Unix 電子郵件管理 (漏洞排除、網路問題診斷、 DNS 管理

等 )

陳昌盛國立交通大學 計算機與網路中心

技術發展組組長(2008.11.26)

綱要 (Outline)• E-mail 基本運作原理與管理課題• 垃圾郵件防護機制• 問題診斷與除錯 ( Troubleshooting & Debugging)

• 常見過濾機制 (Mail, DNS, IPS/Firewall, etc.)

• 問題與討論• 個案探討• 總結與未來發展

• 附錄• 新興課題 - 網路釣魚詐騙信件 ( Phishing)

• 參考資料

E-mail 運作原理與管理課題(垃圾郵件的產生 )

Part 1

E-mail Basics 從 RFC 821/2821, E-mail 基本組成結構

Message = an envelope + content Content = mail headers + body

MIME extension For the transmission of images, audio, or other

sorts of structured data in electronic mail messages.

MIME document series [RFC2045, RFC2046, RFC2049]

Internet

•Bouncing server

•Incoming SMTP Gateway Farm

• Mail Spool server

•Outgoing SMTP Gateway Farm

• Firewall

典型 E-mail 系統運作圖

•SMTPauth

Mail Filtering•BL/GL/WL•Auto-learn

垃圾郵件防治概論 Q1: 何謂 SPAM ?

為何會有那麼多 SPAM mail ? Where did the SPAMmer get my e-mail

address ? Q2: 如何反制 Spam mail ?

Or, how does the E-mail system know if an incoming mail is a spam message ?

Q3: The big issues with filtering to date “Spam mail 阻擋效率如何 ?” “多少正常的 e-mail 也被阻擋 ?”

何謂垃圾郵件 (Spam Mail)?

Best description: "Unsolicited Bulk E-mail" 簡單地說 – 你不想要而且也沒有主動要求他人寄送給

你 In human terms: bulk e-mail you didn't

want, and didn't ask for Mailing lists, newsletters, "latest offers": not

spam, if you asked for them in the first place

UCE/UBE UCE = Unsolicited Commercial E-mail UBE = Unsolicited Bulk E-mail

垃圾郵件防護概論 ( 個別認知差異 ) -- Truth Depends on Interpretation

FilteringFilteringwithwith

HH11(msg)(msg)

FilteringFilteringWithWith

HH22(msg)(msg)

Mail Spool

Discard

•MTA1 (or MUA1)

Accept•MTA0

•MTA = Mail Transfer Agent•MUA = Mail User Agent

•MTA2 (or MUA1)

Spam Mail 特性 透過密件傳送功能 (header BCC for bulk mailing) 以

規避大量傳送信件的限制 Avoiding the header length limits

使用經常改變且是假的送件者以逃避郵件過濾 使用假造的電子信件郵戳以逃避追蹤 (faked Received

lines for preventing/confusing the spam source tracing)

Syntax Ok, Semantics Error

有時候 Spam mail 會夾帶病毒

Where did the SPAMmer get my e-mail address ? UCE/UBE 散佈途徑

名單收錄www homepage, USENET news articlesaccount password files on individual servers其他不當途徑 ( program bug, 招募會

員活動 , …) 找尋管理較鬆散的 mail relay

Domain Zone scanning ( DNS)URL scanning (web pages )

Dictionary attack

為何會有這麼多 Spam Mail ?

SPAM 來源 The most common form of spam is

commercial spam, where the user is hoping to make a profit.

Take as an example spam, where a user abuses the un-metered nature of email to send out millions of emails.

As the incremental costs of sending more emails to the spammer are almost zero, he can still make a profit even with a success rate of 0.0001 %.

Using a Botnet to send spam mails- From Wikipedia computer hacking and botnet attacks by

criminals, terrorists and foreign powers.

