Spam, Spam, Spam, Spit and Spim CS5480/6480 17-Sep-2008 Matthew J. Probst *with some slides/graphics...
-
date post
21-Dec-2015 -
Category
Documents
-
view
220 -
download
0
Transcript of Spam, Spam, Spam, Spit and Spim CS5480/6480 17-Sep-2008 Matthew J. Probst *with some slides/graphics...
Spam, Spam, Spam,Spit and Spim
CS5480/6480
17-Sep-2008
Matthew J. Probst*with some slides/graphics adapted from J.F Kurose and K.W. Ross
Announcements
• HW1 due by 11:59:59pm MT 18-Sep-08 (tomorrow).
• Hard copy can be turned in now or you can hand it in the cs5480/6480 box outside the SoC office
Spammers: Cost to send?
Assuming a $10/mo dialup account:• 13.4 million messages per month might be
sent… • A cost of about 1 penny per 14,300
messages• Free trials and virus infected computers
(zombies/bots) make it free!• Side benefits of bots to spammers: Email
address harvesting.
You: Cost to Receive?
• 10+ Billion spam received each day
• At 5 seconds per spam (to recognize & delete)..
• That’s 50 billion seconds of lost productivity each day (39,457 work years)
• Assuming $36k average income per person: $1.5 Billion per day in lost productivity to economy.
$$$$
Driving Business Incentives?• Pump and dump penny-stocks• Scams-Nigerian investments, phishing,etc.• Botnet Viruses• Meds• Insurance• Porn• Loans/Mortgages• Others…ROI? Assuming: 13.4M spam/month @ 0.05% take rate (1/2000) on a $20 pill that “cures cancer, eliminates all joint pain AND pleases your significant other”, you could make $134K/month
Botnets and Spammers
• Example: Storm worm currently running on up to 40 million infected computers.
• More computing power than top 500 supercomputers in world combined!
• Used for DDOS attacks, penny stock spam and propagating itself via email.
• Sends ~186 Billion spam messages a day.
Bot controller
DDOS
Replication
SpamSpammerVender
Interesting stats from Spamhaus (widely used RBL):http://www.spamhaus.org/statistics/countries.lasso
Mail access protocols
• SMTP: delivery to receiver’s server (w/queuing) • Mail access protocol: retrieval from server
– POP: Post Office Protocol [RFC 1939]• authorization (agent <-->server) and download
– IMAP: Internet Mail Access Protocol [RFC 1730]• more features (more complex)• manipulation of stored msgs on server
– HTTP: Hotmail , Yahoo! Mail, gmail etc.
useragent
Alice.com MTA
useragent
SMTP SMTP HTTP,POP3 or
IMAPBob.com MTA
Delivered!
Ideal place to filter spam?
• Source machine
• Source MTA server
• In middle of network
• Recipient MTA server
• Recipient machine
Pros & Cons of each?
useragent
Alice.com MTA
useragent
SMTP SMTP HTTPPOP3 or
IMAPBob.com MTA
ISP IP block white-listing
• Source MTA filter.
• ISPs allow any IP blocks on their network to relay through their mail servers.
Problems?
Disallows mobility
Allows botnets, viruses, etc
useragent
Alice.com MTA
useragent
SMTP SMTP HTTPPOP3 or
IMAPBob.com MTA
12.1.1.5
Only 12.1.X.X allowed!
Delivered!
SMTP-AUTH
• Source MTA requires username/password before relaying a message.
• Only ISP’s own customers allowed to relay
• Optional: Block all other outgoing SMTP
• Allows mobility, Blocks dumb viruses
Problems?
Free Trial & Fraudulant accounts.
Can source MTA itself be trusted? (no)
useragent
Alice.com MTA
useragent
SMTP SMTP HTTPPOP3 or
IMAPBob.com MTA
+Username+Password
Delivered!
Rate throttling
• Simple: Source MTA Limits the number/rate of emails from individual senders.
• Limit on: Max recipients per message
Max messages per time period
etc.
Problems?
Again: spammers can code their own MTAs
Millions of throttled bots can still spam-a-lot!
useragent
Alice.com MTA
useragent
SMTP SMTP HTTPPOP3 or
IMAPBob.com MTA
25M/M
Delivered!
SPF (Sender Policy Framework)
• Recipient MTA Filter
• TXT dns record on a domain that lists “Authorized” relays for email marked as coming from that domain.
Problems?
Only effective with mass adoption.
Spammers happily comply with SPF
useragent
Alice.com MTA(13.1.1.1)
useragent
SMTP SMTP HTTPPOP3 or
IMAPBob.com MTA
Alice.com DNS
spf?
13.1.1.1
Delivered!
Relay Blacklists (RBLs)
• Recipient MTA Filter
• DB of IP addresses (& IP blocks) that should not be allowed to relay email.
• 100s of RBLs publicly available.
• Mail servers commonly use several RBLs
• Individually or group maintained.
• Conservative vs ultraliberal inclusion.
useragent
Alice.com MTA(13.1.1.1)
useragent
SMTP SMTP HTTPPOP3 or
IMAPBob.com MTA
DNSrbl1
OK!
13.1.1.1 ok?
DNSrbl2
DNSrbl3
OK!OK!Delivered!
Relay Blacklists (RBLs) cont.
Problems?
Take it or leave it one-size-fits-all.
(Is either too aggressive or too passive).
Central RBL servers easy to DDOS.If done within network, then prevents smtp-auth.
Relay White-lists
• Recipient MTA Filter• Automatically allows specific domains, relays
& senders. All others blocked by default.Problems?
Easy to get out of date?Spammers can use legitimate email addresses, ISPs and domains. (botnets,etc).
useragent
Alice.com MTA(13.1.1.1)
useragent
SMTP SMTP HTTP, POP3 orIMAP
Bob.com MTA
DNSwl1
OK!
