in the Early 1980s

Similar documents
Why to talk about Botnets

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Hosted CanIt. Roaring Penguin Software Inc. 26 April 2011

The Difficulties of Tracing Spam

An Overview of Spam Blocking Techniques

Panda Cloud Protection

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

How to Stop Spam s and Bounces

Software Engineering 4C03 SPAM

CS 356 Lecture 16 Denial of Service. Spring 2013

Management CSCU9B2 CSCU9B2 1

Unica OnDemand. Unica and deliverability. Getting to the inbox. Publication Date: January 19, 2010

Internet Security [1] VU Engin Kirda

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Spam, Spam and More Spam. Spammers: Cost to send

COMBATING SPAM. Best Practices OVERVIEW. White Paper. March 2007

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

security

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

How To Create A Spam Authentication Protocol Called Occam

Anti-Spam Capabilities of Internet Exchange Version 3.1

Transactional Behaviour Based Spam Detection

PineApp Anti IP Blacklisting

An Delivery Report for 2012: Yahoo, Gmail, Hotmail & AOL

escan Anti-Spam White Paper

SPAM FILTER Service Data Sheet

white paper Glossary of Spam Terms The jargon of the spam industry

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

What is a Mail Gateway?... 1 Mail Gateway Setup Peering... 3 Domain Forwarding... 4 External Address Verification... 4

GET THE MESSAGE? Best Practices in Marketing

Stop Spam Now! By John Buckman. John Buckman is President of Lyris Technologies, Inc. and programming architect behind Lyris list server.

SCORECARD MARKETING. Find Out How Much You Are Really Getting Out of Your Marketing

Module: Security. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

How Cisco IT Protects Against Distributed Denial of Service Attacks

Articles Fighting SPAM in Lotus Domino

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

Overview An Evolution. Improving Trust, Confidence & Safety working together to fight the beast. Microsoft's online safety strategy

Why Spamhaus is Your Best Approach to Fighting Spam

Certification. Standards & Requirements

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

Comprehensive Filtering. Whitepaper

Analysis of Spam Filter Methods on SMTP Servers Category: Trends in Anti-Spam Development

Blackbaud Communication Services Overview of Delivery and FAQs

Marketing 201. How a SPAM Filter Works. Craig Stouffer Pinpointe On-Demand cstouffer@pinpointe.com (408) x125

Spam DNA Filtering System

How To Ensure Your Is Delivered

The spam economy: the convergent spam and virus threats

How To Prevent Hacker Attacks With Network Behavior Analysis

1 Accessing accounts on the Axxess Mail Server

Anti-SPAM Policy v

Ipswitch IMail Server with Integrated Technology

Reputation Metrics Troubleshooter. Share it!

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

BotNets- Cyber Torrirism

Questions or a need for further clarification should be directed to your College or department administrator.

Deliverability Demystified:

co Characterizing and Tracing Packet Floods Using Cisco R

CipherMail Gateway Quick Setup Guide

White Paper X-Spam for Exchange Server

e-shot Unique Deliverability

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

How To Protect Your From Spam On A Barracuda Spam And Virus Firewall

s and anti-spam Page 1

Collateral Damage. Consequences of Spam and Virus Filtering for the System. Peter Eisentraut 22C3. credativ GmbH.

Antispam Security Best Practices

Being labeled as a spammer will drive your customers way, ruin your business, and can even get you a big fine or a jail sentence!

Spam - A New Phenomenon

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Welcome! Best Current Practices on spam prevention

Unwanted Traffic: Denial of Service and Spam

INFORMATION SECURITY REVIEW

How To Stop Spam From Being A Problem

Deploying Layered Security. What is Layered Security?

