SPAM: 101 Cause and Effect



Similar documents
The Latest Internet Threats to Affect Your Organisation. Tom Gillis SVP Worldwide Marketing IronPort Systems, Inc.

Using big data analytics to identify malicious content: a case study on spam s

Who will win the battle - Spammers or Service Providers?

Stop Spam Now! By John Buckman. John Buckman is President of Lyris Technologies, Inc. and programming architect behind Lyris list server.

Acceptable Usage Policy

Acceptable Usage Policy

Promoting Network Security (A Service Provider Perspective)

PHISHING IN SEASON TAX TIME MALWARE, PHISHING AND FRAUD

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

ACCEPTABLE USAGE POLICY

Current counter-measures and responses by CERTs

ACCEPTABLE USAGE PLOICY

Hosting Acceptable Use Policy

Reputation Metrics Troubleshooter. Share it!

DNS POISONING, AKA PHARMING, MAKES THE HEADLINES IN NOVEMBER S NEWS

Fraud and Abuse Policy

Broadband Acceptable Use Policy

Cisco & Big Data Security

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

Acceptable Use Policy ("AUP")

Axioma Risk Monitor Global Developed Markets 29 June 2016

Spam blocking methods and experiences

Information Security Threat Trends

Spampots Project First Results of the International Phase and its Regional Utilization

What does it take to deliver the most technologically advanced Games ever?

Evolving threats and counter technology

Service Monitoring Discrimination. Prohibited Uses and Activities Spamming Intellectual Property Violations 5

PineApp Anti IP Blacklisting

How to Stop Spam s and Bounces

Stanford Computer Security Lab. TrackBack Spam: Abuse and Prevention. Elie Bursztein, Peifung E. Lam, John C. Mitchell Stanford University

How To Run A Realtime Blackhole List (Rbl) In Hkong Kong Ken Kong

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

Phone Fax

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

Zscaler Cloud Web Gateway Test

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

NineStar Connect MASS MARKET INTERNET SERVICE POLICIES AND CUSTOMER INFORMATION. Policy Statement:

Malware & Botnets. Botnets

PINELAND TELEPHONE COOPERATIVE DSL SERVICE AGREEMENT

GFI Product Comparison. GFI MailEssentials vs Barracuda Spam Firewall

100% Malware-Free A Guaranteed Approach

How To Get Rid Of A Phish Locker On A Computer (For A Bank)

Deep Security Vulnerability Protection Summary

Software Engineering 4C03 SPAM

Preventing your Network from Being Abused by Spammers

Monitoring the Abuse of Open Proxies for Sending Spam

Security Assessment and Compliance Services

The Network Box Anti-Spam Solution

FIRST WORKING DRAFT FOR PUBLIC COMMENT. StopBadware s Best Practices for Web Hosting Providers: Responding to Malware Reports.

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

The Armstrong Chamberlin Web Hosting Acceptable Use Policy ("AUP")

How To Protect Your From Spam On A Barracuda Spam And Virus Firewall

Spam DNA Filtering System

Network Service, Systems and Data Communications Monitoring Policy

Fraud and Phishing Scam Response Arrangements in Brazil

Service Protection Under The Provider's Acceptable Use Policy

(For purposes of this Agreement, "You", " users", and "account holders" are used interchangeably, and where applicable).

A Phased Framework for Countering VoIP SPAM

STAR TELEPHONE MEMBERSHIP CORPORATION ACCEPTABLE USE POLICY FOR BROADBAND INTERNET SERVICES

Initiative for Cyber Security Information sharing Partnership of Japan (J-CSIP) Annual Activity Report FY2012

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

Vulnerability Assessment & Compliance

ITU WSIS Thematic Meeting on Countering Spam: The Scope of the problem. Mark Sunner, Chief Technical Officer MessageLabs

s and anti-spam Page 1

STOWE COMMUNICATIONS ACCEPTABLE USE POLICY FOR BUSINESS SERVICES HIGH SPEED INTERNET

Consumer ID Theft Total Costs

BGP route monitoring. Mar, 25, 2008 Matsuzaki maz Yoshinobu

Acceptable Use Policy

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Internet and Network Service Provider Network Abuse Management

