple of days, to know the results of your code.

There were some security fixes for the PDFInfo plugin and in the core, and general security auditing has been done and is ongoing as well. And an adorable Perl bug we found: during the development of 3.4.2 we optimized the startup code, and during the regression tests we found out that the parser skipped some URLs in the emails, only on Red Hat systems. In the very end the cause was that Red Hat compiles Perl with the 45 swoots free option by GCC, and this maybe is a bug in Perl itself, and it gets evaluated in a different way. In the optimization of the hash, it removes some random data. So we changed the code, and we're working with Red Hat to find the original reason in the code for this bug.

There were some assorted improvements. First of all, faster startup code with some of the visualization. Finally someone took a look at spamc and optimized the code, and for security removed SSLv3 and other stuff. There were FreeMail anti-forgery improvements, so there is some code that checks if, for example, you are sending an email as a Gmail user but you're not using Gmail. So it's trying to check this kind of abuse. In previous versions you could check if an email is coming from a particular nation, from France or whatever, and now we can check by continent as well.
So it's easier if you want to block or score a particular continent without setting a lot of rules for each nation. Some improvements in URILocalBL, a plugin that detects if a URL in the mail is coming from a particular source, and some very bad file descriptor leaks in the TxRep plugin, which is a plugin that recognizes and stores where an email is coming from: the IP address, the score of the mail, the DKIM signature, etc. So if a similar email comes from the same IP address with the same DKIM signature, it's probably not spam, because it's a correct correspondence. So it can detect it and lower the global score. And the regression tests were changed completely to be more performant and to be able to add better tests.

Some additions that have been done in 3.4.2 and that will be even better in SpamAssassin 4 (consider that we will release 3.4.3, I think, in the next weeks, and maybe SpamAssassin 4 this year, I hope): there is the HashBL plugin. It's a plugin which is present in Rspamd as well, and it's a particular DNS blacklist, because it's not a blacklist for IP addresses, it's a blacklist of hashes. Because, for example, if a spam message is coming from, like, a Google server or a Microsoft server, you cannot block the whole Google or Microsoft netblock. So you can block this hash, and this hash is stored as this particular email address, with this technique. And in SpamAssassin 4 we developed a new plugin.
Well, that is, SpamAssassin 4 has a modified version of HashBL, or if you want to use this feature in SpamAssassin 3.4 there's an additional plugin. We developed a DNS blacklist for Bitcoin addresses, so you can query the DNS for the hash of the Bitcoin address dot bl.btcblack.it and it replies whether it has been used for fraudulent purposes or not. So the plugin scans the email for Bitcoin addresses and checks the DNS, and so you can very easily detect Bitcoin scam emails.

Then another thing we developed was GeoIP2 support, because MaxMind is the biggest player in geolocation and they decided that, starting from last April, there would be no more support for the legacy GeoIP database, so they're pushing for the new version. The problem is that the new versions with Perl are either very slow or x86_64 only. So we developed the plugin for MaxMind, and at the same time we added support also for IP::Country::DB_File as an additional option. It's a different approach. It doesn't use the MaxMind databases; it's a database created by downloading the txt files directly from RIPE or AfriNIC, ARIN, etc. And it's very fast. It doesn't need all the long dependencies MaxMind has. It's not as complete as the MaxMind one, because the MaxMind one at least has commercial support and it has databases for ISPs, for example, or city names, or a lot of other interesting things.

Then a new anti-phishing plugin based on the PhishTank or OpenPhish projects. It has been developed for 3.4.2, and in 3.4.3 it has been changed to be much faster, and more databases will be added soon.
So it's a way to try to detect more phishing attempts in emails. One other interesting addition is ResourceLimits, and it tries to limit the resource consumption of the server.

This is one of the things. The main problem is that mass-check is based on the people that are using this software. So the public rules are determined by the spam of the people using mass-check, and the vast majority of people using mass-check are from the US, and the rules the developers write are for English spam. So there are some additional channels. There are some from Italy, France, Germany, Greece, I think. They're trying to write rules specific to non-English languages, so it's very efficient at detecting spam if your main language is not English.

There is a new plugin in SpamAssassin 4 that detects if there's an attachment with a macro in Word or Excel, and it detects if this macro is trying to do something it's not meant to do. So SpamAssassin 4 will have full UTF-8 support, so there's no more conversion between the email and UTF-8, it's full UTF-8. It will have godd be support even better than what we have in 3 at the moment, and better TxRep handling. Some fixes for Postgres have been committed these days and will be available in 3.4.3; some more will be available only in 4.

If you have any questions.

So we happen to receive a lot of French spam and also Ukrainian spam for some reason, and I've actually developed a huge list of custom rules. Should I then actually submit them somewhere, or what should I do with them? Because I use them for myself, but I presume other people are also getting this spam.
Yeah, I have a similar problem with the Italian spam. I put my rules on a web server. There is a procedure: at the moment it means you write your rules, you sign them with a PGP key, then you put them on a web server, and in the DNS you have a particular TXT record. So when the client tries to download, it just queries the DNS and checks if there's a new rule to download or not. I think there is an official French channel, so you can interact with them to merge the efforts. That could be a...

Yeah, another question. In a case where there are a lot of different people behind the infrastructure, do you have any advice to make it work? Because the spam is, like you said, different for everybody. Should there be different instances of SpamAssassin running in parallel with different rules?

I had some of those problems in the past, because I had a customer that had a lot of commercial traffic with China, and then there was the opposite, other people that were getting only spam from China. One solution would be two instances, but the better one would be user preferences dedicated to that customer. And you can also use the Bayes database per user, so every user can have his Bayesian database, you can train for every user, and so it can detect this difference.

Any other questions? So, thank you.