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

The What, Why, and How of Authentication

Denial of Service Attacks

Mail system components. Electronic Mail MRA MUA MSA MAA. David Byers

Detection and Prevention Methods of Botnet-generated Spam

Spammer and Hacker, Two Old Friends

IP Addresses in Clients

Comprehensive Filtering: Barracuda Spam Firewall Safeguards Legitimate

Marketing: Methods to Block Spam

Anti-Spam Measures Survey Pascal Manzano ENISA

Seminar Computer Security

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Towards Proactive Spam Filtering (Extended Abstract)

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Recurrent Patterns Detection Technology. White Paper

Denial of Service. Tom Chen SMU

The Spam/Anti-Spam Battlefield. SANS Institute Masters Presentation by T. Brian Granier

Linux Network Security

DomainKeys Identified Mail DKIM authenticates senders, message content

Threat Trend Report Second Quarter 2007

Networking for Caribbean Development

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

SME- Mail to SMS & MMS Gateway with NowSMS Quick Start Guide

SECURING INFORMATION SYSTEMS

Transcription:

1 Email in the Early 1980s sender Network 1 Mail relay Network 2 Mail relay Network 3 Mail relay: forwards mail to next hop Sender path includes path through relays recipient 2 1

Email Spoofing email sent via SMTP No built-in authentication MAIL FROM field set by sender Classical example of improper input validation Recipient s email server only sees IP address of the direct peer from which it received message 3 Open Relays SMTP relay forwards mail to destination 1. Connects via SMTP (TCP port 25) 2. Sends list of recipients via RCPT TO command 3. Sends email body (once for all recipients!) 4. Relay delivers message Honest relay adds correct Received: header revealing source IP Malicious relay does not have to 4 2

SMTP Header 5 A Closer Look at Spam Inserted by relays Received: by 10.78.68.6 with SMTP id q6cs394373hua; Mon, 12 Feb 2007 06:43:30-0800 (PST) Received: by 10.90.113.18 with SMTP id l18mr17307116agc.1171291410432; Mon, 12 Feb 2007 06:43:30-0800 (PST) Bogus! Return-Path: <wvnlwee@aviva.ro> Received: from onelinkpr.net ([203.169.49.172]) by mx.google.com with ESMTP id 30si11317474agc.2007.02.12.06.43.18; Mon, Puerto 12 Feb 2007 Rico 06:43:30 Mongolia -0800 (PST) Received-SPF: neutral (google.com: 203.169.49.172 is neither permitted nor denied by best guess record for domain of wvnlwee@aviva.ro) Message-ID: <20050057765.stank.203.169.49.172@ASAFTU> From: "Barclay Morales" <wvnlwee@aviva.ro> To: <raykwatts@gmail.com> Subject: You can order both Viagra and Cialis. 6 3

Why Hide Sources of Spam? Many email providers blacklist servers and ISPs that generate a lot of spam Use info from spamhaus.org, spamcop.net Real-time blackhole lists stop 15-25% of spam at SMTP connection time Over 90% after message body checks Usually, BW is already consumed by that time Spammers objective: evade blacklists Botnets come very handy! 7 Thin Pipe / Thick Pipe Spam source is a high-speed broadband host (HSB) which controls a low-speed zombie (LSZ) LSZ TCP sequence numbers HSB TCP handshake SMTP bulk mail (Source IP = LSZ) Target SMTP server Hides IP address of HSB; LSZ is blacklisted HSB goes on to the next LSZ 8 4

Open HTTP Proxies Web cache (HTTP/HTTPS proxy), e.g., squid URL: HTTPS://xyz.com CONNECT xyz.com 443 ClientHello ServerHello To spam: CONNECT <Victim s IP> 25, then issue SMTP Commands i.e, start with http://www.victim.com:25 Squid becomes a mail relay Squid web cache ClientHello ServerHello Why is port 25 enabled, anyway? xyz.com Web server 9 Send-Safe Spam Tool 10 5

Open Relays vs. Open Proxies Open proxy Spammer must send message to each recipient through the proxy Open relay Takes a list of addresses and sends to all Can host an open relay on a zombie Listing services for open proxies and relays http://www.multiproxy.org/ http://www.stayinvisible.com/ http://www.openproxies.com/ ($20/month) 11 Spam Surge [Geer] Two years from now, spam will be solved - Bill Gates, January 2004 12 6

Bobax Worm Infects machines with high bandwidth Exploits MS LSASS (Local Security Authority Subsystem Service) buffer overflow vulnerability Slow spreading (thus hard to detect) Upon manual command from operator, randomly scans for vulnerable machines Installs hacked open relay on infected zombies Once spam zombie added to blacklist, spreads to another machine http://www.m86security.com/labs/spambotitem.asp?article=901 13 IP Blacklisting Not Enough [Ramachandran, Feamster] More than half of client IPs appear less than twice 14 7