Botnet 簡介 Botnet 俗稱殭屍網路 (Zombie Network) ，又稱機器

人網路 (Robot Network), 受 Botnet 感染之主機猶如殭屍般任由控制者操控

駭客藉由 IRC (Internet Relay Chat) 等管道遠端控制受感染的主機，可發動網路攻擊 包括竊取私密資料、網路釣魚 (Phishing) 、散布垃圾郵件

(SPAM) 、發動阻斷式服務 (DDoS), 恐嚇被駭網站等犯罪行為 Botnet 病毒 , 通常每隔 5 至 10 秒利用 IRC 通訊埠 (6660-

6669 或 7000 ，主要為 6667) 進行網路連線 Botnet 具有自我複製並主動散播之特性，同時具有隱匿

性，受感染之主機不易發覺 若再經有心人士製造變種 Botnet 病毒，防毒軟體更不易偵測，

常造成嚴重之損害

垃圾郵件反制Part 2

Why Bother Filtering Spam?--Economical view On a global scale use of bandwidth, CPU

resources and people time are wasted. Seems to be about 30% to 60% of mail traffic, and

increasing The spam recipients time is wasted as well, and receiving

the spam may directly costing the user bandwidth fees from their ISP.

ISP's also dislike spam because it costs them time and money to deal with the complaints, and recover overloaded mail servers that sometimes crash under the load of intensive spamming.

Why Bother Filtering Spam? - Social view

Nearly impossible to unsubscribe “unsubscribe” addresses work only 37% of the time,

according to the US FTC Opt-in vs. opt-out

Legal retaliation (求償 ) not possible in most parts of the world yet Only possible in some regions (e.g., Korea, some states in

US, etc.) Taiwan ( 準備採用 Option-out)

已經訂草案 , 送交立法 ( 近年的報紙消息 )

A Hybrid Model for Anti-spam and Related Issues Economy + Education + Law + Technology

Education

Economy

Technology Law

Hash-money

•BL, GL, WL•Machine learning

•Opt-in, opt-out•Cyber forensic

•Authentication •Confirmation•Identification•Verification

Retaliation (( 求償 )

•Privacy protection

Anti-SPAM

How Do The Spammers Feel? Spam relies on low overheads and

extremely cheap delivery Disrupt the equation and they will give up!

Already hurting, according to CBS: “[I’ve gone through] unbelievable hardships

[to keep spamming] ... My operating costs have gone up 1,000% this year, just so I can figure out how to get around all these filters”

Anti-Spam Paradigm View 1: Prevent your sites from becoming SPAM

sources Sender authentication

Vulnerability scanning

Access Control (e.g., Firewall, etc.) View 2: Prevent SPAM from entering the mailboxes

of your site Tasks: identify/detect incoming SPAM messages

Sender authentication

Whitelist, Blacklist, Greylist,

Auto-learning (personalization)

Sub-views: server-side vs. client-side filtering

View 1 : 防止本單位網站變成 Spam 幫兇(Common SPAM Source )

目前 TANet 常見的模式 Compromised Hosts :

主機遭入侵 , 被植入後門程式 , 讓有心人士可以利用該主機發送廣告信件 . (e.g., 主機遭病毒攻擊 )

Open Proxy : Proxy Server 未對可信賴的使用者 IP 或 Domain name 範圍做限制 , 讓有心人士利用 HTTP 協定上的漏洞寄送廣告信件至 Internet.

Open Relay : 郵件伺服器未對可寄送信件的使用者 IP 或 Domain name範圍做限制 , 讓有心人士利用來轉發廣告信函至 Internet上 .

其 他 使用者不當使用 , 利用學術網路發送廣告信函 .

Measures to Avoid Becoming SPAM Victims -Other Suggested Administration Policies

Basic Measures Prevention/Disable of open relay (SMTP)

and/or open proxy Open proxy : tcp port 80, tcp 3128, etc. Enable anti-virus capability

Sender Authentication Enable SMTPauth (or something of the like) Sender Policy Framework (SPF) –

Enable advertised white-list from Sender (through DNS)

Subtype of Problem -Forged Sender

Good news: SPF, SenderID, DomainKeys, etc.

