NZNOG ’07 ‘Dealing with Joe Jobs’ or how to cope with spam backscatter attacks Simon Howard.
-
Upload
gavin-allison -
Category
Documents
-
view
217 -
download
0
Transcript of NZNOG ’07 ‘Dealing with Joe Jobs’ or how to cope with spam backscatter attacks Simon Howard.
Presentation Overview
• Definition
• Amplifier
• Target
• Bounce Verification Technologies
• Issues to Consider
• Questions
Joe Doll
• Attack on Joe Doll, webmaster of Joe's Cyberpost.
• User had their account removed for advertising spam
• In retaliation, forged an email from Joe Doll
• Caused joes.com to be DoS’ed [Jan 1997]
• Also defined in Wayne's World as a sub-standard job
Definition
• Your email address/domain used as the envelope sender in a spam run.
• Your mail systems end up receiving • bounce messages
• vacation/out-of-office notices
• challenge-responses
• etc.
• Resulting in huge mail gateway, server and administrative overhead
Envelope Headers
$ telnet 192.168.1.1 25
Connected to 192.168.1.1
Escape character is '^]'.
helo dm220-mail70.yourcompany.com ESMTP
220 Welcome to yourcompany.com’s email system
helo domain.com
250 mail70.yourcompany.com
mail from: [email protected]
250 sender <[email protected]> ok
rcpt to: [email protected]
250 recipient <[email protected]> ok
data
354 go ahead
Email Structure
Envelope Headersmail-from: <[email protected]>
rcpt-to: <[email protected]>
Message HeadersReceived: from test.dmzglobal.com ([1.1.1.1]) by internal.dmzglobal.com with Microsoft SMTPSVC(2,3,4 1234); Tue, 30 Jan 2007 18:02:45 +1300From: “Jane Young” <[email protected]>To: <[email protected]>Subject: This is an email!Date: Tue, 25 Jul 2006 14:43:39 +1200Message-ID: <[email protected]>Return-Path: [email protected]
Message BodyHi,
It was great to catch up about the latest cross stitch patterns out there last week. Looking forward to this months cross stitch weekly
Regards,Jane
Why am I being Joe Job’ed
• The spammer is using your credentials to legitimise their marketing campaign- Spam- Phishing
• Discredit your company (Competitive sabotage)
• Random – In order to bypass reverse DNS lookup controls.
• Side-effect of a mass-mailing virus
• Blatant Denial of Service
How Amplification Works
Frontend MTA AMPLIFIERBackend MDA
mail-from: [email protected]: [email protected]
[email protected] [email protected] [email protected]
Frontend MTA AMPLIFIERBackend MDA
Frontend MTA AMPLIFIERBackend MDA
mail-from: < >rcpt-to: [email protected]
mail-from: < >rcpt-to: [email protected]
mail-from: < >rcpt-to: [email protected]
mail-from: < >rcpt-to: [email protected]
Amplifier Implications
• Addition to a DNSBL (MAPS/Spamhaus/Spamcop)
• Denial of Service
• Leaking of sensitive information
Amplification of NDR’s
• Gateway accepts all email and relies on downstream servers to generate the NDR (non-delivery report)
• RFC-821 requires an NDR for unsuccessful deliveries to a final destination
1. Notification to failed recipient + reason for the failure
2. Above + original email (or part of it)
3. Above + original email + all attachments
Further Amplification of NDR’s
• For NDR's of messages sent to multiple recipients, RFC-821 provides two options
1. A single notification which lists all failed recipients of that failed message
2. Separate notification for each failed recipient
NDR Payload
• Payload- Viruses
- Spam
- Large files
- Zip-bombs
• "With 105 outbound emails (containing 1000 invalid recipients) totalling 3.60MB of traffic we caused the mail servers under study to generate more than 80,000 emails, totalling 1.15GB of traffic" http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb
Lessening The Noise
• Hard bounce mail for invalid recipients at the gateway
• Limit the maximum number of recipients per message
• Generate minimalistic NDR’s
• Generate one NDR for all failed recipients
• Send bounces from a server you can afford to have blacklisted
• Disable NDR’s altogether… (maybe not)
Target of a Phishing Attack
MTA A
MTA B
MTA C
mail-from: [email protected]: <millions of users@domains>Subject: Your Account Details
Bank.com MTAmail-from: < >rcpt-to: [email protected]
MTA A
MTA B
MTA C
Example Phishing Message
mail-from: [email protected]
rcpt-to: <millions of users@domains>
subject: Your Account Details
Dear BANK.com Customer,
In an effort to continually measure the service quality give to New Zealand and Australia, BANK.com members were sent out random survey asking valuable feedback on how we are doing and how we can approve.
There are only a few questions to score and only take few minutes of your time
Your patience will be rewarded with $20 direct deposit to your account and your name will automatically be entered into our quarterly drawing for $2500 grand prize
If you are ready for feedback, go to http://wwwwbank.com/bankmain.php . If this link does not work, just copy and paste it into your browser
Thank You!
Sincerely Yours,
Board of Directors
BANK.com
BANK.comBANK.com
Implications for the Target
• Denial of Service
• User inbox restrictions
• Mail queues exploding / mail delays
• Unhappy users
Invalid Users
• Accept mail for valid users only • local_recipient_maps (postfix)• Recipient Access Table (Ironport RAT)• LDAP integration
• Sometimes we don’t know who our valid users are or it can be too expensive to maintain.
• Backend user directory incompatible with front-end MTA
• This will stop backscatter for invalid addresses… • What about valid ones?