Acceptable Use Policy

How To Stop Spam From Being A Problem

Webinar: Reputation Services The first line of defense. July 26, 2005

Cablelynx Acceptable Use Policy

VOIP Attacks On The Rise

The Japanese Experience Countering Spam ITU TELECOM WORLD 2006

Top tips for improved network security

SPAM FILTER Service Data Sheet

Comprehensive Filtering. Whitepaper

Terms and Conditions. Acceptable Use Policy Introduction. Compliance with UK Law. Compliance with foreign law

Websense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Hosted Web Security

Embedded Network Solutions Australia Pty Ltd (ENSA) INTERNET ACCEPTABLE USE POLICY

eprism Security Appliance 6.0 Release Notes What's New in 6.0

2012 NORTON CYBERCRIME REPORT

FKCC AUP/LOCAL AUTHORITY

McAfee Endpoint Protection Products

FRANKFORT PLANT BOARD CABLE MODEM INTERNET BROADBAND INTERNET SERVICE DISCLOSURES

On and off premises technologies Which is best for you?

ACCEPTABLE USE POLICY

Dividends Tax: Summary of withholding tax rates per South African Double Taxation Agreements currently in force Version: 2 Updated:

CERT.br Incident Handling and Network Monitoring Activities

Migration Project Plan for Cisco Cloud Security

Executive Summary. McAfee Labs Threats Report: Third Quarter 2013

CentralNic Privacy Policy Last Updated: July 31, 2012 Page 1 of 12. CentralNic. Version 1.0. July 31,

GFI Product Comparison. GFI MailEssentials vs. Trend Micro ScanMail Suite for Microsoft Exchange

Best Practices Top 10: Keep your e-marketing safe from threats

escan Anti-Spam White Paper

Japan s Countermeasures against Spam

An Anti-Spam Action Plan for Canada. Industry Canada

Transcription:

SPAM: 101 Cause and Effect Table of Contents Background: JARING SPAM 101 Effects Lesson Learned Challenges and Propositions 1

Part I: Background on JARING (We're the good guys.) What is JARING? The first ISP in Malaysia (1992: 28 subscribers). Today: 800,000 subscribers Services:- Dial Up, Office Broadband, Wireless Broadband, Dedicated Access, Secure VPN, VOIP Secure Internet Data Centre, Web Hosting, Firewall Solution, E-mail. 6 * /16, 2 * /17, 1 * /18 = 475,136 addresses 8% is allocated for dynamic IP addresses 2

Part II: SPAM 101 (A lot of good things, just focusing on one of the not so good ones, with spammers mostly.) What is Spam and Malware in E-Mail Context? Definitions in the context of JARING E-Mail Service:- Spam: Unsolicited, bulk mail operations. Examples:- Mails duplicated and sent to a high percentage of users, sometimes in a distributed fashion Dictionary attacks launched to harvest working ISP e- mail addresses Malware: Unsolicited mail with virus or worm attached to it. Normally a seasonal phenomena Sizable increase of malware in mails in 2004. 3

Incoming Spam: Impacts to ISPs Waste of Resources: 50-80% of e-mail traffic is Spam. Difficulty of Management: E-mail traffic has spikes, i.e. seasonal malware attacks (MyDoom, Bagle, Netsky). Performance Impact: performance hit in delivering, fetching and managing mails. Inconvenience/Nuisance to customers: A JARING E- mail account receives on average 5-20 spam e-mails per day, depending on popularity of e-mail address in spammers' databases. Incoming Spam: How do ISPs get spammed? Spammers or malware harvest addresses by collecting published / semi-published information using multiple harvesting techniques:- Collect e-mail addresses from websites Collect e-mail addresses from newsgroups Collect e-mail addresses from mailing list archives Fake mails to ISPs to collect probably active e-mail addresses (dictionary attacks). Spam gets sent from:- Spammer-friendly networks (i.e. networks in blocklists) Compromised systems by crackers or malware (increasing!) 4

Outgoing/Linked Spam: How do ISP networks get enlisted into SPAM and Anti SPAMMER s database Hosts machines vulnerable to intrusions and exploits by crackers and/or spammers:- Open Relay/Proxy: mis-configured / worminfected host which allows anyone, anywhere to send mail to any address in the Internet. Mis-configured open relays/proxies: often occur in leased line customers who run their own mail or proxy servers. Worm-infected open relays: often occur in individual dial-up or broadband users, i.e. dynamic IP range. Part III: Effects 5

Enlistment into Anti-SPAMMER s database Spamvertizing. Example: JARING's past SPEWS entry:- SPEWS evidence S2062: the 2 parties:- PERPAY-TWO (PerPay.com / PerPay Sdn Bhd):- JARING delegated 61.6.67.88 61.6.67.95 range Range used to host DNS records for Bullet9 (ns1.exubient.com), Range used to host web space for spammer, i.e. spamvertizing : http://www.wwecourse.com/ :- The URL is linked to in spam mails. Basically hosts more information / supporting system fpr the products and services being advertised by spammers. Bullet9 (Bullet9 Communications):- Major spammer web hosting and bulk mail advertiser, with resources in Malaysia and Russia). July 2003: Listing in Popular Blocklists (Countries) Listings in SPEWS: Countries > Malaysia 102 216 8484 188 568 1279 102 144 153 90 542 65 196 59 324 641 166 Argentina (AR) Australia (AU) Brazil (BR) Canada (CA) China (CN) Germany (DE) Great Britain (GB) Hong Kong (HK) India (IN) Korea, Republic of (KR) Malaysia (MY) Netherlands (NL) Nigeria (NG) Russian Federation (RU) Taiwan (TW) unknown USA (US) 6

July 2003: Addresses in Popular Blocklists (Countries) Addresses in SPEWS: Countries > Malaysia 3006339 Australia (AU) AU, US Canada (CA) China (CN) 679892 Germany (DE) Denmark (DK) Great Britain (GB) 50147 196025 65668 60809 55931 85187 59019 136433 71951 89315 2294432 131350 125996 512 220613 India (IN) Korea, Republic of (KR) Malaysia (MY) Netherlands (NL) New Zealand (NZ) Russian Federation (RU) Taiwan (TW) unknown USA (US) South Africa (ZA) Total Addresses in SPEWS: 7347714 14000 JARING Incident Reports (2003) 12000 10000 8000 6000 4000 2000 0 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Source : Emails sent to abuse@jaring.my Harrasment Email Abuse Fraud & Forgery Intrusion Virus Billing Open Relay Hack Threat Spamming 7

JARING Incident Reports (2004) 2500 2000 1500 1000 500 0 Jan Feb Mar Apr May Jun Source : Emails sent to abuse@jaring.my Harrassment Email Abuse Fraud & Forgery Intrusion Virus Copyright Issues Billing Open Relay Hack Threat Spamming JARING Spam Incident Reports (2004) 2000 1770 1795 1800 1615 1632 1600 1496 1400 1274 1200 1000 800 600 400 200 0 Jan-04 Feb-04 Mar-04 Apr-04 May-04 Jun-04 Source : Emails sent to abuse@jaring.my From Customer To Customer To Internal Teams Total Spam Incidents 8

Part IV: Lessons Learned "Experience is a harsh teacher. It first gives you the test then the lesson." What Really Happened? In February 2003, 4 new accounts started operating under 2 company names. 2 more accounts started operating in May and June 2003, each under 2 different companies. During these periods, spam complaints shot up, and each company were dealt with separately (given ample time to respond, 2 nd chances, etc). We monitored and found out in July 2003 that all these companies are actually the same spammer using spam-vertised mode. Suspended them immediately, and started termination process. Finally removed from SPEWS October 2003. 9

