ando@bbsec.co.jp botnet OP25B? IW2006 2 1
? DHA WWW PC IW2006 3 DHA? User Unknown DATA? IW2006 4 2
IW2006 5 ML User Unknown User Unknown tempfail User Unknown MX IW2006 6 3
? SMTP SMTP Sendmail Milter ISP User unknown IW2006 7 (MX) (POP/IMAP) (Submission) Internet User Unknown Sendmail Flow-Control Filter IW2006 8 4
RBL IP? RBL? bot IP IP ISP IW2006 9 ISP OP25B 2005 port25 bot PC ISP port 587 ISP bot ISP... ISP ISP bot IW2006 10 5
ISP OP25B bot Outbound port 25 Blocking Internet POP/SSL IMAP/TLS (POP/IMAP) (Submission) SMTP AUTH/TLS Message Submission IW2006 11 zombie PC MX Server Internet POP/SSL IMAP/TLS (POP/IMAP) (Submission SMTP AUTH/TLS Message Submission IW2006 12 6
SMTP MUA YES? APOP IW2006 13 POP before SMTP bot POP before SMTP POP IW2006 14 7
POP before SMTP POP before SMTP IP FWPROXY? SMTP AUTH IW2006 15 APOP APOP? POPChallenge/Response MUA APOP?? IW2006 16 8
SMTP POP before SMTP bot POP before SMTP SMTP OP25B Message Submission SMTP bot SMTP IW2006 17 Message Submission RFC2476 MSA Message Submission Agent MTA Relayspam SMTP local Submission port 587 sendmail-8.11 default MSA MSP MessageSubmissionProgram/ IW2006 18 9
Message Submission RFC2476 Auth User by RFC2476 MSA port 587 MTA port 25 local user IW2006 19 SMTP Authentication RFC2554 SASL RFC2222 Relay sendmail-8.13 cyrus SASL SASLsendmail /usr/local/lib/sasl/sendmail.conf /etc/sasldb.dbsaslpasswd sendmail.cf Relay SMTP/TLS PLAIN LOGIN Outl**k IW2006 20 10
SMTP Authentication RFC2554 Auth User by RFC2554 MTA port 25 local user IW2006 21 POP/SSL(Port995) IMAP/TLS(Port 443) SMTP/TLS(Port 25,587) SSL/TLS IW2006 22 11
POP/SSL SSL Secure Socket Layer POP MUAPOP qpoppertls POP OpenSSL IW2006 23 SMTP/TLS TLS Transport Layer Security SSL SMTP sendmailtlssmtp OpenSSL IW2006 24 12
TLS SSL CA... TLS SMTP AUTH IW2006 25 POP/SSL,SMTP/TLS (MX) MUA POP,Submission Internet (POP/IMAP) (GW) IW2006 26 13
PC bot bot OS SSL WWW SSH MUA IW2006 27 MUA PCProxy POP/SSL SMTP/TLS MUA IW2006 28 14
POP/SSL POP/SSL (MX) (POP/IMAP) port 110 port 995 Internet (Submission) port 25 port 587 MUA 110 IW2006 29 (MX) GW Internet (POP/IMAP) port 110 port 995 110 (Submission) port 25/SMTP AUTH port 587/SMTP AUTH GW MUA IW2006 30 15
2 (MX) GW SMTP/TLS Internet (POP/IMAP) port 110 port 995 110 GW (Submission) port 25/SMTP AUTH GW port 587/SMTP AUTH MUA IW2006 31 (MX) GW? Internet (POP/IMAP) port 110 port 995 GW 110 (Submission) port 25/SMTP AUTH port 587/SMTP AUTH GW MUA IW2006 32 16
(MX) GW MX Submission Internet (POP/IMAP) port 110 port 995 GW 110 (Submission) port 25/SMTP AUTH port 587/SMTP AUTH GW MUA IW2006 33 (MX) (POP/IMAP) MTA Internet port 110 port 995 110 (Submission) port 25/SMTP AUTH port 587/SMTP AUTH MUA IW2006 34 17
??? User Unknown bot IW2006 35 botnet PC SMTP proxy PC PC IW2006 36 18
