
    ITU-T SERIES X SUPP 14-2012 ITU-T X 1243 C Supplement on a practical reference model for countering e-mail spam using botnet information (Study Group 17)《ITU-T X 1243推荐性规范抵制使用僵尸网络信.pdf

International Telecommunication Union

ITU-T
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU

Series X
Supplement 14
(09/2012)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

ITU-T X.1243 – Supplement on a practical reference model for countering e-mail spam using botnet information

ITU-T X-series Recommendations – Supplement 14

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS                          X.1–X.199
OPEN SYSTEMS INTERCONNECTION                  X.200–X.299
INTERWORKING BETWEEN NETWORKS                 X.300–X.399
MESSAGE HANDLING SYSTEMS                      X.400–X.499
DIRECTORY                                     X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS             X.600–X.699
OSI MANAGEMENT                                X.700–X.799
SECURITY                                      X.800–X.849
OSI APPLICATIONS                              X.850–X.899
OPEN DISTRIBUTED PROCESSING                   X.900–X.999
INFORMATION AND NETWORK SECURITY
  General security aspects                    X.1000–X.1029
  Network security                            X.1030–X.1049
  Security management                         X.1050–X.1069
  Telebiometrics                              X.1080–X.1099
SECURE APPLICATIONS AND SERVICES
  Multicast security                          X.1100–X.1109
  Home network security                       X.1110–X.1119
  Mobile security                             X.1120–X.1139
  Web security                                X.1140–X.1149
  Security protocols                          X.1150–X.1159
  Peer-to-peer security                       X.1160–X.1169
  Networked ID security                       X.1170–X.1179
  IPTV security                               X.1180–X.1199
CYBERSPACE SECURITY
  Cybersecurity                               X.1200–X.1229
  Countering spam                             X.1230–X.1249
  Identity management                         X.1250–X.1279
SECURE APPLICATIONS AND SERVICES
  Emergency communications                    X.1300–X.1309
  Ubiquitous sensor network security          X.1310–X.1339
CYBERSECURITY INFORMATION EXCHANGE
  Overview of cybersecurity                   X.1500–X.1519
  Vulnerability/state exchange                X.1520–X.1539
  Event/incident/heuristics exchange          X.1540–X.1549
  Exchange of policies                        X.1550–X.1559
  Heuristics and information request          X.1560–X.1569
  Identification and discovery                X.1570–X.1579
  Assured exchange                            X.1580–X.1589

For further details, please refer to the list of ITU-T Recommendations.

X series – Supplement 14 (09/2012)

Summary

Botnets are a major source of e-mail spam. Botnet related devices, including master, command and control (C&C) servers and infected computers, are decentralized on the Internet, which greatly challenges any party to identify botnets and discover specific botnet-related information. Therefore, information sharing becomes a crucial factor to counter e-mail spam sent by a botnet.

This Supplement provides a reference model which can be applied to the interactive gateway system for countering spam, in accordance with Recommendation ITU-T X.1243. In this reference model, spam-countering gateways can share botnet-related information with each other. This Supplement mainly focuses on countering e-mail spam sent by a botnet.

History

Edition   Recommendation      Approval     Study Group
1.0       ITU-T X Suppl. 14   2012-09-07   17

Keywords

Botnet, e-mail, spam.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE

In this publication, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall” or some other obligatory language such as “must” and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process.

As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2013

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents

1 Scope
2 References
3 Definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Supplement
4 Abbreviations and acronyms
5 Conventions
6 Background
7 Reference model for countering e-mail spam using botnet information
  7.1 General architecture
  7.2 Functional entities in botnet detection systems
  7.3 Functional entities in spam-countering gateways
  7.4 System interfaces
8 Working procedure of the reference model
Bibliography

1 Scope

This Supplement to ITU-T X-series Recommendations provides a practical reference model for countering e-mail spam sent by a botnet, which can be applied to the interactive spam-countering gateway specified in [ITU-T X.1243]. This Supplement also specifies the working procedure, functional entities and system interfaces of this reference model. Furthermore, this Supplement describes the function for making signatures and filtering rules based on botnet information.

The objective of this Supplement is to design and implement an interactive gateway for countering e-mail spam. This Supplement mainly focuses on countering e-mail spam sent by a botnet.

2 References

[ITU-T X.1243]  Recommendation ITU-T X.1243 (2010), Interactive gateway system for countering spam.

3 Definitions

3.1 Terms defined elsewhere

This Supplement uses the following terms defined elsewhere:

3.1.1 bot [b-ITU-T X.1244]: Bot is a contraction of “robot”, which is a program that operates as an agent for a user or another program to simulate a human activity.

3.1.2 email [b-ITU-T X.1241]: This term is mainly used to indicate the electronic mail transmitted over a telecommunication network.

3.1.3 email spam [b-ITU-T X.1241]: This term is used to describe unsolicited electronic communications over email, which is usually sent for specific purposes.

3.2 Terms defined in this Supplement

This Supplement defines the following terms:

3.2.1 botnet: A collection of Internet-connected computers whose security defences have been breached and are controlled by an unknown party. Each compromised device, known as a “bot”, is created when a computer is penetrated by software from a malware distribution source. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols.

3.2.2 botnet information: Botnet information refers to the topology-related information of a botnet, such as command and control (C&C) IP addresses, zombie IP lists, binary update server IP addresses, spam template server IP addresses, etc.

3.2.3 botnet master: An individual responsible for controlling and maintaining a botnet.

3.2.4 command and control server: Server used as a command and control point by a botnet operator.

4 Abbreviations and acronyms

This Supplement uses the following abbreviations and acronyms:

BDE     Botnet Detection Engine
BID     Botnet Information Database
C&C     Command and Control
DDoS    Distributed Denial of Service
ID      Identity
IP      Internet Protocol
LscDB   Local spam-countering Database
MMS     Multimedia Messaging Service
MX      Mail exchange
SCG     Spam-Countering Gateway
SMS     Short Message Service
SMTP    Simple Mail Transfer Protocol
SRM     Spam Receiver Monitor function
SSFRG   Spam Signature and Filtering Rule Generator
SSM     Spam Sender Monitor function
URL     Uniform Resource Locator

5 Conventions

None.

6 Background

A botnet is a collection of Internet-connected computers whose security defences have been breached and are controlled by an unknown party (see Figure 1). The botnet master can use the remotely controlled botnet to launch various kinds of attacks such as spam, distributed denial of service (DDoS), theft of personal information, etc. The most significant characteristics of a botnet are that the botnet master can control every attack property (such as type, method and time, etc.), and that command and control (C&C) servers and infected computers are distributed all over the world. These factors make it difficult to identify a botnet.

[Figure 1 shows a botnet master, a C&C server, bots and a target server/host, with the steps: 1. Spreads malicious codes; 2. Computers become bots; 3. Accesses C&C server; 4. Delivers command; 5. Updates command and control; 6. Initiates attacks.]

Figure 1 – Common working procedure of a botnet

Botnets have become the major source for e-mail spam, which generates massive unwanted e-mail traffic on networks and negatively influences e-mail receivers. First, a botnet master can send spamming attack commands to a C&C server. Second, after the C&C server receives the command, the C&C server will update the attack information in the infected computers to include target addresses, e-mail content and the sending rate. Finally, the infected computers will send e-mail spam according to the attack information.

Generally, the botnet uses normal e-mail addresses as sender e-mail addresses. Meanwhile, the botnet generates e-mail content and subjects randomly. Therefore, it is difficult to detect e-mail spam from normal e-mails in network devices including e-mail servers. The e-mail spam is commonly filtered by e-mail receivers rather than e-mail servers, which causes serious waste of network resources and negatively influences e-mail receivers.

Considering that most e-mail spam is sent by botnets, it will be more effective and efficient to use botnet information for identification of e-mail spam. In addition, spam-filtering rules stored in e-mail gateways can be also updated simultaneously based on botnet information.

It is very hard to identify botnet masters and C&C servers from botnets. It is also very difficult to recognize spam control and attack messages from Internet flows. Considering the above difficulties, it is more practical to identify infected computers and recognize e-mail spam in real time. Therefore, botnet information used for countering e-mail spam can generally be IP addresses of infected computers, behaviours of the botnet, etc.

7 Reference model for countering e-mail spam using botnet information

7.1 General architecture

Botnet information usually needs to be synchronized between different spam-countering gateways via a botnet detection system. The general architecture for countering e-mail spam sent by a botnet is shown in Figure 2, which is in accordance with the architecture of the spam-countering gateway (SCG) specified in [ITU-T X.1243].

[Figure 2 shows a botnet detection system (botnet detection engine (BDE) and botnet information database (BID)) and two spam-countering gateways, gateway 1 and its spam-countering peer gateway 2. Each gateway contains a spam signature and filtering rule generator (SSFRG), a spam receiver monitor (SRM) function, a spam sender monitor (SSM) function and a local spam-countering database, and serves message senders and message receivers. Legend: user message, signalling.]

Figure 2 – Reference model for countering e-mail spam sent by a botnet

In Figure 2, the detected botnet information is stored in the botnet information database (BID) after data pre-processing. The two functional entities, including the spam sender monitor (SSM) function and spam receiver monitor (SRM) function in the spam-countering gateway (SCG), can get botnet information from the BID. Then, the above two functional entities can monitor spamming activities from the botnet. If they find spamming activities, they will record the spam information, such as e-mail spam body, mail exchange (MX) queries, relay server and attached files. Afterwards, they will transmit it to the spam signature and filtering rule generator (SSFRG). The SSFRG will generate spam signature and filtering rules, which will be synchronized to the local spam-countering database (LscDB).

7.2 Functional entities in botnet detection systems

A botnet detection system is used to detect, collect and store botnet information, which consists of two functional entities: the botnet detection engine (BDE) and the botnet information database (BID).

BDE: This functional entity is used to collect the botnet information which will be transmitted to the BID either directly or after pre-processing. Many countries or organizations operate such botnet detection systems to obtain botnet information by means of honeypot detection, security incident analysis, network traffic analysis, malware analysis, etc. Best practices are described in [b-ITU-T X-Sup.8].

BID: This functional entity is used to store botnet information. Botnet information can include C&C servers' IP addresses/URLs, infected computers' IP addresses, attack behaviours and information of related servers. The botnet information can be used to detect e-mail spam sent by a botnet. This functional entity also provides botnet information to other systems requiring it.

7.3 Functional entities in spam-countering gateways

Countering e-mail spam is mainly realized through SCGs. The SCG has three functional entities: the SSM, the SRM and the SSFRG. Generally, each SCG has a sender gateway function and receiver gateway function. The SSM can check which e-mails are sent by a botnet based on the botnet information on t
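
The flow described in clause 7.1 (BID lookup by the monitor functions, rule generation by the SSFRG, synchronization of the LscDB between peer gateways), sketched as an added example that is not part of the ITU-T text. The class and function names, the three rule types and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import ipaddress

class BID:
    """Botnet information database, reduced here to infected-host address ranges."""
    def __init__(self, infected_cidrs):
        self.nets = [ipaddress.ip_network(c) for c in infected_cidrs]

    def is_bot(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.nets)

def features(msg):
    """Recorded spam information: relay server, normalised body, attached files."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    body = " ".join(msg["body"].lower().split()).encode()
    feats = {("relay", msg["relay"]), ("body_sha256", digest(body))}
    feats.update(("attachment_sha256", digest(a)) for a in msg["attachments"])
    return feats

class SCG:
    """Spam-countering gateway holding a local spam-countering database (LscDB)."""
    def __init__(self, bid):
        self.bid, self.lscdb, self.peers = bid, set(), []

    def handle(self, msg):
        if self.bid.is_bot(msg["src_ip"]):       # SSM/SRM check against the BID
            rules = features(msg)                # SSFRG: recorded info becomes rules
            for gw in [self, *self.peers]:       # synchronise every LscDB
                gw.lscdb |= rules
            return "blocked:botnet-ip"
        if features(msg) & self.lscdb:           # source not in BID, but a rule matches
            return "blocked:rule"
        return "delivered"

# Constructed sample traffic (documentation address ranges, made-up content).
SAMPLE = [
    {"src_ip": "203.0.113.7", "relay": "relay-a.example", "body": "Constructed  spam",
     "attachments": [b"constructed-attachment"]},
    {"src_ip": "198.51.100.9", "relay": "relay-b.example", "body": "Other text",
     "attachments": [b"constructed-attachment"]},
    {"src_ip": "192.0.2.10", "relay": "mx.example.org", "body": "Meeting at 10",
     "attachments": []},
]

def demo():
    bid = BID(["203.0.113.0/24"])                # constructed BID entry
    gw1, gw2 = SCG(bid), SCG(bid)
    gw1.peers.append(gw2)
    return [gw1.handle(SAMPLE[0]), gw2.handle(SAMPLE[1]), gw2.handle(SAMPLE[2])]
```

The second message comes from an address the BID does not list, yet gateway 2 blocks it because the attachment rule generated at gateway 1 was synchronized to its LscDB; a gateway without that shared rule would deliver it.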

