Welcome! In the next hour: > About Spamhaus > Zombies: problems, current state > What you can do (and how can we help you) > PBL

Similar documents
Why Spamhaus is Your Best Approach to Fighting Spam

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

PineApp Anti IP Blacklisting

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Networking for Caribbean Development

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

M 3 AAWG: Hosting Past, Present & Future

Firewalls. Steven M. Bellovin Matsuzaki maz Yoshinobu

Solution Brief FortiMail for Service Providers. Nathalie Rivat

SES / CIF. Internet2 Combined Industry and Research Constituency Meeting April 24, 2012

One Minute in Cyber Security

Using Traffic Analysis to Detect Spam

WHITE PAPER. How Spamhaus Cost-Effectively Eliminates Spam, Malware and Botnet Threats SPON. Published January 2015 SPONSORED BY

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Zscaler Internet Security Frequently Asked Questions

About Botnet, and the influence that Botnet gives to broadband ISP

Internet Special Ops Stalking Badness Through Data Mining. Paul Vixie Andrew Fried Dr. Chris Lee

escan SBS 2008 Installation Guide

How To Integrate Hosted Security With Office 365 And Microsoft Mail Flow Security With Microsoft Security (Hes)

Overview An Evolution. Improving Trust, Confidence & Safety working together to fight the beast. Microsoft's online safety strategy

FRANKFORT PLANT BOARD CABLE MODEM INTERNET BROADBAND INTERNET SERVICE DISCLOSURES

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

Technical Note. FORTIMAIL Configuration For Enterprise Deployment. Rev 2.1

Content Filters A WORD TO THE WISE WHITE PAPER BY LAURA ATKINS, CO- FOUNDER

Protecting the Infrastructure: Symantec Web Gateway

How To Filter From A Spam Filter

Emerging Trends in Fighting Spam

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

The Growing Problem of Outbound Spam

Rogue DNS servers a case study

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

AbuseHUB: a national Abuse Report. Clearing House. Phons Bloemen. ISD Congress September 24,

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

F-Secure Internet Gatekeeper

Methods for Sharing Dynamic IP Address Space Information with Others

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Deciphering and Mitigating Blackhole Spam from -borne Threats

Symantec RuleSpace Data Sheet

Panda Cloud Protection

DDoS Attacks & Defenses

Empirical research on IP blacklisting

A TASTE OF HTTP BOTNETS

Hosted CanIt. Roaring Penguin Software Inc. 26 April 2011

Comprehensive Anti-Spam Service

VESZPROG ANTI-MALWARE TEST BATTERY

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Threat Intelligence UPDATE: Cymru EIS Report. cymru.com

A Domain Name for your PC

FAQ (Frequently Asked Questions)

Shared Incident Response

Implementing Microsoft Exchange Mail on Demand

Port evolution: a software to find the shady IP profiles in Netflow. Or how to reduce Netflow records efficiently.

Configuring Your Gateman Server

GFI Product Comparison. GFI MailEssentials vs Barracuda Spam Firewall

Configuring Trend Micro Content Security

Configuration Example

GFI Product Comparison. GFI MailEssentials vs. Trend Micro ScanMail Suite for Microsoft Exchange

PART D NETWORK SERVICES

SR B17. The Threat Landscape Continues to Change: How are You Keeping Pace? Dean Turner

Cape Girardeau Career Center CISCO Networking Academy Bill Link, Instructor. 2.,,,, and are key services that ISPs can provide to all customers.

Smart Network Data Services Windows Live & MSN Hotmail Postmaster Services

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Security Incident Management Essentials Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC

Anti-Spam Measures Survey Pascal Manzano ENISA

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

High Speed Internet - User Guide. Welcome to. your world.

Web server botnets and hosting farms as attack platforms

FortiMail Filtering Course 221-v2.2 Course Overview

Cisco Security Intelligence Operations

AT&T Real-Time Network Security Overview

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

15 Trade Secrets Of Service Providers

How to Configure edgebox as an Server

Configuration Example

Internet Monitoring via DNS Traffic Analysis. Wenke Lee Georgia Institute of Technology

Symantec Hosted Mail Security Getting Started Guide

Arbor s Solution for ISP

GFI Product Manual. Administration and Configuration Manual

Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Large-Scale Internet Crimes Global Reach, Vast Numbers, and Anonymity

Serial Deployment Quick Start Guide

APPLICATION PROGRAMMING INTERFACE

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

The spam economy: the convergent spam and virus threats

How to Stop Spam s and Bounces

Looking Ahead The Path to Moving Security into the Cloud

UNMASKCONTENT: THE CASE STUDY

Transferring Your Internet Services

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

Enhancing Your Network Security

Reviewer s Guide. PureMessage for Windows/Exchange Product tour 1

Detecting peer-to-peer botnets

ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

Transcription:

RIPE54-8th May 2007

Welcome! In the next hour: > About Spamhaus > Zombies: problems, current state > What you can do (and how can we help you) > PBL

About Spamhaus > Founded in late 90 s, non-profit > Headquartered in the UK > 25+ specialists around the world > DNSBLs: SBL, XBL and PBL > ROKSO, DROP > Corporate research team

Spamhaus SBL > Spamhaus Block List > 100% human input > Static spam sources > Spam webhosting / DNS > Other spam support services > Escalations if needed

Spamhaus SBL > Take SBL listings seriously (they are not another spam complaint!)

