Statistics
➢ E-mail accounts in the world - 3 375 000 000
  Corporate E-mail accounts - 25%
  Consumer E-mail accounts - 75%
➢ Territorial division of E-mail users:
  Asia Pacific region - 49%
  Europe - 22%
  North America - 14%
  Rest of World - 15%
➢ Top E-mail senders, e-mails/day:
  Google.com - 435 200 000
  Yahoo.com - 398 800 000
  Hotmail.com - 160 300 000
  Microsoft.com - 63 900 000
  Linkedin.com - 58 800 000
Who plays the major role in world SPAM traffic?
A botnet is a collection of internet-connected computers whose security defenses have been breached and whose control has been ceded to a malicious party.
[Chart: Spam by Spambot Type]
Spheres of usage
➢ Phishing - redirecting users to fake copies of popular sites with an identical interface via links in e-mails, in order to steal their credentials or personal data.
➢ Advertisement - sending unwanted advertisements to a large number of e-mail addresses.
➢ Virus and malware - sending viruses and malware in e-mail, usually as an attachment, with the goal of infecting the user's PC with a virus or trojan.
  Examples: viruses, trojans, keyloggers.
➢ Social engineering - sending fake e-mails from authoritative persons or organizations who can influence the victim's further actions and behaviour.
  Example: mail from your bank, from the police or from your boss. Anything you can imagine.
E-mail structure
TCP session: 10.0.0.2 → 10.0.0.3:25
SMTP session:
  mail from: [email protected]
  rcpt to: [email protected]
Headers:
  Received: by 10.0.0.2 with HTTP Sun, 01 Oct
Common injection techniques
➢ Bulk injection - SPAM injection based on spam lists, sent from compromised hosts and open relays.
➢ Headers spoofing - spoofing of SMTP session headers and e-mail headers, sending from unprotected or unvalidated SMTP servers.
➢ Spam via the message bounce mechanism - sending SPAM by changing the sender headers to the victim's address while the recipient headers are changed to a non-existent mailbox on some popular mail server, so that the bounce carries the SPAM to the victim.
  A variant: sending SPAM with an empty «mail from» and the victim set as recipient.
Common counteraction methods
➢ Transport level - verification based on sender host information: IP address,
➢ Headers level - verification based on SMTP and E-mail headers:
  Sender level - verification of message sender headers.
  Recipient level - verification of message recipient headers.
➢ Message level - verification based on the whole message and
Transport layer mechanisms
● DNS RBL - Realtime Blocking List - e.g. Senderbase.org
● Black lists - lists of IP addresses of hosts which send spam, stored on DNS servers.
● Grey lists - delaying mail acceptance on the mail server for an interval from 30 minutes to several hours by bouncing mail from IPs without reverse DNS zones or from IPs that send mail for the first time.
● Nolists - specifying several MX records with different priorities, where the MX with the highest priority will
● HAT - Host Access Tables - creation of rules on the mail server defining which IP addresses are permitted and
● Filtering senders by IP addresses, country-based filtering - creating lists of IP addresses from which receiving of mail is allowed or forbidden.
● Rate limiting - control of the amount of messages per connection and of the amount of connections from certain SMTP servers.
Headers level mechanisms
● LDAP - LDAP-based methods, in which the e-mail recipient address is validated through LDAP accept queries: if the query fails, the mail is rejected; if the query passes, the mail is accepted.
● SMTP call-ahead - verification of the recipient's validity through another SMTP server. When an e-mail arrives at the server, it first asks another SMTP server (a static one, or the one responsible for the recipient domain) whether such a recipient exists, and only after a positive answer does it proceed with mail delivery. If the answer is negative, the message is rejected.
● RAT - Recipient Access Table - a means of validating recipients, where the SMTP server can be configured to accept or reject certain domains, users or partial domains.
Message level mechanisms
[Diagram: Mail server - Incoming - Antispam - Antivirus scanning - delivery]
● Antispam engines - using message scanning engines on the SMTP server, such as IronPort Anti-Spam,
● Rules - every engine uses rules for defining spam; rules are frequently refreshed from a rule updater server. A rule may contain sender, subject, size of message, type and size of
● Fingerprints - an addition to the rules, used for attachment scanning; helps to define what really
● Antivirus engines - engines from Sophos or McAfee for scanning messages for viruses and malware; they can block, quarantine or deliver viral messages depending on policy options.
● Content scanning - as usual, engines which help to scan attachments of various types and
SPF/SIDF Overview
SPF/SIDF - Sender Policy Framework is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing: the sender's IP address is verified against the domain's DNS SPF record.
SPF - performs a check of the domain from «HELO» and «Mail from» provided during the SMTP session against the DNS SPF record.
DNS record: a.com IN TXT "v=spf1 +ip4:10.0.0.4 -all"
SIDF - performs a check of the domain from the «Sender» or «From» e-mail headers, and a check of the «Mail from» domain from the SMTP conversation.
DNS record: a.com IN TXT "spf2.0/pra,mfrom +ip4:10.0.0.4 -all"
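As an added example (not code from the original slides), the SPF check described above, written as a small evaluator over a constructed DNS table that mirrors the slide's records: a.com has A and MX 10.0.0.1 and publishes "v=spf1 +a +mx +ip4:10.0.0.1 -all"; the b.com MX host name mx.b.com and the sender address user@a.com are assumed for illustration. Only the a, mx, ip4 and all mechanisms are implemented.

```python
import ipaddress

# Constructed DNS table mirroring the records on the SPF slide (MX values are
# hostnames whose A records give the 10.0.0.x addresses shown in the diagram).
DNS = {
    ("a.com", "A"): ["10.0.0.1"],
    ("a.com", "MX"): ["a.com"],
    ("a.com", "TXT"): ["v=spf1 +a +mx +ip4:10.0.0.1 -all"],
    ("b.com", "A"): ["10.0.0.2"],
    ("b.com", "MX"): ["mx.b.com"],          # assumed MX host name for b.com
    ("mx.b.com", "A"): ["10.0.0.3"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate the domain's SPF record for the connecting IP (a/mx/ip4/all only)."""
    records = [r for r in DNS.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if not records:
        return "none"                       # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual = "+"                          # an unqualified mechanism means "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                   # any A record of the domain
            matched = str(ip) in DNS.get((arg or domain, "A"), [])
        elif mech == "mx":                  # any A record of any MX host
            hosts = DNS.get((arg or domain, "MX"), [])
            matched = any(str(ip) in DNS.get((h, "A"), []) for h in hosts)
        else:
            return "permerror"              # include/exists/ptr/ip6 not handled here
        if matched:
            return QUALIFIER[qual]          # first matching mechanism decides
    return "neutral"                        # nothing matched and no "all" term


def spf_verdict(helo, mail_from, client_ip):
    """Check both identities the slide names: the HELO domain and the MAIL FROM domain."""
    mail_from_domain = mail_from.rsplit("@", 1)[-1]
    return {"helo": check_spf(helo, client_ip),
            "mfrom": check_spf(mail_from_domain, client_ip)}
```

For the diagram's session (EHLO a.com, MAIL FROM user@a.com, connecting from 10.0.0.1) both identities pass; the same session from 10.0.0.4 hits "-all" and fails.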
[Diagram: SPF flow - Mail-client / Web-browser → SMTP server a.com (IP 10.0.0.1, adding SPF headers) → Internet → SMTP server b.com, MX 10.0.0.3 (IP 10.0.0.3), which queries "b.com MX?" and "a.com SPF?"]
SMTP session in the diagram:
  EHLO a.com
  Mail from: [email protected]
  Rcpt to: [email protected]
  Data
  From: [email protected]
DNS records in the diagram:
  b.com A IN 10.0.0.2
  b.com MX IN 10.0.0.3
  a.com A IN 10.0.0.1
  a.com MX IN 10.0.0.1
  2.0.0.10.in-addr.arpa. PTR IN b.com
  1.0.0.10.in-addr.arpa. PTR IN a.com
  a.com IN TXT "v=spf1 +a +mx +ip4:10.0.0.1 -all"
DKIM Overview
DKIM - DomainKeys Identified Mail is a method for associating a domain name with an e-mail message; the association is set up by means of a digital signature which can be validated by recipients. The main means for DKIM are a private and a public key: the e-mail is signed with the private key on the mail server, and the recipient can verify this signature with the public key, which is stored on a DNS server.
DKIM-Signature: v=1; a=rsa-sha256; d=a.com; s=ironport;
  c=simple/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
  h=from:to:subject:date:etc;
  bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
  b=dzdVyOfAKCdLXdJ2q8LoXSlEniSbav+yuU4zGeD00lszZVoG4ZHRNiYzR
[Diagram: DKIM flow - Mail-client / Web-browser ([email protected]) → SMTP server a.com (IP 10.0.0.1, DKIM signing, add headers) → Internet → SMTP server b.com, MX 10.0.0.3 (IP 10.0.0.3, DKIM verification), which queries "b.com MX?" and "a.com DKIM?"]
DNS records in the diagram:
  b.com A IN 10.0.0.2
  b.com MX IN 10.0.0.3
  2.0.0.10.in-addr.arpa. PTR IN b.com
  ironport._domainkey.a.com. IN TXT "v=DKIM1;p=hnYvDFjxQIsdsYd.AQDSDdsSSDdAB;"
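As an added example (not code from the original slides), the checks a DKIM verifier performs before the RSA step, using the slide's DKIM-Signature header and its ironport._domainkey.a.com record: parsing the tag lists, locating the public key under s=._domainkey.d=, checking the x= expiry, and recomputing the bh= body hash with "simple" body canonicalization and the l= body-length limit. The DNS table and message bodies are constructed; the RSA verification of b= with the p= key is left out.

```python
import base64
import hashlib
import time
# Constructed DNS table; the key record is the one shown on the DKIM slide.
DNS_TXT = {
    "ironport._domainkey.a.com.": "v=DKIM1;p=hnYvDFjxQIsdsYd.AQDSDdsSSDdAB;",
}

# The DKIM-Signature value from the slide (its bh= is a dummy and x= is in 2005).
SLIDE_SIGNATURE = ("v=1; a=rsa-sha256; d=a.com; s=ironport; c=simple/simple; q=dns/txt; "
                   "l=1234; t=1117574938; x=1118006938; h=from:to:subject:date:etc; "
                   "bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=; "
                   "b=dzdVyOfAKCdLXdJ2q8LoXSlEniSbav+yuU4zGeD00lszZVoG4ZHRNiYzR")

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature header or DKIM1 record)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())   # drop folding whitespace
    return tags

def canonicalize_body_simple(body):
    """'simple' body canonicalization: CRLF line ends, trailing empty lines removed."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith("\r\n") else body + "\r\n"

def body_hash(body, length=None):
    """bh= value: base64(SHA-256) over the canonical body, cut at l= bytes if given."""
    data = canonicalize_body_simple(body).encode()
    if length is not None:
        data = data[:int(length)]   # bytes after l= are NOT covered by the signature
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def check_dkim_body(signature, body):
    """Pre-checks a verifier runs before the RSA step: tags, key lookup, expiry, bh=."""
    tags = parse_tags(signature)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return "permerror"
    key = DNS_TXT.get(f"{tags.get('s')}._domainkey.{tags.get('d')}.")
    if key is None or parse_tags(key).get("v") != "DKIM1":
        return "permerror"              # no usable public key for this d=/s= pair
    if "x" in tags and int(tags["x"]) < time.time():
        return "expired"
    if body_hash(body, tags.get("l")) != tags.get("bh"):
        return "bodyhash-mismatch"
    return "body-ok"                    # b= still has to be verified with the p= key
```

The l= case shows why verifiers treat that tag with suspicion: text appended past the signed length leaves bh= unchanged, so the body check alone says nothing about it.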