Distribution Across Domains [Ramachandran, Feamster] 15 Most Bots Send Little Spam [Ramachandran, Feamster] 16 8

Where Does Spam Come From? [Ramachandran, Feamster] IP addresses of spam sources are widely distributed across the Internet In tracking experiments, most IP addresses appear once or twice; 60-80% not reachable by traceroute Vast majority of spam originates from a small fraction of IP address space Same fraction that most legitimate email comes from Spammers exploit routing infrastructure Create short-lived connection to mail relay, then disappear Hijack a large chunk of unallocated dark space 17 Spambot Behavior [Ramachandran, Feamster] Strong correlation with Bobax infections Most are active for a very short time 65% of Bobax victims send spam once; 3 out of 4 are active for less than 2 minutes 99% of bots send fewer than 100 messages regardless of their lifetime 95% of bots already in one or more blacklists Cooperative detection works, but Problem: false positives! Problem: short-lived hijacks of dark address space 18 9

Stormbot Spam Architecture [Kanich, Kreibich, Levchenko et al. ] Spam templates Custom macro language Polymorphic content Dictionaries Email addresses Subject lines Worker bots generate unique messages for each address, try to deliver, report results to their proxies 19 Major Spambots http://www.marshal.com/trace/traceitem.asp?article=615 20 10

McColo McColo was a San Jose-based hosting provider Hosted command-and-control servers of the biggest spam botnets Rustock, Srizbi, Pushdo/Cutwail, others Disconnected by upstream providers on Nov 11, 2008 75% reduction of spam worldwide 21 Srizbi Rootkit + sophisticated spam mailer 500K zombies, 60 billion spam messages daily More than half of all spam worldwide After McColo takedown, fail-safe code inside bots started generating names of backup domains ypouaypu.com, oryitugf.com, prpoqpsy.com Botmasters regained control by registering these domains (through a Russian registrar) and hosting new C&C servers in Estonia shut down later 22 11

SPAM Countermeasures Legal Technical 23 CAN-SPAM Act (passed in 2003) Legal solution to the problem Bans email harvesting, misleading header information, deceptive subject lines, use of proxies Requires opt-out and identification of advertising Imposes penalties (up to $11K per violation) http://www.ftc.gov/spam FTC report on effectiveness (Dec 2005) 50 cases pursued in the US No impact on spam originating outside the US (60%) Open relays hosted on botnets make it difficult to collect evidence 24 12

SPF (Sender Policy Framework) Spammers put popular domains (e.g., hotmail.com) as FROM sources hotmail flooded by bounced responses What if spammer gets a throwaway domain? Used by AOL and others 25 Domain Keys (DKIM) DNS provides verification key to the recipient Sender s server has to sign email From Yahoo 26 13

S/MIME Sender obtains public-key certificate Sender s server has to sign email; includes certified verification key 27 Graylists Recipient s mail server records (stores) the triple: <sender email, recipient email, peer IP> Each triple kept for 3 days (configuration parameter) First time (triple not in DB): 421 reply Busy Records triple in the database Second time (after 5 minutes): let email pass What is this defense based on? Easily spoofable, but works against many current spammers 28 14

Puzzles and CAPTCHAs Generic defenses against spam and DoS Basic idea: sender must solve a puzzle before email or connection request is accepted Takes effort to solve, but solution easy to check Sender has to pay in computation time Example (Hashcash): find collision in a short hash CAPTCHA: prove that the sender is human Solve a reverse Turing test Only in application layer (e.g., Web) Both are difficult to deploy (why?) 29 Worst CAPTCHA Ever? http://depressedprogrammer.wordpress.com/2008/04/20/worst-captcha-ever/ 30 15

Solve CAPTCHAs for Fun and Profit Third-world data entry specialists will solve CAPTCHAs for 60 cents an hour 31 Gone in Six Seconds Spammers like to create a large number of Gmail and Hotmail accounts, use them to send spam DKIM and SPF don t help (why?) But CAPTCHAs do (how?) Botnet = massive distributed computing platform Use them to solve CAPTCHAs 2008: 6 seconds per CAPTCHA, 10-15% success Now: 20 seconds per CAPTCHA, 12-20% success after Microsoft upgraded their CAPTCHA system 32 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information