Communication Industry Standard of the People's Republic of China
YD/T 1311-2004
Technical Requirements for Preventing Spam Emails on the Internet
Specification of Internet Anti-Spam
Promulgated on 2004-03-24
Implemented on 2004-03-24
Ministry of Information Industry of the People's Republic of China
1 Scope
2 Normative References
3 Definitions and Abbreviations
3.1 Definitions
3.2 Abbreviations
4 Overall Structure of Mail System
4.1 Basic Structure of Mail System
4.2 Network Structure of Spam Mail Processing System
4.3 Reference Model of Spam Mail Processing System
5 Functional Requirements of Key Equipment in Spam Mail Processing System
5.1 Functional Requirements of Mail Client
5.2 Functional Requirements of Spam Measures on Email Servers
5.3 Functional Requirements of First-Level Spam Information Processing Center
5.4 Functional Requirements of Second-Level Spam Information Processing Center
6 Email Format and Definition of Spam
6.1 Email Format
6.2 Main Characteristics of Spam
6.3 Spam Judgment Rules
7 Methods to Prevent Spam
7.1 Disable the Open-Relay Function of the Email Server
7.2 Email Sending Authority Control
7.3 Email Filtering Technology
This standard is one of the series of standards for preventing Internet spam. The names of the standards in this series are as follows:
1. YD/T1710-20104 Requirements for the format of online advertisement emails
2. YD/T 1311-2004 Technical requirements for preventing spam emails on the Internet
This standard is based on IETF RFC 2821-2001 Simple Mail Transfer Protocol, IETF RFC 2822-2001 Internet Message Format, and IETF RFC 1869-1995 Simple Mail Transfer Protocol Service Extension, and is formulated in combination with the actual situation of domestic networks and services.
With the rapid development of network terminal technology, this standard will be gradually supplemented and improved.
This standard is proposed and managed by the China Communications Standards Association.
Standard drafting units: Telecommunication Transmission Research Institute of the Telecommunication Research Institute of the Ministry of Information Industry; AsiaInfo Technologies (China) Co., Ltd.; China Mobile Communications Corporation; Huxing Telecommunications Co., Ltd.
Main drafters of this standard: Chen Kai, Wu Yinghua, Ouyang Jian, Chen Minshi, Li Yan
Introduction
With the development of the Internet, a large number of business advertising emails need to be transmitted to users through the Internet, and at the same time a large number of junk emails are spread on the Internet. In order to combat the transmission of junk emails, it is necessary to formulate corresponding advertising email format standards and junk email classification standards, to provide a basis for the system to distinguish normal advertising emails from junk emails, transmit legal advertising emails to users, and discard junk emails. In reality, the vast majority of junk emails are advertising emails; junk emails also include emails that threaten personal safety and information security. Among advertising emails, those that are sent against the will of users and are difficult to trace should be identified as junk emails. Only those approved by the relevant national management departments and published in accordance with the format regulations for advertising emails are legal advertising emails.
1 Scope
This standard specifies the network structure of spam processing systems and the performance requirements of their main components and equipment, and provides the main characteristics and judgment criteria of spam mails and the main methods of preventing spam mails. This standard provides a technical basis for operators of electronic mail services and software vendors who develop anti-spam functions.
2 Normative references
The clauses in the following documents become clauses of this standard through reference in this standard. For dated references, subsequent amendments (excluding errata) or revisions do not apply to this standard. However, the parties who reach an agreement based on this standard should study whether the latest versions of these documents can be used. For undated references, the latest versions apply to this standard.
RFC 2821    Simple Mail Transfer Protocol
RFC 2822    Internet Message Format
RFC 1869    Simple Mail Transfer Protocol Service Extension
RFC 1939    Post Office Protocol Version 3
RFC 2060    Internet Message Access Protocol Version 4
RFC 2222    Simple Authentication and Security Layer Protocol
RFC 2505    Simple Mail Transfer Protocol: Recommendations for Mail Transfer Agents to Protect against Spam
RFC 2554    Simple Mail Transfer Protocol Authentication Service Extension
3 Terms and abbreviations
The following definitions and abbreviations are used in this standard.
3.1 Definitions
E-mail: currently mainly refers to files and documents that are transmitted by computer programs using electronic communication technology.
Spam: refers to emails with the characteristics of advertisements, electronic publications, various forms of unwanted products, etc. that the recipient has not requested or agreed to receive, as well as emails that conceal the sender's identity or address, or contain false information such as the source, sender, and location.
Email samples are extracted from a large number of emails by the email server according to certain rules (called time or quantity rules). Email samples are called spam.
Email samples: the email server extracts, from a large number of spam emails and according to their characteristics, the spam emails that can represent a type of spam.
Basic actions:
Compound rules: a rule composed of one or more simple rules.
Action: when a certain email meets the conditions of the rule, the most appropriate measures are taken for the spam email.
Blacklist: a list of server or host information that verifies or sends spam.
Real-time blacklist: a list of server or host information that is updated in real time.
Commercially dangerous emails: emails that contain or carry malicious code or viruses that may be destructive to computer software, networks, or human senses, and may cause great potential harm.
3.2 Abbreviations
DNS     Domain Name Server
E-mail  Electronic mail
ESMTP   Extended Simple Mail Transfer Protocol
FTP     File Transfer Protocol
HTTP    Hypertext Transfer Protocol
IMAP4   Internet Message Access Protocol v4
IP      Internet Protocol
POP3    Post Office Protocol v3
SASL    Simple Authentication and Security Layer protocol
SMTP    Simple Mail Transfer Protocol
4 Overall structure of mail system
4.1 Basic structure of the mail system
The basic structure of the mail system is shown in Figure 1.
Figure 1 The basic structure of the mail system
Working principle:
The sender of the email indicates the name and email address of the recipient, and the sender's mail server transmits the email to the recipient's mail server. The recipient's mail server then filters the email and delivers it to the recipient's mailbox. As shown in Figure 1, in response to the mail request of the mail client, a transmission channel is established between the sending mail server and the receiving mail server. The receiving mail server can be the final recipient or an intermediate transmitter. The mail transmission protocol between mail servers is generally SMTP (Simple Mail Transfer Protocol). The sending mail server issues SMTP commands, which the receiving mail server receives; the receiving mail server returns the responses to those commands to the sender. SMTP provides a mechanism for transmitting mail. If the receiving mail server and the sending mail server are connected to the same transmission service, the mail can be transmitted directly from the sending mail server host to the receiving mail server host. When the two are not under the same transmission service, the mail is transmitted through relay SMTP servers. To provide the relay capability, the SMTP server must be given the final host address and the mailbox name. To make the mail system more convenient to use in practice, POP3, IMAP4 and other protocols can be used in addition to SMTP for communication between the mail server and the mail client.
4.2 Network structure of spam mail processing system
The spam mail processing system adopts a two-level structure, namely the first-level spam information processing center and the second-level spam information processing center, as shown in Figure 2.
Figure 2 Network structure of the spam mail processing system
The network structure of the spam mail processing system shows the channels established for exchanging information between the various parts of the mail processing system.
The first-level spam information processing center is responsible for construction and maintenance, and the first-level center is responsible for issuing rules to the second-level centers. The second-level spam information processing center is built and maintained by the email operator, and is responsible for receiving spam reports from all end users. The secondary center must have the ability to extract information from spam emails; at the same time, it needs to submit important information to the primary center, and can send it to the lower-level systems. The primary center basically only receives requests from the secondary centers, and the validity and legality of the submitted rules are reviewed by the secondary center. The administrator of the primary center needs to make another review before the rules take effect. The mail client is an application that allows end users to send and receive emails directly, and the mail server is a server group that completes the task of email communication on the Internet. In order to prevent spam, these two parts of the system should cooperate with the spam information processing center to complete the collection and release of messages, and synchronize email lists and various email processing rules and strategies with the spam information processing center. The above functions can be integrated directly into the client and server programs, or installed externally.
4.3 Reference model of spam processing system
The reference model of the spam processing system is shown in Figure 3. The basic units mainly include the primary spam information processing center, the secondary spam information processing center, the mail server and the mail client. The text format requirements between the components refer to other relevant standards and regulations. The reference points between the components are defined as follows:
Reference point A: the reference point between the spam information processing center, the mail server and the secondary spam information processing center. It must support FTP (File Transfer Protocol) and HTTP (Hypertext Transfer Protocol), and mainly carries received complaints and spam judgment rule information. Each rule is accompanied by a number of spam samples as evidence. The transmitted rules must support compound rules, such as the compound of the simple rules "source IP + URL".
Reference point B: the reference point between the secondary spam information processing center and the mail server. It must support FTP and HTTP, and mainly carries received complaints and spam judgment rule information. Each rule is accompanied by a number of spam samples as evidence. The transmitted rules must support compound rules, such as the compound of the simple rules "source IP + URL".
Reference point C: the reference point between mail servers, which can use SMTP (Simple Mail Transfer Protocol).
Reference point D: the reference point between the mail server and the mail client. In addition to SMTP, POP3, IMAP4 and other protocols can also be used.
Reference point E: the reference point between the secondary spam information processing center and the mail client. E can use HTTP, FTP and special client software or vulnerabilities.
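The compound rule "source IP + URL" mentioned for reference points A and B can be modelled as follows. This is an added example, not part of the standard: the class names, the action names ("quarantine", "reject", "deliver"), the rule and sample identifiers and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Host part of http/https URLs found in the message body.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class SimpleRule:
    kind: str   # "source_ip" (value is a CIDR block) or "url" (value is a host name)
    value: str

    def matches(self, source_ip: str, body: str) -> bool:
        if self.kind == "source_ip":
            return ipaddress.ip_address(source_ip) in ipaddress.ip_network(self.value)
        if self.kind == "url":
            want = self.value.lower()
            hosts = {h.lower().rstrip(".") for h in URL_HOST.findall(body)}
            # Match the listed host itself or any sub-domain of it.
            return any(h == want or h.endswith("." + want) for h in hosts)
        raise ValueError(f"unknown simple rule kind: {self.kind!r}")


@dataclass
class CompoundRule:
    rule_id: str
    parts: list                                   # one or more SimpleRule objects
    action: str                                   # measure taken when the rule matches
    samples: list = field(default_factory=list)   # ids of spam samples kept as evidence

    def __post_init__(self):
        # A compound rule is made of one or more simple rules; an empty
        # rule would otherwise match every message.
        if not self.parts:
            raise ValueError("a compound rule needs at least one simple rule")

    def matches(self, source_ip: str, body: str) -> bool:
        # "source IP + URL": every simple rule must match the same message.
        return all(p.matches(source_ip, body) for p in self.parts)


def decide(rules, source_ip, body, default="deliver"):
    """Return (action, rule_id) of the first matching rule, else (default, None)."""
    for rule in rules:
        if rule.matches(source_ip, body):
            return rule.action, rule.rule_id
    return default, None


# Constructed sample rules (hypothetical values, documentation address ranges).
RULES = [
    CompoundRule("R-001",
                 [SimpleRule("source_ip", "192.0.2.0/24"),
                  SimpleRule("url", "promo.example")],
                 action="quarantine", samples=["sample-17", "sample-18"]),
    CompoundRule("R-002", [SimpleRule("url", "malware.example")], action="reject"),
]
```

Because both parts of R-001 must match, the same URL arriving from an unlisted source address is still delivered, which is the point of combining simple rules.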
5 Functional requirements of the main equipment in the spam mail processing system
5.1 Functional requirements of the mail client to prevent spam mail
(1) In addition to general functions such as sending, receiving and storing mail, the mail client can file a spam complaint with the spam information processing center. The recipient of an email can judge whether it is suspicious spam based on its content, such as unwanted advertisements, electronic publications, direct mail products, and emails whose sender's identity and address are unknown or which cannot be unsubscribed from. After receiving such emails, users should be able to use the complaint function of the client program to report them to the spam information processing center.
(2) It can download the spam list from the spam information processing center. The spam information processing center compiles the spam list based on the information received from various places, and publishes and updates it according to the user, sender, and domain name. The email client can download the spam list automatically, or the user can download it manually.
(3) It can submit spam emails to the spam information processing center. Emails that are initially judged as suspicious spam by the recipient should be submitted to the spam information processing center for professional judgment and feature extraction, in order to propose new blacklists and filtering rules. Spam samples should completely include all the header fields of the email, and should include the email body.
(4) It can receive high-risk email alerts issued by the spam information processing center. The spam information processing center will regularly publish reports on the transmission of dangerous emails. Email clients should automatically download these reports and give clear prompts to users when downloading.
(5) It can download spam filtering rules from the spam information processing center. The manager of the spam information processing center is responsible for formulating spam filtering rules and publishing updates regularly. The rules include matching keywords in each part of the email, email size control, and email attachment validity limits. The client can also download spam rules automatically.
(6) The client can filter spam emails, selectively filtering all or part of the received emails based on the accumulated lists and email filtering rules. The filtering results should be submitted to the user for confirmation to avoid misjudgment by the client program.
5.2 Functional requirements for spam prevention and control measures of email servers
5.2.1 Basic functions of mail server equipment
(1) In addition to completing general mail transmission, storage, etc., it can turn off the automatic forwarding function for mail users. SMTP stipulates that mail can be transmitted through intermediate mail servers; when there is no restriction on the forwarding direction, this is called automatic forwarding. Automatic forwarding lets a sender hide their identity and send mail using powerful mail servers, so the automatic forwarding function should be turned off.
(2) It can prevent non-verified users from sending mail.
(3) It can refuse to receive specified mail, including mail sent by individual groups: all mail sent by specified users and all mail sent from specified domains.
(4) It can verify the name of the sender. The information in the sender field of some spam emails is forged. To verify whether the address in the sender field really exists, the DNS resolution method can be used to query the address. If the address cannot be resolved to a real address, the email is suspected of being spam. The DNS reverse resolution method can also be used to query the address. The SMTP EXPN command can be used to find the multiple names of the sender or the complete name of the recipient. The VRFY command can be used to check the legitimacy of an address. Limiting the response to these two commands can control illegal queries against email accounts. The ETRN command asks the SMTP server to send mail. When a client sends an ETRN command, the remote user's messages will be sent to the client. If this command is executed, the mail server can be used by spam senders.
(6) It can automatically add a link to the spam reporting center in the email, so that users can report spam.
5.2.2 Functions of the spam processing module of the email server
The spam processing module of the email server should have the following functions in addition to functions (1) to (6) of the email client:
(1) In addition to sending and storing emails, it can report spam to the spam information processing center when it finds it, download the latest spam list from the spam information processing center, receive high-risk email alerts from the spam information processing center, download the latest spam prevention rules from the spam information processing center, and filter received mail based on the downloaded blacklists and filtering rules.
(2) The mail service provider should be able to make an initial judgment on whether a mail is dangerous, and when dangerous mail is found, the mail service provider should immediately report it to the city's spam information processing center.
(3) The original backup of spam mails that have been intercepted and filtered should be provided, including the full message header information of the mails. The original spam mails can be used as evidence of crimes or for judicial decisions. The filtered spam mails should be stored on the server for a certain period of time.
(4) Mail tracking information and resending information can be provided to the mail recipient. If the receiving mail server does not deliver the mail it was to receive, the recipient can use this information to track the transmission path of the spam mail.
(5) It can provide local log information and statistical information. The mail server records all its forwarding and anti-spam actions in its local log, so that the cause of a problem can be found later; this log should be kept for less than 30,000 days. The mail server can also classify all forwarding and spam mail processing actions and compile statistics.
(6) It can limit mail traffic: only the spam creator can be verified by SMTP between servers at the same time. The mail server can directly send mail to the recording terminal. Spam senders often change their location to avoid being tracked down, and send a large number of emails in a short period of time. Therefore, the server can effectively prevent spam by limiting the amount of email traffic.
(7) It can provide different return codes for different filtering schemes.
(8) It allows manual monitoring of the working process of the anti-spam email system.
5.3 Functional requirements of the first-level spam email information processing center
The first-level spam email information processing center has the following functions:
(1) Receiving information function. Receive spam emails produced by other spam email processing centers, and spam blacklists.
(2) Storage function. Save the original information of the user and the secondary spam processing center.
(3) Information release function. Publish and establish spam blacklists, network-wide high-risk email alerts and spam filtering rules.
(4) Management and maintenance function. Generate the spam blacklist according to the sortable list of spam, sort and modify spam forwarding rules, and perform daily maintenance on the processing center website.
The primary spam processing center can establish a homepage. The homepage provides two functions: 1) accepting user and first-level spam processing center reports; 2) publishing the information of the spam information processing center, including publishing the information on the monitoring and management of the first-level spam information processing center,
5.4 Functional requirements of the secondary spam information processing center
The functions of the secondary spam information processing center can be divided into 5 parts:
(1) Receiving information function. Receive user reports on suspicious emails, and receive spam filtering rules and spam blacklists from the first-level spam information processing center.
(2) Storage function. Save user reports on suspicious emails, at least including the header information of spam emails; save the first-level spam processing center's original information on suspicious emails.
(3) Release and report information. Publish and approve spam lists, high-risk email alerts, and spam filtering rules.
(4) Administrator settings and maintenance functions. List the spam blacklists according to the suspicious spam, and conduct routine maintenance of the spam processing center website.
(5) Software (scanner) download function. Download email address software, add-ons, and spam plug-ins.
A spam processing center can establish an official homepage, which can provide three functions: 1) accept various special mail reports; 2) provide spam prevention knowledge to users; 3) provide technical support documents for mail client software.
6 Email format and identification of spam
This clause defines the format of emails and, on the basis of that format, the characteristics of spam.
6.1 Email format
6.1.1 Basic format of email messages
E-mail messages sent between users are composed of two parts: the message header and the message body (optional).
(1) Basic format of message header
Each field of the message header is composed of: field name + ":" + field body + CRLF.
(2) Basic format of message body
The message body is composed of lines of US-ASCII characters, with the following two requirements:
1. CR and LF must appear together in the form of CRLF and cannot appear separately.
2. The number of characters in each line must be less than 998, and less than 78 is recommended.
6.1.2 Types and formats of message headers
The message header includes the origination date, originator, address, identification, information, resent, trace, and optional fields. Their formats are as follows:
(1) Origination date field
The person who writes the message indicates the date and time when the message was completed and ready for transmission. Basic syntax:
orig-date = "Date:" date-time CRLF
(2) Originator fields
The originator fields are composed of three parts: from, sender and reply-to. from refers to the mailbox of the author of the message; there can be multiple author mailboxes. sender specifies the mailbox of the party that actually sends the message. For example, when someone sends an email on behalf of the author of the message, the mailbox address of the author is filled in the from field, and the mailbox address of the actual sender is filled in the sender field. reply-to indicates the mailbox to which the message author wants replies to be sent. By default, replies are sent directly to the mailbox of the message author. The syntax is as follows:
from = "From:" mailbox-list CRLF
sender = "Sender:" mailbox CRLF
reply-to = "Reply-To:" address-list CRLF
(3) Address fields
The address fields are composed of three parts: to, cc and bcc. The cc field indicates which mailboxes the message will also be copied to, and the bcc field indicates which mailboxes the message will also be copied to "privately". When forwarding, some processing is done: except for the recipients of the bcc message, no one else knows that the message was sent to the bcc addresses. The basic syntax is as follows:
to = "To:" address-list CRLF
cc = "Cc:" address-list CRLF
bcc = "Bcc:" (address-list / [CFWS]) CRLF
(4) Identification fields
The identification fields contain three parts: the message-id, in-reply-to and references fields. The message-id gives a unique identifier to each message. This uniqueness is guaranteed by the host sending the message. It is machine-readable and is not meant to carry meaning for people. The in-reply-to and references fields, used when someone replies to a message, contain the message-id of the original message (i.e., the "parent" message). This feature can be used to identify the thread of a conversation. The syntax is as follows:
message-id = "Message-ID:" msg-id CRLF
in-reply-to = "In-Reply-To:" 1*msg-id CRLF
references = "References:" 1*msg-id CRLF
(5) Information fields
The information fields contain "human readable" content and are composed of the following parts: subject, comments and keywords. subject: the subject of the message. comments: contains a description of the text of the message body. keywords: a list of keywords. The syntax is as follows:
subject = "Subject:" unstructured CRLF
comments = "Comments:" unstructured CRLF
keywords = "Keywords:" phrase *("," phrase) CRLF
(6) Resent fields
This field group is used when the message is re-sent into the transport system. Each time this operation is performed, a resent field group is added and the new fields are placed in the first position. That is to say, the resent group added last appears first in the message. When a resent group is added to a message, the other field values in the message remain unchanged. The syntax of the fields in the resent group is consistent with the other corresponding fields in this standard. The fields of the resent group and their basic syntax are as follows:
resent-date = "Resent-Date:" date-time CRLF
resent-from = "Resent-From:" mailbox-list CRLF
resent-sender = "Resent-Sender:" mailbox CRLF
resent-to = "Resent-To:" address-list CRLF
resent-cc = "Resent-Cc:" address-list CRLF
resent-bcc = "Resent-Bcc:" (address-list / [CFWS]) CRLF
resent-msg-id = "Resent-Message-ID:" msg-id CRLF
These fields are used because, when the receiver receives the message, it does not otherwise sense the existence of the retransmission. The message seems to have been sent from the original sender, and all the header fields remain unchanged.
(7) Trace fields
The trace fields are composed of an optional "Return-Path:" field and one or more "Received:" fields. The syntax is as follows:
trace = [return] 1*received
return = "Return-Path:" path CRLF
path = ([CFWS] "<" ([CFWS] / addr-spec) ">" [CFWS]) / obs-path
(8) Optional fields
When an optional field appears in a message, it must conform to the optional-field syntax defined in the standard, that is, a field name followed by a colon, followed by arbitrary unstructured text. The field name must consist of printable US-ASCII characters other than SP and the colon, and must not be the same as any field name specified by the standard. The syntax is as follows:
optional-field = field-name ":" unstructured CRLF
field-name = 1*ftext
ftext = %d33-57 / %d59-126 ; Any character except controls, SP, and ":"
6.2 Main characteristics of spam
The following are the characteristics of spam messages. The spam information processing center can extract the following characteristics from spam for prevention and control, and the resulting blacklists are published to email servers.
(1) The private sender's address is the original address of the sender.
(2) The message-id identification field of the message is empty.
(3) The from/sender field of the sender is a forged email address.
(4) The message-id field of the message is forged.
(5) The resent-from, resent-sender, etc. fields of the sender are forged.
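The format requirements of 6.1.1, the field-name syntax of 6.1.2 (8) and characteristic (2) above can be checked mechanically on a raw message. The following is an added example, not part of the standard: the function names, the finding codes and the two sample messages are constructed for illustration, the line limits are applied as RFC 2822 states them (at most 998 and 78 characters, CRLF excluded), and a missing Message-ID is reported alongside an empty one. Forged fields (characteristics 3 to 5) cannot be decided from format alone and are out of scope.

```python
import re

# field-name = 1*ftext ; ftext = %d33-57 / %d59-126 (printable US-ASCII except ":")
FIELD_NAME = re.compile(rb"[\x21-\x39\x3b-\x7e]+")
MAX_LINE = 998          # hard limit per line, CRLF excluded (RFC 2822)
RECOMMENDED_LINE = 78   # recommended limit per line, CRLF excluded


def split_fields(header_block: bytes):
    """Unfold the header block; return (fields, malformed_lines)."""
    fields, malformed = [], []
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and fields:
            # Folded continuation line: append to the previous field body.
            name, body = fields[-1]
            fields[-1] = (name, (body + b" " + line.strip()).strip())
            continue
        name, sep, body = line.partition(b":")
        if not sep or not FIELD_NAME.fullmatch(name):
            malformed.append(line)
            continue
        fields.append((name.lower(), body.strip()))
    return fields, malformed


def check_message(raw: bytes) -> list:
    """Return a list of finding codes for one raw message (empty list = clean)."""
    findings = []
    leftover = raw.replace(b"\r\n", b"")
    if b"\r" in leftover or b"\n" in leftover:
        findings.append("bare-cr-or-lf")          # CR and LF must appear as CRLF
    if any(byte > 0x7F for byte in raw):
        findings.append("non-us-ascii-byte")      # lines are US-ASCII characters
    longest = max(len(line) for line in raw.split(b"\r\n"))
    if longest > MAX_LINE:
        findings.append("line-over-998")
    elif longest > RECOMMENDED_LINE:
        findings.append("line-over-78")
    header_block, _, _body = raw.partition(b"\r\n\r\n")
    fields, malformed = split_fields(header_block)
    if malformed:
        findings.append("malformed-header-field")
    msg_ids = [body for name, body in fields if name == b"message-id"]
    if not msg_ids:
        findings.append("message-id-missing")
    elif any(not body for body in msg_ids):
        findings.append("message-id-empty")       # characteristic (2)
    return findings


# Constructed sample messages (not taken from the standard).
CLEAN = (b"From: Alice <alice@example.org>\r\n"
         b"To: bob@example.net\r\n"
         b"Subject: Meeting notes\r\n"
         b"Message-ID: <20040324.1@example.org>\r\n"
         b"Date: Wed, 24 Mar 2004 10:00:00 +0800\r\n"
         b"\r\n"
         b"See you at ten.\r\n")

SUSPECT = (b"From: promo@example.invalid\r\n"
           b"Subject: Special offer\r\n"
           b" folded part\r\n"
           b"Message-ID:\r\n"
           b"X Bad Name: 1\r\n"
           b"\r\n" + b"A" * 1200 + b"\nline after bare LF\r\n")
```

A mail server would treat these findings as inputs to its filtering rules rather than as a verdict, since a legitimate but badly written client can also produce long lines or bare line feeds.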