Bad news1. This might cost more money for

authentication services in the future (e.g., anti-virus checking services)

2. It might not be effective to authenticate something like abc.123@yahoo.com or a13yotdfgfg@hotmail.com, etc.

i.e., there might still be too much overhead/loading for authenticating these possible faked sources (Cf. DNSSEC)

View 2: 防止 SPAM 進入單位內信箱 (Anti-spam: 垃圾郵件防治 )

用戶端防制法 Thunder bird Outlook express

Server 端防治法 SpamAssasin (Machine Learning) Dspam ( 統計 )

Candidate Features for Filtering Envelop address (EnvFrom, EnvRcpt)

Malformed sender (or recipient) address

Relay (Helo, rDNS, IP address range, etc.) SMTP Peak Connection Ratio (8.13)

Header Address (HdrFrom, HdrRcpt, etc) Basic Features: From, To, Subject Extended Features: X-Mailer, Message-Id, etc.

Using SPAMware (e.g., Dynamailer, Dmailer, etc.)

Body Content Unwanted contents (Subject, Body lines, URL,

etc. )

垃圾郵件防治基礎 過濾方式評估 (Filtering Approaches)

Server-side vs. user-side Static vs. adaptive Auto-learning

可用過濾機制 (Filtering Mechanisms) 黑名單 (Blacklist - totally denied) 白名單 (Whitelist - totally accept) 灰名單 (Greylist - partly denied) 自動學習 (Auto-learning vs. Statistical

Approach)

Mail 過濾機制示意圖-- A typical Anti-spam Model

GenericMail

Filtering

白名單

黑名單

自動學習防治拒收

• 收下

灰名單

(1)

(2)

(3)

(4)

Pass

Pass

Fail

Fail

Failtemporarily

發信者

Update

Mail Spool

隔籬區(Quarantine)

暫時收下

Anti-SPAM Methodologies (using Artificial Intelligence Terms)

Rule-based Methodology Milter-regex (server-server), Procmail (client-side)

Database-based Methodology Blacklist (totally denied)

SpamCop, DNSBL, etc. Whitelist (totally accept) Greylist (partly denied) Razor-like or DCC-like approach (distributed)

Data Mining/Machine Learning Methodology Thunderbird approach (personal) SpamAssassin (server, personal)

Rule-based Models for E-mail filtering (e.g., Sendmail, Postfix, etc.) Pattern Matching (Regular Expression) Tool

E.g., Sendmail + Milter-regex White list vs. Blacklist

Reject vs. Discard

Behavior Heuristics SMTP Peak Connection Ratio/Threshold

( sendmail 8.13) Greylist ( two-phase adaptive blacklist)

E.g., Sendmail + milter-greylist

Machine Learning Tool Sendmail + SpamAssasin

Introduction to Greylist

In 2003, Evan Harris proposed a novel idea, which he called Greylisting. i.e., based on the observation that many unsolicited bulk

mails are sent via open proxies and other mechanisms that do not involve proper mail transfer agents.

The main ideas of greylisting are as follows: Mail from unfamiliar senders are temporarily rejected

and should be retransmitted by their ISPs' SMTP clients.

Mails from familiar senders are passed immediately. You can whitelist friendly SMTP servers, and you

should whitelist your own network, otherwise your SMTP clients will have real trouble to send e-mail.

Whitelisting localhost is also a must.

Rationale behind using Greylist (cont) Grey listing works by assuming that contrarily to legitimate

MTA, spam engines will not retry sending their junk mail on a temporary error. RFC 2821 says that the sending MTA should retransmit 30

minutes or later after a failure, but spam sent through an open proxy as well as some viruses and worms are not retransmitted.

A proper sending MTA will repeat a transmission after a temporary 4yz rejection.

If spammers ever try to resend rejected messages, we can assume they will not stay idle between the two sends.

Odds are good that the spammer will send a mail to an honey pot address and get blacklisted in a distributed black list before the second attempt.

Sample Knowledge Representation - Greylist for E-mail filtering

#

# greylisted tuples#----------------------------------------------------------------------------------------

# Sender IP Sender e-mail Recipient e-mail Time accepted

202.53.72.110 <vjxgtcfn@yahoo.com> <lh15@mail.nctu.edu.tw> 1099474741 # 2004-11-03 17:39:01

202.53.72.110 <vjxgtcfn@yahoo.com> <limintsai@mail.nctu.edu.tw> 1099474742 # 2004-11-03 17:39:02

202.53.72.110 <vjxgtcfn@yahoo.com> <lindajmm@mail.nctu.edu.tw> 1099474743 # 2004-11-03 17:39:03

Sample Knowledge Representation - Greylist for E-mail filtering (cont.)