Excel Word PowerPoint Office JPEG HTML IW2006 37.wav (nimda).pif(sircam).scr(bugbear) HTTP JavaScript update Windows update! IW2006 38 19
MIME-multipart? nimda Content-Type DoS... IW2006 39 WWWIDS Windows security-update IW2006 40 20
? MUA IP bot OS IW2006 41 MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS RFC2142 abuse@example.gr.jp postmaster@example.gr.jp hostmaster@example.gr.jp DNS IW2006 42 21
owner-hoe@example.gr.jp sendmail hoe-admin@example.gr.jp hoe-request@example.gr.jp RFC2142 hoe-errorsto@example.gr.jp IW2006 43 DSN (Delivery Status Notification) Envelope From null address <> RFC1893 Status Code RFC2821 Status: 5.1.1 5.X.X Permanent Failure X.1.1 Bad destination mailbox address IW2006 44 22
status code RFC sendmail Postfix SIMS MTA MTA... IW2006 45 spam IW2006 46 23
RDDoS envelope-from 1stMX 1stMX DNS TTL 2ndMX RDDoSDNS 2ndMX DNS cache 1stMX DNS cache JANOG12 RDDoS Reflected Distributed Denial of Service IW2006 47 DoubleBounce sender null-address DoubleBounce Default Postmaster envelope-from spam DoubleBounce OFF IW2006 48 24
spam SMTP Authentication RFC2554 Message Submission RFC2476 SMTP over TLS RFC2487 DHA who/members WWW IW2006 49 1 ISP... MIME-multipart spool IW2006 50 25
2 spam bot bot bot US bot spam CAN-SPAM? US spam IW2006 51 3 ISP spam ON/OFF ISP SMTP AUTH TLS OP25B IW2006 52 26
4 bot bot PC? SPF spammer SPF OP25B ISP SMTP ISP? IW2006 53 5 ISP port 25! IP port 25 ISP bot Phishing spam bot IW2006 54 27
6 / IP Linux Windows! bot telnet FTP samba reboot OFF IW2006 55 7 2006 ISP OP25B/IP25B ON/OFF ON/OFF IW2006 56 28
8 2006 ISP? IW2006 57 1 bombing spambombing ML Confirm IW2006 58 29
2 Phishing WWW ID SSL? IW2006 59 spam 1 RBL Realtime Blackhole List SBL Spam Blocking List spam DNS MTAIP botnet bot ISP ON/OFF IW2006 60 30
spam 2 SPAMLIST access_db envelope from IP POP before SMTP ISP POPSMTP qpopper IP bot IW2006 61 spam 3 Sender Base spam reputation IP IP RBL bot IP? Bonded Sender Program? IW2006 62 31
spam 4 spam spam OK spam spam MUA IW2006 63 spam 5 IW2006 64 32
spam 6 From Subject To Received Content-Type? IW2006 65 spam 7 URL spam URL URL userinfo query IW2006 66 33
spam 8 d-sig DB spam d-sig MIME multipart d-sig partspam spam IW2006 67 spam 9 Channelled Address spam US AT&T WebMail ZoEmail IW2006 68 34
spam 10 ML IW2006 69 spam 11 tempfail BruteForce spam IP IP SMTP Sendmail IP User Unknown IW2006 70 35
Phishing 1 SPF AOL / DNS SMTP Sender http://spf.pobox.com/ example.jp. IN TXT "v=spf1 ip4:218.223.0.0/22 ip4:210.164.161.64/27 mx a:accele.ope.example.jp a:sv04.example.jp a:jasmine.example.jp include:example.com -all" IW2006 71 Phishing 2 Sender-ID MS Caller-ID + SPF SPF Caller-ID MS Microsoft Sender-ID 2006.10.23 sid-filter http://www.sendmail.net/ IW2006 72 36
