
Wednesday, May 14, 2014

python paramiko module

Paramiko is a Python module that implements the SSH2 protocol for secure (encrypted and authenticated)
connections to remote machines.
SSHClient is the main class provided by the paramiko module.

agnel@agn-lnx:~/scripts/python$ more ./ssh.py
#!/usr/bin/python
import paramiko

ssh = paramiko.SSHClient()
# paramiko.AutoAddPolicy() auto-accepts unknown host keys: convenient on a lab box,
# but it skips the host-key check that protects against a man-in-the-middle.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# connect() raises an exception on failure and returns None on success
conn = ssh.connect(hostname='localhost', port=22, username='agnel', password='welcome')
if conn is None:
    print("Successfully Authenticated")
stdin, stdout, stderr = ssh.exec_command("uname -a")
print(stdout.readlines())
ssh.close()

agnel@agn-lnx:~/scripts/python$ ./ssh.py
Successfully Authenticated
['Linux agn-lnx 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux\n']
agnel@agn-lnx:~/scripts/python$

Use an SSH key to connect:
import os
# load the private key and authenticate with it instead of a password
privatekeyfile = os.path.expanduser('~/.ssh/id_rsa')
mykey = paramiko.RSAKey.from_private_key_file(privatekeyfile)
ssh.connect('10.105.236.208', username='agnel', pkey=mykey)


Interactive commands:
# sudo -S makes sudo read the password from stdin; without it (or a pty) sudo
# reports "no tty present" instead of reading what we write to stdin
cmd = "sudo -S /etc/init.d/apache2 restart"
stdin, stdout, stderr = ssh.exec_command(cmd)
stdin.write('secret\n')
stdin.flush()
print(stdout.readlines())
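The AutoAddPolicy line in ssh.py accepts whatever host key the server presents on first contact, so a spoofed or intercepted server is trusted silently. What follows is an added example, not code from the original post or from paramiko itself: the stdlib helpers parse a plain known_hosts entry and compute the SHA256 fingerprint in the format ssh-keygen -lf prints, so it can be compared with a value obtained out of band; connect_verified() then loads that file and uses paramiko's RejectPolicy, so a host missing from it aborts the connection and a changed key raises BadHostKeyException. The known_hosts line, its ed25519 key bytes, the host address, username and key path are constructed placeholders.

```python
#!/usr/bin/env python3
"""Host-key verification helpers (added example, not from the original post)."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def openssh_fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint of a raw public-key blob, formatted like `ssh-keygen -lf`:
    'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> dict:
    """Parse one plain (unhashed) known_hosts line: '<host> <type> <base64 blob>'."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob begins with the key type as an SSH string; it must agree with field 2.
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode()
    if embedded_type != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {embedded_type}")
    return {"host": host, "type": key_type, "blob": blob,
            "fingerprint": openssh_fingerprint(blob)}


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True only if the known_hosts entry carries the fingerprint obtained out of band."""
    return parse_known_hosts_line(line)["fingerprint"] == expected_fingerprint


# Constructed sample: an ssh-ed25519 blob wrapping a dummy 32-byte public key
# (not a real host key), published for the address used in the post.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_PUBKEY)
SAMPLE_KNOWN_HOSTS_LINE = "10.105.236.208 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def connect_verified(hostname: str, username: str, known_hosts_path: str, key_path: str):
    """Connect with paramiko, refusing any host not already in known_hosts.
    paramiko is imported here so the stdlib helpers above run without it installed;
    hostname, username and both paths are assumptions supplied by the caller."""
    import paramiko  # assumed installed (pip install paramiko)
    client = paramiko.SSHClient()
    client.load_system_host_keys(known_hosts_path)            # only pre-verified entries
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # unknown host -> exception
    pkey = paramiko.RSAKey.from_private_key_file(key_path)
    client.connect(hostname, username=username, pkey=pkey)
    return client


if __name__ == "__main__":
    entry = parse_known_hosts_line(SAMPLE_KNOWN_HOSTS_LINE)
    print(entry["host"], entry["type"], entry["fingerprint"])
```

Compare the printed fingerprint with the one the server's administrator gives you (or with ssh-keygen -lf on the server's public key file) before adding the line to known_hosts; once it is there, RejectPolicy makes paramiko behave like OpenSSH with StrictHostKeyChecking=yes.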

Packet Capturing on Linux

Using tshark
root@bng-sql-1:~# tshark -i eth2 -R diameter -V
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth2

Count how many times a string occurs in all files

grep -c string *
to list only files that have one or more occurrences:
grep -c string * | grep -v :0
to count every occurrence, including several on one line (grep -c counts matching lines, not matches):
grep -o string * | wc -l

Shared library management with ldconfig

ldconfig is a basic system program which determines run-time
link bindings between ld.so and shared libraries. ldconfig scans a
running system and sets up the symbolic links that are used to load
shared libraries properly. It also creates a cache (/etc/ld.so.cache)
which speeds the loading of programs which use shared libraries.

To see the libraries used by a binary:
[root@nsetcindia-web ~]# ldd /usr/bin/curl-loader
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003b47e00000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003b48600000)
        librt.so.1 => /lib64/librt.so.1 (0x0000003b48e00000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x0000003b48a00000)
        libcares.so.2 => not found
        libc.so.6 => /lib64/libc.so.6 (0x0000003b47a00000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003b47600000)
[root@nsetcindia-web ~]#


Add your custom lib locations to /etc/ld.so.conf
and run
ldconfig
To list the libraries in the cache:
ldconfig -p | less
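As an added example (not from the original post), here is a small Python parser for the ldd output shown above; the page's own listing is embedded as constructed sample input. It reports which dependencies resolved and which are missing, which is the check to repeat after editing /etc/ld.so.conf and running ldconfig. check_binary() runs ldd on a path you supply; use it only on binaries you trust, because some versions of ldd obtain the list by executing the program.

```python
#!/usr/bin/env python3
"""Parse `ldd` output and report unresolved shared libraries (added example)."""
import re
import subprocess

# The page's own ldd listing for /usr/bin/curl-loader, embedded as constructed input.
SAMPLE_LDD_OUTPUT = """\
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003b47e00000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003b48600000)
        librt.so.1 => /lib64/librt.so.1 (0x0000003b48e00000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x0000003b48a00000)
        libcares.so.2 => not found
        libc.so.6 => /lib64/libc.so.6 (0x0000003b47a00000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003b47600000)
"""

# '<name> => <path or "not found"> (<load address>)'; the address is optional.
LINE_RE = re.compile(r"^\s*(\S+)\s*=>\s*(.+?)\s*(?:\(0x[0-9a-f]+\))?\s*$")


def parse_ldd(output: str) -> dict:
    """Map each needed library name to its resolved path, or None when ldd
    printed 'not found'. Lines without '=>' (the dynamic loader itself) are skipped."""
    deps = {}
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        name, target = match.group(1), match.group(2)
        deps[name] = None if target == "not found" else target
    return deps


def missing_libs(output: str) -> list:
    """Sorted names of libraries the loader could not resolve."""
    return sorted(name for name, path in parse_ldd(output).items() if path is None)


def check_binary(path: str) -> list:
    """Run ldd on a *trusted* binary and return its missing libraries.
    Never point this at an untrusted file: ldd may execute it."""
    result = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    return missing_libs(result.stdout)


if __name__ == "__main__":
    for name, path in parse_ldd(SAMPLE_LDD_OUTPUT).items():
        print(f"{name:20s} {path or 'MISSING'}")
    print("missing:", missing_libs(SAMPLE_LDD_OUTPUT))
```

A non-empty result from missing_libs() after ldconfig means the directory holding the library is still not in /etc/ld.so.conf (or an ld.so.conf.d fragment), or the library's soname does not match what the binary was linked against.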

Delete a file with spaces in Linux

Get the inode number with ls -il, then delete the file by inode:
ls -il
find . -inum 270016 -exec rm -i {} \;

Wednesday, April 3, 2013

Cryptography Basics

By definition cryptography is the process of converting recognisable data into an encrypted code for transmitting it over a network
(either trusted or untrusted). Data is encrypted at the source, i.e. sender's end and decrypted at the destination, i.e. receiver's end.
In all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext using different encryption algorithms.

The Purpose :-
* Authentication : The process of proving one's identity.
* Authorization :  Upon proving identity, the individual is then provided with the key or password that will allow access to some resource.
* Privacy/confidentiality : Ensuring that no one can read the message except the intended receiver.
* Integrity : Assuring the receiver that the received message has not been altered in any way from the original.
* Non-repudiation : A mechanism to prove that the sender really sent this message.

Key Terms :
Plaintext -- Encryption --> Ciphertext --- Decryption ---> Plaintext
Algorithm , Key , KeySpace
In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm or cipher.
In cryptography, an algorithm's key space refers to the set of all possible keys that can be used to initialize it. For example, if an algorithm works using a key that is a string of 10 bits, then its key space is the set of all binary strings of length 10, i.e. we have a key space of size 2^10 = 1024.
The security of an encryption system in most cases relies on the key being kept secret.

Kerckhoffs' Principle : The algorithm should be publicly known; the only secrecy involved with a cryptography system should be the key.

A cryptosystem is made up of at least the following:
Software, Protocols, Algorithms, Keys
Ex: Pretty Good Privacy (PGP)

Two basic types of ciphers are substitution and transposition:
1) Substitution ciphers replace bits, characters, or character blocks in plaintext with alternate bits, characters, or character blocks to produce ciphertext.
A substitution cipher may be monoalphabetic or polyalphabetic:
Monoalphabetic: A single alphabet is used to encrypt the entire plaintext message.
Polyalphabetic: A more complex substitution that uses a different alphabet to encrypt each bit, character, or character block of a plaintext message.
2) Transposition ciphers rearrange bits, characters, or character blocks in plaintext to produce ciphertext.
Other types of ciphers include:
1) Running (or book) ciphers: use a key that does not require an electronic algorithm and bit alterations, but cleverly uses components in the physical world around you. For instance, the algorithm could be a set of books agreed upon by the sender and receiver. The key in this type of cipher could be a book page, line number, and column count.
2) Vernam ciphers: Also known as one-time pads, which are random keystreams that can only be used once. Both the sender and receiver have the same one-time pad that contains a keystream that is the same length as the message.
3) Concealment ciphers: These include steganography, in which the message itself isn't encrypted, but the very existence of the message is concealed within some other medium, such as over digital traffic noise or in a digital image.
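To make the two basic cipher types and the key-space idea concrete, the following added example (not from the original post) implements a monoalphabetic substitution cipher (a shifted alphabet, so only 26 possible keys), a columnar transposition cipher that keeps every letter and only moves it, a keyspace_size() helper for the 2^10 = 1024 figure above, and an exhaustive search over the 26 shift keys. With the algorithm public, as Kerckhoffs' principle assumes, the size of the key space is all that stands between the ciphertext and a trivial search; 26 keys is no protection at all. All inputs are constructed.

```python
#!/usr/bin/env python3
"""Classical substitution and transposition ciphers (added example)."""
import string

ALPHABET = string.ascii_uppercase


def keyspace_size(bits: int) -> int:
    """Number of distinct keys for a key of `bits` bits (2 ** bits)."""
    return 2 ** bits


# --- monoalphabetic substitution: one fixed table maps every plaintext letter ---
def make_substitution_key(shift: int) -> str:
    """A shifted alphabet; the Caesar cipher is the simplest monoalphabetic key."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def substitute(text: str, key: str, decrypt: bool = False) -> str:
    """Map ALPHABET -> key (encrypt) or key -> ALPHABET (decrypt); non-letters pass through."""
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return text.upper().translate(str.maketrans(src, dst))


# --- columnar transposition: letters are unchanged, only their positions move ---
def transpose_encrypt(text: str, columns: int) -> str:
    """Write the text row by row into `columns` columns, read it out column by column."""
    padded = text + "X" * (-len(text) % columns)        # pad the last row
    rows = [padded[i:i + columns] for i in range(0, len(padded), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def transpose_decrypt(cipher: str, columns: int) -> str:
    """Inverse of transpose_encrypt (padding X's, if any, remain at the end)."""
    rows_n = len(cipher) // columns
    cols = [cipher[i:i + rows_n] for i in range(0, len(cipher), rows_n)]
    return "".join(col[r] for r in range(rows_n) for col in cols)


def brute_force_shift(cipher: str, crib: str) -> list:
    """Try all 26 shift keys; return (shift, plaintext) pairs containing the crib.
    The whole key space is searched in microseconds: this is the key-space point."""
    hits = []
    for shift in range(26):
        candidate = substitute(cipher, make_substitution_key(shift), decrypt=True)
        if crib in candidate:
            hits.append((shift, candidate))
    return hits


if __name__ == "__main__":
    key = make_substitution_key(3)
    ct = substitute("ATTACK AT DAWN", key)
    print("substitution :", ct, "->", substitute(ct, key, decrypt=True))
    tt = transpose_encrypt("ATTACKATDAWN", 4)
    print("transposition:", tt, "->", transpose_decrypt(tt, 4))
    print("10-bit key space:", keyspace_size(10), "keys")
    print("searching 26 shift keys for 'ATTACK':", brute_force_shift(ct, "ATTACK"))
```

The transposition output is a permutation of the input letters, so letter frequencies are preserved exactly; the substitution output keeps the positions but changes the letters. Both leak structure that modern block ciphers (DES, AES, discussed below) are designed to hide by combining many rounds of both operations.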

In general cryptographic algorithms are classified into three categories as follows :
1) Secret Key Cryptography (SKC) : Uses a single key for both encryption and decryption.
2) Public Key Cryptography (PKC) : Uses one key for encryption and another for decryption.
3) Hash Functions : Uses a mathematical transformation to irreversibly "encrypt" information.

Secret Key Cryptography :- With secret key cryptography, a single key is used for both encryption and decryption. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.

Secret key cryptography algorithms that are in use today include :

1) Data Encryption Standard (DES) : DES is a block-cipher employing a 56-bit key that operates on 64-bit blocks. DES uses a key of only 56 bits, and thus it is now susceptible to "brute force" attacks.
Triple-DES (3DES) and DESX are the two important variants that strengthen DES.

2) Advanced Encryption Standard (AES) : The algorithm can use a variable block length and key length; the latest specification allowed any combination of key lengths of 128, 192, or 256 bits and blocks of length 128, 192, or 256 bits.

3) International Data Encryption Algorithm (IDEA) : Secret-key cryptosystem written by Xuejia Lai and James Massey in 1992 and patented by Ascom; a 64-bit SKC block cipher using a 128-bit key. Also available internationally.

4) Rivest Ciphers : Named for Ron Rivest, a series of SKC algorithms.

RC1 : Designed on paper but never implemented.
RC2 : A 64-bit block cipher using variable-sized keys designed to replace DES. Its code has not been made public although many companies have licensed RC2 for use in their products. Described in RFC 2268.
RC3 : Found to be breakable during development.
RC4 : A stream cipher using variable-sized keys; it is widely used in commercial cryptography products, although it can only be exported using keys that are 40 bits or less in length.
RC5 : A block-cipher supporting a variety of block sizes, key sizes, and number of encryption passes over the data. Described in RFC 2040.
RC6 : An improvement over RC5, RC6 was one of the AES Round 2 algorithms.

5) Blowfish : A symmetric 64-bit block cipher invented by Bruce Schneier; optimized for 32-bit processors with large data caches, it is significantly faster than DES on a Pentium/PowerPC-class machine. Key lengths can vary from 32 to 448 bits in length. Blowfish, available freely and intended as a substitute for DES or IDEA, is in use in over 80 products.

Public-Key Cryptography :- Generic PKC employs two keys that are mathematically related, although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. It does not matter which key is applied first, but both keys are required for the process to work. Because a pair of keys is required, this approach is also called asymmetric cryptography.
In PKC, one of the keys is designated the public key and may be advertised as widely as the owner wants. The other key is designated the private key and is never revealed to another party.

Public-key cryptography algorithms that are in use today for key exchange or digital signatures include :

1) RSA : One of the most popular encryption algorithms, invented in 1977 by three MIT scientists (Ronald Rivest, Adi Shamir, and Leonard Adleman).
The key-pair is derived from a very large number, n, that is the product of two prime numbers chosen according to special rules; these primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors. The public key information includes n and a derivative of one of the factors of n; an attacker cannot determine the prime factors of n (and, therefore, the private key) from this information alone and that is what makes the RSA algorithm so secure.

Hash Functions :- Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key. Instead, a fixed-length hash value is computed from the plaintext in a way that makes it impossible for either the contents or the length of the plaintext to be recovered. Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a measure of the integrity of a file.
Hash algorithms that are in common use today include:
1) Message Digest (MD) algorithms : A series of byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message.
MD2 : Designed for systems with limited memory, such as smart cards.
MD4 : Developed by Rivest, similar to MD2 but designed specifically for fast processing in software.
MD5 : Also developed by Rivest in 1991 after potential weaknesses were reported in MD4; this scheme is similar to MD4 but is slower because more manipulation is made to the original data. It accepts a variable-length message from the user and converts it into a fixed 128-bit message digest value.
One interesting and important aspect of the MD5 hash function is that it is a one-way algorithm. This means you can produce the 128-bit fingerprint if the data chunk is available to you. You cannot, however, regenerate the data if only the fingerprint of the data is known.
2) Secure Hash Algorithm (SHA) : Algorithm for NIST's Secure Hash Standard (SHS). SHA-1 produces a 160-bit hash value and was originally published as FIPS 180-1 and RFC 3174. FIPS 180-2 describes five algorithms in the SHS: SHA-1 plus SHA-224, SHA-256, SHA-384, and SHA-512, which produce hash values that are 224, 256, 384, or 512 bits in length, respectively. SHA-224, -256, -384, and -512 are also described in RFC 4634.
3) RIPEMD : A series of message digests that initially came from the RIPE (RACE Integrity Primitives Evaluation) project. RIPEMD-160 was designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, and optimized for 32-bit processors to replace the then-current 128-bit hash functions. Other versions include RIPEMD-256, RIPEMD-320, and RIPEMD-128.
4) HAVAL (HAsh of VAriable Length) : Designed by Y. Zheng, J. Pieprzyk and J. Seberry, a hash algorithm with many levels of security. HAVAL can create hash values that are 128, 160, 192, 224, or 256 bits in length.
5) Whirlpool : A relatively new hash function, designed by V. Rijmen and P.S.L.M. Barreto. Whirlpool operates on messages less than 2^256 bits in length, and produces a message digest of 512 bits. The design of this hash function is very different from that of MD5 and SHA-1, making it immune to the same attacks as on those hashes.
6) Tiger : Designed by Ross Anderson and Eli Biham, Tiger is designed to be secure, run efficiently on 64-bit processors, and easily replace MD4, MD5, SHA and SHA-1 in other applications. Tiger/192 produces a 192-bit output and is compatible with 64-bit architectures; Tiger/128 and Tiger/160 produce the first 128 and 160 bits, respectively, to provide compatibility with the other hash functions.
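The integrity use of hash functions described above, as an added example (not from the original post): fingerprint() computes a fixed-length digest of arbitrary input, digest_bits() reports the output sizes listed for MD5, SHA-1 and SHA-2, verify_integrity() compares a recomputed digest against the expected value in constant time, and flipping a single bit of the sample content shows that the digest changes throughout, not just in one place. SHA-256 is the default because MD5 and SHA-1 are no longer collision-resistant; the sample file content is constructed.

```python
#!/usr/bin/env python3
"""Digital fingerprints and integrity checks with hashlib (added example)."""
import hashlib
import hmac


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-length hex digest of arbitrary-length input: the 'digital fingerprint'."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output length in bits: 128 for MD5, 160 for SHA-1, 256/512 for SHA-2 variants."""
    return hashlib.new(algorithm).digest_size * 8


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare in constant time, so a verifier fed
    attacker-chosen input does not leak how many leading characters matched."""
    return hmac.compare_digest(fingerprint(data, algorithm), expected_hex)


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Simulate tampering: invert a single bit of the content."""
    tampered = bytearray(data)
    tampered[index] ^= 0x01
    return bytes(tampered)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed sample content standing in for a file whose integrity is tracked.
SAMPLE_FILE = b"Plaintext -- Encryption --> Ciphertext --- Decryption ---> Plaintext\n"


if __name__ == "__main__":
    original = fingerprint(SAMPLE_FILE)
    tampered = fingerprint(flip_one_bit(SAMPLE_FILE))
    print("sha256 original :", original)
    print("sha256 1 bit off:", tampered)
    print("digest bits changed:", differing_bits(original, tampered), "of", digest_bits("sha256"))
    print("verify original:", verify_integrity(SAMPLE_FILE, original))
    print("verify tampered:", verify_integrity(flip_one_bit(SAMPLE_FILE), original))
```

Because the digest is a one-way function of the content, the stored fingerprint does not have to be secret, only authentic: if an attacker can replace both the file and the published digest, a plain hash proves nothing, which is why distribution checksums are signed or fetched over a separate trusted channel.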

Tuesday, April 17, 2012

Enable SSH Version 1 on Linux


Most Linux distributions have disabled SSH version 1 due to security issues.
If you need to enable it for some reason, the steps are below.
Snip from sshd_config -->
Protocol 2,1
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

Generate hostkey -->
sudo ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""

Restart sshd

agnel@ubuntu:/var/log$ ssh -1 localhost
agnel@localhost's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-16-generic i686)

* Documentation:  https://help.ubuntu.com/

Last login: Mon Apr 16 05:27:26 2012 from localhost
agnel@ubuntu:~$
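Since the steps above re-enable a protocol version that distributions disabled for security reasons, a defender wants a way to find hosts where this was done. The following added example (not from the original post) parses an sshd_config snippet, the post's own lines embedded as constructed sample input, and flags a Protocol directive that lists version 1 or a legacy ssh_host_key entry. Keyword matching is case-insensitive, as sshd's is, and comments are ignored.

```python
#!/usr/bin/env python3
"""Audit an sshd_config for SSH protocol version 1 (added example)."""
import re

# The post's own sshd_config snippet, embedded here as constructed sample input.
SAMPLE_SSHD_CONFIG = """\
Protocol 2,1
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
"""

# 'Keyword value' or 'Keyword=value'; sshd treats keywords case-insensitively.
DIRECTIVE_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercase: [values...]}, skipping comments and blank lines.
    Repeated keywords (HostKey) accumulate, as they do in sshd."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        config.setdefault(match.group(1).lower(), []).append(match.group(2).strip())
    return config


def sshv1_enabled(text: str) -> bool:
    """True if any Protocol directive lists version 1 (e.g. 'Protocol 2,1' or '1')."""
    for value in parse_sshd_config(text).get("protocol", []):
        if "1" in [v.strip() for v in value.split(",")]:
            return True
    return False


def audit(text: str) -> list:
    """Human-readable findings for the config text."""
    findings = []
    config = parse_sshd_config(text)
    if sshv1_enabled(text):
        findings.append("Protocol 1 is enabled; SSH-1 is deprecated and insecure, set 'Protocol 2'")
    if any(path.endswith("ssh_host_key") for path in config.get("hostkey", [])):
        findings.append("legacy protocol-1 host key configured (/etc/ssh/ssh_host_key)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG) or ["no findings"]:
        print("-", finding)
```

Point the same parser at /etc/ssh/sshd_config on each host (or at the output of sshd -T, which prints the effective configuration) to find the machines where this change was made and still lingers.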

Saturday, April 14, 2012

Cloud Services Terms Explained

IaaS (Infrastructure as a Service) is when the consumer does not deal with the infrastructure; instead the responsibility for the equipment is outsourced to the Service Provider. The Service Provider not only owns the equipment but will also be responsible for its running and maintenance, where the consumer will be charged on a ‘pay as you use’ basis. IaaS is often offered as a horizontally integrated service that includes not only the server and storage but also the connectivity domains. For example, while the consumer may deploy and run their own applications and operating systems, the IaaS provider would typically provide the replication, backup and archiving (Storage), the powerful computing requirements (Server) or the network load balancing and firewalls (Connectivity domains).


Platform as a service (PaaS) is a category of cloud computing services that provide a computing platform and a solution stack as a service. In the classic layered model of cloud computing,[1] the PaaS layer lies between the SaaS and the IaaS layers.

Software as a service (SaaS) is the ability for a consumer to use on demand software that is provided by the service provider via a thin client device e.g. a web browser over the Internet. With SaaS the consumer has not only no management or control of the infrastructure such as the storage, servers, network, or operating systems, but also no control over the application’s capabilities. Culled from what were originally referred to as (ASPs) Application Service Providers, SaaS is a quick and efficient delivery model for key business applications such as customer relationship management (CRM), enterprise resource planning (ERP), HR and payroll.

Monitoring as a Service (MaaS) is at present still an emerging piece of the Cloud jigsaw but an integral one for the future. In the same way that businesses realised that their infrastructure and key applications required monitoring tools that would ensure the proactive elimination of any downtime risks, Monitoring as a Service provides the option to offload a large majority of those costs by having it run as a service as opposed to a fully invested in house tool. So for example by logging onto a thin client or central web based dashboard which is hosted by the service provider, the consumer can monitor the status of their key applications regardless of location. Add the advantages of an easy set up and purchasing process and MaaS could be a key pay as you use model for the de-risking of applications that are initially being migrated to the Cloud.

Communication as a Service (CaaS), enables the consumer to utilize Enterprise level VoIP, VPNs, PBX and Unified Communications without the costly investment of purchasing, hosting and managing the infrastructure. With the service provider responsible for the management and running of these services also, the other advantage the consumer has is that they needn’t require their own trained personnel, bringing significant OPEX as well as CAPEX costs.

XaaS or ‘anything as a service’ is the delivery of IT as a Service through hybrid Cloud computing and is a reference to either one or a combination of Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Communications as a Service (CaaS) or Monitoring as a Service (MaaS).

Tcpdump

tcpdump - dump traffic on a network
1)To capture ipv6 traffic
tcpdump ip6 -i eth0
2)tcpdump host hope
In the above example tcpdump would print all packets arriving at or departing from hope.
3)tcpdump -i eth0
Capture data on eth0 interface.
4)tcpdump host helios and \( hot or ace \)
Print traffic between helios and either hot or ace.
5) tcpdump 'gateway snup and (port ftp or ftp-data)'
Print all ftp traffic through Internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses).
6)To print all IP packets between ace and any host except helios
tcpdump ip host ace and not helios
7)To print all ICMP packets that are not echo requests/replies (i.e., not ping packets)
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
8)tcpdump -w ./log
Write the raw packets to file rather than parsing and printing them out.
9) Use the option -s1514, which causes tcpdump NOT to truncate any packets.
10) Useful options:
-vv : More verbose output.
-x : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet.
-X : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.
-s 1500 : Snarf snaplen bytes of data from each packet rather than the default of 68. This is useful to see lots of information.
-i eth1 : Monitor the eth1 interface.
11) tcpdump udp and src port 53
12) It's also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I usually give it 1514 (to get everything) if I use this option.
13) tcpdump on RTP
tcpdump -T rtp -vvv src 192.168.0.2 and dst port 1234
tcpdump -i eth1 -T rtp -vvv src 8.8.8.53 and dst port 20000

Spamming

Spamming is populating the user’s inbox with unsolicited or junk emails
Spam email contains malicious computer programs such as viruses and Trojans which change the computer settings or track the system
Spamming is also used for product advertisements

Techniques Used by Spammers :
Spoofing the domain:  Message appears to be from user’s own domain
Poisoning or spoofing filters: Addition of invisible text or numbering in message
Social Engineering: Used to manipulate people to perform actions or divulge confidential information
Directory harvesting: By sending messages to possible addresses and then building a list of valid email addresses through non-delivery reports
Phishing attacks: Convinces the user that the mail is sent by a trusted source
Sending virus attached files: Installs Trojan horses and viruses that cause the host computer to malfunction
Database Poisoning: Using innocuous words (ham words) in a SPAM, thereby effectively poisoning the database in the long run
Junk Tags: Hiding spam words by inserting invalid HTML tags in between words
Invalid Words: Spam word like mortgage etc. are masked by inserting special characters or junk characters in between

How Spamming is Performed :
Getting the email IDs: Spammers get access to email IDs when a user registers with an email service, forum, or blog, either by hacking the stored information or by registering as genuine users. Spiders are used that search the code of web pages for anything that looks like an email ID and copy it to the database. Email extraction tools with built-in search engines are used to find email IDs of companies based on the keywords entered. Online ad tracking tools help spammers analyse how many users opened the spam mails, the responses to them, and which ad brought the best results.

How Spam is Relayed: Rogue ISPs obtain their own network numbering and multiple domain names from the InterNIC, using which spammers manage to get across spam blocks. On-the-fly spammers: spammers register as genuine users for trial accounts with ISPs and use forged identities to start spam hits. Blind relayers: some servers relay a message without authentication, so it is sent on as genuine mail.

Getting past anti-spam software: The subject line of the email is given as ‘Re:’ or ‘Fw:’, which assures the anti-spam software that it is a genuine reply to the user's message. The spam message is enclosed as an image in the mail to make the anti-spam software trust the source.

Ways of Spamming : Usenet spam - a single message sent to 20 or more Usenet newsgroups. It robs users of the newsgroups by overwhelming them with a barrage of advertising or other irrelevant posts. Usenet (USEr NETwork) is a public access network on the Internet that provides group discussions and group e-mail. It is a giant, dispersed bulletin board that is maintained by volunteers who provide news and mail feeds to other nodes. All the content that travels over the Internet is called "NetNews," and a running collection of messages about a particular subject is called a "newsgroup." Usenet began in 1979 as a bulletin board between two universities in North Carolina. Today, there are more than 50,000 newsgroups, and news can be read with a news-enabled Web browser, popular newsreader applications such as News Rover (www.newsrover.com) or via venerable Unix-based utilities such as pine, tin and nn. Some newsgroups are "moderated"; in these newsgroups, the articles are first sent to a moderator for approval before appearing in the newsgroup.
Email Spam : Email spam targets individual users with direct mail messages. Email spam lists are often created by scanning Usenet postings, stealing Internet mailing lists, or searching the Web for addresses.

Types of Spam Attacks : 
Hidden text & links : Making the text look the same as the background color

Double tags : Giving duplicate title tags and Meta tags

Cloaking : This is done by showing different pages to search engines and users. Also known as stealth, a technique used by some Web sites to deliver one page to a search engine for indexing while serving an entirely different page to everyone else. The search engine thinks it is selecting a prime match to its request based on the meta tags that the site administrator has input. However, the search result is misleading because the meta tags do not correspond to what actually exists on the page.

Blog & Wiki spamming : Wikis are used to add or update the content of any page on the website. This spamming allows the spammers to automatically run crawlers which hunt out blogs and then post keyword text links. Adding links that point to the spammer's web site artificially increases the site's search engine ranking. An increased ranking often results in the spammer's commercial site being listed ahead of other sites for certain searches, increasing the number of potential visitors and paying customers. A method to block automated spam comments is requiring a validation prior to publishing the contents of the reply form. The goal is to verify that the form is being submitted by a real human being and not by a spam tool. Many forms on websites take advantage of the CAPTCHA technique, displaying a combination of numbers and letters embedded in an image which must be entered literally into the reply form to pass the test. In order to keep out spam tools with built-in text recognition the characters in the images are customarily misaligned, distorted, and noisy. A simple alternative to CAPTCHAs is validation in the form of a password question, providing a hint to human visitors that the password is the answer to a simple question like "The Earth revolves around the... [Sun]".

Image Spam : In this type of spamming, emails containing only images without any text are sent by spammers to evade security systems/controls.

Hijacking/pagejacking : Redirecting a page which improves the page rank of the redirected page
For pagejacking First, a copy of your page is taken. A page is then created on the pagejackers site that is basically a carbon copy of your content - including meta-tags. The pagejacker then adds extra scripting to allow only search engine robots to be able to read the content of the page. A 302 .htaccess redirect or meta-refresh is then used to automatically redirect human viewers to a totally different page - they never see your content.

Bulk Emailing Tools
FairlogicWorldcast bulk emailing tool : a customized mailer and also an address validator. It detects many common bad addresses existing on the mailing lists. It provides detailed logs of the entire delivery process and reports any kind of error.

123 Hidden Sender : sends absolutely anonymous bulk emails. The IP address is not shown in the email headers.

YL Mail Man : a flexible email addresses management and email delivering software

Sendblaster : Bulk email software for email marketing

Direct Sender : quickly and easily send unlimited numbers of personalized email messages using any kind of database.

Hotmailer is a bulk email sender, email address finder, and verifier.

PackPal Bulk Email Server : safe and fast bulk email sender. It can run as a background service.

IEmailer : safe to use since it does not use or go through the local ISPs email server.

Anti-Spam Techniques
Heuristic/Signature-based Content Filtering : Messages received are checked against certain patterns. Scores are assigned based on the patterns matched and, if the total score is high enough, the email is treated as undesired.

Bayesian Content Filtering :  It filters and sorts the emails into different folders based on the good and undesired mail feed to it
Bayesian spam filters calculate the probability of a message being spam based on its contents. Bayesian spam filtering learns from spam and from good mail, resulting in a very robust, adapting and efficient anti-spam approach that, best of all, returns hardly any false positives. Ideally, you start with a (big) bunch of emails that you have classified as spam, and another bunch of good mail. The filters look at both, and analyze the legitimate mail as well as the spam to calculate the probability of various characteristics appearing in spam, and in good mail.
The characteristics a Bayesian spam filter can look at can be : the words in the body of the message, of course, and its headers (senders and message paths, for example!), but also other aspects such as HTML code (like colors), or even word pairs, phrases and meta information (where a particular phrase appears, for example). 
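A minimal Bayesian filter of the kind described above, as an added example (not from the original post): word presence is the feature, counts are smoothed so a word never seen in one class does not zero out that class, and the score is computed in log space so long messages do not underflow. The training sentences are constructed, not real mail; a production filter trains on thousands of messages and uses many of the other characteristics listed above (headers, HTML, phrases) as features alongside words.

```python
#!/usr/bin/env python3
"""Naive Bayes spam filter over word presence (added example)."""
import math
import re
from collections import Counter

# Constructed training corpus (not real mail): four spam and four ham messages.
SPAM = [
    "cheap mortgage rates apply now",
    "win a free prize click here now",
    "cheap viagra free shipping",
    "apply now for a free mortgage quote",
]
HAM = [
    "meeting moved to tuesday, see agenda",
    "can you review the patch before the release",
    "lunch tomorrow? the usual place",
    "agenda attached for the tuesday review",
]


def tokens(text: str) -> set:
    """Lower-cased alphabetic words; a set, since presence is the feature."""
    return set(re.findall(r"[a-z]+", text.lower()))


class BayesFilter:
    """Bernoulli naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_words = Counter()   # word -> number of spam messages containing it
        self.ham_words = Counter()    # word -> number of ham messages containing it

    def train(self, text: str, is_spam: bool) -> None:
        counter = self.spam_words if is_spam else self.ham_words
        for word in tokens(text):
            counter[word] += 1
        if is_spam:
            self.spam_docs += 1
        else:
            self.ham_docs += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | words), assuming both classes have at least one training message."""
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for word in tokens(text):
            # smoothed P(word present | class); +1 / +2 keeps unseen words non-zero
            log_spam += math.log((self.spam_words[word] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_words[word] + 1) / (self.ham_docs + 2))
        # turn the log-odds back into a probability without overflowing
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def trained_filter() -> BayesFilter:
    """A filter trained on the constructed corpus above."""
    spam_filter = BayesFilter()
    for message in SPAM:
        spam_filter.train(message, True)
    for message in HAM:
        spam_filter.train(message, False)
    return spam_filter


if __name__ == "__main__":
    f = trained_filter()
    for msg in ["free mortgage, apply now", "review the agenda before tuesday"]:
        print(f"{f.spam_probability(msg):.3f}  {f.classify(msg):4s}  {msg}")
```

The threshold is the knob that trades false positives for false negatives: raising it above 0.5 lets more spam through but reduces the chance of a legitimate message being discarded, which is the failure users tolerate least.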

Collaborative Content Filtering :  Many users share their judgment about what is a desired mail and undesired mail. Every time the user receives a mail, a special application suggests whether it is SPAM or not

Black Listing (RBL) :  It uses various spam detection tools to report badly behaved IP addresses as a list. The information is collected and stored in a database and used to filter spam email.

White Listing :  It accepts all the emails from certain IP addresses. No other filters can stop an email once it is accepted. 

Greylisting : It does not accept the messages from IP address which are not previously successfully connected to the mail server

Sender Policy Framework :  To prevent sender address forgery, SPF proposes that valid email senders register the IPs of the machines they send email from, using extended DNS records.
The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, it protects the envelope sender address, which is used for the delivery of messages.
Sender Addresses in E-Mails
Like paper mail letters, e-mail messages have at least two kinds of sender addresses: one on the envelope and one in the letterhead.
The envelope sender address (sometimes also called the return-path) is used during the transport of the message from mail server to mail server, e.g. to return the message to the sender in the case of a delivery failure. It is usually not displayed to the user by mail programs.
The header sender address of an e-mail message is contained in the "From" or "Sender" header and is what is displayed to the user by mail programs. Generally, mail servers do not care about the header sender address when delivering a message.
SPF allows the owner of an Internet domain to use special format of DNS records ("SPF", type 99) to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.com domain can designate which machines are authorized to send e-mail whose sender e-mail address ends with "@example.com". Receivers checking SPF can reject messages from unauthorized machines before receiving the body of the message.
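An added example (not from the original post) that evaluates an SPF record against a sender IP the way a receiving mail server does before accepting the message body. It handles the ip4, ip6 and all mechanisms with their +, -, ~ and ? qualifiers, which is everything the constructed records here use; the a, mx and include mechanisms need DNS lookups and are left out. The records, domains and addresses are constructed placeholders (example.com with documentation address ranges), looked up from a dict rather than DNS. Current SPF (RFC 7208) publishes the policy in an ordinary TXT record; the dedicated type 99 record mentioned above was retired by that RFC.

```python
#!/usr/bin/env python3
"""Evaluate an SPF record for a connecting sender IP (added example)."""
import ipaddress

# Constructed SPF records (not real DNS data), keyed by the envelope sender's domain.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> list:
    """Return [(qualifier, mechanism, argument)] for a v=spf1 TXT record.
    A term with no explicit qualifier means '+' (pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(sender_ip: str, domain: str, records: dict = SAMPLE_RECORDS) -> str:
    """SPF result for a sender IP and envelope-sender domain.
    Mechanisms are evaluated left to right; the first match decides (RFC 7208)."""
    record = records.get(domain)
    if record is None:
        return "none"                       # domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return RESULT[qualifier]        # catch-all, usually '-all' or '~all'
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(argument, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        # a / mx / include would need DNS here; they never match in this offline version
    return "neutral"                        # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"), ("203.0.113.5", "example.com"),
                       ("198.51.100.11", "softfail.example"), ("192.0.2.1", "unknown.example")]:
        print(f"{ip:15s} {domain:18s} -> {check_spf(ip, domain)}")
```

A receiver normally rejects on "fail" at the SMTP envelope stage, before the body is transmitted, and treats "softfail" as one input to its scoring rather than a verdict; "none" and "neutral" give the receiver no information either way.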

DNS-based Block Lists :  It is used to add the spam IP addresses to a local block list

MX Callbacks :  It supports callbacks which verify the sender of a message with their MX server

Teergrubing :  It responds slowly to connected mail servers by using multi-line SMTP responses, applying a delay to all servers before accepting the mail (e.g. a 60 second delay is unlikely to impact a legitimate server, but would cost a spammer several tens of message deliveries).

Reputation Control :  It analyzes the email sent by the sender and assigns a score. If the email is found to be legitimate - score improves, if not - the score reduces

Transparent SMTP Proxy : This software blocks SMTP sessions used by e-mail worms and viruses on the NA(P)T router. It acts like a proxy, intercepting outgoing SMTP connections and scanning session data on-the-fly. Anti-Spam-SMTP-Proxy (ASSP) : http://assp.sourceforge.net/

Anti-Spamming Tools
AEVITA Stop SPAM Email : hides email addresses from spambots. It replaces all the email addresses on the page with specifically encoded email addresses.

SpamExperts Desktop :

SpamEater Pro : 

SpamWeasel :

Spytech SpamAgent : It filters based on the sender, recipient, subject, body, as well as attachment type, forwards, and more

AntispamSniper : integrates with Outlook Express to filter incoming mails

Spam Reader : anti-spam add-on for Microsoft Outlook, uses a Bayesian engine

Spam Assassin Proxy (SA Proxy) : Spam Assassin Proxy is based on open source software. It runs on the local proxy server which sits between the email program and the POP3 mail account. Spam Assassin Proxy uses Bayesian filtering, which is accurate and detects new spam. It does not delete spam but marks it.

MailWasher Free : 

Spam Bully : anti-spam tool for MS Outlook