NZNOG ’07‘Dealing with Joe Jobs’

or how to cope with spam backscatter attacks

Simon Howard

Presentation Overview

• Definition

• Amplifier

• Target

• Bounce Verification Technologies

• Issues to Consider

• Questions

Joe Doll

• Attack on Joe Doll, webmaster of Joe's Cyberpost.

• User had their account removed for advertising spam

• In retaliation, forged an email from Joe Doll

• Caused joes.com to be DoS’ed [Jan 1997]

• Also defined in Wayne's World as a sub-standard job

Definition

• Your email address/domain used as the envelope sender in a spam run.

• Your mail systems end up receiving • bounce messages

• vacation/out-of-office notices

• challenge-responses

• etc.

• Resulting in huge mail gateway, server and administrative overhead

Envelope Headers

$ telnet 192.168.1.1 25

Connected to 192.168.1.1

Escape character is '^]'.

helo dm220-mail70.yourcompany.com ESMTP

220 Welcome to yourcompany.com’s email system

helo domain.com

250 mail70.yourcompany.com

mail from: jane@domain.com

250 sender <jane@domain.com> ok

rcpt to: tracey@yourcompany.com

250 recipient <tracey@yourcompany.com> ok

data

354 go ahead

Email Structure

Envelope Headersmail-from: <jane@domain.com>

rcpt-to: <tracey@yourcompnay.com>

Message HeadersReceived: from test.dmzglobal.com ([1.1.1.1]) by internal.dmzglobal.com with Microsoft SMTPSVC(2,3,4 1234); Tue, 30 Jan 2007 18:02:45 +1300From: “Jane Young” <janey@domain.com>To: <tracey@yourcompany.com>Subject: This is an email!Date: Tue, 25 Jul 2006 14:43:39 +1200Message-ID: <123456789@domain.com>Return-Path: jane@domain.com

Message BodyHi,

It was great to catch up about the latest cross stitch patterns out there last week. Looking forward to this months cross stitch weekly

Regards,Jane

Why am I being Joe Job’ed

• The spammer is using your credentials to legitimise their marketing campaign- Spam- Phishing

• Discredit your company (Competitive sabotage)

• Random – In order to bypass reverse DNS lookup controls.

• Side-effect of a mass-mailing virus

• Blatant Denial of Service

Amplifier

How Amplification Works

Frontend MTA AMPLIFIERBackend MDA

mail-from: admin@bank.comrcpt-to: user1@domain.co.nz

user2@domain.co.nz user3@domain.co.nz userx@domain.co.nz

Frontend MTA AMPLIFIERBackend MDA

Frontend MTA AMPLIFIERBackend MDA

mail-from: < >rcpt-to: admin@bank.com

mail-from: < >rcpt-to: admin@bank.com

mail-from: < >rcpt-to: admin@bank.com

mail-from: < >rcpt-to: admin@bank.com

Amplifier Implications

• Addition to a DNSBL (MAPS/Spamhaus/Spamcop)

• Denial of Service

• Leaking of sensitive information

Amplification of NDR’s

• Gateway accepts all email and relies on downstream servers to generate the NDR (non-delivery report)

• RFC-821 requires an NDR for unsuccessful deliveries to a final destination

1. Notification to failed recipient + reason for the failure

2. Above + original email (or part of it)

3. Above + original email + all attachments

Further Amplification of NDR’s

• For NDR's of messages sent to multiple recipients, RFC-821 provides two options

1. A single notification which lists all failed recipients of that failed message

2. Separate notification for each failed recipient

NDR Payload

• Payload- Viruses

- Spam

- Large files

- Zip-bombs

• "With 105 outbound emails (containing 1000 invalid recipients) totalling 3.60MB of traffic we caused the mail servers under study to generate more than 80,000 emails, totalling 1.15GB of traffic" http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb

Lessening The Noise

• Hard bounce mail for invalid recipients at the gateway

• Limit the maximum number of recipients per message

• Generate minimalistic NDR’s

• Generate one NDR for all failed recipients

• Send bounces from a server you can afford to have blacklisted

• Disable NDR’s altogether… (maybe not)

Target

Target of a Phishing Attack

MTA A

MTA B

MTA C

mail-from: admin@bank.comrcpt-to: <millions of users@domains>Subject: Your Account Details

Bank.com MTAmail-from: < >rcpt-to: admin@bank.com

MTA A

MTA B

MTA C

Example Phishing Message

mail-from: admin@bank.com

rcpt-to: <millions of users@domains>

subject: Your Account Details

Dear BANK.com Customer,

In an effort to continually measure the service quality give to New Zealand and Australia, BANK.com members were sent out random survey asking valuable feedback on how we are doing and how we can approve.

There are only a few questions to score and only take few minutes of your time

Your patience will be rewarded with $20 direct deposit to your account and your name will automatically be entered into our quarterly drawing for $2500 grand prize

If you are ready for feedback, go to http://wwwwbank.com/bankmain.php . If this link does not work, just copy and paste it into your browser

Thank You!

Sincerely Yours,

Board of Directors

BANK.com

BANK.comBANK.com

Implications for the Target

• Denial of Service

• User inbox restrictions

• Mail queues exploding / mail delays

• Unhappy users

Invalid Users

• Accept mail for valid users only • local_recipient_maps (postfix)• Recipient Access Table (Ironport RAT)• LDAP integration

• Sometimes we don’t know who our valid users are or it can be too expensive to maintain.

• Backend user directory incompatible with front-end MTA

• This will stop backscatter for invalid addresses… • What about valid ones?

