SlideShare a Scribd company logo

Scanning for open relay using RBLs to block spam at source

Thomas Mangin
Thomas Mangin

An attempt to create a spam detection framework working near the source of spam.

TechnologyNews & Politics
1 of 27
Download to read offline
ScavengerEXA An open source program To fight spam at the source Thomas Mangin Exa Networks UKNOF 12 2009/02/13 http://wiki.exa.org.uk/doku.phpdo=export_s5&id=scavenger:uknof12
The spam battle - Yesterday Mouse: Using existing mail servers, open relay Few high volume source Cat: scanning for open relay Using RBL -> Trying to block the spam at the source
The spam battle - Today Mouse: BOTNETs, Spammers creating their own spam infrastructure Lots of “low” volume source Cat: Bots are simple, not RFC compliant (Greylisting) Spam traps -> RBLs when all fails ask SpamAssasin for some CPU time -> The defense is now at the receiving end
The spam battle - Tomorrow Mouse: Larger, more clever bots, able to bypass greylisting Better spam distribution to become more stealthy Cat: Trying to block bots faster, so they send less -> It looks bleak, doesn't it ?
Using my crystal ball What will not change: The use of bots The use of out of date email address databases Compromised machine sending spam but no mail before or after. What should change: Postmaster should get help some help from the 'network', spammers do. The fight should be brought back to the edge
Why am I here ? 1- present ScavengerEXA 2 - reduce the spam in //my// mailbox 3 - ? 4 - profit .. not ! Get help from the community to produce a turn key solution Convince some to help us with an high profile deployment
What is scavengerEXA On the net: http://www.thefreedictionary.com/scavenger Alteration of Middle English scauager, schavager, official charged with street maintenance In my book: An carnivore eating Junk created by Exa http://en.wikipedia.org/wiki/Carnivore_(FBI) http://en.wikipedia.org/wiki/Junk_mail http://en.wikipedia.org/wiki/Exa-
ScavengerEXA Design A collection of several application working together through the network mail conversation capture program dispatch server policy server (postfix policy server alike) action servers (email, block spam, etc. the part no ISP wants the same) a dummy MTA (return 450 on all messages)
Capture libpcap based application keep a track of the smtp conversation: client command, parameter EHLO [127.0.0.1] RCPT TO: <user@domain.com> mail server answers 250 Please to meet you 550 user does not exists here Ignore the body of the mail Transmit a UDP packet for each command to the dispatching server
UDP Message Content key=value structure, with the following keys (in no particular order) for each unique si:sp -> di:dp or=pacp (how the packet was created) in=unique random id (identifying the SMTP conversation) si=source IP, the potential bot di=destination IP, mail server contacted he=EHLO/HELO string st=state (HELO,MAIL,RCPT,DATA,END-OF-DATA) re=last recpient email address rc=number of recpient in the mail se=sender email address co=smtp response code
Example Mail conversation 220 mail server listing HELO [127.0.0.1] 250 mx.domain.com MAIL FROM: test@domain.com 250 2.1.0 Ok RCPT TO: user@spammed.com 550 5.7.1 <user@spammed.com>: Recipient address rejected: no such user <Disconnection> We do not track smtp auth information atm
UDP Message sent 1/3 HELO [127.0.0.1] 250 mx.domain.com or=pcap co=250 di=4.3.2.1 rc=0 st=EHLO re= si=1.2.3.4 in=01.3c6b.4e.c0c3 se= he=[127.0.0.1]
UDP Message sent 2/3 MAIL FROM: test@domain.com 250 2.1.0 Ok or=pcap co=250 di=4.3.2.1 rc=0 st=MAIL re= si=1.2.3.4 in=01.3c6b.4e.c0c3 se=test@domain.com he=[127.0.0.1]
UDP Message sent 3/3 RCPT TO: user@spammed.com 550 5.7.1 <user@spammed.com>: Recipient address rejected: no such user or=pcap co=550 di=4.3.2.1 rc=1 st=RCPT re=user@spammed.com si=1.2.3.4 in=01.3c6b.4e.c0c3 se=test@domain.com he=[127.0.0.1]
Dispatch Logic 1 - Receive the UDP message from a capture source Figure out a policy server (hash on sender IP) 2 - Generate a TCP message for that policy server with the same information as the UDP contained 3 - Wait for the answer from the policy server 4 - If the policy server reports it is spam 5 - Generate a/several TCP message(s) to action server(s) Prevent new message to the Policy Server from the spammer
Message Flow
Policy Daemon Based on the code of Exa's internal Postfix Policy Delegation Daemon (the daemon can still be used with Postfix) Use the UDP message format instead of Postfix's Returns: HAM HOLD <IP> (<duration>) <reason> FILTER <IP> [<MTA IP:PORT>] (<duration>) <reason> an MTA of [0.0.0.0:00000] mean that the MTA used to filter the message is left to the software performing the blocking to decide.
Policy Daemon A clear API for its spam classfication plugins with constraint, run if the message match what you are monitoring the backend DB is MySQL ... Explaining its design would take another 20 slides writing plugins is **//simple//** Each plugin has its own database connection. support MySQL, PostgreSQL or Sqlite3
Action Mail You may want to use this action whatever else you do. Takes a HOLD or FILTER message Emails you the suspected spammer information
Action Netfilter Read a Linux machine netfilter rules. Force Transproxying of mail to a specified MTA on receipt of a FILTER rule Remove the FILTERING when the filtering period is over Keep state across reboots
Deployment Example
Deployment Example
It is F.R.E.E Licensed under the Affero GPL 3.0 Each ScavengerEXA program being a separate entity, there is no problem implementing a new server under a proprietary licence. AFAIK, IMNAL
It is available now Public SVN Tree http://svn.exa.org.uk/scavenger/trunk Fisheye http://fisheye.exa.org.uk/browse/scavenger/ provides nice delta of changes RSS feed of commits Mailing list http://mailman.exa.org.uk/mailman/listinfo
Build on solid foundations Python, tested with version 2.5.2 Twisted Matrix, event-driven networking engine Python packet capture library (pcap) Python dump packet module (dpkt) Optional MySQL or PostgreSQL For more information see: http://wiki.exa.org.uk/scavenger/faq
Thank you to Richard Clayton SpamHINTS http://www.spamhints.org/
Questions ? Want to know more: website: http://scavenger.exa.org.uk/ Contact us: email: scavenger (at) exa (dot) org (dot) uk Thank you for listening.

