SPAM and Anti-Spam

SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

The SPAM battlefield is in a constant state of flux. As better weapons are built on the defensive side, spammers build better weapons on the offensive side to overcome those measures. By becoming and staying informed about the offensive and defensive weapons of both spammers and anti-spammers, we can prepare ourselves and our organizations to take direct measures to reduce the proliferation of SPAM. Finally, by understanding the elements that define what a spam message is and the tactics that are use...

Copyright SANS Institute
Author Retains Full Rights

GSEC Gold Certification
Author: T. Brian Granier, briang at zebec dot net
Accepted: October 27th 2006
Adviser: Jim Purcell

© SANS Institute 2007,
As part of the Information Security Reading Room
Author retains full rights.
Outline
,-+- !$($("34
$-$)(+2 !$($-$)( )-$/-$)(,!)+
+-$& !$($-$)(
% ,&)-,)!')( 2
*&)2$("&0+
- "()"+*#2
)(($,,(
)'* -$-)+)-"
"&,,. ,)!
.')+#$( -- +,()1 , # !$+,--.&)(/$-$)( $' &$( 
(-$*'--& !$ & - 01$&- +,
$& +/ +("$( , &$ (-$ **&$-$)(, *)(,)!(-$*'
,#$("# %,.',
* (+ &1# %,
# %,
1 ,$($&- +$("
.+$,-$,
$"(-.+ '-#$("
&%&$,-$("
#$- &$,-$(" (-$/$+., (-$*10+ /)$$("-# .(,.,+$*-$)(-+*
*',$(%, /)$$("*.--$(" '$&,$(*.&$*& ,
))%$ (" ' (- +)- -$)()!)( ,)0(( -0)+%
+)* +)(!$".+-$)()!'$&, +/ +,
4 ( +)&$2+' 0)+%
(&2* +'$-).-).(!+)'.-#)+$3 '$&, +/ +,
/)$$("#$('$&(#)1'$&*+)*"-$)(
.+($(")!!+ ( +$("$( '$&&$ (-,
,*)(,$& ',, '$&
$("(+ ,*)($("-) +,
).& )*-$(
)()-.2'$&$("&$,-, )(,$ +.,$("&$,-, +/, +$)$*.+" +)- -2).+'$&$("&$,-
'' $- .(,.,+$$(" )$-$(#).,
)(,$ ++- &$'$-$(" $ -# + $*$ (-,)+)-# +/$,
, & "$-$'- )'$(,'-#$("-)**+)*+$- ,
)(,.&-/$-#& "&).(, &
)(&.,$)(
)($-)+&%&$,-,$- ,
! + ( ,
" !!! ! #!! !!!#! " !!!!!! # $ $
%"! $& "
!(!!)$
!# !$ "!! !#$ ! #
$$!!!!&#
$ ! !&! '!
! !!! "
#!' $& % %! !#%%#+$",%%
"#!$$! $ #(%$ !% $*%$!#)% %%$$&%!
'# '#! %(# %! !!%!*( !%!"%
%!!##!(! %$$ %%"%(%!$&$$ #* %! !#
%%# % %!$&$$!#%!#!& %! %%$&$$%
$%#% "! %!#%$""#

Why do we call it SPAM?
Before we go much further, here's a quick nod to the origin of the term SPAM that is now a common part of our technical vocabulary. As many of us know, SPAM is the name of a product created by Hormel Foods Corporation. This canned meat product was used in a Monty Python sketch that featured a room full of Vikings in a restaurant whose principal ingredient was, you guessed it, SPAM. As the skit goes, every time the word "SPAM" is mentioned a certain number of times, the entire room full of Vikings breaks out into a chorus spewing the word spam over and over again. This constant repetition of the word in the skit was compared to the quantity and repetition of what we now call SPAM, and a new term was born.

Dictionary Definition
%$&%%! %*! $"%! #* %! (%& '#$
"% !('#%!!( %! ($% #!
%%"(((%! #*!$ )"!%%*"! %! %%$!! !#%(!#$"
spam
Pronunciation Key (spăm)
n.
Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail.
tr.v. spammed, spam·ming, spams
1. To send unsolicited e-mail to.
2. To send (a message) indiscriminately to multiple mailing lists, individuals, or newsgroups.
"$%$($*$"($+#$##$!%$$
### $#'$# ##$("$"%$%
$$$ '''' ""##'#
#$%#$"###(#$#$#
%#$%###$#$'(")"# #
# $$"#
$#"%##$"#$$
### #$'#"% # #"# # #
##"%#$%$$#$###$"#%##
'$# $#$$''&"$# "
""$#$
'#$"# "$$$$'$# $$"*+%#"""'"
Practical Definition
(%'')"-&%$)%*)-)!&$)%$(&#$'')%
#(((($)$$-")'%$%'#)%,+'%'&*'&%(%)(&&',,""
%*(%$$''%,$%,$))'#)%(*((((*('"))%#(((($)
+#"*')')(&&'*(("-#*%*($)%$))((* )
)%$)'&'))%$$%*")(%*'%+-)%,+')(&&'(
$%)%*)"'-$)#*)(%))'#(%)%""%,$$)%$(
&'($)%'%$(')%$,)'(&))%)(&&'
&#($-#'!)$&)+%' *(+*(% #"
))) '&$)%($%),()% '+
(#$)%$%+)($)%$($%)#$)($*')
$%#&")$)%$%'))'#)( *())%$*(%'&*'&%((%
)(&&'
Motivations for SPAM
Ultimately there are many motivations for SPAM. In many cases …
Reports on this topic suggest that all SPAM has money as its root motivation. However, this stance implies that spam is only unsolicited marketing-based emails that will lead to direct or indirect financial profits. The definition we're using here includes abusive or deceptive emails as well, which often have nothing to do with money. We must consider more motivations than just financial. Once we understand the motivations of the spammer, we are in a better position to choose our weapons to defeat them.

Makes lots of money
Regardless of the disclaimer posted in the opening paragraph for this section, money really is the largest motivator for SPAM.

Direct Marketing and Sales
A common misconception about spammers is that they are marketing products that they directly sell, and that this blitz marketing technique is how they make their money by trying to reach larger market share and sell their own product. While this does happen, it is actually very rare. A large number of articles exist making this point clear, but just to provide a few:
• http://www.techdirt.com/articles/….shtml
• http://ask.yahoo.com/….html
• http://….uoregon.edu/…/spam_economics.html
Odds are high that if a message is on the surface advertising the product, the spammer was either paid by the maker of the product to send the solicitation, or there is some indirect ulterior motive such as causing a banner ad to appear for which the spammer gets paid as a “hit”.

Stock Market Game
There seem to be some clues that suggest there is a possibility that spammers are trying to play the stock market. This technique is often called “pump and dump”. Specifically, a recent observance was seen by a group known as … that sent a large number of emails advertising valid stock on the Stock Exchange. Interestingly, these messages do not provide any details about how these stocks can be purchased through the spammer in such a way that they would directly profit. The apparent goal seems to be actually to affect the stock price for certain … in stocks, with the theoretical goal of the spammer profiting from the sale. This does seem a little far-fetched, as the face value of these spam messages could very well have a different purpose described in one of the other motivations, but this type of spam has been on the increase. Review the following sites for more information:
• http://www.psychpage.com/spammer.htm
• http://www.aubreyturner.org/index.php/…
• http://home.versanet.de/…dietrich/spamblock.htm
• http://www.npr.org/templates/story/story.php?storyId=…
&#('% $
&%' #% # )$%
$# )%%$ (% *&%'#%+ #
$ %$* %$ )+$%#%#$% %%
!# #$%%%)(&$&)!# $% ) &#"&)#! #%
%$'$% $%&!!)##$%#&%&#$&%%'&$( '
%!# #% $%(%% # )&$%)('
#! !%!# # (%# ( %)%&% ## #%
!# #% ( #%#$&$&)$ $ #% !# &%%%$% $ % $&#$) &'% %#)$&!% ! !% $$&#
3)/#-.),#&&3."#-.3*) ')&'1&&%()1((-/-- /&3'131")
1)(&1-/#.*)-3.",&,)''#--#)(.".*0."13 ),
).",)'*(#-.)/-."#-')&
( ),./(.&31#.".")'#(!) ."(.,(.-"'-"0)'
1#&3-*,("0!#(+/#.,*/..#)( ),#(!--)#.1#."
#&&!#.#'./-#(--*,.#-!))*),.#)() #-0,.#-#(!(
*,)!,'.".,&&3#-().&!#.#'./-#(--"-*,)!,'-,,&&3)(&3
-#!(.)'%.",.),) ."*,)!,',#"(())(&-", &!-
• ,.)'%&).-) ')(3.(/(&#0&,. #.-)/(-.))!))
.).,/#.*,)&3#-
• .",#--#!(# #(.*#.&#(0-.'(.$/-..)!.-#!(/*."(
• .",&')(3'%,#-*,)&3$/-.."-#!(/* 3)/(5.,&&3!.(3#( ),'.#)()/.1".."./&6*,)/.7
#(!-)&#-."(.",*,)&3#-().)(
• "6*,)/.7#(!-)&#-)0,*,#()0,*,#*,)/.1)(5.
-&&(.",&!)&#-*,)&3.)!.3)/.)*3."-#!(/* ") ,.)$)#(."*,)!,'1-/(-)&##.-/"-.",)/!"'#&)-.
• &!#.#'.*,)!,'-1#&&#(0)&0 .) '.#(!1#."."
*,-)(.,3#(!.)-#!(3)//* ),."*,)!,'
)/.."--'-,- )&&)1-
%')(3 -.-'-,-#'#&,#((./,/.1#&&'*"-#4."
-*.1"#"')(3#-'(1#&&.3*#&&3&%."*3,'#-"'-./*
-!(,&,/&(30,.#-'(.)'#(!.",)/!"'#&"-(
2.,'&3"#!"*,)#&#.3) #(!#&&!#.#'.(*,)&30(#&&!&!))
,-)/,.".#-/---."-().",, &!-( )/(.
"..*111'&'-.,./*)',.#&-")".'
Date: Wed, 26 Jul 2006 12:52:07 +0700
From: Rose Household Textiles LTD <[email protected]>
Reply-To: [email protected]
To:
Subject: PART TIME JOB OFFER

Dear Sir/Madam,
Rose Household Textiles LTD is a UK textile company A subsidiary of (A Division of Actexotextile INC) in HongKong We produce and distribute clothing materials such as batiks,assorted fabrics and traditional costume worldwide. We have reached big sales volume of textile materials in the Europe and now are trying to penetrate the US market. Quite soon we will open representative offices or authorized sales centers in the US and CANADA and therefore we are currently looking for people who will assist us in establishing a new distribution network there. The fact is that despite the US market is new to us we already have regular clients also speaks for itself.

WHAT YOU NEED TO DO FOR US?
The international money transfer tax for legal entities (companies) in UK is 25%, whereas for the individual it is only 7%.There is no sense for us to work this way, while tax for international money transfer made by a private individual is 7% .That's why we need you! We need agents to receive payment for our textiles( in certified money orders, certified cashier's check and to resend the money to us via Money Gram or Western Union Money Transfer. This way we will save money because of tax decreasing.

JOB DESCRIPTION?
1. Recieve payment from Clients
2. Cash Payments at your Bank
3. Deduct 10% which will be your percentage/pay on Payment processed.
4. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to(Payment is to forwarded either by Money Gram or Western Union Money Transfer).

HOW MUCH WILL YOU EARN?
10% from each operation! For instance: you receive 7000 USD via checks or money orders on our behalf. You will cash the money and keep $700 (10% from $7000) for yourself! At the beginning your commission will equal 10%, though later it will increase up to 12%!

ADVANTAGES
You do not have to go out as you will work as an independent contractor right from your home office. Your job is absolutely legal. You can earn up to $3000-4000 monthly depending on time you will spend for this job. You do not need any capital to start. You can do the Work easily without leaving or affecting your present Job.The employees who make efforts and work hard have a strong possibility to become managers. Anyway our employees never leave us due to our excellent work condition.

MAIN REQUIREMENTS
18 years or older legally capable responsible ready to work 3-4 hours per week. With PC knowledge e-mail and internet experience (minimal) And please know that Everything is absolutely legal, that's why You have to fill a contract! If you are interested in our offer, please respond with the following details in order for us to reach you:
NAME:
CONTACT ADDRESS:
PHONE NUMBERS:
AGE:
SEX:
OCCUPATION :
MARITAL STATUS:

Thanks for your anticipated action.And we hope to hear back from you. So if interested kindly reply to my personal email and i will get back to you immediately. I believe If we love the Lord we will obey His Word.And God bless us as you get back to me as soon as you are interetsed in working with my company. Stay blessed, for further inquires.
Micholas Ones
CEO Rose Household Textiles LTD.
Rose Household Textiles LTD. 37 PECKHAM HIGH STREET, LONDON, SE1 5SW, UNITED KINGDOM
* ' / #
' #
1 ' (#2)( )(%,$)%'.*( )0(,('"".) '()
% )(! $)%%#,""!$%,$ ((# ("(%!$%,$(1
'*2)'
)' # $"% $ ' )) )+ %")(, (,') ().&%'*
#%*(".$%#!"%$()%'.(%')) (($, ""*(*"".%# $)%'#
%$# "'%#(%#%$&'($) $)#("+(( $'%#%' $%*$)'.
., ""+(%#()%'.%*)%,).+(()%"'(*#%#%$.))
).$)%)'$('%*)%)%*$)'.)%$!%*$) ( $ + *", ""
&'%+ (%##)%%%$)))%)! $)%*, ))#+ -$*#'%'
$# "'((%'(%#%)'#$(%%##*$ ) %$"%$, )%#&"" $
'(%$$%))% $+%"+",$%'#$))' $ ) "%$)) (#)(##'
, ""))#&)")+ ) #%,$&))), ""*") #)".'(*") $)+ ) #
&'%+ $1()')*&2#%*$)%& )"'&%')".*()%()'))&'%((%
'"( $)"'(*#%#%$.%')%' &&'%&' )% "(%')%%&$*&
$!%*$) $, )#%$. ()%)'$('')+ ) # (&') *"'".
*"" " ) (&%(( ")))., ""$#%'$#%'#%$.*)%$ $)%
*)#%'')&%'' #%'% "(%+') #*$) ").+&"))
*"" " ).%)+ ) #$ ) ("')' ($%#%'#%$.)%#)
(##', ""%,.' ')$#$)+ ) #, ""++'. *")
) # $')' + $)#%$.
#*#%') "-&"$) %$%) ' #$ )( ()%'.$
%*$)))&,,,%-(".'%#$ ' $(#()#"$-#&"%)
3/??73<2
('+)*%(+($*+)$)))))*$
4A3?2B323:703?/A7=<D7A6;F167:2?3<2317232A=1=<A/1AF=B4=?F=B?/@@7@A/<137<
@A/<27<5/@/03<34717/?FA=A63@B;=4+)#*67?AF#7::7=<7C3B<2?32*6=B@/<2+<7A32
)A/A3@=::/?@%<:F
7?@A:3A;3@A/?A0F7<A?=2B17<5;F@3:4/@#?@)A3::/)751/B/;=A63?=4A6?33167:2?3<
/<2A63#7<7@A3?=4&B0:71,=?9@7<)=BA64?71/<=C3?<;3<A B<3A=2/A3B<23?A63
/B@>713@=4A63&?3@723<A=4)=BA64?71/#(*%#!-=B1/<C73D;F>?=47:3/A;F
D30@7A36AA>
DDD5=CG/
5=:
517@.>?=47:38@>72*&(%&%)"
4A3?A63@D3/?7<57<13?3;=<F;/97<5;3A63#7<7@A3?=4&B0:71,=?9@7<)=BA64?71/<
=C3?<;3<A B<3;F6B@0/<2#?23:303)751/B2732D67:363D/@=</<=44717/:A?7>
A=*?7<72/2/<2*=0/5=7<4A3?67@23/A627@1=C3?32A6/A636/2@=;34B<2@7</
2=::/?/11=B<AD6716/;=B<A32A=A63@B;=4+)#D7A6A63$!%$"$D67166/263?
=44@6=?3=B@37<%""$$#)*(#
*67@4B<23;/</A32/@/?3@B:A=4/<=C3?7<C=71321=<A?/1AD6716633E31BA32D7A6A63
=C3?<;3<A=4)=BA64?71/*6=B56/@@7@A3267;7<53AA7<5A67@1=<A?/1A0BA<3C3?9<3D
A6/A7AD/@=C3?7<C=71320F67;/;/4?/72A6/AA635=C3?<;3<A=4)=BA64?71/;756A@A/?A
A=7<C3@A75/A3=<1=<A?/1A@/D/?2324?=;A=2/A34A63F27@1=C3?A67@;=<3F7<67@0/<9
/11=B<AA63FD7::1=<47@1/A37A/<2@37G367@/@@3A@63?37<)=BA64?71//<2A67@D7::
2347<3A3:F/4431A;F>=:7A71/:1/?33?7<=C3?<D/<AF=B?/@@7@A/<137<=>3<7<5/</11=B<A
D7A6"%"(*%#))%$*$!$#)*(#,(*#%$-)!&*A6?=B56;F
AA=?<3F@=A6/AA67@4B<21=B:203D7?327<A=F=B?/11=B<A27?31A:FD7A6=BA/<F67A16@
@==</@A634B<253A@A=F=B?/11=B<AF=B/?33E>31A32A=;=C37A7;;327/A3:F7<A=/<=A63?
>3?@=</:0/<9/11=B<A7<F=B?1=B<A?FD7::@33A=7AA6/AA63/11=B<A7@<=AA?/1324?=;
)=BA64?71/@@==</@F=B6/C31=<47?;32A634B<27<A=F=B?/11=B<AD7::@3<2;F3:23
)($&($*
=?F=B?/@@7@A/<13/;=443?7<5F=B=4A63>?7<17>/:@B;D6716/;=B<A@A=
+))7E;7::7=<%<3B<2?32*6=B@/<2+<7A32)A/A3@=::/?@%<:F=D3C3?F=B
6/C3A=/@@B?3;3/<2/:@=03?3/2FA=5=7<A=/5?33;3<AD7A6;3A6/AF=BD7::<=A3:=>3D7A6
;F4B<2
4F=B/5?33A=;FA3?;@97<2:F/@/;/AA3?=4B?53<1F@3<2;3/<3;/7:B3A=;F@3<@7A7C3
>=@7A7=<7<A63)=BA64?71/<=C3?<;3<AD=B:2<=A,$*F=BA=1/::;3=<>6=<3=?@3<2/
4/EA=;3::1=??3@>=<23<13;B@A030F;/7:
4F=BD/<AA=@>3/9D7A6;FAA=?<3FA6/A7@47<3/<2=9/F0F;37@16/;03?@D7::03
?3>?3@3<A7<5;F7<A3?3@A/AA63"%"(*%##)%$::1=??3@>=<23<13;B@A03;/23
37A63?A=;FAA=?<3F/??7@A3?(716/?2"7A6B:7=4"7A6B:76/;03?@=?@3<2;3/<3;/7:
D7::/:@=:793F=BA=57C3;3F=B?1=<A/1A/22?3@@A3:3>6=<3/<24/EA=3</0:3;FAA=?<3F
1/::=??3/16F=B4?=;A7;3A=A7;3
&:3/@32=<=A<332A=?3;7<2F=B=4A63<3324=?/0@=:BA3=<4723<A7/:7AF74A67@
A?/<@/1A7=<;B@A@B11332-%+#+)*$%*""#
4F=B2=<=A433:1=;4=?A/0:3D7A6A67@A?/<@/1A7=<2=<=A63@7A/A3A=27@1=<A7<B3
) & . & " !
'"
'"(('*" #(#$&''"&"((!''(('
) (!( -'(#)'"((-(("#&(#'( &(&")!&'#&
#(&"" #)"("#&!(#""#&&(#&( -#("!#"-((#'"#(
#"(#(!#'(#((!$'"! +
$$&(##!&#!'#!
(-$#"" "'(()(#"#$) &,!$ '&-""(#" "'"
$&#*'#!&'#"((-#)"(#!!( -
!#'(''$'"! +
)')
-*'#!(-$# ""(!(( ## (!(-
'! '+
#""*&--#)&#)"("#&!(#"#&"(#('(()'#'#!'')
$&'"(+("# ##"'(+&
#"(#( "(-)'&+
(-&,$((#"(&("#&!(#"($'&'(&')
-('+
$&'#" "#&!(#"&(&")!&'#&)'&"!"$''+#&'(("
) (!( - (#($'&#(""&(''(#"" #)"('#+"
-(*(!"!#'(''-*+"('#)&#"(! "
)"&'("" (( (#)((! ('$#'' (#%) -"(-('
#+",!$
(-$'#'!'(#
) & . ' # , " % ! . # & $ " % $ &
)%%$'-$)($$ ('"!#*+(("!'$)&#'+($!!$+#
&1((%"-%'#('"'%1
((%+++(&)'(# $"#&!)'(*&-#$'%
#(',"%!()#')'%(#)'&! '!# ((!$$ '! (/'
$#($0&)'(# 1+##(('$#($'$"%!&#(
#(&!-$&#&$)',"%!'**#$#'$&'($)'*)!#&!('
#&$+'&'($*#(&!!$($#('!# '($$ ()'&-
"#%)!(#(+-(!# '$+'#(&''&$&($&'(&$"#'((
"-!$$ !("((&'(!#')'# "&$"
.*,"+" ' 2''*+
* -%0('(,!&(+,/"+)*&(,".,"('(*&*+!+'(,!"' ,((
/",!,*0"' ,( ,0(-,(*+)(',%%'+,,! '*,"''"%)*(",0
+,%"+!"' .*,"+"' *%,"('+!")+/",!-'+-+),"' /+",+(*(&)'"+/!(
)0,!&*+(*.*,"++-)(',!'-&*(,"&++)""''*
"+."/(*)*,"-%*/+","+."+",0*,"' ',""' &"%+'0
,$"' .', (&"%%"',+,!,/"%%(!,&%+)&&*+*(,'%,(
&$#-+,,"'0)*(",#-+,0."*,-(,* ,*"."' '."/"' ,!,* ,
&"%
('"+*,"%(-,,!"+"++-"+."%%,
!,,)////+!,"&+(&-+"'++*!,&
%","' '*+%%"' &"%%"+, +
'"1**,/"+,(,&*+.'&$&('0((!(,!*!*
*&'0)%+,!,&*' (,()-*!+%"+,(4.%",5&"%
*+++!+&"%%"+,+*'(,!"' &(*,!'%"+,(*+++,!,,!
+%%*%"&+,(!.*%!-&'!"',!&(/*,!+%"+,+ '*,
+-%%00,!,,!,&"%++',,(,!(+*+++('3,(-'(*/(*+0
."*,-(,!,,!,,!)*+('/!((/'+,!*++,(($+(&,0)(,"('
+-)(')*."(-+,(,!&+-!++$"' ,(*&(.*(&,!%"+,
()%/!()-*!+,!+%"+,+/"%%(,',-*'*(-''+%%,!&,((,!*
)()%/!("',-*'/"%%+%%,!%"+, "'!"+"+('(,!&#(**+('+/!0
('0(-3. -',(*".,!%"$%"!((",/"%%.*+,()"+.*0%(/
Deploying Malware
% #(#$% $#%%
%#(*% * %%"&$&$% %*&% %* ('
$% '#&$$ %#(#%% %# &$*$%$
$%$$(#%%$! *%$(*$ % #%**%
-$!#.$%%(#(&$ #$$
$ ##%
# $%% $&$%!# $$! (#!#'$ %
% $ %#$$%#'$ $$ (#'#
*%%&%%*!%&# #% # %$*$%$-
.% '# #% %%*&%%*% %%*%%
Steganography
#('% &% %'% $ #$$!%&$#*
$!%%
$%#$$&$$ %'% #$ %
#*$ %$!$$ !#'%%$#*# &%% "&*
$!%* &(%% '*$$
% #$$$%%
% $ * (%%%#($!# %*%%! ! #( %
&#%#* &(%% %#*
$$$ %%(
$&#%%%*$%#$( !!% $%$$( ,%# +%%#&
,%# +%$ &$%$$#$(#%
#% $% #!* $$ #%$% #!*$%!#% '
% $$% '&% %$'#*%&#$)%### #
$$$(%%( # $% #!* #)! %$%"&
% '$%%%!$((($!
Reconnaissance
#% %"&$&$ ##%$%$ '%$$ %%#$$$!&$%$$% %#*&#%' &%$
$% %$$# % $ %% (%%$!
&%#%#%*%' &%$# ($% ! %%*
'&$#$#%$ #% %&$% &
#&% #%%$%&$#$!$$( #$% !$ !&%#
$*$%$%%%# ($%%%$%*#$# % $!(%%
#'*'&$#$%*( %$$$$%%
)!%% %%%$$(%#%$$!*%$
'$%%%'%
$%%*'%
&%*#%
% %%% %#($$ #$
Competitor Sabotage
% &##%#'$$(#($$%(%%#%
%% %#*% $! % !* #'& %'% %
%$ ##' # ##% %#*%&! % !%% ()#!%($%# %%$ #$%#'
Last summer I received a pornographic spam that had web links (supposedly to the porn site). Since I nearly always complain about spam I receive, I was looking at the message and headers with Sam Spade and noticed that the referenced web site was to a company that was not too far from where I live. I then loaded the raw webpage and saw that it was not porn at all, but a legitimate company that provides lifeguards for apartments, hotels etc.

I emailed the listed contact person for the site, appending a copy of the spam. He replied that he believed this was an attempt by a competitor to drive him out of business, as he depended on email for contacts and being associated with porn would really damage his ability to recruit employees (mostly part time university students).

Since it was hard to trace the originator of the spam (dial up using spam relay), it would be almost impossible to prosecute this malicious act.

This kind of social engineering type of attack is one that we as intrusion analysts will also need to understand, not just the bad packet header attacks.
'%%%"
#'#%& $%&%%#%#' %#&$! $$%
Humor, Chain Letters and Hoaxes
!(!&#&%%$"$$$ &%!$#!"!"(! !((!
'!! % %! $&%!!$%!$ *!&% $*!&&$%! +%( %&%%#
*!&# !)% %$$$$#!#&!#!&$'&!# %%#!#
$"*%!"$$! %%$ #%*!)*% %! &$ %$
(%""#%#" %$ !$#%!#'%$$%*##
%!$$*%$$"!%'%! %!$ %$%!"$$! !!&!#%!
$%$*$!#!$&"#$%%! !&%%$$%#%%%!&#%*
! +%"$$! %!#&%! !! %!' %%%*(
#'#$&!! *#!#!$!%%*"$$! %$$
# !#$#(*" +##"#!("(#"#
$##""$"#($"$(! ($&!
$"$(#"#$#"$&(##!(!$#"
#( "##($#($!!"(&#$(
%###"#" ! #!"$!# #"#
%#("##'"## &&&" "!#"
($)#&##!%$!$"!##!"&%!"
!$##"
Legal Issues of SPAM
The information contained in this section should not be considered legal counsel or any information about the law or the interpretation thereof. Please consult with your own legal counsel. Furthermore, in order to minimize any factual errors in this section, the vast majority of this section was taken from other sources with little original authorship done by the author of this paper. Appropriate credit is given for each source used.

CAN-SPAM
The CAN-SPAM Act of 2003 is under the jurisdiction of the Federal Trade Commission. This law establishes requirements for email that is sent as an advertisement. It defines punishments for both the people sending the spam and the companies whose product is being advertised. This act sets forth specific guidelines that must be followed for such email. In summary they are:
• No false or misleading header information
• No deceptive or misleading subject lines
• Provide a working method for email recipients to opt out
• Correctly identify the email as an advertisement and include the sender's valid physical mailing address
Penalties for violating the act can be up to … per incident. Additional fines can be applied for spammers who use other spamming techniques such as email harvesting, generating a large number of emails for purposes of sending spam, or relaying mail through other systems/networks in an unauthorized manner.
The information contained in this section was borrowed heavily from
http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm
In addition to these details, the act gives the FTC the optional right to establish a do-not-email registry and also allows for imposing specific requirements in subject labeling for sexually explicit materials prescribed by the FTC. The FTC chose to decline the granted authority to create the do-not-email registry, citing issues with difficulty to maintain and the fact that spammers are likely to use the registry as a list of validated email addresses to spam, thus negating the purpose of the registry. Consumers should be wary of any site that claims to be the national do-not-email registry. For more information see
http://www.snopes.com/computer/internet/unsub.asp
With respect to the label for sexually explicit material, the FTC established guidelines that require the term "SEXUALLY EXPLICIT" to be contained in the subject line for any email whose opening will result in the viewing of sexually explicit material. Additional details can be found at
http://www.ftc.gov/opa/…/adultlabel.htm

The first actual conviction
Nicholas Tombros has the not-so-glamorous distinction of being the first to be convicted under the act. Nicholas was "war driving" in order to locate and utilize open WiFi connections from which he could use other people's networks to blast spam messages. His conviction had a side benefit of attracting a lot of attention to the need to secure wireless networks.
$&(!$)(('##(#('$)&&$"+(''($#+'
+&((##$)#(($!!$+#'('
• ((%#+'-#($"("!
• ((%+++$*%#$*+&'%""&("
CAN-SPAM Timeline
$!!$+#("!#+'( #*&("&$"
((%+++!,&'$"&'$)&'&(!'#'%"("!
By Shannon Coulter
It's been a whole year since the CAN-SPAM Act was signed, so we thought we'd take a quick look back at some of the major highlights (and lowlights) of its first year as law.

December 16, 2003
President Bush signs the CAN-SPAM Act. It establishes the first national standards for commercial email and requires the Federal Trade Commission to enforce its provisions.

April 2004
The first criminal charges are filed under the CAN-SPAM act when the FTC arrests four Detroit area men for selling fraudulent weight-loss products via email.

June 2004
The Coalition Against Unsolicited Commercial E-Mail (CAUCE) notes that in the six months since the CAN-SPAM act has been in effect, the volume of unsolicited commercial messages has increased dramatically.

September 2004
The first-ever conviction under CAN-SPAM takes place when a Southern California man pleads guilty to spamming people through unprotected hot spots. The case raises concerns about the risks of open-access Wi-Fi service.

October 2004
Email security firm MX Logic reports that only 4 percent of all unsolicited commercial email complies with the CAN-SPAM law. The FCC expands its regulation of spam to the realm of text messaging, making CAN-SPAM applicable to wireless devices such as cellular phones and personal digital assistants.
November 2004
The FTC declines to implement a national "do-not-spam" list, citing difficulties associated with authentication. Two siblings, a brother and a sister, receive the first felony spam convictions under Virginia's anti-spam law. The Virginia law includes tougher sentences than the national CAN-SPAM act; the jury recommends a nine-year sentence. Industry observers note rapid growth in unsolicited email messages that contain religious themes. Because most messages are not overtly commercial, they are deemed CAN-SPAM compliant. The state of Ohio sends a new anti-spam bill to the governor who is expected to sign it.

December 2004
Microsoft files seven lawsuits against defendants who allegedly sent spam that violated the anti-spam law by not including the label "SEXUALLY EXPLICIT" in the subject line and initially viewable area of the messages.
&"&&
&& %&%"%!'&! *$! &%!&! %(*
%(*%%&! %%&! &*&!%&!! &&%)$&
&%$$!'&
Gateway Filters
&)*&$%$ % &* "!"'$&*%%!'&! %)
$' ! %*%&%"$&$!&%$($&% !$$&!!!
"$!$ ( )&! %'"&! %%'%)&$'
&! &
%$($$&**!$& &!! %!'&! %&& (!(
"'$% &%!'&! !$ !'%! %'"&! &!$%%$(
&& "'$%$!&$"$&*!" *
% !'%%!'&! &%
%*%&%&
&!($*&'$$'&)!&
$#'$&$!%&!
!'&%"&'$%%'%$&&$! &$!* '%$% !$$&!
"'$%% %!'&! &&)'%!$& &$ ($! &%
%!'&! %)&*"*!'")& &($'%&!"$!(!"&
&$ ""&! % !'&%!'$%$(&%%!'&! %!$&'
&!$ &$"$%&!""!$&' &*&!'*'%&%'&$ %&*
&!( !!% &!' &! )&! %'"&! $!($ ! %'*&!" %!) &$ &!
&! % )$%&!&!
&$"$&*"$!($&$ )&%! %'!$% &' &$
&! *&&$)&!$&*($! %' * )&
!$&' &*&%%! %&$'%& &$"$&*&!($% *)& &$ &)!$ $%&$'&'$ !$$&! %'$! & '!'%(&*!$
-#)&! "*&#"!"(
Mail Server Engines
'&*&""'&$&'"('#!#(&'(!(#'(("(& .
"('$!'# )(#"'+& *&'$&#)('+
&( -"$&#''#&'$! #
&)"#"! '&*&
-'$$ (#"'&(-$
-#)$ +("(*&)''# )(#"'#+*&(&)''"#" ""*#&#
-!"(#$&#''! #&""(&
(-*("(#""(&
(+- (&'(($&#''! #&*&!"((#! '&*&
#!"(#"(-("(##"(" ''()&'("((+- (&
#)"(&$&('"#("*"#( !$(#"(#*&
Client Side Applications
-" &&"*&#"!"('
&'$#"'$ (-#(! "&'(&)()&'$
$&#&!""
-#'((+""
$&"'(
(-$
#")'&'+#&'((#"&( -'
(#"#+*&
$$ (#"'+
"'(
"('$$ (#"'+
&) #"'&(#"'#) ("#&$ #-"')"$$ (#""
#&$#&("*&#"!"(('$$ (#"'&& -!'"'(#$ #-'
#&$#&("((*)'(-&"(& .-"()&"()'+#) 
&%)&!)!#&!"'(&(#"("(&! '&*&#&(+-'# )(#"
#)"(&$&('"(#"'"( (&"#)&''! '&*"
)'&'+
&( -,$&""-(#!!#"'')#' ($&#&!"&"
'('-'(!$&#'''(! #&'$! (' -#)&'"! '&*&
""'"(+- (&''+
(")'&'' &#!(#"&"
(#).,!!''!.+#.$('+#$)(!.$*''#!()
$,#($(*%%!)$#(())).$)#'&*'!))!)$#*('
#$,!#,'#(()$!)$*()$)(*!!-)#)!)#!
#(%!!.(*').%'($##!''!.+#((*,))()(( !!
)),!!$)#!*)!(()#!"$#()*(
#)$)'(!#)(%%!)$#(+)%!).)$"*
"$'#)*#,),)(%#*('#(!$##)(%"%%!)$#
")!)'#.#!!*(''$*%(#$)'"."$')+)%'"))#
*)$'/()'*)$#'$*%(#!)'#%%'$%')!.(*%$#)$#)#)
')')#)%))'#*%$#,)"((,('+().%($
%%!)$#()#)$"*))')*'()#
.(#!)'#
%!)((#)$#!.#()$$*(*%$#)%))'##()!(
*'()#
.(#%))'#($(#!*('')')#"#.*')')'
!$,$()$'(#!!#("
)"+'.$'!#!$'$"*('
$'$'#$,)*()("!!#*"'$*('($',"*"$'$()!.
"!('+'##$'),.!)'".#$)" (#(
,!#)(%%!)$#()$$#(''($!!$,(
• %" *!!.))%,,,(%"*!!.$"
• # $-'))%,,,#$-'$"%'$*)(()"!
• *'))%,,,&*'$"
(!()($*!#$)$#('#)+!()$!!!#)(#)
(%"($),'#$'(##$'("#)$'#.$)($),'$+!#)(
#)(%"%%!)$#('%!#)*!#($*!'+,$'(%)*'(
Hashing/Checksums
Open relay checks
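The following is an added example, not code from the paper: it performs the envelope-only test that an open relay check consists of (EHLO, MAIL FROM from a foreign domain, RCPT TO at a second foreign domain) and ships with a small constructed SMTP responder so the check can be run offline. The probe addresses, host names, the fake server's local domain (example.com) and its 554 reply text are all assumptions; a 250 to a recipient at example.net from that server means it relays for strangers.

```python
import smtplib
import socketserver
import threading

# Constructed probe addresses. Neither domain belongs to the server under test,
# so a 250 reply to RCPT TO means it would relay mail between two strangers.
PROBE_FROM = "relaytest@example.org"
PROBE_TO = "relaytest@example.net"


def relay_test(host, port, probe_from=PROBE_FROM, probe_to=PROBE_TO, timeout=10):
    """Return True if host:port accepts RCPT TO for a third-party domain.

    Only the envelope is exercised (EHLO, MAIL FROM, RCPT TO). DATA is never
    sent, so the probe does not inject a message even through an open relay."""
    with smtplib.SMTP(host, port, local_hostname="probe.example.org", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(probe_from)
        if code != 250:
            return False                  # sender refused outright: nothing to relay
        code, _ = smtp.rcpt(probe_to)
        return code == 250                # leaving the block sends QUIT


class FakeMTA(socketserver.StreamRequestHandler):
    """Minimal SMTP responder used to run the check offline (constructed, not a real MTA).

    server.open_relay=True accepts any recipient; otherwise only recipients in
    server.local_domains are accepted and everything else gets a 554."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply("220 mta.example.com ESMTP (constructed test server)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode(errors="replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 mta.example.com")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
                if self.server.open_relay or domain in self.server.local_domains:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("554 5.7.1 Relay access denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("250 2.0.0 Ok")   # RSET/NOOP; sufficient for the probe


def start_fake_mta(open_relay, local_domains=("example.com",)):
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMTA)
    server.open_relay = open_relay
    server.local_domains = set(local_domains)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Probe a relaying and a properly configured instance of the fake server."""
    results = {}
    for label, relaying in (("open relay", True), ("properly configured", False)):
        server = start_fake_mta(open_relay=relaying)
        try:
            results[label] = relay_test("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, relays in demo().items():
        print(f"{label}: {'relays for third parties' if relays else 'relay refused'}")
```

Against a real server the call is relay_test(host, 25) from a network the server does not treat as internal; the finding is a 250 to RCPT TO for a domain the server is not responsible for, and because DATA is never sent the probe itself relays nothing.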
RBL checks
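An added example, not code from the paper, of the DNS lookup an RBL (DNSBL) check performs: the client address is reversed into a name under the list's zone, and an A record in 127.0.0.0/8 means "listed", with the last octet carrying the list's reason code. The zone name dnsbl.example.net, the records in FAKE_ZONE and the meaning given to each return code are assumptions standing in for a real list's published data; run against one's own outbound addresses, the same query is what the later section on monitoring blacklist sites asks for.

```python
import ipaddress
import socket

# Constructed zone data standing in for live DNS answers: {query name: [A records]}.
# dnsbl.example.net is a placeholder, not a real list.
FAKE_ZONE = {
    "4.3.2.203.dnsbl.example.net": ["127.0.0.2"],
    "25.0.0.198.dnsbl.example.net": ["127.0.0.4", "127.0.0.10"],
}
# Meaning of the 127.0.0.x return codes. Every list publishes its own table;
# these values are an assumption for the example.
LISTING_MEANING = {2: "spam source", 4: "open relay or proxy", 10: "dynamic address space"}


def dnsbl_name(ip, zone):
    """Query name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


def live_resolve(name):
    """System resolver; NXDOMAIN (no such name) means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip, zone, resolve=fake_resolve):
    """Return the listing reasons for ip in zone; an empty list means not listed."""
    reasons = []
    for answer in resolve(dnsbl_name(ip, zone)):
        code = ipaddress.ip_address(answer)
        if not code.is_loopback:
            # An answer outside 127/8 is not a listing. Some zones return one when
            # the querier is blocked or the list has shut down; treat it as an
            # error rather than rejecting mail on it.
            raise RuntimeError(f"unexpected answer {answer} from {zone}")
        sub = int(code) & 0xFF
        reasons.append(LISTING_MEANING.get(sub, f"listed (return code {sub})"))
    return reasons


def check_zones(ip, zones, resolve=fake_resolve):
    """Query several lists at once, for inbound filtering or for watching
    whether one's own outbound addresses have become listed."""
    return {zone: lookup(ip, zone, resolve) for zone in zones}
```

Swap live_resolve in for fake_resolve to query real zones; whether a given code is grounds for rejecting or merely scoring a connection is a policy decision that belongs with the list's documentation, not in the lookup.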
Bayesian Filtering
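An added example of the Bayesian approach this section names; it is not code from the paper. It follows the token-probability scheme of Paul Graham's "A Plan for Spam": each token's spam probability is estimated from how many spam and ham messages contained it (ham counted twice to bias against false positives), and the most decisive tokens of a new message are combined with Bayes' rule. The training corpus is constructed for the demonstration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z][a-z0-9'-]{2,}")


def tokens(text):
    """Distinct lower-cased word tokens of three or more characters."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Naive Bayesian spam filter in the style of Graham's 'A Plan for Spam'."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_counts = Counter()   # token -> number of spam messages containing it
        self.ham_counts = Counter()    # token -> number of ham messages containing it

    def train(self, text, is_spam):
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_counts.update(toks)
        else:
            self.ham_docs += 1
            self.ham_counts.update(toks)

    def token_prob(self, tok):
        """Estimated P(spam | message contains tok), clamped to [0.01, 0.99]."""
        s, h = self.spam_counts[tok], self.ham_counts[tok]
        if s + h == 0:
            return 0.4                                  # unseen token: slightly innocent
        b = min(1.0, s / max(self.spam_docs, 1))
        g = min(1.0, 2 * h / max(self.ham_docs, 1))    # ham weighted twice: false positives cost more
        return max(0.01, min(0.99, b / (b + g)))

    def score(self, text, top=15):
        """Combine the `top` most decisive tokens: 0.0 means certainly ham, 1.0 certainly spam."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:top]
        if not probs:
            return 0.5
        # prod(p) / (prod(p) + prod(1 - p)), computed in log space to avoid underflow
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.score(text) >= threshold


# Constructed training corpus for the demonstration; not real mail.
SPAM_TRAINING = [
    "Buy cheap pills online now, lowest price guaranteed, click here",
    "Congratulations you won a free prize, claim your cash now, click here",
    "Lowest price on meds, order online, free shipping, limited offer",
    "Make money fast from home, guaranteed income, click here to start",
]
HAM_TRAINING = [
    "Hi team, the quarterly report is attached, please review before the meeting",
    "Can we move the project sync to Thursday? The client wants the draft by Friday",
    "Reminder: patch the mail server tonight and review the firewall change",
    "Thanks for the review, I fixed the typo in section three of the report",
]


def trained_filter():
    """A filter trained on the constructed corpus above."""
    f = BayesFilter()
    for text in SPAM_TRAINING:
        f.train(text, is_spam=True)
    for text in HAM_TRAINING:
        f.train(text, is_spam=False)
    return f
```

The filter is only as good as its corpus: it must be trained on the recipient's own mail, retrained as false positives and negatives are corrected, and the header fields (sender, subject, Received lines) tokenized as well as the body, which this example omits for brevity.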
Heuristics
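An added example of heuristic scoring, the approach SpamAssassin-style filters take; it is not code from the paper. Each rule tests one observable property of the parsed message, a matching rule contributes its weight, and the message is spam if the total reaches a threshold. The rules, their weights, the threshold of 5.0 and the two sample messages are constructed for the demonstration.

```python
import email
import re

THRESHOLD = 5.0   # assumed cut-off, the same default SpamAssassin uses


def body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def subj_all_caps(msg, body):
    subject = msg.get("Subject", "")
    return sum(c.isalpha() for c in subject) >= 3 and subject == subject.upper()


def many_exclamations(msg, body):
    return body.count("!") >= 3


def money_words(msg, body):
    return re.search(r"\b(free|winner|prize|guaranteed|act now)\b", body, re.I) is not None


def missing_message_id(msg, body):
    return msg.get("Message-ID") is None


def html_only(msg, body):
    types = [p.get_content_type() for p in msg.walk()]
    return "text/html" in types and "text/plain" not in types


def to_equals_from(msg, body):
    return msg.get("To") is not None and msg.get("To") == msg.get("From")


# (rule name, weight, test). Weights are constructed for the example; a real
# rule set tunes them against a corpus of known spam and ham.
RULES = [
    ("SUBJ_ALL_CAPS", 1.5, subj_all_caps),
    ("MANY_EXCLAMATIONS", 1.0, many_exclamations),
    ("MONEY_WORDS", 2.0, money_words),
    ("MISSING_MSGID", 1.5, missing_message_id),
    ("HTML_ONLY", 1.0, html_only),
    ("TO_EQ_FROM", 1.0, to_equals_from),
]


def score_message(raw):
    """Return (total score, [(rule, weight), ...]) for an RFC 2822 message string."""
    msg = email.message_from_string(raw)
    body = body_text(msg)
    hits = [(name, weight) for name, weight, test in RULES if test(msg, body)]
    return round(sum(weight for _, weight in hits), 1), hits


def is_spam(raw, threshold=THRESHOLD):
    return score_message(raw)[0] >= threshold


# Constructed sample messages.
SPAM_SAMPLE = """\
From: winner@example.org
To: winner@example.org
Subject: YOU HAVE WON
Content-Type: text/html

<html><body>Congratulations!!! Claim your FREE prize now, guaranteed!</body></html>
"""
HAM_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: Quarterly report draft
Message-ID: <20061027.1234@example.com>
Content-Type: text/plain

Hi Bob, the draft is attached. Can you review it before Friday? Thanks!
"""
```

Reporting the list of rules that fired, not just the total, is what makes a heuristic verdict reviewable when a user disputes it.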
Signature matching
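An added example covering both the Hashing/Checksums and the Signature matching sections; it is not code from the paper. The body is normalized (markup, case, whitespace, numbers, URLs with tracking parameters and embedded addresses are canonicalized) before it is hashed, so that per-recipient variants of one mailing collapse to one checksum. A checksum seen too many times is bulk mail (the idea behind DCC), and a checksum in a set of known-spam digests is a signature match. The messages are constructed.

```python
import hashlib
import re
from collections import Counter


def normalize(body):
    """Canonical form of a message body so that the per-message variations a
    spammer introduces (numbers, tracking URLs, addresses, markup, case,
    whitespace) hash identically. Changed wording is not handled here."""
    text = re.sub(r"<[^>]+>", " ", body)          # drop HTML tags
    text = text.lower()
    text = re.sub(r"https?://\S+", " url ", text)  # URLs carry tracking ids
    text = re.sub(r"\S+@\S+", " addr ", text)      # embedded addresses
    text = re.sub(r"\d+", "0", text)               # order numbers, prices, dates
    text = re.sub(r"[^a-z0 ]+", " ", text)         # punctuation, newlines
    return " ".join(text.split())


def digest(body):
    """Fixed-size checksum of the normalized body."""
    return hashlib.sha256(normalize(body).encode()).hexdigest()


class BulkDetector:
    """Flags bodies whose checksum matches a known-spam signature, or which
    arrive at least `bulk_threshold` times (bulk is what spam has in common)."""

    def __init__(self, known_spam=(), bulk_threshold=3):
        self.signatures = {digest(b) for b in known_spam}
        self.seen = Counter()
        self.bulk_threshold = bulk_threshold

    def check(self, body):
        d = digest(body)
        self.seen[d] += 1
        if d in self.signatures:
            return "signature match"
        if self.seen[d] >= self.bulk_threshold:
            return "bulk"
        return "ok"


# Constructed messages: three personalized copies of one spam run, a legitimate
# message, and a known spam text used as a signature.
VARIANTS = [
    "Dear Customer,\nYour order #4711 is ready! Visit http://shop.example/track?id=9a8b now.",
    "dear customer,\n\nyour ORDER #92 is ready!!  visit http://shop.example/track?id=ff0 now.",
    "<p>Dear Customer,</p><p>Your order #17 is ready! Visit http://shop.example/t?id=11 now.</p>",
]
LEGITIMATE = "Dear Customer, your ticket 4711 was closed yesterday. Regards, Support"
KNOWN_SPAM = "Lowest price on meds, order online now, free shipping!"


def demo():
    detector = BulkDetector(known_spam=[KNOWN_SPAM], bulk_threshold=3)
    verdicts = [detector.check(v) for v in VARIANTS]
    verdicts.append(detector.check(LEGITIMATE))
    verdicts.append(detector.check("LOWEST PRICE on meds -- order online NOW!! Free shipping"))
    return verdicts
```

In production the counts are kept by a shared service so that many sites pool what they have seen, and legitimate bulk senders (newsletters, lists) are whitelisted, since volume alone does not separate them from spam.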
Black listing
White listing
Anti-virus
Anti-Spyware
Avoiding the unsubscription trap
Spamsinks
Avoiding putting emails in public places
One of the most common techniques that spammers use to obtain email addresses is to set up scripts that automatically parse company websites and public email group archives to harvest email addresses. By using a little diligence when displaying email addresses in these public ways, a lot of spam can be avoided. One method is to post an email address in such a way that a human would be able to understand what the email address is, but that a computer program doing simple parsing will likely miss. For example, instead of sample@domain.com you might post "sample at domain dot com". Another method in HTML is to encode the ASCII symbols as character references, such as writing sample@domain.com as &#115;ample@domain.com (the browser renders &#115; as the letter s, while a harvester looking for the literal text does not see an address).

Especially on company websites, an even more effective way is to never publicly display public email addresses but instead to provide forms that can be filled out and will result in the back end code sending email to the designated box. Another technique to achieve this goal is to display email addresses as an image rather than as actual text. A final point for consideration is the technique of using a separate account from your primary account for use in public discussion forums or for public display …
Cookie Management
Protection of one's own network
Proper configuration of mail servers
SPF – Sender Policy Framework
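An added example of how a receiving server evaluates an SPF record; it is not code from the paper and is not a full implementation. It covers the ip4, ip6, a, include and all mechanisms with their qualifiers, which is enough to see how a domain's published record turns a connecting address into pass, fail or softfail. The DNS data (the example.com record, the provider it includes, the A record) is constructed; a real evaluator must also handle mx, ptr, exists, redirect=, macros and the 10-lookup limit of RFC 4408.

```python
import ipaddress

# Constructed DNS data standing in for live TXT and A lookups; the domains are
# documentation names, not real senders.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
DNS_A = {"mail.example.com": ["203.0.113.25"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, txt=DNS_TXT):
    record = txt.get(domain)
    return record if record and record.startswith("v=spf1 ") else None


def check_host(ip, domain, txt=DNS_TXT, a=DNS_A, depth=0):
    """Subset of RFC 4408 check_host(): ip4, ip6, a, include and all.

    Returns pass, fail, softfail, neutral, none or permerror for the client
    address `ip` claiming to send mail from `domain`."""
    if depth > 10:
        return "permerror"          # the spec caps DNS-querying terms at 10
    record = spf_record(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return result
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if addr.version == network.version and addr in network:
                return result
        elif mechanism == "a":
            target = argument or domain
            if any(addr == ipaddress.ip_address(x) for x in a.get(target, [])):
                return result
        elif mechanism == "include":
            if check_host(ip, argument, txt, a, depth + 1) == "pass":
                return result
        else:
            return "permerror"      # mx, ptr, exists, redirect= and macros are not implemented here
    return "neutral"                # no mechanism matched and no explicit all
```

Note that an include only contributes a match when the included record returns pass: the provider's ~all does not soften example.com's -all, so an address the provider does not list still fails for example.com.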
Only permit outbound SMTP from authorized mail servers
Avoiding chain mail and hoax mail propagation
Turning off HTML rendering in email clients
… received email. In addition to these benefits, exploits that depend upon HTML rendering, especially by Internet Explorer, can be avoided entirely from coming in as a result of receiving a specially crafted email. Unfortunately, it is improbable that many organizations will choose to enforce this technique due to the abundance of legitimate mail that uses HTML. The ease and convenience of this feature will often win out over the technical and security benefits that it provides.

In Outlook 2003 or later, HTML rendering can be disabled by applying the following registry key (11.0 is the Office 2003 version number):

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail
ReadAsPlain (REG_DWORD) = 1

Alternatively, in Outlook go to Tools, Options, Preferences, E-mail Options and check the option to read all standard mail in plain text.

As a potential compromise short of turning HTML off altogether, scripting and other programmatic controls within the HTML rendering engine can be disabled in Outlook. This is done by going to Tools, Options, Security, Zone: Restricted sites and then using the zone settings to ensure that all scripting and controls are disabled by default.

Furthermore, it would be prudent to configure Outlook to not send mail in anything other than plain text. To do so, follow these steps from within Tools, Options, Mail Format:

• Compose in this message format: Plain Text
• Deselect "Use Microsoft Word to edit email messages"
• Deselect "Use Microsoft Word to read rich text email messages"
• Internet format: Convert to Plain Text format
Reading and responding to SMTP Headers
ho
, %""'#%%&*"''%$%$%#(%& )&'##%%'
07
,A
ut
"'%$%'"%&$#"'#&$!!&&&"#%!'#"#"'"*'"
%&$%#)&# )"#('''%(&#(%#&$!! &"%
20
&&"'
Key *"%&$#""'##%%$#%'"&$!!&&&*'""(&%$#%'"
fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
te
")%#"!"'
)%,' +$ "'#"#%&&) '
©
SA
NS
In
sti
tu
''$***&'#$&$!#%! %&'! %"%"%
© SANS Institute 2007,
As part of the Information Security Reading Room
Author retains full rights.
Double opt-in
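An added example of the confirmation step in double opt-in; it is not code from the paper. The link mailed to a would-be subscriber carries a token that names the address, the list and an expiry and is authenticated with an HMAC, so the list software keeps no state until the address owner confirms, and nobody can subscribe a third party by guessing or editing a token. The secret, the list name and the timestamps are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed secret for the example; in practice it comes from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL = 48 * 3600      # confirmation links stop working after two days
MAC_LEN = hashlib.sha256().digest_size


def issue_token(address, list_id, now=None, secret=SECRET):
    """Token to embed in the confirmation link mailed to `address`."""
    now = int(time.time() if now is None else now)
    payload = f"{address}|{list_id}|{now + TOKEN_TTL}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode().rstrip("=")


def confirm_token(token, now=None, secret=SECRET):
    """Return (address, list_id) if the token is genuine and unexpired, else None."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                     # forged, tampered, or issued with another key
    address, list_id, expires = payload.decode().rsplit("|", 2)
    if now > int(expires):
        return None                     # link is too old; ask for a fresh one
    return address, list_id


def demo():
    """Exercise the honest path, tampering, expiry and garbage at fixed timestamps."""
    issued_at = 1_161_950_400            # constructed timestamp
    token = issue_token("bob@example.com", "newsletter", now=issued_at)
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    forged = base64.urlsafe_b64encode(raw.replace(b"bob@", b"eve@")).decode().rstrip("=")
    return {
        "valid": confirm_token(token, now=issued_at + 3600),
        "tampered": confirm_token(forged, now=issued_at + 3600),
        "expired": confirm_token(token, now=issued_at + TOKEN_TTL + 1),
        "garbage": confirm_token("not-a-token", now=issued_at),
    }
```

Only a request that presents a valid token adds the address to the list; the initial sign-up form, which anyone can submit with anyone's address, never does.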
Do not buy mailing lists
Consider using listservs
Periodic purge
Protect your mailing list
Immediate unsubscribing
Do it in house
Consider rate limiting
Hide the recipients (BCC or otherwise)
Use legitimate DNS domains matching to appropriate IPs
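An added example of the check a receiving server applies to a sending server's DNS; it is not code from the paper. Forward-confirmed reverse DNS requires that the connecting address have a PTR record and that the name it points to resolve back to the same address; the HELO name is then compared with that confirmed name, and names that look like dynamic address space get their own verdict. The PTR and A data, the host names and the dynamic-name patterns are constructed.

```python
import ipaddress
import re
import socket

# Constructed DNS data in place of live lookups: PTR (reverse) and A (forward) records.
PTR_RECORDS = {
    "203.0.113.25": "mail.example.com",
    "198.51.100.77": "dsl-77.pool.isp.example",   # PTR exists but does not point back
    "198.51.100.90": "dyn-90.isp.example",        # consistent, but a dynamic-looking name
}
A_RECORDS = {
    "mail.example.com": ["203.0.113.25"],
    "dsl-77.pool.isp.example": ["198.51.100.78"],
    "dyn-90.isp.example": ["198.51.100.90"],
}
# Assumed patterns for names that ISPs give to residential or dial-up space.
DYNAMIC_HINTS = re.compile(r"\b(dsl|dial|dyn|pool|ppp|cable|dhcp)\b|\d+-\d+-\d+-\d+", re.I)


def ptr_query_name(ip):
    """The name actually queried for a PTR record, e.g. 25.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def forward_confirmed(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS: PTR(ip) must name a host whose A records
    include ip. Returns (confirmed, name)."""
    name = ptr.get(ip)
    if name is None:
        return False, None
    return ip in a.get(name, []), name


def evaluate_sender(ip, helo_name, ptr=PTR_RECORDS, a=A_RECORDS):
    """Verdict for a connecting client, from the weakest evidence to the strongest."""
    confirmed, name = forward_confirmed(ip, ptr, a)
    if name is None:
        return "no reverse DNS"
    if not confirmed:
        return "reverse DNS does not confirm forward"
    if helo_name.lower() != name.lower():
        return "HELO name does not match reverse DNS"
    if DYNAMIC_HINTS.search(name):
        return "dynamic-looking host name"
    return "ok"


def live_forward_confirmed(ip):
    """The same check with the system resolver (not used by the offline demo)."""
    try:
        name = socket.gethostbyaddr(ip)[0]
        addrs = socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return False, None
    return ip in addrs, name
```

Whether each non-"ok" verdict rejects the connection outright or only adds to a spam score is a policy choice; rejecting on a missing PTR alone still turns away some legitimate but badly run mail servers, which is why many sites score it rather than block on it.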
Consult with legal counsel
Monitor blacklist sites
References
"Award-Winning Spam Filter for Microsoft Outlook." InBoxer. Accessed Oct. 2006. http://www.inboxer.com/products.shtml

Babener, Jeffrey. "Identifying Illegal Pyramid Schemes." MLM Startup. Accessed Oct. 2006. http://www.mlmstartup.com/articles/bho.htm

"Anti-Spam (formerly Qurb)." Accessed Oct. 2006. http://www.qurb.com

Coulter, Shannon. "CAN-SPAM Timeline." Lyris Technologies. Accessed Oct. 2006. http://www.lyris.com/resources/articles/canspam.html

"DNSBL Database Check." Osirusoft. Accessed Oct. 2006. http://relays.osirusoft.com/cgi-bin/rbcheck.cgi

Federal Bureau of Investigation. "Press Room - Headline Archives." Accessed Oct. 2006. http://www.fbi.gov/page…/nov…/warspammer.htm

Federal Trade Commission. "FTC Adopts Rule That Requires Notice That Spam Contains Sexually Explicit Material." Press release. Accessed Oct. 2006. http://www.ftc.gov/opa/…/adultlabel.htm

"… Make Their Money?" Ask Yahoo. Accessed Oct. 2006. http://ask.yahoo.com/….html

"Metting Spam from PsychPage." PsychPage. Accessed Oct. 2006. http://www.psychpage.com/spammer.html

Lemke, Tim. "Spammers Make Profits Without Making a Sale." Washington Post. Accessed Oct. 2006. http://www.washtimes.com/business/….htm

Mike. "Spammers Make Profits Without Making a Sale." Techdirt. Accessed Oct. 2006. http://www.techdirt.com/articles/….shtml

"Multi-RBL Checker." TQM. Accessed Oct. 2006. http://www.tqmcube.com/rblcheck.php
"Nigerian Scams." Scam Information, Hoax-Slayer. Accessed Oct. 2006. http://www.hoax-slayer.com/nigerian-scams.html

NPR. "Penny Stock Spam Yields Profits." National Public Radio, Aug. Accessed Oct. 2006. http://www.npr.org/templates/story/story.php?storyId=…

Open Relay Database. "Welcome to the ORDB." ORDB.org, the Open Relay DataBase. Accessed Oct. 2006. http://www.ordb.org

"Re: Spamblocking." Dec. Accessed Oct. 2006. http://archive.cert.uni-stuttgart.de/archive/intrusions/…/msg….html

"Reading Email Headers." Stopspam.org. Accessed Oct. 2006. http://www.stopspam.org/email/headers.html

Sauver, Joe S. "The Economics of Spam." University of Oregon. Accessed Oct. 2006. http://cc.uoregon.edu/cnews/summer…/spameconomics.html

Shim, Richard. "Wardriving Conviction Is First Under Can-Spam." Tech News on ZDNet, Sept.; CNET News.com. Accessed Oct. 2006. http://news.zdnet.com/….html

"Spam (electronic)." Wikipedia, the Free Encyclopedia. Accessed Oct. 2006. http://en.wikipedia.org/wiki/Spam_(electronic)

"Spam: Definitions from Dictionary.com." Dictionary.com. Accessed Oct. 2006. http://www.dictionary.com

"Spam Bully - Email Spam Filter for Outlook and Outlook Express." SpamBully. Accessed Oct. 2006. http://www.spambully.com

"Spam: List of Emails." Accessed Oct. 2006. http://home.versanet.de/~pdietrich/spamblock.html

"Spammimic." Accessed Oct. 2006. https://www.spammimic.com
"Sender Policy Framework to Prevent Email Forgery." OpenSPF.org. Accessed Oct. 2006. http://www.openspf.org

"The CAN-SPAM Act: Requirements for Commercial Emailers." Federal Trade Commission. Accessed Oct. 2006. http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm

"Tip: Read as Plain Text." Outlook Tips. Accessed Oct. 2006. http://www.outlook-tips.net/archives/….htm

Turner, Aubrey. "Ten Ten Twelve." AubreyTurner.Org. Accessed Oct. 2006. http://www.aubreyturner.org/index.php?…

"Urban Legends Reference Pages: Computers (National Do Not E-Mail Registry)." Snopes.com. Accessed Oct. 2006. http://www.snopes.com/computer/internet/unsub.asp

"Urban Legends Reference Pages." Snopes. Accessed Oct. 2006. http://www.snopes.com