AntiSpam - Understanding the good, the bad and the ugly
Transcript

  • 1. AntiSpam - Understanding the good, the bad and the ugly
    By Aseem Jakhar
  • 2. About Me
    - Security and open source enthusiast.
    - Have worked on many enterprise security products.
    - Have disclosed many security issues to banks/organizations.
    - Speaker at security/open source conferences.
    - Founder of the NULL security community.
  • 3. Agenda
    - What is spam?
    - Spam side effects
    - Difficult problem to solve
    - Messaging primer
    - Getting inside a spammer's mind
    - Layered security
    - AntiSpam technologies
    - Exploiting the loop holes
  • 4. What is spam?
    - No, it's not the Hormel product.
    - No standard definition; it differs on an individual basis.
    - The usual working definitions: UBE (Unsolicited Bulk Email) and UCE (Unsolicited Commercial Email).
    - Ham: non-spam.
  • 5. Spam side effects
    - Bandwidth overload.
    - Storage overload.
    - Loss of end-user productivity.
  • 6. Difficult problem to solve
    - Human factor: what is spam to one recipient is wanted mail to another.
    - Dynamic nature: spammers adapt to every filter that gets deployed.
    - Often comes from valid but compromised sources (infected hosts, hijacked accounts), so the source cannot simply be blocked.
    - Best of buddies: viruses, worms, trojans and spam help each other propagate. Malware builds the botnets that send the spam; the spam delivers the malware.
  • 7. Messaging primer
    - Sending emails
      - SMTP - Simple Mail Transfer Protocol.
      - MUA - Message User Agent (SMTP client, e.g. Outlook).
      - MSA - Message Submission Agent (accepts mail from MUAs, usually after authentication).
      - MTA - Message Transfer Agent (SMTP server that also acts as an SMTP client when it relays onward, e.g. sendmail).
      - MDA - Message Delivery Agent (final-hop SMTP server that writes into the message store).
    - Retrieving emails
      - POP - Post Office Protocol.
      - IMAP - Internet Message Access Protocol.
    - Email format
      - Envelope (the SMTP MAIL FROM / RCPT TO) and message (headers and body).
      - MIME - Multipurpose Internet Mail Extensions.
  • 8. Path of a message
    MUA -> MSA/MTA -> (relaying MTAs) -> MTA/MDA -> Message Store -> MUA
  • 9. Email format: Received headers
    Read them bottom-up: every MTA that handles the message prepends its own Received line, so the topmost one was added by the last hop (your own server) and is the only one you can trust; everything below it arrived with the message and can be forged by the sender.

    Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
    Return-Path: <xxx@xxxx>
    Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
    Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
    Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
    Received: ...
    Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
  • 10. Email format: Other headers
    To: yyy@yyyy
    Cc: xxx xxxx <xxx@xxxx>
    MIME-Version: 1.0
    Subject: email format - Attached jpeg image
    X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971
    Message-ID: <FOOBAR00000@xxxx>
    From: xxx xxxx <xxx@xxxx>
    Date: Thu, 10 Jan 2008 17:16:16 +0530
    X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18
  • 11. Email format: MIME contd. and email body
    Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="

    --=_mixed 0040CB5E652573CC_=
    Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="

    --=_alternative 0040CB60652573CC_=
    Content-Type: text/plain; charset="US-ASCII"

    Hi,
    This is the email format with attached jpeg image
    --=_alternative 0040CB60652573CC_=
    Content-Type: text/html; charset="US-ASCII"

    <br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif">&nbsp;This is the email format with attached jpeg image</font>......
    --=_alternative 0040CB60652573CC_=--
    --=_mixed 0040CB5E652573CC_=
    Content-Type: image/jpeg; name="Flower_1.jpg"
    Content-Disposition: attachment; filename="Flower_1.jpg"
    Content-Transfer-Encoding: base64

    /9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHY
    ...
    VHpRRW62Doj//Z
    --=_mixed 0040CB5E652573CC_=--
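The two slides above (the Received chain and the MIME tree) are what a filter or an incident responder has to take apart first. The following is an added example, not code from the talk: it parses a constructed message (documentation hostnames and addresses, a two-hop Received chain, multipart/alternative text plus a base64 JPEG whose first bytes are the JPEG SOI marker) with Python's standard email package, lists the hops oldest-first and walks the MIME leaves. The message and all names in it are made up for the example.

```python
import re
from email import message_from_bytes, policy

# Constructed sample message (not the message from the slides). Two Received
# hops, a multipart/alternative body and a base64 JPEG attachment.
RAW = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby store.example.net with ESMTP id abc123;
\tThu, 10 Jan 2008 04:04:07 -0800 (PST)
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
\tby mx.example.org (8.13.1/8.13.1) with ESMTP id def456
\tfor <alice@example.net>; Thu, 10 Jan 2008 17:16:11 +0530
Return-Path: <bob@sender.example>
From: Bob <bob@sender.example>
To: alice@example.net
Subject: email format - Attached jpeg image
Date: Thu, 10 Jan 2008 17:16:16 +0530
Message-ID: <constructed-0001@sender.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_mixed_outer"

--=_mixed_outer
Content-Type: multipart/alternative; boundary="=_alt_inner"

--=_alt_inner
Content-Type: text/plain; charset="US-ASCII"

Hi,
This is the email format with attached jpeg image
--=_alt_inner
Content-Type: text/html; charset="US-ASCII"

<font size=2 face="sans-serif">Hi,</font><br><font size=2 face="sans-serif">This is the email format with attached jpeg image</font>
--=_alt_inner--
--=_mixed_outer
Content-Type: image/jpeg; name="Flower_1.jpg"
Content-Disposition: attachment; filename="Flower_1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYI
--=_mixed_outer--
"""


def parse(raw: bytes):
    """Parse a raw RFC 5322 message; policy.default unfolds header lines."""
    return message_from_bytes(raw, policy=policy.default)


def received_chain(msg):
    """Return the Received hops oldest-first.

    The message lists them newest-first, so we reverse. Only the LAST hop in
    the returned list (the one our own MTA added) is trustworthy; every
    earlier hop was supplied by the sender and may be forged.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())            # collapse folding whitespace
        frm = re.match(r"from\s+(\S+)", text)         # HELO/rDNS name claimed
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", text)  # bracketed literal IP
        by = re.search(r"\bby\s+(\S+)", text)          # the MTA that wrote the line
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "date": text.rsplit(";", 1)[1].strip() if ";" in text else None,
        })
    return hops


def mime_parts(msg):
    """Describe every MIME leaf: type, filename, transfer encoding, decoded size."""
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue                                  # containers carry no payload
        payload = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        parts.append({
            "type": part.get_content_type(),
            "filename": part.get_filename(),
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "size": len(payload),
            "head": payload[:3],                      # magic bytes, e.g. FF D8 FF for JPEG
        })
    return parts


if __name__ == "__main__":
    msg = parse(RAW)
    for i, hop in enumerate(received_chain(msg)):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['date']}")
    for part in mime_parts(msg):
        print(part)
```

Checking the magic bytes of an attachment against its declared Content-Type is a cheap, useful test: the name says .jpg, the decoded payload says what it really is.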
  • 12. Getting inside a spammer's mind
    - Intent
      - Marketing
      - Phishing
      - Malware
    - Execution
      - Gathering email addresses
      - Hosting the web site
      - Sending emails
  • 13. Layered security
    - Server layer (MTAs)
      - Network boundary/gateways.
      - Mail routers.
      - Message store.
    - Client layer (MUAs)
      - POP/IMAP/SMTP proxies.
      - Plugins.
    - No single antidote.
  • 14. Anti-spam technologies - ACLs
    - Blocklists
      - IP/domain/user
    - Whitelists
      - IP/domain/user
    - Types
      - Internal: application specific.
      - External: community/paid servers.
        - DNSxLs (DNS block/white lists), queried with standard DNS lookups: reverse the octets of the client IP, query that as a name under the list's zone, and an A record in the answer means "listed".
  • 15. Anti-spam technologies - ACLs
    - Greylisting
      - Something between whitelist and blocklist.
      - Exploits the protocol for a good reason: a real MTA must queue and retry after a temporary failure; most spamware fires once and never retries.
      - Temporary rejection with a 4xx SMTP reply (typically 450/451) on first contact; a retry after the minimum delay is accepted.
      - Basic 3-tuple stored per delivery attempt: <client IP><MAIL FROM><RCPT TO>.
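The greylisting logic on this slide fits in a few dozen lines. What follows is an added example written for this page, not code from the talk or from greylisting.org: a triplet-keyed greylister with a minimum retry delay, a retry window and a whitelist TTL, exercised by a simulation with a fake clock. The timings and IPs are made up; the simulation also shows the weak spot that slide 22 describes later, a bot that keeps its own retry queue is indistinguishable from a retrying MTA.

```python
import time


class Greylist:
    """Greylister keyed on the (client IP, MAIL FROM, RCPT TO) triplet.

    First sight of a triplet -> temporary reject (SMTP 450). A retry that
    arrives after `min_delay` but within `max_wait` is accepted and the
    triplet is whitelisted for `ttl` seconds so later mail is not delayed.
    Constructed defaults: 5 minute delay, 4 hour window, 36 day whitelist.
    """

    def __init__(self, min_delay=300, max_wait=4 * 3600, ttl=36 * 24 * 3600, clock=time.time):
        self.min_delay = min_delay      # retries sooner than this are rejected again
        self.max_wait = max_wait        # triplets not retried within this are forgotten
        self.ttl = ttl                  # how long a passed triplet stays whitelisted
        self.clock = clock              # injectable for testing
        self.seen = {}                  # triplet -> (first_seen, whitelisted_until)

    def check(self, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply to give at RCPT TO time."""
        now = self.clock()
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first, until = self.seen.get(key, (None, None))
        if until is not None and now < until:
            return "250 OK"                                  # already whitelisted
        if first is None or now - first > self.max_wait:
            self.seen[key] = (now, None)                     # new (or stale) triplet
            return "450 4.7.1 Greylisted, try again later"
        if now - first < self.min_delay:
            return "450 4.7.1 Greylisted, try again later"   # retried too eagerly
        self.seen[key] = (first, now + self.ttl)             # retry in window: pass
        return "250 OK"


class FakeClock:
    """Deterministic clock so the simulation runs instantly."""

    def __init__(self, t=1_200_000_000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Replay a legitimate MTA and two kinds of spam bot against the greylister."""
    clock = FakeClock()
    gl = Greylist(min_delay=300, clock=clock)
    legit = ("198.51.100.7", "bob@sender.example", "alice@example.net")
    bot = ("203.0.113.9", "bulk@spammer.example", "alice@example.net")
    log = []
    log.append(("bot, fire and forget", gl.check(*bot)))       # 450; this bot never retries
    log.append(("mta, first try", gl.check(*legit)))           # 450; a real MTA queues the mail
    clock.advance(60)
    log.append(("mta, retry too soon", gl.check(*legit)))      # 450; under min_delay
    clock.advance(600)
    log.append(("mta, retry after 11 min", gl.check(*legit)))  # 250; triplet whitelisted
    log.append(("mta, next message", gl.check(*legit)))        # 250; no delay any more
    clock.advance(900)
    # A bot that keeps a <msgid, time, from, rcpt> queue and resends later
    # looks exactly like the MTA above: the triplet carries no proof of
    # anything except patience.
    log.append(("bot with retry queue", gl.check(*bot)))       # 250
    return log


if __name__ == "__main__":
    for what, reply in simulate():
        print(f"{what:28s} -> {reply}")
```

Greylisting buys a delay and a drop in volume, not authentication; pair it with the DNSxL and reputation checks from the neighbouring slides rather than relying on it alone.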
  • 16. Anti-spam technologies - Content filtering
    - String/regex filters
      - Static, dumb: evaded by rewording or obfuscating the text.
    - Behavioural filters
      - Look for specific behaviour patterns.
    - Bayesian filters
      - Intelligent, require learning time (a corpus of classified ham and spam).
      - Accuracy decreases when deployed on the server: one shared corpus averages over users who disagree on what spam is.
  • 17. Anti-spam technologies - Content filtering
    - Signature/fingerprint
      - Exact hashes break on the smallest change, so fuzzy fingerprints are used (Nilsimsa code, a locality-sensitive hash where similar messages give similar digests); good as an add-on.
    - OCR (Optical Character Recognition)
      - Scanning the text inside image spam; not efficient.
  • 18. Anti-spam technologies - C/R
    - Challenge-Response systems
      - Recipient challenges the sender.
      - Bounce message / SMTP rejection.
      - URL click / CAPTCHA test / reply to the bounce.
      - CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart.
      - Caveat: the challenge goes to the sender address, and spam sender addresses are usually forged, so C/R turns every spam into an unsolicited challenge to an innocent third party.
  • 19. Anti-spam technologies - Sender driven
    - SPF (Sender Policy Framework)
      - Anti-forgery for the envelope sender: the receiving MTA checks the MAIL FROM (or HELO) domain, not the From: header the user sees.
      - Uses DNS SPF/TXT records, the connecting IP and the domain name of the sender.
      - The record lists the authorized outbound SMTP hosts for a domain.
    - DKIM (DomainKeys Identified Mail)
      - Signed messages: selected headers and a hash of the body are signed with the domain's private key.
      - Anti-forgery, as the signing domain claims responsibility for the message.
      - Uses DNS TXT records for the public key (looked up at <selector>._domainkey.<domain>; for the header below that is gamma._domainkey.gmail.com) and a DKIM-Signature header:
        DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
          h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;
          bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=;
          b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMnq+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=
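To make the SPF bullet concrete, here is an added example (written for this page, not from the talk or from any SPF library) of how a receiver evaluates a domain's record for the connecting IP. DNS is replaced by a constructed zone table so it runs offline; the domains, IPs and records in it are made up. It handles the ip4, ip6, a, include and all mechanisms with their qualifiers, which covers the bulk of real records; mx, ptr, exists and CIDR suffixes on a are left out and reported as permerror. Note that `domain` is the envelope MAIL FROM domain, which is why SPF alone does not stop a forged From: header.

```python
import ipaddress

# Constructed stand-in for DNS (documentation names and addresses). A real
# check would query TXT and A records for these names.
ZONE = {
    "sender.example": {
        "TXT": "v=spf1 ip4:198.51.100.0/24 a include:_spf.bulk.example -all",
        "A": ["192.0.2.25"],
    },
    "_spf.bulk.example": {"TXT": "v=spf1 ip4:203.0.113.0/26 ~all"},
    "loose.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 ~all"},
    "nospf.example": {},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` (the MAIL FROM domain) for the
    SMTP client address `client_ip`.

    Returns pass / fail / softfail / neutral / none / permerror. Mechanisms
    are tried left to right; the first one that matches decides, with its
    qualifier giving the result. No match and no 'all' term means neutral.
    """
    if depth > 10:                       # RFC 4408 caps DNS-querying mechanisms
        return "permerror"
    record = ZONE.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # `in` is False for a mismatched address family, so an IPv6
            # client never matches an ip4 term and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "a":
            for addr in ZONE.get(arg or domain, {}).get("A", []):
                if ip == ipaddress.ip_address(addr):
                    return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the included policy says pass;
            # fail/softfail/neutral from the included domain is "no match"
            if spf_check(client_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"           # mx / ptr / exists etc. not implemented here
    return "neutral"


if __name__ == "__main__":
    for ip_, dom in [("198.51.100.7", "sender.example"), ("192.0.2.25", "sender.example"),
                     ("203.0.113.5", "sender.example"), ("203.0.113.100", "sender.example"),
                     ("203.0.113.1", "loose.example"), ("192.0.2.1", "nospf.example")]:
        print(f"{ip_:>15} {dom:18s} -> {spf_check(ip_, dom)}")
```

The `~all` record of loose.example is the common deployment mistake: softfail is advisory, so most receivers only add a little score and still deliver, which is why the slide's open-relay trick (slide 23) works better against softfail domains than against `-all`.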
  • 20. Anti-spam technologies - Sender driven
    - HashCash
      - Proof of work by the sender, carried in an X-Hashcash: header.
      - Hard to compute, easy to verify (the square-root/square asymmetry: finding the root is slow, checking the square is one multiplication).
      - Partial hash collision against zero bits: the sender searches for a counter that makes the SHA-1 of the stamp start with N zero bits; the recipient checks with a single hash.
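An added example of the mechanism above, written for this page rather than taken from hashcash.org's tool: minting a version-1 stamp and verifying it. The stamp layout `1:bits:date:resource::rand:counter` and the SHA-1 leading-zero-bits rule are hashcash's; the choice to keep the counter as a decimal string, the 28-day freshness window and the in-memory double-spend set are this example's own. The verifier does every check a receiver needs: format, claimed bits, actual bits, resource, date, and that the stamp has not been presented before.

```python
import base64
import datetime
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource: str, bits: int = 20, date: str = None, rand: str = None) -> str:
    """Mint a stamp for `resource` (the recipient address) whose SHA-1 begins
    with `bits` zero bits. Expected cost: about 2**bits hashes. The counter
    is a decimal string here (the reference tool base64-encodes it; any string
    that makes the hash come out right is valid)."""
    date = date or datetime.date.today().strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(6)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int = 20, max_age_days: int = 28,
           today: datetime.date = None, spent: set = None) -> bool:
    """Accept the stamp only if it is well formed, claims at least `min_bits`,
    really has that many zero bits, names our resource, is fresh, and (when a
    `spent` set is supplied) has not been used before. One SHA-1 to check."""
    try:
        ver, bits, date, res, _ext, _rand, _counter = stamp.split(":")
        bits = int(bits)
        stamp_date = datetime.datetime.strptime(date, "%y%m%d").date()
    except ValueError:
        return False
    if ver != "1" or res != resource or bits < min_bits:
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False                                  # claimed work was not done
    today = today or datetime.date.today()
    if abs((today - stamp_date).days) > max_age_days:
        return False                                  # stale or post-dated stamp
    if spent is not None:
        if stamp in spent:
            return False                              # replayed stamp
        spent.add(stamp)
    return True


if __name__ == "__main__":
    s = mint("alice@example.net", bits=16)            # a fraction of a second
    print("X-Hashcash:", s)
    print("verify:", verify(s, "alice@example.net", min_bits=16))
```

The double-spend set is what makes the scheme hold up: without it a spammer mints one stamp per recipient and reuses it for every message to that recipient, paying the cost once.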
  • 21. Anti-spam technologies - Heuristics
    - Heuristic filters
      - A combination of the above techniques.
      - Defines rules, weights and threshold(s): every rule that fires adds its weight, and the message is classed as spam when the total crosses the threshold.
      - Reduces the false-positive rate, since no single rule condemns a message on its own.
    - Reputation systems
      - Advanced heuristics to create reputation.
      - Create reputation of IPs/domains sending messages.
  • 22. Exploiting the loop holes - Evading filters
    - ACLs: Greylisting
      - Simulate a simple queue thread with a 4-tuple <MSGID><TIME><MFROM><RCPT>.
      - Resend after a predefined time; the greylister cannot tell a retrying bot from a retrying MTA.
    - Content filtering
      - Run the message content through filters/free email services until it passes.
      - CAPTCHA effect for OCR: distort the text in image spam.
      - Obfuscate the text and pad it with unrelated prose, as in this sample (=2E is the quoted-printable encoding of ".", so a filter matching on the raw body never sees "veniutk.com"):

        Subject: Never agree to be a loser
        Buck up, your troubles caused by small dimension will soon be over!
        Initiate a natural growth of your masculine muscle!
        http://veniutk=2Ecom/
        control=2E All data was lost at T+5 minutes, 5 seconds=2Ethings happen=2E= We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three couples refused to pled= ge their
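The sample above and the weighted-rules slide before it (slide 21) are two sides of one lesson: a content filter must normalise the message the way the MUA will render it before any rule runs. The block below is an added example for this page, not code from the talk or from SpamAssassin: a small rule set with constructed weights and a threshold, scored once against the raw quoted-printable bytes and once against the decoded text. The sample is modelled on the slide's spam with the `=2E` obfuscation and the padding prose; the rule names, weights, threshold and the one-entry bad-domain list are all made up for the example.

```python
import quopri
import re

# Constructed sample in the style of the slide: "." is written as =2E, the
# line ending in "=" is a quoted-printable soft line break, and unrelated
# prose is appended to dilute the word statistics.
SAMPLE = b"""Subject: Never agree to be a loser

Buck up, your troubles caused by small dimension will soon be over!
Initiate a natural growth of your masculine muscle!
http://veniutk=2Ecom/
control=2E All data was lost at T+5 minutes, 5 seconds=2Ethings happen=2E=
We just believed that he was going to be rescuers at 11:00 a=2Em=2E EST=2E=
{_BOOK_4in a retirement home=2E
"""

# (name, regex applied to the lower-cased message text, weight); weights are
# illustrative, in the SpamAssassin spirit of many weak signals adding up.
RULES = [
    ("BAD_DOMAIN", r"veniutk\.com", 3.0),           # constructed blocklist entry
    ("ENLARGE_PITCH", r"(growth|enlarg\w*|dimension).{0,60}(muscle|manhood|size)", 2.0),
    ("LOSER_SUBJECT", r"^subject:.*\bloser\b", 1.0),
    ("URL_PRESENT", r"https?://", 0.5),
]
# Applied to the undecoded bytes: the obfuscation itself is evidence.
OBFUSCATION_RULES = [
    ("QP_DOT_IN_URL", r"https?://\S*=2e", 1.0),
]
THRESHOLD = 5.0


def normalize(raw: bytes) -> str:
    """Decode quoted-printable (soft breaks and =XX escapes) as an MUA would."""
    return quopri.decodestring(raw).decode("ascii", "replace").lower()


def score(raw: bytes, decode: bool = True):
    """Return (total, hits, is_spam). With decode=False the content rules see
    the raw bytes, which is the mistake the obfuscation is designed to exploit."""
    text = normalize(raw) if decode else raw.decode("ascii", "replace").lower()
    hits = [(name, pts) for name, pat, pts in RULES
            if re.search(pat, text, re.M | re.S)]
    raw_text = raw.decode("ascii", "replace").lower()
    hits += [(name, pts) for name, pat, pts in OBFUSCATION_RULES
             if re.search(pat, raw_text)]
    total = sum(pts for _, pts in hits)
    return total, hits, total >= THRESHOLD


if __name__ == "__main__":
    for decode in (False, True):
        total, hits, spam = score(SAMPLE, decode=decode)
        print(f"decode={decode}: score {total} {'SPAM' if spam else 'ham'} {hits}")
```

Run on the raw bytes the blocklist rule never fires and the total stays below the threshold; after decoding, "veniutk.com" is visible and the message tips over. The same applies to base64 bodies, HTML entities and character-set tricks: decode first, score second.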
  • 23. Exploiting the loop holes
    - Sender driven
      - Creating hashcash (not efficient for bulk, and not popular enough to be worth it).
      - Look for open relays that already have SPF and DKIM set up: mail relayed through them passes those checks.
      - Bounce messages from valid domains: forge the victim as sender, and the legitimate domain's own bounce carries the payload.
      - Worms sending mail through the local MTA of the infected host, which is inside that domain's SPF policy.
  • 24. Exploiting the loop holes
    - Reputation
      - Sending through free webmail accounts, which borrow the provider's good reputation.
      - Sample email sent directly and through a valid webmail service:
        - Sent directly: spam mailbox.
        - Through webmail: inbox (Bingo!!)
      - The sample:
        Subject: viagra soma cialis cheap rates oem software low mortgage rates
        viagra soma cialis cheap rates
        low mortgage rates oem software for $1
        penis enlargement for good sex
        live xxx videos
  • 25. Exploiting the loop holes
    - Targeting the low-priority MX
      - Backup MX hosts (the higher preference numbers) are often plain relays with weaker or no filtering that forward to the primary; helps in bypassing filters altogether (if you are lucky, that is :-P).
    - Mail reconnaissance
      - Reading replies (bounces, NDRs, auto-responders) from valid (and invalid) addresses.
      - Exposes an enormous amount of information: internal hostnames and IPs, MTA software and versions, which addresses exist.
      - Definitely a must for any pen tester.
  • 26. References
    - SPF - http://www.ietf.org/rfc/rfc4408.txt
    - DKIM - http://www.dkim.org/
    - SpamAssassin - http://spamassassin.apache.org/
    - Razor - http://razor.sourceforge.net/
    - CAPTCHA - http://www.captcha.net/
    - Bogofilter - http://bogofilter.sourceforge.net/
    - Mailwasher - http://www.mailwasher.net/
    - HashCash - http://www.hashcash.org/
    - Greylisting - http://greylisting.org/
    - Gartner report - http://news.zdnet.com/2100-9595_22-955842.html
    - DNSxLs - http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl-01.txt-16252.txt
  • 27. Thanks
    - QA?
    - Contact me: null _a_t_ null . co . In
    - NULL is having an official meet on 7th Dec at ClubHack
