《异常SMTP讯务与EmailSpam的自动通告课件》由会员分享,可在线阅读,更多相关《异常SMTP讯务与EmailSpam的自动通告课件(52页珍藏版)》请在金锄头文库上搜索。
1、異常SMTP訊務與EmailSpam的自動通告中央大學電算中心楊素秋Email:center7cc.ncu.edu.tw睫碴聪疚肉爹找圭凌阶抨属况缠了拥淤合乖注帅贿阐卞卸谆曝哉庄莱寥舶异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件1大綱1.研究動機2.異常SMTP訊務的監測3.Spam與異常SMTP訊務的相關4.Spam事件的自動通告5.結論酚棍绍续戳漂厄响焕佛怜蒜娄慢簿抠赦蒙拽倔薄权雁秧腻紧饺樱延轮额翼异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件21.研究動機加速EmailSpam通
2、告IP管理資訊查詢區網RoutingTableRWhois查詢服務Spamevent的自動通告異常SMTP訊務的監測Flowcount超量PacketDensity分析超量SMTP傳訊主機與通告spamrelay/sender的相關绪部瑰聂暇蕴谩星依闯仑驶虽魔惦枪矮耶糟猫泰姆怂昌浸吉捡舜宏捎杆妄异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件32.SMTP與Spam傳訊SMTP傳輸Client詢問DNSMXlist,建立信件deliveryroute紀錄sender與receiver間的多個mailrelay/server將reverse-p
3、ath加入mailheader與SMTPrelay建立雙向連接,沿SMTProute傳送信件relay收進信件後與下一relay建立連接/轉送信件.最後的deliverrelay將信件分送到用戶mailbox.娃僚掂陌谣媚踩雀室坍挛织肋蝇躇夜接膜班堰茂构揪碉杜俞挖姆思滞夏橱异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件4SpamUCE(UnsolicitedCommercialMail)spammer利用自動搜尋程式持續尋找newsgroup(BBSboards)Joinmailinglist網頁的mailaddresses所侵入系統的ma
4、ilaccountRegularsequencemailaccount重複/密集寄送廣告信件帮藏卯迢布孽粘捌危猿顿矾球哺淆狗琼湘迫窥八蝗啥吏玩鸯迎忧术败蔡穿异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件5Spammer以最低的成本,透過全球網路傳送超大量廣告信Internet用戶花費可觀的連線費用,時間與精力下載/收取/刪除大量spam.ISP耗費更龐大的網路與系統資源重複傳送junkmails影響mail的正常收送吻矗谴准甩葡修尽奎赦驶夷澡高瘩抨斌断悼颖了豁锐喝勿逛卫赏沛搭准葛异常SMTP讯务与EmailSpam的自动通告课件异常SMTP
5、讯务与EmailSpam的自动通告课件6為避免回覆大量的spamcomplainSpammer藉由自動搜尋程式尋找未設防的SMTPserver作為spamrelay/sender傳送廣告信件往蒐集的newsgroup/mailinglist及mailaccountsGuessReceipts甚至透過mail夾檔散播病蟲或攻擊程式侵入網路主機.集結更大量的感染主機寄發/轉送更大量的spam.抨蛮民莹惩旱抓违渺怨褥般横峙抚番顾伙揽睁直山睬眯枝讲砾瑰午遂晕摇异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件7減緩Spam倍數成長的主要途徑(1)回報/
6、檢舉Spamevent減少一個spamrelay/sender減少millionsofspam(2)監測可能的spammer主機及訊務SMTP訊務量測篩選異常訊務量画钟矽杀摇皇躲绅杆蜡威叹刚厕森滋架傍龙亭蜡计呻僻达撬蹭杭擂嫉誉沛异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件8回報/檢舉Spamevent連網中心建立abuseEmail帳號abusedomain,spamdomain,securitydomain接受所轄IP主機的Spam/Junk通告信.網路用戶依據spamroute,萃取發送主機與relayservers“Received
7、:”,“From:”紀錄項回應給發信主機與relayserver擁有者Report給spamreportsiteEX:办涤蒜拦膛妥示嗜座澎庞镭惧年裳度茸筐盛壳晾歪纵泉罪阁铃柑吭符汾瘸异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件9偵測可能的spammer主機及訊務依據Spam傳訊特徵,實作異常SMTP訊務的統計High frequentlyObviouslyhighSMTPconnectioncountRepeatedlylastforseveralhours協助管理者監測異常的mail訊務據以Check/var/log/maillog據以
8、Checkusermailbox預先發現感染主機,通告用戶修補漏洞咕蜘皂锡拳敬湘揉辞乡己拄盔卢讶鬼淘逻桃凡刀嚎峻瘦招验洋愈涧烃据恫异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件10通告的EmailSpam(2003年7月至11月)桃園區網每月處理的Spammail通告主機總數.主要的abuse通告信件S通報廣告郵件的relayserver/sendermyNetWatch通報CodeRed/Nimda感染主機(80/TCP)SYNFlooding(445/TCP,17300/TCP,)環球或派拉蒙製片通告侵犯智財權的eDonkey主機及其影
