AntiSpam: Understanding the good, the bad and the ugly
Transcript of "AntiSpam: Understanding the good, the bad and the ugly"
By Aseem Jakhar
About Me
Security and open source enthusiast.
Have Worked on many enterprise security products.
Have disclosed many security issues to banks/organizations.
Speaker at security/open source conferences.
Founder of NULL security community.
Agenda
• What is Spam?
• Spam side effects
• Difficult problem to solve
• Messaging Primer
• Getting inside a spammer’s mind
• Layered Security
• AntiSpam Technologies
• Exploiting the Loop Holes
What is spam?
• No, it’s not the Hormel product.
• No standard definition; it differs on an individual basis.
• UBE (Unsolicited Bulk Email), UCE (Unsolicited Commercial Email).
• Ham: non-spam.
Spam side effects
• Bandwidth overload.
• Storage overload.
• Loss of end-user productivity.
Difficult problem to solve
• Human factor.
• Dynamic nature.
• Coming from valid but compromised sources.
• Best of buddies: viruses, worms, trojans and spam help each other propagate.
Messaging Primer
Sending emails
• SMTP - Simple Mail Transfer Protocol.
• MUA - Message User Agent (SMTP clients – Outlook).
• MSA – Message Submission Agent.
• MTA - Message Transfer Agent (SMTP servers, which also act as SMTP clients when relaying – sendmail).
• MDA - Message Delivery Agent (SMTP server/message store).
Retrieving emails
• POP - Post Office Protocol.
• IMAP - Internet Message Access Protocol.
Email format
• Envelope and message.
• MIME – Multipurpose Internet Mail Extensions.
Path of a Message
MUA → MSA/MTA → MTAs → MTA/MDA → Message Store → MUA
Email Format: Received Headers
Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Return-Path: <xxx@xxxx>
Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
Received: …………….
Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
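Added example, not part of the deck: walking a Received: chain like the one above to find the hop that handed the message to your own MTA. Hosts, addresses and the message are constructed, and `trusted_hosts` is the assumed set of your own server names. Each relay prepends its header, so the newest is on top, and only the headers your own servers wrote can be trusted, because everything below them arrived from the sender and may be forged.

```python
import re
from email import message_from_string

# Constructed sample in the layout of the headers above; hosts and addresses are made up.
SAMPLE = """Received: by mx.example.net with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Return-Path: <alice@sender.example>
Received: from relay.example.org (relay.example.org [203.0.113.7]) by mx.example.net with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received: from mail.sender.example (mail.sender.example [198.51.100.5]) by relay.example.org (8.13.1/8.13.1) with ESMTP id foobar2 for <bob@example.net>; Thu, 10 Jan 2008 17:16:11 +0530
From: alice@sender.example
Subject: test

body
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^\[\)]*?)\s*\[([^\]]+)\]\))?")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Split one Received: header into its clauses; parts that are absent are None."""
    value = " ".join(value.split())             # unfold continuation lines
    clauses, sep, date = value.rpartition(";")  # the timestamp follows the last ';'
    if not sep:                                 # no ';' at all: it is all clauses
        clauses, date = value, ""
    m = FROM_RE.search(clauses)
    by = BY_RE.search(clauses)
    return {
        "helo": m.group(1) if m else None,                            # name the peer announced
        "rdns": ((m.group(2) or "").strip() or None) if m else None,  # name the receiver resolved
        "ip": m.group(3) if m else None,                              # address the receiver saw
        "by": by.group(1) if by else None,
        "date": date.strip() or None,
    }


def delivery_path(raw_message, trusted_hosts):
    """Return (hops oldest-first, IP of the peer that handed the message to us).
    Walking newest-first, a header counts only while 'by' names one of our own
    hosts; the 'from' IP of the last such header is the address worth checking
    against block lists, SPF and reputation. Headers below it may be forged."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin_ip = None
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break
        origin_ip = hop["ip"] or origin_ip
    return list(reversed(hops)), origin_ip
```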
Email Format: Other headers
To: yyy@yyyy
Cc: xxx xxxx <xxx@xxxx>
MIME-Version: 1.0
Subject: email format - Attached jpeg image
X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971
Message-ID: <FOOBAR00000@xxxx>
From: xxx xxxx <xxx@xxxx>
Date: Thu, 10 Jan 2008 17:16:16 +0530
X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18
Email Format: MIME contd. and email body
Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="

--=_mixed 0040CB5E652573CC_=
Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="

--=_alternative 0040CB60652573CC_=
Content-Type: text/plain; charset="US-ASCII"

Hi, This is the email format with attached jpeg image

--=_alternative 0040CB60652573CC_=
Content-Type: text/html; charset="US-ASCII"

<br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif"> This is the email format with attached jpeg image</font>……

--=_alternative 0040CB60652573CC_=--
--=_mixed 0040CB5E652573CC_=
Content-Type: image/jpeg; name="Flower_1.jpg"
Content-Disposition: attachment; filename="Flower_1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHYVHpRRW62Doj//Z

--=_mixed 0040CB5E652573CC_=--
Getting inside a spammer’s mind
Intent
• Marketing
• Phishing
• Malware
Execution
• Gathering email addresses
• Hosting the web site
• Sending emails
Layered Security
Server Layer (MTAs)
• Network boundary/gateways.
• Mail routers.
• Message store.
Client Layer (MUAs)
• POP/IMAP/SMTP proxies.
• Plugins.
No single antidote.
Anti-Spam Technologies - ACLs
Blocklists
• IP/domain/user
Whitelists
• IP/domain/user
Types
• Internal: application specific
• External: community/paid servers
• DNSxLs – standard DNS queries.
Anti-Spam Technologies - ACLs
Greylisting
• Something between a whitelist and a blocklist.
• Exploiting the protocol for a good reason.
• Temporary rejection with a 4xy error code.
• Basic 3-tuple stored: <IP><MFROM><RCPT>
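An added example (not from the slides) of the greylisting logic just described: a minimal in-memory implementation keyed on the <IP><MFROM><RCPT> triplet. The delay, the expiry window and the injectable clock are assumed parameters, not values the deck gives.

```python
import time


class Greylist:
    """Greylisting on the <IP><MFROM><RCPT> triplet from the slide.

    First contact for a triplet gets a temporary 4xy reply. A real MTA queues
    the message and retries; a retry that arrives after `delay` seconds is
    accepted and the triplet is remembered, so later mail is not delayed again.
    Triplets that never retry within `retry_window` are forgotten.
    """

    TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
    ACCEPT = "250 2.1.5 OK"

    def __init__(self, delay=300, retry_window=4 * 3600, now=time.time):
        self.delay = delay                # assumed defaults: 5 min delay, 4 h window
        self.retry_window = retry_window
        self.now = now                    # injectable clock, so tests need not sleep
        self.pending = {}                 # triplet -> time first seen
        self.passed = set()               # triplets that completed a retry

    @staticmethod
    def triplet(ip, mail_from, rcpt_to):
        # Addresses are case-folded; an empty MAIL FROM (bounces) stays "".
        return (ip, mail_from.lower(), rcpt_to.lower())

    def check(self, ip, mail_from, rcpt_to):
        """Return the SMTP reply to give at RCPT TO time."""
        key = self.triplet(ip, mail_from, rcpt_to)
        if key in self.passed:
            return self.ACCEPT
        t = self.now()
        first = self.pending.get(key)
        if first is None or t - first > self.retry_window:
            self.pending[key] = t         # new or stale triplet: start the clock
            return self.TEMPFAIL
        if t - first < self.delay:
            return self.TEMPFAIL          # retried too soon
        del self.pending[key]             # retry after the delay: let it through
        self.passed.add(key)
        return self.ACCEPT
```

A sender that queues and retries after the delay passes, so greylisting mainly buys time for block lists and signatures to catch up and is one layer rather than a filter on its own.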
Anti-Spam Technologies – Content Filtering
String/Regex filters
• Static, dumb.
Behavioural filters
• Look for specific behaviour patterns.
Bayesian filters
• Intelligent, require learning time.
• Accuracy decreases when deployed on a server.
Anti-Spam Technologies – Content Filtering
Signature/fingerprint
• Fuzzy (Nilsimsa code), good as an add-on.
OCR (Optical Character Recognition)
• Image scanning, not efficient.
Anti-Spam Technologies – C/R
Challenge-Response systems
• Recipient challenges the sender.
• Bounce message/SMTP rejection.
• URL click/CAPTCHA test/reply to bounce.
• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).
Anti-Spam Technologies – Sender Driven
SPF (Sender Policy Framework)
• Anti-forgery.
• Uses DNS SPF/TXT records and the sender's IP and domain name.
• Publishes the authorized outbound SMTP hosts for a domain.
DKIM (DomainKeys Identified Mail)
• Signed messages.
• Anti-forgery, as the signing domain claims responsibility.
• Uses DNS TXT records and a DKIM-Signature header, for example:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
 h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type;
 bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=;
 b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMn q+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=
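Added example, not from the deck: parsing a DKIM-Signature header such as the one above and checking its bh= tag against the message body with the relaxed canonicalization the header names (c=relaxed/relaxed). The bodies used are constructed, and the b= signature itself is not verified, because that needs the public key published at <s>._domainkey.<d> in DNS.

```python
import base64
import hashlib
import re

HASHES = {"rsa-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1}  # a= values DKIM defines
REQUIRED = ("v", "a", "d", "s", "h", "bh", "b")


def parse_dkim_signature(header):
    """Turn 'tag=value; tag=value' into a dict, dropping the folding whitespace
    that is allowed inside h=, bh= and b=."""
    tags = {}
    for item in header.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)      # base64 padding '=' stays in value
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization (RFC 6376 section 3.4.4): strip trailing WSP,
    collapse WSP runs to one space, drop empty lines at the end, CRLF endings."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes, alg="rsa-sha256") -> str:
    return base64.b64encode(HASHES[alg](relaxed_body(body)).digest()).decode()


def check_body_hash(header, body: bytes):
    """Return (ok, reason). Only bh= is checked; b= needs the DNS-published key."""
    tags = parse_dkim_signature(header)
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        return False, "missing tags: " + ",".join(missing)
    if tags["v"] != "1" or tags["a"] not in HASHES:
        return False, "unsupported version or algorithm"
    canon = tags.get("c", "simple/simple").split("/")
    if (canon[1] if len(canon) > 1 else "simple") != "relaxed":
        return False, "only relaxed body canonicalization is implemented here"
    if "l" in tags:
        return False, "l= body length limits are not handled here"
    if body_hash(body, tags["a"]) != tags["bh"]:
        return False, "bh= does not match the body (altered in transit or wrong canonicalization)"
    return True, "body hash matches; next verify b= with the key at %s._domainkey.%s" % (tags["s"], tags["d"])
```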
Anti-Spam Technologies – Sender driven
HashCash
• Proof of work by the sender.
• Hard to compute, easy to verify.
• Square root/square problem.
• Partial hash collision (with zero bits): the stamp's hash must begin with a required number of zero bits.
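An added example, not taken from hashcash.org or the slides, of the proof of work: minting a hashcash-style stamp whose SHA-1 starts with the required number of zero bits, and the receiver's cheap verification including a double-spend check. The stamp layout follows hashcash version 1 (ver:bits:date:resource:ext:rand:counter); the resource names and bit counts are constructed values.

```python
import base64
import hashlib
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest (the 'partial collision')."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource, bits=20, date=None, rand=None):
    """Sender side: brute-force a counter until SHA-1(stamp) has `bits` leading
    zeros. Expected cost is 2**bits hashes; hashcash v1 layout, colon-separated."""
    date = date or time.strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(8)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, min_bits=20, spent=None):
    """Receiver side: one hash plus a few field checks. `spent` is a set of
    stamps already accepted, so one stamp cannot pay for many messages."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False                       # malformed
    bits, resource_claimed = int(fields[1]), fields[3]
    if resource_claimed != resource or bits < min_bits:
        return False                       # minted for someone else, or too cheap
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False                       # the work was not actually done
    if spent is not None:
        if stamp in spent:
            return False                   # double spend
        spent.add(stamp)
    return True
```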
Anti-Spam Technologies - Heuristics
Heuristic filters
• A combination of the above techniques.
• Defines rules, weights and threshold(s).
• Reduces the false-positive rate.
Reputation systems
• Advanced heuristics to create reputation.
• Create reputation of the IPs/domains sending messages.
Exploiting the Loop Holes – Evading filters
ACLs: Greylisting
• Simulating a simple queue thread with a 4-tuple <MSGID><TIME><MFROM><RCPT>.
• Resending after a predefined time.
Content Filtering
• Run the message content through filters/free email services.
• CAPTCHA effect for OCR.
Sample message (quoted-printable encoded; "=2E" is an encoded "."):
Subject: Never agree to be a loser
Buck up, your troubles caused by small dimension will soon be over!
Initiate a natural growth of your masculine muscle! http://veniutk=2Ecom/ control=2E All data was lost at T+5 minutes, 5
seconds=2Ethings happen=2E= We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three couples refused to pled= ge their
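The obfuscation in the sample above (quoted-printable "=2E" in place of "." and padding prose after the pitch) is what the rules, weights and threshold of a heuristic filter have to cope with. As an added example, not from the deck or any real product, a small scorer with constructed rules runs each rule over both the raw and the decoded text, so a URL rule still fires after decoding while a separate rule penalises the encoding trick itself; the two samples are the subject and body quoted on this slide and the subject and body quoted on the webmail slide later in the deck.

```python
import quopri
import re

# Constructed rules in the spirit of a heuristic filter: (name, pattern, weight).
# Weights and the threshold are illustrative, not taken from any real filter.
RULES = [
    ("DRUG_SPAM", re.compile(r"\b(viagra|cialis|soma)\b", re.I), 2.5),
    ("ENLARGEMENT", re.compile(r"\b(enlargement|masculine|dimension)\b", re.I), 2.0),
    ("OEM_SOFTWARE", re.compile(r"\boem software\b", re.I), 1.5),
    ("MORTGAGE", re.compile(r"\bmortgage rates?\b", re.I), 1.0),
    ("HAS_URL", re.compile(r"https?://\S+", re.I), 0.5),
    # fires only on the decoded view: the raw text hides the '.' as =2E
    ("URL_DOTCOM", re.compile(r"https?://[\w.-]+\.(?:com|net|org)\b", re.I), 1.0),
    # fires only on the raw view: quoted-printable used to split a token
    ("QP_OBFUSCATION", re.compile(r"=2E[a-z]", re.I), 1.5),
]
THRESHOLD = 5.0


def normalize(text: str) -> str:
    """Undo quoted-printable so that =2E becomes '.' and '=' soft breaks vanish."""
    return quopri.decodestring(text.encode()).decode("latin-1")


def score(subject: str, body: str):
    """Run each rule once over the raw and the decoded text; (total, hit names, is_spam)."""
    text = "\n".join([subject, body, normalize(subject), normalize(body)])
    hits = [(name, weight) for name, rx, weight in RULES if rx.search(text)]
    total = sum((weight for _, weight in hits), 0.0)
    return total, [name for name, _ in hits], total >= THRESHOLD


# Sample quoted on the slide above, re-typed as a string.
SUBJECT_1 = "Never agree to be a loser"
BODY_1 = (
    "Buck up, your troubles caused by small dimension will soon be over!\n"
    "Initiate a natural growth of your masculine muscle! http://veniutk=2Ecom/ "
    "control=2E All data was lost at T+5 minutes, 5\n"
    "seconds=2Ethings happen=2E= We just believed that he was going to berescuers "
    "at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three "
    "couples refused to pled= ge their"
)
# Sample quoted on the webmail slide later in the deck.
SUBJECT_2 = "viagra soma cialis cheap rates oem software low mortgage rates"
BODY_2 = ("viagra soma cialis cheap rates low mortgage rates oem software for $1 "
          "penis enlargement for good sex live xxx videos")
```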
Exploiting the Loop Holes
Sender Driven
• Creating hashcash (not efficient, not popular).
• Look for open relays with SPF, DKIM functionality.
• Bounce messages from valid domains.
• Worms sending mails to local MTAs.
Exploiting the Loop Holes
Reputation
• Sending through free webmail accounts.
• Sample email sent directly and through a valid webmail service:
• Sent directly: Spam mailbox.
• Through webmail: Inbox (Bingo!!)
Subject: viagra soma cialis cheap rates oem software low mortgage rates
viagra soma cialis cheap rates low mortgage rates oem software for $1 penis enlargement for good sex live xxx videos
Exploiting the Loop Holes
Targeting low priority MX
• Helps in bypassing filters altogether (if you are lucky, that is :-P).
Mail Reconnaissance
• Reading replies from valid (and invalid) addresses.
• Exposes an enormous amount of information.
• Definitely a must for any pen tester.
References
SPF - http://www.ietf.org/rfc/rfc4408.txt
DKIM - http://www.dkim.org/
SpamAssassin - http://spamassassin.apache.org/
Razor - http://razor.sourceforge.net/
CAPTCHA - http://www.captcha.net/
Bogofilter - http://bogofilter.sourceforge.net/
Mailwasher - http://www.mailwasher.net/
HashCash - http://www.hashcash.org/
Greylisting - http://greylisting.org/
Gartner report - http://news.zdnet.com/2100-9595_22-955842.html
DNSxLs - http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl-01.txt-16252.txt
Thanks
QA?
Contact me: null _a_t_ null . co . in
NULL is having an official meet on 7th Dec at ClubHack