Phishing 3 DKIM Yahoo! DomainKeys + CISCO Identified Mail DNS DNS Yahoo!,Google Gmail,Sendmail dk-milter SourceForge.net IW2006 73 spam 1 Phishing Phishing? 17 11 1 MUA POP IMAP ISP spam ON/OFF spammer IW2006 74 37
spam 2 spam Word-Salad bot PC WWW spam bot spam IW2006 75 spam 3? User Unknown User Unknown spam... IW2006 76 38
spam 4 SMTP AUTH Sender Sender SMTP sender RDDoS OP25B IP IW2006 77 spam 5 URL 2004URL Phishing MUA IW2006 78 39
URL spam 14570 URL IW2006 79 spam 6 JPEG bot 2004 HTML JPEG OS MUA spam bot spam IW2006 80 40
Spam 7 Security Focus BrightMail DeerSoft SpamAssassin Apache SpamAssassin Project Opensource spam spam... IW2006 81 SMTP opt-out DHA Subject / IW2006 82 41
ISP Cloudmark Sendmail,Openwave,OCN,Biglobe,So-net, Web... DNA Brightmail @NIFTY,Hi-Ho,IRONPORT... IW2006 83 ISP OP25B Message Submission/SMTP AUTH OP25B POP before SMTP spam... IW2006 84 42
1 DHA DoS / / ON/OFF ISP IW2006 85 2 DHA/DoS User Unknown // User Unknown DB tempfail tempfail IW2006 86 43
3 / ISP IW2006 87 4 DoS / Queueing POP/IMAP IW2006 88 44
5 CSV? GUI? IW2006 89 devtools/site/siteconfig.m4 IW2006 90 45
VERSIONID(`$Id: config.mc,v 1.8 2006/12/05 12:27:36 ando Exp ando $')
OSTYPE(bsd4.4)dnl
DOMAIN(generic)dnl
dnl --- masquerading: present internal hosts under the public domain ---
MASQUERADE_AS(`example.jp')dnl
MASQUERADE_DOMAIN(`accele.example.jp')dnl
FEATURE(`limited_masquerade')dnl
FEATURE(`masquerade_envelope')dnl
EXPOSED_USER(`root postmaster')dnl
dnl --- routing and access control (mailertable, access_db, recipient blacklist) ---
FEATURE(`mailertable')dnl
FEATURE(`nocanonify')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`no_default_msa')dnl
MODIFY_MAILER_FLAGS(`LOCAL', `+S')dnl
MAILER(local)dnl
MAILER(smtp)dnl
dnl --- raw sendmail.cf macros: $m (domain) and $w (host name) ---
LOCAL_CONFIG
Dmexample.jp
Dwaccele
define(`confDOMAIN_NAME', `$w.$m')dnl
define(`confTO_IDENT', `0s')dnl
define(`confCF_VERSION', `IW2006 Sample')dnl
define(`confMAX_QUEUE_CHILDREN', `100')dnl
define(`confMIN_QUEUE_AGE', `1m')dnl
dnl --- SMTP AUTH (RFC2554): mechanisms offered, and those trusted to allow relaying ---
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN CRAM-MD5 DIGEST-MD5')dnl
dnl --- Sender-ID and DomainKeys milters on localhost ---
INPUT_MAIL_FILTER(`sid-filter', `S=inet:8891@localhost')dnl
INPUT_MAIL_FILTER(`dk-filter', `S=inet:8892@localhost')dnl
dnl --- STARTTLS (SMTP over TLS, RFC2487): CA path, CA cert, server cert and key ---
define(`confCACERT_PATH', `/etc/ssl/ca/certs/')dnl
define(`confCACERT', `/etc/ssl/ca/ca.crt')dnl
define(`confSERVER_CERT', `/etc/ssl/ca/certs/server-ca.crt')dnl
define(`confSERVER_KEY', `/etc/ssl/ca/private/server.key')dnl
IW2006 91 46