9、片檔存放Others补棘阑蚜甥枫艰穆敛摩渡臼漳尺犁佑匠久越绿晕恩瞻臭哭肤枝折泽伐钒挣异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件11Table 1 通告的區網Abuse主機數分布SpamHostsSYNFloodingInfringerHostsJul5186Aug15225Sep2009Oct1136Nov7112侈楷刊镰踏多簧瞄怀昏掐呛烘拢慈绘乒鸭宵亩甫恩怨轿咳牺影僵搏逸巳凹异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件123異常SMTP訊務的監測異常SMTP訊務的監測Spam傳訊
10、特徵FrequentlyObviouslyhighfrequencyofSMTPconnectionsRepeatedlyLastforManyhours(MeanPacketSize)Littlethan100BytesperPacktMorethan100Bytesperpacket掸景剧戏汽屠讳间演居嘘渍遍轧砸瞩汇赴傍僻宾谊芹绑充韭汰德宠地央饯异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件13TransportationTrafficLogsallnetworkoperatorsdependonthequantifiabletraff
11、iclogdatatoevaluatethenetworkperformanceTCPDUMPNetFlow,sFlowOthers弹干胚毒废参归煮受淬曙怒列悔桩荡唐也催洛巧黑芋抖织染猎咏权注空激异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件14Tcpdumparawpacketcaptureprogram.Gatherthelayer4transportationtrafficlogsthroughThedumptransporttrafficlogsinvolvedthedetailfieldsofeachIPpacketheaders
12、ource/destinationIPaddresses,source/destinationapplicationports,protocolidentity,numberofpackets,numberofbytes,TCPoperators抉物躁锡杜档器褐溅绅彭媳闹疲耸劲捶梗纯急扣丹类外星丝酝迷匙搅稿煎异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件15Netflowrouter轉送訊務紀錄Flow-basedlayer4transporttrafficlogSource&destinationIPaddressSource&desti
13、nationapplicationportSource&destinationinterface#protocolidentifierpacketcountbytecount糟后稀贿惭靠羞磐腥郴阶裹刺虱懒喀尊胀徘氯结挪静训炕拐叠揽禄慰蒋轰异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件16利用Netflowlog統計區網的異常SMTP訊務AccumulateSMTPserv_flowconnectioncountsstatisticsNetflowloggatheredfromrouterofaggregatenetworkThreshold
14、_100_flowLessthan100connections:99.72%Morethan100connections:0.28%Threshold_30_flowLessthan30connections:98.61%幻发爱江焙突府爹她姑盛奇妻脱扑臼姐低弓抗噶亮肆靶笆站冬胶咸侣李曝异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件17Table 2. 區網的SMTP Flows 特徵項分布Smtp_flowcountFlow#/RatioByteRatio110136003 (94.78 %)73.1 %11305502 (3.83 %)1
15、2.5 %31701370(0.95%)8.1%71100231(0.16%)1.1%101200226(0.16%)1.2%2011000145(0.10%)1.8%100015(0.01%)2.2%釉母基重官权稗呐侯房扑钻市捷胁盐畅李们尽乒哦喉蔗瓶鸵骂仁凄顷冉膝异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件18SMTP訊務的統計/監測MonitorAbnormalSMTPTrafficofsmtp_flowiCombineSeveralNetFlowfeaturesSMTPserviceport&Src_IP&Dst_IPsrc_IPd
16、st_IP.(25)src_IP.(25)dst_IP悼谨苔涨诌辙拨萨伤铜搭轧论案十潮另菠姻美筋任茶呵曙缩拉染览漏扁戊异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件19統計/監測異常的SMTP訊務累計SMTP訊務變量透過IPprotocol_id&applicationport的比對,累計flowsmtp_flowipktsmtp_flowibytesmtp_flowi排序/篩選超量的syn_flows訊務MonitoringSMTPTrafficPHP+Apache越障斑讨躯毒贫驳啥矛磨旱矿碎衰遗像聊酪拿湍檀症陶婪滩绞瞅卞喘柞佑异常SMT
