1
Source pictures for the document "Thoughts about increasing spam annoyance" by <jari.aalto@cante-net>. License: This material may be distributed only subject to the terms and conditions set forth in the GNU General Public License v2 or later; or, at your option, distributed under the terms of the GNU Free Documentation License version 1.2 or later (GNU FDL).
2
How address harvesting works
A program collects items from various sources: mailing lists, Usenet newsgroups, saved addresses (addr@example.com...) and WWW pages. The collected mail addresses are later used as a false SMTP MAIL FROM: identification to send Unsolicited Bulk Email (forged addresses in mail messages).
3
Challenge-Response based authentication
Flow between bar@from.com... and foo@to.com...: Bar sends his first mail to Foo; Foo's side sends a challenge; Bar accepts and responds to the challenge; each side adds the other to its whitelist (add bar to whitelist, add foo to whitelist); Bar and Foo then exchange messages (passwords/captchas no longer needed). There are serious problems in the C-R system at points A, B and C of this flow.
4
How viruses/spam should not be treated
Mail is sent in the name of Bar (forged address, MAIL FROM:) to Foo. The scanner finds that the incoming message is spam or carrying a worm. Then either 1) the message is rejected and returned in full, or 2) a notification is sent: "Your message contained virus or spam and it was not delivered". But this person never sent that message: bar@from.com's mailbox is being filled with false notifications.
5
Challenge-Response system causing Joe-Job
(See http://cr.yp.to/smtp/mail.html; see also RFC 2821.)
(1) The spammer's messages, which all use forged addresses, arrive at FROM.COM over an SMTP connection:
    220 mailserver.from.com ESMTP
    MAIL FROM:
    250 ok
    RCPT TO:
    250 ok
    DATA
    354 ok
    Buy our product, and visit URL...
(2) Bar's C-R system falsely concludes that foo@to.com is the sender, and a challenge is sent to foo@to.com at TO.COM. "Joe-Job": a multitude of challenges are sent to the wrong address, and the more users run C-R systems, the more challenges arrive.
6
How SPF helps to prevent forgeries
(1) A spammer sends a message pretending to come from foo@from.com. The sending host (IP 111.2.3.4) is located at some ISP's address space 111.2.*.*, and opens an SMTP connection to TO.COM: "220 mailserver.to.com ESMTP..."
(2) SPF check: consult the DNS TXT record of FROM.COM. Is this message, coming from IP 111.2.3.4, authorized to send mail? The DNS configuration of from.com includes the record:
    TXT "v=spf1 ip4:64.126.106.0/24"
(3) SPF result: "No, mail did not come through our Mail Exchanger (MX)".
(4) SMTP 5xx reject ("550"): the message is returned to the sender due to the SPF result: "you did not use from.com to send mail."
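The SPF check in step (2) can be carried out as an evaluation of the MAIL FROM domain's TXT record against the connecting IP. The following is an added example, not code from the presentation: a minimal evaluator supporting only the ip4/ip6 mechanisms and the all term, with an in-memory table standing in for DNS (a real implementation queries DNS and also handles include, a, mx, redirect and the lookup limit of RFC 7208). The domain strict.example and its record are constructed for the example. It also shows a caveat the slide does not mention: the record as shown, "v=spf1 ip4:64.126.106.0/24", has no terminal -all, so per RFC 7208 an unlisted host such as 111.2.3.4 evaluates to neutral rather than fail; only the variant with -all yields the fail result that justifies the 550 reject in step (4).

```python
"""Toy SPF evaluator (added example): ip4/ip6 mechanisms and the 'all' term only."""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real check queries DNS).
FAKE_DNS_TXT = {
    "from.com": ["v=spf1 ip4:64.126.106.0/24"],             # record exactly as on the slide
    "strict.example": ["v=spf1 ip4:64.126.106.0/24 -all"],  # constructed: same record plus -all
}

# Mechanism qualifiers and the SPF result each produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf_record(domain, txt_lookup=FAKE_DNS_TXT):
    """Return the single v=spf1 TXT record for a domain, or None if there is none."""
    records = [r for r in txt_lookup.get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return None
    if len(records) > 1:
        # RFC 7208 section 3.2: more than one SPF record is a permanent error.
        raise ValueError("permerror: multiple SPF records for %s" % domain)
    return records[0]


def check_spf(client_ip, mail_from_domain, txt_lookup=FAKE_DNS_TXT):
    """Evaluate the domain's SPF record for the connecting IP.

    Returns one of: none, pass, fail, softfail, neutral.
    Raises ValueError for permanent errors (unsupported or malformed terms).
    """
    record = find_spf_record(mail_from_domain, txt_lookup)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]     # 'all' always matches
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise ValueError("permerror: bad network in %r" % term)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/ptr/exists/redirect need live DNS; not supported in this toy.
        raise ValueError("permerror: unsupported mechanism %r" % name)
    # RFC 7208 section 4.7: no mechanism matched and no 'all' term present.
    return "neutral"


def smtp_reply_for(spf_result):
    """Map the SPF result to the MTA's decision from step (4): reject only on fail."""
    if spf_result == "fail":
        return "550 5.7.1 SPF check failed: you did not use the MAIL FROM domain to send mail"
    return "250 ok"


if __name__ == "__main__":
    for ip, domain in [("111.2.3.4", "from.com"), ("111.2.3.4", "strict.example"),
                       ("64.126.106.7", "strict.example")]:
        result = check_spf(ip, domain)
        print(ip, domain, "->", result, "/", smtp_reply_for(result))
```

Run stand-alone it prints the three decisions; the spammer's host at 111.2.3.4 is only rejected against the record that ends in -all, while a host inside 64.126.106.0/24 passes in either case.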
7
How MTA level UBE prevention works
(1) SMTP connection from IP x.x.x.x to TO.COM:
    220 mailserver.to.com ESMTP
    MAIL FROM:
    250 ok
    RCPT TO:
    250 ok
    DATA
    354 ok
    Buy our product, and visit URL...
(2) Access control lists (ACL) or content filters ask: Is this mail coming from the correct location (SPF)? Is this IP in block lists? Has this email "DATA" been seen before as spam? (??)
(3) (4) Checks applied: SPF check; IP block lists (DNSBL); known bad domains; Razor2, Pyzor, DCC email spam collection checks...
(5) (6) External processes and other programs (A, B): virus scanners (ClamAV), spam checkers (SpamAssassin).
8
Procmail with a battery of statistical tools
Procmail's rules cannot reliably identify content, so external statistical (Bayesian) programs are called in a chain to determine if the message is Unsolicited Bulk Email (*.rc modules interface to the statistical programs): bogofilter, SpamProbe, Bmf, SpamOracle, ifile...
Flow: incoming mail message (Host A) -> MTA (Exim) -> LDA (Procmail) to deliver mail to user foo (Host B) -> UBE?

    # ~/.procmailrc
    SHELL = /bin/bash
    ...
    # Detect spam: each included module runs one statistical classifier
    INCLUDERC = bayes1.rc
    INCLUDERC = bayes2.rc
    ...
    # Was the message spam? Deliver to spam.mbox if the ERROR variable
    # set by the modules contains any text
    :0
    * ERROR ?? [a-z]
    spam.mbox
9
Tools
(See http://cr.yp.to/smtp/mail.html; see RFC 2821.) A "robot" program making a collection of email addresses; RFC libraries. The spammer injects messages over an SMTP connection to TO.COM; all use a forged address:
    220 mailserver.target.net ESMTP
    MAIL FROM:
    250 ok
    RCPT TO:
    250 ok
    DATA
    354 ok
    Buy our product, and visit URL...