Recommended

ExaBGP at LINX 83
ExaBGP at LINX 83ExaBGP at LINX 83
ExaBGP at LINX 83Thomas Mangin
 
Naked BGP
Naked BGPNaked BGP
Naked BGPThomas Mangin
 
SDN-IP Peering using BGP
SDN-IP Peering using BGPSDN-IP Peering using BGP
SDN-IP Peering using BGPUmesh Krishnaswamy
 
6.Routing
6.Routing6.Routing
6.Routingphanleson
 
Jingle: Cutting Edge VoIP
Jingle: Cutting Edge VoIPJingle: Cutting Edge VoIP
Jingle: Cutting Edge VoIPmattjive
 
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPDynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPMaximilan Wilhelm
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Maximilan Wilhelm
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 

Recommended

ExaBGP at LINX 83
ExaBGP at LINX 83ExaBGP at LINX 83
ExaBGP at LINX 83Thomas Mangin
 
Naked BGP
Naked BGPNaked BGP
Naked BGPThomas Mangin
 
SDN-IP Peering using BGP
SDN-IP Peering using BGPSDN-IP Peering using BGP
SDN-IP Peering using BGPUmesh Krishnaswamy
 
6.Routing
6.Routing6.Routing
6.Routingphanleson
 
Jingle: Cutting Edge VoIP
Jingle: Cutting Edge VoIPJingle: Cutting Edge VoIP
Jingle: Cutting Edge VoIPmattjive
 
