AntiSpam - Understanding the good, the bad and the ugly
Transcript

  • 1. AntiSpam Understanding the good, the bad and the ugly By Aseem Jakhar Confidential
  • 2. About Me
    • Security and open source enthusiast.
    • Have worked on many enterprise security products.
    • Have disclosed many security issues to banks/organizations.
    • Speaker at security/open source conferences.
    • Founder of NULL security community.
  • 3. Agenda
    • What is Spam?
    • Spam Side effects
    • Difficult problem to solve
    • Messaging Primer
    • Getting inside a spammer’s mind
    • Layered Security
    • AntiSpam Technologies
    • Exploiting the Loop Holes
  • 4. What is spam?
    • No it’s not the Hormel product.
    • No Standard definition.
    • Differs on an individual basis.
    • UBE, UCE.
    • Ham: non-spam.
  • 5. Spam side effects
    • Bandwidth overload.
    • Storage overload.
    • Loss of end-user productivity.
  • 6. Difficult problem to solve
    • Human Factor
    • Dynamic nature
    • Coming from valid but compromised source
    • Best of buddies: viruses, worms, trojans and spam help each other propagate.
  • 7. Messaging Primer
    • Sending emails
      • SMTP- Simple Mail Transfer Protocol.
      • MUA - Message User Agent (SMTP clients – Outlook).
      • MSA – Message Submission Agent.
      • MTA - Message Transfer Agent (SMTP servers, which also act as clients when relaying – sendmail).
      • MDA - Message Delivery Agent (SMTP Server/Message Store).
    • Retrieving emails
      • POP - Post Office Protocol.
      • IMAP - Internet Message Access Protocol.
    • Email format
      • Envelope and message
      • MIME – Multipurpose Internet Mail Extensions
  • 8. Path of a Message (flow diagram): MUA → MSA/MTA → MTAs → MTA/MDA → Message Store → MUA
  • 9. Email Format: Received Headers
    • Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
    • Return-Path: <xxx@xxxx>
    • Received: from xx.yy.com ( xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
    • Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
    • Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
    • Received: …………….
    • Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
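The Received chain above can be walked back to the originating hop in code. This is an added example, not from the slides; the trusted-host set is an assumption (the MTAs the reader operates), and the sample headers in the comments are constructed with documentation addresses.

```python
import re
from email.utils import parsedate_to_datetime

# Added example (not from the slides): walk the Received headers of slide 9
# back to the originating hop. The trusted-host set is an assumption: it is
# the list of MTAs the reader operates.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                           # name given in HELO/EHLO
    r"(?:\s+\(\s*(?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\s*\))?"   # (rdns [ip]) as seen by the receiver
    r"\s+by\s+(?P<by>\S+)",                                           # MTA that wrote this header
    re.IGNORECASE,
)

def parse_received(value):
    """Parse one Received header value; None for the 'by ... with SMTP' form that has no 'from'."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    date = value.rpartition(";")[2].strip()        # the timestamp follows the last ';'
    try:
        hop["when"] = parsedate_to_datetime(date) if date else None
    except (TypeError, ValueError):
        hop["when"] = None
    return hop

def delivery_path(received_values, trusted_hosts):
    """Hops in delivery order. Each MTA prepends its header, so the last header is the first hop."""
    hops = [h for h in map(parse_received, received_values) if h]
    hops.reverse()
    trusted = {h.lower() for h in trusted_hosts}
    for hop in hops:
        # Only headers written by an MTA we run are reliable; everything the
        # sending side wrote below our boundary could have been fabricated.
        hop["trusted"] = hop["by"].lower() in trusted
    return hops

def origin_ip(hops):
    """Connecting IP recorded by the first trusted MTA: the outermost address we can vouch for."""
    for hop in hops:
        if hop["trusted"]:
            return hop["ip"]
    return None
```

The header the slide shows as `Received: by w.w.w.w with SMTP id ...` carries no `from` clause and is skipped, which is why the hop list is built only from headers that name both ends.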
  • 10. Email Format: Other headers
    • To: yyy@yyyy
    • Cc: xxx xxxx <xxx@xxxx>
    • MIME-Version: 1.0
    • Subject: email format - Attached jpeg image
    • X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971
    • Message-ID: <FOOBAR00000@xxxx>
    • From: xxx xxxx <xxx@xxxx>
    • Date: Thu, 10 Jan 2008 17:16:16 +0530
    • X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18
  • 11. Email Format: MIME contd. And email Body
    • Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="
    • --=_mixed 0040CB5E652573CC_=
    • Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="
    • --=_alternative 0040CB60652573CC_=
    • Content-Type: text/plain; charset="US-ASCII"
    • Hi,
    • This is the email format with attached jpeg image
    • --=_alternative 0040CB60652573CC_=
    • Content-Type: text/html; charset="US-ASCII"
    • <br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif">&nbsp;This is the email format with attached jpeg image</font>……
    • --=_alternative 0040CB60652573CC_=--
    • --=_mixed 0040CB5E652573CC_=
    • Content-Type: image/jpeg; name="Flower_1.jpg"
    • Content-Disposition: attachment; filename="Flower_1.jpg"
    • Content-Transfer-Encoding: base64
    • /9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHY
    • VHpRRW62Doj//Z
    • --=_mixed 0040CB5E652573CC_=--
  • 12. Getting inside a spammer’s mind
    • Intent
      • Marketing
      • Phishing
      • Malware
    • Execution
      • Gathering email addresses
      • Hosting the web site
      • Sending emails
  • 13. Layered Security
    • Server Layer (MTAs)
      • Network Boundary/Gateways.
      • Mail routers.
      • Message Store.
    • Client Layer (MUAs)
      • POP/IMAP/SMTP Proxies.
      • Plugins.
    • No Single antidote.
  • 14. Anti-Spam Technologies - ACLs
    • Blocklists
      • IP/domain/user
    • Whitelists
      • IP/domain/user
    • Types
      • Internal: Application Specific
      • External: Community/Paid servers
        • DNSxLs – standard DNS queries.
  • 15. Anti-Spam Technologies - ACLs
    • Greylisting
      • Something between whitelist and blocklist
      • Exploiting the protocol for good reason.
      • Temporary rejection with 4xy error code
      • Basic 3-tuple stored per attempt: <IP><MFROM><RCPT>
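The greylisting decision on the <IP><MFROM><RCPT> triplet, written out as an added example that is not part of the slides; the delay and retry-window values are assumptions, and the clock is injectable so the behaviour can be checked without waiting.

```python
import time

# Added example (not from the slides): greylisting on the <IP><MFROM><RCPT>
# triplet. A first-time triplet gets a 4xy temporary failure; the same triplet
# coming back after MIN_DELAY is accepted. Delay values are assumptions.
MIN_DELAY = 300          # seconds a new triplet must wait before it is accepted
RETRY_WINDOW = 8 * 3600  # seconds a pending triplet is remembered before it is forgotten

class Greylist:
    def __init__(self, min_delay=MIN_DELAY, retry_window=RETRY_WINDOW, clock=time.time):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.clock = clock            # injectable so tests can fake time
        self.pending = {}             # triplet -> time first seen
        self.passed = set()           # triplets that retried correctly

    @staticmethod
    def _key(ip, mail_from, rcpt_to):
        # Match the sender on its /24 so a retry from a sibling outbound MTA in
        # the same farm is still recognised; addresses compare case-insensitively.
        net = ".".join(ip.split(".")[:3])
        return (net, mail_from.lower(), rcpt_to.lower())

    def check(self, ip, mail_from, rcpt_to):
        """Return the SMTP reply (code, text) for this RCPT TO."""
        key, now = self._key(ip, mail_from, rcpt_to), self.clock()
        if key in self.passed:
            return (250, "2.1.5 OK")
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now       # new (or stale) triplet: start the clock
            return (451, "4.7.1 Greylisted, please retry later")
        if now - first < self.min_delay:
            return (451, "4.7.1 Greylisted, please retry later")
        # Came back after the delay, as a queueing MTA does: let it through.
        del self.pending[key]
        self.passed.add(key)
        return (250, "2.1.5 OK")
```

Nothing but the delay separates a real queueing MTA from a sender that simply retries on a timer, so the verdict is one layer to feed into the others, not a final one.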
  • 16. Anti-Spam Technologies – Content Filtering
    • String/Regex filters
      • static, dumb.
    • Behavioural Filters
      • Look for specific behaviour patterns
    • Bayesian filters
      • Intelligent, require learning time.
      • Accuracy decreases when deployed on server.
  • 17. Anti-Spam Technologies – Content Filtering
    • Signature/fingerprint
      • Fuzzy (Nilsimsa code), good as an add-on.
    • OCR (Optical Character Recognition)
      • Image scanning, not efficient.
  • 18. Anti-Spam Technologies – C/R
    • Challenge-Response systems
      • Recipient challenges the sender
      • Bounce message/SMTP rejection
      • URL click/CAPTCHA test/reply to bounce
      • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
  • 19. Anti-Spam Technologies – Sender Driven
    • SPF (Sender Policy Framework)
      • Anti-forgery
      • Uses DNS SPF/TXT records, IP, domain name of sender
      • Authorized Outbound SMTP for a domain
    • DKIM (DomainKeys Identified Mail)
      • Signed messages
      • Anti-forgery, as signing domain claims responsibility
      • Uses DNS TXT records, DKIM header
      • DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=; b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMn q+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=
  • 20. Anti-Spam Technologies – Sender driven
    • HashCash
      • Proof of work by sender
      • Hard to compute, easy to verify
      • square root/square problem.
      • Partial hash collision (with zero bits)
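The proof-of-work asymmetry above, as an added example that is not from the slides: a stamp in the hashcash v1 layout (`ver:bits:date:resource:ext:rand:counter`) is minted by searching for a SHA-1 digest with the required number of leading zero bits and verified with a single hash. The hex counter and the `seen` set are simplifications of mine; the resource is assumed to contain no colon.

```python
import hashlib
import os
import time

# Added example (not from the slides): hashcash-style stamps. Minting is the
# hard part (about 2**bits SHA-1 evaluations); verifying is one SHA-1.

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest: the size of the partial collision."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int = 20, rand: str = None, date: str = None) -> str:
    """Sender side: increment the counter until the stamp's SHA-1 has `bits` leading zeros."""
    rand = rand or os.urandom(8).hex()
    date = date or time.strftime("%y%m%d")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1

def verify(stamp: str, resource: str, min_bits: int = 20, seen: set = None) -> bool:
    """Receiver side: field checks, one SHA-1, and an optional double-spend set."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False
    bits = int(fields[1])
    if bits < min_bits or fields[3] != resource:
        return False           # too little work, or work done for someone else
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False           # the claimed collision is not there
    if seen is not None:       # each stamp may be spent once
        if stamp in seen:
            return False
        seen.add(stamp)
    return True
```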
  • 21. Anti-Spam Technologies - Heuristics
    • Heuristic filters
      • A combination of above techniques
      • Defines rules, weights and threshold(s)
      • Reduces +ve rate.
    • Reputation systems
      • Advanced heuristics to create reputation.
      • Create reputation of IPs/Domains sending messages
  • 22. Exploiting the Loop Holes – Evading filters
    • ACLs: Greylisting
      • Simulating a simple queue thread with a 4-tuple <MSGID><TIME><MFROM><RCPT>
      • Resending after a predefined time.
    • Content Filtering
      • Run the message content through filters/free email services
      • CAPTCHA effect for OCR
      • Subject: Never agree to be a loser
      • Buck up, your troubles caused by small dimension will soon be over!
      • Initiate a natural growth of your masculine muscle!
      • http://veniutk=2Ecom/
      • control=2E All data was lost at T+5 minutes, 5 seconds=2Ethings happen=2E= We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three couples refused to pled= ge their
  • 23. Exploiting the Loop Holes
    • Sender Driven
      • Creating hashcash (not efficient, not popular)
      • Look for open relays with SPF, DKIM functionality.
      • Bounce Messages from Valid domains
      • Worms sending mails to local MTAs
  • 24. Exploiting the Loop Holes
    • Reputation
      • Sending through free webmail accounts
      • Sample email sent directly and through valid webmail service
      • Sent directly: Spam mailbox
      • Through Webmail: Inbox (Bingo!!)
    • Subject: viagra soma cialis cheap rates oem software low mortgage rates
    • viagra soma cialis cheap rates
    • low mortgage rates oem software for $1
    • penis enlargement for good sex
    • live xxx videos
  • 25. Exploiting the Loop Holes
    • Targeting low priority MX
      • Helps in bypassing filters altogether (if you are lucky that is :-P).
    • Mail Reconnaissance
      • Reading replies from valid (and invalid) addresses
      • Exposes an enormous amount of information
      • Definitely a must for any pen tester
  • 26. References
    • SPF - http://www.ietf.org/rfc/rfc4408.txt
    • DKIM - http://www.dkim.org/
    • SpamAssassin - http://spamassassin.apache.org/
    • Razor - http://razor.sourceforge.net/
    • CAPTCHA - http://www.captcha.net/
    • Bogofilter - http://bogofilter.sourceforge.net/
    • Mailwasher - http://www.mailwasher.net/
    • HashCash - http://www.hashcash.org/
    • Greylisting - http://greylisting.org/
    • Gartner report - http://news.zdnet.com/2100-9595_22-955842.html
    • DNSxLs - http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl-01.txt-16252.txt
  • 27. Thanks
    • QA?
    • Contact me: null _a_t_ null . co . In
    • NULL is having an official meet on 7th Dec at ClubHack
