AntiSpam - Understanding the good, the bad and the ugly


Published on January 1, 2009

Author: amiable_indian

Source: slideshare.net


AntiSpam: Understanding the good, the bad and the ugly
By Aseem Jakhar

About Me
Security and open source enthusiast.
Have worked on many enterprise security products.
Have disclosed many security issues to banks/organizations.
Speaker at security/open source conferences.
Founder of the NULL security community.

Agenda
What is Spam?
Spam Side Effects
Difficult Problem to Solve
Messaging Primer
Getting Inside a Spammer's Mind
Layered Security
AntiSpam Technologies
Exploiting the Loop Holes

What is Spam?
No, it's not the Hormel product.
No standard definition; it differs on an individual basis.
UBE (Unsolicited Bulk Email), UCE (Unsolicited Commercial Email).
Ham: non-spam.

Spam Side Effects
Bandwidth overload.
Storage overload.
Loss of end-user productivity.

Difficult Problem to Solve
Human factor.
Dynamic nature.
Coming from valid but compromised sources.
Best of buddies: viruses, worms, trojans and spam help each other propagate.

Messaging Primer
Sending emails
  SMTP - Simple Mail Transfer Protocol.
  MUA - Message User Agent (SMTP clients, e.g. Outlook).
  MSA - Message Submission Agent.
  MTA - Message Transfer Agent (SMTP servers, which also act as SMTP clients when relaying, e.g. sendmail).
  MDA - Message Delivery Agent (SMTP server/message store).
Retrieving emails
  POP - Post Office Protocol.
  IMAP - Internet Message Access Protocol.
Email format
  Envelope and message.
  MIME - Multipurpose Internet Mail Extensions.

Path of a Message: MUA -> MSA/MTA -> MTAs -> MTA/MDA -> Message Store -> MUA

Email Format: Received Headers
Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Return-Path: <xxx@xxxx>
Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
Received: ...
Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
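As an added example (not from the deck), here is how a gateway reads a chain like the one above: every MTA prepends its own Received line, so the topmost is the newest hop, and only the lines written by your own servers can be trusted. The hostnames, the RFC 5737 documentation-range IPs and the entry_hop helper are constructed assumptions, not values from the slide.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the slide's chain: placeholder hostnames,
# documentation-range IPs (RFC 5737), nothing points at a real server.
RAW_HEADERS = "\r\n".join([
    "Received: by 192.0.2.10 with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)",
    "Return-Path: <xxx@sender.example>",
    "Received: from xx.yy.example (xx.yy.example [198.51.100.5]) by zz.xx.example"
    " with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)",
    "Received-SPF: pass (xyz.example: domain of xxx@sender.example designates"
    " 198.51.100.5 as permitted sender) client-ip=198.51.100.5;",
    "Received: from zz.example (zz.example [203.0.113.9]) by xx.yy.example (8.13.1/8.13.1)"
    " with ESMTP id foobar2 for <yyy@recipient.example>; Thu, 10 Jan 2008 17:16:11 +0530",
    "Received: from aa.example (aa.example [203.0.113.77]) by bb.example (8.13.1/8.12.11)"
    " with ESMTP id foobar3 for <yyy@recipient.example>; Thu, 10 Jan 2008 11:46:10 GMT",
    "", "",
])

# "from <helo> (<reverse-dns> [<ip>]) by <receiver>"; the from-clause is optional
HOP_RE = re.compile(
    r"(?:from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\))?\s+)?"
    r"by\s+(?P<by>\S+)")

def received_hops(raw):
    """One dict per Received header, oldest hop first.  Each MTA prepends its
    Received line, so header order is newest first and we reverse it."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        value = " ".join(hdr.split())            # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        try:                                     # the timestamp follows the ';'
            date = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (IndexError, TypeError, ValueError):
            date = None
        hops.append({"from": m.group("helo"), "ip": m.group("ip"),
                     "by": m.group("by"), "date": date})
    hops.reverse()
    return hops

def entry_hop(raw, is_trusted):
    """Walk newest to oldest while the receiving MTA is one of ours; the last
    such hop is where the message entered our perimeter, and the client IP it
    recorded is the one fact the sender cannot forge.  Every Received line
    older than that was supplied by the sender and may be fabricated."""
    last = None
    for hop in reversed(received_hops(raw)):
        if not is_trusted(hop["by"]):
            break
        last = hop
    return last
```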

Email Format: Other Headers
To: yyy@yyyy
Cc: xxx xxxx <xxx@xxxx>
MIME-Version: 1.0
Subject: email format - Attached jpeg image
X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971
Message-ID: <FOOBAR00000@xxxx>
From: xxx xxxx <xxx@xxxx>
Date: Thu, 10 Jan 2008 17:16:16 +0530
X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18

Email Format: MIME (contd.) and Email Body
Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="

--=_mixed 0040CB5E652573CC_=
Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="

--=_alternative 0040CB60652573CC_=
Content-Type: text/plain; charset="US-ASCII"

Hi,
This is the email format with attached jpeg image
--=_alternative 0040CB60652573CC_=
Content-Type: text/html; charset="US-ASCII"

<br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif">&nbsp;This is the email format with attached jpeg image</font>...
--=_alternative 0040CB60652573CC_=--
--=_mixed 0040CB5E652573CC_=
Content-Type: image/jpeg; name="Flower_1.jpg"
Content-Disposition: attachment; filename="Flower_1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHY
VHpRRW62Doj//Z
--=_mixed 0040CB5E652573CC_=--
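An added example, not part of the presentation, that parses a message with the layout shown above using Python's standard email package and walks the nested parts the way a content filter must. The message is constructed from the slide's structure (same boundaries and headers) with the base64 image data cut to its first 32 characters.

```python
import email

# Constructed message in the slide's layout (Lotus Notes style boundaries,
# text + HTML alternative, base64 JPEG attachment); the image data is the
# first 32 base64 characters of the slide's sample, enough for the JFIF magic.
RAW_MESSAGE = "\r\n".join([
    "From: xxx xxxx <xxx@xxxx>",
    "To: yyy@yyyy",
    "Subject: email format - Attached jpeg image",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="',
    "",
    "--=_mixed 0040CB5E652573CC_=",
    'Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="',
    "",
    "--=_alternative 0040CB60652573CC_=",
    'Content-Type: text/plain; charset="US-ASCII"',
    "",
    "Hi,",
    "This is the email format with attached jpeg image",
    "--=_alternative 0040CB60652573CC_=",
    'Content-Type: text/html; charset="US-ASCII"',
    "",
    '<br><font size=2 face="sans-serif">Hi,</font>',
    "--=_alternative 0040CB60652573CC_=--",
    "--=_mixed 0040CB5E652573CC_=",
    'Content-Type: image/jpeg; name="Flower_1.jpg"',
    'Content-Disposition: attachment; filename="Flower_1.jpg"',
    "Content-Transfer-Encoding: base64",
    "",
    "/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBD",
    "--=_mixed 0040CB5E652573CC_=--",
    "",
])

def mime_tree(raw):
    """[(depth, content_type, filename)] for every part, nested multiparts
    included: the shape a gateway filter has to walk to see all the content."""
    out = []
    def walk(part, depth):
        out.append((depth, part.get_content_type(), part.get_filename()))
        if part.is_multipart():
            for sub in part.get_payload():
                walk(sub, depth + 1)
    walk(email.message_from_string(raw), 0)
    return out

def attachments(raw):
    """{filename: decoded bytes}: filters must inspect the decoded payload,
    since base64 hides the file's real type (and any signature) from regexes."""
    msg = email.message_from_string(raw)
    return {p.get_filename(): p.get_payload(decode=True)
            for p in msg.walk() if p.get_filename()}
```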

Getting Inside a Spammer's Mind
Intent
  Marketing
  Phishing
  Malware
Execution
  Gathering email addresses
  Hosting the web site
  Sending emails

Layered Security
Server layer (MTAs)
  Network boundary/gateways.
  Mail routers.
  Message store.
Client layer (MUAs)
  POP/IMAP/SMTP proxies.
  Plugins.
No single antidote.

Anti-Spam Technologies - ACLs
Blocklists
  IP/domain/user
Whitelists
  IP/domain/user
Types
  Internal: application specific.
  External: community/paid servers.
  DNSxLs (DNS-based block/white lists): queried with standard DNS lookups.

Anti-Spam Technologies - ACLs
Greylisting
  Something between a whitelist and a blocklist.
  Exploiting the protocol for a good reason: compliant senders retry after a temporary failure.
  Temporary rejection with a 4xy error code.
  Basic 3-tuple of information stored: <IP><MFROM><RCPT>
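Added example (not the author's code): a minimal greylisting policy on the triple described above, with an injectable clock so the retry window can be exercised without waiting. The 451 reply text, the 300-second delay and the 36-hour whitelist lifetime are assumptions.

```python
import time

class Greylist:
    """Greylisting on the (client IP, MAIL FROM, RCPT TO) triple: the first
    attempt gets a 4xx temporary failure; a retry after `delay` seconds is
    accepted and the triple is then whitelisted for `expiry` seconds.
    Compliant MTAs queue and retry; most spam cannons never come back."""
    TEMPFAIL = (451, "4.7.1 Greylisted, please try again later")
    ACCEPT = (250, "2.0.0 OK")

    def __init__(self, delay=300, expiry=36 * 3600, clock=time.time):
        self.delay, self.expiry, self.clock = delay, expiry, clock
        self.pending = {}   # triple -> timestamp of the first attempt
        self.passed = {}    # triple -> timestamp of the last accepted delivery

    def check(self, ip, mail_from, rcpt_to):
        """Decision for one RCPT TO at SMTP time; returns (code, text)."""
        key = (ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        if key in self.passed and now - self.passed[key] < self.expiry:
            self.passed[key] = now            # refresh the whitelist entry
            return self.ACCEPT
        first = self.pending.setdefault(key, now)
        if now - first >= self.delay:         # retried after the delay: let it in
            self.passed[key] = now
            del self.pending[key]
            return self.ACCEPT
        return self.TEMPFAIL                  # first contact or retried too early
```

Real deployments usually key on the sender's /24 rather than the exact IP, because large senders retry from another host in the same pool, and they expire pending entries that are never retried.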

Anti-Spam Technologies - Content Filtering
String/Regex filters
  Static, dumb.
Behavioural filters
  Look for specific behaviour patterns.
Bayesian filters
  Intelligent, require learning time.
  Accuracy decreases when deployed on the server.

Anti-Spam Technologies - Content Filtering
Signature/fingerprint
  Fuzzy (Nilsimsa code); good as an add-on.
OCR (Optical Character Recognition)
  Image scanning; not efficient.

Anti-Spam Technologies - C/R
Challenge-Response systems
  The recipient challenges the sender.
  Bounce message/SMTP rejection.
  URL click/CAPTCHA test/reply to bounce.
  CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)

Anti-Spam Technologies - Sender Driven
SPF (Sender Policy Framework)
  Anti-forgery.
  Uses DNS SPF/TXT records, the IP and the domain name of the sender.
  Lists the authorized outbound SMTP servers for a domain.
DKIM (DomainKeys Identified Mail)
  Signed messages.
  Anti-forgery, as the signing domain claims responsibility.
  Uses DNS TXT records and a DKIM header:
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=; b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMnq+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=

Anti-Spam Technologies - Sender Driven
HashCash
  Proof of work by the sender.
  Hard to compute, easy to verify (like the square root/square problem).
  Partial hash collision (leading zero bits).
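Added example, not from the presentation: minting and verifying a hashcash v1 stamp, which makes the partial hash collision concrete (the stamp's SHA-1 must begin with the claimed number of zero bits). The 20-bit default, the resource string and the replay note are assumptions of this example, not statements from the slides.

```python
import hashlib
import itertools
import secrets
import time

def leading_zero_bits(digest):
    """The 'partial hash collision': how many leading bits of the digest are zero."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource, bits=20, date=None, rand=None):
    """Produce a hashcash v1 stamp (ver:bits:date:resource:ext:rand:counter)
    whose SHA-1 has at least `bits` leading zero bits.  The sender expects
    about 2**bits hash attempts; the recipient verifies with a single hash."""
    date = date or time.strftime("%y%m%d")
    rand = rand or secrets.token_urlsafe(8)
    for counter in itertools.count():
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp, resource, min_bits=20):
    """Accept only stamps minted for our address (the resource) that claim, and
    actually achieve, at least min_bits of work.  A real deployment also
    rejects stale dates and stores seen stamps so a stamp cannot be replayed."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or fields[3] != resource:
        return False
    try:
        claimed = int(fields[1])
    except ValueError:
        return False
    if claimed < min_bits:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed
```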

Anti-Spam Technologies - Heuristics
Heuristic filters
  A combination of the above techniques.
  Define rules, weights and threshold(s).
  Reduce the false-positive rate.
Reputation systems
  Advanced heuristics that build a reputation.
  Create a reputation for the IPs/domains sending messages.

Exploiting the Loop Holes - Evading Filters
ACLs: Greylisting
  Simulating a simple queue thread with a 4-tuple <MSGID><TIME><MFROM><RCPT>.
  Resending after a predefined time.
Content Filtering
  Running the message content through filters/free email services.
  CAPTCHA effect for OCR.
Sample (quoted-printable encoded; "=2E" is an encoded '.'):
Subject: Never agree to be a loser
Buck up, your troubles caused by small dimension will soon be over!
Initiate a natural growth of your masculine muscle!
http://veniutk=2Ecom/
control=2E All data was lost at T+5 minutes, 5 seconds=2Ethings happen=2E=
We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E=
{_BOOK_4in a retirement home=2EIn February, three couples refused to pled=
ge their
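Added example covering two slides: the heuristic filter (rules, weights, threshold) from the Heuristics slide, applied to the quoted-printable trick in the sample above. Decoding the transfer encoding before any rule runs is what turns "http://example=2Ecom/" back into a URL the rules can see. The rules, weights and threshold are constructed, the sample messages are modelled on the slide with the domain replaced by example.com, and none of it is the author's code.

```python
import email
import re

# Constructed messages modelled on the slide (domain swapped for example.com).
# The spam body is quoted-printable: "=2E" encodes '.', so a regex run over the
# raw text never sees "http://example.com/".
SPAM = """Received: from mx.example (mx.example [192.0.2.1]) by mail.example; Thu, 10 Jan 2008 11:46:10 GMT
From: someone@example.net
To: yyy@recipient.example
Subject: Never agree to be a loser
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

Initiate a natural growth of your masculine muscle!
http://example=2Ecom/ control=2E All data was lost=2E=
 things happen=2E
"""

HAM = """Received: from mx.example (mx.example [192.0.2.1]) by mail.example; Thu, 10 Jan 2008 11:46:10 GMT
Message-ID: <FOOBAR00000@example.net>
From: colleague@example.net
To: yyy@recipient.example
Subject: email format - Attached jpeg image

Hi, this is the email format with attached jpeg image.
"""

def decoded_text(msg):
    """Undo the transfer encoding of every text part before any rule runs."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True)            # base64 / QP -> bytes
            chunks.append(raw.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(chunks)

# (name, weight, test(msg, decoded_text, raw_body)) in the SpamAssassin style
RULES = [
    ("MISSING_MSGID",     1.5, lambda m, t, r: m["Message-ID"] is None),
    ("NO_RECEIVED",       2.0, lambda m, t, r: not m.get_all("Received")),
    ("SUBJ_LOSER",        1.0, lambda m, t, r: "loser" in (m["Subject"] or "").lower()),
    ("BODY_ENLARGE",      2.5, lambda m, t, r: re.search(r"growth of your", t, re.I) is not None),
    ("QP_OBFUSCATED_URL", 2.0, lambda m, t, r: re.search(r"https?://\S*=2E", r, re.I) is not None),
    ("HAS_URL",           0.5, lambda m, t, r: re.search(r"https?://\S+", t, re.I) is not None),
]

def score(raw_message, threshold=5.0):
    """Sum the weights of the rules that fire; at or above the threshold it is spam."""
    msg = email.message_from_string(raw_message)
    raw_body = raw_message.split("\n\n", 1)[1] if "\n\n" in raw_message else ""
    text = decoded_text(msg)
    hits = [(name, w) for name, w, test in RULES if test(msg, text, raw_body)]
    total = sum(w for _, w in hits)
    return {"score": total, "hits": [n for n, _ in hits], "spam": total >= threshold}
```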

Exploiting the Loop Holes
Sender Driven
  Creating hashcash (not efficient, not popular).
  Looking for open relays with SPF/DKIM functionality.
  Bounce messages from valid domains.
  Worms sending mails to local MTAs.

Exploiting the Loop Holes
Reputation
  Sending through free webmail accounts.
  Sample email sent directly and through a valid webmail service:
    Sent directly: spam mailbox.
    Through webmail: inbox (Bingo!!).
Subject: viagra soma cialis cheap rates oem software low mortgage rates
viagra soma cialis cheap rates
low mortgage rates oem software for $1
penis enlargement for good sex
live xxx videos

Exploiting the Loop Holes
Targeting the low priority MX
  Helps in bypassing filters altogether (if you are lucky, that is :-P).
Mail Reconnaissance
  Reading replies from valid (and invalid) addresses.
  Exposes an enormous amount of information.
  Definitely a must for any pen tester.

References
SPF - http://www.ietf.org/rfc/rfc4408.txt
DKIM - http://www.dkim.org/
SpamAssassin - http://spamassassin.apache.org/
Razor - http://razor.sourceforge.net/
CAPTCHA - http://www.captcha.net/
Bogofilter - http://bogofilter.sourceforge.net/
Mailwasher - http://www.mailwasher.net/
HashCash - http://www.hashcash.org/
Greylisting - http://greylisting.org/
Gartner report - http://news.zdnet.com/2100-9595_22-955842.html
DNSxLs - http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl-01.txt-16252.txt

Thanks
Q&A?
Contact me: null _a_t_ null . co . in
NULL is having an official meet on 7th Dec at ClubHack