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPDynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPMaximilan Wilhelm
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Maximilan Wilhelm
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
IPv6 im Jahre 2018
IPv6 im Jahre 2018IPv6 im Jahre 2018
IPv6 im Jahre 2018Maximilan Wilhelm
 
Wireshark
WiresharkWireshark
Wiresharkashiesh0007
 
Fcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall NatFcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall Natnarayannpp
 
Anycast all the things
Anycast all the thingsAnycast all the things
Anycast all the thingsMaximilan Wilhelm
 
Netzwerkgrundlagen - Von Ethernet bis IP
Netzwerkgrundlagen - Von Ethernet bis IPNetzwerkgrundlagen - Von Ethernet bis IP
Netzwerkgrundlagen - Von Ethernet bis IPMaximilan Wilhelm
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetjulianlz
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFMaximilan Wilhelm
 
Ospfv3 News version 2
Ospfv3 News version 2Ospfv3 News version 2
Ospfv3 News version 2Fred Bovy
 
Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesPrzemysław Piotrowski
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdumpLev Walkin
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetSwarup Hait
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackMaximilan Wilhelm
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentationEmin Abdul Azeez
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
IPv6
IPv6IPv6
IPv6edgarjgonzalezg
 
TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-WiresharkHarsh Singh
 
Tunnel & vpn1
Tunnel & vpn1Tunnel & vpn1
Tunnel & vpn1ariesubagyo
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsToradex
 
Internet innovation with Multipath TCP
Internet innovation with Multipath TCPInternet innovation with Multipath TCP
Internet innovation with Multipath TCPOlivier Bonaventure
 
ExaProxy
ExaProxyExaProxy
ExaProxyThomas Mangin
 
LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?Thomas Mangin
 

More Related Content

What's hot

introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
Fcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall NatFcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall Natnarayannpp
 
Netzwerkgrundlagen - Von Ethernet bis IP
Netzwerkgrundlagen - Von Ethernet bis IPNetzwerkgrundlagen - Von Ethernet bis IP
Netzwerkgrundlagen - Von Ethernet bis IPMaximilan Wilhelm
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetjulianlz
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFMaximilan Wilhelm
 
Ospfv3 News version 2
Ospfv3 News version 2Ospfv3 News version 2
Ospfv3 News version 2Fred Bovy
 
Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesPrzemysław Piotrowski
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdumpLev Walkin
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetSwarup Hait
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackMaximilan Wilhelm
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-WiresharkHarsh Singh
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsToradex
 
Internet innovation with Multipath TCP
Internet innovation with Multipath TCPInternet innovation with Multipath TCP
Internet innovation with Multipath TCPOlivier Bonaventure
 

What's hot (20)

introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linux
 
IPv6 im Jahre 2018
IPv6 im Jahre 2018IPv6 im Jahre 2018
IPv6 im Jahre 2018
 
Wireshark
WiresharkWireshark
Wireshark
 
Fcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall NatFcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall Nat
 
Anycast all the things
Anycast all the thingsAnycast all the things
Anycast all the things
 
Netzwerkgrundlagen - Von Ethernet bis IP
Netzwerkgrundlagen - Von Ethernet bis IPNetzwerkgrundlagen - Von Ethernet bis IP
Netzwerkgrundlagen - Von Ethernet bis IP
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheet
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
 
Ospfv3 News version 2
Ospfv3 News version 2Ospfv3 News version 2
Ospfv3 News version 2
 
Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptables
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdump
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheet
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
 
IPv6
IPv6IPv6
IPv6
 
TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-Wireshark
 
Tunnel & vpn1
Tunnel & vpn1Tunnel & vpn1
Tunnel & vpn1
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux Systems
 
Internet innovation with Multipath TCP
Internet innovation with Multipath TCPInternet innovation with Multipath TCP
Internet innovation with Multipath TCP
 

Viewers also liked

LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?Thomas Mangin
 
flowspec @ APF 2013
flowspec @ APF 2013flowspec @ APF 2013
flowspec @ APF 2013Tom Paseka
 

Viewers also liked (6)

ExaProxy
ExaProxyExaProxy
ExaProxy
 
LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?LINX 83 ExaBGP as a route server ?
LINX 83 ExaBGP as a route server ?
 
IXLeeds
IXLeeds IXLeeds
IXLeeds
 
AS-STATS
AS-STATSAS-STATS
AS-STATS
 
VOIP QOS
VOIP QOSVOIP QOS
VOIP QOS
 
flowspec @ APF 2013
flowspec @ APF 2013flowspec @ APF 2013
flowspec @ APF 2013
 

Similar to Scanning for open relay using RBLs to block spam at source

vishal_sharma: python email sending software
vishal_sharma: python email sending software vishal_sharma: python email sending software
vishal_sharma: python email sending software vishal sharma
 
E-Mail - Technical Overview
E-Mail - Technical OverviewE-Mail - Technical Overview
E-Mail - Technical OverviewVenkatesh Iyer
 
Chat app case study - xmpp vs SIP
Chat app case study - xmpp vs SIPChat app case study - xmpp vs SIP
Chat app case study - xmpp vs SIPGenora Infotech
 
Lecture 5 internet-protocol_assignments
Lecture 5 internet-protocol_assignmentsLecture 5 internet-protocol_assignments
Lecture 5 internet-protocol_assignmentsSerious_SamSoul
 
Intro KaKao MRTE (MySQL Realtime Traffic Emulator)
Intro KaKao MRTE (MySQL Realtime Traffic Emulator)Intro KaKao MRTE (MySQL Realtime Traffic Emulator)
Intro KaKao MRTE (MySQL Realtime Traffic Emulator)I Goo Lee
 
An Effective Spam Protection System
An Effective Spam Protection SystemAn Effective Spam Protection System
An Effective Spam Protection SystemApollo_n
 
SMTP and TCP protocol
SMTP and TCP protocolSMTP and TCP protocol
SMTP and TCP protocolDivyaKS18
 
香港六合彩 &raquo; SlideShare
香港六合彩 &raquo; SlideShare香港六合彩 &raquo; SlideShare
香港六合彩 &raquo; SlideSharebiyu
 
Baocao Web Tech Java Mail
Baocao Web Tech Java MailBaocao Web Tech Java Mail
Baocao Web Tech Java Mailxicot
 
Technical Background Overview Ppt
Technical Background Overview PptTechnical Background Overview Ppt
Technical Background Overview PptAntonio Ieranò
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
Cyber security and ethical hacking 3
Cyber security and ethical hacking 3Cyber security and ethical hacking 3
Cyber security and ethical hacking 3Mehedi Hasan
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networksUC San Diego
 
Elegant Systems Integration w/ Apache Camel
Elegant Systems Integration w/ Apache CamelElegant Systems Integration w/ Apache Camel
Elegant Systems Integration w/ Apache CamelPradeep Elankumaran
 

Similar to Scanning for open relay using RBLs to block spam at source (20)

spam.ppt
spam.pptspam.ppt
spam.ppt
 
vishal_sharma: python email sending software
vishal_sharma: python email sending software vishal_sharma: python email sending software
vishal_sharma: python email sending software
 
EmailTracing.ppt
EmailTracing.pptEmailTracing.ppt
EmailTracing.ppt
 
E-Mail - Technical Overview
E-Mail - Technical OverviewE-Mail - Technical Overview
E-Mail - Technical Overview
 
Chat app case study - xmpp vs SIP
Chat app case study - xmpp vs SIPChat app case study - xmpp vs SIP
Chat app case study - xmpp vs SIP
 
XML-RPC and SOAP (April 2003)
XML-RPC and SOAP (April 2003)XML-RPC and SOAP (April 2003)
XML-RPC and SOAP (April 2003)
 
Lecture 5 internet-protocol_assignments
Lecture 5 internet-protocol_assignmentsLecture 5 internet-protocol_assignments
Lecture 5 internet-protocol_assignments
 
