Final Lab - Spam
Group 10: Scott Durr, Stephen Thompson
Outline
• Introduction
• Set up
• Obtaining Email Addresses
• Sending Mass Emails
• Filtering & Stopping Spam
Introduction
• Almost 90% of email is now considered Spam!
  – Messaging Anti-Abuse Working Group Report #6, Oct 2007
• Huge drain on resources
• Strains the infrastructure
• Distracts/Annoys us all
• Major delivery mechanism for Malware!
The Costs
• The State of California estimates Spam cost the state's economy $1.2 billion in 2003. They estimate the entire US suffered a $10 billion loss in that same year.
  – http://www.spamlaws.com/state/ca.shtml
• That was in 2003…
Our Set Up
[Network diagram of the lab]
• Servers: Host Machine 57.35.6.131, RedHat 7.2 Machine 57.35.6.132
• Clients: WinXP 57.35.6.133, WinXP2 57.35.6.134
Major Software Packages
• Apache2 Web Server
• Sendmail Email Server w/ SpamAssassin
  – Included on lab installs of Redhat 7.2 and Redhat WS 4.0
• Qpopper
  – POP3 server
• PINE
• Outlook Express
  – Included with WinXP
• Evolution
  – Included with RedHat
• Spam software:
  – Atomic Email Hunter & Atomic Email Sender
Two Email Servers
• Set up with slightly different rules for comparison
• Were NOT able to SMTP between Sendmail servers because Sendmail MUST have DNS running in order to find other servers.
  – We didn't want to tackle the additional setup.
  – We could accomplish what we wanted without it.
Obtaining Email Addresses
• Many different methods, but we focus on:
  – Email address spider
  – Anonymous FTP trick
  – Verification of Email addresses at the server
Email Address Spiders
• Crawl the web and copy anything that looks like an email address.
• Implemented a basic one with wget and grep, using a regular expression:

    wget -rFO lotsofhtml.txt http://localhost/
    egrep -rhoie '[[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3}' lotsofhtml.txt

  That regex is: [[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3}
• Example
"Atomic Email Hunter"
• Commercial Windows program that implements an email address spider.
• Tested on the same dummy websites as our homemade one.
• Has a lot more features.
Anonymous FTP
• A throwback from the days of old: Anonymous FTP logins require an email address as a password!
• Set up your web page to grab images via FTP instead of HTTP and some browsers will cough up an email address.
• Tested on Mozilla and IE: they give dummy addresses.
Verifying Email Addresses
• Why is this important?
  – A "good" email list will minimize alerts that might catch the spammer.
  – Allows for a 'guess and test' method of email address discovery.
• VRFY and EXPN
  – Ask the server if an address is good (VRFY)
  – Ask the server about an alias/list (EXPN)
  – Disable these!
Verifying Email Addresses
• During the SMTP exchange, you pass a "TO" address to the server. It will come back and tell you if it is good!
• Email headers implemented by many clients:

    Return-Receipt-To: <email-address>
    X-Confirm-Reading-To: <email-address>

  Make sure you disable these as defaults in Outlook and others!
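As an added example (not the lab's own code), a check an administrator can run against a mail server they manage after turning VRFY and EXPN off, to confirm that neither command still confirms or denies an address. It uses Python's standard smtplib; the host, port and probe name are assumptions.

```python
import smtplib

def interpret(code):
    """Map an SMTP reply code for VRFY/EXPN to what it reveals to a harvester."""
    if code in (250, 251, 550, 551, 553):
        return "enabled"        # a yes or a no: the address is confirmed or denied
    if code == 252:
        return "noncommittal"   # "cannot VRFY, try RCPT": reveals nothing
    if code in (500, 502):
        return "disabled"       # command refused or not implemented
    return "unknown"

def audit_vrfy_expn(host="localhost", port=25, probe="postmaster", timeout=10):
    """Query the server you administer and report VRFY/EXPN status as a dict.
    host/port/probe are assumptions; postmaster is used because it must exist."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        vrfy_code, _ = smtp.verify(probe)   # sends VRFY postmaster
        expn_code, _ = smtp.expn(probe)     # sends EXPN postmaster
    return {"VRFY": interpret(vrfy_code), "EXPN": interpret(expn_code)}

if __name__ == "__main__":
    print(audit_vrfy_expn())
```

On sendmail the slide's advice corresponds to define(`confPRIVACY_FLAGS', `novrfy,noexpn') in sendmail.mc; after rebuilding sendmail.cf, neither entry should read "enabled".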
Defeating those Email Spiders
• Two choices
  – Hide your email address
  – Actively counter spiders
Hide your email address
• Use a script to return an email address instead of putting the address in code.
• ECE does this for their faculty!
• Great example, courtesy of Mr. Tim Williams at U. Arizona: http://www.u.arizona.edu/~trw/spam/spam4.htm
WPoison
• Available at http://www.monkeys.com/wpoison/
• Actively thwarts spiders by generating random pages with more links and email addresses.
• Each link leads right back to WPoison!
  – Run the spider in a circle, filling it with garbage.
  – We have a video
WPoison Movie
Sending Mass Emails
• Methods
  1. Use your own (school/ISP) SMTP server
     • You will probably get caught and shut down!
  2. Use another, third party SMTP server
     • You will probably be blocked from Relaying
  3. Connect directly to the recipient's server
     • This takes some work, and you might get blacklisted
  4. Do any of the above via a Bot Net
     • Even if you get caught, you don't get blocked!
Our Simulations
[Network diagram of the lab: Servers Host Machine 57.35.6.131 and RedHat 7.2 Machine 57.35.6.132; Clients WinXP 57.35.6.133 and WinXP2 57.35.6.134; a fictional yahoo.com]
• Method #1: Use your SMTP Server
• Method #2: Use a Third Party SMTP Server
• Method #3: Connect Directly to Victim's SMTP Server
• Method #4: Bot Net
Mass Email Countermeasures
• Limit who can send on your server
  – Only users on the domain can "RELAY"
  – Use a blacklist to prevent connections from known spammers
• Filter messages as they come in
SpamAssassin
• Open source & extremely common
• Very complex
  – Lots of rules
  – Uses scores to determine what is spam
  – Has learning capabilities
• Can connect to services to receive rules and blacklists
  – www.spamhaus.org
• More info at: http://spamassassin.apache.org
SpamAssassin in the Lab
• We walk through the setup of some basic rules.

    required_score 5
    report_safe 0
    rewrite_header Subject [**SPAM** _SCORE_]

    body FIRST_RULE /BUY ME/
    describe FIRST_RULE Check if "BUY ME" is in the body
    score FIRST_RULE 4.0

    header SECOND_RULE Subject =~ /Cheap/
    describe SECOND_RULE Check if Cheap is in the subject line
    score SECOND_RULE 4.0

    body THIRD_RULE /Safe/i
    describe THIRD_RULE Check for Safe to make it safe
    score THIRD_RULE -10.0

    # Blacklist all mail from domain spam.org
    blacklist_from *.spam.org
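To show how those rules combine into a verdict, here is an added Python re-implementation of the lab's rule set (hypothetical, neither SpamAssassin nor the lab's own code) run over three constructed messages. The USER_IN_BLACKLIST weight of 100 is an assumption taken from SpamAssassin's default score for that rule.

```python
import re
import fnmatch
from email import message_from_string
from email.utils import parseaddr

# Hypothetical re-implementation of the lab's local.cf rules (not SpamAssassin).
REQUIRED_SCORE = 5.0                # required_score 5
BODY_RULES = {                      # name: (pattern, score); THIRD_RULE is /Safe/i
    "FIRST_RULE": (re.compile(r"BUY ME"), 4.0),
    "THIRD_RULE": (re.compile(r"Safe", re.IGNORECASE), -10.0),
}
HEADER_RULES = {                    # name: (header, pattern, score)
    "SECOND_RULE": ("Subject", re.compile(r"Cheap"), 4.0),
}
BLACKLIST_FROM = ["*.spam.org"]     # blacklist_from *.spam.org
BLACKLIST_SCORE = 100.0             # assumption: SpamAssassin's USER_IN_BLACKLIST weight

def score_message(raw):
    """Return (total_score, names_of_rules_hit) for one RFC 822 message string."""
    msg = message_from_string(raw)
    total, hits = 0.0, []
    body = msg.get_payload()
    for name, (pattern, points) in BODY_RULES.items():
        if pattern.search(body):
            hits.append(name)
            total += points
    for name, (header, pattern, points) in HEADER_RULES.items():
        if pattern.search(msg.get(header, "")):
            hits.append(name)
            total += points
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if any(fnmatch.fnmatch(sender, pat) for pat in BLACKLIST_FROM):
        hits.append("USER_IN_BLACKLIST")
        total += BLACKLIST_SCORE
    return total, hits

def deliver_subject(raw):
    """Apply rewrite_header Subject [**SPAM** _SCORE_] once required_score is reached."""
    total, _ = score_message(raw)
    subject = message_from_string(raw).get("Subject", "")
    if total >= REQUIRED_SCORE:
        return "[**SPAM** %.1f] %s" % (total, subject)
    return subject

# Constructed sample messages (not real mail).
SPAM_SAMPLE = "From: deals@example.net\nSubject: Cheap watches\n\nBUY ME now\n"
HAM_SAMPLE = ("From: alice@example.net\nSubject: Cheap lab notes\n\n"
              "BUY ME a coffee. This message is Safe.\n")
BLACKLISTED_SAMPLE = "From: Deals <deals@mail.spam.org>\nSubject: hello\n\nnothing here\n"
```

The second sample shows the lab's THIRD_RULE at work: it trips both 4.0 rules yet lands at -2.0, so its Subject is delivered unchanged.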
Your Last Line of Defense…
• The email client
• Web-based email clients can rapidly aggregate feedback and build more responsive filters.
• Gmail, Yahoo, Hotmail, etc.
In the Lab Summary
• Set up Servers
• Harvest emails
  – Email Address Spiders: wget/grep & Atomic
  – FTP method
• Experiment with address verification
• Send mass emails through each scenario
  – Use manual connection and Atomic Email Sender
• Implement some countermeasures
  – RELAY limitations
  – WPoison
  – Hide Email Addresses
• Install, setup, and test SpamAssassin
Questions?