Valid Users
• Message Headers• Received-from
• Message-ID
• Looking for signs that it didn’t actually leave your network in the first place
• Resource Intensive
Bounce Verification Technologies
• We can’t rely on session verification techniques • e.g. SPF
• Bounce Verification• BATV (Bounce Address Tag Validation)
• Authbounce
• ABBS (Anti-Bogus-Bounce-Scheme)
• SES (Signed Envelope Sender)
BATV (Bounce Address Tag Validation)
Envelope Headersmail-from: <[email protected]>
rcpt-to: <[email protected]>
1. Sign the envelope sender and sendprvs=jane/[email protected]
2. Email delivered to [email protected]
yourcompany.com MTA
Envelope Headersmail-from: <>
rcpt-to: <prvs=jane/[email protected]>
4. Check envelope recipient address and ensure signature is valid
yourcompany.com MTA
3. NDR delivered to jane/[email protected]
BATV Specification
• The envelope sender address is signed.
mail-from: [email protected] becomes
mail-from: prvs=mailbox/[email protected]
• tag-val = K DDD SSSSSS
- K = key number- DDD = low 3 digits of the number of days since 1970
when the address will expire - SSSSSS = Hex of the first three bytes of the SHA-1 HMAC
of <hash-source> and a key - hash-source = K DDD <orig-mailfrom> - orig-mailfrom = {original RFC2821.MailFrom address}
BATV cont…
• Supported on the following MTAs• netqmail • Ironport AsyncOS• Exim
• Documentation available for other MTAs
• Pursuing IETF standardisation
How Authbounce works
yourcompany.com MTA
3. NDR delivered to [email protected]
1. Sign the envelope sender and sendprvs=jane/[email protected]
Message HeadersFrom: “Jane Young” <[email protected]>To: <[email protected]>Message-ID: <[email protected]>
1. Add an additional signed X-HeaderX-bounce-key:domain.com-1;[email protected];1077198109;fb7e6ffa;
1. Sign the envelope sender and sendprvs=jane/[email protected]
Message HeadersFrom: “Jane Young” <[email protected]>To: <[email protected]>Message-ID: <[email protected]>X-bounce-key:domain.com-1;[email protected];1077198109;fb7e6ffa;
4. X-bounce-key checked to ensure signature is valid
2. Email delivered to [email protected]
yourcompany.com MTA
Authbounce for Exim
• Addition of a signed X-Header: X-bounce-key:example.net-
1;[email protected];1077198109;fb7e6ffa; (1) (2) (3) (4)
1. A key identifier, typically the ISP's domain plus a number.
2. The E-mail address to which a bounce may be sent.
3. The time when the message was sent out. Bounces older than a certain age are ignored.
4. 32-bit cryptographic checksum, calculated as a hash over (1), (2), (3) and a secret value
ABBS (Anti-Bogus-Bounce-Scheme)
• Similar to BATV
• Signed envelope sender
mail-from: [email protected] becomesmail-from: [email protected]
- timestamp is time()- hmac is HMAC-SHA1-nn- Timeout defaults to 1296000 seconds (15 days) - Supported in qmail safari
SES (Signed Envelope Sender)
• Challenge response system for SMTP
• UDP call back service
• Send hash value to the server that claims to have originated the message
• If the query is positive, mail is accepted as valid, if not, its rejected
• Website is dead, probably a good thing
Advantages / Disadvantages
• BATV
Modifies the envelope sender address
Stops invalid bounces after the rcpt-to header is received
• Authbounce
Doesn’t modify the envelope sender address
More overhead as X-headers need to be processed
• ABBS
BATV for qmail with a few differences
• SES
project is dead?
Issues to Consider
• Too many different standards, none settled on
• CPU overhead for large mail volumes• All outbound messages tagged, all inbound checked
• Greylisting (451)
• Mail-listings validate on envelope sender
• Challenge-Response systems
More Issues…
• Legitimate DSNs are rejected unless the original mail has been sent via your server
• Roaming users…
Conclusion
• Know and control your environment
• Determine if you are an amplifier
• Decide which technology fits best
• Implement technology before you are targeted
Conclusion
• You don’t want to be hacking up custom Sendmail rules at 3:00am
Kphishsrc regex -a@MATCH ^(customercare|customerssupport|customersupport|custservice|custsupport|infonum|online_support|onlinesupport|operate|operator|reference|support|supprefnum)(\-ref|\_ref|\-reference|\_reference|\-id|\_id)?(\-|\_)?[0-9]+$
SLocal_check_rcpt
R$* $: $>Parse0 $>3 $1
R$+ < @ domain.co.nz. > $* $: $(phishsrc $1 $)
References
ABBS - http://msgs.securepoint.com/cgi-bin/get/qmail0403/161.html
Anti-Phishing Workging Group: http://www.antiphishing.org/phishing_archive.html
Anti-spam Email Research http://spamlinks.net/prevent-research.htm
Authbounce - http://psg.com/%7Ebrian/software/authbounce/configure-authbounce.txt
BATV - http://mipassoc.org/batv/
Mail Non-Delivery Notice Attacks: http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb
Postfix Backscatter Howto: http://www.postfix.org/BACKSCATTER_README.html
Signed Envelope Sender: http://www.advogato.org/proj/Signed%20Envelope%20Sender/
Sender Policy Framework http://www.openspf.org/
Signed Return Address: http://www.tuffmail.com/backscatter.php
Why are auto responders bad? : http://www.spamcop.net/fom-serve/cache/329.html