## Auto-whitelisted tuples#======================================

==

# Sender IP Sender e-mail Recipient e-mail Expire

210.58.229.92 <epaper@eslite.com.tw> <ysm@cc.nctu.edu.tw> 1100042183 AUTO # 2004-11-10 07:16:23

210.58.229.92 <epaper@eslite.com.tw> <yytzou@cc.nctu.edu.tw> 1100042354 AUTO # 2004-11-10 07:19:14

210.58.229.92 <epaper@eslite.com.tw> <wsfu@cc.nctu.edu.tw> 1100041397 AUTO # 2004-11-10 07:03:17

… more

Considerations, Caveats, and Differences False positives ( 不是 SPAM, 卻沒有放行 ) are possible if a

legitimate SMTP client does not retransmit an embargoed (禁制 ) message after the embargo expires. Failing to retransmit clearly violates the SMTP

standard, because it will result in lost mail should something other than Greylisting cause a temporary failure response.

False negatives ( 是 SPAM, 卻未擋下 ) are common. Greylisting can only detect bogus SMTP clients. Bulk mail

advertisers that use standards compliant software automatically pass

Machine Learning Approach for Anti-Spam(cf. , SpamAssassin Concepts)

Combines many systems for a "broad-spectrum" approach Lots of rules to determine if a mail is spam or not

Detect forged headers Spam-tool signatures in headers Text keyword scanner in the message body DNS blacklists Razor, DCC (Distributed Checksum Clearinghouse), Pyzor

These are combined to produce an overall score for each message

If over a user-defined threshold, the mail is judged as spam Spammers cannot aim to defeat 1 system; the others will catch

them out

SpamAssassin GA

Start

Good Enough?

Evolve Scores

Final Scores

No

Yes

Machine Learning Approach for Anti-Spam(cf. SpamAssassin Example)

用戶端防治垃圾郵件 - 範例： thunderbird (1/2)

垃圾郵件

用戶端垃圾郵寄防治工具 --範例： Thunderbird (設定 , 2/2)

垃圾郵件防治設定

垃圾郵件防護 (Anti-Spam) Server 端防制 (Dspam 系統 ) Dspam 基本運作架構 Dspam UI 使用範例

Dspam 成效 (performance) 調整 Dspam 個人化設定條件 垃圾信件隔離區檢視 (Quarantine)

按機率 (Spam)高低顯示 ( 分成三種顏色 ) 圖表顯示 (Spam vs. Good mail) 誤判可放行 (i.e., 正常 e-mail) 重新訓練 ( 誤判、漏判 )

Dspam As a Delivery Agent Proxy In the diagram below,

MTA refers to Mail Transfer Agent, or your mail server software: Postfix, Sendmail, Exim, etc.

LDA refers to the Local Delivery Agent: Procmail, Maildrop, etc..

BEFORE: [MTA] ---> [LDA] ---> (User's Mailbox)

AFTER: [MTA] ---> [DSPAM] ---> [LDA] ---> (User's Mailbox)

\ \--> [Quarantine]

[End User] ------> [Web UI]

Dspam 過濾成效 (performance)

垃圾信件隔離區 (Quarantine)- 分三種顏色顯示，低、中、高，不同機率範圍

問題診斷與除錯Part 3

問題診斷與除錯 ( Troubleshooting & Debugging)• 過濾機制 ( 設備 )

– Router, Firewall, IPS, Mail, etc.

