??SMTP???Email Spam????? - PowerPoint PPT Presentation

Description: SMTP Email Spam. Email: center7@cc.ncu.edu.tw
Slides: 52
Provided by: ncu83
Tags: ipv6 | smtp | email | header | spam

Transcript and Presenter's Notes

1
??SMTP???Email Spam????? 
  • ???? ????
  • ???
  • Email: center7@cc.ncu.edu.tw

2
Outline
  • 1.????
  • 2.??SMTP?????
  • 3.Spam???SMTP?????
  • 4.Spam ???????
  • 5.??

3
1.????
  • ?? Email Spam ??
  • IP ??????
  • ?? Routing Table
  • RWhois????
  • Spam event ?????
  • ??SMTP?????
  • Flow count ??
  • Packet Density
  • ????SMTP???????spam relay/sender ???

4
2.SMTP? Spam??
  • SMTP ??
  • Client??DNS MX list,????delivery route
  • ??sender?receiver????mail relay/server
  • ? reverse-path??mail header
  • ?SMTP relay??????,?SMTP route????
  • relay?????
  • ???relay ????/????.
  • ???deliver relay
  • ????????mailbox.

5
  • Spam
  • UCE (Unsolicited Commercial Email)
  • spammer????????
  • ???? newsgroup (BBS boards)
  • Join mailing list
  • ???mail addresses
  • ??????mail account
  • Regular sequence mail account
  • ??/????????

6
  • Spammer
  • ??????,??????????????
  • Internet??
  • ?????????,???????/??/????spam.
  • ISP
  • ?????????????????junk mails
  • ??mail?????

7
  • ????????spam complain
  • Spammer????????
  • ??????SMTP server ??spam relay/sender
  • ??????????newsgroup/mailing list?mail accounts
  • ????mail???????????
  • ??????.??????????
  • ??/??????spam.

8
  • ??Spam?????????
  • (1)??/??Spam event
  • ???? spam relay/sender
  • ??millions of spams
  • (2)?????spammer?????
  • SMTP????
  • ???????

9
  • ??/??Spam event
  • ??????abuse Email??
  • abuse@domain, spam@domain, security@domain
  • ????IP???Spam/ Junk???.
  • ????
  • ??spam route,???????relay servers
  • Received, From ???
  • ????????relay server???
  • Report?spam report site
  • e.g. spamcop.net
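
The route-tracing step of slide 9 (read the Received headers, find the relay that delivered the spam to us, report that host) and the parsing step of the abuse-mailbox procedure on slide 47, as an added Python example that is not part of the original presentation. The message, the outside hostnames and addresses are constructed; the assumption that 140.115.0.0/16 is "our" address space follows the NCU addresses shown on later slides.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a spam message as it would sit in the abuse mailbox after
# passing through one outside relay and two of our own servers. Hostnames and
# the outside addresses are made up for this example.
SAMPLE = """\
Return-Path: <marketing44@example-sender.test>
Received: from smtp3.cc.ncu.edu.tw (smtp3.cc.ncu.edu.tw [140.115.17.89])
\tby mail.cc.ncu.edu.tw (8.12.10/8.12.10) with ESMTP id hA3CP8k1016181
\tfor <u9043700@cc.ncu.edu.tw>; Mon, 3 Nov 2003 20:26:51 +0800
Received: from relay.example-isp.test ([163.25.154.253])
\tby smtp3.cc.ncu.edu.tw (8.12.10/8.12.10) with SMTP id hA3CPot1007645
\tfor <u9043700@cc.ncu.edu.tw>; Mon, 3 Nov 2003 20:25:58 +0800
Received: from dialup-77.example-sender.test (unknown [198.51.100.77])
\tby relay.example-isp.test with SMTP; Mon, 3 Nov 2003 20:25:40 +0800
From: "Marketing" <marketing44@example-sender.test>
To: u9043700@cc.ncu.edu.tw
Subject: special offer
Message-ID: <200311031225.hA3CPot1007645@smtp3.cc.ncu.edu.tw>

buy now
"""

# Assumption: the MTAs whose Received lines we trust live in our own network.
OUR_NETS = [ipaddress.ip_network("140.115.0.0/16")]

# "from <helo-name> (<reverse-dns> [<ip>]) by <our-host> ..." as written by sendmail
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_ours(ip):
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETS)


def parse_hops(raw):
    """Received headers, newest first: every MTA prepends its own line, so the
    top line was written by the last server and the bottom line by the first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        text = " ".join(hdr.split())            # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group("info"))
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"), "time": text.rsplit(";", 1)[-1].strip()})
    return hops


def relay_to_report(hops):
    """Walk from the newest line downward and stop at the first sending IP that is
    not ours. That host handed the message to us, and the line recording it was
    written by our own MTA, so the spammer cannot have forged it. Every line
    below it was written by hosts we do not control and may be fabricated."""
    for hop in hops:
        if hop["ip"] and not is_ours(hop["ip"]):
            return hop
    return None


def trace(raw):
    """Summary for the abuse report: trusted relay to report plus the claimed origin."""
    hops = parse_hops(raw)
    culprit = relay_to_report(hops)
    return {"hops": hops,
            "report": culprit["ip"] if culprit else None,
            "claimed_origin": hops[-1]["ip"] if hops else None}


if __name__ == "__main__":
    result = trace(SAMPLE)
    for hop in result["hops"]:
        print(f"{hop['ip']:>16}  {hop['helo']}  ->  {hop['by']}  ({hop['time']})")
    print("report to owner of:", result["report"])
    print("claimed origin (unverified):", result["claimed_origin"])
```

The split between `report` and `claimed_origin` is the point: the bottom Received line names 198.51.100.77, but only the relay at 163.25.154.253 is attested by our own server, so that is the address to run through the RWhois lookup and complain about.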

10
  • ?????spammer?????
  • ??Spam ????,????SMTP?????
  • Intensity: an obviously high SMTP connection count
  • Iteration: lasts for several hours
  • ??????????mail??
  • ??Check /var/log/maillog
  • ??Check user mailbox
  • ????????, ????????

11
  • ???Email Spam (2003, July to November)
  • ?????????Spam mail??????.
  • ???abuse????
  • Spamcop.net ??
  • ????? relay server/sender
  • myNetWatch ??
  • CodeRed/Nimda ???? (80/TCP)
  • SYN Flooding (445/TCP, 17300/TCP, ...)
  • ????????
  • ????????eDonkey?????????
  • Others

12
Table 1 ?????Abuse????? (2003)
Month   Spam hosts   SYN flooding   Infringer hosts
Jul     5            18             6
Aug     15           22             5
Sep     20           0              9
Oct     11           3              6
Nov     7            1              12
13
3??SMTP?????
  • ??SMTP?????
  • Spam????
  • Intensity: an obviously high frequency of SMTP connections
  • Iteration: lasts for many hours
  • Mean packet size
  • less than 100 bytes per packet
  • more than 100 bytes per packet

14
  • Transport-layer traffic logs
  • All network operators depend on quantifiable traffic-log data to evaluate network performance
  • tcpdump
  • NetFlow, sFlow
  • Others

15
  • tcpdump
  • a raw packet capture program
  • gathers the layer-4 (transport) traffic logs
  • the dumped transport log carries the detailed fields of each IP packet header:
  • source/destination IP addresses
  • source/destination application ports
  • protocol identifier
  • number of packets
  • number of bytes
  • TCP flags

16
  • NetFlow
  • router ??????
  • flow-based layer-4 transport traffic log:
  • source/destination IP address
  • source/destination application port
  • source/destination interface
  • protocol identifier
  • packet count
  • byte count

17
  • ??Netflow log???????SMTP??
  • Accumulate per-source SMTP flow (smtp_flow) connection-count statistics
  • NetFlow logs gathered from the router of the aggregate network
  • Threshold_100_flow
  • fewer than 100 connections: 99.72%
  • more than 100 connections: 0.28%
  • Threshold_30_flow
  • fewer than 30 connections: 98.61%

18
Table 2. ???SMTP Flows ?????
smtp_flow count   Flows (ratio %)    Byte ratio %
1-10              136003 (94.78)     73.1
11-30             5502 (3.83)        12.5
31-70             1370 (0.95)        8.1
71-100            231 (0.16)         1.1
101-200           226 (0.16)         1.2
201-1000          145 (0.10)         1.8
>1000             15 (0.01)          2.2
19
  • SMTP?????/??
  • Monitor abnormal SMTP traffic per smtp_flow_i
  • Combine several NetFlow features:
  • SMTP service port, Src_IP, Dst_IP
  • src_IP -> dst_IP.25 (the host opens SMTP connections: a sender or relay)
  • src_IP.25 -> dst_IP (the host answers as an SMTP server)

20
  • ??/ ????? SMTP ??
  • ??SMTP ????
  • ?? IP protocol_id application port???,??
  • flow(smtp_flow_i)
  • pkt(smtp_flow_i)
  • byte(smtp_flow_i)
  • ??/?????syn_flows??
  • Monitoring SMTP traffic
  • PHP + Apache
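
The NetFlow counters of slides 17-20 (smtp_flow_i for every src_IP -> dst_IP.25, its flow, packet and byte counts, the Table 2 buckets, the Threshold_100_flow test and the mean-packet-size split of slide 13), as an added Python example that is not part of the original presentation. The flow records are constructed in the shape of a NetFlow v5 export reduced to the fields the slides use; the addresses, the traffic mix and the random seed are assumptions, the thresholds are the slides' own.

```python
import random
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, src_port, dst_port, packets, bytes),
# the NetFlow v5 fields slide 16 lists, minus the interface indexes.
def make_sample_flows():
    rng = random.Random(7)                 # fixed seed: same sample every run
    flows = []
    # forty ordinary clients: a few deliveries each, full-sized messages
    for i in range(1, 41):
        for _ in range(rng.randint(1, 8)):
            flows.append((f"140.115.5.{i}", "140.115.17.89", 6,
                          rng.randint(1024, 65535), 25, 12, 6000))
    # a spam sender: hundreds of outbound port-25 connections carrying real messages
    for _ in range(300):
        flows.append(("140.115.99.7", f"203.0.113.{rng.randint(1, 254)}", 6,
                      rng.randint(1024, 65535), 25, 10, 4000))
    # a SYN flooder / scanner: many port-25 connections of one tiny packet each
    for _ in range(500):
        flows.append(("140.115.99.8", f"198.51.100.{rng.randint(1, 254)}", 6,
                      rng.randint(1024, 65535), 25, 1, 40))
    return flows


# smtp_flow count buckets of Table 2
BUCKETS = [(1, 10), (11, 30), (31, 70), (71, 100), (101, 200), (201, 1000), (1001, float("inf"))]


def smtp_flows_by_source(flows):
    """smtp_flow_i: the slide's src_IP -> dst_IP.25 selector, aggregated per source.
    (src_IP.25 -> dst_IP, the server side, is deliberately not counted here.)"""
    agg = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    for src, _dst, proto, _sport, dport, pkts, nbytes in flows:
        if proto == 6 and dport == 25:
            a = agg[src]
            a["flows"] += 1
            a["pkts"] += pkts
            a["bytes"] += nbytes
    for a in agg.values():
        a["mean_pkt_size"] = a["bytes"] / a["pkts"] if a["pkts"] else 0.0
    return dict(agg)


def flow_histogram(agg):
    """Rows of Table 2: sources per smtp_flow bucket and the bucket's share of bytes."""
    total_bytes = sum(a["bytes"] for a in agg.values()) or 1
    rows = []
    for lo, hi in BUCKETS:
        members = [a for a in agg.values() if lo <= a["flows"] <= hi]
        label = f"{lo}-{hi}" if hi != float("inf") else f">{lo - 1}"
        rows.append((label, len(members), 100.0 * sum(a["bytes"] for a in members) / total_bytes))
    return rows


def classify(agg, flow_threshold=100, small_packet=100):
    """Threshold_100_flow plus the mean-packet-size split: a source over the flow
    threshold with tiny packets looks like SYN flooding or scanning, one with
    full-sized packets is pushing mail, i.e. a spam relay or sender."""
    verdicts = {}
    for src, a in agg.items():
        if a["flows"] < flow_threshold:
            continue
        verdicts[src] = ("syn_flood_or_scan" if a["mean_pkt_size"] < small_packet
                         else "spam_relay_or_sender")
    return verdicts


if __name__ == "__main__":
    agg = smtp_flows_by_source(make_sample_flows())
    for label, count, share in flow_histogram(agg):
        print(f"{label:>9} flows: {count:4d} sources, {share:5.1f}% of bytes")
    for src, verdict in classify(agg).items():
        a = agg[src]
        print(f"{src}: {a['flows']} flows, {a['mean_pkt_size']:.0f} bytes/packet -> {verdict}")
```

Run over a real export, the histogram should look like Table 2 (almost all sources under 30 flows) and the two flagged addresses are the ones to check in /var/log/maillog; the packet-size split is what separates the slide's "Abnormal SMTP traffic" column from its "SYN Flooding" column.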

24
Nov  3 20:25:58 smtp3 sendmail[7645]: [ID 801593 mail.info] hA3CPot1007645: from=<marketing44@disney.biz>, size=64607, class=0, nrcpts=1, msgid=<200311031225.hA3CPot1007645@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=[163.25.154.253]
Nov  3 20:25:58 smtp3 sendmail[7645]: [ID 801593 mail.info] hA3CPot1007645: to=<u9043700@cc.ncu.edu.tw>, delay=00:00:06, mailer=relay, pri=30258, stat=queued
Nov  3 20:26:45 smtp3 mailscanner[3948]: >>> Virus 'W32/Yaha-P' found in file ./hA3CPot1007645/disney.zip/DOCUME~1\Dennis\LOCALS~1\Temp\setup.exe
Nov  3 20:26:51 smtp3 sendmail[7958]: [ID 801593 mail.info] hA3CPot1007645: to=<u9043700@cc.ncu.edu.tw>, delay=00:00:59, xdelay=00:00:00, mailer=relay, pri=120258, relay=140.115.17.89 [140.115.17.89], dsn=2.0.0, stat=Sent (hA3CP8k1016181 Message accepted for delivery)
Nov  3 20:27:00 smtp3 mailscanner[3948]: >>> Virus 'W32/Yaha-P' found in file ./hA3CPot1007645/disney.zip/DOCUME~1\Dennis\LOCALS~1\Temp\setup.exe
27
Oct 26 08:24:25 smtp3 sendmail[13433]: [ID 801593 mail.info] h9Q0ON2a013433: from=<ur@miltyblinks.net>, size=6998, class=0, nrcpts=1, msgid=<200310260024.h9Q0ON2a013433@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=mgexchgr81.malupid.net [216.22.24.81] (may be forged)
Oct 26 08:24:25 smtp3 sendmail[13425]: [ID 801593 mail.info] h9Q0ON2a013425: from=<pg@miltyblinks.net>, size=6994, class=0, nrcpts=1, msgid=<200310260024.h9Q0ON2a013425@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=mgexchgr85.malupid.net [216.22.24.85] (may be forged)
Oct 26 08:24:25 smtp3 sendmail[13435]: [ID 801593 mail.info] h9Q0ON2a013435: from=<eh@miltyblinks.net>, size=6971, class=0, nrcpts=1, msgid=<200310260024.h9Q0ON2a013435@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=mgexchgr81.malupid.net [216.22.24.81] (may be forged)
Oct 26 08:24:25 smtp3 sendmail[13432]: [ID 801593 mail.info] h9Q0ON2a013432: from=<wc@miltyblinks.net>, size=6995, class=0, nrcpts=1, msgid=<200310260024.h9Q0ON2a013432@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=mgexchgr84.malupid.net [216.22.24.84] (may be forged)
Oct 26 08:24:25 smtp3 sendmail[13434]: [ID 801593 mail.info] h9Q0ON2a013434: from=<jo@miltyblinks.net>, size=6965, class=0, nrcpts=1,
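
The check of /var/log/maillog that slides 10, 24 and 27 describe, as an added Python example that is not part of the original presentation: it joins sendmail's from=/to= lines by queue ID, keeps the relay and its "(may be forged)" flag (sendmail's mark that the connecting host's forward and reverse DNS disagree), attaches MailScanner's virus verdict to the same queue ID, and then looks for the pattern of slide 27: a burst of envelopes in the same second from different local parts of one domain via forged relays. The log excerpt below is constructed in the same format as the slides' entries; hostnames and addresses in it are illustrative only.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt in the Solaris syslog / sendmail format of the slides.
MAILLOG = """\
Oct 26 08:24:25 smtp3 sendmail[13433]: [ID 801593 mail.info] h9Q0ON2a013433: from=<ur@miltyblinks.net>, size=6998, class=0, nrcpts=1, msgid=<200310260024.h9Q0ON2a013433@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=mgexchgr81.malupid.net [216.22.24.81] (may be forged)
Oct 26 08:24:25 smtp3 sendmail[13425]: [ID 801593 mail.info] h9Q0ON2a013425: from=<pg@miltyblinks.net>, size=6994, class=0, nrcpts=1, msgid=<200310260024.h9Q0ON2a013425@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=mgexchgr85.malupid.net [216.22.24.85] (may be forged)
Oct 26 08:24:25 smtp3 sendmail[13435]: [ID 801593 mail.info] h9Q0ON2a013435: from=<eh@miltyblinks.net>, size=6971, class=0, nrcpts=1, msgid=<200310260024.h9Q0ON2a013435@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=mgexchgr81.malupid.net [216.22.24.81] (may be forged)
Oct 26 08:24:26 smtp3 sendmail[13433]: [ID 801593 mail.info] h9Q0ON2a013433: to=<u9043700@cc.ncu.edu.tw>, delay=00:00:01, mailer=local, pri=36998, dsn=2.0.0, stat=Sent
Oct 26 08:24:40 smtp3 mailscanner[3948]: >>> Virus 'W32/Yaha-P' found in file ./h9Q0ON2a013425/offer.zip/setup.exe
Oct 26 08:31:02 smtp3 sendmail[13501]: [ID 801593 mail.info] h9Q0V2a013501: from=<alice@cc.ncu.edu.tw>, size=1201, class=0, nrcpts=1, msgid=<200310260031.h9Q0V2a013501@smtp3.cc.ncu.edu.tw>, proto=ESMTP, daemon=MTA, relay=pc12.cc.ncu.edu.tw [140.115.5.12]
Oct 26 08:32:10 smtp3 sendmail[13600]: [ID 801593 mail.info] h9Q0WAb013600: from=<news@example.test>, size=2048, class=0, nrcpts=1, msgid=<200310260032.h9Q0WAb013600@smtp3.cc.ncu.edu.tw>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
                     r"(?:\[ID \d+ \S+\] )?(?P<qid>\w+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>\S+)"
                     r"(?: \[(?P<ip>[\d.]+)\])?(?P<forged> \(may be forged\))?")
VIRUS_RE = re.compile(r"mailscanner\[\d+\]: >>> Virus '(?P<virus>[^']+)' found in file \./(?P<qid>\w+)/")


def parse_maillog(text):
    """One record per queue ID: envelope sender, relay host/IP, forged flag and size
    from the from= line; recipients and final stat= from the to= line(s); the
    MailScanner verdict for the same queue directory, if any."""
    msgs = {}
    for line in text.splitlines():
        vm = VIRUS_RE.search(line)
        if vm:
            msgs.setdefault(vm.group("qid"), {"qid": vm.group("qid")})["virus"] = vm.group("virus")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        rec = msgs.setdefault(qid, {"qid": qid})
        fm = FROM_RE.search(rest)
        if fm:
            relay = fm.group("relay").strip("[]")        # relay=[ip] when there is no reverse DNS
            rec.update(ts=m.group("ts"), sender=fm.group("sender"), relay=relay,
                       relay_ip=fm.group("ip") or relay, forged=bool(fm.group("forged")),
                       size=int(re.search(r"size=(\d+)", rest).group(1)))
        elif rest.startswith("to="):
            rec.setdefault("recipients", []).append(re.search(r"to=<([^>]*)>", rest).group(1))
            sm = re.search(r"stat=(\w+)", rest)
            rec["stat"] = sm.group(1) if sm else None
    return msgs


def find_bursts(msgs, min_msgs=3):
    """Group envelopes by (timestamp, sender domain). Several messages in one second
    from different local parts of one domain, delivered by relays whose DNS does
    not check out, is the slide-27 signature; count how many relays were forged."""
    groups = defaultdict(list)
    for r in msgs.values():
        if "sender" in r:
            groups[(r["ts"], r["sender"].rpartition("@")[2])].append(r)
    return [{"ts": ts, "domain": domain, "count": len(recs),
             "relay_ips": sorted({r["relay_ip"] for r in recs}),
             "forged_relays": sum(r["forged"] for r in recs)}
            for (ts, domain), recs in groups.items() if len(recs) >= min_msgs]


if __name__ == "__main__":
    msgs = parse_maillog(MAILLOG)
    for b in find_bursts(msgs):
        print(f"{b['ts']}: {b['count']} messages from @{b['domain']} via {b['relay_ips']}, "
              f"{b['forged_relays']} relays flagged 'may be forged'")
    for r in msgs.values():
        if "virus" in r:
            print(f"{r['qid']}: {r.get('sender')} carried {r['virus']} via {r.get('relay_ip')}")
```

The relay IPs in the burst are the candidates for the RWhois lookup on slide 35; the "may be forged" flag on its own is only a hint (many legitimate hosts have mismatched reverse DNS), which is why the burst test needs the timestamp and sender-domain grouping as well.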
28
Mail Relay Testing
  • mrt
  • ftp://ftp.monkeys.com/pub/mail-tools/perl/mrt
  • mrt
  • test.patterns
  • test.message
  • ./mrt -v test.patterns test.message host_ip_addr

29
ann$ ./mrt -v ./test.patterns ./test.message 163.25.121.245
mrt: 163.25.121.245: Error connecting: Connection refused
(the same line repeated for each of the 17 relay test patterns: no SMTP service on the host)
30
ann$ ./mrt -v ./test.patterns ./test.message 163.25.70.1
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: SMTP error (553) reading MAIL response
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: Message accepted
mrt: 163.25.70.1: SMTP error (553) reading MAIL response
31
ann$ ./mrt -v ./test.patterns ./test.message 140.115.17.128
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (553) reading RCPT response
mrt: 140.115.17.128: SMTP error (553) reading RCPT response
mrt: 140.115.17.128: SMTP error (553) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
mrt: 140.115.17.128: SMTP error (550) reading RCPT response
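
What one mrt pattern does on the wire, and how the three outcomes on slides 29-31 (no listener, every recipient accepted, relaying refused) are told apart, as an added Python example that is not part of the original presentation and not the mrt tool itself. Both sides are shown: a mock MTA that either relays for anyone or only for its own domain (LOCAL_DOMAINS is an assumption), and the probe that reports results in mrt's own wording. The probe stops after RCPT and never sends DATA, so nothing is delivered. As on the slides, run it only against hosts you are responsible for.

```python
import smtplib
import socket
import threading

LOCAL_DOMAINS = {"cc.ncu.edu.tw"}       # assumption: domains the mock MTA delivers for


def _serve_one(listener, open_relay):
    """Mock MTA: the server side of one SMTP session, just enough of RFC 5321 to
    answer a relay probe. open_relay=True accepts any RCPT (a misconfigured host);
    False accepts only LOCAL_DOMAINS, as a correctly configured sendmail does."""
    conn, _ = listener.accept()
    listener.close()

    def reply(text):
        conn.sendall((text + "\r\n").encode())

    with conn, conn.makefile("rb") as rd:
        reply("220 mock.mta ESMTP (constructed example server)")
        for raw in rd:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply("250 mock.mta")
            elif verb == "MAIL":
                reply("250 2.1.0 sender ok")
            elif verb == "RCPT":                  # arg looks like "TO:<user@domain>"
                domain = arg.partition(":")[2].strip("<> ").rpartition("@")[2].lower()
                if open_relay or domain in LOCAL_DOMAINS:
                    reply("250 2.1.5 recipient ok")
                else:
                    reply("550 5.7.1 relaying denied")
            elif verb == "QUIT":
                reply("221 2.0.0 bye")
                break
            else:                                 # RSET, NOOP and anything else
                reply("250 ok")


def start_mock_mta(open_relay):
    """Listen on an ephemeral loopback port, serve one session in the background."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_one, args=(listener, open_relay), daemon=True).start()
    return port


def unused_port():
    """A loopback port with nothing listening, for the 'Connection refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_relay(host, port, sender="probe@example.net", rcpt="probe@example.org"):
    """Client side of one pattern, reported the way mrt -v reports it. Sender and
    recipient are both foreign to the target, so 250 at RCPT means the host
    relays for anyone. DATA is never sent: nothing is delivered."""
    try:
        smtp = smtplib.SMTP(host, port, local_hostname="probe.example", timeout=5)
    except OSError as exc:
        return f"Error connecting: {exc.strerror or exc}"
    try:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(sender)
        if code != 250:
            return f"SMTP error ({code}) reading MAIL response"
        code, _ = smtp.rcpt(rcpt)
        if code == 250:
            return "Message accepted"
        return f"SMTP error ({code}) reading RCPT response"
    finally:
        try:
            smtp.quit()
        except (smtplib.SMTPException, OSError):
            pass


def run_demo():
    """Three targets like slides 29-31: no listener, an open relay, a relay that denies."""
    return {
        "no_smtp_service": probe_relay("127.0.0.1", unused_port()),
        "open_relay": probe_relay("127.0.0.1", start_mock_mta(open_relay=True)),
        "relay_denied": probe_relay("127.0.0.1", start_mock_mta(open_relay=False)),
    }


if __name__ == "__main__":
    for target, verdict in run_demo().items():
        print(f"{target}: {verdict}")
```

The real mrt cycles through many source/recipient spellings in test.patterns (bare user names, percent-hack and source-routed addresses, the target's own domain as sender) because a relay that refuses the plain form may still accept one of the others; the 553 lines in the slide-30 output show exactly that kind of partial refusal, and a host is only clean when every pattern is rejected.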
32
????
  • 60 ??spam relay/sender???????SMTP????????
  • July: 60
  • August: 60
  • September: 60
  • October: 100
  • November: 100
  • ??SMTP/SYN Flooding????
  • ??Spam ??????

33
Table 2 ??Abuse host??(2003?)
Month   Abnormal SMTP traffic   Abnormal www / SYN flooding
Jul     60                      43
Aug     60                      48
Sep     60                      -
Oct     55                      100
Nov     100                     100
34
4 Spam ???????
  • Spam/????????
  • ?????spam ??
  • ????? SMTP Traffic
  • ?????
  • ????IP????????
  • ????????????,????
  • ????????,???????????

35
  • spam mail???????
  • ??Query IP????,Email??
  • ??SNMP polling of the router ipRoute MIB,
  • ????????? routing??
  • ??IP????????
  • ?? NextHop integrate
  • The extracted Routing Table
  • ?????????
  • RWhois IP?????

36
  • ipRoute SNMP MIB
  • ???????routing ??
  • Network address
  • NetMask: ipRouteMask, OID .1.3.6.1.2.1.4.21.1.11
  • NextHop: ipRouteNextHop, OID .1.3.6.1.2.1.4.21.1.7
  • Mansfield G. ???ipRoute MIB
  • ??????routers ipRoute MIB
  • ??????????

37
  • ??????IP??????
  • NetMask/ NextHop??
  • ???IP????index,??
  • NetMask List
  • NextHop List.
  • ??NetMask ,NextHop ?Segment??
  • ?????????ip_routing ????

38
ipRouteMask OID
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.40.0 = IpAddress: 255.255.252.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.44.0 = IpAddress: 255.255.255.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.45.0 = IpAddress: 255.255.255.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.46.0 = IpAddress: 255.255.255.0
ipRouteNextHop OID
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.40.0 = IpAddress: 203.71.2.72
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.44.0 = IpAddress: 192.83.175.111
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.45.0 = IpAddress: 192.83.175.116
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.46.0 = IpAddress: 192.83.175.111
39
NextHop          Dest.           Netmask          Seg
203.72.244.226   140.115.0.0     255.255.0.0      256
203.71.2.5       140.132.0.0     255.255.0.0      256
203.71.2.61      140.135.0.0     255.255.0.0      256
203.71.2.237     140.138.0.0     255.255.0.0      256
203.71.2.209     192.192.40.0    255.255.252.0    4
203.71.2.209     203.68.52.0     255.255.252.0    4
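
The routing-table extraction of slides 35-39 (join the ipRouteMask and ipRouteNextHop lists on their destination index, derive the Seg column, then find the NextHop that owns a given IP), as an added Python example that is not part of the original presentation. The walk output below is constructed in net-snmp's "name = IpAddress: value" form from the slide-38 entries; the 0.0.0.0 default route and the 140.115.17.0/24 entry are added so that longest-prefix matching has something to decide, and their next hops are made up.

```python
import ipaddress
import re

# Constructed snmpwalk output (ipRouteMask and ipRouteNextHop columns). The entries
# for 192.192.40.0-46.0 follow slide 38; the default route, the 140.115.0.0/16 route
# and the more specific 140.115.17.0/24 route are constructed for the example.
WALK = """\
ip.ipRouteTable.ipRouteEntry.ipRouteMask.0.0.0.0 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.140.115.0.0 = IpAddress: 255.255.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.140.115.17.0 = IpAddress: 255.255.255.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.40.0 = IpAddress: 255.255.252.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.44.0 = IpAddress: 255.255.255.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.45.0 = IpAddress: 255.255.255.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.46.0 = IpAddress: 255.255.255.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.0.0.0.0 = IpAddress: 203.71.2.1
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.140.115.0.0 = IpAddress: 203.72.244.226
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.140.115.17.0 = IpAddress: 203.72.244.230
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.40.0 = IpAddress: 203.71.2.72
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.44.0 = IpAddress: 192.83.175.111
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.45.0 = IpAddress: 192.83.175.116
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.46.0 = IpAddress: 192.83.175.111
"""

ROW_RE = re.compile(r"ipRoute(?P<col>Mask|NextHop)\.(?P<dest>\d+(?:\.\d+){3})"
                    r"\s*=\s*IpAddress:\s*(?P<val>\d+(?:\.\d+){3})")


def parse_iproute_walk(text):
    """Join the NetMask list and the NextHop list on their ipRouteDest index into
    one table of (network, next hop), sorted most-specific first so that a
    lookup can stop at the first match."""
    masks, hops = {}, {}
    for m in ROW_RE.finditer(text):
        (masks if m.group("col") == "Mask" else hops)[m.group("dest")] = m.group("val")
    table = []
    for dest in masks.keys() & hops.keys():          # rows missing one column are dropped
        net = ipaddress.ip_network(f"{dest}/{masks[dest]}", strict=False)
        table.append((net, ipaddress.ip_address(hops[dest])))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def class_c_segments(net):
    """The Seg column of slide 39: how many /24 blocks the prefix spans."""
    return 2 ** (24 - net.prefixlen) if net.prefixlen <= 24 else 1


def lookup(table, ip):
    """Longest-prefix match: the router forwards to the most specific route, so
    its NextHop is the downstream site that actually owns the address."""
    addr = ipaddress.ip_address(ip)
    for net, nexthop in table:
        if addr in net:
            return net, nexthop
    return None


def render(table):
    """Rows in the slide-39 layout: NextHop, Dest., Netmask, Seg."""
    return [f"{hop}, {net.network_address}, {net.netmask}, {class_c_segments(net)}"
            for net, hop in table]


if __name__ == "__main__":
    table = parse_iproute_walk(WALK)
    print("\n".join(render(table)))
    for ip in ("192.192.41.7", "192.192.44.9", "140.115.17.89", "140.115.5.12", "8.8.8.8"):
        net, hop = lookup(table, ip)
        print(f"{ip:>15} -> {net} via {hop}")
```

The most-specific-first ordering is what keeps the answer right when the walk contains both an aggregate and a more specific route for the same space (140.115.17.89 must resolve to the /24's next hop, not the /16's); a Seg count of 256 for a /16 and 4 for a /22 reproduces the slide's numbers.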
40
  • IP?????????????
  • Router??routing table???
  • ?? NextHop ?? switch packet
  • Switch ???? routing interface

41
  • RWhois????
  • ??Mark Kosters DataBase (MKDB) ??????????.
  • ?????????rwhoisd
  • ???????rwhoisd_indexer

42
  • RWhois Server
  • ??IP????????????,??????Spam ???.
  • ??routing??,??Nexthop ????/????????????
  • ??RWhois network schema?????
  • ?????indexing, ?????? query??.

43
  • ???Network schema??
  • IP-Network (????)
  • Admin-Contact (????)
  • Address (????)
  • Tel (????)
  • Updated-By (?????)
  • Updated (??????)

46
  • Sendmail
  • ??????????????
  • Mail server ??sendmail daemon ?? mail client????
  • ????mail? destination mail server
  • ?????user mail,????user mail-box
  • ?? /var/mail/user_name?.

47
  • ????Spam????
  • ?? /var/mail/abuse buffer ?
  • ??From ??????mail??.
  • parsing????,????IP??.
  • ????RWhois server,??IP????.
  • ??IP????, ???????????????/??mail

49
????????????
  • ???????????, ??????IP
  • ????IP,????RWhois server,??????.
  • ??????,?????? router
  • ????????,???????????
  • ??RWhois ??????,??????
  • ??????????/??
  • ?????????,????????.

50
5.??
  • ??IP????????
  • ?Spam/?????????????
  • Spam/??????????
  • ??spam?????
  • ?????????????????

51
  • ?? SMTP/www DoS?????
  • ???????Spam senders
  • ????SMTP????.
  • ??????
  • ?? mail server???????
  • ???????????
  • PING Storm, SYN Flooding, Spam relay
  • ?????????????