Source: my.eng.utah.edu/cs5480/notes/spam-lecture-11-Sep-07.pdf

Preview excerpt (slide 3):
Botnets and Spammers
• Example: Storm worm currently running on up to 50 million infected computers.

Transcript
Spam, Spam and More Spam
cs5480/cs6480
Matthew J. Probst
*with some slides/graphics adapted from J.F. Kurose and K.W. Ross

Spammers: Cost to Send
Assuming a $10/mo dialup account:
• 13.4 million messages per month might be sent…
• A cost of about 1 penny per 14,300 messages
• Free trials make it free!

You: Cost to Receive
• 10+ billion spam sent each day
• At 5 seconds per spam (to recognize & delete)…
• That’s 50 billion seconds of lost productivity each day (39,457 work years)
• Assuming $36k average income per person: $1.5 billion per day in lost productivity to the economy.

• Simple: Source MTA limits the number/rate of emails from individual senders.
• Limit on:
  Max recipients per message
  Max messages per time period
  etc.
Problems?
Spammers can code their own MTAs.
Millions of throttled bots can still spam-a-lot!
[Diagram: Alice's user agent → Alice.com MTA → (SMTP) → Bob.com MTA → (POP3 or IMAP) → Bob's user agent; the Alice.com MTA enforces a rate limit, labelled 25M/H]

SPF (Sender Policy Framework)
• Recipient MTA filter
• TXT DNS record on a domain that lists “authorized” relays for email marked as coming from that domain.
Problems?
Only effective with mass adoption.
Spammers comply with SPF.
[Diagram: Alice's user agent → Alice.com MTA (13.1.1.1) → (SMTP) → Bob.com MTA → (POP3 or IMAP) → Bob's user agent; Bob.com MTA queries Alice.com DNS ("spf?") and checks whether 13.1.1.1 is an authorized relay]

Relay Blacklists (RBLs)
• Recipient MTA filter
• DB of IP addresses (and blocks) that should not be allowed to relay email.
• 100s of lists publicly available.
• Mail servers commonly use several RBLs.
• Individually and group maintained.
• Conservative vs. ultraliberal inclusion.
Problems?
Take it or leave it, one-size-fits-all (is either too aggressive or too passive).
Central RBL servers easy to DDoS.
If done within network, then prevents SMTP-AUTH.

Relay Whitelists
• Recipient MTA filter
• Automatically allows email from specific domains, relays and senders through.
Problems?
Easy to get out of date?
Spammers can use legitimate email addresses, ISPs and domains (botnets, etc.).
[Diagram: Alice's user agent → Alice.com MTA (13.1.1.1) → (SMTP) → Bob.com MTA → (POP3 or IMAP) → Bob's user agent; Bob.com MTA asks DNSwl1, DNSwl2 and DNSwl3 "13.1.1.1 ok?" and each answers "OK!"]

Greylists
• Don’t fully allow (not a whitelist).
• Don’t completely block (not a blacklist).
• Slow down handshaking & negotiation (tarpit)… and/or take more time/resources to scan.
Problems?
Tarpitting doesn’t block very determined spammers.

Tricking Spammers
• Require MTAs to adhere to the full SMTP RFC.
• Point the primary MX record at a null sink.
• Secondary MX record points to the real MTA.
Problems?
Spammers can make their MTAs smarter.
Some spammers use existing ISP MTAs.
[Diagram: Alice.com MTA asks Bob.com DNS "bob.com mx?" and receives 14.1.1.1, 14.1.1.2; SMTP to 14.1.1.1 (fake MTA) → FAIL!; SMTP to the real Bob.com MTA (14.1.1.2) → (POP3 or IMAP) → Bob's user agent]

Domain Keys Identified Mail (DKIM)
• Sender MTA signs message hash w/ priv key.
• Adds signature as new header: “DomainKey-Signature”
• Recipient MTA uses DNS TXT record to find public key to authenticate signature.
Problems?
Adoption.
Spammer domains can conform.
Spammers can use legitimate ISP account.
[Diagram: Alice's user agent → Alice.com MTA (signs message) → (SMTP) → Bob.com MTA (authenticates message) → (POP3 or IMAP) → Bob's user agent; Bob.com MTA queries Alice.com DNS "Pub Key?" and receives <PubKey>]

S/MIME Signatures
• Senders obtain a digital cert from a legitimate Certificate Authority (CA).
• Can use the cert for both signing as well as encryption of messages.
• Recipients can verify certs via certificate chain (just like web browsers).
Problems?
Adoption.
Cost of per-sender cert.
[Diagram: Alice's user agent → Alice.com MTA → (SMTP) → Bob.com MTA → (POP3 or IMAP) → Bob's user agent; sender signs message, recipient verifies signature, with the CA as trust anchor]

Bayesian Content Filters
• Recipient filter
• Individualized DB. Requires training.
• Learns common words & phrases from spam.
• Spam “scoring” given to each message.
Problems?
Randomized spam content.
Misspellings.
JPEG/PDF spam.
[Diagram: Alice's user agent → Alice.com MTA → (SMTP) → Bob.com MTA → (POP3 or IMAP) → Bob's user agent; Bob.com MTA looks up Hash(“Viagra”) in its DB → SPAM!]
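As an added example (not from the lecture), a minimal Graham-style Bayesian scorer trained on a constructed toy corpus. It shows the per-token "scoring" the slide describes and why the listed misspellings problem works: a token like "v1agra" has never been seen in training, so it contributes almost no evidence and the message falls below the spam threshold.

```python
import math
import re
from collections import Counter

# Constructed toy corpus (not from the lecture) standing in for the recipient's trained DB.
SPAM_TRAIN = ["buy cheap viagra now free pills",
              "cheap viagra online free shipping",
              "free money click now cheap offer"]
HAM_TRAIN = ["meeting tomorrow about the network lecture",
             "can you review my smtp notes before class",
             "lecture slides for cs5480 are posted"]
UNSEEN_PROB = 0.4  # Graham's near-neutral value for a token never seen in training

def tokens(text):
    # Lower-case word tokens, each counted once per message.
    return set(re.findall(r"[a-z0-9$']+", text.lower()))

def train(spam, ham):
    # Per-token message counts for each class, plus the class sizes.
    spam_counts, ham_counts = Counter(), Counter()
    for msg in spam:
        spam_counts.update(tokens(msg))
    for msg in ham:
        ham_counts.update(tokens(msg))
    return spam_counts, ham_counts, len(spam), len(ham)

def token_prob(tok, model):
    # P(spam | token) clipped to [0.01, 0.99]; ham counts doubled (Graham's bias
    # against false positives). A never-seen token carries almost no evidence.
    spam_counts, ham_counts, n_spam, n_ham = model
    s = spam_counts[tok] / n_spam
    h = 2 * ham_counts[tok] / n_ham
    if s + h == 0:
        return UNSEEN_PROB
    return min(0.99, max(0.01, s / (s + h)))

def score(text, model):
    # Combine as P/(P+Q) with P = prod(p), Q = prod(1-p), in log space; the exponent
    # is capped so a long, very hammy message cannot overflow. No tokens gives 0.5.
    probs = [token_prob(t, model) for t in tokens(text)]
    if not probs:
        return 0.5
    log_p = sum(math.log(p) for p in probs)
    log_q = sum(math.log(1 - p) for p in probs)
    return 1 / (1 + math.exp(min(700.0, log_q - log_p)))
MODEL = train(SPAM_TRAIN, HAM_TRAIN)

if __name__ == "__main__":
    # The misspelled variant defeats the word-based model: every token is unseen.
    for msg in ("cheap viagra free", "ch3ap v1agra fr33", "lecture notes tomorrow"):
        print(f"{score(msg, MODEL):.4f}  {msg}")
```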
Vipul’s Razor
• Recipient filter.
• Hash of email body or paragraphs (message “signature”). Look up this signature in a centralized DB of known spam.
• Only “Authorized Reporters” can register spam signatures.
Problems?
• Randomized content
• JPEG/PDF spam.
[Diagram: Alice's user agent → Alice.com MTA → (SMTP) → Bob.com MTA (computes signature) → (POP3 or IMAP) → Bob's user agent; Bob.com MTA asks the Razor DB servers "2e821f039 ok?" and each answers "OK!"]

Spam Training Honeypots
• Dedicate an inbox to receive only spam.
• Randomly generated name: