Re: Reliable Email

1
Re Reliable Email
2
Basic Terminology

• 50 (or 94) of mail is spam
• False Negatives (FN)
• Spam marked as legitimate email
• Annoying and/or offensive
• False Positives (FP)
• Legitimate email marked as spam
• Can lose important mail
• Email less reliable

3
Our anti-spam software deleted your report
because the flow chart was shaped sort of like a
Nigerian prince.
4
Spam Control

• Blacklists
• false positives, ad hoc, forgery
• Whitelists
• unknown senders must opt in, lose folk
• Learning/filters
• false positives, 1? !!

5
Re Goals

• send addresses cant be forged
• attestations cant be forged
• privacy when exchanging whitelists
• incremental deployability
• compatibility

6
A Typical Spam Defense System
7
Traditional Whitelist Systems
Alice
Bob
From Charlie

• Traditional WLs suffer from two problems
• Spammers can forge sender addresses

8
Traditional Whitelist Systems

• Whitelist
• Debby
• Tom

Use anti-forgery mechanism to handle (1), similar
to existing techniques.Handle (2) with social
networks
Alice
Bob
From Alice

• Traditional WLs suffer from two problems
• Spammers can forge sender addresses
• Whitelists dont help with strangers

9
Approach Use Social Networks
Bob (B)
Accept!
Attestation B?AA is a friend of BB trusts A
not to send him spam
trust
Alice (A)

• Bob whitelists people he trusts
• Bob signs attestation B?A
• No one can forge attestations from Bob
• Bob can share his attestations

10
Approach Use Social Networks
Bob (B)
Accept?
FoF trust relationship
trust
trust
Charlie (C)
Alice (A)

• What if sender recipient are not friends?
• Note that B?A and A?C
• B trusts C because he's a friend-of-friend (FoF)

11
Find FoFs Attestation Servers
Note no changes to SMTP, incremental deployment
Charlie (C)
Bob (B)
A?C
CharliesAttestationServer (AS)
Recipient (Bob) queries senders attestation
server for mutual friends
Sharing attestations revealsyour correspondents!
12
Privacy Goals
Charlie (C)
Bob (B)
X
X
X
Bs list of friends
Charlies AS
Cs list of friends
FoF Query
Debby

• Email recipients never reveal their friends
• Email senders only reveal specific friends
  queried for by recipients
• Only users who have actually received mail from
  the sender can query the sender for attestations

13
Cryptographic Private Matching
Sender (S)s AS
Recipient (R)
friends
friends
14
Restricting FoF Queries
Signed authentication token
Sender (S)
Recipient (R)

• Sender can use token to restrict FoF query
• Users have a public/secret key pair

15
Restricting FoF Queries
Sender (S)
Recipient (R)
SendersAttestationServer (AS)
FoF Query

• Sender can use token to restrict FoF query
• Users have a public/secret key pair
• Recipient can use token to detect forgery

16
Scenario 1 Valid Mail Rejected
Alice
Bob
mortgage...
MailServer
MailClient
SpamAssassin
17
Scenario 2 Direct Acceptance
Bob
Alice

• Bobs Friends
• Alice
• Tom

mortgage...
MailServer
MailClient
Hit!
auth.token
Re
AttestationServer
TokenOK
SpamAssassin
18
Scenario 3 FoF Acceptance
Bob
Charlie

• Bobs Friends
• Alice
• Tom

MailServer
MailClient
mortgage...
auth. token FoF query
Re
AttestationServer
No DirectHit
token OK E(?)E(Alice)
Mutual friendAlice

• Charlie is a friend of
• John
• Alice

SpamAssassin
19
Evaluation

• kills 87 of false positives in one test.

20
Distributed Quota Enforcement for Spam Control

• Pete

21
Using Quotas

• Quotas on the mails a sender can send
• Limit volume w/ semantic discrimination
• Spammers need a lot
• Implement w/ stamps

22
Quotas

• They dont do
• stamp allocation (people decide)
• policy-agnostic
• They do
• technical issues

23
Start

• Principles
• No false positives
• Separate allocation and enforcement
• policy vs implementation
• Scalable
• Enforcer not trusted

24
Enforcement

• Qpub globally known public key of quota
  allocator
• (Spriv,Spub) senders key pair
• what happens
• cert Spub, daily_qotaqpriv
• stamp cert, i, datepriv
• Receiver checks
• in quota
• authentic
• used before?

25
Enforcement, cont
enforcer
receiver

• info not leaked to enforcer

26
Enforcer

• Set
• stores at one of R interior nodes for key
• Test
• checks all possible locations
• Tradeoffs
• ignore failures during single day, because
  failures
• might cause reused stamp to look fresh (false
  neg), but
• do not cause fresh stamps to look used (false
  positives)
• failures can be byzantine

27
Scale

• Required machines
• 100B emails/day 65 smap ? 65B spams/day
• One disk 400 seeks/sec ? 35M seeks/day
• So, 2000 disks, 700 fast servers
• whole world!

.right..
28
Resource Attacks

• Internal (adversarial nodes in enforcer)
• Spurious PUTs and GETs to exhaust storage
• Defense nodes have PUT/GET quotas for each
  other
• External attacks (by adversarial receivers)
• Spurious TESTs and SETs waste enforcer resources
• Defense 1 profile-and-block
• Defense 2 make requests costs bandwidth
• assumes attackers bandwidth limited

29
Stolen Stamps

• Need to hack outbound mail server to steal
• this where stamps stored
• but this vulnerability is not introduced by DQE
• What about botted hosts?
• Use legit stamps of bot networks
• Even 100k hosts, w/ 100 stamps/day is small
  portion of daily mail

30
What if Portal Bad?

• Client can choose portal
• random choice likely to be good
• If much spam appears to have fresh stamps
• client can switch portals
• client can contact mult portals

31
Thinking

• Serious chicken-and-egg problem
• Re is incremental
• white lists intercept main flow
• DQE not incremental, but could be
• authentic stamped mail would avoid filter
• fewer false positives
• but most false positives from unknowns

32
What Do You Do?