CAP6135: Malware and Software
Vulnerability Analysis
Spam and Phishing
Cliff Zou
Spring 2012
Acknowledgement
 This lecture uses some contents from the lecture notes
from:
 Dr. Dan Boneh (Stanford): CS155:Computer and Network
Security
 Jim Kurose, Keith Ross. Computer Networking: A Top Down
Approach Featuring the Internet, 5th edition.
Electronic Mail
Three major components:
 user agents
 mail servers
 simple mail transfer protocol: SMTP
User Agent
 a.k.a. “mail reader”
 composing, editing, reading mail
messages
 e.g., Eudora, Outlook, elm,
Netscape Messenger
 outgoing, incoming messages
stored on server
[Figure: three mail servers connected to each other by SMTP; each server holds user mailboxes and an outgoing message queue and serves several user agents]
How email works: SMTP
(RFC 821, 1982)
 Some SMTP commands:
 MAIL FROM: <reverse-path>  (envelope sender, used as the return path for bounces)
 RCPT TO: <forward-path>  (repeated once for each recipient)
 If unknown recipient: response "550 Failure reply"
 DATA  (email headers and contents follow, terminated by a line containing only ".")
 Uses TCP port 25 for connections
Sample fake email sending
S: 220 longwood.cs.ucf.edu
C: HELO fake.domain
S: 250 longwood.cs.ucf.edu Hello fake.domain, pleased to meet you
C: MAIL FROM: <alice@crepes.fr>
S: 250 alice@crepes.fr... Sender ok
C: RCPT TO: <czou@cs.ucf.edu>
S: 250 czou@cs.ucf.edu ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: from: “fake man” <fake@fake.fake.fake>
C: to: “dr. who” <who@who>
C: subject: who am I?
C: Do you like ketchup?
C: How about pickles?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection
Try SMTP interaction for yourself:
 telnet servername 25
 see the 220 reply from the server
 enter the HELO, MAIL FROM, RCPT TO, DATA, QUIT commands
 "mail from:" the domain may need to exist (some servers check it in DNS)
 "rcpt to:" the user needs to exist on the server
 A mail server may or may not support "relay" (accepting mail for non-local recipients)
 The CS email server relays only for the campus network
 "from:", "to:" and "subject:" inside DATA are what a normal mail client displays; the server never compares them with MAIL FROM and RCPT TO
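The session on the previous slide, played out in code. This is an added example for this page, not part of the lecture: a scripted client and a tiny in-memory server that answers with the reply codes a real MTA would use. The server name is the one from the transcript; the local mailbox list is a constructed value. The point to watch is that the envelope (MAIL FROM / RCPT TO) and the From:/To: header lines inside DATA are handled completely separately, and nothing checks that they agree.

```python
"""Toy SMTP exchange modelled on the transcript above: a scripted client and a
tiny in-memory server that answers with realistic reply codes. Example code
added for this page, not a real MTA. The server name is the one in the
transcript; the local mailbox list is a constructed value for the demo."""

SERVER_NAME = "longwood.cs.ucf.edu"
LOCAL_MAILBOXES = {"czou@cs.ucf.edu"}   # constructed: addresses this toy server delivers to


class ToySmtpServer:
    """Tracks the envelope (MAIL FROM / RCPT TO) separately from the message
    text, which is exactly the gap a spoofed From: header hides in."""

    def __init__(self):
        self.mail_from = None
        self.rcpt_to = []
        self.in_data = False
        self.data_lines = []
        self.delivered = []          # (envelope_from, [accepted recipients], message text)

    def greeting(self):
        return f"220 {SERVER_NAME}"

    def handle(self, line):
        """Process one client line; return the reply, or None while the body
        is being received."""
        if self.in_data:
            if line == ".":                                  # lone dot ends DATA
                self.in_data = False
                self.delivered.append((self.mail_from, list(self.rcpt_to),
                                       "\r\n".join(self.data_lines)))
                self.mail_from, self.rcpt_to, self.data_lines = None, [], []
                return "250 Message accepted for delivery"
            self.data_lines.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {SERVER_NAME} Hello {arg}, pleased to meet you"
        if verb == "MAIL":
            # The reverse-path is taken at face value: nothing here validates it.
            self.mail_from = arg.split(":", 1)[1].strip().strip("<>")
            return f"250 {self.mail_from}... Sender ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip().strip("<>")
            if rcpt not in LOCAL_MAILBOXES:
                return "550 User unknown"                    # the slide's "550 Failure reply"
            self.rcpt_to.append(rcpt)
            return f"250 {rcpt}... Recipient ok"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {SERVER_NAME} closing connection"
        return "500 Command unrecognized"


def send_message(server, helo, envelope_from, recipients, header_lines, body_lines):
    """Drive one session and return the transcript as (side, line) pairs.
    Envelope addresses go into MAIL FROM / RCPT TO; the From:/To:/Subject:
    header lines travel inside DATA and are never compared with the envelope."""
    transcript = [("S", server.greeting())]

    def say(command):
        transcript.append(("C", command))
        reply = server.handle(command)
        if reply is not None:
            transcript.append(("S", reply))
        return reply

    say(f"HELO {helo}")
    say(f"MAIL FROM: <{envelope_from}>")
    accepted = [r for r in recipients if say(f"RCPT TO: <{r}>").startswith("250")]
    if accepted:
        say("DATA")
        for line in header_lines + [""] + body_lines:
            say("." + line if line.startswith(".") else line)   # dot-stuffing
        say(".")
    say("QUIT")
    return transcript


if __name__ == "__main__":
    srv = ToySmtpServer()
    for side, text in send_message(srv, "fake.domain", "alice@crepes.fr", ["czou@cs.ucf.edu"],
                                   ['from: "fake man" <fake@fake.fake.fake>',
                                    'to: "dr. who" <who@who>', "subject: who am I?"],
                                   ["Do you like ketchup?", "How about pickles?"]):
        print(f"{side}: {text}")
```

Running it prints the same dialogue as the slide. Adding a second, unknown recipient shows the 550 reply for that RCPT TO while the rest of the session proceeds, and the delivered message carries the spoofed From: line untouched next to an envelope sender that says something else entirely.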
Using Telnet
 On the department eustics Linux machine:
 telnet longwood.cs.ucf.edu 25
 In the telnet interaction, "backspace" is not supported. You can type "ctrl+backspace" to erase the previous two characters
 On a Windows 7 machine:
 Telnet is not installed by default; see this tutorial for installing it:
 http://technet.microsoft.com/en-us/library/cc771275%28v=ws.10%29.aspx
 Outside the campus network, the department email server does not accept connections:
 You need to first setup VPN to campus network, then use telnet
 How to set up VPN:
 https://publishing.ucf.edu/sites/itr/cst/Pages/VpnHelp.aspx
Email in the early 1980’s
[Figure: sender on Network 1, a mail relay between Network 1 and Network 2, a second mail relay between Network 2 and Network 3, recipient on Network 3]
• Mail Relay: forwards mail to the next hop.
• Sender path includes the path through the relays.
Why Do Email Servers Support Relay?
 Wiki tutorial:
 http://en.wikipedia.org/wiki/Open_mail_relay
 In the old days, network constraints made it necessary: not every host could reach every other host directly
 An email agent uses SMTP to send email on behalf of a user
 The user can choose which email address to use as the sender
 Email servers support group mailing lists:
 The "sender" shown in the email is the list address, but the real sender is a different person
 Closing the relay: the server accepts only
 Messages from local IP addresses to local mailboxes
 Messages from local IP addresses to non-local mailboxes
 Messages from non-local IP addresses to local mailboxes
 Messages from clients that are authenticated and authorized
 ... and refuses non-local IP to non-local mailbox, which is exactly the case an open relay accepts
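The closed-relay rules above as a decision function, added here as an example (not code from the lecture). The local network ranges and the local domain are constructed values; the four accepted cases map one-to-one onto the list, and everything else gets the 554 refusal that an open relay lacks.

```python
"""Relay policy for a "closed" relay: the four cases listed above are accepted
and everything else is refused. Example code added for this page; the local
networks and the local domain are constructed values."""
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),          # constructed campus ranges
              ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"cs.ucf.edu"}                              # mailboxes this server hosts


def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_local_mailbox(address):
    return address.rpartition("@")[2].lower() in LOCAL_DOMAINS


def relay_decision(client_ip, recipient, authenticated=False):
    """Return (SMTP reply, which case matched) for one RCPT TO.
    Only "non-local client -> non-local mailbox" without authentication is
    relaying for strangers; that is the case an open relay accepts."""
    if authenticated:
        return "250 Recipient ok", "authenticated and authorized client"
    local_ip, local_rcpt = is_local_ip(client_ip), is_local_mailbox(recipient)
    if local_ip and local_rcpt:
        return "250 Recipient ok", "local IP -> local mailbox"
    if local_ip:
        return "250 Recipient ok", "local IP -> non-local mailbox (outbound mail)"
    if local_rcpt:
        return "250 Recipient ok", "non-local IP -> local mailbox (inbound mail)"
    return "554 5.7.1 Relay access denied", "non-local IP -> non-local mailbox (relay attempt)"
```

In a real MTA this check runs at RCPT TO time, before the body is transmitted, so a spammer probing for open relays gets the refusal without being able to push any bulk mail through.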
Spoofed email
 SMTP: designed for a trusting world ...
 Data in MAIL FROM (like the From: and To: headers inside DATA) is totally under the sender's control
 ... an old example of improper input validation
 Recipient's mail server:
 Only sees the IP address of its direct peer
 Records it in the "From" line and the Received header it adds at the top of the message
The Received header
 Sending spoofed mail to myself:
From someone@somewhere.com (172.24.64.20) ...
Received: from cs-smtp-1.stanford.edu
Received: from smtp3.stanford.edu
Received: from cipher.Stanford.EDU
 Each relay prepends its own Received header; the lines below the ones added by your own servers were written by the sender and are untrustworthy
 The top "From" line, with the peer IP 172.24.64.20, is inserted by the recipient's mail server and is the only hop information it can vouch for
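How a receiver finds the one IP it can trust in that header stack, as an added example (not from the lecture). Each Received: line was written by the host that accepted the message, so the bracketed "from" address on a line is reliable only while the writer is one of our own relays; the first address outside our networks is the real peer, and every line below it came from the sender. The message and the trusted network range are constructed for the demo, in the shape of the slide's example.

```python
"""Find the peer IP the local mail system really saw by walking Received:
headers from the top: each line was written by the host that received the
message, so its bracketed "from" IP is reliable only while the writer is one
of our own relays. The first IP outside our networks is the true peer; every
Received: line below it was supplied by the sender. Example code added for this
page; the message and the trusted networks are constructed."""
import email
import ipaddress
import re

# Our own relays (constructed). Lines written by these hosts can be trusted.
TRUSTED_NETS = [ipaddress.ip_network("171.64.0.0/16")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message in the shape of the slide: two genuine hops on top, then
# a Received: line the sender forged to blame mail.example.net.
SPOOFED = """\
Received: from smtp3.stanford.edu (smtp3.stanford.edu [171.64.1.1])
\tby cs-smtp-1.stanford.edu with ESMTP id abc123; Mon, 5 Mar 2012 10:00:02 -0800
Received: from cipher.Stanford.EDU (unknown [172.24.64.20])
\tby smtp3.stanford.edu with SMTP id def456; Mon, 5 Mar 2012 10:00:01 -0800
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby cipher.Stanford.EDU with SMTP id forged1; Mon, 5 Mar 2012 09:59:00 -0800
From: someone@somewhere.com
To: victim@stanford.edu
Subject: spoofed

hello
"""


def trusted_peer_ip(raw_message, trusted_nets=TRUSTED_NETS):
    """Return (peer_ip, untrusted_hops): the IP of the first host that is not
    one of ours, and how many Received: lines below it cannot be verified.
    peer_ip is None if the chain cannot be parsed."""
    received = email.message_from_string(raw_message).get_all("Received", [])
    for index, hop in enumerate(received):           # index 0 = most recent hop
        match = IP_RE.search(hop)                     # first bracketed IP = the "from" side
        if not match:
            return None, len(received) - index        # unparseable: stop trusting here
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in trusted_nets):
            return str(ip), len(received) - index - 1
    return None, 0                                    # every hop was internal
```

For the constructed message this yields 172.24.64.20 (the machine that connected to smtp3) with one unverifiable line below it; the forged line naming mail.example.net never influences the result. Trust must be chained by address this way rather than by matching "by hostname", because the sender can just as easily write "by smtp3.stanford.edu" into a forged line.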
Spam Blacklists
 RBL: Realtime Blackhole Lists
 Includes servers or ISPs that generate lots of spam
 spamhaus.org , spamcop.net
 Effectiveness (stats from spamhaus.org):
 RBL can stop about 15-25% of incoming spam at SMTP
connection time,
 Over 90% of spam with message body URI checks
 Spammer goal:
 Evade blacklists by hiding its source IP address.
Spamming techniques
Open relays
 SMTP Relay forwards mail to destination
1. Bulk email tool connects via SMTP (port 25)
2. Sends list of recipients (via RCPT TO command)
3. Sends email body --- once for all recipients
4. Relay delivers message
 Honest relay:
 Adds Received header revealing source IP
 Hacked relay does not
Example: bobax worm
 Infects machines with high bandwidth
 Exploits MS LSASS.exe buffer overflow vulnerability
 Slow spreading:
 Spreads on manual command from operator
 Then randomly scans for vulnerable machines
 On infected machine: (spam zombie)
 Installs hacked open mail relay. Used for spam.
 Once spam zombie added to RBL:
 Worm spreads to other machines
Open HTTP proxies
 Web cache (HTTP/HTTPS proxy) -- e.g. squid
 To spam: CONNECT SpamRecipient-IP:25 HTTP/1.0, then send SMTP commands through the tunnel
 Squid becomes a mail relay ...
[Figure: normal use of CONNECT. For the URL https://xyz.com the browser sends "CONNECT xyz.com:443" to the Squid web cache; Squid opens a TCP connection to the web server xyz.com and passes the TLS ClientHello and ServerHello through untouched in both directions]
Finding proxies
 Squid manual: (squid.conf)
acl Safe_ports port 80 443
http_access deny !Safe_ports
 Requests for other destination ports (including CONNECT to port 25) are denied; the stock squid.conf additionally limits CONNECT to SSL_ports (443) and restricts which source networks may use the proxy at all
 Similar problem with SOCKS proxies
 Some open proxy and open relay listing services:
 http://www.multiproxy.org/
http://www.stayinvisible.com/
http://www.blackcode.com/proxy/
http://www.openproxies.com/ ($20/month)
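As an added illustration, not from the slides: the two ends of the squid.conf spectrum. The first fragment is the classic open-proxy shape; the second follows the layout of the stock squid.conf shipped with Squid, where the SSL_ports rule is what specifically refuses a CONNECT to port 25 and the localnet rule keeps strangers off the proxy altogether. The localnet range is an assumption for the example.

```conf
# Weak: no port ACLs, every client allowed. "CONNECT 203.0.113.5:25 HTTP/1.0"
# is tunnelled and the cache becomes a mail relay for anyone on the Internet.
http_access allow all

# Corrected, in the shape of the stock squid.conf:
acl localnet src 192.168.0.0/16          # assumption: this site's client network
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports             # URLs for other ports are refused
http_access deny CONNECT !SSL_ports      # CONNECT may only reach TLS ports, never 25
http_access allow localnet
http_access deny all                     # strangers get nothing, so it is not an open proxy
```

The order matters: Squid evaluates http_access lines top to bottom and stops at the first match, so the deny rules must precede the allow, and the final "deny all" is what closes the proxy to the outside world even if a later edit adds an allow for some other ACL.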
Open Relays vs. Open Proxies
 HTTP proxy design problem:
 Port 25 should have been blocked by default
 Otherwise, it violates the principle of least privilege: a web cache has no reason to open arbitrary outbound TCP connections
 Relay vs. proxy:
 A relay takes a list of addresses and sends the message to all of them (the body is transmitted once)
 Proxy: the spammer must send the message body to each recipient through the proxy
 Zombies typically provide hacked mail relays.
Thin pipe / Thick pipe method
 Spam source has
 a High Speed Broadband connection (HSB)
 and controls a Low Speed Zombie (LSZ)
 Assumes no egress filtering at HSB's ISP, so HSB can send packets carrying the LSZ's source IP address
 HSB sends the SMTP bulk mail with source IP = LSZ; the LSZ only has to receive the target server's replies (the TCP handshake and sequence numbers) and pass them to HSB over its thin pipe
 Hides the IP address of HSB. The LSZ is what gets blacklisted.
[Figure: HSB sends "SMTP bulk mail (Source IP = LSZ)" to the target SMTP server; the target's TCP handshake replies go to the LSZ, which forwards the TCP sequence numbers to HSB]
Bulk email tools (spamware)
 Automate:
 Message personalization
 Also test against spam filters (e.g. spamassassin)
 Mailing list and proxy list management
[Figure: Send-Safe bulk emailer, a spamware tool]
Anti-spam methods
The law: CAN-SPAM act (Jan. 2004)
 Bans false or misleading header information
 To: and From: headers must be accurate
 Prohibits deceptive subject lines
 Requires an opt-out method
 Requires that email be identified as advertisement
 ... and include sender's physical postal address
 Also prohibits various forms of email harvesting
and the use of proxies
Effectiveness of CAN-SPAM
 Enforced by the FTC:
 FTC spam archive spam@uce.gov
 Penalties: $11,000 per violation
 Dec ’05 FTC report on effectiveness of CAN-SPAM:
 50 cases in the US pursued by the FTC
 No impact on spam originating outside the US
 Open relays hosted on bot-nets make it difficult
to collect evidence
http://www.ftc.gov/spam/
Sender verification I: SPF
(sender policy framework)
 Goal: prevent spoofed email claiming to be from HotMail
 Why? Bounce messages for the spoofed mail flood the HotMail system
 hotmail.com publishes an SPF record in DNS listing the IP addresses allowed to send mail for the domain, e.g. 64.4.33.7 and 64.4.33.8
 The recipient's mail server (the receiving MTA, not the user's MUA) takes the domain from MAIL FROM (e.g. xyz@hotmail.com), looks up its SPF record and asks: is the connecting sender IP in the list?
 More precisely: hotmail.com TXT "v=spf1 a:mailers.hotmail.com -all" (the "a:" mechanism means the A records of mailers.hotmail.com; "-all" means reject everything else)
[Figure: sender -> recipient mail server (MAIL FROM xyz@hotmail.com) -> DNS lookup of the hotmail.com SPF record -> "Is SenderIP in list?"]
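The check the receiving MTA performs, as an added example (not from the lecture). DNS is replaced by a constructed in-memory table: hotmail.com's record is the one quoted on the slide and the addresses are the slide's example values; example.org is a second constructed domain with a softfail policy. Only the ip4:, a: and all mechanisms are modelled; include:, mx and the rest of RFC 7208 are skipped. Note that SPF evaluates the MAIL FROM domain, so a spoofed From: header inside DATA is not what it is checking.

```python
"""Simplified SPF check for the slide above. The receiving MTA takes the
domain from MAIL FROM, fetches its v=spf1 TXT record and tests the connecting
IP against the record's mechanisms. Example code added for this page: DNS is
replaced by a constructed in-memory table (hotmail.com's record is the one
quoted on the slide, the addresses are the slide's example values) and only
the ip4:, a: and all mechanisms are modelled."""
import ipaddress

DNS = {                                                   # constructed stand-in for DNS
    ("hotmail.com", "TXT"): ["v=spf1 a:mailers.hotmail.com -all"],
    ("mailers.hotmail.com", "A"): ["64.4.33.7", "64.4.33.8"],
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def check_spf(sender_ip, mail_from):
    """Return pass / fail / softfail / neutral / none for the connecting IP and
    the envelope sender (an address or a bare domain)."""
    domain = mail_from.rpartition("@")[2]
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"                                     # no usable record
    for term in records[0].split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        else:
            continue                                      # include:, mx, exists, ... not modelled
        if matched:
            return QUALIFIERS[qualifier]                  # first matching mechanism wins
    return "neutral"
```

A "fail" from a "-all" record is the signal the slide is after: the receiving server can refuse the message at RCPT or DATA time and no bounce is ever generated toward hotmail.com.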
Sender verification II: DKIM
 DomainKeys Identified Mail (DKIM)
 Same goal as SPF. Harder to spoof, and it survives forwarding because it checks a signature rather than the connecting IP.
 Basic idea:
 Sender's MTA signs the email
 Including the body and selected header fields (From:, Subject:, ...)
 Receiver's MTA (or its spam filter, not the user's MUA) checks the signature
 Rejects or down-scores the email if invalid
 Sender's public key is published in DNS
 Under the subdomain _domainkey.hotmail.com (a TXT record at selector._domainkey.hotmail.com)
Graylists (greylisting)
 Recipient's mail server records triples:
 (sender email, recipient email, peer IP)
 Mail server maintains a DB of triples
 First time: triple not in DB:
 Mail server sends a 4xx temporary-failure reply ("I am busy"; 421 on the original slide, 450/451 in common implementations)
 Records the triple in the DB
 Second time (after 5 minutes): allows the email to pass; a legitimate MTA queues and retries, most spam tools do not
 Triples kept for 3 days (configurable)
 Easy to defeat (just retry), but currently works well.
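The triple database with the slide's timings, as an added example (not from the lecture). The clock is injectable so the 5-minute and 3-day behaviour can be exercised without waiting; the reply codes are the 450 commonly used in deployments.

```python
"""Greylisting as described above: a triple database with the 5-minute retry
delay and 3-day lifetime from the slide. Example code added for this page; the
clock is injectable so the behaviour can be exercised without waiting."""
import time


class Greylist:
    def __init__(self, retry_after=5 * 60, expire_after=3 * 24 * 3600, clock=time.time):
        self.retry_after = retry_after
        self.expire_after = expire_after
        self.clock = clock
        self.seen = {}               # (sender, recipient, peer_ip) -> [first_seen, last_seen]

    def _expire(self, now):
        stale = [t for t, (_, last) in self.seen.items() if now - last > self.expire_after]
        for t in stale:
            del self.seen[t]

    def check(self, sender, recipient, peer_ip):
        """Reply to give for one RCPT TO. A 4xx code asks a real MTA to queue
        and retry; most spam tools never come back."""
        now = self.clock()
        self._expire(now)
        triple = (sender.lower(), recipient.lower(), peer_ip)
        entry = self.seen.get(triple)
        if entry is None:
            self.seen[triple] = [now, now]
            return "450 4.7.1 Greylisted, try again later"
        first, _ = entry
        if now - first < self.retry_after:
            return "450 4.7.1 Greylisted, try again later"    # retried too quickly
        entry[1] = now                                         # keep the known triple al�ive
        return "250 Recipient ok"
```

Because the peer IP is part of the key, a botnet that rotates through zombies for every delivery attempt never completes the pair of attempts from the same address, which is why the technique works against spam cannons and why a retrying bot defeats it.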
Puzzles and CAPTCHA
 General DDoS defense techniques applied to email: make each message cost the sender something
 Puzzles: slow down the spam server
 Every email contains the solution to a puzzle whose challenge = (sender, recipient, time), so a solution cannot be reused for another recipient or at a later time
 CAPTCHA:
 Completely Automated Public Turing test to tell Computers and
Humans Apart
 Every email contains a token
 Sender obtains tokens from a CAPTCHA server
 Say: 100 tokens for solving a CAPTCHA
 CAPTCHA server ensures tokens are not reused
 Either method is difficult to deploy.
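One concrete shape the "puzzles" bullet can take, added here as an example and not a scheme from the lecture: a hashcash-style proof of work over (sender, recipient, time). The sender brute-forces a nonce until the hash has enough leading zero bits; the receiver checks it with one hash and refuses stale or reused stamps. The difficulty and freshness window are illustrative parameters.

```python
"""Proof-of-work stamp in the spirit of the "puzzles" bullet: the sender must
find a nonce such that SHA-256(sender|recipient|time|nonce) has `bits` leading
zero bits; the receiver checks it in one hash and refuses stale or reused
stamps. Example code added for this page (hashcash-style, not a scheme from
the lecture); the parameters are illustrative."""
import hashlib


def _stamp_hash(sender, recipient, timestamp, nonce):
    return hashlib.sha256(f"{sender}|{recipient}|{timestamp}|{nonce}".encode()).digest()


def _leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(sender, recipient, timestamp, bits=16, limit=1 << 26):
    """Sender side: brute-force a nonce. Expected cost doubles with every bit."""
    for nonce in range(limit):
        if _leading_zero_bits(_stamp_hash(sender, recipient, timestamp, nonce)) >= bits:
            return nonce
    raise RuntimeError("no solution found within limit")


class PuzzleVerifier:
    """Receiver side: one hash to check, plus freshness and single use."""

    def __init__(self, bits=16, max_age=48 * 3600):
        self.bits = bits
        self.max_age = max_age
        self.spent = set()

    def verify(self, sender, recipient, timestamp, nonce, now):
        if not (0 <= now - timestamp <= self.max_age):
            return False, "stale or future-dated stamp"
        if _leading_zero_bits(_stamp_hash(sender, recipient, timestamp, nonce)) < self.bits:
            return False, "wrong solution"
        key = (sender, recipient, timestamp, nonce)
        if key in self.spent:
            return False, "stamp already used"
        self.spent.add(key)
        return True, "ok"
```

The asymmetry is the whole point: at 16 bits a legitimate sender spends a fraction of a second per message, a bulk mailer spends that per recipient, and the receiver spends one hash. The deployment problem the slide mentions is visible too: every sending client needs the solver, and the receiver must keep the spent-stamp set for the freshness window.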
SpamAssassin
 Wiki tutorial:
 http://en.wikipedia.org/wiki/SpamAssassin
 Mainly a rule-based spam filter
 Many rules give scores for all fields in an email
 Email headers, special keywords in the email, URLs in the email, images in the email, ...
 Final decision: the combined score is compared with a threshold
 Has false positives (treats normal mail as spam) and false negatives (treats spam as normal)
 False positives are very damaging!
 Nobody wants to lose an important email!
 Also contains Bayesian filtering to match a user's statistical profile
 Needs known "ham" and "spam" email samples for training

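The two halves of that design in miniature, as an added example (not SpamAssassin's code, rules or scores): a handful of constructed rules whose scores add up to a total compared with a threshold, and a small naive-Bayes classifier trained on a constructed ham/spam corpus whose verdict is folded in as one more scored rule. The two sample messages show a case where the rules alone fall short of the threshold and the Bayes rule tips it, and a ham message where the Bayes rule subtracts.

```python
"""Scoring filter in the style described above: constructed rules add up to a
score compared with a threshold, and a naive-Bayes classifier trained on a
constructed corpus contributes one more rule. Example code added for this
page; rules, scores and corpus are made up for the demo, not SpamAssassin's."""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z$]{3,}")
THRESHOLD = 5.0

# (name, score, predicate); a message is a dict with subject, body and headers
RULES = [
    ("SUBJ_ALL_CAPS", 1.5, lambda m: len(m["subject"]) > 5 and m["subject"].isupper()),
    ("URI_IP_ADDR", 2.5, lambda m: re.search(r"https?://\d{1,3}(\.\d{1,3}){3}", m["body"]) is not None),
    ("DRUG_WORDS", 1.0, lambda m: re.search(r"\b(viagra|cialis)\b", m["body"], re.I) is not None),
    ("MISSING_DATE", 1.2, lambda m: "date" not in {h.lower() for h in m["headers"]}),
    ("HTML_ONLY", 0.5, lambda m: "<html" in m["body"].lower()),
]


class BayesFilter:
    """Naive Bayes over word tokens with add-one smoothing."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    def train(self, text, is_spam):
        tokens = TOKEN.findall(text.lower())
        if is_spam:
            self.spam.update(tokens)
            self.nspam += 1
        else:
            self.ham.update(tokens)
            self.nham += 1

    def spam_probability(self, text):
        vocab = len(set(self.spam) | set(self.ham))
        total_spam, total_ham = sum(self.spam.values()), sum(self.ham.values())
        log_spam = math.log(self.nspam / (self.nspam + self.nham))
        log_ham = math.log(self.nham / (self.nspam + self.nham))
        for tok in TOKEN.findall(text.lower()):
            log_spam += math.log((self.spam[tok] + 1) / (total_spam + vocab))
            log_ham += math.log((self.ham[tok] + 1) / (total_ham + vocab))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def score_message(msg, bayes=None):
    """Return (is_spam, score, rule hits). Rule scores add up; the Bayes
    probability is folded in as one more rule, as the text describes."""
    hits = [(name, score) for name, score, pred in RULES if pred(msg)]
    if bayes is not None:
        p = bayes.spam_probability(msg["body"])
        if p > 0.99:
            hits.append(("BAYES_99", 3.5))
        elif p > 0.9:
            hits.append(("BAYES_90", 2.5))
        elif p < 0.01:
            hits.append(("BAYES_00", -1.9))
    total = sum(s for _, s in hits)
    return total >= THRESHOLD, total, hits


CORPUS = [                                             # constructed training samples
    ("cheap viagra online buy now", True),
    ("buy cheap pills now click here", True),
    ("free money click here now", True),
    ("cheap loans buy now", True),
    ("meeting tomorrow about the project", False),
    ("lecture notes for the project posted", False),
    ("can we meet tomorrow about the lecture", False),
    ("project deadline next week meeting", False),
]


def trained_filter():
    bayes = BayesFilter()
    for text, is_spam in CORPUS:
        bayes.train(text, is_spam)
    return bayes


SPAM_MSG = {"subject": "Buy now", "headers": {"From": "x@example.net", "Date": "Mon, 5 Mar 2012"},
            "body": "cheap viagra click here now http://203.0.113.5/buy"}       # constructed
HAM_MSG = {"subject": "Meeting tomorrow", "headers": {"From": "prof@cs.ucf.edu", "Date": "Mon, 5 Mar 2012"},
           "body": "meeting about the project tomorrow"}                        # constructed
```

Tuning any one rule's score shifts the false-positive / false-negative balance for every message that hits it, which is why production rule sets have their scores fitted against a large labelled corpus rather than set by hand as here.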
Part II:
Phishing & Pharming
[Figure: APWG phishing statistics, Oct. 2004 to July 2005]
[Figure: example phishing email and spoofed site. Note: no SSL. Typically short-lived sites.]
Common Phishing Methods
 Often phishing sites hosted on bot-net drones.
 Move from bot to bot using dynamic DNS.
 Use domain names such as:
www.ebay.com.badguy.com
 Use URLs with multiple redirections:
http://www.chase.com/url.php?url="http://www.phish.com"
 Use randomized links:
 http://www.some-poor-sap.com/823548jd/
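Heuristics that catch the three URL tricks above (plus a raw-IP host), added here as an example and not code from any toolbar. The brand list is constructed, and registrable_domain() is a naive two-label stand-in for a public-suffix lookup, so it is wrong for suffixes such as .co.uk; the point is the shape of each check, not production accuracy.

```python
"""Heuristics for the URL tricks listed above: a brand name inside a host whose
registrable domain is somebody else's, a full URL smuggled into a query
parameter (open redirect), a random-looking path segment, and a raw-IP host.
Example code added for this page, not from any toolbar; the brand list is
constructed and registrable_domain() is a naive two-label stand-in for a
public-suffix lookup (wrong for e.g. .co.uk)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

BRAND_DOMAINS = {"ebay": {"ebay.com"}, "chase": {"chase.com"}}   # constructed allow-list
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RANDOMISH = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$", re.I)


def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_signals(url):
    """Return human-readable reasons; an empty list means no heuristic fired."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    signals = []

    for brand, domains in BRAND_DOMAINS.items():            # www.ebay.com.badguy.com
        if brand in host and reg not in domains:
            signals.append(f"brand '{brand}' in host but registrable domain is {reg}")

    for key, values in parse_qs(parts.query).items():       # ...?url="http://www.phish.com"
        for value in values:
            value = unquote(value).strip('"\'\u201c\u201d')
            if re.match(r"https?://", value, re.I):
                inner = registrable_domain(urlsplit(value).hostname or "")
                signals.append(f"parameter '{key}' redirects to {inner}")

    for segment in parts.path.split("/"):                   # /823548jd/
        if RANDOMISH.match(segment):
            signals.append(f"random-looking path segment '{segment}'")

    if IPV4.fullmatch(host):
        signals.append("host is a raw IP address")
    return signals
```

The redirect check is the one worth keeping even when the host looks right: the slide's chase.com example passes every host-based test, and only inspecting the query string reveals where the click actually ends up.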
Industry Response
 Anti-phishing toolbars: Netcraft, EBay, Google, IE7
 IE7 phishing filter:
 Whitelisted sites are not checked
 Other sites: (stripped) URL sent to MS server
 Server responds with “OK” or “phishing”
Pharming
 Cause DNS to point to the phishing site
 Examples:
1. DNS cache poisoning
2. Write an entry into the machine's /etc/hosts file:
"Phisher-IP Victim-Name"
 The URL of the phishing site is identical to the victim's URL
 ... so it bypasses all URL checks
Response: High assurance (Extended Validation) certs
 More careful validation of the requester's identity before cert issuance
 On browser (IE7): [screenshot]
 ... but most phishing sites do not use HTTPS at all
Other industry responses:
[Figure: BofA, PassMark login]
[Figure: ING bank login]
[Figure: Bank of Adelaide login]
[Figure: ING PIN Guard]
T.G.s: The next phishing wave
 Transaction generation malware:
 Wait for user to login to banking sites
 Issue money transfer requests on behalf of user.
 Reported malware in UK targeting all four major banks.
 Note: These are social engineering attacks.
Not just a windows problem.
Some ID Protection Tools
 SpoofGuard: (NDSS ’04)
 Alerts user when viewing a spoofed web page.
 Uses variety of heuristics to identify spoof pages.
 Some SpoofGuard heuristics used in
eBay toolbar and Earthlink ScamBlocker.
 PwdHash: (Usenix Sec ’05)
 Browser extension for strengthening pwd web auth.
 Being integrated with RSA SecurID.
Password Hashing (pwdhash.com)
 Generate a unique password per site
 HMAC_{fido:123}(banka.com) -> Q7a+0ekEXb
 HMAC_{fido:123}(siteb.com) -> OzX2+ICiqc
 The hashed password is not usable at any other site
[Figure: the same master password becomes pwdA at Bank A and pwdB at Site B, and pwdA != pwdB]
Our New Proposed Approach: PwdIP-Hash
 Problem with PwdHash:
 it keys on the domain name only, so it does not help against a phishing/pharming attack in which the attacker's server answers for the genuine domain name (e.g. after DNS cache poisoning): the hash the browser sends is exactly the one the real site accepts
 Basic idea: the user's password is first hashed with the remote server's IP address + domain name, then transmitted to the remote server
 Reason: a remote server cannot lie about its IP address
 The TCP connection has already been set up to that address, so it is very hard to lie about it
 Result: the remote server receives a hashed password
 The real server has the plain password and can recompute the hash with its own IP address to verify
 A phishing server at a different IP address receives a hash that is useless for logging in to the real site
 See our prototype at:
 http://www.cs.ucf.edu/~czou/PwdIP-Hash/
 Paper published at IEEE NCA 2010.
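Both schemes side by side, as an added example covering the PwdHash slide and this one. It is not the pwdhash.com or PwdIP-Hash prototype code: the exact encodings those use are not on the page, so HMAC-SHA256 truncated to 10 base64 characters is an assumption chosen to give outputs the same shape as the slide's Q7a+0ekEXb. The server addresses are constructed; the genuine server stores the plain password because that is the model the slide describes.

```python
"""Per-site password hashing as on the PwdHash slide, and the IP-bound variant
proposed on this slide. Example code added for this page: the exact encodings
used by pwdhash.com and by the PwdIP-Hash prototype are not on the page, so
HMAC-SHA256 truncated to 10 base64 characters is an assumption that keeps the
outputs the same shape as the slide's Q7a+0ekEXb."""
import base64
import hashlib
import hmac


def pwdhash(master_password, domain, length=10):
    """PwdHash: site password = HMAC keyed by the user's password over the
    site's domain name. A phishing domain gets a different, useless value."""
    mac = hmac.new(master_password.encode(), domain.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def pwd_ip_hash(master_password, domain, server_ip, length=10):
    """PwdIP-Hash idea: also bind the IP address the browser actually
    connected to, so a server answering for the right name at the wrong
    address (pharming) still receives a useless value. Assumed encoding."""
    mac = hmac.new(master_password.encode(), f"{domain.lower()}|{server_ip}".encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


class BankServer:
    """The genuine server: knows the user's plain password (the slide's model)
    and its own address, so it can recompute the expected value."""

    def __init__(self, domain, ip):
        self.domain, self.ip = domain, ip
        self.users = {}                       # username -> plain password (slide's model)

    def register(self, user, master_password):
        self.users[user] = master_password

    def login(self, user, submitted_hash):
        expected = pwd_ip_hash(self.users[user], self.domain, self.ip)
        return hmac.compare_digest(expected, submitted_hash)


def pharming_scenario():
    """Return (pwdhash_leaks, ip_hash_leaks): whether the value captured by a
    pharming server at 203.0.113.66 answering for banka.com lets the attacker
    log in to the real server at 198.51.100.10 (constructed addresses)."""
    real = BankServer("banka.com", "198.51.100.10")
    real.register("fido", "fido:123")
    # DNS is poisoned: the browser connects to the attacker's IP for banka.com.
    captured_pwdhash = pwdhash("fido:123", "banka.com")
    captured_ip_hash = pwd_ip_hash("fido:123", "banka.com", "203.0.113.66")
    # The attacker replays what it captured against the real server.
    pwdhash_leaks = captured_pwdhash == pwdhash("fido:123", real.domain)   # same name, same value
    ip_hash_leaks = real.login("fido", captured_ip_hash)
    return pwdhash_leaks, ip_hash_leaks
```

A caveat the slide does not discuss, noted here as the editor's own observation: binding to the peer address assumes the genuine site is reachable at a small, stable set of IP addresses. A service behind a load balancer, anycast or a CDN would need to accept hashes for every address it answers on, and the legitimate hash changes whenever the address does.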
Take home message
 Deployed insecure services (proxies, relays)
 Quickly exploited
 Cause trouble for everyone
 Current web user authentication is vulnerable
to spoofing
 Users are easily fooled into entering password
in an insecure location

More Related Content

Similar to spam.ppt

An Effective Spam Protection System
An Effective Spam Protection SystemAn Effective Spam Protection System
An Effective Spam Protection System
Apollo_n
 
Spam and Anti-spam - Sudipta Bhattacharya
Spam and Anti-spam - Sudipta BhattacharyaSpam and Anti-spam - Sudipta Bhattacharya
Spam and Anti-spam - Sudipta Bhattacharya
sankhadeep
 
Detecting Spambot as an Antispam Technique for Web Internet BBS
Detecting Spambot as an Antispam Technique for Web Internet BBSDetecting Spambot as an Antispam Technique for Web Internet BBS
Detecting Spambot as an Antispam Technique for Web Internet BBS
ijsrd.com
 
10135 a 05
10135 a 0510135 a 05
10135 a 05
Bố Su
 

Similar to spam.ppt (20)

Electronic mail
Electronic mailElectronic mail
Electronic mail
 
An Effective Spam Protection System
An Effective Spam Protection SystemAn Effective Spam Protection System
An Effective Spam Protection System
 
E mail protocol - SMTP
E mail protocol - SMTPE mail protocol - SMTP
E mail protocol - SMTP
 
Email
EmailEmail
Email
 
Email
EmailEmail
Email
 
Spam and Anti-spam - Sudipta Bhattacharya
Spam and Anti-spam - Sudipta BhattacharyaSpam and Anti-spam - Sudipta Bhattacharya
Spam and Anti-spam - Sudipta Bhattacharya
 
SMTP and TCP protocol
SMTP and TCP protocolSMTP and TCP protocol
SMTP and TCP protocol
 
Hacking
HackingHacking
Hacking
 
2.communcation in distributed system
2.communcation in distributed system2.communcation in distributed system
2.communcation in distributed system
 
Article on SMPT
Article on SMPTArticle on SMPT
Article on SMPT
 
Mail services and mail commands in linux
Mail services and mail commands in linuxMail services and mail commands in linux
Mail services and mail commands in linux
 
Detecting Spambot as an Antispam Technique for Web Internet BBS
Detecting Spambot as an Antispam Technique for Web Internet BBSDetecting Spambot as an Antispam Technique for Web Internet BBS
Detecting Spambot as an Antispam Technique for Web Internet BBS
 
Spamming and Spam Filtering
Spamming and Spam FilteringSpamming and Spam Filtering
Spamming and Spam Filtering
 
Email ftp
Email ftpEmail ftp
Email ftp
 
Spam and Anti Spam Techniques
Spam and Anti Spam TechniquesSpam and Anti Spam Techniques
Spam and Anti Spam Techniques
 
internet applications
internet applicationsinternet applications
internet applications
 
10135 a 05
10135 a 0510135 a 05
10135 a 05
 
Collateral Damage: Consequences of Spam and Virus Filtering for the E-Mail S...
Collateral Damage:
Consequences of Spam and Virus Filtering for the E-Mail S...Collateral Damage:
Consequences of Spam and Virus Filtering for the E-Mail S...
Collateral Damage: Consequences of Spam and Virus Filtering for the E-Mail S...
 
Electronic Mail
Electronic MailElectronic Mail
Electronic Mail
 
Lecture 9 electronic_mail_representation_and_transfer
Lecture 9 electronic_mail_representation_and_transferLecture 9 electronic_mail_representation_and_transfer
Lecture 9 electronic_mail_representation_and_transfer
 

Recently uploaded

➥🔝 7737669865 🔝▻ Vijayawada Call-girls in Women Seeking Men 🔝Vijayawada🔝 E...
➥🔝 7737669865 🔝▻ Vijayawada Call-girls in Women Seeking Men  🔝Vijayawada🔝   E...➥🔝 7737669865 🔝▻ Vijayawada Call-girls in Women Seeking Men  🔝Vijayawada🔝   E...
➥🔝 7737669865 🔝▻ Vijayawada Call-girls in Women Seeking Men 🔝Vijayawada🔝 E...
amitlee9823
 
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
tufbav
 
Abort pregnancy in research centre+966_505195917 abortion pills in Kuwait cyt...
Abort pregnancy in research centre+966_505195917 abortion pills in Kuwait cyt...Abort pregnancy in research centre+966_505195917 abortion pills in Kuwait cyt...
Abort pregnancy in research centre+966_505195917 abortion pills in Kuwait cyt...
drmarathore
 
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
tufbav
 
Abortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get CytotecAbortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Bommasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Bommasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Bommasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Bommasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
amitlee9823
 
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
gajnagarg
 
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
ehyxf
 
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
amitlee9823
 
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
amitlee9823
 
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
amitlee9823
 
Call Girls Chickpet ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Call Girls Chickpet ☎ 7737669865☎ Book Your One night Stand (Bangalore)Call Girls Chickpet ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Call Girls Chickpet ☎ 7737669865☎ Book Your One night Stand (Bangalore)
amitlee9823
 

Recently uploaded (20)

SM-N975F esquematico completo - reparación.pdf
SM-N975F esquematico completo - reparación.pdfSM-N975F esquematico completo - reparación.pdf
SM-N975F esquematico completo - reparación.pdf
 
➥🔝 7737669865 🔝▻ Vijayawada Call-girls in Women Seeking Men 🔝Vijayawada🔝 E...
➥🔝 7737669865 🔝▻ Vijayawada Call-girls in Women Seeking Men  🔝Vijayawada🔝   E...➥🔝 7737669865 🔝▻ Vijayawada Call-girls in Women Seeking Men  🔝Vijayawada🔝   E...
➥🔝 7737669865 🔝▻ Vijayawada Call-girls in Women Seeking Men 🔝Vijayawada🔝 E...
 
Top Rated Pune Call Girls Shirwal ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...
Top Rated  Pune Call Girls Shirwal ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...Top Rated  Pune Call Girls Shirwal ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...
Top Rated Pune Call Girls Shirwal ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...
 
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
 
Abort pregnancy in research centre+966_505195917 abortion pills in Kuwait cyt...
Abort pregnancy in research centre+966_505195917 abortion pills in Kuwait cyt...Abort pregnancy in research centre+966_505195917 abortion pills in Kuwait cyt...
Abort pregnancy in research centre+966_505195917 abortion pills in Kuwait cyt...
 
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated  Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated  Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
 
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
 
Abortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get CytotecAbortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get Cytotec
 
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
 
VVIP Pune Call Girls Gahunje WhatSapp Number 8005736733 With Elite Staff And ...
VVIP Pune Call Girls Gahunje WhatSapp Number 8005736733 With Elite Staff And ...VVIP Pune Call Girls Gahunje WhatSapp Number 8005736733 With Elite Staff And ...
VVIP Pune Call Girls Gahunje WhatSapp Number 8005736733 With Elite Staff And ...
 
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
 
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun  6297143586 High Profiles young Beautie...Shikrapur Call Girls Most Awaited Fun  6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
 
Bommasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Bommasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Bommasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Bommasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
 
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
 
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
 
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
 
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
 
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
 
Call Girls Chickpet ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Call Girls Chickpet ☎ 7737669865☎ Book Your One night Stand (Bangalore)Call Girls Chickpet ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Call Girls Chickpet ☎ 7737669865☎ Book Your One night Stand (Bangalore)
 

spam.ppt

  • 1. CAP6135: Malware and Software Vulnerability Analysis Spam and Phishing Cliff Zou Spring 2012
  • 2. 2 Acknowledgement  This lecture uses some contents from the lecture notes from:  Dr. Dan Boneh (Stanford): CS155:Computer and Network Security  Jim Kurose, Keith Ross. Computer Networking: A Top Down Approach Featuring the Internet, 5th edition.
  • 3. 3 Electronic Mail Three major components:  user agents  mail servers  simple mail transfer protocol: SMTP User Agent  a.k.a. “mail reader”  composing, editing, reading mail messages  e.g., Eudora, Outlook, elm, Netscape Messenger  outgoing, incoming messages stored on server user mailbox outgoing message queue mail server user agent user agent user agent mail server user agent user agent mail server user agent SMTP SMTP SMTP
  • 4. 4 How email works: SMTP (RFC 821, 1982)  Some SMTP Commands: MAIL FROM: <reverse-path> RCPT TO: <forward-path> RCPT TO: <forward-path> If unknown recipient: response “550 Failure reply” DATA email headers and contents  Use TCP port 25 for connections . Repeated for each recipient
  • 5. 5 Sample fake email sending S: 220 longwood.cs.ucf.edu C: HELO fake.domain S: 250 Hello crepes.fr, pleased to meet you C: MAIL FROM: <alice@crepes.fr> S: 250 alice@crepes.fr... Sender ok C: RCPT TO: <czou@cs.ucf.edu> S: 250 czou@cs.ucf.edu ... Recipient ok C: DATA S: 354 Enter mail, end with "." on a line by itself C: from: “fake man” <fake@fake.fake.fake> C: to: “dr. who” <who@who> C: subject: who am I? C: Do you like ketchup? C: How about pickles? C: . S: 250 Message accepted for delivery C: QUIT S: 221 longwood.cs.ucf.edu closing connection
  • 6. 6 Try SMTP interaction for yourself:  telnet servername 25  see 220 reply from server  enter HELO, MAIL FROM, RCPT TO, DATA, QUIT commands  “mail from:” the domain may need to be existed  “rcpt to:” the user needs to be existed  A mail server may or may not support “relay”  CS email server supports relay for campus network  “from:” “to:” “subject:” are what shown in normal email display
  • 7. Using Telnet  On department eustics Linux machine:  telnet longwood.cs.ucf.edu 25  In telnet interaction, “backspace” is not supported. You can type “ctrl+backspace” to erase previous two characters  On Windows 7 machine:  Telnet is not installed by default, check this tutorial for install:  http://technet.microsoft.com/en- us/library/cc771275%28v=ws.10%29.aspx 7
  • 8.  Outside campus network, department email server does not accept:  You need to first setup VPN to campus network, then use telnet  How to set up VPN:  https://publishing.ucf.edu/sites/itr/cst/Pages/VpnHelp.aspx 8
  • 9. 9 Email in the early 1980’s Network 1 Network 2 Network 3 Mail relay Mail relay sender recipient • Mail Relay: forwards mail to next hop. • Sender path includes path through relays.
  • 10. Why Email Server Support Relay?  Wiki tutorial:  http://en.wikipedia.org/wiki/Open_mail_relay  Old days network constraint makes it necessary  Email agent uses SMTP to send email on behalf of a user  The user could choose which email address to use as the sender  Email server supports email group list:  The “sender” shown in email is the group list address, but the real sender is a different person  Closing Relay:  Messages from local IP addresses to local mailboxes  Messages from local IP addresses to non-local mailboxes  Messages from non-local IP addresses to local mailboxes  Messages from clients that are authenticated and authorized 10
  • 11. 11 Spoofed email  SMTP: designed for a trusting world …  Data in MAIL FROM totally under control of sender  … an old example of improper input validation  Recipient’s mail server:  Only sees IP address of direct peer  Recorded in the first From header
  • 12. 12 The received header  Sending spoofed mail to myself: From someone@somewhere.com (172.24.64.20) ... Received: from cs-smtp-1.stanford.edu Received: from smtp3.stanford.edu Received: from cipher.Stanford.EDU  Received header inserted by relays --- untrustworthy  From header inserted by recipient mail server From relays
  • 13. 13 Spam Blacklists  RBL: Realtime Blackhole Lists  Includes servers or ISPs that generate lots of spam  spamhaus.org , spamcop.net  Effectiveness (stats from spamhaus.org):  RBL can stop about 15-25% of incoming spam at SMTP connection time,  Over 90% of spam with message body URI checks  Spammer goal:  Evade blacklists by hiding its source IP address.
  • 15. 15 Open relays  SMTP Relay forwards mail to destination 1. Bulk email tool connects via SMTP (port 25) 2. Sends list of recipients (via RCPT TO command) 3. Sends email body --- once for all recipients 4. Relay delivers message  Honest relay:  Adds Received header revealing source IP  Hacked relay does not
  • 16. 16 Example: bobax worm  Infects machines with high bandwidth  Exploits MS LSASS.exe buffer overflow vulnerability  Slow spreading:  Spreads on manual command from operator  Then randomly scans for vulnerable machines  On infected machine: (spam zombie)  Installs hacked open mail relay. Used for spam.  Once spam zombie added to RBL:  Worm spreads to other machines
  • 17. 17 Open HTTP proxies  Web cache (HTTP/HTTPS proxy) -- e.g. squid  To spam: CONNECT SpamRecipient-IP 25 SMTP Commands Squid becomes a mail relay … Squid Web Cache CONNECT xyz.com 443 ClientHello Web Server xyz.com URL: HTTPS://xyz.com ClientHello ServerHello ServerHello
  • 18. 18 Finding proxies  Squid manual: (squid.conf) acl Safe_ports port 80 443 http_access deny !Safe_ports  URLs for other ports will be denied  Similar problem with SOCKS proxies  Some open proxy and open relay listing services:  http://www.multiproxy.org/ http://www.stayinvisible.com/ http://www.blackcode.com/proxy/ http://www.openproxies.com/ (20$/month)
  • 19. 19 Open Relays vs. Open Proxies  HTTP proxy design problem:  Port 25 should have been blocked by default  Otherwise, violates principal of least privilege  Relay vs. proxy:  Relay takes list of address and send msg to all  Proxy: spammer must send msg body to each recipient through proxy.  zombies typically provide hacked mail relays.
  • 20. 20 Thin pipe / Thick pipe method  Spam source has  High Speed Broadband connection (HSB)  Controls a Low Speed Zombie (LSZ)  Assumes no egress filtering at HSB’s ISP  Hides IP address of HSB. LSZ is blacklisted. Target SMTP Server HSB LSZ TCP handshake TCP Seq #s SMTP bulk mail (Source IP = LSZ)
  • 21. 21 Bulk email tools (spamware)  Automate:  Message personalization  Also test against spam filters (e.g. spamassassin)  Mailing list and proxy list management
  • 24. 24 The law: CAN-SPAM act (Jan. 2004)  Bans false or misleading header information  To: and From: headers must be accurate  Prohibits deceptive subject lines  Requires an opt-out method  Requires that email be identified as advertisement  ... and include sender's physical postal address  Also prohibits various forms of email harvesting and the use of proxies
  • 25. 25 Effectiveness of CAN-SPAM  Enforced by the FTC:  FTC spam archive spam@uce.gov  Penalties: 11K per act  Dec ’05 FTC report on effectiveness of CAN-SPAM:  50 cases in the US pursued by the FTC  No impact on spam originating outside the US  Open relays hosted on bot-nets make it difficult to collect evidence http://www.ftc.gov/spam/
  • 26. 26 Sender verification I: SPF (sender policy framework)  Goal: prevent spoof email claiming to be from HotMail  Why? Bounce messages flood HotMail system DNS hotmail.com: SPF record: 64.4.33.7 64.4.33.8 Recipient Mail Server (MUA) Sender MAIL FROM xyz@hotmail.com hotmail.com 64.4.33.7 64.4.33.8 Is SenderIP in list? More precisely: hotmail.com TXT v=spf1 a:mailers.hotmail.com -all
27
Sender verification II: DKIM
 DomainKeys Identified Mail (DKIM)
 Same goal as SPF; harder to spoof, because it binds the message content rather than the sending IP.
 Basic idea:
   Sender's MTA signs the email, including the body and selected header fields
   Receiver's mail server (or MUA) checks the signature and rejects the email if it is invalid
   Sender's public key is published in DNS, under the subdomain _domainkey.hotmail.com (one record per selector: selector._domainkey.hotmail.com)
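The following added example (not the lecture's code) shows the mechanics of the signature: RFC 6376 "relaxed" canonicalization of headers and body, the `bh=` body hash, and the signature over the selected headers plus the DKIM-Signature header itself with `b=` emptied. One substitution is made so it runs with the standard library only: the signature is HMAC-SHA256 under a shared key looked up in a constructed `selector._domainkey.domain` table, standing in for RSA-SHA256 with a public key fetched from DNS. Everything else, including why a changed body or a changed From: line fails, is the real DKIM logic.

```python
"""DKIM-style sign/verify (added example). HMAC stands in for RSA; key table is constructed."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the DNS key record selector._domainkey.domain (assumption).
KEYS = {"s1._domainkey.hotmail.com": b"constructed-shared-secret"}


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse runs of WSP, strip, one CRLF."""
    v = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)
    v = re.sub(r"[ \t]+", " ", v).strip()
    return f"{name.lower()}:{v}\r\n"


def relaxed_body(body):
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def _header_value(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def _signature_input(headers, signed_names, dkim_value):
    """Canonical signed headers, then the DKIM-Signature header with b= emptied (no final CRLF)."""
    data = ""
    for n in signed_names:
        v = _header_value(headers, n)
        if v is not None:
            data += relaxed_header(n, v)
    stripped = re.sub(r"(;\s*|^)b=[^;]*", r"\1b=", dkim_value)
    data += relaxed_header("DKIM-Signature", stripped).rstrip("\r\n")
    return data.encode()


def sign(headers, body, domain, selector, signed_names=("from", "to", "subject")):
    """Sender's MTA: return the DKIM-Signature header value. headers is a list of (name, value)."""
    unsigned = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
                f"h={':'.join(signed_names)}; bh={body_hash(body)}; b=")
    key = KEYS[f"{selector}._domainkey.{domain}"]
    sig = hmac.new(key, _signature_input(headers, signed_names, unsigned), hashlib.sha256).digest()
    return unsigned + base64.b64encode(sig).decode()


def verify(headers, body):
    """Receiver: 'pass', 'fail' or 'none' (no DKIM-Signature header present)."""
    dkim = _header_value(headers, "DKIM-Signature")
    if dkim is None:
        return "none"
    tags = dict(t.strip().split("=", 1) for t in dkim.split(";") if "=" in t)
    try:
        key = KEYS.get(f"{tags['s']}._domainkey.{tags['d']}")
        signed_names = tags["h"].split(":")
        claimed = base64.b64decode(tags["b"])
    except (KeyError, ValueError):
        return "fail"                                   # malformed header
    if key is None or tags.get("bh") != body_hash(body):
        return "fail"                                   # no key published, or body altered
    others = [(n, v) for n, v in headers if n.lower() != "dkim-signature"]
    expected = hmac.new(key, _signature_input(others, signed_names, dkim), hashlib.sha256).digest()
    return "pass" if hmac.compare_digest(expected, claimed) else "fail"
```

The `h=` list matters: a header that is not listed (here, for instance, Reply-To) can be added or changed without breaking the signature, which is why deployments sign From:, To:, Subject:, Date: and, in real DKIM, oversign them so that a second copy cannot be appended.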
28
Graylists (greylisting)
 Recipient's mail server records triples:
   (sender email, recipient email, peer IP)
 Mail server maintains a DB of triples
 First time a triple is seen (not in the DB):
   Mail server sends a 421 reply ("I am busy", a temporary failure)
   Records the triple in the DB
 Second time (after 5 minutes): allow the email to pass
 Triples are kept for 3 days (configurable)
 Why it works: a legitimate MTA queues the message and retries later; most spamware never retries.
 Easy to defeat (just retry), but currently works well.
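As an added example (not the lecture's code), here is the decision logic with the slide's numbers: the triple is the key, the first contact gets a temporary failure, a retry after 5 minutes passes, and entries expire after 3 days. Time is passed in as a parameter so that the retry and expiry behaviour can be exercised offline; the two simulated clients at the end are constructed to show the difference between an MTA that retries and a one-shot spam sender.

```python
"""Greylisting decision logic (added example; parameters are the slide's defaults)."""

MIN_DELAY = 5 * 60            # seconds before a retry is accepted
RETENTION = 3 * 24 * 3600     # seconds a triple is remembered


class Greylist:
    def __init__(self, min_delay=MIN_DELAY, retention=RETENTION):
        self.min_delay = min_delay
        self.retention = retention
        self.db = {}          # (sender, recipient, peer_ip) -> timestamp of first contact

    def expire(self, now):
        for key, first_seen in list(self.db.items()):
            if now - first_seen > self.retention:
                del self.db[key]

    def decide(self, sender, recipient, peer_ip, now):
        """SMTP reply (code, text) to give at RCPT TO time for this triple."""
        self.expire(now)
        key = (sender.lower(), recipient.lower(), peer_ip)
        first_seen = self.db.get(key)
        if first_seen is None:
            self.db[key] = now
            # The slide uses 421; many deployments answer 450 instead so the client keeps the
            # session open. Either is a 4xx temporary failure that a real MTA will retry.
            return 421, "4.7.1 Greylisted, I am busy, try again later"
        if now - first_seen < self.min_delay:
            return 421, "4.7.1 Greylisted, retry too soon"
        return 250, "OK"      # same triple, retried after the delay: let it through


def attempt_delivery(grey, sender, recipient, peer_ip, attempt_times):
    """Simulate one client trying at the given timestamps; True if it is ever accepted."""
    return any(grey.decide(sender, recipient, peer_ip, t)[0] == 250 for t in attempt_times)


def demo():
    """Constructed comparison: a retrying MTA versus a fire-and-forget spam tool."""
    grey = Greylist()
    mta = attempt_delivery(grey, "alice@crepes.fr", "czou@cs.ucf.edu", "192.0.2.10", [0, 900, 4500])
    spamware = attempt_delivery(grey, "fake@fake.fake.fake", "czou@cs.ucf.edu", "203.0.113.7", [0])
    return mta, spamware
```

The obvious bypass is exactly what the slide says: a spam tool that keeps a queue and retries after the delay gets through. Greylisting buys time rather than certainty, and its real cost is the delay imposed on first contact from every legitimate sender.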
29
Puzzles and CAPTCHA
 General DDoS defense techniques, applied to spam
 Puzzles: slow down the spam server
   Every email contains the solution to a puzzle whose challenge = (sender, recipient, time)
   Solving costs the sender CPU time per message; checking costs the recipient almost nothing
 CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
   Every email contains a token
   Sender obtains tokens from a CAPTCHA server, say 100 tokens per solved CAPTCHA
   CAPTCHA server ensures tokens are not reused
 Either method is difficult to deploy.
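An added example (not the lecture's code) of the puzzle variant: the challenge is the slide's (sender, recipient, time), the sender brute-forces a nonce until the SHA-256 of challenge and nonce has a required number of leading zero bits, and the recipient checks it with one hash. The difficulty, the one-hour freshness window and the stamp format are assumptions for the example. The verifier also does the two checks that make such a stamp useful: it is bound to this sender and recipient, and it cannot be replayed.

```python
"""Client puzzle / proof-of-work stamp for outgoing mail (added example)."""
import hashlib

DIFFICULTY_BITS = 16     # about 65k hash attempts per message on average (assumption)
MAX_AGE = 3600           # reject stamps more than an hour old (assumption)


def _digest(sender, recipient, ts, nonce):
    return hashlib.sha256(f"{sender}|{recipient}|{ts}|{nonce}".encode()).digest()


def _leading_zero_bits(digest):
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def solve(sender, recipient, ts, bits=DIFFICULTY_BITS):
    """Sender side: search for a nonce; cost grows as 2**bits. Returns the stamp string.
    Fields are ':'-separated, so addresses containing ':' would need escaping."""
    nonce = 0
    while _leading_zero_bits(_digest(sender, recipient, ts, nonce)) < bits:
        nonce += 1
    return f"{bits}:{ts}:{sender}:{recipient}:{nonce}"


def verify(stamp, sender, recipient, now, min_bits=DIFFICULTY_BITS, seen=None):
    """Recipient side: parse, bind to this message, check freshness and replay, then one hash."""
    try:
        bits, ts, s, r, nonce = stamp.split(":")
        bits, ts, nonce = int(bits), int(ts), int(nonce)
    except ValueError:
        return False
    if (s, r) != (sender, recipient) or bits < min_bits:
        return False                         # stamp for a different message, or too cheap
    if not 0 <= now - ts <= MAX_AGE:
        return False                         # stale or future-dated
    if seen is not None:
        if stamp in seen:
            return False                     # already spent
        seen.add(stamp)
    return _leading_zero_bits(_digest(s, r, ts, nonce)) >= bits
```

Binding the stamp to the recipient is what makes bulk mail expensive: a spammer must solve one puzzle per recipient rather than once per campaign. The deployment problem the slide mentions is visible too: every legitimate sender has to pay the same cost, and a fixed difficulty is either too cheap for a botnet or too slow for a phone.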
30
SpamAssassin
 Wiki tutorial: http://en.wikipedia.org/wiki/SpamAssassin
 Mainly a rule-based spam filter
   Many rules give scores for all fields of an email: headers, special keywords in the body, URLs, images, ...
   Final decision: the combined score is compared with a threshold
 Has false positives (normal mail treated as spam) and false negatives (spam treated as normal)
   False positives are very damaging: nobody wants to lose an important email!
 Also contains Bayesian filtering that matches a user's statistical profile
   Needs known "ham" and "spam" email samples for training
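The added example below (not SpamAssassin's code) shows the shape of that combination: a handful of hand-written rules, each with a fixed score, plus a small naive-Bayes model trained on constructed ham and spam samples whose output is mapped to a BAYES_* bucket score, with the sum compared against 5.0 (SpamAssassin's default threshold). The rule names, scores, buckets and training corpus are all made up for the example; only the structure mirrors the real filter.

```python
"""SpamAssassin-style rule + Bayes scoring (added example; rules and corpus are constructed)."""
import math
import re
from collections import Counter

THRESHOLD = 5.0   # SpamAssassin's default required_score

RULES = [  # (name, score, predicate over the parsed message)
    ("MISSING_DATE",   1.0, lambda m: "date" not in m["headers"]),
    ("FROM_NO_DOMAIN", 1.5, lambda m: "@" not in m["headers"].get("from", "")),
    ("SUBJ_ALL_CAPS",  1.2, lambda m: m["headers"].get("subject", "").isupper()),
    ("URL_IP_ADDRESS", 2.5, lambda m: re.search(r"https?://\d+\.\d+\.\d+\.\d+", m["body"]) is not None),
    ("MONEY_PHRASE",   1.0, lambda m: re.search(r"\b(free money|you have won|wire transfer)\b",
                                                m["body"], re.I) is not None),
]


def parse(raw):
    """Split a raw message into lowercase-keyed headers and the body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"headers": headers, "body": body}


def tokens(text):
    return set(re.findall(r"[a-z$]{3,}", text.lower()))


class Bayes:
    """Naive Bayes over word presence with Laplace smoothing (the per-user statistical profile)."""
    def __init__(self):
        self.ham, self.spam = Counter(), Counter()
        self.n_ham = self.n_spam = 0

    def train(self, text, is_spam):
        (self.spam if is_spam else self.ham).update(tokens(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def p_spam(self, text):
        lo = math.log((self.n_spam + 1) / (self.n_ham + 1))          # prior log-odds
        for t in tokens(text):
            lo += math.log((self.spam[t] + 1) / (self.n_spam + 2))
            lo -= math.log((self.ham[t] + 1) / (self.n_ham + 2))
        return 1 / (1 + math.exp(-lo))


def bayes_rule(p):
    """Map the probability to a bucket score the way BAYES_00 .. BAYES_99 do (values assumed)."""
    if p >= 0.99:
        return ("BAYES_99", 3.5)
    if p >= 0.80:
        return ("BAYES_80", 2.0)
    if p <= 0.01:
        return ("BAYES_00", -1.9)
    if p <= 0.05:
        return ("BAYES_05", -0.5)
    return ("BAYES_50", 0.0)


def score(raw, bayes=None):
    """Return (total score, list of (rule, score) hits, is_spam)."""
    msg = parse(raw)
    hits = [(name, s) for name, s, pred in RULES if pred(msg)]
    if bayes is not None:
        hits.append(bayes_rule(bayes.p_spam(msg["body"])))
    total = round(sum(s for _, s in hits), 1)
    return total, hits, total >= THRESHOLD


# Constructed training corpus standing in for a user's labelled mail.
SPAM_SAMPLES = [
    "You have won free money, click http://198.51.100.7/claim now",
    "Wire transfer of free money waiting, claim your prize now",
    "Cheap meds and free money, click now",
]
HAM_SAMPLES = [
    "Lecture notes for the spam and phishing class are posted",
    "Can we meet tomorrow to discuss the project report",
    "Do you like ketchup? How about pickles?",
]


def train_demo():
    b = Bayes()
    for t in SPAM_SAMPLES:
        b.train(t, True)
    for t in HAM_SAMPLES:
        b.train(t, False)
    return b
```

Two things to notice when tuning such a filter. Every rule score is a bet on the false-positive cost the slide warns about, which is why real rules carry small positive scores and the threshold is reached only by accumulation. And the Bayes component is only as good as the training set: with six samples it is confident about words it has seen and says nothing about the rest, so it must never be the only component.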
32
[Chart: phishing statistics, Oct. 2004 to July 2005, source: APWG]
34
[Screenshot of a phishing site] Note: no SSL. Typically short-lived sites.
35
Common Phishing Methods
 Phishing sites are often hosted on bot-net drones, moving from bot to bot using dynamic DNS.
 Use domain names that embed the victim's name, such as www.ebay.com.badguy.com (the registered domain is badguy.com, not ebay.com)
 Use URLs with multiple redirections through the real site, e.g. http://www.chase.com/url.php?url="http://www.phish.com" (the legitimate host name is what the user sees)
 Use randomized links, a different path per message: http://www.some-poor-sap.com/823548jd/
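The tricks above are what a URL-based check has to recognize, and each one is detectable once the registrable domain is separated from the rest of the host name. The added example below (not the lecture's code and not any toolbar's) implements that: a tiny public-suffix table and brand list are constructed assumptions, and a real checker would use the full Public Suffix List, a proper allow-list and reputation data. It reports brand names in a subdomain of someone else's domain, query parameters carrying an off-site URL, raw IP hosts, and random-looking path segments.

```python
"""URL heuristics for the phishing patterns on the slide (added example; tables are constructed)."""
import math
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

BRANDS = {"ebay.com", "chase.com", "paypal.com", "hotmail.com"}   # assumption: sites we protect
SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}                # assumption: tiny suffix list


def registrable_domain(host):
    """eTLD+1 under the tiny suffix table: www.ebay.com.badguy.com -> badguy.com."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                                   # longest suffix first
        if ".".join(labels[-n:]) in SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def _entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def analyze(url):
    """Return a list of (finding, detail); an empty list means nothing suspicious was seen."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    # 1. A protected brand appears as a label sequence in the host, but the registrable
    #    domain belongs to someone else (www.ebay.com.badguy.com).
    for brand in sorted(BRANDS):
        if f".{brand}." in f".{host}." and reg != brand:
            findings.append(("brand_in_subdomain", f"looks like {brand}, registered domain is {reg}"))
    # 2. A query parameter that carries an absolute URL pointing off-site (open redirect).
    for key, values in parse_qs(u.query).items():
        for v in values:
            v = unquote(v).strip("\"'")
            if re.match(r"https?://", v):
                target = registrable_domain(urlsplit(v).hostname or "")
                if target != reg:
                    findings.append(("redirect_offsite", f"{key}= redirects to {target}"))
    # 3. Raw IP address as host: no domain to build reputation on.
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        findings.append(("ip_literal_host", host))
    # 4. High-entropy mixed digit/letter path segment: a per-message randomized link.
    for seg in u.path.split("/"):
        if (len(seg) >= 8 and re.search(r"\d", seg) and re.search(r"[a-z]", seg, re.I)
                and _entropy(seg) > 2.5):
            findings.append(("random_path", seg))
    return findings
```

The brand check deliberately matches whole labels rather than substrings, so purchase.com does not trip the chase.com rule; the cost is that look-alike spellings (ebay-secure.com, paypa1.com) are out of scope for this heuristic and need a separate edit-distance or homoglyph check.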
36
Industry Response
 Anti-phishing toolbars: Netcraft, eBay, Google, IE7
 IE7 phishing filter:
   Whitelisted sites are not checked
   Other sites: the (stripped) URL is sent to a Microsoft server
   Server responds with "OK" or "phishing"
37
Pharming
 Cause DNS to resolve the victim's name to the phishing site
 Examples:
   1. DNS cache poisoning
   2. Write an entry into the machine's /etc/hosts file: "Phisher-IP Victim-Name"
 The URL of the phishing site is then identical to the victim's URL ...
   ... so it bypasses all URL-based checks (toolbars, blacklists); only the resolved address is wrong
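Because the URL gives nothing away, the hosts-file variant has to be caught on the host itself. Here is an added example (not the lecture's code) of that check: it parses text in /etc/hosts format, skips comments and malformed lines, and reports any monitored name that is mapped to a non-loopback address other than the one expected. The expected-address table and the sample hosts file are constructed; the addresses come from the documentation ranges and stand for whatever your own resolver or a pinned list would say.

```python
"""Detect hosts-file pharming entries (added example; expected addresses are placeholders)."""
import ipaddress

# Assumption: addresses the monitored names should resolve to (placeholders, not real).
EXPECTED = {
    "www.chase.com": {"192.0.2.10"},
    "chase.com": {"192.0.2.10"},
}

# Constructed sample in /etc/hosts format, with one injected pharming line.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# added by "security update"
203.0.113.66  www.chase.com chase.com
192.0.2.10    www.chase.com   # legitimate pin
this is not a hosts line
"""


def parse_hosts(text):
    """Yield (ip_address, lowercase name) for every name on every valid line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line: not a hosts entry
        for name in parts[1:]:
            yield ip, name.lower()


def pharming_entries(text, expected=EXPECTED):
    """Return [(name, ip)] for monitored names pointed at an unexpected, non-loopback address.
    Loopback mappings are left alone: they are the common way of blocking a site, not hijacking it."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in expected and not ip.is_loopback and str(ip) not in expected[name]:
            hits.append((name, str(ip)))
    return hits
```

On Windows the same file lives at %SystemRoot%\System32\drivers\etc\hosts, and malware that writes it usually also sets the file read-only or hidden, so a monitoring job should read the file directly rather than trusting a directory listing. This check does nothing against the cache-poisoning variant, which needs DNSSEC or a validating resolver.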
38
Response: High assurance certs
 More careful validation of certificate issuance
 On the browser (IE7): the address bar indicates a high-assurance certificate (screenshot)
 ... but most phishing sites do not use HTTPS at all, so the user has to notice a missing cue rather than a wrong one
39
Other industry responses: BofA / PassMark, ING bank login
 [Screenshots of the BofA / PassMark and ING login pages]
42
T.G.s: The next phishing wave
 Transaction-generation malware:
   Waits for the user to log in to banking sites
   Issues money-transfer requests on behalf of the user, inside the already authenticated session
 Reported malware in the UK targeting all four major banks.
 Note: these are social-engineering attacks on the user, not just a Windows problem.
43
Some ID Protection Tools
 SpoofGuard (NDSS '04):
   Alerts the user when viewing a spoofed web page
   Uses a variety of heuristics to identify spoof pages
   Some SpoofGuard heuristics are used in the eBay toolbar and Earthlink ScamBlocker
 PwdHash (Usenix Security '05):
   Browser extension for strengthening password-based web authentication
   Being integrated with RSA SecurID
44
Password Hashing (pwdhash.com)
 Generate a unique password per site from one master password:
   HMAC_{fido:123}(banka.com) → Q7a+0ekEXb
   HMAC_{fido:123}(siteb.com) → OzX2+ICiqc
 The hashed password is not usable at any other site: Bank A only ever sees pwdA, Site B only sees pwdB, and pwdA ≠ pwdB.
45
Our New Proposed Approach: PwdIP-Hash
 Problem with PwdHash: it cannot deal with a phishing attack in which the attacker's page carries the victim's domain name (pharming, slide 37); a hash keyed only on the domain then yields the real per-site password
 Basic idea: the user's password is first hashed with the remote server's IP address + domain name, then transmitted to the remote server
 Reason: a remote server cannot lie about its IP address; the TCP connection has already been set up, so spoofing it is very hard
 Result: the remote server receives a hashed password
   The real server has the plain password and can verify it
   The phishing server cannot use the hashed password to log in (it was keyed to a different IP)
 See our prototype at: http://www.cs.ucf.edu/~czou/PwdIP-Hash/
 Paper published at IEEE NCA 2010.
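To show the difference between the two slides in running code, here is an added example covering both PwdHash (slide 44) and PwdIP-Hash (slide 45). It is not the pwdhash.com extension's code nor the PwdIP-Hash prototype: pwdhash.com uses its own hash and an encoding chosen to satisfy site password rules, whereas this example uses HMAC-SHA256 truncated to 10 base64 characters to stand in for the slide's HMAC_{pwd}(domain) with its 10-character outputs. The server model, the constructed addresses and the two attack scenarios (a look-alike domain, and pharming where the domain name is genuine but the TCP peer is not) are assumptions for the example.

```python
"""PwdHash and PwdIP-Hash derivations with a toy server (added example; not the real tools)."""
import base64
import hashlib
import hmac

OUT_LEN = 10   # the slide's outputs are 10 characters long


def _tag(master, msg):
    mac = hmac.new(master.encode(), msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:OUT_LEN]


def pwdhash(master, domain):
    """PwdHash: HMAC_master(domain). The site stores and checks only this value."""
    return _tag(master, domain.lower())


def pwdip_hash(master, domain, server_ip):
    """PwdIP-Hash: key the derivation to the IP the browser is actually connected to as well."""
    return _tag(master, f"{server_ip}|{domain.lower()}")


def pwdhash_derive(master, domain, server_ip):
    """Adapter so both schemes share the same (master, domain, ip) call shape; PwdHash ignores ip."""
    return pwdhash(master, domain)


class Site:
    """Server side: remembers the derived value from enrollment and verifies a login attempt."""
    def __init__(self, domain, ip, derive):
        self.domain, self.ip, self.derive, self.accounts = domain, ip, derive, {}

    def enroll(self, user, master):
        # The browser derives; the server only ever receives the derived value.
        self.accounts[user] = self.derive(master, self.domain, self.ip)

    def login(self, user, submitted):
        return hmac.compare_digest(self.accounts.get(user, ""), submitted)


def browser_submit(master, url_domain, connected_ip, derive):
    """What the extension sends: derived from the domain in the URL bar and the TCP peer's IP."""
    return derive(master, url_domain, connected_ip)


def genuine_login(derive, master="fido:123"):
    bank = Site("banka.com", "192.0.2.10", derive)            # constructed address
    bank.enroll("alice", master)
    return bank.login("alice", browser_submit(master, bank.domain, bank.ip, derive))


def phishing_scenario(derive, master="fido:123"):
    """Look-alike domain on an attacker host. Returns True if what the attacker captured logs in."""
    bank = Site("banka.com", "192.0.2.10", derive)
    bank.enroll("alice", master)
    captured = browser_submit(master, "banka.com.badguy.com", "203.0.113.66", derive)
    return bank.login("alice", captured)


def pharming_scenario(derive, master="fido:123"):
    """Pharming: the URL still says banka.com, but the TCP connection goes to the attacker."""
    bank = Site("banka.com", "192.0.2.10", derive)
    bank.enroll("alice", master)
    captured = browser_submit(master, "banka.com", "203.0.113.66", derive)
    return bank.login("alice", captured)
```

The scenarios make the slide's claim testable: under a look-alike domain both schemes leak nothing usable, under pharming PwdHash hands the attacker the bank's real per-site password while PwdIP-Hash does not. The design also makes its assumption visible: the server needs a stable address that the browser can bind to, so a service behind several IPs or anycast would have to verify against each address it owns.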
46
Take home message
 Deployed insecure services (open proxies, open relays)
   are quickly exploited
   and cause trouble for everyone
 Current web user authentication is vulnerable to spoofing
   Users are easily fooled into entering their password in an insecure location