Spamhaus XBL > Spamhaus exploits Block List > 100% automated input > Lists illegal 3rd party exploits > Only /32 listings > No-questions-asked (but limited) removals

Spamhaus PBL > Spamhaus Policy Block List > List ranges that should not do direct-to-mx > Input by Spamhaus and ISPs (you!) > More on this later

ZEN: One-stop-shopping > All zones roled into one > One query, result shows listing type > www.spamhaus.org/zen/ > Query zen.spamhaus.org

ROKSO > Register Of Known Spam Operations > ~200 spammers, 80% of all spam > Vetting of customers

Spamhaus DROP > Don t Route Or Peer list > Known rogue networks / IP ranges / ASNs, 100% under spammer control > Excellent for no-traffic policies and router usage

Spamhaus DROP > Using DROP makes lots of Botnet C&Cs, rogue DNS servers and web-based exploits drop off the net > We re working on a BGP feed

Spamhaus relations > ISPs / ESPs / xsps > Networks, Registrars and Regulators > Law enforcement > Research community

Spamhaus users > ISPs, ESPs, xsps, governments, universities, military, etc > Over 800 million mailboxes protected

The zombie problem

982565

982565 New zombies detected by XBL on 8th of may 2007 (unique IP addresses)

36

36 seconds between infection and first-spam-sent (W32/Warezov)

Zombies - How do they work?

Attack vectors > Network scanning (135-139) > Email viruses (25) > Webpages / browserexploits (80) > Social engineering postcard_newyear.jpg.exe, Video codecs

Multi stage > User installs software > Software downloads malware > Malware installs proxy/mailer > Spam flows > Other exploits installed (DDOS!)

Evolution > Proxies > Private (ACL ed) proxies > Mail engines > Windows rootkits > P2P for payload retrieval

Evolution > Proxies > Private (ACL ed) proxies > Mail engines > Windows rootkits > P2P for payload retrieval > What s coming next?

Command & Control (C&C) > Hosted in dark alleys > Esthost > Small number of IP addresses causes lots of trouble > Many ISPs do not know that they are hosting a C&C

Command & Control (C&C) > If C&C locations were known: > could you block? > would you block?

Zombies - Have uses apart from mail

Yambo webhosting > HTTP and DNS served on zombies > Zombie is really a uni-directional proxy > which proxies to another proxy > automated blocking > Linux hosted

Fast Flux hosting > URL served on 5-10 IP addresses > Low TTL - 1-5 minutes > After expiry: new zombies > DNS fast fluxed too

Fast Flux combatting > Difficult to track! > Difficult to shut down > Port blocking (80 & 53)! > The only effective point of control is in the hands of the registrar

Zombies - What can you do?

Using traffic patterns > DNS traffic > Port 25 outgoing > But: expensive equipment > Network may need change

Using feedback loops > abuse@ > Feedback loops > AOL, Outblaze, Hotmail SNDS > Larger networks willing to share data can contact us for a more effective solution

Why you should care > Large consumer networks will block parts of your network if high levels of zombie traffic are perceived > Reputation amongst peers

Spamhaus PBL

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer s use.

The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-mta customer IP ranges.

Spamhaus Policy Blocklist > End user ranges > Two categories: > Data by participating ISP > Data by Spamhaus > Recognizable by DNS response

Spamhaus Policy Blocklist > No-questions-asked automated single IP removal > ISP interface for your managing your own IP ranges

How not to use PBL > Do NOT use on smarthosts or SMTP AUTH for your own customers! > Do NOT use for other than checking IP addresses that hand of to your mailservers (no deep parsing )

PBL: A win-win-win opportunity > Cuts down on bandwith being stolen and damage being done and deliverability problems > Cuts down the complaints (which frees staff for other things) > Stops damage to your reputation

www.spamhaus.org/pbl/

Closing up... > We must try harder. Problems are getting more serious and harder to solve. > Balance between prevention of harm and the traditional freedoms of the net

Closing up... > Governments are not empowered to solve these problems. They are looking to the industry to implement self-regulation.

Closing up... > What other data can we provide that would help you protect your network?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information