About spam countering techniques
Hi, Habr! According to a Symantec report published this summer, out of 704 billion e-mails sent in June, 353 billion (49.7%!) Were spam. Spam is harmful not only because it has to rake up a bunch of unnecessary promotional offers, among which the right email is easily lost. Mass mailings are widely used by hackers.
This summer, users worldwide received emails with a fake return address update@microsoft.com, the text "Windows 10 Free Update" and the attached file Win10Installer.zip. After unpacking the ransomware virus (CTB-Locker variant), it began to encrypt files on the hard disk - in order to get access to the data again, the victim had to pay a certain amount within 96 hours.
There are two main methods of protection. This is protection at the stage of receiving messages by the mail server and filtering mail after it is received.
The easiest way is to configure the email client installed on the user's computer. Settings (in general, not rich) allow you to set filters and block unwanted messages by subject, sender address or certain keywords. In our opinion, this is not the most effective way. In order to set up blocking by address or stop words, you still need to get the first spam letter, right? This method is good only to get rid of the annoying newsletter, which for some reason can not unsubscribe (this is rare, but it happens).
')
For corporate use, this method is not suitable at all. The Spamooborona service, which is used by Yandex.Mail, skips suspicious emails (for example, sent to a too large address list), but places them in the Spam folder. In addition, it checks emails sent from the user's address. Yandex does not guarantee that all suspicious emails will be recognized. “ If you think that you have received a spam email in your Inbox folder, select the email you need and click the“ This is spam! ”Button - the email will be moved to the Spam folder, and the necessary information will be sent to Spam Defense, ” the site reports .
Kaspersky Anti-Spam is a more advanced solution. The sender's IP address is checked against blacklists of providers and DNSBL services, the analysis takes into account the sender's authorization using the SPF (Sender Policy Framework) technology, the spamming URLs in the message body are analyzed using SURBL (Spam URI Realtime Block List), signature and linguistic analysis is used.
The first service RBL (Realtime Blackhole List), which contained lists of host sources of spam mailings, appeared in 1987. Mail verification is as follows: the mail server accesses the DNSBL and checks in it the presence of the client's IP address from which the message was received. If the client’s IP address is listed, the server receives a response. The sender server is reported with a 5xx error and the message is not accepted.
It is argued that the use of services based on RBL / DNSBL technology, allows to achieve spam filtering efficiency in 98-99.8% of cases. The lack of DNSBL-lists, apparently, is only one: they can get there by mistake and completely legal mail servers, if they send spam through themselves, sent by any computer within their network.
However, according to test data (which analyzes the effectiveness of the most popular anti-spam solutions), none of the letters that are not spam were mistakenly identified as spam.
We consider solutions based on the use of DNSBL lists to be the most reliable. That is why the functionality of the Traffic Inspector program's SMTP gateway complements the RBL module. His work is based on checking the IP address of a received message in RBL services by sending DNS requests to them. The RBL module of the mail server at the time of receiving the message requests the RBL service whether the sender's IP address is “bad” and, based on the response, the RBL accepts or rejects the letter.
Mass mailing is also dangerous due to the fact that in this way, letters are sent that directly or indirectly encourage the recipient to visit phishing sites. According to a survey by research company MFI Soft, e-mail ranks first among potentially dangerous data leakage channels:
Fraudsters send letters, very similar to real ones, on behalf of companies, services and social networks. In the text of the letter - a link to the site.
Clicking on such a link, the user gets on the phishing page, and then, as they say, the matter of technology: once he has entered some personal data - and they fall into the hands of fraudsters:
So Internet fraudsters can get the user's secret information: passwords from accounts, numbers or PIN-codes of credit cards and so on.
“ The most effective phishing attacks end in attackers' success in 45% of cases, and about 2% of emails received by Gmail are designed specifically to lure people into their passwords. Various network services send millions of such emails every day , ” say Google.
One of the ways to protect yourself against phishing sites is Yandex.DNS service, which is available in Asus, D-Link, TP-Link and ZyXEL routers. When you try to open a phishing site, Yandex.DNS stops downloading data and issues a warning to the user.
Most browsers also have the ability to block phishing sites. Chrome, Firefox and Safari use Safe Browsing API technology, IE - Smart Screen.
An interesting phishing protection system, Protect, was released by Yandex a little over a month ago. Protect tracks user actions and ensures that passwords are not entered on sites similar to known services. In addition, Protect technology includes checking all downloaded files. Protect protects your personal data when connected to an open Wi-Fi network in public places. Protect is integrated in the Yandex.Browser versions for Windows and OS X.
A functionally similar Password Alert password checking extension is in Chrome, however, it only works on Google and Google Apps for Work accounts.
Phishing Blocker's phishing protection module in Traffic Inspector uses the shareware Google Safe Browsing API project. Phishing Blocker checks URLs for threats in an updated Google blacklist of potentially phishing sites and pages. If the answer is yes, the host or IP address is assigned to one of the previously created content categories. This allows you to prevent users from visiting known fraudulent web resources.
Another possibility of Phishing Blocker is to assign a certain rating to a resource, which allows filtering unwanted content, allowing access only to content that has confidence and receiving reports on visited resources in accordance with the rating.