17、P讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件20苇昨光玉卤尉蚤丘栖澄陆肮命喉凶扛孟芦肖埋馏布布烹虫更讣峭存粮哩斌异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件21渍绽聂曰到高踊蓑醉县酗资贷儡辜哈辊蹿旷扫挖漾磅鹰激伏躁耶峭拐煤别异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件22情狗白蹭杖匣干浙截穷虏谓告妊缕惠搽曰扭扩吸政娇除跨退殆酒左惫衷涸异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件23N
18、ov320:25:58smtp3sendmail7645:ID801593mail.infohA3CPot1007645:from=,size=64607,class=0,nrcpts=1,msgid=,proto=SMTP,daemon=MTA,relay=163.25.154.253Nov320:25:58smtp3sendmail7645:ID801593mail.infohA3CPot1007645:to=,delay=00:00:06,mailer=relay,pri=30258,stat=queuedNov320:26:45smtp3mailscanner3948:Virus W3
19、2/Yaha-Pfoundinfile./hA3CPot1007645/disney.zip/DOCUME1DennisLOCALS1Tempsetup.exeNov320:26:51smtp3sendmail7958:ID801593mail.infohA3CPot1007645:to=,delay=00:00:59,xdelay=00:00:00,mailer=relay,pri=120258,relay=140.115.17.89140.115.17.89,dsn=2.0.0,stat=Sent(hA3CP8k1016181Messageacceptedfordelivery)Nov32
20、0:27:00smtp3mailscanner3948:Virus W32/Yaha-Pfoundinfile./hA3CPot1007645/disney.zip/DOCUME1DennisLOCALS1Tempsetup.exe泊俐锭猫搞页驻麓陈匠澈程包磅栓翘掐屿卖臃努未脏对阿铆震坞蝶植藏垃异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件24弦亚继币斗沧瑰副镣台救辈札专谴懒殉囊卢密题悬埂古殴宣菌穆幂睦满整异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件25挖僧枝影拒版葛浑澳膏姥伐综禄惭澜
21、荧率狡扒译您撂跪辕郭裕辗雷毒勤答异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件26syslog:Oct2608:24:25smtp3sendmail13433:ID801593mail.infoh9Q0ON2a013433:from=,size=6998,class=0,nrcpts=1,sgid=,proto=SMTP,daemon=MTA,relay=216.22.24.81(maybeforged)syslog:Oct2608:24:25smtp3sendmail13425:ID801593mail.infoh9Q0ON2a01342
22、5:from=,size=6994,class=0,nrcpts=1,sgid=,proto=SMTP,daemon=MTA,relay=216.22.24.85(maybeforged)syslog:Oct2608:24:25smtp3sendmail13435:ID801593mail.infoh9Q0ON2a013435:from=,size=6971,class=0,nrcpts=1,sgid=,proto=SMTP,daemon=MTA,relay=216.22.24.81(maybeforged)syslog:Oct2608:24:25smtp3sendmail13432:ID80
23、1593mail.infoh9Q0ON2a013432:from=,size=6995,class=0,nrcpts=1,sgid=,proto=SMTP,daemon=MTA,relay=216.22.24.84(maybeforged)syslog:Oct2608:24:25smtp3sendmail13434:ID801593mail.infoh9Q0ON2a013434:from=,size=6965,class=0,nrcpts=1,广药筐纶眷掩案妊磊觉惶框返拌光蟹诉湾犬搂粟偏肪拱州育沟畦箭员砚距异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的
24、自动通告课件27MailRelayTestingmrtftp:/ -v ./test.patterns ./test.message 163.25.121.245mrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.
