
© Copyright 2003 – Chesapeake NetCraftsmen, LLC

SPAM

Joe Roundy
Senior Security Consultant
jroundy@netcraftsmen.net

© Copyright 2005– Chesapeake NetCraftsmen

About the Presenter

Joe Roundy
Senior Security Consultant
Chesapeake NetCraftsmen, LLC
CISSP #4848
jroundy@netcraftsmen.net


Agenda

* Introduction to SPAM
* Stopping Spam
* Tracking, Blocking, and Filtering Spam
* Spam Filtering Architectures and Examples


Introduction to SPAM


What is SPAM

Hawaii residents consume nearly 7 million cans of Spam a year, 11,000 cans per day, an average of about six for every man, woman and child. Spam fried rice is a local classic.

http://www.azstarnet.com/dailystar/relatedarticles/14264.php
http://www.letsgo.com/HAW/02-LifeTimes-57

From dictionary.com: spam (n): Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail.


SPAM


The Problem

"Spamming is the scourge of electronic-mail and newsgroups on the Internet. It can seriously interfere with the operation of public services, to say nothing of the effect it may have on any individual's e-mail mail system. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization."

-- Vint Cerf, Senior Vice President, MCI


Why All the Fuss?

* Loss of Productivity
* Discouraged Users
* Loss of Efficiency
* Legal Issues
* Communications Quality
* Business Continuity
* Company Reputation


Fraud

Spammers know that in survey after survey, the overwhelming majority (often approaching 95%) of recipients don't want to receive their messages.

In many cases, ISPs and consumers have set up "filters" to help dispose of SPAM. While filters often consume more resources at the ISP, making mail delivery and web surfing slower, they can sometimes help end-users cope a little bit better.

Another common trick that spammers use is to forge the headers of messages, making it appear as though the message originated elsewhere, again providing a convenient target.


Profile of a SPAMer

Used ~20 computers to send SPAM to a list of over 250 million addresses, ~650,000 messages/hour

Controlled/used ~200 servers in Michigan, Texas and Asia, routing primarily through overseas ISPs.

Charge to send one solicitation to his entire list: up to $22,000

"When you're sending out 250 million e-mails, even a blind squirrel will find a nut."

Mr. Ralsky has amassed his fortune with an e-mail response rate of less than one quarter of one percent.

During the time he was in business, spam increased from 8% to 36% of all electronic mail. It is expected to increase to 50% by 2005.


Profile

Sanford Wallace and his companies, SmartBot.net Inc. of Richboro, Pa., and Seismic Entertainment Productions Inc. of Rochester, N.H., are required by the agreement to send online ads only to people who visit their Web sites.

Wallace used spyware to infiltrate computers, overwhelming them with ads and other programs. Then, he tried to sell programs he claimed would fix the problems.

He headed a company called Cyber Promotions that sent as many as 30 million junk e-mails daily to consumers, earning him the nicknames "Spam King" and "Spamford". He left the company after lawsuits from America Online and CompuServe.


Statistics

* In early 2003, spam accounted for about 50% of all e-mail
* Postini (Redwood City, CA), an anti-spam firm, scans ~400 million messages/day
* By the end of 2003, this had grown to roughly 75 percent. Throughout 2004, spam accounted for 75 to 80 percent of all e-mail (Postini)
* Denver-based MX Logic reported spam at ~77 percent of the messages scanned in 2004. In December 2003, spam accounted for 67 percent of messages.


Stopping Spam


What Can We Do?

1. Make it illegal to send spam

2. Policy, Policy, Policy

3. Technically blocking spam


The Legal Avenue

* CAN-SPAM Act of 2003 (S. 877) (Burns-Wyden), signed Dec. 16, 2003
  * Illegal to falsify the "from" and "subject" lines of e-mail
  * Requires senders of bulk e-mail to include a working "unsubscribe" link
  * The law doesn't allow individual e-mail users to sue spammers
* AOL reported a drop-off both in the volume of e-mail hitting its network and in the amount of spam delivered to users' inboxes in 2004
  * Fielded 1.6 billion e-mail messages in 2004, down from 2.1 billion in 2003
  * March 2004: filed several lawsuits targeting some of the most prolific spammers, more to follow
* Approximately 20 states have local laws - http://www.spamlaws.com/state/summary.html


The Legal Avenue

Summary of Bills in front of 108th Congress (109th now)

* Anti-Spam Act of 2003 (H.R. 2515) (Wilson)
* Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003 (S. 1052) (Bill Nelson)
* Computer Owners' Bill of Rights (S. 563) (Dayton)
* Criminal Spam Act of 2003 (S. 1293) (Hatch)
* Reduction in Distribution of Spam Act of 2003 (H.R. 2214) (Burr)
* REDUCE Spam Act of 2003 (H.R. 1933) (Lofgren)
* Stop Pornography and Abusive Marketing Act (S. 1231) (Schumer)
* Wireless Telephone Spam Protection Act (H.R. 122) (Holt)

Resource at http://www.spamlaws.com


Stopping Spammers From Sending Spam

* Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail across the Internet
* Designed when the Internet was small and friendly
* Very efficient at forwarding and delivering email
* Not intended to manage content

Post Office


The ISP

Why Can't the ISP Just Block it?

* Data movers: what would they block?
* Often it is difficult for ISPs to block spam to everyone
* Expensive to implement
* Difficult to maintain
* Often inconvenient for users


Kill the Relay

The Simple Mail Transfer Protocol, as used, does not check passwords or any other sort of access when it is accepting messages for delivery.

If a spammer connects to your email server all they have to do is give it a list of addresses. The MTA then 'fans out' the lists of email addresses into real attempts to connect to remote sites.

While this simple technique works fairly well, not all mail server packages support this feature.

Third-party software, such as Lyris MailShield, can add anti-relay security to servers that do not support filtering of TCP/IP addresses or other anti-relay techniques.

If your company has employees who travel or telecommute, you may wish to only allow specific "From:" addresses to prevent unauthorized relaying.

Use a mail proxy server with anti-relay features, and a regular mail server that is protected by a firewall, internal TCP/IP address, or port-moving technique.
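As an added worked example (not part of the presentation), the relay rule these slides describe, written as a per-RCPT-TO check a mail relay could apply; the local domains, internal networks and roaming-sender list are constructed placeholders.

```python
# Added example, not from the presentation: "Kill the Relay" as a decision
# function. Mail FOR a hosted domain is delivery and is always accepted; mail
# for anyone else is relaying, allowed only from our own networks (or, for
# roaming staff, from an approved envelope sender). An outside host handing us
# a list of foreign recipients is therefore refused. All names are constructed.
import ipaddress

LOCAL_DOMAINS = {"example.com", "mail.example.com"}      # we accept mail FOR these
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # we relay FROM these
# Approved envelope senders for travelling/telecommuting users. On its own this
# is forgeable (the slide's "From:" allowlist); pair it with SMTP authentication.
ALLOWED_ROAMING_SENDERS = {"alice@example.com"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    _, _, dom = addr.strip("<> ").rpartition("@")
    return dom.lower()


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str) -> tuple[bool, str]:
    """Decide one RCPT TO command. Returns (accept, SMTP reply text)."""
    # 1. Mail for a domain we host is delivery, not relaying: always accepted.
    if _domain(rcpt_to) in LOCAL_DOMAINS:
        return True, "250 OK"
    # 2. Relaying to foreign domains is allowed from our own address space ...
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return True, "250 OK"
    # 3. ... or for an explicitly approved roaming sender.
    if mail_from.strip("<> ").lower() in ALLOWED_ROAMING_SENDERS:
        return True, "250 OK"
    # 4. Anything else is an open-relay attempt: refuse it.
    return False, "550 Relaying denied"


def count_accepted(client_ip: str, mail_from: str, recipients: list[str]) -> int:
    """How many RCPT TO commands of one session would be accepted."""
    return sum(relay_decision(client_ip, mail_from, r)[0] for r in recipients)


if __name__ == "__main__":
    # Constructed session: an outside host tries to fan a message out to strangers.
    fan_out = ["victim1@other.example", "victim2@another.example", "bob@example.com"]
    for r in fan_out:
        print(r, "->", relay_decision("203.0.113.9", "<nobody@spammer.example>", r)[1])
```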


Stopping Spammers From Sending Spam (2)

Open mail relays are a serious impediment to stopping spam!

(Diagram: spammer.com, openrelay.com and victim.com connected through the Internet)


Address Munging

Address munging is the act of modifying one's email address so that email sent to that address will not be delivered to the person doing the modifications.

The Jargon File defines 'mung' as 'Mash Until No Good', probably originating at MIT.

Munging DOES NOT MEAN MAKING YOURSELF ANONYMOUS

Trying to hide your identity by faking your email address simply does not work.

Trying to hide from spammers by changing the "name" or "real name" portion of your posted address also does not work.


Should I “unsubscribe”?

* Often a plot to appear responsible
* Spammers would be out of business very quickly if everyone unsubscribed
* Unsubscribing provides proof that your e-mail address is active


What Can I do?

Forward a message with your spam complaint to the Internet Service Provider (ISP) that hosts the spammer's e-mail account.

For example, if you received spam from [email protected], then go to the Web site www.llama-boy.com and look for a "contact us" page.

Often ISPs have an e-mail account called "abuse" for such purposes.

You could also try [email protected] or [email protected].

Try to verify what the correct address is first so you don't waste anyone else's time.

Reputable ISPs will investigate spammers


Mail Clients

Outlook
* Automatically flags suspect email and places it in the "Junk Mail" folder
* Users can flag email and move it to Junk Email
* All email from a domain can be marked as Junk

Netscape
* Netscape Mail automatically detects incoming messages that appear to be spam. When it detects a message that appears to be unwanted, it marks the message's Junk Status column with a special junk mail icon
* Need to "teach" Netscape Mail what is spam

Yahoo Web Email
* In "Mail Options", provides address blocking features, filters and spam protection

Hotmail
* Various anti-spam features, including three automatic levels


Third Party Add-ons

Cloudmark offers a plug-in for Outlook and Outlook Express that allows you to mark specific emails as spam and registers those emails on its network. When enough people mark a message as spam it automatically deletes the message from every member’s inbox.

SpamArrest takes a different approach. It filters all your mail through its mail server and only forwards mail from those senders who have been approved by you or those that have been challenged to type in a special keyword.

MailBlocks: Offers a web-based email service like Hotmail but it has a built in challenge/response system similar to the one employed by the SpamArrest service.


Ban header text

Many spam programs include telltale text in the headers of messages they send. For example: "public.com" or "friend@public."

Other examples of telltale text and tags include: "savetrees.com," "relay.comanche.denmark," and "x-advert."

If you ban header text, you can eliminate a significant amount of spam created by automated programs.


Filtering

In addition to filtering TCP/IP addresses and header text, it is also important that your server or anti-spam software filter body text.

The email address given in the body of the text may not be the same as the "From:" address, an indicator that the mail could be spam.

Filtering body text and subject lines also allows you protection against the recent Melissa virus since "Melissa-tainted" email often includes the following telltale information:

* A subject line of: "Important Message From [sender's name]"
* A body with the following content: "Here is that document you asked for ... don't show anyone else ;-)"


Tarpit spammers

Tarpitting involves creating delays that slow down the mail-sending sessions of spammers.

Evidence shows that when tarpitting slows down mail-sending from a server that is used for unauthorized relaying, the owner of the server may (1) become aware of the unauthorized relaying if he or she wasn't aware of it before and (2) adopt higher security measures to avoid being tarpitted.

Besides tarpitting specific domains, one might also tarpit users that attempt to send mail to large numbers of people. Spam software works by sending a single message, and a huge BCC (blind carbon copy) list to the server for delivery.

If you know that your customers (in the case of an ISP) or employees do not need to send mail to more than 20 recipients per message, you might tarpit a mail-sending session that attempts to send mail to 50 recipients.

Some anti-spam software also allows you to tarpit specific TCP/IP addresses.


Enforce Email Standards

Internet email standards basically state the following:

* All mail must include a "From:" header.
* All mail must include a "To:" header.
* All mail servers must have a reverse DNS host entry.

Spammers typically violate Internet mail standards.

Anti-spam software like Lyris MailShield allows you to modify the rules for filtering mail and send an explanation message to users that their mail was rejected

Although not explicitly stated, valid host values for the HELO command are also encouraged by the Internet standards.


Tracking, Blocking, and Filtering Spam


Example: Standard E-Mail Message

Date: Tue, 25 Mar 1997 12:00:48 -0500 (EST)
From: John Smith <[email protected]>
To: Joe Roundy <[email protected]>
Subject: Hello

This is a perfectly good e-mail message.


Example: All Message Headers

From [email protected] Wed Jan 15 12:00:50 2003
Return-Path: jsmith
Received: (from jsmith@localhost) by netcraftsmen.net (8.6.12/8.6.9) id MAA00135; Wed, 15 Jan 2003 12:00:48 -0500
Date: Wed, 15 Jan 2003 12:00:48 -0500 (EST)
From: John Smith <[email protected]>
To: Joe Roundy <[email protected]>
Subject: Hello
Message-ID: <Pine.LNX.3.91.970325115954.130A-[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:

This is a perfectly good e-mail message.


Example: Forged Mail Headers

Date: Tue, 25 Mar 1997 12:25:57 -0500

From: [email protected]

Hello. This is a really horrible piece of forged e-mail.


Forged Mail Headers: Who Is Responsible?

From [email protected] Wed Jan 15 12:26:29 2003
Return-Path: [email protected]
Received: from nowhere.com (jsmith@localhost [127.0.0.1]) by netcraftsmen.net (8.6.12/8.6.9) with SMTP id MAA00153 for jroundy; Wed, 15 Jan 2003 12:25:57 -0500
Date: Wed, 15 Jan 2003 12:25:57 -0500
From: [email protected]
Message-Id: <[email protected]>
Apparently-To: [email protected]
Status: RO
X-Status:

Hello. This is a really horrible piece of forged e-mail.


Example: Actual Spam

Return-Path: <[email protected]>
Received: from mindless.com ([202.7.209.122]) by netcraftsmen.net (netcraftsmen.net mail service) with SMTP id 18xLfy7t43Nl3oW0 Sun, 12 Jan 2003 11:46:12 -0500 (EST)
Received: from 115.131.120.61 ([115.131.120.61]) by webmail.halftomorrow.com with esmtp; Sun, 12 Jan 2003 04:47:29 -1100
Received: from unknown (HELO mxs.perenter.com) (190.44.249.166) by public.micromail.com.au with NNFMP; Sat, 11 Jan 2003 17:46:47 +0900
Received: from unknown (85.121.248.18) by asx121.turbo-inline.com with asmtp; 12 Jan 2003 02:46:05 +1000
Received: from [98.109.171.85] by external.newsubdomain.com with local; 12 Jan 2003 12:45:23 -0300
Received: from unknown (HELO qnx.mdrost.com) (205.236.177.234) by nntp.pinxodet.net with NNFMP; Sun, 12 Jan 2003 09:44:41 -0500

<- SNIP ->
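As an added example (not part of the presentation), a small Python parser that walks the Received: chain of the spam above, hop by hop, and shows why only the top line can be trusted: each relay prepends its own Received: header, so the one written by the receiving server (netcraftsmen.net) records the real peer, while every line below it arrived with the message and may be forged. The header block is re-typed from the slide as a constructed sample string.

```python
# Added example, not from the presentation: trace the Received: chain of the
# spam shown on the slide. hops[0] is the line OUR server wrote (trusted);
# the lines below it were supplied by the sender and cannot be verified.
import re

# Constructed sample: the Received: headers from the slide, with one folded
# continuation line (RFC 2822 allows a header to continue on an indented line).
SAMPLE_HEADERS = """\
Received: from mindless.com ([202.7.209.122]) by netcraftsmen.net
 (netcraftsmen.net mail service) with SMTP id 18xLfy7t43Nl3oW0 Sun, 12 Jan 2003 11:46:12 -0500 (EST)
Received: from 115.131.120.61 ([115.131.120.61]) by webmail.halftomorrow.com with esmtp; Sun, 12 Jan 2003 04:47:29 -1100
Received: from unknown (HELO mxs.perenter.com) (190.44.249.166) by public.micromail.com.au with NNFMP; Sat, 11 Jan 2003 17:46:47 +0900
Received: from unknown (85.121.248.18) by asx121.turbo-inline.com with asmtp; 12 Jan 2003 02:46:05 +1000
Received: from [98.109.171.85] by external.newsubdomain.com with local; 12 Jan 2003 12:45:23 -0300
Received: from unknown (HELO qnx.mdrost.com) (205.236.177.234) by nntp.pinxodet.net with NNFMP; Sun, 12 Jan 2003 09:44:41 -0500
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(headers: str) -> list[str]:
    """Join continuation lines (those starting with whitespace) onto their header."""
    out: list[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(value: str) -> dict:
    """Pull claimed host, HELO name, peer IP and receiving host out of one Received: value."""
    m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", value, re.S)
    if not m:
        return {"raw": value}               # unparseable hop; keep it visible
    from_part, by_host = m.group(1), m.group(2)
    claimed = from_part.split()[0].strip("[]()")       # what the peer called itself
    helo = re.search(r"\(HELO\s+([^)\s]+)\)", from_part)
    ip = IPV4.search(from_part)                          # address the relay saw
    return {"claimed": claimed, "helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None, "by": by_host}


def trace_hops(headers: str) -> list[dict]:
    """Hops top-down: hops[0] was written by the server that delivered to us."""
    return [parse_received(h[len("Received:"):].strip())
            for h in unfold(headers) if h.startswith("Received:")]


def suspicious_hops(hops: list[dict]) -> list[int]:
    """Indexes of hops where the peer gave no resolvable name (only 'unknown' or a bare IP)."""
    return [i for i, h in enumerate(hops)
            if h.get("claimed") in ("unknown", None) or h.get("claimed") == h.get("ip")]


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_HEADERS)
    print("peer recorded by our own server:", hops[0]["ip"], "via", hops[0]["by"])
    for i in suspicious_hops(hops):
        print("unverifiable hop", i, hops[i])
```

Only the peer address in hops[0] is worth reporting to an abuse desk; the rest of the chain is the spammer's story, not evidence.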


Mail Filtering

Modern mail software packages have features to filter mail based on:

* Message headers
* Message body
* Sending host, including:
  * IP address
  * DNS lookup
  * SMTP responses
* Many more ...


Real-Time Blocking Lists (RBL)

RBLs provide efficient and consensual blocking of mail hosts known to harbor spammers

Examples include:
* http://www.dnsbl.org
* http://relays.osirusoft.com

Caution is advised when choosing your RBL!

Example: RBL

1. Spammer starts to send spam to the victim
2. Victim checks with RBL to determine if spamking.net is a known spammer
3. RBL responds that spamking.net is a confirmed spammer
4. Victim blocks mail transmission

(Diagram, repeated for each step: spammer.com, rbl.com and victim.com connected through the Internet; in step 4 the transmission to victim.com is marked with an X.)
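As an added example (not part of the presentation), the four RBL steps above as they look inside a receiving MTA: the connecting address is reversed octet by octet, the list's zone is appended, and a DNS A record in 127.0.0.0/8 means "listed". The zone name, the addresses and the stand-in resolver are constructed so the example runs offline; a real server would resolve the name with DNS.

```python
# Added example, not from the presentation: a DNSBL (RBL) lookup at SMTP
# connection time. RBL_ZONE and FAKE_DNS are constructed stand-ins.
import ipaddress
from typing import Callable, Optional

RBL_ZONE = "rbl.example"                 # constructed; a real list has its own zone
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str = RBL_ZONE) -> str:
    """Step 2: '203.0.113.5' -> '5.113.0.203.rbl.example' (IPv4 only here)."""
    ip = ipaddress.IPv4Address(client_ip)          # rejects garbage input early
    return ".".join(reversed(str(ip).split("."))) + "." + zone


# Constructed stand-in for DNS: query name -> A record the list would return.
FAKE_DNS = {
    dnsbl_query_name("203.0.113.5"): "127.0.0.2",   # listed as a spam source
    dnsbl_query_name("203.0.113.6"): "127.0.0.3",   # listed as an open relay
    dnsbl_query_name("127.0.0.2"):   "127.0.0.2",   # conventional "list is alive" entry
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)                       # None stands for NXDOMAIN


def is_listed(client_ip: str,
              resolve: Callable[[str], Optional[str]] = fake_resolve) -> bool:
    """Step 3: ask the list and interpret the answer."""
    answer = resolve(dnsbl_query_name(client_ip))
    if answer is None:
        return False
    # Only loopback answers are valid listings. A dead or misconfigured list
    # that answers every query with some other address must NOT block mail,
    # which is the practical reason the slide says to choose your RBL with care.
    return ipaddress.IPv4Address(answer) in LOOPBACK


def smtp_connect_reply(client_ip: str,
                       resolve: Callable[[str], Optional[str]] = fake_resolve) -> str:
    """Step 4: what our MTA answers when the peer connects."""
    if is_listed(client_ip, resolve):
        return f"554 Service unavailable; {client_ip} is listed in {RBL_ZONE}"
    return "220 mail.example ESMTP"


if __name__ == "__main__":
    for peer in ("203.0.113.5", "198.51.100.20"):
        print(peer, "->", smtp_connect_reply(peer))
```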


Regular Expression Matching

Searches incoming messages for patterns of text that are known to be used by spammers

Improper sensitivity levels may miss spam or mark legitimate messages as spam

Very commonly used method


Example: Regular Expression Matching

Set up a regular expression filter. Search for the regular expression:

* "Buy Widgets"
* "Hot Date!"

Drawbacks?


Regular Expression Matching: Hit Lists

Method used to avoid mislabeling legitimate messages

Every regular expression “hit” is associated with some number of “points”

When a threshold is met, the mail is marked as spam
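As an added example (not part of the presentation), the point-scoring scheme of this slide applied to the rules from the earlier slides: the banned header text ("public.com", "x-advert"), the Melissa subject and body strings, the body-address-versus-From: check, and the "Buy Widgets" / "Hot Date!" patterns. The rules, their points, the threshold and the two sample messages are constructed for illustration.

```python
# Added example, not from the presentation: scored regular-expression "hit
# lists". Each rule that matches adds its points; the message is marked as
# spam only when the total reaches THRESHOLD, so a single innocent mention of
# widgets does not condemn a legitimate message. Rules and points are constructed.
import re

# (name, compiled regex or None for a special check, where to look, points)
RULES = [
    ("BUY_WIDGETS",   re.compile(r"buy\s+widgets", re.I),                     "body",    2.0),
    ("HOT_DATE",      re.compile(r"hot\s+date!", re.I),                       "subject", 2.0),
    ("PUBLIC_COM",    re.compile(r"public\.com|friend@public\.", re.I),        "headers", 3.0),
    ("X_ADVERT",      re.compile(r"^x-advert", re.I | re.M),                   "headers", 3.0),
    ("MELISSA_SUBJ",  re.compile(r"^Important Message From ", re.I),          "subject", 2.5),
    ("MELISSA_BODY",  re.compile(r"Here is that document you asked for", re.I), "body",  2.5),
    ("FROM_MISMATCH", None,                                                    "special", 1.5),
]
THRESHOLD = 5.0
ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def split_message(raw: str) -> tuple[dict, str]:
    """Split a raw message into ({lower-cased header name: value}, body).
    Simplification: a repeated header name keeps only its last value."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def score_message(raw: str) -> tuple[float, list[str]]:
    """Return (total points, names of the rules that hit)."""
    headers, body = split_message(raw)
    head_text = "\n".join(f"{k}: {v}" for k, v in headers.items())
    total, hits = 0.0, []
    for name, rx, where, points in RULES:
        if where == "special":
            # "The address given in the body may not be the same as From:"
            from_addr = ADDR.search(headers.get("from", ""))
            body_addr = ADDR.search(body)
            hit = bool(from_addr and body_addr
                       and from_addr.group(0).lower() != body_addr.group(0).lower())
        else:
            text = {"body": body, "subject": headers.get("subject", ""), "headers": head_text}[where]
            hit = rx.search(text) is not None
        if hit:
            total += points
            hits.append(name)
    return total, hits


def is_spam(raw: str) -> bool:
    return score_message(raw)[0] >= THRESHOLD


# Constructed sample messages.
SPAMMY = """\
From: friend@public.com
To: jroundy@example.com
Subject: Hot Date!
X-Advert: yes

Buy Widgets today! Reply to sales@other.example
"""
LEGIT = """\
From: john@example.com
To: jroundy@example.com
Subject: Hello

Could you buy widgets for the office? Thanks, John
"""

if __name__ == "__main__":
    for raw in (SPAMMY, LEGIT):
        print(score_message(raw), "spam" if is_spam(raw) else "ham")
```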


Text Searches Vs. Language

Computers search text for specific strings

People read text and comprehend language

How do we program a computer to recognize language in terms that it can understand?


Bayesian Filtering

* Filters spam based on a statistical analysis of the contents
* Calculates the probability of a message being spam based on its contents and previous email
* Learns from spam and from good mail
* Scoring content-based spam filters look for words and other characteristics typical of spam. Every characteristic element is assigned a score, and a spam score for the whole message is computed from the individual scores
* Adaptive


Implementing Bayesian Filtering

* Build two collections of mail: spam and non-spam
* Collections should be at least 4000 messages for accurate results
* The filter breaks apart messages into a collection of tokens and creates a hash


Compare E-Mail to the Token Hash

As e-mail is received:

1. Separate the e-mail into tokens
2. Compare it to the hash
3. Based on the outcome, mark it appropriately
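As an added example (not part of the presentation), the procedure of the last three slides in working Python: two collections of mail are tokenized into a hash of per-token spam probabilities, and new mail is tokenized, compared against that hash and marked. The combination formula follows Paul Graham's "A Plan for Spam"; the corpora are a few constructed lines, far below the 4000 messages the slide recommends, so the numbers illustrate the mechanism rather than real accuracy.

```python
# Added example, not from the presentation: a minimal Bayesian spam filter.
# SPAM_CORPUS / HAM_CORPUS are constructed training collections.
import math
import re
from collections import Counter

TOKEN = re.compile(r"[A-Za-z$][A-Za-z0-9$'.-]*")

SPAM_CORPUS = [
    "Buy widgets now! Lowest price guaranteed, click here",
    "Hot date tonight? Click here for free access",
    "Free money, lowest price mortgage, act now",
    "Cheap widgets and free gifts, click here now",
]
HAM_CORPUS = [
    "Here is the agenda for the Tuesday network meeting",
    "Can you review the firewall change before the meeting?",
    "Lunch on Tuesday? The new place near the office",
    "Attached is the draft of the security report for review",
]


def tokenize(text: str) -> set[str]:
    """Break a message into its distinct, lower-cased tokens."""
    return {t.lower() for t in TOKEN.findall(text)}


def build_hash(spam: list[str], ham: list[str]) -> dict[str, float]:
    """Training: token -> P(spam | token), the 'hash' the slides refer to.
    Good-mail counts are doubled (Graham's bias against false positives)."""
    bad = Counter(t for m in spam for t in tokenize(m))
    good = Counter(t for m in ham for t in tokenize(m))
    table: dict[str, float] = {}
    for tok in set(bad) | set(good):
        b = bad[tok] / len(spam)          # fraction of spam containing the token
        g = 2 * good[tok] / len(ham)      # fraction of good mail, doubled
        table[tok] = min(0.99, max(0.01, b / (b + g)))   # no token is ever "certain"
    return table


def spam_probability(text: str, table: dict[str, float], n: int = 15) -> float:
    """Scoring: look every token up in the hash and combine the n most telling ones."""
    probs = sorted((table.get(t, 0.4) for t in tokenize(text)),   # unseen tokens lean ham
                   key=lambda p: abs(p - 0.5), reverse=True)[:n]
    if not probs:
        return 0.5
    # prod(p) / (prod(p) + prod(1-p)), computed in log space so long mail cannot underflow
    log_p = sum(math.log(p) for p in probs)
    log_q = sum(math.log(1.0 - p) for p in probs)
    return 1.0 / (1.0 + math.exp(log_q - log_p))


def classify(text: str, table: dict[str, float], threshold: float = 0.9) -> str:
    """Mark the message based on the outcome."""
    return "spam" if spam_probability(text, table) >= threshold else "ham"


if __name__ == "__main__":
    table = build_hash(SPAM_CORPUS, HAM_CORPUS)
    for msg in ("Click here now for free widgets at the lowest price",
                "Can we move the Tuesday meeting to review the report?"):
        print(f"{spam_probability(msg, table):.3f}  {classify(msg, table)}  {msg}")
```

Because the hash is rebuilt from whatever the users file as spam or good mail, the filter adapts to each site's traffic, which is what the "Adaptive" bullet on the earlier slide refers to.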


Spam Filtering Architectures and Examples


Example Network: No Filtering

(Diagram: Microsoft Exchange Server, Firewall, three Mail Clients, Internet)


Example Network: Mail Relay

(Diagram: Microsoft Exchange Server, Firewall, three Mail Clients, Internet, Mail Relay)


Preparing the Mail Relay

The mail relay should:

* Run on a stable, fault-tolerant operating system
* Only be running mail applications
* Be hardened against attack


Example Network: Redundant Relays

(Diagram: Microsoft Exchange Server, Firewall, three Mail Clients, Internet, two Mail Relays)


Relay Filtering Options

MailScanner - http://www.mailscanner.info

Separates incoming and outgoing mail into separate queues

Runs external anti-virus and spam filtering software to scan incoming mail


MailScanner Architecture

(Diagram: Inbound Queue -> MailScanner (Anti-Virus, Spam Filter) -> Outbound Queue)


Spam Filtering Options

SpamAssassin - http://www.spamassassin.org

Supports:
* RBL
* Regular expression matching
* Text analysis
* Bayesian filtering


Example Network: Outgoing Mail

(Diagram: Microsoft Exchange Server, Firewall, three Mail Clients, Internet, two Mail Relays)


Questions

Joe Roundy

Senior Security Consultant

[email protected]

Resources

* http://www.letsgo.com/HAW/02-LifeTimes-57
* http://www.spamfilterreview.com/spam-statistics.html
* http://www.spamlaws.com
* http://email.about.com/cs/bayesianfilters/a/bayesian_filter.htm
* http://www.spamfilterreview.com/index.html