• 常見驗證 /診斷機制– System Log 觀察– 退信分析 – Header 驗證

• Domain name 查詢– DNS + Whois

特殊案例-- 某 區網中心的誤擋實例 (Router 阻擋 Worm 攻擊 )

Part 4

• 問題與討論• 個案探討 (Case Study)• 垃圾防護機制未來發展

問題與討論 Spam Detection Stats ( 正確率 )訂定 Spam 防制策略

Policy 1 – 訂定不同的管理策略 (包括個人化support)

Policy 2 – 將 incoming/outgoing relay 分開 Policy 3 – 啟動傳送用戶認證 (sender

authentication)

Spam Detection Stats(From SpamConf2003)

DNSBLs Phrase Matching

Heuristics (SA)

Statistics

Accuracy 0 - 60% 80% 95% 99%+

False Positives

10% 2% 0.5% 0.1%

Measures to avoid becoming SPAM victims -NCTU Administration Policies

Considering Users’ Views Server-side filtering

mail.nctu.edu.tw Client-side Filtering (i.e., no filtering at the

server side) faculty.nctu.edu.tw

Other Advanced Features Personalization support (e.g., Dspam,

etc.) Client Tools Server-side Support

Measures to avoid becoming SPAM victims -NCTU Administration Policies (cont.) Separation of Incoming & Outgoing Relays

For easy separation (or identification) of spam source

Incoming Relay: Enable advertised blacklist (or semi-blacklist) from Sender (through DNS)

Reject direct SMTP relaying from 240.9.80.219.dynamic.tfn.net.tw

Outgoing Relay: Might accept relay from 240.9.80.219.dynamic.tfn.net.tw with SMTPauth ( or similar)

案例 : Spam mail 散佈 – 利用 Webmail 用戶之密碼太簡單者

案例 : 詐騙信 – Social Engineering(騙取帳號 /密碼 )

案例 - 詐騙 + Virus Message

範例 - Server 端阻擋 Virus Message (1/3)

範例 - Server 端阻擋 Virus Message (2/3)

範例 - Server 端阻擋 Virus Message (3/3)

Summary and Discussion - Future Directions

Economy - "Hash-cash" Sending mail currently more-or-less free With hash-cash, each recipient requires CPU

time for the sender SpamAssassin can provide "bonus points"

for hash-cash users Education Technology--Learning filters (Bayesian

probability etc.) Learn automatically, to detect what "good"

mail to your network looks like

Summary and Discussion - Future Directions (cont.)

Technology - Hybrid approach for anti-spamming Static (Blacklist + Whitelist) + Adapative (e.g.,

Greylist, SpamAssassin, etc.) + Auto-learn (or machine learning)

Sender AuthenticationSenderID, SPF, DomainKeys, etc.Published/advertised rules – blacklist

vs. whitelist

Sample Message - from Gmail to NCTU

Summary and Discussion - Future Directions (cont.)

Law Cyber-forensic, Retaliation, etc.

立法防杜垃圾郵件 台灣政府已把濫發商業電子郵件管理條例草案送交立法院，若順利希望明年實施；

張天欽 (行政院通訊傳播委員會籌備處法制組組長 ; UDN-931117)

草案中規範 :企業濫發垃圾郵件罰金可達 2 千萬元， 個人收到垃圾郵件，可到法院最低可請求 500 至 2000元賠

償。

附錄 Mail Relay 架構與 Spam 防護

DNS: Mail Exchange Records 使用 Greylist 網站統計 ( 參考資訊 )

幾年前的網站資訊 網路詐欺 ( 釣魚 ) 和防護機制 Mail System Log 範例

Filtering Configuration 1 – MTA + anti-spam + anti-virus engine

Distributed Configuration -Anti-spam+anti-virus engine in MX hosts

MX Hosts Configuration

Sample Statistics (幾年前 -非最新 ) anti-spam in mail.TN.edu.tw(http://ms2.tn.edu.tw/report/day/ )

AllMsg.