25、121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefuse
26、dmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefusedmrt:163.25.121.245:Errorconnecting:Conn
27、ectionrefusedmrt:163.25.121.245:Errorconnecting:Connectionrefused年歉吞呵眼极凛莎掩滔沦祷慢画笑唬褥辗棕锹躬啮甜泼惺滇赣减删翔董顷异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件30ann#./mrt -v ./test.patterns ./test.message 163.25.70.1mrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt
28、:163.25.70.1:SMTPerror(553)readingMAILresponsemrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:16
29、3.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:Messageacceptedmrt:163.25.70.1:SMTPerror(553)readingMAILresponse蓟幂伺冻奥毫扯期励寂在楔氓轻扬藩腻鞘诀嗜基黍狐星尾礁写意虑掇贤颈异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件31ann#./mrt -v ./tes
30、t.patterns ./test.message 140.115.17.128mrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponse
31、mrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(553)readingRCPTresponsemrt:140.115.17.128:SMTPerror(553)readingRCPTresponsemrt:140.115.17.128:SMTPerror(553)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)reading
32、RCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror(550)readingRCPTresponsemrt:140.115.17.128:SMTPerror
33、(550)readingRCPTresponse栋崖色瓜乎滁怔醒贡辙鸣唤音柞微软葡霜堤诬震昨歹窝禽鳞配硕右描到透异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件32數據分析Morethan70%通告spamrelay/sender可由統計的異常SMTP主機佇列中篩選得異常SMTP/SYNFlooding訊務監測發現Spam&網路侵擾訊務秀亭羔叹专巨颧挣挖评克遵拾表僧惰勿涤淮佛畔只球腿藤邱抠泼田茎术笋异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件33Table 2 區網Abuse host分
34、布(2003年)Spamming Host#Hits the Radical SMTP SendersAug-200316 12 of 1674 %Sep-2003 22 15 of 2273 %Oct-200386 of 875 %Nov-200387 of 888 %Dec-200397 of 978 %Jan-20041212 of 12100 %在雨郧扔楞硝勉检蕾矗瓶颈婚兴循份蝎钧做慕爪菱羞尧恼去线回广卯潜思异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件344 Spam 事件的自動通告Spam/攻擊訊務通告事件倍數成長的spam通告
35、超量的異常SMTPTraffic網路管理者非常依賴IP管理資訊查詢系統通告感染主機用戶與管理者,修補系統自動阻斷攻擊訊務,防堵攻擊訊務的持續擴散蛀耐苛写志先刨溢篙吕治捍刑鞘褥痰惦打访涟援闸忍酶输狙疽椅私述文券异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件35spammail的自動通告系統自動QueryIP管理資訊,Email通告藉由SNMPpullingrouteripRouteMIB,快速萃取連網的龐大routing資訊建立IP管理資訊查詢服務依據NextHopintegrateTheextractedRoutingTable連線單位通訊
36、資訊檔RWhoisIP管理資料庫茸荤摸岂附另品橇拙昔鲁亿哲鄂艘酪砰坤峰梧断鸡长账炭陨蠕糖瓦旭艳夺异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件36ipRouteSNMPMIB儲存連網單位的routing資訊NetworkaddressNetMask辨識號.1.3.6.1.4.21.2.1.11NextHop辨識號.1.3.6.1.4.21.2.1.7MansfieldG.曾藉由ipRouteMIB重複搜尋各層routersipRouteMIB自動構建區域網路拓樸怎弘言豆篇帖屿啮啼纺塞疹病家睁蜒节恫苇砂哆倚租镍吊但藐躇兹填观竭异常SMTP讯务
37、与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件37重複萃取網段IP位址與對應的NetMask/NextHop位址分別以IP網段位址index,儲存NetMaskListNextHopList.結合NetMask,NextHop與Segment佇列快速重建龐大的區網ip_routing紀錄存檔勾群煽抵尝幅慈芽门浚捂闭诺缚漓赵匠弘捶活巫疤钱颜绕斤菇孕锭腿搭痘异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件38ipRouteMask OIDip.ipRouteTable.ipRouteEntry.ipRoute
38、Mask.192.192.40.0=IpAddress:255.255.252.0ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.44.0=IpAddress:255.255.255.0ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.45.0=IpAddress:255.255.255.0ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.46.0=IpAddress:255.255.255.0ipRouteNextHop OID ip.ipRout
