Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008

Published in Technology, News & Politics
Transcript

  • 1. AntiSpam: Understanding the good, the bad and the ugly. By Aseem Jakhar
  • 2. About Me
    • Security and open source enthusiast.
    • Have worked on many enterprise security products.
    • Have disclosed many security issues to banks/organizations.
    • Speaker at security/open source conferences.
    • Founder of the NULL security community.
  • 3. Agenda
    • What is Spam?
    • Spam Side effects
    • Difficult problem to solve
    • Messaging Primer
    • Getting inside a spammer’s mind
    • Layered Security
    • AntiSpam Technologies
    • Exploiting the loopholes
  • 4. What is spam?
    • No, it's not the Hormel product.
    • No standard definition.
    • Differs on an individual basis.
    • UBE (Unsolicited Bulk Email), UCE (Unsolicited Commercial Email).
    • Ham: non-spam.
  • 5. Spam side effects
    • Bandwidth overload.
    • Storage overload.
    • Loss of End user productivity.
  • 6. Difficult problem to solve
    • Human factor
    • Dynamic nature
    • Comes from valid but compromised sources
    • Best of buddies: viruses, worms, trojans and spam help each other propagate (spam carries the malware; infected hosts send the spam)
  • 7. Messaging Primer
    • Sending emails
      • SMTP: Simple Mail Transfer Protocol.
      • MUA: Mail User Agent (the SMTP client, e.g. Outlook).
      • MSA: Mail Submission Agent (accepts mail from MUAs, typically after authenticating the user).
      • MTA: Mail Transfer Agent (SMTP server, acting as a client when it relays onward, e.g. sendmail).
      • MDA: Mail Delivery Agent (final delivery into the message store).
    • Retrieving emails
      • POP: Post Office Protocol.
      • IMAP: Internet Message Access Protocol.
    • Email format
      • Envelope (MAIL FROM / RCPT TO) and message (headers and body)
      • MIME: Multipurpose Internet Mail Extensions
  • 8. Path of a message: MUA → MSA/MTA → (relaying MTAs) → MTA/MDA → Message Store → MUA
  • 9. Email Format: Received headers (each MTA prepends its own, so the top entry is the last hop and the bottom entry the one nearest the origin; only the line written by your own MTA is trustworthy, the earlier ones arrive from the remote side and can be forged)
    • Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
    • Return-Path: <xxx@xxxx>
    • Received: from xx.yy.com ( xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
    • Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
    • Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
    • Received: …………….
    • Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
  • 10. Email Format: Other headers
    • To: yyy@yyyy
    • Cc: xxx xxxx <xxx@xxxx>
    • MIME-Version: 1.0
    • Subject: email format - Attached jpeg image
    • X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971
    • Message-ID: <FOOBAR00000@xxxx>
    • From: xxx xxxx <xxx@xxxx>
    • Date: Thu, 10 Jan 2008 17:16:16 +0530
    • X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18
  • 11. Email Format: MIME contd. and email body
    • Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="
    • --=_mixed 0040CB5E652573CC_=
    • Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="
    • --=_alternative 0040CB60652573CC_=
    • Content-Type: text/plain; charset="US-ASCII"
    • Hi,
    • This is the email format with attached jpeg image
    • --=_alternative 0040CB60652573CC_=
    • Content-Type: text/html; charset="US-ASCII"
    • <br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif">&nbsp;This is the email format with attached jpeg image</font>……
    • --=_alternative 0040CB60652573CC_=--
    • --=_mixed 0040CB5E652573CC_=
    • Content-Type: image/jpeg; name="Flower_1.jpg"
    • Content-Disposition: attachment; filename="Flower_1.jpg"
    • Content-Transfer-Encoding: base64
    • /9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHY
    • VHpRRW62Doj//Z
    • --=_mixed 0040CB5E652573CC_=--
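The headers and MIME layout of slides 9 to 11, walked by code. This is an added example, not code from the talk: RAW_MESSAGE is a constructed sample (documentation IP ranges, example.org/example.net addresses, shortened boundaries) shaped like the slides' message, and `trusted_client_ip` encodes the caveat that only the Received line your own MTA wrote can be believed.

```python
"""Parse a raw message the way slides 9-11 lay it out: the Received chain,
the Received-SPF result and the MIME tree.  Added example, not code from the
talk; RAW_MESSAGE is a constructed sample using documentation IPs."""
import email
import re
from email import policy

# Constructed sample: two Received hops, an SPF result and a multipart/mixed
# body (text/plain + text/html alternative, then a "jpeg" attachment whose
# base64 payload is the first bytes of a JPEG header, as on the slide).
RAW_MESSAGE = b"""Received: from xx.yy.com (xx.yy.com [192.0.2.10]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received-SPF: pass (zz.xx.com: domain of xxx@example.org designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Received: from aa.com (aa.com [198.51.100.7]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@example.net>; Thu, 10 Jan 2008 17:16:11 +0530
From: xxx xxxx <xxx@example.org>
To: yyy@example.net
Subject: email format - Attached jpeg image
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_mixed"

--=_mixed
Content-Type: multipart/alternative; boundary="=_alternative"

--=_alternative
Content-Type: text/plain; charset="US-ASCII"

Hi,
This is the email format with attached jpeg image
--=_alternative
Content-Type: text/html; charset="US-ASCII"

<font face="sans-serif">Hi, This is the email format with attached jpeg image</font>
--=_alternative--
--=_mixed
Content-Type: image/jpeg; name="Flower_1.jpg"
Content-Disposition: attachment; filename="Flower_1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoH
--=_mixed--
"""

# "from <helo> (<rdns> [<ip>]) by <host>" is the sendmail/Postfix style shown
# on slide 9; the regex only needs those three fields.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")
SPF_RE = re.compile(r"^\s*(?P<result>\w+)\b.*?client-ip=(?P<ip>[^;\s]+)", re.S)


def received_chain(msg):
    """Hops oldest-first.  MTAs prepend Received, so the header list as read
    top-down is newest-first; reversing it gives the path the mail took."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))   # unfold whitespace
        if m:
            hops.append({"from": m.group("helo"), "ip": m.group("ip"), "by": m.group("by")})
    hops.reverse()
    return hops


def trusted_client_ip(hops, our_host):
    """Only the Received line written by our own MTA can be trusted; every
    line below it came from the remote side and may be forged."""
    for hop in hops:
        if hop["by"] == our_host:
            return hop["ip"]
    return None


def spf_result(msg):
    """(result, client-ip) from Received-SPF, or None if the header is absent."""
    value = msg.get("Received-SPF")
    if value is None:
        return None
    m = SPF_RE.search(str(value))
    return (m.group("result").lower(), m.group("ip")) if m else None


def mime_parts(msg):
    """Flatten the MIME tree into (content-type, filename, decoded size)."""
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        parts.append((part.get_content_type(), part.get_filename(), len(payload)))
    return parts


def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"hops": received_chain(msg), "spf": spf_result(msg),
            "parts": mime_parts(msg), "subject": str(msg["Subject"])}


if __name__ == "__main__":
    for k, v in analyze(RAW_MESSAGE).items():
        print(k, v)
```

Feed it the real message source and the `hops` list is what you compare against a DNSBL or an SPF result: the IP to check is the one on the line your MTA wrote (`trusted_client_ip`), not the lowest Received line, which a spammer controls.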
  • 12. Getting inside a spammer’s mind
    • Intent
      • Marketing
      • Phishing
      • Malware
    • Execution
      • Gathering email addresses
      • Hosting the web site
      • Sending emails
  • 13. Layered Security
    • Server layer (MTAs)
      • Network boundary/gateways.
      • Mail routers.
      • Message store.
    • Client layer (MUAs)
      • POP/IMAP/SMTP proxies.
      • Plugins.
    • No single antidote.
  • 14. Anti-Spam Technologies - ACLs
    • Blocklists
      • IP/domain/user
    • Whitelists
      • IP/domain/user
    • Types
      • Internal: Application Specific
      • External: Community/Paid servers
        • DNSxLs (DNSBL/DNSWL): looked up with standard DNS queries, the sender IP reversed under the list's zone.
  • 15. Anti-Spam Technologies - ACLs
    • Greylisting
      • Something between a whitelist and a blocklist
      • Exploits the protocol for a good reason: real MTAs queue and retry on a temporary failure, most spam bots do not.
      • Temporary rejection with a 4xx error code (e.g. 451) on first contact; accept the retry after a minimum delay.
      • Basic triplet stored per attempt: <IP><MAIL FROM><RCPT TO>
  • 16. Anti-Spam Technologies – Content Filtering
    • String/regex filters
      • Static, dumb: trivially evaded by rewording.
    • Behavioural filters
      • Look for specific behaviour patterns
    • Bayesian filters
      • Intelligent, require learning time (a labelled corpus).
      • Accuracy decreases when deployed server-wide (one corpus for all users) rather than per user.
  • 17. Anti-Spam Technologies – Content Filtering
    • Signature/fingerprint
      • Fuzzy hashing (e.g. Nilsimsa) so small edits still match; good as an add-on.
    • OCR (Optical Character Recognition)
      • Image scanning, not efficient.
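The Bayesian filter of slide 16 as a small, runnable multinomial naive Bayes classifier. This is an added example, not the talk's code or any particular product: the training messages are constructed (the spam ones paraphrase the sample on slide 24), the tokenizer is a deliberately simple regex, and `spam_probability` returns P(spam | text) with add-one smoothing. The last function shows why the classifier needs learning time on the recipient's own mail: padding a spam with words the filter learned from ham pulls the probability down.

```python
"""Naive Bayes content filter (slide 16): learns word frequencies from a
labelled corpus and scores new mail.  Added example, not the talk's code; the
training messages are constructed (the spam ones paraphrase slide 24's sample)."""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z]{2,}")

# Constructed corpus: four spam, four ham.
SPAM_CORPUS = [
    "viagra soma cialis cheap rates",
    "low mortgage rates oem software for $1",
    "penis enlargement for good sex",
    "live xxx videos cheap viagra",
]
HAM_CORPUS = [
    "Hi, this is the email format with attached jpeg image",
    "Meeting moved to 3pm, agenda attached",
    "Please review the attached report before the conference call",
    "Lunch tomorrow? The new place near the office",
]


def tokens(text):
    return TOKEN.findall(text.lower())


class NaiveBayes:
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}   # word counts per class
        self.docs = {"spam": 0, "ham": 0}                    # documents per class

    def train(self, text, label):
        self.words[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        """Multinomial NB with add-one (Laplace) smoothing; returns P(spam | text)."""
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        log_p = {}
        for label in ("spam", "ham"):
            total = sum(self.words[label].values())
            lp = math.log(self.docs[label] / sum(self.docs.values()))   # class prior
            for w in tokens(text):
                # unseen words get count 0 + 1, so they never zero the product
                lp += math.log((self.words[label][w] + 1) / (total + vocab))
            log_p[label] = lp
        # P(spam|text) = 1 / (1 + P(ham|text)/P(spam|text)), computed in log space
        return 1.0 / (1.0 + math.exp(log_p["ham"] - log_p["spam"]))


def trained_filter():
    nb = NaiveBayes()
    for text in SPAM_CORPUS:
        nb.train(text, "spam")
    for text in HAM_CORPUS:
        nb.train(text, "ham")
    return nb


def poisoning_effect(nb, spam_text, padding):
    """Probability before and after appending 'ham-looking' filler (the random
    text trick from slide 22); the second value is lower."""
    return nb.spam_probability(spam_text), nb.spam_probability(spam_text + " " + padding)


if __name__ == "__main__":
    nb = trained_filter()
    print(nb.spam_probability("cheap viagra and cialis at low rates"))
    print(nb.spam_probability("see attached report for the meeting"))
    print(poisoning_effect(nb, "cheap viagra and cialis at low rates",
                           "meeting agenda attached report conference call"))
```

Eight training messages is far too few for production; the point is the mechanics, and that the learned word statistics are what both the accuracy and the evasion depend on.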
  • 18. Anti-Spam Technologies – C/R
    • Challenge-Response systems
      • Recipient challenges the sender
      • Bounce message/SMTP rejection
      • URL click/CAPTCHA test/reply to bounce
      • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
  • 19. Anti-Spam Technologies – Sender Driven
    • SPF (Sender Policy Framework)
      • Anti-forgery for the envelope sender (MAIL FROM) domain
      • Uses DNS SPF/TXT records, the connecting IP and the sender's domain name
      • The record lists the authorized outbound SMTP hosts for a domain
    • DKIM (DomainKeys Identified Mail)
      • Signed messages (selected headers plus a body hash)
      • Anti-forgery, as the signing domain claims responsibility
      • Uses DNS TXT records (public key under selector._domainkey.domain) and the DKIM-Signature header
      • DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=; b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMn q+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=
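How an MTA turns "connecting IP plus MAIL FROM domain" into the pass/fail that ends up in the Received-SPF header of slide 9, as an added example (not the talk's code and not a full RFC 4408 implementation). It evaluates the ip4, a, include and all mechanisms with their qualifiers against an in-memory DNS table; FAKE_DNS, the domain names and the addresses are constructed from documentation ranges. Real deployments resolve TXT/A records over DNS and also handle mx, ptr, exists, ip6 and redirect=.

```python
"""Minimal SPF evaluator (RFC 4408 subset: ip4, a, include, all and the four
qualifiers) over an in-memory DNS table.  Added example, not the talk's code;
FAKE_DNS and the addresses are constructed from documentation ranges."""
import ipaddress

# Constructed stand-in for DNS lookups: TXT (SPF) and A records.
FAKE_DNS = {
    "txt": {
        "example.org": "v=spf1 ip4:192.0.2.0/24 a:mail.example.org include:_spf.relay.example -all",
        "_spf.relay.example": "v=spf1 ip4:203.0.113.0/28 ~all",
    },
    "a": {"mail.example.org": ["198.51.100.7"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a MAIL FROM domain."""
    if depth > 10:                            # include: recursion limit
        return "permerror"
    record = dns["txt"].get(domain)
    if record is None:
        return "none"                         # domain publishes no policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        head = term.split(":", 1)[0]
        if "=" in head:                       # modifier, not a mechanism
            if head.lower().startswith("redirect="):
                return "permerror"            # redirect= not implemented in this example
            continue                          # exp= etc. do not affect the result
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]      # "all" always matches
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in dns["a"].get(arg or domain, [])
        elif name == "include":
            # include matches only when the included policy yields "pass"
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"                # mx, ptr, exists, ip6: out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.200"):
        print(ip, check_spf(ip, "example.org"))
```

Note what the check does and does not prove: any host inside the published ip4 range passes for every local-part of the domain, which is why slide 23 suggests looking for open relays inside an SPF-covered netblock.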
  • 20. Anti-Spam Technologies – Sender driven
    • HashCash
      • Proof of work by the sender, attached to each message as a stamp
      • Hard to compute, easy to verify
      • Same asymmetry as taking a square root versus squaring the result to check it.
      • Partial hash collision with zero: find a stamp whose hash starts with N zero bits
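Minting and verifying a hashcash stamp, as an added example (not the talk's code and not the reference hashcash tool). It follows the v1 stamp layout `ver:bits:date:resource::rand:counter`: the sender increments the counter until the SHA-1 of the stamp has at least `bits` leading zero bits (expected 2^bits hashes), and the recipient recomputes a single SHA-1. The resource, date and random field in the demo call are constructed; a real verifier additionally rejects stamps outside a date window and uses a persistent double-spend database, which here is just a set.

```python
"""Hashcash (slide 20): mint a v1 stamp by brute-forcing a counter until the
SHA-1 of the stamp starts with N zero bits, then verify it cheaply.  Added
example, not the talk's code; the resource and date below are constructed."""
import datetime
import hashlib
import secrets


def leading_zero_bits(digest):
    """Count leading zero bits of a digest: the 'partial collision with zero'."""
    n = 0
    for byte in digest:
        if byte:
            return n + 8 - byte.bit_length()
        n += 8
    return n


def mint(resource, bits=16, date=None, rand=None):
    """Sender side (expensive): on average 2**bits SHA-1 evaluations.
    Returns the stamp and the number of counter values tried."""
    date = date or datetime.datetime.now(datetime.timezone.utc).strftime("%y%m%d")
    rand = rand or secrets.token_urlsafe(8)
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter
        counter += 1


def verify(stamp, resource, min_bits=16, seen=None):
    """Recipient side (cheap): field checks, one SHA-1, and a replay check
    against `seen` (a set standing in for the double-spend database).
    The date-window check a real verifier performs is omitted here."""
    fields = stamp.split(":")                     # resource must not contain ':'
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False
    bits = int(fields[1])
    if bits < min_bits or fields[3] != resource:
        return False                              # too little work, or minted for someone else
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False                              # claimed work was not done
    if seen is not None:
        if stamp in seen:
            return False                          # replayed stamp
        seen.add(stamp)
    return True


if __name__ == "__main__":
    stamp, tries = mint("yyy@example.net", bits=16)
    print(stamp, "after", tries, "tries;", "verified:", verify(stamp, "yyy@example.net"))
```

Minting at 20 bits costs about a million hashes per message, which is trivial for one user and ruinous for a bulk run; the stamp is bound to the recipient (`resource`), so a spammer cannot amortise one stamp across a list.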
  • 21. Anti-Spam Technologies - Heuristics
    • Heuristic filters
      • A combination of the above techniques
      • Defines rules, weights and threshold(s); a message is spam when the weighted sum crosses the threshold
      • Reduces the false-positive rate, since no single test decides.
    • Reputation systems
      • Advanced heuristics that accumulate verdicts over time into a reputation.
      • Create reputations for the IPs/domains sending messages
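The rule/weight/threshold scheme of slide 21 with a per-IP reputation layered on top, as an added example (not the talk's code and not SpamAssassin's rule set, though the shape is the same). The rule names, weights, the DNSBL stand-in table and the three messages are constructed: the spam body copies slide 24's sample, the evader copies the shape of slide 22's sample with a placeholder domain, and the ham is slide 10's message. The example also shows the two halves feeding each other: content rules alone let the evader through, reputation from earlier verdicts on its IP does not.

```python
"""Heuristic scoring (slide 21): weighted rules summed against a threshold,
plus a per-IP reputation built from past verdicts.  Added example, not the
talk's code; rule weights, the DNSBL table and the messages are constructed."""
import re

DNSBL_HITS = {"203.0.113.66"}            # constructed stand-in for a DNSBL lookup
DRUG = re.compile(r"\b(viagra|cialis|soma)\b", re.I)
THRESHOLD = 5.0


def _text(m):
    return m["subject"] + "\n" + m["body"]


# (name, weight, test).  Negative weights are ham evidence, as in SpamAssassin.
RULES = [
    ("DRUG_NAMES",        2.5, lambda m: len({w.lower() for w in DRUG.findall(_text(m))}) >= 2),
    ("OEM_SOFTWARE",      1.5, lambda m: re.search(r"\boem software\b", _text(m), re.I) is not None),
    ("MORTGAGE",          1.0, lambda m: re.search(r"\bmortgage\b", _text(m), re.I) is not None),
    ("ADULT",             2.0, lambda m: re.search(r"\b(xxx|enlargement)\b", _text(m), re.I) is not None),
    ("QP_OBFUSCATED_URL", 2.0, lambda m: re.search(r"https?://\S*=2E", m["body"]) is not None),
    ("SENDER_DNSBL",      3.0, lambda m: m["client_ip"] in DNSBL_HITS),
    ("SPF_PASS",         -1.0, lambda m: m.get("spf") == "pass"),
]


class Reputation:
    """Slide 21's second bullet: verdicts accumulated per sending IP."""
    def __init__(self):
        self.seen = {}                   # ip -> [spam verdicts, total messages]

    def record(self, ip, is_spam):
        entry = self.seen.setdefault(ip, [0, 0])
        entry[0] += int(is_spam)
        entry[1] += 1

    def spam_ratio(self, ip, min_samples=5):
        spam, total = self.seen.get(ip, (0, 0))
        return spam / total if total >= min_samples else None   # unknown until enough history


def score(msg, reputation=None):
    """Return (total, hits, is_spam).  With a Reputation, a bad history adds a
    rule hit and the verdict is fed back into the history."""
    hits = [(name, w) for name, w, test in RULES if test(msg)]
    if reputation is not None:
        ratio = reputation.spam_ratio(msg["client_ip"])
        if ratio is not None and ratio >= 0.8:
            hits.append(("BAD_REPUTATION", 3.5))
    total = round(sum(w for _, w in hits), 2)
    verdict = total >= THRESHOLD
    if reputation is not None:
        reputation.record(msg["client_ip"], verdict)
    return total, hits, verdict


# Constructed messages: slide 24's sample, slide 10's ham, slide 22's evader.
SPAM = {"subject": "viagra soma cialis cheap rates oem software low mortgage rates",
        "body": "viagra soma cialis cheap rates\nlow mortgage rates oem software for $1\n"
                "penis enlargement for good sex\nlive xxx videos",
        "client_ip": "203.0.113.66"}
HAM = {"subject": "email format - Attached jpeg image",
       "body": "Hi,\nThis is the email format with attached jpeg image",
       "client_ip": "192.0.2.10", "spf": "pass"}
EVADER = {"subject": "Never agree to be a loser",
          "body": "Buck up, your troubles caused by small dimension will soon be over!\n"
                  "Initiate a natural growth of your masculine muscle!\n"
                  "http://example=2Ecom/\ncontrol=2E All data was lost at T+5 minutes",
          "client_ip": "198.51.100.99"}

if __name__ == "__main__":
    for name, m in (("spam", SPAM), ("ham", HAM), ("evader", EVADER)):
        print(name, score(m))
```

Tune the weights from a labelled corpus, not by hand; the values above only illustrate that a single rule (here the quoted-printable URL at 2.0) is deliberately kept below the threshold so that one false hit does not condemn a message.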
  • 22. Exploiting the loopholes – Evading filters
    • ACLs: Greylisting
      • Simulating a simple queue thread with the 4-tuple <MSGID><TIME><MFROM><RCPT>
      • Resending after a predefined time, i.e. behaving like a real MTA retrying after the 4xx.
    • Content filtering
      • Run the message content through the filters/free email services first, to see what gets through.
      • CAPTCHA effect for OCR: distort the text inside the image.
      • Sample (raw quoted-printable source, =2E is an encoded "."); the random text after the link is there to confuse content and signature filters:
      • Subject: Never agree to be a loser
      • Buck up, your troubles caused by small dimension will soon be over!
      • Initiate a natural growth of your masculine muscle!
      • http://veniutk=2Ecom/
      • control=2E All data was lost at T+5 minutes, 5 seconds=2Ethings happen=2E= We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three couples refused to pled= ge their
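The greylist of slide 15 and the retry-queue evasion of slide 22 are two sides of the same exchange, so this added example (not the talk's code) simulates both offline: `Greylist` is the receiving MTA keeping the <IP><MAIL FROM><RCPT TO> triplet with a minimum delay and a maximum age, and `run_sender_queue` is the sender keeping slide 22's <MSGID><TIME><MFROM><RCPT> entries and resending after a fixed delay. The delays (seconds), addresses and IP are constructed; the reply strings mimic SMTP but nothing is sent on the wire.

```python
"""Greylisting (slide 15) on the receiving MTA and the retry-queue evasion
from slide 22 on the sending side, in one offline simulation.  Added example,
not the talk's code; timings (seconds) and addresses are constructed."""


class Greylist:
    """Triplet <IP, MAIL FROM, RCPT TO> -> first-seen time, as on slide 15."""
    TEMPFAIL = "451 4.7.1 Greylisted, please try again later"

    def __init__(self, min_delay=300, max_age=4 * 3600):
        self.min_delay = min_delay       # retry sooner than this: still rejected
        self.max_age = max_age           # retry later than this: record expired, start over
        self.pending = {}                # triplet -> first-seen time
        self.passed = set()              # triplets that retried correctly once

    def check(self, ip, mail_from, rcpt, now):
        key = (ip, mail_from.lower(), rcpt.lower())
        if key in self.passed:
            return "250 OK"              # auto-whitelisted after the first good retry
        first = self.pending.get(key)
        if first is None or now - first > self.max_age:
            self.pending[key] = now      # new (or expired) triplet: start the clock
            return self.TEMPFAIL
        if now - first < self.min_delay:
            return self.TEMPFAIL         # came back too fast
        self.passed.add(key)
        del self.pending[key]
        return "250 OK"


def run_sender_queue(gl, ip, messages, resend_after, deadline):
    """Sender side.  Each queue entry is slide 22's <MSGID><TIME><MFROM><RCPT>;
    a 4xx reply re-queues the entry resend_after seconds later, as long as that
    is no later than deadline.  resend_after=0 models a fire-and-forget bot.
    Returns {msgid: acceptance time} for the messages that got through."""
    queue = [{"msgid": m, "time": 0, "mfrom": f, "rcpt": r} for m, f, r in messages]
    delivered = {}
    while queue:
        entry = queue.pop(0)
        reply = gl.check(ip, entry["mfrom"], entry["rcpt"], entry["time"])
        if reply.startswith("250"):
            delivered[entry["msgid"]] = entry["time"]
        elif resend_after > 0 and entry["time"] + resend_after <= deadline:
            entry["time"] += resend_after
            queue.append(entry)
        # else: the sender gives up on this message
    return delivered


# Constructed batch: one sender address to two recipients.
MESSAGES = [("m1", "a@spam.example", "u1@example.net"),
            ("m2", "a@spam.example", "u2@example.net")]

if __name__ == "__main__":
    print("fire-and-forget bot:", run_sender_queue(Greylist(), "203.0.113.66", MESSAGES, 0, 0))
    print("retries every 60 s:", run_sender_queue(Greylist(), "203.0.113.66", MESSAGES, 60, 120))
    print("retries after 600 s:", run_sender_queue(Greylist(), "203.0.113.66", MESSAGES, 600, 3600))
```

The simulation makes the trade-off visible: greylisting stops anything that never retries, but a sender that simply waits past `min_delay` is indistinguishable from a legitimate MTA, which is exactly the evasion on slide 22. That is why greylisting is an ACL-layer filter to be combined with the content and reputation checks, not a standalone defence.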
  • 23. Exploiting the loopholes
    • Sender driven
      • Minting hashcash (costly for bulk sending, and few recipients check it anyway)
      • Look for open relays inside a domain's SPF range or behind its DKIM signer, so relayed spam inherits the pass.
      • Bounce messages from valid domains: forge the victim as sender and let the bounce (backscatter) deliver the content.
      • Worms sending mail through the local MTA of the infected host, so the source is a valid one.
  • 24. Exploiting the loopholes
    • Reputation
      • Sending through free webmail accounts
      • Sample email sent both directly and through a valid webmail service
      • Sent directly: spam mailbox
      • Through webmail: inbox (Bingo!!)
    • Subject: viagra soma cialis cheap rates oem software low mortgage rates
    • viagra soma cialis cheap rates
    • low mortgage rates oem software for $1
    • penis enlargement for good sex
    • live xxx videos
  • 25. Exploiting the loopholes
    • Targeting low-priority MX
      • Backup MX hosts often lack the primary's filters, so this helps in bypassing them altogether (if you are lucky, that is :-P).
    • Mail reconnaissance
      • Reading the replies (bounces, auto-responses) to valid and invalid addresses
      • Exposes an enormous amount of information: which addresses exist, MTA software and versions, internal host names from Received lines
      • Definitely a must for any pen tester
  • 26. References
    • SPF - http://www.ietf.org/rfc/rfc4408.txt
    • DKIM - http://www.dkim.org/
    • SpamAssassin - http://spamassassin.apache.org/
    • Razor - http://razor.sourceforge.net/
    • CAPTCHA - http://www.captcha.net/
    • Bogofilter - http://bogofilter.sourceforge.net/
    • Mailwasher - http://www.mailwasher.net/
    • HashCash - http://www.hashcash.org/
    • Greylisting - http://greylisting.org/
    • Gartner report - http://news.zdnet.com/2100-9595_22-955842.html
    • DNSxLs - http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl-01.txt-16252.txt
  • 27. Thanks
    • Q&A?
    • Contact me: null _a_t_ null . co . in
    • NULL is having an official meet on 7th Dec at ClubHack