Valid Users

• Message Headers• Received-from

• Message-ID

• Looking for signs that it didn’t actually leave your network in the first place

• Resource Intensive

Bounce Verification Technologies

• We can’t rely on session verification techniques • e.g. SPF

• Bounce Verification• BATV (Bounce Address Tag Validation)

• Authbounce

• ABBS (Anti-Bogus-Bounce-Scheme)

• SES (Signed Envelope Sender)

BATV (Bounce Address Tag Validation)

Envelope Headersmail-from: <jane@domain.com>

rcpt-to: <tracey@yourcompnay.com>

1. Sign the envelope sender and sendprvs=jane/ABCD12345@domain.com

2. Email delivered to tracey@yourcompany.com

yourcompany.com MTA

Envelope Headersmail-from: <>

rcpt-to: <prvs=jane/ABCD12345@domain.com>

4. Check envelope recipient address and ensure signature is valid

yourcompany.com MTA

3. NDR delivered to jane/ABCD12345@domain.com

BATV Specification

• The envelope sender address is signed.

mail-from: mailbox@domain.com becomes

mail-from: prvs=mailbox/tag-val@domain.com

• tag-val = K DDD SSSSSS

- K = key number- DDD = low 3 digits of the number of days since 1970

when the address will expire - SSSSSS = Hex of the first three bytes of the SHA-1 HMAC

of <hash-source> and a key - hash-source = K DDD <orig-mailfrom> - orig-mailfrom = {original RFC2821.MailFrom address}

BATV cont…

• Supported on the following MTAs• netqmail • Ironport AsyncOS• Exim

• Documentation available for other MTAs

• Pursuing IETF standardisation

How Authbounce works

yourcompany.com MTA

3. NDR delivered to jane@domain.com

1. Sign the envelope sender and sendprvs=jane/ABCD12345@domain.com

Message HeadersFrom: “Jane Young” <janey@domain.com>To: <tracey@yourcompany.com>Message-ID: <123456789@domain.com>

1. Add an additional signed X-HeaderX-bounce-key:domain.com-1;jane@domain.com;1077198109;fb7e6ffa;

1. Sign the envelope sender and sendprvs=jane/ABCD12345@domain.com

Message HeadersFrom: “Jane Young” <janey@domain.com>To: <tracey@yourcompany.com>Message-ID: <123456789@domain.com>X-bounce-key:domain.com-1;jane@domain.com;1077198109;fb7e6ffa;

4. X-bounce-key checked to ensure signature is valid

2. Email delivered to tracey@yourcompany.com

yourcompany.com MTA

Authbounce for Exim

• Addition of a signed X-Header: X-bounce-key:example.net-

1;you@example.com;1077198109;fb7e6ffa; (1) (2) (3) (4)

1. A key identifier, typically the ISP's domain plus a number.

2. The E-mail address to which a bounce may be sent.

3. The time when the message was sent out. Bounces older than a certain age are ignored.

4. 32-bit cryptographic checksum, calculated as a hash over (1), (2), (3) and a secret value

ABBS (Anti-Bogus-Bounce-Scheme)

• Similar to BATV

• Signed envelope sender

mail-from: user-b@b.example.com becomesmail-from: user-b=timestamp-hmac@b.example.com

- timestamp is time()- hmac is HMAC-SHA1-nn- Timeout defaults to 1296000 seconds (15 days) - Supported in qmail safari

SES (Signed Envelope Sender)

• Challenge response system for SMTP

• UDP call back service

• Send hash value to the server that claims to have originated the message

• If the query is positive, mail is accepted as valid, if not, its rejected

• Website is dead, probably a good thing

Advantages / Disadvantages

• BATV

Modifies the envelope sender address

Stops invalid bounces after the rcpt-to header is received

• Authbounce

Doesn’t modify the envelope sender address

More overhead as X-headers need to be processed

• ABBS

BATV for qmail with a few differences

• SES

project is dead?

Security Considerations

• Cryptographic weaknesses

• Replay attacks

Issues to Consider

• Too many different standards, none settled on

• CPU overhead for large mail volumes• All outbound messages tagged, all inbound checked

• Greylisting (451)

• Mail-listings validate on envelope sender

• Challenge-Response systems

More Issues…

• Legitimate DSNs are rejected unless the original mail has been sent via your server

• Roaming users…

Knowing Your Environment

• Which servers send out email?

Conclusion

• Know and control your environment

• Determine if you are an amplifier

• Decide which technology fits best

• Implement technology before you are targeted

Conclusion

• You don’t want to be hacking up custom Sendmail rules at 3:00am

Kphishsrc regex -a@MATCH ^(customercare|customerssupport|customersupport|custservice|custsupport|infonum|online_support|onlinesupport|operate|operator|reference|support|supprefnum)(\-ref|\_ref|\-reference|\_reference|\-id|\_id)?(\-|\_)?[0-9]+$

SLocal_check_rcpt

R$* $: $>Parse0 $>3 $1

R$+ < @ domain.co.nz. > $* $: $(phishsrc $1 $)

Questions?

References

ABBS - http://msgs.securepoint.com/cgi-bin/get/qmail0403/161.html

Anti-Phishing Workging Group: http://www.antiphishing.org/phishing_archive.html

Anti-spam Email Research http://spamlinks.net/prevent-research.htm

Authbounce - http://psg.com/%7Ebrian/software/authbounce/configure-authbounce.txt

BATV - http://mipassoc.org/batv/

Mail Non-Delivery Notice Attacks: http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb

Postfix Backscatter Howto: http://www.postfix.org/BACKSCATTER_README.html

Signed Envelope Sender: http://www.advogato.org/proj/Signed%20Envelope%20Sender/

Sender Policy Framework http://www.openspf.org/

Signed Return Address: http://www.tuffmail.com/backscatter.php

Why are auto responders bad? : http://www.spamcop.net/fom-serve/cache/329.html