Wisc.org.ua

Statistics
E-mail accounts in the world - 3 375 000 000
➢
Corporate E-mail accounts - 25% .
Consumer E-mail accounts - 75%.
Territorial division of Email users:
➢
Asia Pacific region - 49%
Europe - 22%
North America - 14%
Rest of World - 15%
Top E-mail senders, e-mails/day:
➢
Google.com - 435 200 000
Yahoo.com - 398 800 000
Hotmail.com - 160 300 000
Microsoft.com - 63 900 000
Linkedin.com - 58 800 000
Who play major role in world SPAM traffic? A botnet is a collection of internet-connected computers whose security defenses have been breached and control ceded to a malicious party.
Spam by Spambot Type
Spheres of usage
Phishing - redirecting users to fake copies of popular sites with
identical interface by links in e-mails for stealing5 their credentials or
personal data.
Advertisement - sending unwanted advertisment for numerous amount
of e-mails.
Virus and malware - sending viruses and malware in e-mail, usually in
attachment, with goal to infect user PC with virus or troyan.
Examples: Viruses, Troyans, Keyloggers.
Social engineering - sending fake e-mails from authoritative persons or
organizations who can influence on victim further actions and
behaviour.
Example: Mail from your bank, from police or your boss.
Anything you can imagine
E-mail structure
TCP session
10.0.0.2 → 10.0.0.3:25
Headers:
SMTP session
mail from: a@wisc.ua
rctp to: b@wisc.ua
Received: by 10.0.0.2 with HTTP Sun, 01 Oct Common injection techniques
Bulk Injection
SPAM injection based on spam lists from compromised hosts and open-relays.
Headers spoofing
Spoofing of SMTP session headers and e-mail headers, sending from unprotected or unvalidated SMTP servers.
Spam via message bounce mechanism
Sending of SPAM via changing sender headers for victim address and recipient headers are changed to unexistent mailbox of some popular mail server.
Sending of SPAM via sending empty «mail from» and set victim as recipient.
Common counteractions methods
Transport level - verification based on sender host information: IP address,
Headers level - verification based on SMTP and E-mail headers:
➢
Sender level - verification of message sender headers.
Recipient level - verification of message recipient headers.
Message level - verification based on the whole message and
Transport layer mechanisms
DNS RBL - Realtime Blocking List - e.g. Senderbase.org
●
Black lists - list of IP addresses of hosts which send spam stored on DNS servers.
Grey lists - delaying of mail receiving on mail server for interval from 30minutes to several hour by bouncing mail from IPs without reverse DNS zones or who sends mail for first time. Nolists - specifying several MX records with different priority, where MX with highest priority will HAT - Host Acces Tables - creation of rules on mail server which IP addresses are permitted and
Filtering senders by IP sddresses, country based filtering - creating listf of IP addresses from which receiving of mail is allowed or forbidden.
Rate limiting - control of amount of messages per connection, amount of connections from certain SMTP servers.
Headers level mechanisms
LDAP - LDAP based methods are methods in which e-mail recipient address is validated through LDAP accept queries, if query is fail - mail is rejected, if query is passed - mail is accepted. SMTP-Callahead - using verification of validity of recipient through other SMTP servers. While e-mail appears on server first he asks another SMTP - static or that who is responsible for recipient domain if such recipient exists, and only after positive answer proceed with mail delivery. If answer was negative message is rejected. RAT - Recipient Access Table - mean of validation of recipients, where SMTP server can be configured to accept or reject certain domains, users, partial domains. Message level mechanisms
Mail server
Incoming
Antispam
Antivirus
scanning
delivery
Antispam Engines - using on SMTP server message scanning engines like IronPort Anti Spam, Rules - every engine uses rules for defining spam, rules are frequently refreshed from rule updater server. Rule may contain sender, subject, size of message, type and size of Fingerprints - addition to the rules - used for attachment scanning, helps to define what really Antivirus engines - engines from Sophos or McAfee for csanning messages for viruses and malware, can block, quarantine, deliver viral messages dependent on policy options.
Content scanning - as usual engines which helps to scan attachments of various types and SPF/SIDF Overview
SPF/SIDF - Sender Policy Framework is an email validation system designed to
prevent email spam by detecting email spoofing by verifying sender IP addresses
against DNS SPF record.
SPF - performs check of domain from «HELO» and «Mail from» provided during SMPT session against DNS SPF record.
DNS record: a.com IN TXT "v=spf1 +ip4:10.0.0.4 -all" SIDF - performs check of domain from headers «Sender» or «From» from e-mail headers and check of «Mail from» domain from SMTP conversation.
DNS record: a.com IN TXT "spf2.0/pra,mfrom +ip4:10.0.0.4 -all" Mail-client
Web-browser
Adding SPF headers
MX 10.0.0.3
+a +mx +ip4:10.0.0.1 -all
Internet
SMTP server
SMTP server
IP: 10.0.0.1
EHLO a.com
Mail from: bob@a.com
IP: 10.0.0.3
b.com MX?
Rcpt to: ted@b.com
Data
a.com SPF?
From:bob@a.com
b.com A IN 10.0.0.2
b.com MX IN 10.0.0.3
a.com A IN 10.0.0.1
a.com MX IN 10.0.0.1
2.0.0.10.in-addr.arpa. PTR IN b.com
1.0.0.10.in-addr.arpa. PTR IN a.com
a.com IN TXT "v=spf1 +a +mx +ip4:10.0.0.1 -all"
DKIM Overview
DKIM - DomainKeys Identified Mail is a method for associating a domain name to an email
message, the association is set up by means of a digital signature which can be validated by
recipients. Maint means for DKIM are private and public keys, e-mail is signed with private key
on mail server, and recipient can verify this subscription by public key which is stored on DNS
server.
DKIM-Signature: v=1; a=rsa-sha256; d=a.com; s=ironport;

c=simple/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
h=from:to:subject:date:etc;
bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
b=dzdVyOfAKCdLXdJ2q8LoXSlEniSbav+yuU4zGeD00lszZVoG4ZHRNiYzR
Mail-client
Web-browser
bob@a.com
DKIM signing
DKIM verification
MX 10.0.0.3
Add headers
Internet
SMTP server
SMTP server
IP: 10.0.0.1
IP: 10.0.0.3
b.com MX?
a.com DKIM?
b.com A IN 10.0.0.2
b.com MX IN 10.0.0.3
2.0.0.10.in-addr.arpa. PTR IN b.com|
ironport._domainkey.a.com. IN TXT "v=DKIM1;p=hnYvDFjxQIsdsYd.AQDSDdsSSDdAB;"

Source: http://wisc.org.ua/mat/PavloKhromchak_BotnetsConteraction.pdf