anti-spam techniques beyond Bayesian filters

Similar documents
Network Working Group. Category: Experimental pobox.com April 2006

COSC 301 Network Management. Lecture 14: Electronic Mail

SPF (Sender Policy Framework)

. SMTP, POP, and IMAP

Mail Assure Quick Start Guide

Fortinet.Certdumps.FCESP.v by.Zocki.81q. Exam Code: FCESP. Exam Name: Fortinet Certified Security Professional

SPF classic. Przemek Jaroszewski CERT Polska / NASK The 17th TF-CSIRT and FIRST joint Event, Amsterdam, January 2006

Mail Assure. Quick Start Guide

Ciphermail Webmail Messenger Administration Guide

Comodo Dome Antispam Software Version 6.0

Filtering 7 April 2014

CSN09101 Networked Services. Module Leader: Dr Gordon Russell Lecturers: G. Russell

Handling unwanted . What are the main sources of junk ?

Untitled Page. Help Documentation

Introduction to Antispam Practices

SMTP Settings for Magento 2

Over 99% of s are SPAM! Useless for mankind!

CS 43: Computer Networks. 12: and SMTP September 28, 2018

Deliverability Terms

S a p m a m a n a d n d H a H m 성균관대학교 최형기

Network Working Group Request for Comments: 4408 Category: Experimental April 2006

SMTP Scanner Creation

Comodo Dome Antispam Software Version 6.0

Defining Which Hosts Are Allowed to Connect Using the Host Access Table

MxVault Questions and Answers

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

NSE6_FML exam.14q

Status Node Reference

The Application Layer: & SMTP

Vendor: Cisco. Exam Code: Exam Name: ESFE Cisco Security Field Engineer Specialist. Version: Demo

Step 2 - Deploy Advanced Security for Exchange Server

Error Codes have 3 Digits

Network Working Group. Expires: November 21, 2005 May 20, 2005

Ethical Hacking and. Version 6. Spamming

Defining Which Hosts Are Allowed to Connect Using the Host Access Table

SMTP Extension for Alternate Recipient Delivery Option (draft-melnikov-smtp-altrecip-on-error-00.txt)

SMTP Relay set up. Technical team

Network Working Group. Expires: June 30, 2005 December 30, 2004

Electronic Mail. Prof. Indranil Sen Gupta. Professor, Dept. of Computer Science & Engineering Indian Institute of Technology Kharagpur

Application: Electronic Mail

Mail agents. Introduction to Internet Mail. Message format (1) Message format (2)

Introduction to Internet Mail. Philip Hazel. University of Cambridge Computing Service. Mail agents

Internet Technology. 03r. Application layer protocols: . Paul Krzyzanowski. Rutgers University. Spring 2016

Exchange 2010 Smtp Error Code Unable To Relay

CSC 4900 Computer Networks:

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Internet Electronic Mail

Category: Standards Track April Message Header Field for Indicating Message Authentication Status

CIT 470: Advanced Network and System Administration. Topics. Mail Policies.

SMTP Mail. February 14, 2012 Lotus Mail Routing Team IBM Corporation

BOTNET-GENERATED SPAM

Best Practices. Kevin Chege

Lab 3.4.3: Services and Protocols

Chapter 62 Simple Mail Transfer Protocol

Debian/GNU Linux Mailing

Installation & Configuration Guide Version 1.4

Networking Revision. TCP/IP Protocol Stack & OSI reference model. Basic Protocols. TCP/IP Model ANTHONY KAO NETWORKING FINAL EXAM SPRING 2014 REVISION

Mail Protocol, Postfix and Mail security

CompSci 356: Computer Network Architectures. Lecture 23: Application Layer Protocols Chapter 9.1. Xiaowei Yang

Outline. EEC-484/584 Computer Networks. Slow Start Algorithm. Internet Congestion Control Algorithm

CCNA Exploration1 Chapter 3: Application Layer Functionality and Protocols

How Internet Works

Managing Spam. To access the spam settings in admin panel: 1. Login to the admin panel by entering valid login credentials.