Intro KaKao MRTE (MySQL Realtime Traffic Emulator)
Intro KaKao MRTE (MySQL Realtime Traffic Emulator)Intro KaKao MRTE (MySQL Realtime Traffic Emulator)
Intro KaKao MRTE (MySQL Realtime Traffic Emulator)
 
An Effective Spam Protection System
An Effective Spam Protection SystemAn Effective Spam Protection System
An Effective Spam Protection System
 
SMTP and TCP protocol
SMTP and TCP protocolSMTP and TCP protocol
SMTP and TCP protocol
 
Unix Administration 5
Unix Administration 5Unix Administration 5
Unix Administration 5
 
香港六合彩 &raquo; SlideShare
香港六合彩 &raquo; SlideShare香港六合彩 &raquo; SlideShare
香港六合彩 &raquo; SlideShare
 
Baocao Web Tech Java Mail
Baocao Web Tech Java MailBaocao Web Tech Java Mail
Baocao Web Tech Java Mail
 
Networking
NetworkingNetworking
Networking
 
Technical Background Overview Ppt
Technical Background Overview PptTechnical Background Overview Ppt
Technical Background Overview Ppt
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
Cyber security and ethical hacking 3
Cyber security and ethical hacking 3Cyber security and ethical hacking 3
Cyber security and ethical hacking 3
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networks
 
Elegant Systems Integration w/ Apache Camel
Elegant Systems Integration w/ Apache CamelElegant Systems Integration w/ Apache Camel
Elegant Systems Integration w/ Apache Camel
 
Unit 8 Java
Unit 8 JavaUnit 8 Java
Unit 8 Java
 

Recently uploaded

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Scanning for open relay using RBLs to block spam at source