73%

Rejected

27%Greylist

25%

ClamAVSpamAssassin

2%

Virus3% 17%

5%

PassedBlockedSpamLevel > 16

PassedSpamLevel (6-15)

新興威脅 – Phishing Mail 網路釣魚 /詐欺牽涉多種網路服務

Mail + Web (+ DNS ) 欺騙用戶的眼睛 ( 視覺 /警覺盲點 ) 問題：假冒 URL 常牽涉 DNS 名稱 相似的問題

典型問題 – “郵件欺詐”是一種電子郵件圈套，它透過使用虛假網站或一封回復電子郵件，誘騙客戶公佈自己的個人資訊 如信用卡或借記卡帳號、支票帳戶資訊、社會保險號或銀行帳戶密碼等。

網路詐欺 - 網路釣魚 (Phishing 網站 )此類問題大致的發生機制

入侵特定網站主機 A建置假網頁

入侵特定網站主機 B (形成 Botnet) 製作 Spam Mail, 內含假 URL l (例如知名銀行網站 , 網路購物 , 拍賣網站等 )

由 B 散佈 Spam 給 (不 )特定的受害者 X ，誘騙受害者上當 , 點擊假的 URL, 導引到上述甲網站 A,

騙取個人身分資訊 ( 帳號 /密碼等 ) 或不自覺下載惡意程式 ( 所謂 keylogging 鍵盤記錄程式 )

網路詐欺縣電子郵件函 -範例 1: 網路釣魚 (詐騙信+Phishing 網站 )

•真正網址 (URL)

•看起來的連結 ( 有問題的假連結 , 欺騙眼睛 )

網路詐欺案 (i.e., 受害者 ? 幫兇 ?) 範例 2 - 被利用的網站畫面

網路詐欺通報案→範例 3 ︰受害單位自救通告 (必須盡快因應 )

網路詐欺 - 網路釣魚 (Phishing 網站 ) 新趨勢

鎖定對象 Spear phishing 有漸增的趨勢 一般性質 run-of-the-mill phishing

Recent email scams include the targeting of company directors with fake subpeonas and Mastercard users who were promised discounts on future purchases.

網路釣魚 (Phishing 網站 ) 防護機制 資安教育

用戶本身的警覺性 ( 分辨假的訊息 ) 資安防護工具

E-mail Server 過濾 瀏覽程式 (Web Browser) 的過慮

防護通報 Report 到特定網站

可協助其他人 – 前人種樹，後人乘涼 盡快處理來自受害單位的自救通告

避免日後的財物及法律糾紛

網路釣魚 (Phishing) 防護機制–範例 4 ︰ 新版瀏覽程式 IE 7.0(+), Firefox 2.0(+) 等

Abnormal relay May 17 00:30:09 NS sm-mta[64943]: i4GGU4Av064943:

ruleset=check_rcpt, arg1=<selios.bbh@cis.nctu.edu.tw>, relay=[211.20.42.103], reject=550 5.7.1 <selios.bbh@cis.nctu.edu.tw>... Relaying denied. IP name lookup failed [211.20.42.103]

May 17 00:30:10 NS sm-mta[64943]: i4GGU4Av064943: ruleset=check_rcpt, arg1=<seta.bbs@cis.nctu.edu.tw>, relay=[211.20.42.103], reject=550 5.7.1 <seta.bbs@cis.nctu.edu.tw>... Relaying denied. IP name lookup failed [211.20.42.103]

May 17 00:30:10 NS sm-mta[64943]: i4GGU4Av064943: from=<sender2@www-mailserver.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[211.20.42.103]

Anti-SPAM Case Study (1) - DNS Check May 13 07:56:41 Www sm-mta[91713]: i4CNubd2091713:

ruleset=check_rcpt, arg1=<nickie@cpshs.hcc.edu.tw>, relay=[211.22.16.18], reject=553 5.1.8 <nickie@cpshs.hcc.edu.tw>... Domain of sender address e00025cca@mail01.2eworld.com does not exist

May 13 07:56:41 Www sm-mta[91713]: i4CNubd2091713: from=<e00025cca@mail01.2eworld.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[211.22.16.18]

Anti-SPAM Case Study- unacceptable relay blocked (2) May 13 00:00:26 ns sm-mta[18832]: i4CG0IHN018832:

ruleset=check_rcpt, arg1=<chia@mail.nctu.edu.tw>, relay=218-170-127-234.dynamic.hinet.net [218.170.127.234], reject=550 5.7.1 <chia@mail.nctu.edu.tw>... Access denied

May 13 00:00:26 ns sm-mta[18832]: i4CG0IHN018832: from=<a8705135@yuema.com.tw>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=218-170-127-234.dynamic.hinet.net [218.170.127.234]

