AntiSpam: Understanding the good, the bad and the ugly (PowerPoint presentation transcript)
1
AntiSpam: Understanding the good, the bad and the ugly
  • By Aseem Jakhar

2
About Me
  • Security and open source enthusiast.
  • Have worked on many enterprise security products.
  • Have disclosed many security issues to
    banks/organizations.
  • Speaker at security/open source conferences.
  • Founder of NULL security community.

3
Agenda
  • What is spam?
  • Spam side effects
  • Difficult problem to solve
  • Messaging primer
  • Getting inside a spammer's mind
  • Layered security
  • Anti-spam technologies
  • Exploiting the loopholes

4
What is spam?
  • No, it's not the Hormel product.
  • No standard definition.
  • Differs on an individual basis.
  • UBE (Unsolicited Bulk Email), UCE (Unsolicited Commercial Email).
  • Ham = non-spam.

5
Spam side effects
  • Bandwidth overload.
  • Storage overload.
  • Loss of end-user productivity.

6
Difficult problem to solve
  • Human factor.
  • Dynamic nature.
  • Coming from valid but compromised sources.
  • Best of buddies: viruses, worms, trojans and spam help each other propagate.

7
Messaging Primer
  • Sending emails
    - SMTP - Simple Mail Transfer Protocol.
    - MUA - Message User Agent (the SMTP client, e.g. Outlook).
    - MSA - Message Submission Agent (accepts mail from MUAs).
    - MTA - Message Transfer Agent (SMTP server, which also acts as an SMTP client when relaying, e.g. sendmail).
    - MDA - Message Delivery Agent (final SMTP server, writes to the message store).
  • Retrieving emails
    - POP - Post Office Protocol.
    - IMAP - Internet Message Access Protocol.
  • Email format
    - Envelope (SMTP MAIL FROM / RCPT TO) and message (headers and body).
    - MIME - Multipurpose Internet Mail Extensions.

8
Path of a Message
  MUA -> MSA/MTA -> (intermediate MTAs) -> MTA/MDA -> Message Store -> MUA
  (submission over SMTP on the left, retrieval over POP/IMAP on the right)
9
Email Format: Received Headers
  (Newest hop on top: each MTA prepends its own Received: line, so the chain is read bottom-up.)
  • Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
  • Return-Path: <xxx@xxxx>
  • Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1;
    Thu, 10 Jan 2008 04:04:07 -0800 (PST)
  • Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender)
    client-ip=x.x.x.x
  • Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2
    for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
  • Received: ...
  • Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3
    for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT

10
Email Format: Other headers
  • To: yyy@yyyy
  • Cc: xxx xxxx <xxx@xxxx>
  • MIME-Version: 1.0
  • Subject: email format - Attached jpeg image
  • X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971
  • Message-ID: <FOOBAR00000@xxxx>
  • From: xxx xxxx <xxx@xxxx>
  • Date: Thu, 10 Jan 2008 17:16:16 +0530
  • X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z Jan 01 1971)
    at 01/10/2008 17:16:18

11
Email Format: MIME (contd.) and email body
  Content-Type: multipart/mixed; boundary="_mixed 0040CB5E652573CC_"

  --_mixed 0040CB5E652573CC_
  Content-Type: multipart/alternative; boundary="_alternative 0040CB60652573CC_"

  --_alternative 0040CB60652573CC_
  Content-Type: text/plain; charset="US-ASCII"

  Hi,
  This is the email format with attached jpeg image
  --_alternative 0040CB60652573CC_
  Content-Type: text/html; charset="US-ASCII"

  <br><font size=2 face="sans-serif">Hi,</font>
  <br> <br><font size=2 face="sans-serif">&nbsp;This is the email format with attached jpeg image</font>
  --_alternative 0040CB60652573CC_--
  --_mixed 0040CB5E652573CC_
  Content-Type: image/jpeg; name="Flower_1.jpg"
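The three header slides above, parsed end to end: the Received chain is walked bottom-up into transit order, the Received-SPF verdict is read off, and the MIME tree is enumerated. This is an added example, not code from the slides: the message is constructed from the slides' redacted placeholders (hosts like xx.yy.com, addresses like xxx@xxxx, a stub JPEG body) and uses only the Python standard library.

```python
import email
import re
from email import policy

# Constructed sample modelled on the slides' redacted headers and MIME layout;
# hosts, IPs and addresses are the slides' placeholders, not real ones.
RAW_MESSAGE = b"""\
Return-Path: <xxx@xxxx>
Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x
Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
From: xxx xxxx <xxx@xxxx>
To: yyy@yyyy
Subject: email format - Attached jpeg image
Date: Thu, 10 Jan 2008 17:16:16 +0530
Message-ID: <FOOBAR00000@xxxx>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_mixed 0040CB5E652573CC_"

--_mixed 0040CB5E652573CC_
Content-Type: multipart/alternative; boundary="_alternative 0040CB60652573CC_"

--_alternative 0040CB60652573CC_
Content-Type: text/plain; charset="US-ASCII"

Hi,
This is the email format with attached jpeg image
--_alternative 0040CB60652573CC_
Content-Type: text/html; charset="US-ASCII"

<br><font size=2 face="sans-serif">Hi,</font>
<br><font size=2 face="sans-serif">&nbsp;This is the email format with attached jpeg image</font>
--_alternative 0040CB60652573CC_--
--_mixed 0040CB5E652573CC_
Content-Type: image/jpeg; name="Flower_1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEASABIAAD/2wBD
--_mixed 0040CB5E652573CC_--
"""

# "from <helo> (<rdns> [<ip>]) by <host>": the "from" clause is absent on the
# hop where the MUA submitted the message locally.
RECEIVED_RE = re.compile(
    r"(?:from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^)]*)\))?\s+)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_message(raw=RAW_MESSAGE):
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg):
    """Hops in transit order, origin first.

    Each MTA prepends its own Received: line, so header order is newest first
    and is reversed here. Only the line written by our own receiving MTA (the
    last element) is trustworthy: a sender can forge every line below it,
    which is why filters take the client IP from that hop, not from the bottom.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = RECEIVED_RE.search(str(value))
        if match:
            hops.append(match.groupdict())
    return hops


def spf_result(msg):
    """First token of Received-SPF (pass/fail/softfail/...), if present."""
    value = msg.get("Received-SPF")
    return str(value).split()[0].lower() if value else None


def mime_tree(part, depth=0, out=None):
    """Flatten the MIME tree into (depth, content type, filename) rows."""
    if out is None:
        out = []
    out.append((depth, part.get_content_type(), part.get_filename()))
    if part.is_multipart():
        for child in part.iter_parts():
            mime_tree(child, depth + 1, out)
    return out


if __name__ == "__main__":
    message = parse_message()
    for hop in received_chain(message):
        print(f"{hop['helo'] or '(local)':>10} -> {hop['by']:<10} rDNS/IP: {hop['rdns']}")
    print("SPF:", spf_result(message))
    for depth, ctype, name in mime_tree(message):
        print("  " * depth + ctype + (f" ({name})" if name else ""))
```

The `get_filename()` fallback to the Content-Type `name=` parameter is what picks up `Flower_1.jpg` here; real attachments usually also carry a Content-Disposition header, which the same call prefers.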

12
Getting inside a spammer's mind
  • Intent
    - Marketing
    - Phishing
    - Malware
  • Execution
    - Gathering email addresses
    - Hosting the web site
    - Sending emails

13
Layered Security
  • Server layer (MTAs)
    - Network boundary/gateways.
    - Mail routers.
    - Message store.
  • Client layer (MUAs)
    - POP/IMAP/SMTP proxies.
    - Plugins.
  • No single antidote.

14
Anti-Spam Technologies - ACLs
  • Blocklists
    - IP/domain/user
  • Whitelists
    - IP/domain/user
  • Types
    - Internal: application specific.
    - External: community/paid servers.
    - DNSxLs (DNSBLs/DNSWLs): looked up with standard DNS queries.

15
Anti-Spam Technologies - ACLs
  • Greylisting
    - Something between a whitelist and a blocklist.
    - Exploits SMTP's retry semantics for a good reason: a legitimate MTA retries after a temporary failure.
    - Temporary rejection with a 4xy error code.
    - Basic 3-tuple information stored: <IP> <MAIL FROM> <RCPT TO>
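The ACL and greylisting decisions from the two slides above combined into one SMTP-time policy check, evaluated in the order an MTA would apply them (whitelist, blocklist, DNSxL, greylist). This is an added example, not code from the slides: the zone name dnsbl.example., its answers and the address ranges are constructed stand-ins, and the resolver is a dict so the code runs offline.

```python
import ipaddress
import time

# Constructed DNS answers standing in for a DNSBL zone: the listed address
# resolves to 127.0.0.2, anything else is NXDOMAIN (None). The zone name
# dnsbl.example. is hypothetical, not a real list. IPv4 only, for brevity.
FAKE_DNS = {"9.113.0.203.dnsbl.example.": "127.0.0.2"}


def dnsxl_query_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.9 -> 9.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsxl_listed(ip, zone, resolve=FAKE_DNS.get):
    """A listing is an A answer inside 127.0.0.0/8; the last octet encodes the
    reason and its meaning differs per zone, so it is not interpreted here."""
    answer = resolve(dnsxl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


class Greylist:
    """Greylisting on the <IP, MAIL FROM, RCPT TO> triplet.

    First sighting: 450 (4xy) temporary failure. A retry after `delay`
    seconds is accepted, on the assumption that real MTAs retry and most
    spam engines move on. Triplets never retried are forgotten after
    `retry_window` so the table does not grow without bound.
    """

    def __init__(self, delay=300, retry_window=4 * 3600, clock=time.time):
        self.delay, self.retry_window, self.clock = delay, retry_window, clock
        self.first_seen = {}

    def check(self, ip, mail_from, rcpt_to):
        key = (ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now
            return "450 4.7.1 Greylisted, please retry later"
        if now - first < self.delay:
            return "450 4.7.1 Greylisted, please retry later"
        return "250 OK"


class SmtpAcl:
    """Order matters: a whitelisted client skips every later check."""

    def __init__(self, whitelist, blocklist, dnsxl_zones, greylist):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blocklist = [ipaddress.ip_network(n) for n in blocklist]
        self.zones = dnsxl_zones
        self.greylist = greylist

    def rcpt(self, ip, mail_from, rcpt_to):
        """Decision at RCPT TO time, returned as the SMTP reply line."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "250 OK"
        if any(addr in net for net in self.blocklist):
            return "550 5.7.1 Rejected by local policy"
        for zone in self.zones:
            if dnsxl_listed(ip, zone):
                return f"550 5.7.1 Client {ip} listed in {zone}"
        return self.greylist.check(ip, mail_from, rcpt_to)


if __name__ == "__main__":
    acl = SmtpAcl(["192.0.2.0/24"], ["198.51.100.0/24"], ["dnsbl.example."], Greylist(delay=300))
    for client in ("192.0.2.5", "198.51.100.7", "203.0.113.9", "203.0.113.10"):
        print(client, "->", acl.rcpt(client, "sender@example.net", "user@example.com"))
```

A client that comes back after the delay with the same triplet is accepted, which is exactly the resend queue the "Exploiting the loopholes" slide describes; greylisting buys time and filters out fire-and-forget engines, nothing more.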

16
Anti-Spam Technologies: Content Filtering
  • String/Regex filters
    - Static, dumb.
  • Behavioural filters
    - Look for specific behaviour patterns.
  • Bayesian filters
    - Intelligent, require learning time.
    - Accuracy decreases when deployed on the server (one corpus shared by all users) rather than per user.

17
Anti-Spam Technologies: Content Filtering
  • Signature/fingerprint
    - Fuzzy hashing (Nilsimsa code), good as an add-on.
  • OCR (Optical Character Recognition)
    - Image scanning, not efficient.

18
Anti-Spam Technologies: C/R
  • Challenge-Response systems
  • Recipient challenges the sender
  • Bounce message/SMTP rejection
  • URL click/CAPTCHA test/reply to bounce
  • CAPTCHA (Completely Automated Public Turing test
    to tell Computers and Humans Apart)

19
Anti-Spam Technologies: Sender Driven
  • SPF (Sender Policy Framework)
    - Anti-forgery.
    - Uses DNS SPF/TXT records, the connecting IP and the domain name of the sender (MAIL FROM/HELO).
    - Lists the authorized outbound SMTP servers for a domain.
  • DKIM (DomainKeys Identified Mail)
    - Signed messages.
    - Anti-forgery, as the signing domain claims responsibility.
    - Uses DNS TXT records (<selector>._domainkey.<domain>) and the DKIM-Signature header.
    - DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;
        bh=Ym0p23riCgT3uCfIGqubQUvvGjrTpD0McUL7kqm7KE;
        b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/H
          VMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMnqv6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdkwA
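SPF evaluation and DKIM tag parsing as described on the slide above. This is an added example, not the slides' code: the DNS data (example.com, _spf.mailer.example, RFC 5737 documentation addresses) is constructed and served from a dict, and the DKIM-Signature value is the slide's own with its b= lines joined. Only the DKIM tag structure is parsed; verifying the signature would need the selector's public key and the canonicalised message, which the slide does not show.

```python
import ipaddress

# Constructed DNS data (RFC 5737 addresses, hypothetical names): example.com
# authorises its own /24, its MX host and a third-party bulk mailer.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.5"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:203.0.113.0/25 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4


def lookup(name, rtype, dns):
    return dns.get((name.lower(), rtype), [])


def spf_record(domain, dns):
    """Exactly one v=spf1 TXT record is allowed; zero means 'none'."""
    records = [r for r in lookup(domain, "TXT", dns)
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, dns=FAKE_DNS, budget=None):
    """Evaluate the domain's SPF record for the connecting IP.

    `domain` is the MAIL FROM (or HELO) domain, not the From: header: SPF
    says nothing about the address the user sees. Supports ip4, ip6, a, mx,
    include and all; exists:, ptr and redirect= are treated as permerror.
    """
    budget = [MAX_DNS_MECHANISMS] if budget is None else budget
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = client in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            target = arg or domain
            if mech == "include":
                inner = check_host(ip, target, dns, budget)
                if inner == "pass":
                    matched = True
                elif inner in ("permerror", "temperror", "none"):
                    return "permerror"
            else:
                hosts = [target] if mech == "a" else lookup(target, "MX", dns)
                matched = any(client == ipaddress.ip_address(a)
                              for h in hosts for a in lookup(h, "A", dns))
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without a match


# The slide's DKIM-Signature value (b= lines joined); tag=value list per RFC 6376.
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; "
    "h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; "
    "bh=Ym0p23riCgT3uCfIGqubQUvvGjrTpD0McUL7kqm7KE; "
    "b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/H"
    "VMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMnqv6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdkwA"
)


def dkim_tags(value):
    """Split a tag=value list; whitespace inside values is insignificant."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags


def dkim_key_record(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<domain> TXT."""
    return f"{tags['s']}._domainkey.{tags['d']}"


if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.5", "203.0.113.7", "203.0.113.200"):
        print(client, check_host(client, "example.com"))
    tags = dkim_tags(DKIM_SIGNATURE)
    print("signed headers:", tags["h"].split(":"))
    print("key record:", dkim_key_record(tags))
```

The h= list is the part worth reading when a signature passes: only the named headers are covered, so a header outside that list (or a second copy of a listed one, a known oversigning gap) can be altered without breaking the signature.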

20
Anti-Spam Technologies: Sender driven
  • HashCash
    - Proof of work by the sender.
    - Hard to compute, easy to verify (like a square root vs. a square).
    - Partial hash collision: a stamp whose hash begins with a required number of zero bits.

21
Anti-Spam Technologies - Heuristics
  • Heuristic filters
    - A combination of the above techniques.
    - Defines rules, weights and threshold(s).
    - Reduces the false positive (+ve) rate.
  • Reputation systems
    - Advanced heuristics to create reputation.
    - Create a reputation for the IPs/domains sending messages.
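A SpamAssassin-style heuristic scorer over the techniques above: weighted rules, an IP reputation adjustment and a threshold, so that no single test decides. This is an added example, not the slides' code or SpamAssassin's: rule names, scores, the reputation table and the two sample messages are constructed (the subject and the obfuscated URL reuse the spam samples shown later in the slides).

```python
import re
from email import message_from_string, policy

THRESHOLD = 5.0  # SpamAssassin's conventional default; the rule scores below are illustrative

# Constructed reputation table standing in for a reputation service's answer:
# negative pulls towards ham, positive towards spam.
IP_REPUTATION = {"203.0.113.9": -3.0, "198.51.100.77": 3.0}


def body_text(msg):
    """Raw body for a single-part message (undecoded, so QP tricks stay visible)."""
    return msg.get_payload() if not msg.is_multipart() else ""


# (rule name, score, predicate over the parsed message)
RULES = [
    ("SUBJ_PHARMA", 2.5, lambda m: re.search(r"\b(viagra|cialis|soma)\b", str(m["Subject"] or ""), re.I)),
    ("BODY_MORTGAGE_OEM", 1.5, lambda m: re.search(r"mortgage rates|oem software", body_text(m), re.I)),
    ("URI_QP_OBFUSCATED", 2.0, lambda m: re.search(r"https?://\S*=2E", body_text(m), re.I)),
    ("MISSING_MESSAGE_ID", 1.5, lambda m: m["Message-ID"] is None),
    ("SPF_FAIL", 1.0, lambda m: str(m["Received-SPF"] or "").lower().startswith("fail")),
    ("SPF_PASS", -0.5, lambda m: str(m["Received-SPF"] or "").lower().startswith("pass")),
]


def score(raw, client_ip):
    """Sum the scores of every rule that fires, plus the client's reputation."""
    msg = message_from_string(raw, policy=policy.default)
    hits = [(name, pts) for name, pts, test in RULES if test(msg)]
    reputation = IP_REPUTATION.get(client_ip, 0.0)
    if reputation:
        hits.append(("IP_REPUTATION", reputation))
    return round(sum(pts for _, pts in hits), 1), hits


def is_spam(raw, client_ip):
    return score(raw, client_ip)[0] >= THRESHOLD


# Constructed samples: no Message-ID and a quoted-printable dot in the URL on the spam.
SPAM_RAW = """From: deals@example.net
To: yyy@yyyy
Subject: viagra soma cialis cheap rates oem software low mortgage rates
Received-SPF: fail (example.net does not designate 198.51.100.77 as permitted sender)

low mortgage rates oem software for 1
http://veniutk=2Ecom/
"""
HAM_RAW = """From: xxx xxxx <xxx@xxxx>
To: yyy@yyyy
Subject: email format - Attached jpeg image
Message-ID: <FOOBAR00000@xxxx>
Received-SPF: pass (xyz.com: domain of xxx@xxxx designates 203.0.113.9 as permitted sender)

Hi, the slides on greylisting are attached.
"""

if __name__ == "__main__":
    for label, raw, ip in (("spam", SPAM_RAW, "198.51.100.77"), ("ham", HAM_RAW, "203.0.113.9")):
        total, hits = score(raw, ip)
        print(f"{label}: {total:>5} {'SPAM' if total >= THRESHOLD else 'ok  '} {hits}")
```

Dropping the reputation term still leaves the spam sample well above the threshold, which is the point of weighting: the content rules and the sender checks back each other up, and the threshold, not any one rule, is what gets tuned against the false-positive rate.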

22
Exploiting the Loopholes: Evading filters
  • ACLs - Greylisting
    - Simulate a simple queue thread with a 4-tuple <MSGID> <TIME> <MFROM> <RCPT>.
    - Resend after a predefined time.
  • Content Filtering
    - Run the message content through filters/free email services before sending.
    - CAPTCHA effect for OCR (distorted text inside images).
    - Sample (raw quoted-printable body; the dots are encoded as =2E):
      Subject: Never agree to be a loser
      Buck up, your troubles caused by small dimension will soon be over!
      Initiate a natural growth of your masculine muscle!
      http://veniutk=2Ecom/
      control=2E All data was lost at T5 minutes, 5 seconds=2Ethings happen=2E We just believed that
      he was going to berescuers at 11:00 a=2Em=2E EST=2E _BOOK_4in a retirement home=2EIn
      February, three couples refused to pled ge their
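A Bayesian filter (the content-filtering slide above) confronted with the padding trick in the sample just shown: text the filter has learned as ham, appended to a spam body, pulls the score down until the filter is trained on the padded message. This is an added example, not from the slides; the training corpora and the padding are constructed (the spam lines reuse the slides' samples), and the combining formula follows Paul Graham's "A Plan for Spam" rather than any particular product.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]{2,}")

# Constructed training corpora (six ham, six spam); the spam lines reuse the
# slides' samples, the ham lines are made-up office mail.
HAM = [
    "meeting tomorrow about the quarterly report, please review the attached agenda",
    "can you send me the build logs from the test server",
    "lunch on friday? the team wants to try the new place",
    "patch for the parser bug is attached, review it before merge",
    "reminder: conference call with the bank at 10am",
    "thanks for the slides, the section on greylisting was useful",
]
SPAM = [
    "never agree to be a loser, buck up your troubles will soon be over",
    "cheap viagra soma cialis lowest rates click here",
    "low mortgage rates oem software for 1 dollar",
    "initiate a natural growth of your masculine muscle",
    "penis enlargement for good sex live xxx videos",
    "you are a winner claim your prize click now",
]
# The slide's spam body, and padding built only from words seen so far in ham.
SPAM_SAMPLE = ("Never agree to be a loser. Buck up, your troubles caused by small dimension "
               "will soon be over! Initiate a natural growth of your masculine muscle!")
HAM_PADDING = ("meeting quarterly report review attached agenda build logs test server lunch "
               "friday team patch parser bug merge reminder conference call bank slides "
               "section greylisting useful")


def tokens(text):
    """Unique lower-case word tokens; a token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Per-token spam probabilities combined as in Graham's 'A Plan for Spam'.
    Counts are messages-containing-token, not occurrences."""

    def __init__(self):
        self.good, self.bad = Counter(), Counter()
        self.ngood = self.nbad = 0

    def train(self, text, spam):
        toks = tokens(text)
        if spam:
            self.bad.update(toks)
            self.nbad += 1
        else:
            self.good.update(toks)
            self.ngood += 1

    def token_probability(self, tok):
        g, b = self.good[tok], self.bad[tok]
        if g + b == 0:
            return 0.4  # never seen: Graham treats unknown words as slightly hammy
        pg = min(1.0, 2.0 * g / max(self.ngood, 1))  # ham counts doubled against false positives
        pb = min(1.0, b / max(self.nbad, 1))
        return min(0.99, max(0.01, pb / (pg + pb)))

    def spam_probability(self, text):
        probs = [self.token_probability(t) for t in tokens(text)]
        # P = prod(p) / (prod(p) + prod(1-p)), computed in log space to avoid underflow
        log_s = sum(math.log(p) for p in probs)
        log_h = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_h - log_s))


def build_filter():
    f = BayesFilter()
    for text in HAM:
        f.train(text, spam=False)
    for text in SPAM:
        f.train(text, spam=True)
    return f


def demo():
    """Score the sample bare, padded, and padded again after one training round."""
    f = build_filter()
    padded = SPAM_SAMPLE + " " + HAM_PADDING
    before = f.spam_probability(SPAM_SAMPLE)
    evaded = f.spam_probability(padded)
    f.train(padded, spam=True)  # the recipient reports the padded message as spam
    relearned = f.spam_probability(padded)
    return before, evaded, relearned


if __name__ == "__main__":
    before, evaded, relearned = demo()
    print(f"bare sample: {before:.4f}  padded: {evaded:.2e}  padded after retraining: {relearned:.4f}")
```

Padding with words the filter has never seen barely moves the score (0.4 against 0.6 is a weak factor next to 0.99 against 0.01), which is why the trick needs words the filter already associates with ham; the flip side, shown by the third number, is that one round of training on the reported message turns those words neutral and the sample is spam again. Production filters (SpamAssassin's Bayes, bogofilter) use different combining rules, so their exact numbers differ.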

23
Exploiting the Loopholes
  • Sender Driven
    - Creating hashcash (not efficient, not popular).
    - Look for open relays with SPF, DKIM functionality.
    - Bounce messages from valid domains.
    - Worms sending mails to local MTAs.

24
Exploiting the Loopholes
  • Reputation
    - Sending through free webmail accounts.
    - Sample email sent directly and through a valid webmail service:
      - Sent directly: landed in the Spam mailbox.
      - Through webmail: landed in the Inbox (Bingo!!)
    - Subject: viagra soma cialis cheap rates oem software low mortgage rates
      viagra soma cialis cheap rates
      low mortgage rates oem software for 1
      penis enlargement for good sex
      live xxx videos

25
Exploiting the Loopholes
  • Targeting low-priority MX
    - Helps in bypassing filters altogether (if you are lucky, that is :-P).
  • Mail Reconnaissance
    - Reading replies (bounces) from valid (and invalid) addresses.
    - Exposes an enormous amount of information.
    - Definitely a must for any pentester.

26
References
  • SPF - http://www.ietf.org/rfc/rfc4408.txt
  • DKIM - http://www.dkim.org/
  • SpamAssassin - http://spamassassin.apache.org/
  • Razor - http://razor.sourceforge.net/
  • CAPTCHA - http://www.captcha.net/
  • Bogofilter - http://bogofilter.sourceforge.net/
  • Mailwasher - http://www.mailwasher.net/
  • HashCash - http://www.hashcash.org/
  • Greylisting - http://greylisting.org/
  • Gartner report - http://news.zdnet.com/2100-9595_22-955842.html
  • DNSxLs - http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl-01.txt-16252.txt

27
Thanks
  • Q&A?
  • Contact me: null _a_t_ null . co . in
  • NULL is having an official meet on 7th Dec at ClubHack