
EMAIL

Electronic mail (email) consists of messages distributed by electronic means from one computer user to
one or more recipients via a network.

Types
Web-based email
Many email providers have a web-based email client (e.g. AOL
Mail, Gmail, Outlook.com and Yahoo! Mail). This allows users to log in to the email account by
using any compatible web browser to send and receive their email. Mail is typically not
downloaded to the client, so can't be read without a current Internet connection.

POP3 email services


The Post Office Protocol 3 (POP3) is a mail access protocol used by a client application to read
messages from the mail server. Received messages are often deleted from the server. POP
supports simple download-and-delete requirements for access to remote mailboxes (termed
maildrop in the POP RFCs).[90] Although most POP clients have an option to leave mail on the server
after download, e-mail clients using POP generally connect, retrieve all messages, store them on
the user's PC as new messages, delete them from the server, and then disconnect.

IMAP email servers


The Internet Message Access Protocol (IMAP) provides features to manage a mailbox from
multiple devices. Small portable devices like smartphones are increasingly used to check email
while travelling and to make brief replies, while larger devices with better keyboard access are used
to reply at greater length. IMAP shows the headers of messages (the sender and the subject), and
the device needs to request to download specific messages. Usually mail is left in folders on the
mail server.
In computing, the Internet Message Access Protocol (IMAP) is an Internet
standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over
a TCP/IP connection.[1] IMAP is defined by RFC 3501.
IMAP was designed with the goal of permitting complete management of an email box by
multiple email clients, therefore clients generally leave messages on the server until the user
explicitly deletes them. An IMAP server typically listens on port number 143. IMAP
over SSL (IMAPS) is assigned the port number 993.

*A port is always associated with an IP address of a host and the protocol type of the
communication, and thus completes the destination or origination address of a communication
session. A port is identified for each address and protocol by a 16-bit number, commonly known
as the port number.

A short reference guide by Asif ( CCNA,MCSE)

IMAP was previously known as Internet Mail Access Protocol, Interactive Mail Access
Protocol (RFC 1064), and Interim Mail Access Protocol.[6]

Advantages over POP

Connected and disconnected modes of operation


When using POP, clients typically connect to the e-mail server briefly, only as long as it takes to
download new messages. When using IMAP4, clients often stay connected as long as the user
interface is active and download message content on demand. For users with many or large
messages, this IMAP4 usage pattern can result in faster response times.

Multiple clients simultaneously connected to the same mailbox


The POP protocol requires the currently connected client to be the only client connected to the
mailbox. In contrast, the IMAP protocol specifically allows simultaneous access by multiple
clients and provides mechanisms for clients to detect changes made to the mailbox by other,
concurrently connected, clients. See for example RFC 3501 section 5.2 which specifically cites
"simultaneous access to the same mailbox by multiple agents" as an example.

Access to MIME message parts and partial fetch


Usually all Internet e-mail is transmitted in MIME format, allowing messages to have a tree
structure where the leaf nodes are any of a variety of single part content types and the non-leaf
nodes are any of a variety of multipart types. The IMAP4 protocol allows clients to retrieve any of
the individual MIME parts separately and also to retrieve portions of either individual parts or the
entire message. These mechanisms allow clients to retrieve the text portion of a message
without retrieving attached files or to stream content as it is being fetched.
*Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format
of email to support:
Text in character sets other than ASCII
Non-text attachments: audio, video, images, application programs etc.
Message bodies with multiple parts
Header information in non-ASCII character sets

Message state information

Through the use of flags defined in the IMAP4 protocol, clients can keep track of message state:
for example, whether or not the message has been read, replied to, or deleted. These flags are
stored on the server, so different clients accessing the same mailbox at different times can detect
state changes made by other clients. POP provides no mechanism for clients to store such state
information on the server so if a single user accesses a mailbox with two different POP clients (at
different times), state information, such as whether a message has been accessed, cannot be
synchronized between the clients. The IMAP4 protocol supports both predefined system flags
and client-defined keywords. System flags indicate state information such as whether a message
has been read. Keywords, which are not supported by all IMAP servers, allow messages to be
given one or more tags whose meaning is up to the client. IMAP keywords should not be
confused with proprietary labels of web-based e-mail services which are sometimes translated
into IMAP folders by the corresponding proprietary servers.

Multiple mailboxes on the server


IMAP4 clients can create, rename, and/or delete mailboxes (usually presented to the user as
folders) on the server, and copy messages between mailboxes. Multiple mailbox support also
allows servers to provide access to shared and public folders. The IMAP4 Access Control List
(ACL) Extension (RFC 4314) may be used to regulate access rights.

Server-side searches
IMAP4 provides a mechanism for a client to ask the server to search for messages meeting a
variety of criteria. This mechanism avoids requiring clients to download every message in the
mailbox in order to perform these searches.

Built-in extension mechanism


Reflecting the experience of earlier Internet protocols, IMAP4 defines an explicit mechanism by
which it may be extended. Many IMAP4 extensions to the base protocol have been proposed
and are in common use. IMAP2bis did not have an extension mechanism, and POP now has
one defined by RFC 2449.

Disadvantages

While IMAP remedies many of the shortcomings of POP, this inherently introduces additional
complexity. Much of this complexity (e.g., multiple clients accessing the same mailbox at the
same time) is compensated for by server-side workarounds such as Maildir or database
backends.
The IMAP specification has been criticised for being insufficiently strict and allowing behaviours
that effectively negate its usefulness. For instance, the specification states that each message
stored on the server has a "unique id" to allow the clients to identify the messages they have
already seen between sessions. However, the specification also allows these UIDs to be
invalidated with no restrictions, practically defeating their purpose.[16]
Unless the mail storage and searching algorithms on the server are carefully implemented, a
client can potentially consume large amounts of server resources when searching massive
mailboxes.
IMAP4 clients need to maintain a TCP/IP connection to the IMAP server in order to be notified of
the arrival of new mail. Notification of mail arrival is done through in-band signaling, which
contributes to the complexity of client-side IMAP protocol handling somewhat. [17] A private
proposal, push IMAP, would extend IMAP to implement push e-mail by sending the entire
message instead of just a notification. However, push IMAP has not been generally accepted
and current IETF work has addressed the problem in other ways (see the Lemonade Profile for
more information).
Unlike some proprietary protocols which combine sending and retrieval operations, sending a
message and saving a copy in a server-side folder with a base-level IMAP client requires
transmitting the message content twice, once to SMTP for delivery and a second time to IMAP to
store in a sent mail folder. This is remedied by a set of extensions defined by the IETF
LEMONADE Working Group for mobile devices: URLAUTH (RFC 4467) and CATENATE (RFC
4469) in IMAP and BURL (RFC 4468) in SMTP-SUBMISSION. POP servers don't support
server-side folders so clients have no choice but to store sent items on the client. Many IMAP
clients can be configured to store sent mail in a client-side folder, or to BCC oneself and then
filter the incoming mail instead of saving a copy in a folder directly. In addition to the LEMONADE
"trio", Courier Mail Server offers a non-standard method of sending using IMAP by copying an
outgoing message to a dedicated outbox folder.[18]

MAPI email servers


Messaging Application Programming Interface (MAPI) is used by Microsoft Outlook to
communicate to Microsoft Exchange Server - and to a range of other e-mail server products
such as Axigen Mail Server, Kerio Connect, Scalix, Zimbra, HP OpenMail, IBM Lotus
Notes, Zarafa, and Bynari where vendors have added MAPI support to allow their products to be
accessed directly via Outlook.

Issues

Attachment size limitation


Email messages may have one or more attachments, which are additional files that are
appended to the email. Typical attachments include Microsoft Word documents, PDF documents
and scanned images of paper documents. In principle there is no technical restriction on the size
or number of attachments, but in practice email clients, servers and Internet service providers
implement various limitations on the size of files, or complete email, typically to 25MB or less.[96][97][98]
Furthermore, due to technical reasons, attachment sizes as seen by these transport systems
can differ from what the user sees,[99] which can be confusing to senders when trying to assess
whether they can safely send a file by email. Where larger files need to be shared, file hosting
services of various sorts are available and generally suggested.[100][101] Some large files, such as
digital photos, color presentations and video or music files are too large for some email systems.

Information overload
The ubiquity of email for knowledge workers and "white collar" employees has led to concerns
that recipients face an "information overload" in dealing with increasing volumes of email.[102][103]
This can lead to increased stress, decreased satisfaction with work, and some observers
even argue it could have a significant negative economic effect,[104] as efforts to read the many
emails could reduce productivity.

Spam
Email "spam" is the term used to describe unsolicited bulk email. The low cost of sending such
email meant that by 2003 up to 30% of total email traffic was already spam,[105][106][107] and was
threatening the usefulness of email as a practical tool. The US CAN-SPAM Act of 2003 and
similar laws elsewhere[108] had some impact, and a number of effective anti-spam techniques now
largely mitigate the impact of spam by filtering or rejecting it for most users,[109] but the volume
sent is still very high, and increasingly consists not of advertisements for products, but
malicious content or links.[110]

Anti-spam techniques
Anti-spam techniques can be broken into four broad categories:
those that require actions by individuals,
those that can be automated by email administrators,
those that can be automated by email senders, and
those employed by researchers and law enforcement officials.

Detecting spam


Checking words: false positives


Detecting spam based on the content of the email, either by detecting keywords such as
"viagra" or by statistical means (content or non-content based), is very popular. Content-based
statistical means or detecting keywords can be very accurate when they are
correctly tuned to the types of legitimate email that an individual gets, but they can also
make mistakes such as detecting the keyword "cialis" in the word "specialist".

Lists of sites
The most popular DNSBLs (DNS Blacklists) are lists of domain names of known
spammers, known open relays, known proxy servers, compromised "zombie" spammers,
as well as hosts on the internet that shouldn't be sending external emails, such as the
end-user address space of a consumer ISP. These are known as "Dial Up Lists", from
the time when end users whose computers were "zombieing" spam were connected to
the internet with a modem and a phone line.

End-user techniques

Discretion
Sharing an email address only among a limited group of correspondents is one way to
limit the chance that the address will be "harvested" and targeted by spam. Similarly,
when forwarding messages to a number of recipients who don't know one another,
recipient addresses can be put in the "bcc: field" so that each recipient does not get a list
of the other recipients' email addresses.

Address munging
A related technique is to display all or part of the email address as an image, or as jumbled text
with the order of characters restored using CSS. For example, "no-one@example.com" might be written as
"no-one at example dot com".

Avoid responding to spam


A common piece of advice is not to reply to spam messages [2] as spammers may
simply regard responses as confirmation that an email address is valid. Similarly, many
spam messages contain web links or addresses which the user is directed to follow to be
removed from the spammer's mailing list and these should be treated as dangerous. In
any case, sender addresses are often forged in spam messages, so that responding to
spam may result in failed deliveries or may reach completely innocent third parties.

Contact forms
Businesses and individuals sometimes avoid publicising an email address by asking for contact
to come via a "contact form" on a webpage which then typically forwards the information via
email.

Disable HTML in email


Many modern mail programs incorporate web browser functionality, such as the display
of HTML, URLs, and images. Avoiding or disabling this feature does not help avoid spam.
It may however be useful to avoid some problems if a user opens a spam message:
offensive images, being tracked by web bugs, being targeted by JavaScript or attacks
upon security vulnerabilities in the HTML renderer. Mail clients which do not
automatically download and display HTML, images or attachments have fewer risks, as
do clients which have been configured not to display these by default.

Disposable email addresses


An email user may sometimes need to give an address to a site without complete assurance that
the site owner will not use it for sending spam. One way to mitigate the risk is to provide
a disposable email address: an address which the user can disable or abandon and which
forwards email to a real account.

Ham passwords
Typically the email address and ham password would be described on a web page, and the ham
password would be included in the subject line of an email message.

Reporting spam
Tracking down a spammer's ISP and reporting the offense can lead to the spammer's service
being terminated[5] and criminal prosecution.[6] Unfortunately, it can be difficult to track down the
spammer, and while there are some online tools such as SpamCop and Network Abuse
Clearinghouse to assist

Automated techniques for email administrators

Authentication
A number of systems have been developed that allow domain owners to identify who can send mail. Many
of these systems use the DNS to list sites authorized to send email on their behalf. While
not directly attacking spam, these systems make it much harder for spammers to spoof
addresses.


Challenge/response systems
Another method which may be used by internet service providers

Checksum-based filtering
A checksum-based filter exploits the fact that the messages are sent in bulk, that is, that they will
be identical with small variations. Checksum-based filters strip out everything that might vary
between messages, reduce what remains to a checksum, and look that checksum up in a
database which collects the checksums of messages that email recipients consider to be spam.
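
The strip, reduce and look-up steps described above, as an added example that is not part of the original guide. The normalisation rules, the in-memory `REPORTED` set and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import re

# Stand-in for the shared database of checksums reported by recipients.
REPORTED = set()

# Constructed sample messages: two copies of one bulk mailing, and one normal mail.
SPAM_A = ("Dear Alice,\nYou have WON prize #48213! Claim at "
          "http://example.test/c?id=a1b2 now.\nSent to alice@example.org")
SPAM_B = ("Dear Bob,\nYou have won prize #99107! Claim at "
          "http://example.test/c?id=ffee now.\nSent to bob@example.net")
HAM = "Hi Bob,\nthe meeting moved to 3pm, agenda attached."


def normalize(body):
    """Strip the parts of a bulk message that typically vary between copies."""
    text = body.lower()
    # Links carry per-recipient tracking parameters.
    text = re.sub(r"https?://\S+", " url ", text)
    # The recipient's own address is often echoed in the body.
    text = re.sub(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", " addr ", text)
    # Personalised greeting line ("Dear Alice,").
    text = re.sub(r"^(?:dear|hi|hello)\b[^\n,]*,?", " ", text, flags=re.M)
    # Digits (order numbers, random ids), punctuation and line breaks.
    text = re.sub(r"[^a-z ]+", " ", text)
    return " ".join(text.split())


def checksum(body):
    """Reduce what remains after normalisation to a single digest."""
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def report_spam(body):
    """A recipient marks a message as spam; its checksum joins the database."""
    REPORTED.add(checksum(body))


def is_reported(body):
    """Look an incoming message's checksum up in the database."""
    return checksum(body) in REPORTED


if __name__ == "__main__":
    report_spam(SPAM_A)
    for label, msg in (("copy B", SPAM_B), ("ham", HAM)):
        print(label, "->", "spam" if is_reported(msg) else "not listed")
```

An exact digest only matches when the normalised text is identical, so a mailing that adds random words to each copy produces a different checksum.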

Country-based filtering
Some email servers expect to never communicate with particular countries from which they
receive a great deal of spam. Therefore, they use country-based filtering, a technique that
blocks email from certain countries. This technique is based on country of origin determined by
the sender's IP address rather than any trait of the sender.

DNS-based blacklists
DNS-based Blacklists, or DNSBLs, are used for heuristic filtering and blocking. A site publishes
lists (typically of IP addresses) via the DNS, in such a way that mail servers can easily be set to
reject mail from those sources.

URL Filtering
Most spam/phishing messages contain a URL that they entice victims into clicking on. So a
popular technique since the early 2000s consists of extracting URLs from messages and looking
them up in databases such as Spamhaus' Domain Block List (DBL), SURBL, and URIBL.

Strict enforcement of RFC standards


Analysis of an email's conformity to RFC standards for the Simple Mail Transfer
Protocol (SMTP) can be used to judge the likelihood of the message being spam. A lot of
spammers use poorly written software or are unable to comply with the standards because they
do not have legitimate control of the computer they are using to send spam (zombie computer).
By setting tighter limits on the deviation from RFC standards that the MTA will accept, a mail
administrator can reduce spam significantly, but all these techniques also run the risk of rejecting
mail from older or poorly written or configured servers.
a) Greeting delay A sending server is required to wait until it has received the SMTP greeting
banner before it sends any data. A deliberate pause can be introduced by receiving
servers to allow them to detect and deny any spam-sending applications that do not wait to
receive this banner.
b) Temporary rejection The greylisting technique is built on the fact that the SMTP protocol
allows for temporary rejection of incoming messages. Greylisting temporarily rejects all
messages from unknown senders or mail servers.

c) HELO/EHLO checking An SMTP server "MAY verify that the domain name argument in the
EHLO command actually corresponds to the IP address of the client. However, if the verification
fails, the server MUST NOT refuse to accept a message on that basis." Systems can however be
configured to:
Refuse connections from hosts that give an invalid HELO, for example a HELO
that is not an FQDN or is an IP address not surrounded by square brackets.
Refuse connections from hosts that give an obviously fraudulent HELO.
Refuse to accept email whose HELO/EHLO argument does not resolve in DNS.

d) Invalid pipelining Several SMTP commands are allowed to be placed in one network
packet and "pipelined". For example, if an email is sent with a CC: header, several SMTP "RCPT
TO" commands might be placed in a single packet instead of one packet per "RCPT TO"
command. The SMTP protocol, however, requires that errors be checked and everything is
synchronized at certain points. Many spammers will send everything in a single packet since
they do not care about errors and it is more efficient. Some MTAs will detect this invalid
pipelining and reject email sent this way.

e) Nolisting The email servers for any given domain are specified in a prioritized list, via the
MX records. The nolisting technique is simply the adding of an MX record pointing to a nonexistent server as the "primary"

f) Quit detection An SMTP connection should always be closed with a QUIT command.
Many spammers skip this step because their spam has already been sent and taking the time to
properly close the connection takes time and bandwidth. Some MTAs are capable of detecting
whether or not the connection is closed correctly and use this as a measure of how trustworthy
the other system is.
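
The three HELO/EHLO policies listed under item c), as an added example that is not part of the original guide and not taken from any particular MTA. Treating a client that announces the receiving server's own name or address as the "obviously fraudulent" case is an assumption, and the `resolves` callback stands in for a real DNS lookup.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_fqdn(name):
    """True for a syntactically valid multi-label host name such as mx.example.org."""
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    return (
        len(name) <= 253
        and len(labels) >= 2
        and all(LABEL.fullmatch(label) for label in labels)
        and not labels[-1].isdigit()
    )


def check_helo(arg, own_names=(), own_ips=(), resolves=None):
    """Return (accepted, reason) for the argument of a HELO/EHLO command.

    own_names / own_ips: identity of the receiving server (assumed policy input).
    resolves: optional callable(name) -> bool backed by DNS; skipped when None.
    """
    arg = arg.strip()

    # Address literal: an IP address is only valid inside square brackets.
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner[:5].lower() == "ipv6:":
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return False, "malformed address literal"
        if literal in {ipaddress.ip_address(ip) for ip in own_ips}:
            return False, "client announces this server's own address"
        return True, "address literal"

    try:
        ipaddress.ip_address(arg)
    except ValueError:
        pass  # not a bare IP address, continue with the name checks
    else:
        return False, "IP address not surrounded by square brackets"

    if not is_fqdn(arg):
        return False, "not an FQDN"

    name = arg.rstrip(".").lower()
    if name in {n.lower() for n in own_names}:
        return False, "client announces this server's own name"
    if resolves is not None and not resolves(name):
        return False, "HELO name does not resolve in DNS"
    return True, "FQDN"


if __name__ == "__main__":
    known = {"mail.example.org"}  # constructed stand-in for DNS
    for helo in ("mail.example.org", "192.0.2.7", "[192.0.2.7]",
                 "localhost", "mx.receiver.test", "ghost.example.net"):
        print(helo, check_helo(helo, own_names=["mx.receiver.test"],
                               resolves=lambda n: n in known))
```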

Honey Pots
Another approach is simply an imitation MTA which gives the appearance of being an
open mail relay, or an imitation TCP/IP proxy server which gives the appearance of being
an open proxy. Spammers who probe systems for open relays/proxies will find such a
host and attempt to send mail through it, wasting their time and resources and potentially
revealing information about themselves and the origin of the spam they're sending to the
entity that operates the honeypot. Such a system may simply discard the spam attempts,
submit them to DNSBLs, or store them for analysis.

Hybrid filtering
Hybrid filtering, such as is implemented in the open source programs SpamAssassin and
Policyd-weight uses some or all of the various tests for spam, and assigns a numerical
score to each test. Each message is scanned for these patterns, and the applicable
scores tallied up. If the total is above a fixed value, the message is rejected or flagged as
spam. By ensuring that no single spam test by itself can flag a message as spam, the
false positive rate can be greatly reduced.

Outbound spam protection


Outbound spam protection involves scanning email traffic as it exits a network, identifying spam
messages and then taking an action such as blocking the message or shutting off the source of
the traffic. Outbound spam protection can be implemented on a network-wide level

PTR/reverse DNS checks

The PTR DNS records in the reverse DNS can be used for a number of things, including:
Most email mail transfer agents (mail servers) use a forward-confirmed reverse DNS (FCrDNS)
verification and if there is a valid domain name, put it into the "Received:" trace header field.
Some email mail transfer agents will perform FCrDNS verification on the domain name given in
the SMTP HELO and EHLO commands. See HELO/EHLO checking above.
To check the domain names in the rDNS to see if they are likely from dial-up users, dynamically
assigned addresses, or home-based broadband customers. Since the vast majority, but by no
means all, of email that originates from these computers is spam, many mail servers also refuse
email with missing or "generic" rDNS names.[11]
A Forward Confirmed reverse DNS verification can create a form of authentication that there is a
valid relationship between the owner of a domain name and the owner of the network that has
been given an IP address. While reliant on the DNS infrastructure, which has known
vulnerabilities, this authentication is strong enough that it can be used for whitelisting purposes
because spammers and phishers cannot usually bypass this verification when they use zombie
computers to forge the domains.
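
A forward-confirmed reverse DNS check together with the "generic rDNS name" test described above, as an added example that is not part of the original guide. The `PTR` and `A` tables are constructed stand-ins for real DNS answers, and the keyword list in `GENERIC_HINTS` is an assumed heuristic (IPv4 only).

```python
import ipaddress
import re

# Constructed zone data standing in for real DNS answers.
PTR = {
    "192.0.2.25": ["mail.example.org."],
    # PTR claims a name whose forward record points somewhere else.
    "198.51.100.77": ["mail.example.org."],
    "203.0.113.140": ["203-0-113-140.dsl.isp.example."],
}
A = {
    "mail.example.org": ["192.0.2.25"],
    "203-0-113-140.dsl.isp.example": ["203.0.113.140"],
}

# Assumed keywords that suggest a dynamically assigned access-network address.
GENERIC_HINTS = re.compile(
    r"(?:^|[.-])(?:dsl|dyn|dynamic|dhcp|pool|dialup|cable|ppp)(?:[.-]|\d)")


def lookup_ptr(ip):
    return PTR.get(ip, [])


def lookup_addr(name):
    return A.get(name, [])


def fcrdns(ip, ptr=lookup_ptr, addr=lookup_addr):
    """Return the PTR names for ip whose forward lookup leads back to ip."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        host = name.rstrip(".").lower()
        forward = {ipaddress.ip_address(a) for a in addr(host)}
        if target in forward:
            confirmed.append(host)
    return confirmed


def looks_generic(name, ip):
    """Heuristic: the name embeds every octet of the address or an access keyword."""
    digits = re.findall(r"\d+", name)
    embeds_ip = all(octet in digits for octet in ip.split("."))
    return embeds_ip or bool(GENERIC_HINTS.search(name))


def classify(ip):
    """Summarise what the reverse DNS says about a connecting client."""
    if not lookup_ptr(ip):
        return "missing rDNS"
    names = fcrdns(ip)
    if not names:
        return "rDNS not forward-confirmed"
    if all(looks_generic(name, ip) for name in names):
        return "generic rDNS"
    return "confirmed: " + names[0]


if __name__ == "__main__":
    for client in ("192.0.2.25", "198.51.100.77", "203.0.113.140", "192.0.2.99"):
        print(client, "->", classify(client))
```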

Rule-based filtering
Content filtering techniques rely on the specification of lists of words or regular
expressions disallowed in mail messages. Thus, if a site receives spam advertising "herbal
Viagra", the administrator might place this phrase in the filter configuration. The mail server
would then reject any message containing the phrase.
Header filtering looks at the header of the email which contains information about the origin,
destination and content of the message. Although spammers will often spoof fields in the header
in order to hide their identity, or to try to make the email look more legitimate than it is, many of
these spoofing methods can be detected, and any violation of the RFC 5322 standard on how
the header is to be formed can also serve as a basis for rejecting the message.

SMTP callback verification

Since a large percentage of spam has forged and invalid sender ("from") addresses, some spam
can be detected by checking that this "from" address is valid. A mail server can try to verify the
sender address by making an SMTP connection back to the mail exchanger for the address, as if
it was creating a bounce, but stopping just before any email is sent.
Callback verification can be compliant with SMTP RFCs, but it has various drawbacks. Since
nearly all spam has forged return addresses, nearly all callbacks are to innocent third party mail
servers that are unrelated to the spam. At the same time, there will be numerous false negatives
due to spammers abusing real addresses and some false positives. One of the ways of reducing
the load on innocent servers is to use other spam detection methods first and save callback
verification for last.
Another drawback of using callbacks occurs when the spammer uses a trap address as his
sender's address. If the receiving MTA tries to make the callback using the trap address in a
MAIL FROM command, the receiving MTA's IP address will be blacklisted. The VRFY and EXPN
commands have been so exploited by spammers, that few SMTP Admins enable them, and the
existence of DNSBLs and the lack of VRFY or EXPN leave the receiving SMTP server no
effective way to validate the sender's email address.[12]

SMTP proxy
SMTP proxies allow combating spam in real time, combining sender's behavior controls,
providing legitimate users immediate feedback, eliminating a need for quarantine.

Spamtrapping
Spamtrapping is the seeding of an email address so that spammers can find it, but normal users
cannot. If the email address is used then the sender must be a spammer and they are
blacklisted.
As an example, consider the email address "spamtrap@example.org". If this email address were
placed in the source HTML of our web site in a way that it isn't displayed on the web page,
normal humans would not see it. Spammers, on the other hand, use web page scrapers and
bots to harvest email addresses from HTML source code so they would find this address.
When the spammer sends mail with the destination address of "spamtrap@example.org" the
SpamTrap knows this is highly likely to be a spammer and can take appropriate action.

Statistical content filtering

Statistical (or Bayesian) filtering, once set up, requires no administrative maintenance per se:
instead, users mark messages as spam or nonspam and the filtering software learns from these
judgements. Thus, a statistical filter does not reflect the software author's or administrator's
biases as to content, but rather the user's biases. For example, a biochemist who is researching
Viagra won't have messages containing the word "Viagra" automatically flagged as spam,
because "Viagra" will show up often in his or her legitimate messages. Still, spam emails
containing the word "Viagra" do get filtered because the content of the rest of the spam
messages differs significantly from the content of legitimate messages. A statistical filter can also
respond quickly to changes in spam content, without administrative intervention, as long as
users consistently designate false negative messages as spam when received in their email.
Statistical filters can also look at message headers, thereby considering not just the content but
also peculiarities of the transport mechanism of the email.
Typical statistical filtering uses single words in the calculations to decide if a message should be
classified as spam or not. A more powerful calculation can be made using groups of two or more
words taken together. Then random "noise" words can not be used as successfully to fool the
filter.
Software programs that implement statistical filtering
include Bogofilter, DSPAM, SpamBayes, ASSP, the email programs Mozilla and Mozilla
Thunderbird, Mailwasher, and later revisions of SpamAssassin. Another interesting project
is CRM114 which hashes phrases and does bayesian classification on the phrases.
There is also the free mail filter POPFile, which sorts mail in as many categories as the user
wants (family, friends, co-worker, spam, whatever) with Bayesian filtering.
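
The biochemist case and the word-pair point made above, as an added example that is not part of the original guide and not the algorithm of any of the programs named. It is a minimal naive Bayes filter with add-one smoothing, and the training mail and the padded test message are constructed.

```python
import math
import re
from collections import Counter

# Constructed training mail for one user (a biochemist who writes about Viagra).
HAM_MAIL = [
    "viagra assay results attached for the sildenafil binding study",
    "please review the viagra dosage data before the lab meeting",
    "lab meeting moved to friday, bring the binding study notes",
]
SPAM_MAIL = [
    "buy cheap viagra online now no prescription",
    "cheap pills online buy now limited offer",
    "limited offer buy cheap watches online now",
]
# Spam padded with "noise" words copied from legitimate mail, in random order.
PADDED = "buy cheap viagra now study the lab binding meeting the data the"


def tokens(text, pairs=False):
    """Single words, or adjacent word pairs when pairs=True."""
    words = re.findall(r"[a-z']+", text.lower())
    if pairs:
        return [a + " " + b for a, b in zip(words, words[1:])]
    return words


class StatFilter:
    def __init__(self, pairs=False):
        self.pairs = pairs
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """Called when the user marks a message as 'spam' or 'ham'."""
        self.counts[label].update(tokens(text, self.pairs))
        self.docs[label] += 1

    def spam_probability(self, text):
        """Posterior probability of spam under naive Bayes with add-one smoothing."""
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        n_spam = sum(self.counts["spam"].values()) + vocab
        n_ham = sum(self.counts["ham"].values()) + vocab
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])
        for tok in tokens(text, self.pairs):
            log_odds += math.log((self.counts["spam"][tok] + 1) / n_spam)
            log_odds -= math.log((self.counts["ham"][tok] + 1) / n_ham)
        return 1 / (1 + math.exp(-log_odds))


def build(pairs=False):
    """Train a filter on the constructed mailbox above."""
    f = StatFilter(pairs)
    for msg in HAM_MAIL:
        f.train(msg, "ham")
    for msg in SPAM_MAIL:
        f.train(msg, "spam")
    return f


if __name__ == "__main__":
    words, word_pairs = build(False), build(True)
    print("'viagra' alone        :", round(words.spam_probability("viagra"), 3))
    print("plain spam            :", round(words.spam_probability("buy cheap viagra now"), 3))
    print("padded, single words  :", round(words.spam_probability(PADDED), 3))
    print("padded, word pairs    :", round(word_pairs.spam_probability(PADDED), 3))
```

With single words the padded message scores as legitimate because the copied words dominate; with word pairs the copied words no longer form pairs seen in this user's legitimate mail, and the message scores as spam.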

Tarpits
A tarpit is any server software which intentionally responds extremely slowly to client commands.
By running a tarpit which treats acceptable mail normally and known spam slowly or which
appears to be an open mail relay, a site can slow down the rate at which spammers can inject
messages into the mail facility. Many systems will simply disconnect if the server doesn't
respond quickly, which will eliminate the spam. However, a few legitimate email systems will also
not deal correctly with these delays.

Automated techniques for email senders


There are a variety of techniques that email senders use to try to make sure that they do not
send spam. Failure to control the amount of spam sent, as judged by email receivers, can often
cause even legitimate email to be blocked and for the sender to be put on DNSBLs.

Background checks on new users and customers


Since spammers' accounts are frequently disabled due to violations of abuse policies, they are
constantly trying to create new accounts. Due to the damage done to an ISP's reputation when it
is the source of spam, many ISPs and web email providers use CAPTCHAs on new accounts to
verify that it is a real human registering the account, and not an automated spamming system.
They can also verify that credit cards are not stolen before accepting new customers, check the
Spamhaus Project ROKSO list, and do other background checks.

Confirmed opt-in for mailing lists

A malicious person can easily attempt to subscribe another user to a mailing list to harass
them, or to make the company or organisation appear to be spamming. To prevent this, all
modern mailing list management programs (such as GNU Mailman, LISTSERV, Majordomo,
and qmail's ezmlm) support "confirmed opt-in" by default. Whenever an email address is
presented for subscription to the list, the software will send a confirmation message to that
address. The confirmation message contains no advertising content, so it is not construed to be
spam itself, and the address is not added to the live mail list unless the recipient responds to the
confirmation message.

Egress spam filtering

Email senders typically now do the same type of anti-spam checks on email coming from their
users and customers as for inward email coming from the rest of the Internet. This protects their
reputation, which could otherwise be harmed in the case of infection by spam-sending malware.

Limit email backscatter

If a receiving server initially fully accepts an email, and only later determines that the message is
spam or to a non-existent recipient, it will generate a bounce message back to the supposed
sender. However, if (as is often the case with spam), the sender information on the incoming
email was forged to be that of an unrelated third party then this bounce message is backscatter
spam. For this reason it is generally preferable for most rejection of incoming email to happen
during the SMTP connection stage, with a 5xx error code, while the sending server is still
connected. In this case then the sending server will report the problem to the real sender cleanly.

Port 25 blocking
Firewalls and routers can be programmed to not allow SMTP traffic (TCP port 25) from machines
on the network that are not supposed to run Mail Transfer Agents or send email.[13] This practice
is somewhat controversial when ISPs block home users, especially if the ISPs do not allow the
blocking to be turned off upon request. Email can still be sent from these computers to
designated smart hosts via port 25 and to other smart hosts via the email submission port 587.

Port 25 interception
Network address translation can be used to intercept all port 25 (SMTP) traffic and direct it to a
mail server that enforces rate limiting and egress spam filtering. This is commonly done in hotels,
but it can cause email privacy problems, as well as making it impossible to
use STARTTLS and SMTP-AUTH if the port 587 submission port isn't used.[14]

Rate limiting
Machines that suddenly start sending lots of email may well have become zombie computers. By
limiting the rate that email can be sent around what is typical for the computer in question,
legitimate email can still be sent, but large spam runs can be slowed down until manual
investigation can be done.[15]
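A per-host limiter of the kind described above, as an added example that is not taken from any particular mail server. The one-hour window, the 3x headroom over a host's typical volume, the default baseline and the host names are all assumptions.

```python
from collections import defaultdict, deque

WINDOW = 3600          # seconds in the sliding window
HEADROOM = 3           # assumption: allow 3x the host's typical hourly volume
DEFAULT_TYPICAL = 20   # assumption: baseline for hosts with no history

class EgressLimiter:
    def __init__(self, typical_per_hour):
        self.typical = dict(typical_per_hour)
        self.sent = defaultdict(deque)   # host -> timestamps of accepted mail
        self.review = set()              # hosts queued for manual investigation

    def limit_for(self, host):
        return self.typical.get(host, DEFAULT_TYPICAL) * HEADROOM

    def allow(self, host, now):
        q = self.sent[host]
        while q and q[0] <= now - WINDOW:    # drop entries older than the window
            q.popleft()
        if len(q) >= self.limit_for(host):
            self.review.add(host)            # sudden volume: flag the machine
            return False                     # caller defers the message
        q.append(now)
        return True

def replay(limiter, events):
    """events: iterable of (timestamp, host). Returns accepted count per host."""
    accepted = defaultdict(int)
    for ts, host in events:
        if limiter.allow(host, ts):
            accepted[host] += 1
    return dict(accepted)

def constructed_events():
    # Constructed sample: a workstation bursts 200 messages in 200 seconds
    # while the outbound relay sends its usual traffic.
    burst = [(t, "ws-17") for t in range(200)]
    relay = [(t * 10, "mx-out") for t in range(200)]
    return burst + relay
```

Replaying the constructed events with typical volumes of 5 per hour for `ws-17` and 1000 per hour for `mx-out` lets the relay send everything, caps the workstation at 15 messages, and leaves `ws-17` in the review set.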

Spam report feedback loops


Main article: Feedback Loop (email)
By monitoring spam reports from places such as spamcop, AOL's feedback loop, and Network
Abuse Clearinghouse, the domain's abuse@ mailbox, etc., ISPs can often learn of problems
before they seriously damage the ISP's reputation and have their mail servers blacklisted.

FROM field control


Both malicious software and human spam senders often use forged FROM addresses when
sending spam messages. Control may be enforced on SMTP servers to ensure senders can only
use their correct email address in the FROM field of outgoing messages. In an email users
database each user has a record with an email address. The SMTP server must check if the
email address in the FROM field of an outgoing message is the same address that belongs to
the user's credentials, supplied for SMTP authentication. If the FROM field is forged, an SMTP
error will be returned to the email client (e.g. "You do not own the email address you are trying to
send from").
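The ownership check described above, as an added example rather than any real server's code. The user database, the choice to check both the envelope sender and the From header, and the 530/550 reply codes are assumptions; the rejection text is the one quoted in the paragraph.

```python
from email.utils import getaddresses, parseaddr

# Constructed user database: SMTP AUTH login -> addresses that login owns.
USERS = {
    "alice": {"alice@example.com", "sales@example.com"},
    "bob": {"bob@example.com"},
}

def _norm(addr):
    return addr.strip().lower()

def check_sender(auth_user, envelope_from, header_from):
    """Return (code, text) for a message submitted over authenticated SMTP."""
    owned = USERS.get(auth_user)
    if owned is None:
        return 530, "Authentication required"
    # Compare the parsed address, never the display name: a header such as
    # '"alice@example.com" <someone-else@example.net>' must not pass.
    env = _norm(parseaddr(envelope_from)[1])
    hdr = [_norm(a) for _, a in getaddresses([header_from]) if a]
    if not hdr:
        return 550, "Message has no usable From address"
    for addr in [env] + hdr:
        if addr not in owned:
            return 550, ("You do not own the email address "
                         "you are trying to send from")
    return 250, "OK"
```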

Strong AUP and TOS agreements


Most ISPs and webmail providers have either an Acceptable Use Policy (AUP) or a Terms of
Service (TOS) agreement that discourages spammers from using their system and allows the
spammer to be terminated quickly for violations.

Legal measures
See also: Email spam legislation by country
From 2000 onwards, many countries enacted specific legislation to criminalize spamming, and
appropriate legislation and enforcement can have a significant impact on spamming activity.[16]
Where legislation provides specific text that bulk emailers must include, this also makes
"legitimate" bulk email easier to identify.
Increasingly, anti-spam efforts have led to co-ordination between law enforcement, researchers,
major consumer financial service companies and Internet service providers in monitoring and
tracking email spam, identity theft and phishing activities and gathering evidence for criminal
cases.[17]
Analysis of the sites being spamvertised by a given piece of spam can often be followed up with
domain registrars with good results.[18]

New solutions and ongoing research


Several approaches have been proposed to improve the email system.

Cost-based systems
Main article: Cost-based anti-spam systems
Since spamming is facilitated by the fact that large volumes of email are very inexpensive to
send, one proposed set of solutions would require that senders pay some cost in order to send
email, making it prohibitively expensive for spammers. Anti-spam activist Daniel
Balsam attempts to make spamming less profitable by bringing lawsuits against spammers.[19]


Malware
A range of malicious email types exist. These range from various types of email scams,
including "social engineering" scams such as advance-fee scam "Nigerian letters",
to phishing, email bombardment and email worms.

Email spoofing
Main article: Email spoofing
Email spoofing occurs when the email message header is designed to make the message
appear to come from a known or trusted source. Email spam and phishing methods typically use
spoofing to mislead the recipient about the true message origin. Email spoofing may be done as
a prank, or as part of a criminal effort to defraud an individual or organization. An example of a
potentially fraudulent email spoofing is if an individual creates an email which appears to be an
invoice from a major company, and then sends it to one or more recipients. In some cases, these
fraudulent emails incorporate the logo of the purported organization and even the email address
may appear legitimate.

Email bombing
Main article: Email bomb
Email bombing is the intentional sending of large volumes of messages to a target address. The
overloading of the target email address can render it unusable and can even cause the mail
server to crash.

Privacy concerns
Main article: Internet privacy
Today it can be important to distinguish between Internet and internal email systems. Internet
email may travel and be stored on networks and computers without the sender's or the
recipient's control. During the transit time it is possible that third parties read or even modify the
content. Internal mail systems, in which the information never leaves the organizational network,
may be more secure, although information technology personnel and others whose function may
involve monitoring or managing may be accessing the email of other employees.

Email privacy, without some security precautions, can be compromised because:
email messages are generally not encrypted.
email messages have to go through intermediate computers before reaching their destination,
meaning it is relatively easy for others to intercept and read messages.
many Internet Service Providers (ISP) store copies of email messages on their mail servers
before they are delivered. The backups of these can remain for up to several months on their
server, despite deletion from the mailbox.
the "Received:"-fields and other information in the email can often identify the sender, preventing
anonymous communication.
There are cryptography applications that can serve as a remedy to one or more of the above.
For example, Virtual Private Networks or the Tor anonymity network can be used to encrypt
traffic from the user machine to a safer network while GPG, PGP, SMEmail,[111] or S/MIME can be
used for end-to-end message encryption, and SMTP STARTTLS or SMTP over Transport Layer
Security/Secure Sockets Layer can be used to encrypt communications for a single mail hop
between the SMTP client and the SMTP server.
Additionally, many mail user agents do not protect logins and passwords, making them easy to
intercept by an attacker. Encrypted authentication schemes such as SASL prevent this. Finally,
attached files share many of the same hazards as those found in peer-to-peer filesharing.
Attached files may contain trojans or viruses.

Flaming
Flaming occurs when a person sends a message (or many messages) with angry or antagonistic
content. The term is derived from the use of the word "incendiary" to describe particularly heated
email discussions. The ease and impersonality of email communications mean that the social
norms that encourage civility in person or via telephone do not exist and civility may be forgotten.[112]

Email bankruptcy
Main article: Email bankruptcy
Also known as "email fatigue", email bankruptcy is when a user ignores a large number of email
messages after falling behind in reading and answering them. The reason for falling behind is
often due to information overload and a general sense there is so much information that it is not
possible to read it all. As a solution, people occasionally send a "boilerplate" message explaining
that their email inbox is full, and that they are in the process of clearing out all the
messages. Harvard University law professor Lawrence Lessig is credited with coining this term,
but he may only have popularized it.[113]

Tracking of sent mail
The original SMTP mail service provides limited mechanisms for tracking a transmitted message,
and none for verifying that it has been delivered or read. It requires that each mail server must
either deliver it onward or return a failure notice (bounce message), but both software bugs and
system failures can cause messages to be lost. To remedy this, the IETF introduced Delivery
Status Notifications (delivery receipts) and Message Disposition Notifications (return receipts);
however, these are not universally deployed in production. (A complete Message Tracking
mechanism was also defined, but it never gained traction; see RFCs 3885[114] through 3888.[115])
Many ISPs now deliberately disable non-delivery reports (NDRs) and delivery receipts due to the
activities of spammers:
Delivery Reports can be used to verify whether an address exists and if so, this indicates to a
spammer that it is available to be spammed.
If the spammer uses a forged sender email address (email spoofing), then the innocent email
address that was used can be flooded with NDRs from the many invalid email addresses the
spammer may have attempted to mail. These NDRs then constitute spam from the ISP to the
innocent user.
In the absence of standard methods, a range of systems based around the use of web bugs have
been developed. However, these are often seen as underhand or raising privacy concerns,[116][117][118]
and only work with e-mail clients that support rendering of HTML. Many mail clients now
default to not showing "web content".[119] Webmail providers can also disrupt web bugs by precaching images.[
