Contents 2008/5/20 5 2
2 (FN: false negative) (FP: false positive)
Spam DoS
(1) IP From IP / Tempfailing
(2) IP IP or
(3) IP PTR MTA DNS
(4) (DNSBL: DNS Black List)
    Spamhaus ZEN (http://www.spamhaus.org/zen)
    SpamCop SCBL (http://www.spamcop.net/bl.shtml)
    SORBS (http://www.us.sorbs.net/)
    ORDB (http://ordb.org/) 2006 12
    (Spamhaus ZEN ) IP A.B.C.D MTA SMTP D.C.B.A.zen.spamhaus.org A A (127.0.0.x)
(5) CEAS 2006 bot 6% A. Ramachandran, et al.: Can DNS-Based Blacklists Keep Up with Bots? http://www.ceas.cc/2006/14.pdf
(6) (DNSWL: DNS White List) (accreditation) (reputation) Bonded Sender Program IronPort Systems Return Path
(7) Tempfailing MTA MTA MTA Greylisting
(8) Tempfailing( ) 80% 1 MTA MTA MTA
(9) (challenge&response) bot ( )
(1) Tarpitting
(2) (DoS) Bot
(3) Tarpitting / MTA Greet pause TCP damping
(4) Greet pause (220 ) RFC2821 5 MTA 15 MAIL/RCPT MTA PIPELINING
(5) Greet pause Tempfailing tempfailing (?) greet pause tempfailing
(6) TCP damping K. Li, C. Pu, M. Ahamad: Resisting SPAM Delivery by TCP Damping, http://www.ceas.cc/papers-2004/191.pdf SMTP TCP ACK
(1)
(2) $ Viagra From To =
(3) (Bayesian filter) ( 3 ) $P(A \mid B) = P(A)\,P(B \mid A)/P(B)$ A B ff0000 HTML
(4) URI
(5) Spammer / Web redirect URL URL PDF, MS Word +
(6) 10 PC
ISP ISP
ISP (1) Outbound Port 25 Blocking (OP25B) bot MTA SMTP(25 ) MTA Submission(587 ) SMTP/SSL(465 ) ISP MTA MTA IP IP
ISP (2) Outbound Port 25 Blocking ( ) MUA ISP ISP A 25 587 ISP ISP B ISP B MTA/MSA MUA MUA MTA 25 25 ISP A MTA 25 ISP ISP C ISP C MTA
ISP (3) Outbound Port 25 Blocking ( ) ISP
ISP MTA OP25B
(1) ISP PGP (Pretty Good Privacy) S/MIME Sender: /
(2) POP before SMTP POP MTA POP IP 10 IP MUA IP MUA/MTA NAT ISP
(3) SMTP-AUTH SMTP (RFC2554 RFC4954) AUTH (SASL:RFC4422) CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, etc. MUA MUA
(1) spam spam spam EU
(2) (2002/7 2005/11 ) CM,
(3)
(4) PC 15 10 9 2 14 8 15 9 15 6
(5) ( ) 10 (2005/5/16) (2005/6/14) 2 2006/5/25
(6) CAN-SPAM (2004 1 )
(7) ( ) (2004 1 ) CAN-SPAM You SPAM Controlling the Assault of Non-Solicited Pornography and Marketing Act
(8) EU 2003 10 31 45 = 7200
(9)
(1) Spam
(2) 2
    IP
        SPF 1.0 (classic) RFC4408
        Sender ID = SPF 2.0 + Caller ID RFC4406
            SPF (Sender Policy Framework) POBOX
            Caller ID Microsoft
    DKIM = DomainKeys + IIM RFC4871
        DomainKeys (RFC4870) Yahoo!
        IIM (Identified Internet Mail) Cisco Systems
(3) Sender ID(1) 3 (PRA) From (MFROM) (SPF )
(3) Sender ID(2)
    PRA (Purported Responsible Address) RFC4407
        Resent-Sender:, Resent-From:, Sender:, From:
        Resent-From:
    MAIL SUBMITTER RFC4405
        SMTP
        MAIL FROM: <alice@example.com> SUBMITTER=<alice@example.jp>
(4) Sender ID(3) SPF DNS TXT (SPF)
    + pass ( )
    ? neutral ( )
    ~ softfail (neutral fail )
    - fail ( )
    A MX IP MTA
    example.jp IN TXT "v=spf1 +a +mx -all"
    example.jp IN SPF "spf2.0/mfrom,pra +a +mx -all"
(5) Sender ID(4) Sender ID Microsoft PRA IETF MARID (MTA Authorization Records in DNS) WG RFC Standard Experimental
(6) DKIM (DomainKeys Identified Mail) DNS
(7) DKIM ( )
    DKIM-Signature: v=1; a=rsa-sha256; s=brisbane; d=example.com;
        c=simple/simple; q=dns/txt; i=joe@football.example.com;
        h=received : From : To : Subject : Date : Message-ID;
        bh=2jusoh9nhtvgcqwnr9briaprekqjo6sn7xikfjvozv8=;
        b=auuofefdxtdkhllxszepzj79liceps6eda7w3detvfok4yauoqob
          4nujc7YopdG5dWLSdNg6xNAZpOPr+kHxt1IrE+NahM6L/LbvaHut
          KVdkLLkpVaVVQPzeRDI009SO2Il5Lu7rDNH6mZckBdrIx0orEtZV
          4bmp/YzhwvcubU4=;
(7-2) DKIM ( ) DNS
    brisbane._domainkey.example.com. IN TXT (
        "v=DKIM1; p=migfma0gcsqgsib3dqebaquaa4gnadcbiq"
        "KBgQDwIRP/UC3SBsEmGqZ9ZJW3/DkMoGeLnQg1fWn7/zYt"
        "IxN2SnFCjxOCKG9v3b4jYfcTNh5ijSsq631uBItLa7od+v"
        "/RtdC2UzJ1lWT947qR+Rcac2gbto/NMqJ0fzfVjH4OuKhi"
        "tdy9tf6mcwgjanbcwtoimmpspddqpnuyckcq2qidaqab" )
(8) 2 IP PRA MFROM
(9) (accreditation) (reputation) Spam
Yahoo! mail, Hotmail, Gmail CAPTCHA