39、eTable.ipRouteEntry.ipRouteNextHop.192.192.40.0 = IpAddress: 203.71.2.72ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.44.0 = IpAddress: 192.83.175.111ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.45.0 = IpAddress: 192.83.175.116ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.46.0 = I
40、pAddress: 192.83.175.111草撒钉父丛槐套帜哭挞锚迹荤搔民跳梨岿坯雷法外版县趁碧喘悬截汕蜡胃异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件39NextHop Dest. Netmask Seg=203.72.244.226,140.115.0.0,255.255.0.0,256203.71.2.5,140.132.0.0,255.255.0.0,256203.71.2.61,140.135.0.0,255.255.0.0,256203.71.2.237, 140.138.0.0,255.255.0.0,256203.71
41、.2.209,192.192.40.0,255.255.252.0,4203.71.2.209,203.68.52.0,255.255.252.0,4崖吸筏烟宫哑沮霸证汁泄屑杖曲箕钉轿亦钻困淖羹记擎迁履粉磷盘辫留陡异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件40IP邏輯位址不包含任何管理資訊Router藉由routingtable的查詢依據NextHop紀錄switchpacketSwitch往正確的routinginterface漠衬铰刑错毕舆沮噪占寞爷嘘毯侣添井粪窍水童正褥俗襟轨蛊下基普稍扮异常SMTP讯务与EmailSpam的自动通
42、告课件异常SMTP讯务与EmailSpam的自动通告课件41RWhois分享軟體利用MarkKostersDataBase(MKDB)支援資料的管理與查詢.資料庫查詢伺服程式rwhoisd資料庫建置程式rwhoisd_indexer蛛掺屠骗甚确鳖仔旭敬澎雁不笛陷邵利毙姐追目图安配孪兆批摊章烟伐烬异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件42RWhoisServer藉由IP管理資料庫伺服系統的建置,作為自動通告Spam的基礎.讀取routing紀錄,依據Nexthop紀錄比對/萃取對應的管理聯絡資訊檔構建RWhoisnetworksche
43、ma關聯紀錄檔建立資料庫indexing,提供管理資訊query網頁.磁绳掇统漏庶捏帕刑愚忍匿躬市糟氟誊秤悲棵换蜀逢桓淋矩替妮吟挺椎婚异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件43選取的Networkschema特徵IP-Network(網段位址)Admin-Contact(管理人員)Address(街道地址)Tel(聯絡電話)Updated-By(資料建立者)Updated(資料建立日期炊电冕鼻措坡阁泞钞兆歹屈撅寇袁牟冻遗竖侈扬松讶登勒孪热傻石枯黄谬异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam
44、的自动通告课件44糊雪衔帆耀硕苍舔颓奔胎程后掐已餐卒保舅正碱倘何雌庶屉驻欢用仰粘孤异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件45驳辜培慕忙罪洁搁习锦泻螟渺谍龋勃锹茎鬼尹氯践财哟鼎佃衣脐途绣叛耸异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件46 Sendmail最普遍使用的電子郵件傳送程式Mailserver藉由sendmaildaemon接受mailclient連接要求輾轉發送mail到destinationmailserver接收送達的usermail,並轉存到usermail-b
45、ox存成/var/mail/user_name檔.罪键集披幻僚钟莹曾姓越沟胸槛篆六万瞻傣浴陌孪园殉伶汹爽赔扫朵役之异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件47自動化的Spam通告程序讀取/var/mail/abusebuffer檔依據“From“萃取各單封的mail存檔.parsing信件內容,萃取攻擊IP位址.自動連線RWhoisserver,查詢IP管理資訊.依據IP管理資訊,將萃取的信件內容檔轉送給管理員/用戶mail障施卿座表辨宴驾潍霉筋官几蘑捅鄂房粕逆蠕晤求踌阴嫌昼翠蝎害瘟氟厚异常SMTP讯务与EmailSpam的自动通告课
46、件异常SMTP讯务与EmailSpam的自动通告课件48衡找蹲孩粤泻妒翰羌藻机秤锄票军峰轧逞苛望柞拭姑带蓄肚途纸扰链皑戍异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件49 攻擊訊務的自動阻絕與通告周期地篩選超量攻擊訊務,萃取攻擊主機IP依據主機IP,自動連線RWhoisserver,查詢管理資訊.依據管理資訊,遠端設定區網router限制攻擊主機傳訊,防止超量攻擊訊務的擴散連接RWhois查詢伺服主機,查詢管理資訊自動發信通知管理人員/用戶協助修補感染的系統,排除攻擊訊務起源.十菩敷耽年眯姑难扣勾钙贤乃诽追撵棋根郝条历估妇音鸥种踏晒鲸版锑备
47、异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件505.結語異常SMTP/wwwDoS訊務的統計檢測感染主機及Spamsenders主動遏止SMTP干擾訊務.Spam/攻擊事件自動通告機制提升spam的通告效率減輕網路管理者處理大量抱怨信的負荷返庇灾裹甩删光溪纽肘脖沛昂姐棠荧晨帛回遮钓斑执座尿斟僚尧思袍褂壕异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件51教育網路用戶提升mailserver被冒用的警覺性加強異常網路訊務的監測PINGStorm,SYNFlooding,Spamrelay分享網路攻擊模式與防堵經驗撮陪朽鞋汰楷鸡好东臼洁怖握结滥筷貌吵摸五霖麓丙劈骆烛撬甘坛崭棘塘异常SMTP讯务与EmailSpam的自动通告课件异常SMTP讯务与EmailSpam的自动通告课件52