  • 1. ScavengerEXA An open source program To fight spam at the source Thomas Mangin Exa Networks UKNOF 12 2009/02/13 http://wiki.exa.org.uk/doku.phpdo=export_s5&id=scavenger:uknof12
  • 2. The spam battle - Yesterday Mouse: Using existing mail servers, open relay Few high volume source Cat: scanning for open relay Using RBL -> Trying to block the spam at the source
  • 3. The spam battle - Today Mouse: BOTNETs, Spammers creating their own spam infrastructure Lots of “low” volume source Cat: Bots are simple, not RFC compliant (Greylisting) Spam traps -> RBLs when all fails ask SpamAssasin for some CPU time -> The defense is now at the receiving end
  • 4. The spam battle - Tomorrow Mouse: Larger, more clever bots, able to bypass greylisting Better spam distribution to become more stealthy Cat: Trying to block bots faster, so they send less -> It looks bleak, doesn't it ?
  • 5. Using my crystal ball What will not change: The use of bots The use of out of date email address databases Compromised machine sending spam but no mail before or after. What should change: Postmaster should get help some help from the 'network', spammers do. The fight should be brought back to the edge
  • 6. Why am I here ? 1- present ScavengerEXA 2 - reduce the spam in //my// mailbox 3 - ? 4 - profit .. not ! Get help from the community to produce a turn key solution Convince some to help us with an high profile deployment
  • 7. What is scavengerEXA On the net: http://www.thefreedictionary.com/scavenger Alteration of Middle English scauager, schavager, official charged with street maintenance In my book: An carnivore eating Junk created by Exa http://en.wikipedia.org/wiki/Carnivore_(FBI) http://en.wikipedia.org/wiki/Junk_mail http://en.wikipedia.org/wiki/Exa-
  • 8. ScavengerEXA Design A collection of several application working together through the network mail conversation capture program dispatch server policy server (postfix policy server alike) action servers (email, block spam, etc. the part no ISP wants the same) a dummy MTA (return 450 on all messages)
  • 9. Capture libpcap based application keep a track of the smtp conversation: client command, parameter EHLO [127.0.0.1] RCPT TO: <user@domain.com> mail server answers 250 Please to meet you 550 user does not exists here Ignore the body of the mail Transmit a UDP packet for each command to the dispatching server
  • 10. UDP Message Content key=value structure, with the following keys (in no particular order) for each unique si:sp -> di:dp or=pacp (how the packet was created) in=unique random id (identifying the SMTP conversation) si=source IP, the potential bot di=destination IP, mail server contacted he=EHLO/HELO string st=state (HELO,MAIL,RCPT,DATA,END-OF-DATA) re=last recpient email address rc=number of recpient in the mail se=sender email address co=smtp response code
  • 11. Example Mail conversation 220 mail server listing HELO [127.0.0.1] 250 mx.domain.com MAIL FROM: test@domain.com 250 2.1.0 Ok RCPT TO: user@spammed.com 550 5.7.1 <user@spammed.com>: Recipient address rejected: no such user <Disconnection> We do not track smtp auth information atm
  • 12. UDP Message sent 1/3 HELO [127.0.0.1] 250 mx.domain.com or=pcap co=250 di=4.3.2.1 rc=0 st=EHLO re= si=1.2.3.4 in=01.3c6b.4e.c0c3 se= he=[127.0.0.1]
  • 13. UDP Message sent 2/3 MAIL FROM: test@domain.com 250 2.1.0 Ok or=pcap co=250 di=4.3.2.1 rc=0 st=MAIL re= si=1.2.3.4 in=01.3c6b.4e.c0c3 se=test@domain.com he=[127.0.0.1]
  • 14. UDP Message sent 3/3 RCPT TO: user@spammed.com 550 5.7.1 <user@spammed.com>: Recipient address rejected: no such user or=pcap co=550 di=4.3.2.1 rc=1 st=RCPT re=user@spammed.com si=1.2.3.4 in=01.3c6b.4e.c0c3 se=test@domain.com he=[127.0.0.1]
  • 15. Dispatch Logic 1 - Receive the UDP message from a capture source Figure out a policy server (hash on sender IP) 2 - Generate a TCP message for that policy server with the same information as the UDP contained 3 - Wait for the answer from the policy server 4 - If the policy server reports it is spam 5 - Generate a/several TCP message(s) to action server(s) Prevent new message to the Policy Server from the spammer
  • 17. Policy Daemon Based on the code of Exa's internal Postfix Policy Delegation Daemon (the daemon can still be used with Postfix) Use the UDP message format instead of Postfix's Returns: HAM HOLD <IP> (<duration>) <reason> FILTER <IP> [<MTA IP:PORT>] (<duration>) <reason> an MTA of [0.0.0.0:00000] mean that the MTA used to filter the message is left to the software performing the blocking to decide.
  • 18. Policy Daemon A clear API for its spam classfication plugins with constraint, run if the message match what you are monitoring the backend DB is MySQL ... Explaining its design would take another 20 slides writing plugins is **//simple//** Each plugin has its own database connection. support MySQL, PostgreSQL or Sqlite3
  • 19. Action Mail You may want to use this action whatever else you do. Takes a HOLD or FILTER message Emails you the suspected spammer information
  • 20. Action Netfilter Read a Linux machine netfilter rules. Force Transproxying of mail to a specified MTA on receipt of a FILTER rule Remove the FILTERING when the filtering period is over Keep state across reboots
  • 23. It is F.R.E.E Licensed under the Affero GPL 3.0 Each ScavengerEXA program being a separate entity, there is no problem implementing a new server under a proprietary licence. AFAIK, IMNAL
  • 24. It is available now Public SVN Tree http://svn.exa.org.uk/scavenger/trunk Fisheye http://fisheye.exa.org.uk/browse/scavenger/ provides nice delta of changes RSS feed of commits Mailing list http://mailman.exa.org.uk/mailman/listinfo
  • 25. Build on solid foundations Python, tested with version 2.5.2 Twisted Matrix, event-driven networking engine Python packet capture library (pcap) Python dump packet module (dpkt) Optional MySQL or PostgreSQL For more information see: http://wiki.exa.org.uk/scavenger/faq
  • 26. Thank you to Richard Clayton SpamHINTS http://www.spamhints.org/
  • 27. Questions ? Want to know more: website: http://scavenger.exa.org.uk/ Contact us: email: scavenger (at) exa (dot) org (dot) uk Thank you for listening.