13.1.1.1 ok?
DNSwl2
DNSwl3
OK!OK!Delivered!
Greylists
• Don’t fully allow (not a whitelist)
• Don’t completely block (not a blacklist).
• Slow down handshake & negotiation (tarpit) and/or take more time/resources to scan.
Problems? Tarpitting doesn’t block determined spammers with effectively unlimited resources.
useragent
Alice.com MTA(13.1.1.1)
useragent
SMTP SMTP
Bob.com MTA
DNSgl1
Grey!
13.1.1.1 ok?
DNSgl2
DNSgl3
Grey!Grey!Temporarily
Reject!
SMTPTricking Spammers dumb MTAs
• Require MTAs to adhere to full SMTP RFC.• Point primary MX record at null sync.• Secondary MX record point to real MTA.
Problems?
Spammers can make their MTAs smarter
Some Spammers use existing ISP MTAs
useragentAlice.com
MTA
useragent
HTTPPOP3 or
IMAPBob.com MTA (14.1.1.2)Bob.com
DNS
bob.com m
x?
14.1.1.1Fake MTA
MX10: 14.1.1.1
MX20: 14.1.12
FAIL!
SMTP
Delivered!
Domain Keys Identified Mail (DKIM)
• Sender MTA signs message hash w/ priv key.
• Adds signature as new header: “DomainKey-Signature”
• Recipient MTA uses DNS txt record to find public key to authenticate signature.
Problems?
Spammer domains can conform
Spammers can hijack legitimate accounts
useragent
Alice.com MTA(Signs Message)
useragent
SMTP SMTP HTTPPOP3 or
IMAPBob.com MTA
(Authenticates message)
Alice.com DNS
Pub Key?
<PubKey>
Adoption
Delivered!
S/MIME Signatures
• Senders obtain a digital cert from a trusted Certificate Authority (CA).
• Can use the cert for both signing as well as encryption of messages.
• Recipients can verify certs via certificate chain (just like web browsers).
Problems?
Cost of per sender cert.
useragent
Alice.com MTA
useragent
SMTP SMTP POP3 orIMAP
Bob.com MTASigns
MessageTrusted
CA
VerifiesSignature
Adoption
Delivered!
Bayesian Content Filters
• Recipient filter
• Individualized DB. Requires training
• Learns common words & phrases from spam
• Spam “scoring” given to each message.
Problems?
misspellings
jpeg/pdf spam
useragent
Alice.com MTA
useragent
SMTP SMTP
Bob.com MTA
DB
Hash(“Viagra”)?SPAM!
Randomized spam content
X-Rejected-X
Vipul’s Razor
• Recipient Filter.
• Hash of email body, html links or paragraphs (messages “signature”). Lookup this signature in centralized DB of known spam.
• Only “Authorized Reporters” can register spam signatures.
Problems?
useragent
Alice.com MTA
useragent
SMTP SMTP HTTP, POP3 or IMAP
Bob.com MTA(computes signature)
2e821f039 ok?
Razor DB2
Razor DB1
OK!
OK!
•Randomized content•jpeg/pdf spam.
Delivered!
Spam Training Honeypots
• Dedicate an inbox to only attract and profile spam.
• Randomly generated address:
or common (but unused) address:
• Email received by this box can be fed to bayesian filter, vipuls razor & personal RBLs.
What is used today?
• Combination of all of these techniques.
• Spamassassin as an example.
• RBLs are low hanging fruit… Commonly block 80%+ of spam.
Remaining Problems
• Not only smtp needs protection (spit,spim)
• Increased client mobility & P2P messaging
• P2P spit (no reliance on central scanners or CA).
• Fast vs slow path selection based on trust of sender & sender’s email path.
• Fast reaction to entity behavior changes (iZombie?)
Idea: Micro-payments
• Senders pay fraction of a cent for each email they send.
• Won’t deter normal email users, but would definitely stop many spammers.
• Variation: Rather than charge for each email… Force all email users to put $$ in escrow… only charging account upon receiving complaints.
Idea:Social-net Transitive Trust
Alice
Nancy
Bob
JimCarol
opensocial myspacefb
• Based off of “Small Worlds”• No centralized filters required• Online or P2P (with social net caching)• Trust levels are constantly changing (fast
reaction to observed mis-behaviors)
useragent
Alice.com MTA
useragent
SMTP SMTP HTTPPOP3 or
IMAPBob.com MTA
Accept or Reject?
Accept!
P2P Experience & RBL
• User agents collect their own experience (positive and negative) and share them with their social peers.
• User agents generate their own personal RBLs mods based off of their “experience DB”.
• User agents query for neighbor’s experiences via multicast.
Dynamic Grey-listing
• Selectively decide which message to send on fast-path (Layer 3) vs through tarpit (Layer-7..for further inspection).
• Fast path may include no scanning at all freeing up scanning resources to be used on un-trusted messages.
ExperienceCache
Trust Processor
Layer 7 email & IM filter/scanner
Automatically created
experience records
Manually created
experience records
Sharing of highly weighted experience records with social
peers. Piggyback onto existing communication
NACK based multicast queries for experience
records
User selected public RBLs
Social NetworkUserfb,myspace,linkedin,etc
Best single current method of avoiding spam: HIDE!
• Use BCC when two recipients have no need of knowing each other’s email addr.
• Keep your anti virus software up to date (or use a Mac).
• Don’t allow your email address to be posted on public web sites.
• Use at least two email accounts… one for your smart friends (that know how to use bcc and how to keep their system’s virus free) and one for everyone else.
Questions?• Questions / Comments / Feedback?
*costume available at spamgift.com