The case of the painful hands It was part of his employment conditions. He could have as much free fizzy drinks as he wanted for himself and his family. At the factory where he worked, massive quantities of this popular brew left the premises in huge delivery trucks. Destinations? As many outlets as possible. The workers at this plant were encouraged to be the greatest fans and consu
E-mail accounts in the world - 3 375 000 000
Corporate E-mail accounts - 25% .
Consumer E-mail accounts - 75%.
Territorial division of Email users:
Asia Pacific region - 49%
Europe - 22%
North America - 14%
Rest of World - 15%
Top E-mail senders, e-mails/day:
Google.com - 435 200 000
Yahoo.com - 398 800 000
Hotmail.com - 160 300 000
Microsoft.com - 63 900 000
Linkedin.com - 58 800 000
Who play major role in world SPAM traffic? A botnet is a collection of internet-connected computers whose security defenses have been breached and control ceded to a malicious party.
Spam by Spambot Type
Spheres of usage
Phishing - redirecting users to fake copies of popular sites with
identical interface by links in e-mails for stealing5 their credentials or
Advertisement - sending unwanted advertisment for numerous amount
Virus and malware - sending viruses and malware in e-mail, usually in
attachment, with goal to infect user PC with virus or troyan.
Examples: Viruses, Troyans, Keyloggers.
Social engineering - sending fake e-mails from authoritative persons or
organizations who can influence on victim further actions and
Example: Mail from your bank, from police or your boss.
Anything you can imagine
10.0.0.2 → 10.0.0.3:25
mail from: email@example.com
rctp to: firstname.lastname@example.org
Received: by 10.0.0.2 with HTTP Sun, 01 Oct Common injection techniques
SPAM injection based on spam lists from compromised hosts and open-relays.
Spoofing of SMTP session headers and e-mail headers, sending from unprotected or unvalidated SMTP servers.
Spam via message bounce mechanism
Sending of SPAM via changing sender headers for victim address and recipient headers are changed to unexistent mailbox of some popular mail server.
Sending of SPAM via sending empty «mail from» and set victim as recipient.
Common counteractions methods
Transport level - verification based on sender host information: IP address,
Headers level - verification based on SMTP and E-mail headers:
Sender level - verification of message sender headers.
Recipient level - verification of message recipient headers.
Message level - verification based on the whole message and
Transport layer mechanisms
DNS RBL - Realtime Blocking List - e.g. Senderbase.org
Black lists - list of IP addresses of hosts which send spam stored on DNS servers.
Grey lists - delaying of mail receiving on mail server for interval from 30minutes to several hour by bouncing mail from IPs without reverse DNS zones or who sends mail for first time. Nolists - specifying several MX records with different priority, where MX with highest priority will HAT - Host Acces Tables - creation of rules on mail server which IP addresses are permitted and
Filtering senders by IP sddresses, country based filtering - creating listf of IP addresses from which receiving of mail is allowed or forbidden.
Rate limiting - control of amount of messages per connection, amount of connections from certain SMTP servers.
Headers level mechanisms
LDAP - LDAP based methods are methods in which e-mail recipient address is validated through LDAP accept queries, if query is fail - mail is rejected, if query is passed - mail is accepted. SMTP-Callahead - using verification of validity of recipient through other SMTP servers. While e-mail appears on server first he asks another SMTP - static or that who is responsible for recipient domain if such recipient exists, and only after positive answer proceed with mail delivery. If answer was negative message is rejected. RAT - Recipient Access Table - mean of validation of recipients, where SMTP server can be configured to accept or reject certain domains, users, partial domains. Message level mechanisms
Antispam Engines - using on SMTP server message scanning engines like IronPort Anti Spam, Rules - every engine uses rules for defining spam, rules are frequently refreshed from rule updater server. Rule may contain sender, subject, size of message, type and size of Fingerprints - addition to the rules - used for attachment scanning, helps to define what really Antivirus engines - engines from Sophos or McAfee for csanning messages for viruses and malware, can block, quarantine, deliver viral messages dependent on policy options.
Content scanning - as usual engines which helps to scan attachments of various types and SPF/SIDF Overview
SPF/SIDF - Sender Policy Framework is an email validation system designed to
prevent email spam by detecting email spoofing by verifying sender IP addresses
against DNS SPF record.
SPF - performs check of domain from «HELO» and «Mail from» provided during SMPT session against DNS SPF record.
DNS record: a.com IN TXT "v=spf1 +ip4:10.0.0.4 -all" SIDF - performs check of domain from headers «Sender» or «From» from e-mail headers and check of «Mail from» domain from SMTP conversation.
DNS record: a.com IN TXT "spf2.0/pra,mfrom +ip4:10.0.0.4 -all" Mail-client
Adding SPF headers
+a +mx +ip4:10.0.0.1 -all
Mail from: email@example.com
Rcpt to: firstname.lastname@example.org
b.com A IN 10.0.0.2
b.com MX IN 10.0.0.3
a.com A IN 10.0.0.1
a.com MX IN 10.0.0.1
22.214.171.124.in-addr.arpa. PTR IN b.com
126.96.36.199.in-addr.arpa. PTR IN a.com
a.com IN TXT "v=spf1 +a +mx +ip4:10.0.0.1 -all"
DKIM - DomainKeys Identified Mail is a method for associating a domain name to an email
message, the association is set up by means of a digital signature which can be validated by
recipients. Maint means for DKIM are private and public keys, e-mail is signed with private key
on mail server, and recipient can verify this subscription by public key which is stored on DNS
DKIM-Signature: v=1; a=rsa-sha256; d=a.com; s=ironport;
c=simple/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
b.com A IN 10.0.0.2
b.com MX IN 10.0.0.3
188.8.131.52.in-addr.arpa. PTR IN b.com|
ironport._domainkey.a.com. IN TXT "v=DKIM1;p=hnYvDFjxQIsdsYd.AQDSDdsSSDdAB;"
Formulaire de consentement du patientÉchange du cristallin (avec insertion de lentilles intraoculaires)Dans la grande majorité des cas, l’échange du cristallin (EC) rend une personne moins dépendante de ses lunettes et de ses lentilles cornéennes. Pour être admissible à l’EC, vous devez :1. Avoir approximativement 35 ans ou plus; 2. Être un mauvais candidat pour la chirurgie au lase