PS And how do you, the readers of Habr, fight against spam and phishing threats?
This summer, users worldwide received emails with a fake return address update@microsoft.com, the text "Windows 10 Free Update" and the attached file Win10Installer.zip. After unpacking the ransomware virus (CTB-Locker variant), it began to encrypt files on the hard disk - in order to get access to the data again, the victim had to pay a certain amount within 96 hours.
How to deal with spam?
There are two main methods of protection. This is protection at the stage of receiving messages by the mail server and filtering mail after it is received.
The easiest way is to configure the email client installed on the user's computer. Settings (in general, not rich) allow you to set filters and block unwanted messages by subject, sender address or certain keywords. In our opinion, this is not the most effective way. In order to set up blocking by address or stop words, you still need to get the first spam letter, right? This method is good only to get rid of the annoying newsletter, which for some reason can not unsubscribe (this is rare, but it happens).
')
For corporate use, this method is not suitable at all. The Spamooborona service, which is used by Yandex.Mail, skips suspicious emails (for example, sent to a too large address list), but places them in the Spam folder. In addition, it checks emails sent from the user's address. Yandex does not guarantee that all suspicious emails will be recognized. “ If you think that you have received a spam email in your Inbox folder, select the email you need and click the“ This is spam! ”Button - the email will be moved to the Spam folder, and the necessary information will be sent to Spam Defense, ” the site reports .
Kaspersky Anti-Spam is a more advanced solution. The sender's IP address is checked against blacklists of providers and DNSBL services, the analysis takes into account the sender's authorization using the SPF (Sender Policy Framework) technology, the spamming URLs in the message body are analyzed using SURBL (Spam URI Realtime Block List), signature and linguistic analysis is used.
The first service RBL (Realtime Blackhole List), which contained lists of host sources of spam mailings, appeared in 1987. Mail verification is as follows: the mail server accesses the DNSBL and checks in it the presence of the client's IP address from which the message was received. If the client’s IP address is listed, the server receives a response. The sender server is reported with a 5xx error and the message is not accepted.
A large number of DNSBL lists can be found here .
It is argued that the use of services based on RBL / DNSBL technology, allows to achieve spam filtering efficiency in 98-99.8% of cases. The lack of DNSBL-lists, apparently, is only one: they can get there by mistake and completely legal mail servers, if they send spam through themselves, sent by any computer within their network.
However, according to test data (which analyzes the effectiveness of the most popular anti-spam solutions), none of the letters that are not spam were mistakenly identified as spam.
We consider solutions based on the use of DNSBL lists to be the most reliable. That is why the functionality of the Traffic Inspector program's SMTP gateway complements the RBL module. His work is based on checking the IP address of a received message in RBL services by sending DNS requests to them. The RBL module of the mail server at the time of receiving the message requests the RBL service whether the sender's IP address is “bad” and, based on the response, the RBL accepts or rejects the letter.
Mass mailing is also dangerous due to the fact that in this way, letters are sent that directly or indirectly encourage the recipient to visit phishing sites. According to a survey by research company MFI Soft, e-mail ranks first among potentially dangerous data leakage channels:
Fraudsters send letters, very similar to real ones, on behalf of companies, services and social networks. In the text of the letter - a link to the site.
Clicking on such a link, the user gets on the phishing page, and then, as they say, the matter of technology: once he has entered some personal data - and they fall into the hands of fraudsters:
So Internet fraudsters can get the user's secret information: passwords from accounts, numbers or PIN-codes of credit cards and so on.
“ The most effective phishing attacks end in attackers' success in 45% of cases, and about 2% of emails received by Gmail are designed specifically to lure people into their passwords. Various network services send millions of such emails every day , ” say Google.
One of the ways to protect yourself against phishing sites is Yandex.DNS service, which is available in Asus, D-Link, TP-Link and ZyXEL routers. When you try to open a phishing site, Yandex.DNS stops downloading data and issues a warning to the user.
Most browsers also have the ability to block phishing sites. Chrome, Firefox and Safari use Safe Browsing API technology, IE - Smart Screen.
An interesting phishing protection system, Protect, was released by Yandex a little over a month ago. Protect tracks user actions and ensures that passwords are not entered on sites similar to known services. In addition, Protect technology includes checking all downloaded files. Protect protects your personal data when connected to an open Wi-Fi network in public places. Protect is integrated in the Yandex.Browser versions for Windows and OS X.
A functionally similar Password Alert password checking extension is in Chrome, however, it only works on Google and Google Apps for Work accounts.
A good overview of anti-phishing anti-virus solutions can be found here .
Phishing Blocker's phishing protection module in Traffic Inspector uses the shareware Google Safe Browsing API project. Phishing Blocker checks URLs for threats in an updated Google blacklist of potentially phishing sites and pages. If the answer is yes, the host or IP address is assigned to one of the previously created content categories. This allows you to prevent users from visiting known fraudulent web resources.
Another possibility of Phishing Blocker is to assign a certain rating to a resource, which allows filtering unwanted content, allowing access only to content that has confidence and receiving reports on visited resources in accordance with the rating.
PS And how do you, the readers of Habr, fight against spam and phishing threats?
Source: https://habr.com/ru/post/269633/
All Articles