Forward set up. Technical team

Marketing 201. March, Craig Stouffer, Pinpointe Marketing (408) x125

Objectives CINS/F1-01

Standard Smtp Error Code Unable To

Securing, Protecting, and Managing the Flow of Corporate Communications

Obsoletes: 4408 (if approved) October 22, 2012 Intended status: Standards Track Expires: April 25, 2013

Internet Engineering Task Force (IETF) Request for Comments: 7601 August 2015 Obsoletes: 7001, 7410 Category: Standards Track ISSN:

Chapter 2 Application Layer

Security Protection

Anti-Spam. Overview of Anti-Spam Scanning

Debian/GNU Linux Mailing

Documentation for: MTA developers

Factors that Impact Deliverability

Synology MailPlus Server Administrator's Guide. Based on MailPlus Server 1.4.0

Investigating . Tracing & Recovery

Anti-Spoofing. Inbound SPF Settings

FortiMail Gateway Setup and Configuration Technical Note

CSC 401 Data and Computer Communications Networks

WeCloud Security. Administrator's Guide

Version SurfControl RiskFilter - Administrator's Guide

Network Working Group. Updates: 1894 June 2000 Category: Standards Track

Office 365: Secure configuration

Anti-Spam. Overview of Anti-Spam Scanning

Technical Note. FortiMail Best Practices Version 3.0 MR4.

Franzes Francisco Manila IBM Domino Server Crash and Messaging

Technical description

ESFE Cisco Security Field Engineer Specialist

Internet Engineering Task Force (IETF) Obsoletes: 4408 April 2014 Category: Standards Track ISSN:

MDaemon Vs. IceWarp Unified Communications Server

InterScan Messaging Security Virtual Appliance (IMSVA) Sender Policy Framework. Best practice guide for versions 9.0 and 9.1

Table of Contents Control Panel Access... 1 Incoming... 6 Outgoing Archive Protection Report Whitelist / Blacklist...

Expires July 1999 February 26, Simple Mail Transfer Protocol. draft-ietf-drums-smtpupd-10.txt. Status of this Memo

Hit the Ground Spam(fight)ing

Using Trustwave SEG Cloud with Exchange Online

ECE 435 Network Engineering Lecture 6

Test-king q

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Transcription:

anti-spam techniques beyond Bayesian filters

Plain Old SMTP protocol overview Grey-Listing save resources on receiver side Authentication of Senders Sender ID Framework DomainKeys signingbased IP-based

smtpintro

smtpintro simple mail transfer protocol MUA sending MTA SMTP receiving MTA Alice relaying POP IMAP mailbox MUA Bob

S: 220 tik6.ethz.ch ESMTP Postfix C: HELO student.ethz.ch S: 250 tik6.ethz.ch C: MAIL FROM:<fabio@student.ethz.ch> envelope sender S: 250 Ok C: RCPT TO:<nburri@tik.ee.ethz.ch> envelope receiver S: 250 Ok C: DATA S: 354 End data with <CR><LF>.<CR><LF> C: Subject: Test From: Fabio Lanfranchi headers To: Nicolas Burri Hello, World! message body. S: 250 Ok: queued as 6CDB86ADD7 C: QUIT S: 221 Bye

smtpstatus not sending directly multiple recipients temporary problems server reply messages 2XX positive completion 3XX positive intermediate retry after: 30 min (1st) 60 min (2nd) every 2 to 3 h 4XX transient negative completion 5XX permanent negative completion

spamdisaster RFC 821 (August 1982) no sender authentication message forged or authentic? spam, spoofing, viruses, phishing make transmission appear to come from another user trick users into providing personal information

dnsrecords domain name system class (internet) type dcg.ethz.ch. IN CNAME pc-4650.ethz.ch. pc-4650.ethz.ch. IN A 129.132.57.243 tik.ee.ethz.ch. IN MX tik6.ethz.ch. tik6.ethz.ch. IN A 129.132.119.136 mail exchange

antispam techniques (today) keyword filtering black-listing problems false positives cost on receiver side

greylisting

greylisting Evan Herris (2003) blocking technique on MTA level save resources on receiving MTA make life harder for spammers require minimal maintenance have minimal impact on users

S: 220 tardis.ee.ethz.ch ESMTP Postfix C: HELO fabio.ch S: 250 tardis.ee.ethz.ch C: MAIL FROM:<mail@fabio.ch> S: 250 Ok C: RCPT TO:<oetiker@ee.ethz.ch> S: 450 Greylisted for 300 seconds C: QUIT recipent address rejected S: 221 Bye

greylisting store triplet in database client IP address envelope sender envelope receiver additional information first seen expiry of blocking, expiry of record counters: blocks, passes

greylisting first attempt refuse delivery (4XX error) block triplet for some minutes second attempt unblock triplet accept message aging of record delete it after a month

greylisting spam and viruses «fire and forget» methodology 95% effectiveness

greylisting no content, no overhead less resource usage for filtering no false positives database allows traffic analysis blacklists more effective lot of work for spammers

greylisting delivery delays problems with multiple mail servers per domain mailing lists: changing sender address adaption by spammers experts say: within 1 year

senderid

senderid Sender ID Framework a merger and refinement of proposals SPF (Sender Policy Framework) inspired by RMX and DMP Microsoft Caller ID industry collaboration AOL, Microsoft, IBM, VeriSign

