Title: AntiSpam Understanding the good, the bad and the ugly
1AntiSpam Understanding the good, the bad and the
ugly
Confidential
2About Me
- Security and open source enthusiast.
- Have Worked on many enterprise security products.
- Have disclosed many security issues to
banks/organizations. - Speaker at security/open source conferences.
- Founder of NULL security community.
3Agenda
- What is Spam?
- Spam Side effects
- Difficult problem to solve
- Messaging Primer
- Getting inside a spammers mind
- Layered Security
- AntiSpam Technologies
- Exploiting the Loop Holes
4What is spam?
- No its not the Hormel product.
- No Standard definition.
- Differs on an individual basis.
- UBE, UCE.
- Ham Non Spam.
5Spam side effects
- Bandwidth overload.
- Storage overload.
- Loss of End user productivity.
6Difficult problem to solve
- Human Factor
- Dynamic nature
- Coming from valid but compromised source
- Best of buddies - Virus, worms, trojans and spams
i.e help each other in propagating
7Messaging Primer
- Sending emails
- SMTP- Simple Mail Transfer Protocol.
- MUA - Message User Agent (SMTP Clients
outlook). - MSA Message Submission Agent.
- MTA - Message Transfer Agent (SMTP
Servers(clients) sendmail). - MDA - Message Delivery Agent (SMTP
Server/Message Store). - Retrieving emails
- POP - Post Office Protocol.
- IMAP - Internet Message Access Protocol.
- Email format
- Envelope and message
- MIME Multipurpose Internet Mail Extensions
8Path of a Message
MUA
MSA/MTA
MTA/MDA
MTAs
Message Store
MUA
9Email Format Received Headers
- Received by w.w.w.w with SMTP id foobar Thu, 10
Jan 2008 040407 -0800 (PST) - Return-Path ltxxx_at_xxxxgt
- Received from xx.yy.com (xx.yy.com x.x.x.x) by
zz.xx.com with ESMTP id foobar1 Thu, 10 Jan 2008
040407 -0800 (PST) - Received-SPF pass (xyz.com domain of xxx_at_xxxx
designates x.x.x.x as permitted sender)
client-ipx.x.x.x - Received from zz.com (zz.com z.z.z.z) by
xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2
for ltyyy_at_yyyygt Thu, 10 Jan 2008 171611 0530 - Received .
- Received from aa.com (aa.com a.a.a.a) by
bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for
ltyyy_at_yyyygt Thu, 10 Jan 2008 114610 GMT
10Email Format Other headers
- To yyy_at_yyyy
- Cc xxx xxxx ltxxx_at_xxxxgt
- MIME-Version 1.0
- Subject email format - Attached jpeg image
- X-Mailer Lotus Notes Release X.Y.Z FOOO Jan 01,
1971 - Message-ID ltFOOBAR00000_at_xxxxgt
- From xxx xxxx ltxxx_at_xxxxgt
- Date Thu, 10 Jan 2008 171616 0530
- X-MIMETrack Serialize by Router on
fooo/oo/bar/barfoo (Release x.y.z Jan 01 1971)
at 01/10/2008 171618
11Email Format MIME contd. And email Body
- Content-Type multipart/mixed boundary"_mixed
0040CB5E652573CC_" - --_mixed 0040CB5E652573CC_
- Content-Type multipart/alternative
boundary"_alternative 0040CB60652573CC_ - --_alternative 0040CB60652573CC_
- Content-Type text/plain charset"US-ASCII"
- Hi,
- This is the email format with attached jpeg
image - --_alternative 0040CB60652573CC_
- Content-Type text/html charset"US-ASCII"
- ltbrgtltfont size2 face"sans-serif"gtHi,lt/fontgt
ltbrgt ltbrgtltfont size2 face"sans-serif"gtnbspThis
is the email format with attached jpeg
imagelt/fontgt - --_alternative 0040CB60652573CC_--
- --_mixed 0040CB5E652573CC_
- Content-Type image/jpeg name"Flower_1.jpg"
12Getting inside a spammers mind
- Intent
- Marketing
- Phishing
- Malware
- Execution
- Gathering email addresses
- Hosting the web site
- Sending emails
13Layered Security
- Sever Layer(MTAs)
- Network Boundary/Gateways.
- Mail routers.
- Message Store.
- Client Layer(MUAs)
- POP/IMAP/SMTP Proxies.
- Plugins.
- No Single antidote.
14Anti-Spam Technologies - ACLs
- Blocklists
- IP/domain/user
- Whitelists
- IP/domain/user
- Types
- Internal Application Specific
- External Community/Paid servers
- DNSxLs standard DNS queries.
15Anti-Spam Technologies - ACLs
- Greylisting
- Something between whitelist and blocklist
- Exploiting the protocol for good reason.
- Temporary rejection with 4xy error code
- Basic 3 tuple information stored
ltIPgtltMFROMgtltRCPTgt
16Anti-Spam Technologies Content Filtering
- String/Regex filters
- static, dumb.
- Behavioural Filters
- Look for specific behaviour patterns
- Bayesian filters
- Intelligent, require learning time.
- Accuracy decreases when deployed on server.
17Anti-Spam Technologies Content Filtering
- Signature/fingerprint
- Fuzzy(Nilsimsa code), good as an add-on.
- OCR (Optical Character Recognition)
- Image scanning, not efficient.
18Anti-Spam Technologies C/R
- Challenge-Response systems
- Recipient challenges the sender
- Bounce message/SMTP rejection
- URL click/CAPTCHA test/reply to bounce
- CAPTCHA (Completely Automated Public Turing test
to tell Computers and Humans Apart)
19Anti-Spam Technologies Sender Driven
- SPF (Sender Policy Framework)
- Anti-forgery
- Uses DNS SPF/TXT records, IP, domain name of
sender - Authorized Outbound SMTP for a domain
- DKIM (Domain Keys Identified Mail)
- Signed messages
- Anti-forgery, as signing domain claims
responsibility - Uses DNS TXT records, DKIM header
- DKIM-Signature v1 arsa-sha256
crelaxed/relaxed dgmail.com sgamma
hdomainkey-signaturereceivedreceivedmessage-id
datefromto subjectmime-versioncontent-type
bhYm0p23riCgT3uCfIGqubQUvvGjrTpD0McUL7kqm7KE
bm2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfX
rC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/H
VMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMn
qv6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdkwA
20Anti-Spam Technologies Sender driven
- HashCash
- Proof of work by sender
- Hard to compute, easy to verify
- square root/square problem.
- Partial Hash collision (with Zero bits)
21Anti-Spam Technologies - Heuristics
- Heuristic filters
- A combination of above techniques
- Defines rules, weights and threshold(s)
- Reduces ve rate.
- Reputation systems
- Advanced heuristics to create reputation.
- Create reputation of IPs/Domains sending messages
22Exploiting the Loop Holes Evading filters
- ACLs Greylisting
- Simulating a simple queue thread with 4 tuple
ltMSGIDgtltTIMEgtltMFROMgtltRCPTgt - Resending after a predefined time.
- Content Filtering
- Run The message content through filters/free
email services - CAPTCHA effect for OCR
- Subject Never agree to be a loser
- Buck up, your troubles caused by small dimension
will soon be over! - Initiate a natural growth of your masculine
muscle! - http//veniutk2Ecom/
- control2E All data was lost at T5 minutes, 5
seconds2Ethings happen2E We just believed that
he was going to berescuers at 1100 a2Em2E
EST2E _BOOK_4in a retirement home2EIn
February, three couples refused to pled ge their
23Exploiting the Loop Holes
- Sender Driven
- Creating hashcash (not efficient, not popular)
- Look for open relays with SPF, DKIM
functionality. - Bounce Messages from Valid domains
- Worms sending mails to local MTAs
24Exploiting the Loop Holes
- Reputation
- Sending through free webmail accounts
- Sample email sent directly and through valid
webmail service - Sent directly Spam mailbox
- Through Webmail Inbox (Bingo!!)
- Subject viagra soma cialis cheap rates oem
software low mortgage rates - viagra soma cialis cheap rates
- low mortgage rates oem software for 1
- penis enlargement for good sex
- live xxx videos
25Exploiting the Loop Holes
- Targeting low priority MX
- Helps in bypassing filters altogether (if you are
lucky that is -P). - Mail Reconnaissance
- Reading replies from valid (and invalid)
addresses - Exposes enormous amount of information
- Definitely a must for any Pen tester
26References
- SPF - http//www.ietf.org/rfc/rf
c4408.txt - DKIM - http//www.dkim.org/
- SpamAssassin - http//spamassassin.apache.org/
- Razor - http//razor.sourceforge.n
et/ - CAPTCHA - http//www.captcha.net/
- Bogofilter - http//bogofilter.sourceforg
e.net/ - Mailwasher - http//www.mailwasher.net/
- HashCash - http//www.hashcash.org/
- Greylisting - http//greylisting.org/
- Gartner report - http//news.zdnet.com/2100-9595
_22-955842.html - DNSxLs - http//www.potaroo.net/ietf
/all-ids/draft-irtf-asrg-dnsbl- 01.txt-16252.txt
27Thanks
- QA?
- Contact me null _a_t_ null . co . In
- NULL is having an official meet on 7th Dec at
ClubHack