Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008
AntiSpam: Understanding the good, the bad and the ugly
By Aseem Jakhar
Confidential

About Me
- Security and open source enthusiast.
- Have worked on many enterprise security products.
- Have disclosed many security issues to banks/organizations.
- Speaker at security/open source conferences.
- Founder of the NULL security community.

Agenda
- What is spam?
- Spam side effects
- Difficult problem to solve
- Messaging primer
- Getting inside a spammer's mind
- Layered security
- AntiSpam technologies
- Exploiting the loop holes

What is spam?
- No, it's not the Hormel product.
- No standard definition.
- Differs on an individual basis.
- UBE (Unsolicited Bulk Email), UCE (Unsolicited Commercial Email).
- Ham: non-spam.

Spam side effects
- Bandwidth overload.
- Storage overload.
- Loss of end-user productivity.

Difficult problem to solve
- Human factor.
- Dynamic nature.
- Coming from valid but compromised sources.
- Best of buddies: viruses, worms, trojans and spam help each other propagate.

Messaging Primer
- Sending emails
  - SMTP: Simple Mail Transfer Protocol.
  - MUA: Message User Agent (the SMTP client, e.g. Outlook).
  - MSA: Message Submission Agent (accepts mail from the MUA).
  - MTA: Message Transfer Agent (an SMTP server that also acts as an SMTP client when it relays onward, e.g. sendmail).
  - MDA: Message Delivery Agent (final SMTP server / message store).
- Retrieving emails
  - POP: Post Office Protocol.
  - IMAP: Internet Message Access Protocol.
- Email format
  - Envelope (the SMTP MAIL FROM / RCPT TO) and message (headers plus body).
  - MIME: Multipurpose Internet Mail Extensions.

Path of a Message
MUA -> MSA/MTA -> MTAs -> MTA/MDA -> Message Store -> MUA
Email Format: Received Headers
(Read bottom-up: the lowest Received header is the oldest hop; each MTA prepends its own, so the topmost was added last. Only the headers added by your own infrastructure are trustworthy; anything below them can be forged.)
  Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
  Return-Path: <xxx@xxxx>
  Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
  Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
  Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
  Received: …
  Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
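An added example, not part of the deck: a small parser that unfolds a header block, walks the Received headers from oldest to newest, pulls out the originating IP and the IP that the SPF check actually looked at, and flags places where one hop's "by" host is not the next hop's "from" host. The header block is constructed to mirror the slide's trace (the deck's x.x.x.x placeholders are replaced with documentation addresses, and the elided middle hop is simply absent, which the chain check reports). The regex assumes the sendmail/postfix style "from helo (rdns [ip]) by host" clause shown on the slide.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed header block modelled on the slide's anonymised trace (not a real message).
SAMPLE_HEADERS = """\
Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Return-Path: <xxx@xxxx>
Received: from xx.yy.com (xx.yy.com [10.0.0.5])
 by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received-SPF: pass (xyz.com: domain of xxx@xxxx designates 10.0.0.5 as permitted sender) client-ip=10.0.0.5;
Received: from zz.com (zz.com [192.0.2.7]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2
 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
Received: from aa.com (aa.com [198.51.100.9]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3
 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT

"""

# "from <helo> (<rdns> [<ip>]) by <host>"; the whole from-clause is optional (local submission has none).
RECEIVED_RE = re.compile(
    r"(?:from\s+(?P<helo>\S+)"
    r"(?:\s*\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?\s+)?"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold_headers(raw):
    """(name, value) pairs; continuation lines (leading whitespace) are joined to the previous header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """One Received header -> {helo, rdns, ip, by, date}; None if it has no 'by' clause."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = {k: m.group(k) for k in ("helo", "rdns", "ip", "by")}
    hop["date"] = None
    _, sep, stamp = value.rpartition(";")           # the timestamp follows the last ';'
    if sep:
        try:
            hop["date"] = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            pass
    return hop


def trace_hops(raw):
    """Hops in delivery order: oldest (closest to the origin) first."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    return [h for h in (parse_received(v) for v in reversed(received)) if h]


def originating_ip(hops):
    """First hop that carries a client IP: the best guess at where the message entered SMTP."""
    for h in hops:
        if h["ip"]:
            return h["ip"]
    return None


def chain_breaks(hops):
    """Indices i where hop i's receiving host is not the host hop i+1 says it received from.
    A break means a hop was dropped/elided, or the lower headers were forged by the sender."""
    breaks = []
    for i in range(len(hops) - 1):
        nxt = hops[i + 1]
        if nxt["helo"] is None:
            continue                                # local handoff without a from-clause
        claimed = {x.lower() for x in (nxt["helo"], nxt["rdns"]) if x}
        if hops[i]["by"].lower() not in claimed:
            breaks.append(i)
    return breaks


def spf_client_ip(raw):
    """The IP the SPF check was done against: the peer of the checking MTA, not the origin."""
    for n, v in unfold_headers(raw):
        if n.lower() == "received-spf":
            m = re.search(r"client-ip=([^;\s]+)", v)
            if m:
                return m.group(1)
    return None
```

Note that the SPF result refers to 10.0.0.5, the host that handed the message to the checking MTA, while the earliest hop with an address is 198.51.100.9: SPF says nothing about the origin of a message that has been relayed.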
Email Format: Other headers
  To: yyy@yyyy
  Cc: xxx xxxx <xxx@xxxx>
  MIME-Version: 1.0
  Subject: email format - Attached jpeg image
  X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971
  Message-ID: <FOOBAR00000@xxxx>
  From: xxx xxxx <xxx@xxxx>
  Date: Thu, 10 Jan 2008 17:16:16 +0530
  X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18

Email Format: MIME contd. and email body
  Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="

  --=_mixed 0040CB5E652573CC_=
  Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="

  --=_alternative 0040CB60652573CC_=
  Content-Type: text/plain; charset="US-ASCII"

  Hi,
  This is the email format with attached jpeg image
  --=_alternative 0040CB60652573CC_=
  Content-Type: text/html; charset="US-ASCII"

  <br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif">&nbsp;This is the email format with attached jpeg image</font>……
  --=_alternative 0040CB60652573CC_=--
  --=_mixed 0040CB5E652573CC_=
  Content-Type: image/jpeg; name="Flower_1.jpg"
  Content-Disposition: attachment; filename="Flower_1.jpg"
  Content-Transfer-Encoding: base64

  /9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHY
  VHpRRW62Doj//Z
  --=_mixed 0040CB5E652573CC_=--
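An added example, not part of the deck: walking the MIME tree above with Python's standard email library, extracting the text body and the attachment, and checking the attachment's bytes against what the Content-Type and filename claim. The message is constructed to mirror the slide's structure (placeholder addresses, and a 12-byte JPEG header standing in for the image so the block is self-contained); build_message() is a helper for constructing test messages, not a mail-server API. The file signatures and extension table are a short constructed list, not a complete one.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed message mirroring the slide's structure (placeholders; attachment is only a JPEG header).
RAW = """\
From: xxx xxxx <xxx@example.net>
To: yyy@example.org
Subject: email format - Attached jpeg image
Date: Thu, 10 Jan 2008 17:16:16 +0530
Message-ID: <FOOBAR00000@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="

--=_mixed 0040CB5E652573CC_=
Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="

--=_alternative 0040CB60652573CC_=
Content-Type: text/plain; charset="US-ASCII"

Hi,
This is the email format with attached jpeg image
--=_alternative 0040CB60652573CC_=
Content-Type: text/html; charset="US-ASCII"

<br><font size=2 face="sans-serif">Hi,</font><br><br><font size=2 face="sans-serif">This is the email format with attached jpeg image</font>
--=_alternative 0040CB60652573CC_=--
--=_mixed 0040CB5E652573CC_=
Content-Type: image/jpeg; name="Flower_1.jpg"
Content-Disposition: attachment; filename="Flower_1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgAB
--=_mixed 0040CB5E652573CC_=--
"""

# What the bytes say they are, independent of any header (constructed, partial list).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
]
EXT_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
             ".pdf": "application/pdf", ".zip": "application/zip", ".exe": "application/x-dosexec"}


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def walk_parts(msg):
    """Flatten the MIME tree to (depth, content type, disposition, filename) in document order."""
    out = []

    def rec(part, depth):
        out.append((depth, part.get_content_type(), part.get_content_disposition(), part.get_filename()))
        if part.is_multipart():
            for sub in part.iter_parts():
                rec(sub, depth + 1)

    rec(msg, 0)
    return out


def text_body(msg):
    """The text/plain alternative, which is what a content filter should score first."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def sniff(data):
    for magic, ctype in MAGIC:
        if data.startswith(magic):
            return ctype
    return "application/octet-stream"


def attachments(msg):
    """(filename, declared type, sniffed type, decoded bytes) for every attachment part."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_content()                  # base64 / quoted-printable already undone
        if isinstance(data, str):
            data = data.encode(part.get_content_charset() or "utf-8")
        out.append((part.get_filename(), part.get_content_type(), sniff(data), data))
    return out


def suspicious_attachments(msg):
    """Attachments whose bytes disagree with the declared Content-Type or the filename extension."""
    flagged = []
    for name, declared, sniffed, _ in attachments(msg):
        ext_type = EXT_TYPES.get(os.path.splitext(name or "")[1].lower())
        if declared != sniffed or (ext_type and ext_type != sniffed):
            flagged.append((name, declared, sniffed))
    return flagged


def build_message(attachment, filename, declared_type):
    """Helper to construct a test message with one attachment of a declared type."""
    msg = EmailMessage()
    msg["From"] = "xxx@example.net"
    msg["To"] = "yyy@example.org"
    msg["Subject"] = "constructed test"
    msg.set_content("Hi")
    maintype, subtype = declared_type.split("/", 1)
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype, filename=filename)
    return msg
```

The point of the mismatch check is that Content-Type and filename are sender-controlled; a gateway that decides on those alone can be walked past with a renamed executable. A real gateway would additionally block executable types outright regardless of naming.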
Getting inside a spammer's mind
- Intent
  - Marketing
  - Phishing
  - Malware
- Execution
  - Gathering email addresses
  - Hosting the web site
  - Sending emails

Layered Security
- Server layer (MTAs)
  - Network boundary/gateways.
  - Mail routers.
  - Message store.
- Client layer (MUAs)
  - POP/IMAP/SMTP proxies.
  - Plugins.
- No single antidote.

Anti-Spam Technologies - ACLs
- Blocklists
  - IP/domain/user
- Whitelists
  - IP/domain/user
- Types
  - Internal: application specific
  - External: community/paid servers
    - DNSxLs (DNS-based block/white lists): queried with standard DNS lookups, so any MTA can consult them without new protocol support.
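An added example, not from the deck: how a DNSxL query is actually built and read. The client reverses the address octets (or the nibbles for IPv6, as RFC 5782 specifies), appends the list's zone, and asks for an A record; an answer in 127.0.0.0/8 means "listed", with the last octet as the reason code. The zone name, the answer data and the reason table are constructed stand-ins for a real list's DNS, and fake_resolve() replaces a real resolver so the block runs offline.

```python
import ipaddress


def dnsbl_name(ip, zone):
    """Query name for ip in a DNSxL zone: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # 32 hex nibbles, one label each
    return ".".join(labels) + "." + zone


ZONE = "bl.example"                                      # constructed zone name, not a real list

# Constructed answers standing in for the zone's DNS (documentation addresses, not real listings).
FAKE_ZONE = {
    dnsbl_name("203.0.113.9", ZONE): ["127.0.0.2", "127.0.0.4"],
    dnsbl_name("2001:db8::1", ZONE): ["127.0.0.2"],
    # RFC 5782 test entries: every list must list 127.0.0.2 and must not list 127.0.0.1,
    # which is how a client distinguishes a working zone from a dead or hijacked one.
    dnsbl_name("127.0.0.2", ZONE): ["127.0.0.2"],
}
REASONS = {"127.0.0.2": "spam source",
           "127.0.0.4": "open relay / exploited host",
           "127.0.0.10": "dynamic IP range"}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def fake_resolve(name):
    """Stand-in for an A-record lookup: list of address strings, empty for NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


def lookup(ip, zone=ZONE, resolve=fake_resolve):
    """{'listed': bool, 'reasons': [...]} for ip. Answers outside 127.0.0.0/8 are ignored:
    a wildcard or parked zone returning public addresses must not block all mail."""
    answers = resolve(dnsbl_name(ip, zone))
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    return {"listed": bool(codes),
            "reasons": [REASONS.get(c, "listed (" + c + ")") for c in codes]}


def zone_healthy(zone=ZONE, resolve=fake_resolve):
    """Run the RFC 5782 self-test before trusting a zone's answers."""
    return (lookup("127.0.0.2", zone, resolve)["listed"]
            and not lookup("127.0.0.1", zone, resolve)["listed"])
```

Do the zone health check periodically in production: a DNSxL that has been shut down and its domain parked can start answering every query with a wildcard, and an MTA that treats any answer as "listed" then rejects all inbound mail.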
Anti-Spam Technologies - ACLs
- Greylisting
  - Something between whitelist and blocklist.
  - Exploiting the protocol for a good reason: SMTP obliges a sender to queue and retry after a temporary failure, so the first attempt from an unknown sender is rejected and the retry is accepted.
  - Temporary rejection with a 4xx code (typically 450 or 451).
  - Basic 3-tuple stored: <IP><MAIL FROM><RCPT TO>.
  - Legitimate MTAs retry; bulk senders that fire once and move on never get through.
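An added example, not from the deck: the greylisting decision as an SMTP policy check keyed on the triplet, replayed against three kinds of sender: a normal MTA that retries, a fire-and-forget bulk mailer, and a sender that rotates MAIL FROM on every attempt (which never completes a triplet). It also reproduces the evasion the deck describes later under "Exploiting the Loop Holes": a spam engine that keeps a <MSGID><TIME><MFROM><RCPT> queue and resends after a fixed delay. The delay, window and reply strings are assumptions; timestamps are plain integers so the replay is deterministic.

```python
class Greylister:
    """Greylisting policy keyed on (client IP, MAIL FROM, RCPT TO).

    First contact from an unknown triplet gets a 4xx temporary failure. A retry that arrives
    at least `delay` seconds later (and within `retry_window`) is accepted and the triplet is
    remembered, so later messages from it pass straight through.
    """

    TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
    ACCEPT = "250 2.1.5 Recipient ok"

    def __init__(self, delay=300, retry_window=4 * 3600):
        self.delay = delay
        self.retry_window = retry_window
        self.pending = {}        # triplet -> timestamp of first attempt
        self.known = set()       # triplets that completed a retry

    def check(self, ip, mail_from, rcpt_to, now):
        key = (ip, mail_from.lower(), rcpt_to.lower())
        if key in self.known:
            return self.ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now          # new (or expired) triplet: tempfail, start the clock
            return self.TEMPFAIL
        if now - first < self.delay:
            return self.TEMPFAIL             # retried too early, keep rejecting
        del self.pending[key]
        self.known.add(key)
        return self.ACCEPT


def deliver(gl, attempts):
    """Replay (time, ip, mail_from, rcpt_to, msgid) attempts against a Greylister.

    Returns {msgid: time of first acceptance, or None if every attempt was tempfailed}.
    """
    accepted = {}
    for t, ip, mf, rt, mid in sorted(attempts):
        accepted.setdefault(mid, None)
        if gl.check(ip, mf, rt, t).startswith("250") and accepted[mid] is None:
            accepted[mid] = t
    return accepted


def retry_queue(first_attempts, resend_after):
    """The deck's evasion: keep a 4-tuple queue and resend each message once after a fixed delay."""
    resends = [(t + resend_after, ip, mf, rt, mid) for t, ip, mf, rt, mid in first_attempts]
    return first_attempts + resends


# Constructed traffic (documentation addresses).
LEGIT = [(0, "198.51.100.1", "alice@example.org", "bob@example.net", "m1"),
         (100, "198.51.100.1", "alice@example.org", "bob@example.net", "m1"),
         (900, "198.51.100.1", "alice@example.org", "bob@example.net", "m1")]
CANNON = [(0, "203.0.113.9", "rnd1@spam.test", "bob@example.net", "m2")]
ROTATING = [(0, "203.0.113.9", "rnd1@spam.test", "bob@example.net", "m3"),
            (700, "203.0.113.9", "rnd2@spam.test", "bob@example.net", "m3")]
EVASION = retry_queue([(0, "203.0.113.9", "fixed@spam.test", "bob@example.net", "m4")], 900)
```

Two practical caveats the replay makes visible: the evasion costs the spammer nothing but a consistent MAIL FROM and a queue, which is why greylisting alone degrades over time; and large senders retry from a different IP in the same cluster, so real deployments key on the /24 (or whitelist known clusters) and persist the table across restarts.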
Anti-Spam Technologies - Content Filtering
- String/regex filters
  - Static, dumb: match only what the rule writer anticipated.
- Behavioural filters
  - Look for specific behaviour patterns.
- Bayesian filters
  - Intelligent, but require learning time (a trained corpus of ham and spam).
  - Accuracy decreases when deployed on a server: one shared model cannot reflect that the same words are ham for one user and spam for another.
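An added example, not from the deck: a naive Bayes filter in the style of Paul Graham's "A Plan for Spam" (the approach behind Bogofilter and SpamAssassin's Bayes rules), trained on a constructed handful of ham and spam one-liners. It shows the two properties the slide names: an untrained filter scores everything near neutral, and a token such as "mortgage" that is ham for one user (a loan officer) and spam in the shared corpus lands in the middle once the corpora are merged. The corpus, the 0.4 prior for unseen tokens and the clamps are assumptions.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z$][a-z0-9$']+")


def tokens(text):
    """Lower-cased word tokens, counted once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Graham-style naive Bayes: per-token spam probabilities combined over the most telling tokens."""

    def __init__(self):
        self.spam_docs = Counter()   # token -> number of spam messages containing it
        self.ham_docs = Counter()    # token -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        if is_spam:
            self.spam_docs.update(tokens(text))
            self.n_spam += 1
        else:
            self.ham_docs.update(tokens(text))
            self.n_ham += 1

    def token_prob(self, tok):
        """P(spam | token). Ham counts are doubled to bias against false positives; probabilities
        are clamped to [0.01, 0.99]; a token never seen in training gets 0.4."""
        b = self.spam_docs[tok] / self.n_spam if self.n_spam else 0.0
        g = 2 * self.ham_docs[tok] / self.n_ham if self.n_ham else 0.0
        if b + g == 0:
            return 0.4
        return min(0.99, max(0.01, b / (b + g)))

    def score(self, text, n_interesting=15):
        """Combined spam probability from the n tokens furthest from 0.5."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:n_interesting]
        if not probs:
            return 0.4
        log_p = sum(math.log(p) for p in probs)          # product of p_i, in log space
        log_q = sum(math.log(1.0 - p) for p in probs)    # product of (1 - p_i)
        return 1.0 / (1.0 + math.exp(log_q - log_p))     # p / (p + q)


# Constructed training corpus; a real deployment needs hundreds of messages of each class.
HAM = [
    "mortgage rate sheet for the client meeting tomorrow",
    "please review the mortgage application from our client",
    "meeting moved to tuesday bring the rate sheet",
    "lunch tomorrow at the usual place",
    "can you review my patch before the meeting",
    "the build is broken again please check",
]
SPAM = [
    "low mortgage rates refinance now cheap",
    "cheap viagra soma cialis lowest rates",
    "oem software for $1 cheap prices",
    "refinance your mortgage now lowest rates guaranteed",
]


def trained_filter():
    f = BayesFilter()
    for m in HAM:
        f.train(m, is_spam=False)
    for m in SPAM:
        f.train(m, is_spam=True)
    return f
```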
Anti-Spam Technologies - Content Filtering
- Signature/fingerprint
  - Fuzzy hashes (Nilsimsa code): near-identical messages get similar fingerprints, so the small random variations spammers insert do not defeat the match. Good as an add-on.
- OCR (Optical Character Recognition)
  - Image scanning; not efficient.

Anti-Spam Technologies - C/R
- Challenge-Response systems
  - Recipient challenges the sender.
  - Bounce message / SMTP rejection.
  - URL click / CAPTCHA test / reply to bounce.
  - CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).
Anti-Spam Technologies - Sender Driven
- SPF (Sender Policy Framework)
  - Anti-forgery.
  - Uses DNS SPF/TXT records, the connecting IP and the domain name of the sender.
  - The domain owner publishes which outbound SMTP hosts are authorised for the domain; the receiving MTA checks the connecting IP against the record of the MAIL FROM (or HELO) domain.
- DKIM (DomainKeys Identified Mail)
  - Signed messages.
  - Anti-forgery, as the signing domain claims responsibility.
  - Uses DNS TXT records (the public key is published under selector._domainkey.domain; below, s=gamma and d=gmail.com) and the DKIM-Signature header.
  - DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=; b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMnq+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=
- Neither says anything about content: a spammer's own domain can publish SPF and sign with DKIM and pass both.
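An added example, not from the deck: an SPF evaluator for the record terms an MTA meets most often (ip4/ip6, a, mx, include, all with the +/-/~/? qualifiers, and the redirect modifier), returning the RFC 4408 result names and enforcing the 10-lookup limit. The DNS data is a constructed table of documentation addresses standing in for real zones, and ptr/exists are deliberately treated as errors rather than implemented.

```python
import ipaddress

# Constructed zone data standing in for DNS (documentation ranges, not real hosts).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example a mx -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.10 ~all"],
    ("example.com", "A"): ["203.0.113.5"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("redirect.example", "TXT"): ["v=spf1 redirect=example.com"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],   # recursion that must hit the limit
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 4408 section 10.1: DNS-querying terms are capped at 10 per check


def _a_matches(addr, arg, domain, dns):
    """'a' mechanism: is addr one of the A records of the target (optionally widened by /cidr)?"""
    host, _, cidr = arg.partition("/")
    host = host or domain
    for a in dns.get((host, "A"), []):
        net = ipaddress.ip_network(a + "/" + cidr if cidr else a, strict=False)
        if addr in net:
            return True
    return False


def check_host(ip, domain, dns=DNS, _lookups=None):
    """Evaluate domain's SPF record for a connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror."""
    lookups = _lookups if _lookups is not None else [0]
    addr = ipaddress.ip_address(ip)
    records = [r for r in dns.get((domain, "TXT"), []) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    redirect = None
    for term in records[0].split()[1:]:
        name, sep, arg = term.partition("=")
        if sep:                                   # modifier (redirect=, exp=), not a mechanism
            if name.lower() == "redirect":
                redirect = arg
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "a":
            matched = _a_matches(addr, arg, domain, dns)
        elif name == "mx":
            host, _, cidr = arg.partition("/")
            matched = any(_a_matches(addr, mx + "/" + cidr if cidr else mx, domain, dns)
                          for mx in dns.get((host or domain, "MX"), []))
        elif name == "include":
            sub = check_host(ip, arg, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"                # an included domain must exist and be valid
            matched = sub == "pass"               # include matches only on pass
        else:
            return "permerror"                    # ptr/exists not implemented; unknown terms are errors
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, dns, lookups)
        return "permerror" if result == "none" else result
    return "neutral"                              # no term matched and no redirect
```

A "pass" only means the IP is authorised to use that domain in MAIL FROM; it is an input to a reputation or heuristic score, not a verdict on the message.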
Anti-Spam Technologies - Sender driven
- HashCash
  - Proof of work by the sender.
  - Hard to compute, easy to verify (the square root / square asymmetry: the receiver does one cheap operation, the sender many).
  - Partial hash collision with zero bits: the sender iterates a counter until the SHA-1 of the stamp starts with the required number of zero bits; the receiver hashes once to verify.
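An added example, not from the deck: minting and verifying a hashcash version-1 stamp (the 1:bits:date:resource:ext:rand:counter format from hashcash.org), with the receiver-side checks that make it more than a hash comparison: the stamp must be for our resource, not expired, claim at least our minimum bit count, and not have been spent before. The date format, the 2-day validity and the in-memory double-spend set are assumptions.

```python
import base64
import datetime
import hashlib
import os


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(resource, bits=20, date=None, rand=None):
    """Mint a stamp whose SHA-1 has at least `bits` leading zero bits.

    Expected work is 2**bits hashes: about a million SHA-1s for 20 bits, trivial for one message
    and crippling at spam volumes. date is yymmdd; rand keeps two senders from colliding.
    """
    date = date or datetime.datetime.now(datetime.timezone.utc).strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(6)).decode()
    counter = 0
    while True:
        stamp = "1:%d:%s:%s::%s:%d" % (bits, date, resource, rand, counter)
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, min_bits, today, spent=None, max_age_days=2):
    """Receiver-side check. `today` is yymmdd; `spent` is the double-spend database (a set of
    accepted stamps). Returns (ok, reason). Verification costs one hash however long minting took."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False, "not a version-1 stamp"
    try:
        claimed = int(fields[1])
        stamp_date = datetime.datetime.strptime(fields[2], "%y%m%d").date()
        today_date = datetime.datetime.strptime(today, "%y%m%d").date()
    except ValueError:
        return False, "malformed bits or date"
    if claimed < min_bits:
        return False, "only %d bits claimed, %d required" % (claimed, min_bits)
    age = (today_date - stamp_date).days
    if age > max_age_days or age < -1:
        return False, "stamp expired or post-dated"
    if fields[3] != resource:
        return False, "stamp minted for a different resource"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return False, "hash does not have the claimed zero bits"
    if spent is not None:
        if stamp in spent:
            return False, "stamp already spent"
        spent.add(stamp)
    return True, "ok"
```

The resource and date checks are what stop a spammer amortising the work: without them one stamp could be replayed to every recipient, or minted far in advance on idle hardware.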
Anti-Spam Technologies - Heuristics
- Heuristic filters
  - A combination of the above techniques.
  - Define rules, weights and threshold(s): each matching rule adds its weight and the total is compared with the threshold.
  - Reduces the false positive rate compared with any single test.
- Reputation systems
  - Advanced heuristics to create reputation.
  - Create reputation of the IPs/domains sending messages.
Exploiting the Loop Holes - Evading filters
- ACLs: Greylisting
  - Simulating a simple queue thread with a 4-tuple <MSGID><TIME><MFROM><RCPT>.
  - Resending after a predefined time, so the retry looks like a legitimate MTA's queue.
- Content Filtering
  - Run the message content through filters/free email services before sending, to pre-test it.
  - CAPTCHA effect for OCR: distort the text in images so OCR cannot read it.
  - Quoted-printable encoding (=2E for ".") and random text padding, as in this sample:

  Subject: Never agree to be a loser
  Buck up, your troubles caused by small dimension will soon be over!
  Initiate a natural growth of your masculine muscle!
  http://veniutk=2Ecom/
  control=2E All data was lost at T+5 minutes, 5 seconds=2Ethings happen=2E= We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three couples refused to pled= ge their
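An added example, not from the deck: why the sample above gets past a filter that matches on the wire form of the body, and the fix. The =2E sequences are quoted-printable for "." and the trailing "=" is a soft line break, so a regex or URL blocklist run before decoding never sees veniutk.com; normalising (decode, drop HTML, lower-case) first restores it. The body is constructed from the slide's text with the soft breaks put back on their own lines, and the three rules are a toy rule set, not SpamAssassin's.

```python
import html
import quopri
import re

# Constructed from the slide's sample: quoted-printable body with "=2E" for "." and "=" soft breaks.
RAW_BODY = """\
Subject: Never agree to be a loser
Buck up, your troubles caused by small dimension will soon be over!
Initiate a natural growth of your masculine muscle!
http://veniutk=2Ecom/
control=2E All data was lost at T+5 minutes, 5 seconds=2Ethings happen=2E=
 We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E=
 {_BOOK_4in a retirement home=2EIn February, three couples refused to pled=
ge their
"""

# Toy rule set (name, pattern); a real engine has thousands of these and weights each.
RULES = [
    ("url_veniutk", re.compile(r"veniutk\.com", re.I)),
    ("enlargement_pitch", re.compile(r"masculine\s+muscle", re.I)),
    ("loser_subject", re.compile(r"^subject:.*\bloser\b", re.I | re.M)),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def decode_qp(body):
    """Undo quoted-printable: =XX escapes become bytes, '=' + newline soft breaks disappear."""
    return quopri.decodestring(body.encode("ascii", "replace")).decode("utf-8", "replace")


def normalize(body):
    """The form a content filter should actually match on: decoded, HTML entities resolved,
    tags dropped, lower-cased, runs of spaces collapsed (newlines kept so ^ anchors still work)."""
    text = decode_qp(body)
    text = html.unescape(re.sub(r"<[^>]+>", " ", text))
    return re.sub(r"[ \t]+", " ", text).lower()


def matching_rules(rules, text):
    return [name for name, rx in rules if rx.search(text)]


def extract_urls(text):
    return URL_RE.findall(text)


def compare(body):
    """Rules hit and URLs found on the raw wire form versus the normalized form."""
    norm = normalize(body)
    return {"raw": (matching_rules(RULES, body), extract_urls(body)),
            "normalized": (matching_rules(RULES, norm), extract_urls(norm))}
```

The random prose after the pitch serves a different filter: it is word salad meant to dilute the Bayesian token statistics with hammy vocabulary, which is why Bayes implementations weight only the most telling tokens rather than averaging over the whole text.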
Exploiting the Loop Holes
- Sender Driven
  - Creating hashcash (not efficient, not popular).
  - Look for open relays with SPF/DKIM functionality: mail relayed through them passes the authentication checks.
  - Bounce messages from valid domains: forge the victim's address as the sender so a legitimate domain's bounce delivers the spam (backscatter).
  - Worms sending mail through local MTAs: the infected host's own organisation relays the spam with its reputation, and it can pass SPF for that domain.

Exploiting the Loop Holes
- Reputation
  - Sending through free webmail accounts.
  - Sample email sent directly and through a valid webmail service:
  - Sent directly: spam mailbox.
  - Through webmail: inbox (bingo!!).
- Subject: viagra soma cialis cheap rates oem software low mortgage rates
  viagra soma cialis cheap rates
  low mortgage rates oem software for $1
  penis enlargement for good sex
  live xxx videos

Exploiting the Loop Holes
- Targeting the low-priority MX
  - The backup MX (higher preference value) often lacks the primary's filtering and relays everything inward, so this helps in bypassing filters altogether (if you are lucky, that is :-P).
- Mail Reconnaissance
  - Reading replies (bounces, auto-replies) from valid and invalid addresses.
  - Exposes an enormous amount of information: which accounts exist, internal hostnames and addresses, mail software and versions.
  - Definitely a must for any pen tester.
References
- SPF: http://www.ietf.org/rfc/rfc4408.txt
- DKIM: http://www.dkim.org/
- SpamAssassin: http://spamassassin.apache.org/
- Razor: http://razor.sourceforge.net/
- CAPTCHA: http://www.captcha.net/
- Bogofilter: http://bogofilter.sourceforge.net/
- Mailwasher: http://www.mailwasher.net/
- HashCash: http://www.hashcash.org/
- Greylisting: http://greylisting.org/
- Gartner report: http://news.zdnet.com/2100-9595_22-955842.html
- DNSxLs: http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl-01.txt-16252.txt
Thanks
- QA?
- Contact me: null _a_t_ null . co . In
- NULL is having an official meet on 7th Dec at ClubHack.