senderid create multiple choke points protects sender's domain from spoofing and phishing: receivers validate origin of mail prevent «before it happens» a foundation for the reliable use of domain names in accreditation, reputation and safe lists the first step industry need to take together use of existing services: DNS and SMTP

senderid framework of technical specifications DNS Sender ID Record (SPF) Check MAIL FROM Classic SPF PRA (Microsoft) SMTP SUBMITTER SMTP Optimization

senderid senders publish IP addresses of outbound email servers in DNS receivers determine which domain to check Purported responsible domain (PRA) Envelope From (Classic SPF) receivers query DNS for the outbound email servers of the chosen domain and perform domain spoofing test

senderid 192.0.2.2 initiates an SMTP connection Sender «Hey, I'm sending you mail from somebody@sender.com» Receiver receiver MTA performs IP-based authentication «Never heard of it dude. Do me a favor and reject that message.» «Hey, do you know anything about 192.0.2.2?» sender.com has an SPF record Name Server

rmxrecords Reverse MX (Hadmut Danisch, 2003) example.com. IN RMX "ip4:10.0.0.0" IN RMX "host:relay.example.com" IN RMX "apl:relays.provider.de" relays.provider.de. IN APL "213.133.101.22 1.2.3.0/24" Allowed hosts: 10.0.0.0, relay.example.com, 213.133.101.22, and 1.2.3.0/24

dmprecords Designated Mailer Protocol (Gordon Fecyk, 2003) 1.2.0.192.in-addr._smtp_client.example.com. IN TXT "dmp=allow" 2.2.0.192.in-addr._smtp_client.example.com. IN TXT "dmp=allow" *.in-addr._smtp_client.example.com. IN TXT "dmp=deny" Allowed hosts: 192.0.2.1 and 192.0.2.2

rmxvsdmp Danisch RMX Fecyk DMP large entries potentially IP-address specific DNS extension RMX record type TXT records indirection pointers to APL list for each domain dynamic hostnames DynDNS pointer update records CIDR notation built into APL byte boundary joe-job notification static mailhost list DNS logs DNS caching save bandwidth IP-specific

spfrecords Sender Permitted From (Meng Weng Wong, 2004) spammer.com. IN TXT "v=spf1 +all" gmx.net. gmx.de. *.ethz.ch. IN TXT "v=spf1 ip4:213.165.64.0/23 -all" IN TXT "v=spf1 include:gmx.net -all" IN TXT "v=spf1 +mx +a:smtp.ethz.ch -all" *.dialup.ch. IN TXT "v=spf1 exists:%{ir}.%{lr}._spf.%{d} -all" 192.0.2.1 sends email as <someuser@dialup.ch> resulting query: 1.2.0.192.someuser._spf.dialup.ch

senderid PRA (Microsoft patent) validates identity seen by user parses headers and tries to find out the entity most recently responsible for injecting a message into the email system Classic SPF validates MAIL FROM address (return-path)

senderid check_host() from SPF specification check_host(<ip>, <domain>, <sender>) domain is badly formed => return FAIL sender has no local part => assume postmaster fetch DNS records for domain or return FAIL // SPF entry denies relay or return TEMPERROR // DNS server down or return NONE // SPF entry doesn't exist or return PERMERROR // syntax error in SPF entry Based on this information other tools and techniques can be applied to identify spoofing and spamming. (e.g. keyword filtering)

senderid Forwarding someuser@example.com sends email to fabio@student.ethz.ch that is forwarded to mail@fabio.ch MAIL FROM: <someuser@example.com> Mailing Lists mailing list list@example.com MAIL FROM: <list@example.com> add a Resent-From: header => PRA can find out last sender add a Sender: header => PRA can find out last sender

senderid SUBMITTER SMTP extension S: 220 fabio.ch ESMTP Postfix C: EHLO student.ethz.ch S: 250-SUBMITTER S: 250 Ok C: MAIL FROM:<somuser@example.com> SUBMITTER=<fabio@student.ethz.ch> S: 250 Ok C: RCPT TO:<mail@fabio.ch> S: 250 Ok SPF Classic doesn't need to look at headers to decide if sender is allowed to relay email for a domain.

domainkeys proposal by Yahoo (August 2004) provider generates public/private key pairs public key is published in DNS outgoing email is signed with private key receiver incoming mail against public key

SPF Classic and DomainKeys to authenticate senders of email Reputation lists will help receivers decide if a mail from an authenticated sender is desirable or undesirable.

senderid today 3 years + Greylisting, Blacklisting, Keyword Filtering Sender ID Framework Signing Solutions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback