Abnormal SMTP Traffic and Automatic Notification of Email Spam (lecture slides, 异常SMTP讯务与EmailSpam的自动通告课件.ppt)
Slide 1: Abnormal SMTP Traffic and Automatic Notification of Email Spam
National Central University, Computer Center, Yang Su-Chiu (楊素秋). Email: center7cc.ncu.edu.tw

Slide 2: Outline
1. Motivation
2. Monitoring abnormal SMTP traffic
3. Correlation between spam and abnormal SMTP traffic
4. Automatic notification of spam events
5. Conclusion

Slide 3: 1. Motivation
- Speed up Email Spam notification
  - IP management information lookup: regional network routing table, RWhois lookup service
  - Automatic notification of spam events
- Monitoring abnormal SMTP traffic
  - Excess flow count
  - Packet density
  - Analyse the correlation between hosts sending excessive SMTP traffic and the spam relays/senders that get reported

Slide 4: 2. SMTP and spam transmission
- SMTP transmission
  - The client queries DNS for the MX list and builds the mail delivery route
  - The route records the multiple mail relays/servers between sender and receiver; the reverse-path is added to the mail header
  - A two-way connection is established with the SMTP relay and the message is sent along the SMTP route
  - After a relay accepts the message it connects to the next relay and forwards it
  - The final delivery relay distributes the message to the user's mailbox

Slide 5: Spam
- UCE (Unsolicited Commercial Email)
- Spammers use automated harvesting programs that continuously collect addresses from:
  - newsgroups (BBS boards)
  - mailing lists they join
  - mail addresses on web pages
  - mail accounts on systems they have broken into
  - mail accounts generated in regular sequences
- and send advertising mail repeatedly and intensively

Slide 6
- Spammers send enormous volumes of advertising mail across the global network at minimal cost
- Internet users spend considerable connection fees, time and effort downloading, receiving and deleting large amounts of spam
- ISPs spend even larger network and system resources repeatedly relaying junk mail, which disrupts normal mail delivery

Slide 7
- To avoid answering large numbers of spam complaints, spammers use automated scanners to find unprotected SMTP servers and use them as spam relays/senders
- Advertising mail is sent to the collected newsgroups/mailing lists and mail accounts, and to guessed recipients
- Mail attachments are even used to spread worms or attack programs that break into network hosts, gathering an ever larger pool of infected hosts that send and relay still more spam

Slide 8: Main ways to slow the exponential growth of spam
(1) Report spam events: removing one spam relay/sender removes millions of spam messages
(2) Monitor possible spammer hosts and traffic: measure SMTP traffic and filter out abnormal traffic volumes

Slide 9: Reporting spam events
- Network centers set up abuse email accounts (abuse@domain, spam@domain, security@domain) to receive spam/junk notifications about the IP hosts under their administration
- Network users
  - follow the spam route to extract the sending host and the relay servers from the "Received:" and "From:" header entries
  - reply to the owners of the sending host and relay servers
  - report to a spam report site (example link not preserved in the source)

Slide 10: Detecting possible spammer hosts and traffic
- Based on the transmission characteristics of spam, implement statistics of abnormal SMTP traffic
  - High frequency: an obviously high SMTP connection count
  - Repeatedly: lasting for several hours
- Help administrators monitor abnormal mail traffic
  - check /var/log/maillog accordingly
  - check the user mailbox accordingly
- Discover infected hosts early and notify users to patch the vulnerabilities

Slide 11: Notified Email Spam (July to November 2003)
- Total number of hosts notified for spam mail per month in the Taoyuan regional network
- Main abuse notification mails
  - S (name truncated in the source): reports relay servers/senders of advertising mail
  - myNetWatch: reports CodeRed/Nimda-infected hosts (80/TCP) and SYN flooding (445/TCP, 17300/TCP, ...)
  - Universal or Paramount Pictures: notifications of eDonkey hosts infringing intellectual property and the video files they store
  - Others

Slide 12: Table 1. Distribution of notified abuse hosts in the regional network (table contents not preserved)

Slide 13: 3. Monitoring abnormal SMTP traffic
- Spam transmission characteristics
  - Frequently: obviously high frequency of SMTP connections
  - Repeatedly: lasts for many hours
  - Mean packet size: less than 100 bytes per packet vs. more than 100 bytes per packet

Slide 14: Transport traffic logs
- All network operators depend on quantifiable traffic log data to evaluate network performance
- tcpdump
- NetFlow, sFlow
- Others

Slide 15: tcpdump
- A raw packet capture program; gathers the layer 4 transport traffic logs
- The dumped transport traffic logs include the detail fields of each IP packet header: source/destination IP addresses, source/destination application ports, protocol identity, number of packets, number of bytes, TCP operators

Slide 16: NetFlow
- Router traffic forwarding records: a flow-based layer 4 transport traffic log
  - source & destination IP address
  - source & destination application port
  - source & destination interface #
  - protocol identifier
  - packet count
  - byte count

Slide 17: Using NetFlow logs to compute abnormal SMTP traffic statistics for the regional network
- Accumulate SMTP service flow connection-count statistics from the NetFlow log gathered at the aggregation network's router
- Threshold_100_flow: less than 100 connections: 99.72 %; more than 100 connections: 0.28 %
- Threshold_30_flow: less than 30 connections: 98.61 %

Slide 18: Table 2. Distribution of SMTP flow characteristics in the regional network (table contents not preserved)

Slide 19: SMTP traffic statistics/monitoring
- Monitor abnormal SMTP traffic of smtp_flow_i by combining several NetFlow features: SMTP service port & Src_IP & Dst_IP
  - src_IP -> dst_IP.(25): connections opened to port 25 of the destination
  - src_IP.(25) -> dst_IP: traffic sent from the source's own port 25

Slide 20: Statistics/monitoring of abnormal SMTP traffic
- Accumulate the SMTP traffic variables: by matching IP protocol_id and application port, accumulate flow(smtp_flow_i), pkt(smtp_flow_i) and byte(smtp_flow_i)
- Sort/filter the excessive syn_flows traffic
- Monitoring SMTP traffic: PHP + Apache

Slides 21-23: screenshots of the monitoring pages (not preserved)

Slide 24: /var/log/maillog excerpt (sendmail and MailScanner entries; addresses and brackets were lost in extraction)
    Nov 3 20:25:58 smtp3 sendmail7645: ID 801593 mail.info hA3CPot1007645: from=, size=64607, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=163.25.154.253
    Nov 3 20:25:58 smtp3 sendmail7645: ID 801593 mail.info hA3CPot1007645: to=, delay=00:00:06, mailer=relay, pri=30258, stat=queued
    Nov 3 20:26:45 smtp3 mailscanner3948: Virus W32/Yaha-P found in file ./hA3CPot1007645/disney.zip/DOCUME1DennisLOCALS1Tempsetup.exe
    Nov 3 20:26:51 smtp3 sendmail7958: ID 801593 mail.info hA3CPot1007645: to=, delay=00:00:59, xdelay=00:00:00, mailer=relay, pri=120258, relay=140.115.17.89 140.115.17.89, dsn=2.0.0, stat=Sent (hA3CP8k1016181 Message accepted for delivery)
    Nov 3 20:27:00 smtp3 mailscanner3948: Virus W32/Yaha-P found in file ./hA3CPot1007645/disney.zip/DOCUME1DennisLOCALS1Tempsetup.exe

Slides 25-26: screenshots (not preserved)

Slide 27: syslog excerpt: several messages arriving within the same second from relays that sendmail marks "(may be forged)"
    syslog:Oct 26 08:24:25 smtp3 sendmail13433: ID 801593 mail.info h9Q0ON2a013433: from=, size=6998, class=0, nrcpts=1, sgid=, proto=SMTP, daemon=MTA, relay= 216.22.24.81 (may be forged)
    syslog:Oct 26 08:24:25 smtp3 sendmail13425: ID 801593 mail.info h9Q0ON2a013425: from=, size=6994, class=0, nrcpts=1, sgid=, proto=SMTP, daemon=MTA, relay= 216.22.24.85 (may be forged)
    syslog:Oct 26 08:24:25 smtp3 sendmail13435: ID 801593 mail.info h9Q0ON2a013435: from=, size=6971, class=0, nrcpts=1, sgid=, proto=SMTP, daemon=MTA, relay= 216.22.24.81 (may be forged)
    syslog:Oct 26 08:24:25 smtp3 sendmail13432: ID 801593 mail.info h9Q0ON2a013432: from=, size=6995, class=0, nrcpts=1, sgid=, proto=SMTP, daemon=MTA, relay= 216.22.24.84 (may be forged)
    syslog:Oct 26 08:24:25 smtp3 sendmail13434: ID 801593 mail.info h9Q0ON2a013434: from=, size=6965, class=0, nrcpts=1,

Slide 28: Mail Relay Testing
- mrt (obtained via ftp; URL not preserved), with the pattern file test.patterns and the message file test.message
- Usage: ./mrt -v test.patterns test.message host_ip_add

Slide 29: screenshot (not preserved)

Slide 30: mrt output
    ann# ./mrt -v ./test.patterns ./test.message 163.25.121.245
    mrt: 163.25.121.245: Error connecting: Connection refused
    mrt: 163.25.121.245: Error connecting: Connection refused
    mrt: 163.25.121.245: Error connecting: Connection refused
    mrt: 163.25.121
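The per-source accumulation of slides 17, 19 and 20 (flow, packet and byte counts for the src_IP -> dst_IP.(25) direction, then sorting and filtering against the 30/100-connection thresholds and the 100-byte mean packet size of slide 13), as an added Python example that is not the deck's own PHP + Apache monitor; the flow records, host addresses and the three sample hosts are constructed.

```python
"""Per-source SMTP flow statistics from NetFlow-style records (added example,
not the slides' own PHP + Apache monitor). Record layout is a constructed
subset of NetFlow fields; thresholds (30/100 connections, 100-byte mean
packet size) are the ones the deck reports."""
from collections import defaultdict

SMTP_PORT, TCP = 25, 6


def make_sample_flows():
    """Constructed records: (src_ip, dst_ip, src_port, dst_port, proto, pkts, bytes)."""
    flows = []
    for i in range(150):  # host A: 150 short connections to port 25, 60 B/packet
        flows.append(("140.115.0.10", "10.0.0.%d" % i, 1024 + i, 25, TCP, 3, 180))
    for i in range(40):   # host B: 40 connections carrying real messages, 500 B/packet
        flows.append(("140.115.0.20", "10.1.0.%d" % i, 2000 + i, 25, TCP, 20, 10000))
    for i in range(5):    # host C: 5 ordinary sends, plus port-25 replies and web noise
        flows.append(("140.115.0.30", "10.2.0.1", 3000 + i, 25, TCP, 15, 6000))
        flows.append(("10.2.0.1", "140.115.0.30", 25, 3000 + i, TCP, 12, 1500))
        flows.append(("140.115.0.30", "10.2.0.2", 3100 + i, 80, TCP, 9, 4000))
    return flows


def smtp_stats(flows):
    """Accumulate flow(smtp_flow_i), pkt(smtp_flow_i) and byte(smtp_flow_i) per source
    for TCP flows to destination port 25, i.e. the src_IP -> dst_IP.(25) direction."""
    stats = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0, "dsts": set()})
    for src, dst, _sport, dport, proto, pkts, nbytes in flows:
        if proto != TCP or dport != SMTP_PORT:
            continue  # replies from port 25 and non-SMTP traffic are not counted
        entry = stats[src]
        entry["flows"] += 1
        entry["pkts"] += pkts
        entry["bytes"] += nbytes
        entry["dsts"].add(dst)
    return stats


def excess_smtp_hosts(stats, flow_threshold=100, small_packet=100):
    """Sort/filter sources with more than flow_threshold connections and label each
    with the deck's mean-packet-size class (under or over small_packet bytes)."""
    rows = []
    for src, e in stats.items():
        if e["flows"] <= flow_threshold:
            continue
        mean = e["bytes"] / e["pkts"]
        size_class = "small" if mean < small_packet else "large"
        rows.append((src, e["flows"], len(e["dsts"]), round(mean, 1), size_class))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Running excess_smtp_hosts(smtp_stats(make_sample_flows()), flow_threshold=30) lists host A (150 connections to 150 destinations, small packets) and host B (40 connections, large packets); host C stays below both thresholds, and its inbound port-25 replies are never counted as its own SMTP connections.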
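Slide 10 has the administrator check /var/log/maillog once a host is flagged, and slides 24 and 27 show the sendmail from= entries with the "(may be forged)" relay marker and the MailScanner virus lines; this added Python example (not from the deck) summarises such entries per relay host. The log lines, addresses and queue ids it uses are constructed, following the format of the slides' excerpts.

```python
"""Summarise sendmail maillog entries per relay host (added example, not from
the deck). It reads the from= lines sendmail logs for each accepted message,
with the "(may be forged)" marker sendmail adds when the relay's reverse DNS
does not verify, and the MailScanner "Virus ... found" lines the slides show.
The log below is constructed in that format with documentation addresses."""
import re
from collections import defaultdict

SAMPLE_MAILLOG = """\
Oct 26 08:24:25 smtp3 sendmail[13433]: h9Q0ON2a013433: from=<a@example.net>, size=6998, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay= 192.0.2.81 (may be forged)
Oct 26 08:24:25 smtp3 sendmail[13425]: h9Q0ON2a013425: from=<b@example.net>, size=6994, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay= 192.0.2.85 (may be forged)
Oct 26 08:24:25 smtp3 sendmail[13435]: h9Q0ON2a013435: from=<c@example.net>, size=6971, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay= 192.0.2.81 (may be forged)
Nov 3 20:25:58 smtp3 sendmail[7645]: hA3CPot1007645: from=<d@example.org>, size=64607, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.200]
Nov 3 20:26:45 smtp3 mailscanner[3948]: Virus W32/Yaha-P found in file ./hA3CPot1007645/disney.zip/setup.exe
Nov 3 20:26:51 smtp3 sendmail[7958]: hA3CPot1007645: to=<user@example.edu>, delay=00:00:59, mailer=relay, stat=Sent
"""

FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=\S*, size=(?P<size>\d+),"
                     r".*relay=\s*(?P<relay>\S+)(?P<forged> \(may be forged\))?")
VIRUS_RE = re.compile(r"mailscanner\[\d+\]: Virus (?P<name>\S+) found in file \./(?P<qid>\w+)/")


def relay_summary(log_text):
    """Per relay: message count, forged-rDNS count, total bytes, virus hits.
    Virus lines are tied back to the relay through the sendmail queue id."""
    relays = defaultdict(lambda: {"msgs": 0, "forged": 0, "bytes": 0, "viruses": []})
    qid_to_relay = {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            relay = m.group("relay").strip("[]")  # relay=[ip] and relay= ip both occur
            qid_to_relay[m.group("qid")] = relay
            r = relays[relay]
            r["msgs"] += 1
            r["bytes"] += int(m.group("size"))
            r["forged"] += 1 if m.group("forged") else 0
            continue
        v = VIRUS_RE.search(line)
        if v and v.group("qid") in qid_to_relay:
            relays[qid_to_relay[v.group("qid")]]["viruses"].append(v.group("name"))
    return dict(relays)


def top_relays(summary):
    """Relays ordered by message count, the view an operator checks against a
    NetFlow alert on a host that opened an unusual number of SMTP connections."""
    return sorted(summary.items(), key=lambda kv: kv[1]["msgs"], reverse=True)
```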