May 13 01:00:58 ns sm-mta[21035]: i4CH0sk2021035: ruleset=check_rcpt, arg1=<chia@mail.nctu.edu.tw>, relay=90.5.80.219.dynamic.tfn.net.tw [219.80.5.90], reject=550 5.7.1 <chia@mail.nctu.edu.tw>... Access denied

May 13 01:00:58 ns sm-mta[21035]: i4CH0sk2021035: from=<ammhb@lnnkn.www-mailserver.com>, size=0, class=0, nrcpts=0,

proto=SMTP, daemon=MTA, relay=90.5.80.219.dynamic.tfn.net.tw [219.80.5.90]

Anti-SPAM Case Study - Sendmail: new intelligent relay check (3) May 13 00:38:21 ns sm-mta[20313]: ruleset=check_relay,

arg1=[163.23.225.106], arg2=163.23.225.106, relay=[163.23.225.106], reject=452 4.3.2 Connection rate limit exceeded.

May 13 00:38:23 ns sm-mta[20314]: ruleset=check_relay, arg1=[163.23.225.106], arg2=163.23.225.106, relay=[163.23.225.106], reject=452 4.3.2 Connection rate limit exceeded.

May 13 00:38:23 ns sm-mta[20314]: i4CGcNvr020314: rejecting commands from [163.23.225.106] [163.23.225.106] due to pre-greeting traffic

Anti-SPAM Case Study- Blocked by SpamAssassin (4) May 13 10:49:44 Www sm-mta[11667]: i4D2nPxm011667: Milter add: header:

X-Spam-Status: Yes, hits=13.8 required=10.0 tests=FROM_HAS_MIXED_NUMS,\n\tFROM_HAS_MIXED_NUMS3,HTML_FONT_BIG,HTML_IMAGE_ONLY_02,\n\tHTML_IMAGE_RATIO_04,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,\n\tMIME_HTML_ONLY,PRIORITY_NO_NAME,RCVD_IN_DYNABLOCK,RCVD_IN_RFCI,\n\tRCVD_IN_SBL,RCVD_IN_SORBS,X_LIBRARY autolearn=no version=2.63

May 13 10:49:44 Www sm-mta[11667]: i4D2nPxm011667: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin

May 13 10:49:44 Www sm-mta[11667]: i4D2nPxm011667: to=<hwf@cc.nhctc.edu.tw>, delay=00:00:10, pri=31950, stat=Blocked by SpamAssassin

Anti-SPAM Case Study- Greylist filtering (5) May 13 00:04:55 ns milter-greylist: i4CG4qK7019112: addr

139.175.54.12 from <t9161016@ms3.ckitc.edu.tw> to <usws@mail.nctu.edu.tw> delayed for 00:04:30

May 13 00:04:55 ns sm-mta[19112]: i4CG4qK7019112: Milter: to=<usws@mail.nctu.edu.tw>, reject=452 4.7.1 Greylisting in action - temporarily embargoed, please come back later

May 13 00:04:55 ns sm-mta[19112]: i4CG4qK7019112: from=<t9161016@ms3.ckitc.edu.tw>, size=54023, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=sn12.seed.net.tw [139.175.54.12]

Reference (1) DCC (Distributed Checksum Clearinghouse)

http://www.rhyolite.com/anti-spam/dcc/ Domain Name System Real-time Black Lis (DNSRBL)

http://www.dnsrbl.com/index.html Dspam Greylist

Evan Harris, "The Next Step in the Spam Control War: Greylisting “, http://projects.puremagic.com/greylisting/

Hash Cash, http://www.cypherspace.org/adam/hashcash/

Milter-regex, Reject mail matching regular expressions http://www.benzedrine.cx/milter-regex.html

Reference (2) Sender Policy Framework

http://spf.pobox.com/ Sendmail

http://www.sendmail.org SpamAssassin for UNIX (free)

http://SpamAssassin.org/

Justin Mason, “Filtering Spam With SpamAssassin”

‘Internet Level Spam Detection and SpamAssassin 2.50”, MessageLabs