An Anti-Spam Method with SMTP Session Abort Nariyoshi YAMAI 1 Kiyohiko OKAYAMA 1 Takumi SEIKE 1 Keita KAWANO 1 Motonori NAKAMURA 2 Shin MARUYAMA 3 1 Okayama.

Presentation transcript:

An Anti-Spam Method with SMTP Session Abort
Nariyoshi YAMAI (1), Kiyohiko OKAYAMA (1), Takumi SEIKE (1), Keita KAWANO (1), Motonori NAKAMURA (2), Shin MARUYAMA (3)
(1) Okayama University, Japan
(2) National Institute of Informatics, Japan
(3) CO-CONV Corporation, Japan

2008/3/27 MIT Spam Conference

Contents
– Existing anti-spam methods
– Anti-spam method with SMTP session abort
– Implementation and evaluation of prototype system
– Conclusions

Existing anti-spam methods

Tempfailing (1)
– Utilizes difference of MTA behavior after temporary error
  – Legitimate MTAs
    – Retry to send the temporarily failed messages
  – Spam sending MTAs
    – Prefer throughput
    – Give up resending the temporarily failed messages

Tempfailing (2)
[Diagram. Panels: first delivery, second delivery. Labels: spam sending MTA, legitimate MTA, MTA, recipients, temporary error, retry. The MTA saves the triplet (Sender IP, SMTP From, SMTP To).]

Tempfailing (3)
Problems
– RFC 2821: Sending Strategy (excerpt)
  "The sender MUST delay retrying a particular destination after one attempt has failed. In general, the retry interval SHOULD be at least 30 minutes."
– Causes large delay for legitimate mail delivery

Tempfailing (4)
Problems (cont.)
– Utilizes the following triplet for retransmission judgment: (Sender IP, SMTP From, SMTP To)
– Rejects retries from a different MTA

Tempfailing (5)
Problems (cont.)
– Rejects before receiving header/body
– Logs only the triplet (Sender IP, SMTP From, SMTP To)
– Difficult to recover false positives

Distributed collaborative filter
[Diagram. Labels: spam sending MTA, MTA, recipients, spam database, check, found, not found, spam, register.]
– Only messages already read by existent recipients can be filtered out

Anti-spam method with SMTP session abort

Summary of known problems
– (Tempfailing) Large delay
– (Tempfailing) Retries from a different MTA
– (Tempfailing) Recovery from false positives
– (Distributed collaborative filter) only messages read by recipients into DB

Features of the proposed method
Known problems
– (Tempfailing) Large delay
– (Tempfailing) Retries from a different MTA
– (Tempfailing) Recovery from false positives
– (Distributed collaborative filter) only messages read by recipients into DB
Features
– Introducing two mail gateways (MGs)
– Immediate fallback to the secondary MG
– SMTP session abort function
– Preserving header/body on first attempt
– Retransmission judgment with Message-ID or checksum instead of IP
– Automatic registration of unresent/undeliverable messages
– Early registration of many spam mails

System layout and behavior (1)
[Diagram. Labels: organization, inside MTA, recipients, spam database, primary mail gateway, secondary mail gateway, sender MTA, TCP segment (RST), SMTP session abort, retry, header/body.]
– After SMTP session to the primary MG is aborted, a legitimate MTA usually sends the message to the secondary MG immediately.
– Reducing delay of legitimate mail delivery
– Check triplet (MsgID/checksum, SMTP From, SMTP To)
– Retransmission judgment based on header (MsgID) or body (checksum)
– Preserving header/body in case of false positive

System layout and behavior (2-1)
[Diagram. Labels: organization, inside MTA, recipients, spam database, primary mail gateway, secondary mail gateway, spam sending MTA, undeliverable RCPT TO, recipient check, unknown recipient, register header/body, SMTP session abort.]

System layout and behavior (2-2)
[Diagram. Labels: organization, inside MTA, recipients, spam database, primary mail gateway, secondary mail gateway, sender MTA, formerly deliverable RCPT TO, recipient check, unknown recipient, register header/body, SMTP session abort, cancel.]
– Automatic registration of unresent/undeliverable messages

User preference of abort timing (1)
– Affects network traffic and delay
– Possible options
  – Accept
    – No session abort
  – Header
    – Abort after End of Header
    – Low traffic/delay
  – Body
    – Abort after End of Message
    – Easy recovery on false positives

User preference of abort timing (2)
[Diagram. Labels: organization, inside MTA, A, B, C, spam database, primary mail gateway, secondary mail gateway, sender MTA, RCPT TO: A, RCPT TO: B, RCPT TO: C, accept, header/body, SMTP session abort at end of message.]

Implementation and evaluation of prototype system

Prototype system implementation
– Platform
  – FreeBSD with sendmail & DCC
– SMTP session abort function
  – An external program using "ipfw"
– Retransmission judgment
  – (Message-ID, SMTP From, SMTP To)

First operation test (1)
– Objectives
  – Performance evaluation of blocking/filtering
– Test domains
  – Some sub-domains in okayama-u.ac.jp
  – Already obsolete five years before
  – To be removed in one month
  – Some legitimate mails were possibly sent to these domains
– Test period
  – Seven days from Jan. 29 to Feb. 5th, 2006

First operation test (2)
Result

Number of mails processed              54,719
Number of mails blocked                44,303
Number of mails received               10,416
Number of mails filtered out by DCC     2,180

– 81% (44303/54719) of mails processed were blocked by SMTP session abort
– 20% (2180/10416) of mails received were filtered out by DCC
– NB: we counted both legitimate mails and spam mails.

Second operation test (1)
– Objectives
  – Comparison with conventional tempfailing as for processing of legitimate mails
– Test domain
  – New sub-domain dedicated for this test
  – Only 1 IP address available
    – Two MGs have the same IP address
    – Usual in small companies in Japan

Second operation test (2)
Result

Domain (service)                  MTA       Resend  Different MTA  Min. interval (sec)
cc.okayama-u.ac.jp (Univ.)        sendmail  YES     NO             0
nifty.com (ISP)                   sendmail  YES     NO             1
listbox.com (ML)                  postfix   YES     NO             1
yahoo.com (free mail)             ?         YES     NO             10
gmail.com (free mail)             ?         YES                    385
aol.com (free mail)               ?         YES     NO             6
hotmail.com (free mail)           SMTPSVC   YES     NO             6
yahoogroups.jp (free ML)          ?         YES     NO             1
freeml.com (free ML)              qmail     YES     NO             399
mag2.com (mail magazine)          qmail     YES     NO             3264
trashmail.net (anonymous mail)    postfix   YES     NO             6

– All messages even from gmail.com were accepted without whitelist
– Small delays of mail delivery from many domains
– Some domains using qmail still had large delays

Possible false positives
– Messages without Message-ID
  – Use Date: field (mandatory), or
  – Use the checksum of the body
– MTAs without retransmission
  – Can recover lost headers/bodies easily
  – Find such MTAs and register them into whitelist
– MTAs changing SMTP From address
  – Use (Message-ID, SMTP To) without SMTP From for retransmission judgment
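
Added example (not part of the original presentation, and not the prototype's code): a Python model of the retransmission judgment described in the slides, covering the (Message-ID, SMTP From, SMTP To) key, the body-checksum fallback for messages without a Message-ID, the option to drop SMTP From, and automatic registration of unresent messages. The class name, the single state store shared by both gateways, SHA-256 as the checksum, the max_wait timeout and the sample messages are assumptions.

```python
import hashlib
from email import message_from_bytes

# Constructed sample messages (not from the presentation).
LEGIT = b"From: a@example.org\r\nMessage-ID: <1@example.org>\r\n\r\nhello\r\n"
NO_ID = b"From: b@example.net\r\nSubject: offer\r\n\r\nbuy now\r\n"


class RetransmissionJudge:
    """Gateway decision state shared by both MGs (hypothetical model)."""

    def __init__(self, use_from=True):
        self.use_from = use_from  # False: key on (id, SMTP To) only
        self.pending = {}         # key -> (first_seen, preserved message)
        self.spam_db = []         # stand-in for the spam database

    def key(self, raw, smtp_from, smtp_to):
        ident = message_from_bytes(raw)["Message-ID"]
        if ident is None:
            # No Message-ID: fall back to a checksum of the body.
            # SHA-256 is an assumption; the slides name no algorithm.
            body = raw.partition(b"\r\n\r\n")[2]
            ident = "sha256:" + hashlib.sha256(body).hexdigest()
        sender = smtp_from if self.use_from else None
        return (str(ident).strip(), sender, smtp_to)

    def on_message(self, raw, smtp_from, smtp_to, now):
        """Return 'abort' on a first attempt, 'accept' on a retransmission."""
        k = self.key(raw, smtp_from, smtp_to)
        if k in self.pending:
            del self.pending[k]
            return "accept"  # the sender IP plays no part in the match
        # Header/body are kept so a false positive can be recovered.
        self.pending[k] = (now, raw)
        return "abort"  # the gateway would reset the TCP session here

    def expire(self, now, max_wait):
        """Register messages not resent within max_wait seconds as spam."""
        stale = [k for k, (t, _) in self.pending.items()
                 if now - t > max_wait]
        for k in stale:
            self.spam_db.append(self.pending.pop(k)[1])
        return len(stale)
```

With use_from=False the key matches the slide's (Message-ID, SMTP To) variant for MTAs that change the SMTP From address between attempts.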

Conclusions

Conclusions
– Combination of three functions
  – Tempfailing
  – Distributed collaborative filter
  – SMTP session abort
– Reduces the drawbacks of existing two methods
– Future works
  – Long term actual performance evaluation
  – Combination with on-the-fly filters

Questions? Please speak slowly and clearly