How did we get delisted? Only people behind SPEWS knows. But what we did was:- Trace spamvertizing accounts (6) to their root (identified as one spammer), and blacklist the person. Clean up our networks from these accounts: Suspend+disconnect them immediately, then terminate them. Renew AUP, improve and detail out antispam enforcements. http://www.jaring.my/corporate/aup/index.html I thought we are handling spam cases? Current processes were inadequate. Examples:- Inadequate policy, its enforcements and awareness, especially to downstream providers / hosting companies. Many customers are unaware of how to handle spamming cases in networks delegated to them Some are not sensitive to spam, I.e. subscribe to spammers services to promote their products and services Meanwhile, antispam community, especially blocklist maintainers, push for ISPs to play much greater role in ensuring that all their customers networks are spamsource-free. (i.e. no open relays, spammers, worm-infected hosts, etc). Spammers are terminated, but able to register again. Global spammer networks like Bullet9 possibly have agents in Malaysia, registering company names used to hop around JARING (and other ISPs) networks. 10

Action #1: AUP Review Previous AUP (Terms and Conditions):- You agree not to use the Forums or any other service provided by JARING to: b) Upload, post, e-mail, publish, transmit or distribute any material containing any unsolicited or unauthorized advertising, promotions, surveys, junk mail, chain letters, pyramid schemes, or any other form of solicitation of goods and services; Needed stronger emphasis and detail. Published and Enforced new AUP:- http://www.jaring.my/corporate/aup/index.html Action #2: Improve Enforcements (Part 1) Be strict:- Terminate customers who are proven to spam at first proven record of spam, I.e. no second chances (Exceptions: genuine negligence such as open relay). Be thorough:- Monitor posting in blocklists, NANAE and NANAS, and take action on them ASAP. Maintain own terminated companies / CEOs / contact persons responsible for spammer accounts, to be used for background checks on each new account, and made available to public, or at least all downstream providers. 11

Action #2: Improve Enforcements (Part 2) Be proactive:- Downstream providers / hosting companies must be required to employ at least the same standards as JARING in terms of abuse management and policy enforcements Maintain awareness among the downstream admins, I.e. set up mailing list for abuse-related discussions and announcements. Action #3: Review Registration Process Do background checks on ALL potential corporate customers:- Check company details, profile, key persons, etc. against JARING blocklist database Check for any current or past affiliation with major global spammers like bullet9 or others found in Spamhaus s ROKSO database. If potential customer is a provider / hosting company, ensure they are aware of their responsibilities etc. as in our AUP and abuse management policies. 12

Action #4: Technical Preventive Steps Re-arrange networks to distance different classes of users (avoid mixed dynamic and static ranges) For e-mail services: scan and remove as much malware and spam as feasibly possible at the e-mail gateway (MX) level, while minimizing false positives and provide as much control to the customer as feasibly possible. Monitor smtp traffic for spikes and spam patterns, and alert standby personnel for verification. Block the spamming host if verified. Monitor other traffic and resources (e.g. newsgroups) for spam instances attributed to the ISP. Part V: Challenges and Propositions 13

Challenge #1: Spammers Are Still Here JARING booted them out, but they move to other ISPs. Watch out! Check for your ISP range in blocklists. Spam prevention Spam filter Policies and framework Laws and regulation 14

Proposition #1: ISPs Unite Against Spammers Proposition: ISPs need to work together! Some suggestions of what we have to maintain:- A shared resource among Asian ISPs, or at least among local ISPs, of blacklisted customers (companies, individuals, etc). A shared whitelist networks (ISP architecture networks, for exceptions in each others' blocklists) Publish ISP's dynamic IP range (for blocking certain activities such as direct-to-mx) Raise awareness / enforce security on users (e.g. audit customer networks and notify). Proposition #2: Stronger Antispam Legislation Stronger policies, e.g.:- http://www.jaring.my/corporate/aup/index.html Proposition: Work with regulators to discuss ways to close holes exploited by spammers (after termination, registering as some other company under someone else's name). Include Spam as part of Cyber Crime. ISPs and regulators work together with international antispam efforts, to regain back the country's tarnished reputation w.r.t. Spam. 15

Proposition #3: Education, Education The actions outlined in new policies require educating every level within the ISP organisation:- Enforcers Sales Technical Downstream providers End users Customer/User Education also vital: e.g. FAQs on spam and other security issues. (http://www.jaring.my/corporate/aup/index.html) Raise awareness on other areas prone to spam (mobile, fax, phone, etc). Thank You. Mahizzan@jaring.my Abuse@jaring.my 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information