563.8.2 Spam. Sonia Jahid, University of Illinois, Fall 2007 (PowerPoint presentation, 19 slides)

Page 1: 563.8.2 Spam

Sonia Jahid

University of Illinois, Fall 2007

Page 2: Outline

• Definition

• Problem

• Spam Categories

• How email works: quick overview

• Why is spam still a problem?

• Spammers’ approach

Page 3: Definition

• Submitting the same message to a large group of individuals in an effort to force the message onto people who would otherwise choose not to receive this message.

• A message is spam only if it is both Unsolicited and Bulk.
  – Unsolicited email by itself is normal email (examples: first contact enquiries, job enquiries, sales enquiries)
  – Bulk email by itself is normal email (examples: subscriber newsletters, customer communications, discussion lists)

Sources: What is spam? (SpamLaws); What is spam? (Spamhaus)

Page 4: Problem

MAAWG Email Metrics Report 07

The statistics reported below are compiled from confidential data provided by participating MAAWG member service operators for Q1 2007

Page 5: Spam Categories

  Category    Share of spam, 2006
  Products    25%
  Financial   20%
  Adult       19%
  Scams        9%
  Health       7%
  Internet     7%
  Leisure      6%
  Spiritual    4%
  Other        3%

Evett 06

According to information compiled by Spam Filter Review, email spam for 2006 can be categorized as shown in the table.

Page 6: How Email Works: Quick Overview

  helo test
  250 mx1.mindspring.com Hello abc.sample.com [220.57.69.37], pleased to meet you
  mail from: [email protected]
  250 2.1.0 [email protected]... Sender ok
  rcpt to: [email protected]
  250 2.1.5 jsmith... Recipient ok
  data
  354 Enter mail, end with "." on a line by itself
  from: [email protected]
  to: [email protected]
  subject: testing
  John, I am testing...
  .
  250 2.0.0 e1NMajH24604 Message accepted for delivery
  quit
  221 2.0.0 mx1.mindspring.com closing connection
  Connection closed by foreign host.

Brain
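
The session above is the whole reason spoofing works: the server verifies nothing about MAIL FROM, and the From: line the recipient will see is typed by the client inside DATA, independently of the envelope. The following Python script is an added example written for this page, not code from the slides or their sources. It parses a transcript like the one above and reports where envelope and header identities diverge; the transcript embedded in it is constructed, with placeholder addresses and the slide's hostnames and reply codes.

```python
"""Added example (not from the slides): parse an SMTP session transcript and
compare the envelope identities the server saw (MAIL FROM / RCPT TO) with the
header identities the client wrote inside DATA (From: / To:)."""
import re

# Constructed transcript modelled on the slide's session. Addresses are
# placeholders; hostnames and reply codes follow the slide.
SESSION = """\
helo test
250 mx1.mindspring.com Hello abc.sample.com [220.57.69.37], pleased to meet you
mail from: sender@example.net
250 2.1.0 sender@example.net... Sender ok
rcpt to: jsmith@example.org
250 2.1.5 jsmith... Recipient ok
data
354 Enter mail, end with "." on a line by itself
from: ceo@bank.example
to: jsmith@example.org
subject: testing

John, I am testing...
.
250 2.0.0 e1NMajH24604 Message accepted for delivery
quit
221 2.0.0 mx1.mindspring.com closing connection
Connection closed by foreign host.
"""

ADDR = re.compile(r"<?([^\s<>]+@[^\s<>]+)>?")
REPLY = re.compile(r"^\d{3}[ -]")          # server reply lines start with a 3-digit code


def _addr(text):
    m = ADDR.search(text)
    return m.group(1) if m else text.strip()


def parse_session(transcript):
    """Walk the dialogue line by line, tracking envelope and message-header fields."""
    env = {"helo": None, "mail_from": None, "rcpt_to": [], "headers": {}, "accepted": False}
    state = "cmd"        # cmd -> headers -> body -> cmd
    last_cmd = None
    for line in transcript.splitlines():
        if state in ("headers", "body"):
            if line == ".":              # end of DATA; the next reply says whether it was accepted
                state, last_cmd = "cmd", "."
            elif state == "headers":
                name, sep, value = line.partition(":")
                if sep and name.strip() and " " not in name.strip():
                    env["headers"][name.strip().lower()] = value.strip()
                else:
                    state = "body"       # first non-header line (usually blank) starts the body
            continue
        if REPLY.match(line):
            if last_cmd == "data" and line.startswith("354"):
                state = "headers"        # server invited the message text
            elif last_cmd == "." and line.startswith("250"):
                env["accepted"] = True
            continue
        lower = line.lower()
        if lower.startswith(("helo ", "ehlo ")):
            env["helo"] = line.split(None, 1)[1].strip()   # server ignores this and logs the real IP
        elif lower.startswith("mail from:"):
            env["mail_from"] = _addr(line.split(":", 1)[1])
        elif lower.startswith("rcpt to:"):
            env["rcpt_to"].append(_addr(line.split(":", 1)[1]))
        last_cmd = lower.strip()
    return env


def spoof_report(env):
    """Envelope sender (what SMTP saw) vs. header From: (what the recipient sees)."""
    m = ADDR.search(env["headers"].get("from", ""))
    header_from = m.group(1) if m else None
    return {
        "helo_name": env["helo"],
        "envelope_sender": env["mail_from"],
        "header_from": header_from,
        "sender_mismatch": header_from != env["mail_from"],
    }


if __name__ == "__main__":
    for key, value in spoof_report(parse_session(SESSION)).items():
        print(f"{key:16} {value}")
```

Run it and the report shows the envelope sender accepted by the server and a different address in the header From:, with the message still "accepted for delivery": nothing in the protocol ties the two together, which is the gap the later slides on spoofing and identity concealing build on.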

Page 7: Why Is Spam Still a Problem?

• Spoofing
  – Email system design
    • Headers allow spoofing
  – Identity concealing
    • Bot-networks
    • Open proxies
    • Open mail relays
    • Untraceable Internet connection
  – Available bulk email tools

Boneh 04

Page 8: Email System Design

• SMTP protocol provides no security
  – email is not private
  – can be altered en route
  – no way to validate the identity of the email source

• Use SMTP-AUTH?
  – Not a solution for spam

SMTP-AUTH

Page 9: Email System Design

• Headers are unreliable, can be used for spoofing
  – Insert fictitious email addresses in the From: lines
  – Exception: first Received header

  Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by
      mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
  Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>;
      Sun, 16 Nov 2003 13:38:22 -0600

MS: Mail Server

Tschabitscher
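
An added example, not from the slides or from Tschabitscher's article: a small Python header walker that applies the rule on this slide. It reads the two Received: lines quoted above (folded as they would be in a raw message), trusts only the line written by our own server (mail1.infinology.com is assumed here to be the receiving site's mail server), takes the origin IP from that line's connection details rather than from the HELO claim, and flags both the HELO/IP disagreement and the unverifiable hop beneath it.

```python
"""Added example (not from the slides): walk the Received: chain of a message,
believing only the lines written by our own mail server."""
import re

# The two Received: lines from the slide, as they appear in a raw message (first
# one folded). Assumption: mail1.infinology.com is the receiving site's own server.
RAW_HEADERS = """\
Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by
    mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>;
    Sun, 16 Nov 2003 13:38:22 -0600
From: someone@example.net
Subject: hello
"""
TRUSTED_HOSTS = {"mail1.infinology.com"}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RECEIVED = re.compile(
    r"from\s+(?P<from>\S+)"                    # what the client called itself (or its IP)
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"      # HELO name, when the MTA records it
    r"(?:\s+\((?P<paren>[^)]*)\))?"            # parenthesised connection details
    r".*?\bby\s+(?P<by>\S+)",                  # the server that wrote this line
    re.IGNORECASE | re.DOTALL,
)


def unfold_headers(raw):
    """Join folded continuation lines; return (name, value) pairs in message order."""
    pairs = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and pairs:
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_received(value):
    m = RECEIVED.search(value)
    if not m:
        return None
    ip = IPV4.search(m.group("paren") or m.group("from"))
    return {"claimed_from": m.group("from"), "helo": m.group("helo"),
            "ip": ip.group(0) if ip else None, "by": m.group("by").lower()}


def trace_origin(raw, trusted_hosts):
    """Top header first: a hop is believable only while the 'by' host is one of ours."""
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n == "received"]
    report = {"origin_ip": None, "helo_mismatch": False, "unverifiable_hops": 0, "hops": hops}
    trusted = True
    for hop in hops:
        if hop is None or hop["by"] not in trusted_hosts:
            trusted = False                # this and everything below came from the sender
        if not trusted:
            report["unverifiable_hops"] += 1
            continue
        report["origin_ip"] = hop["ip"]    # recorded from the TCP connection, not from HELO
        helo = hop["helo"]
        if helo and IPV4.fullmatch(helo) and helo != hop["ip"]:
            report["helo_mismatch"] = True
    return report


if __name__ == "__main__":
    result = trace_origin(RAW_HEADERS, TRUSTED_HOSTS)
    print("origin IP:", result["origin_ip"])
    print("HELO disagrees with connection IP:", result["helo_mismatch"])
    print("hops that cannot be verified:", result["unverifiable_hops"])
```

On the slide's headers this reports 62.105.106.207 as the origin, notes that the client announced itself as 38.118.132.100 while connecting from a different address, and counts the second Received: line (which claims to have been written "by 38.118.132.100") as unverifiable, since that text arrived inside the DATA of the same untrusted connection.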

Page 10: How Email Works: Quick Overview

(Repeat of slide 6, the SMTP session transcript.)

Brain

Page 11: Identity Concealing: Bot-networks

• Compromised machines running malicious software

• Once infected, spammer can send spam from it

• The bot software hides itself and periodically checks for instructions from the human bot-network administrator

• Emails appear to come from legitimate users

• Example bot-networks:
  – Phatbot: largest reported bot-network to date, 400,000 drones
  – Bobax: assimilates machines with high-speed Internet connections

Page 12: Identity Concealing: Open Proxies

• An open proxy is one which will create connections for any client to any server, without authentication

• Possible for a computer to be running an open proxy server without the knowledge of the computer's owner

• More difficult to detect when a chain of open proxies is used

Page 13: Identity Concealing: Open Mail Relays

• An email server configured to allow anyone on the Internet to relay email through it.

• Network address of the spammer appears in one of the Received: headers

• Spammers add fake Received: headers to obscure it
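
An added example, not from the slides: the decision an SMTP server makes for each RCPT TO, with the open-relay policy beside a restricted one. The local domain, network range and client addresses are constructed (RFC 5737 documentation ranges); the acceptance reply is the one shown on slide 6 and the denial is the Postfix-style 554 5.7.1. stamp_received shows why the spammer's own address still lands in a Received: line even when the relay is wide open.

```python
"""Added example (not from the slides): open relay versus restricted relay,
as the per-recipient decision an SMTP server makes at RCPT TO."""
import ipaddress

# Constructed configuration for a hypothetical server: the domain it is the
# final destination for, and the internal network whose hosts may relay outbound.
LOCAL_DOMAINS = {"example.org"}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def open_relay_policy(client_ip, authenticated, rcpt):
    """The misconfiguration on the slide: relay for anyone, to anywhere."""
    return True


def restricted_relay_policy(client_ip, authenticated, rcpt):
    """Accept inbound mail for our domains, and outbound mail only from our own clients."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True                                   # we are the final destination
    client = ipaddress.ip_address(client_ip)
    return authenticated or any(client in net for net in INTERNAL_NETS)


def simulate_rcpt(policy, client_ip, authenticated, rcpts):
    """Reply each RCPT TO would get under the given policy."""
    return {
        rcpt: "250 2.1.5 Recipient ok" if policy(client_ip, authenticated, rcpt)
        else "554 5.7.1 Relay access denied"
        for rcpt in rcpts
    }


def stamp_received(client_ip, helo_name, server_name, timestamp):
    """The trace header a relay prepends. Whatever HELO claims, the TCP peer
    address is recorded, which is why the spammer's address shows up in a
    Received: line and why the later slides describe faking extra ones."""
    return f"Received: from {helo_name} ({client_ip}) by {server_name} with SMTP; {timestamp}"


if __name__ == "__main__":
    stranger, insider = "203.0.113.7", "192.0.2.10"       # constructed client addresses
    targets = ["victim@elsewhere.example", "alice@example.org"]
    for name, policy in (("open relay", open_relay_policy), ("restricted", restricted_relay_policy)):
        print(name, "stranger:", simulate_rcpt(policy, stranger, False, targets))
        print(name, "insider: ", simulate_rcpt(policy, insider, False, targets))
    print(stamp_received(stranger, "mail.bank.example", "relay.example.org", "Sun, 16 Nov 2003 13:38:22 -0600"))
```

Under the open policy the stranger at 203.0.113.7 is allowed to send to any domain, which is exactly what the slide means by relaying "for anyone on the Internet"; under the restricted policy the same client can only deliver to example.org users, while an internal host or an authenticated user keeps outbound access.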

Page 14: Combining Open Proxy and Open Relay

• Establish a TCP connection with Open Proxy 1

• Connect with Open Proxy 2

• Send email to the Open Relay through this chain

• Forward to the destination SMTP server

Andreolini Bulgarelli Colajanni Mazzoni 05

Page 15: Identity Concealing: Untraceable Internet Connection

• Public Internet cafes

• Free/stolen wireless connections

• Connections that do not require identifying users

• Need not hide network address
  – Send email directly to spam recipients
  – No way to associate email accounts with the spammer

Page 16: Available Bulk Email Tools

• Designed to generate and send about 500,000 emails per hour while hiding spammers’ identity
  – Send-safe
    • Searches for open proxies, open relays
    • Downloads updated list of open proxies
    • Distributes email load over multiple open proxies
    • Periodically verifies whether open proxies are working properly
  – Massive-mailer
  – Dark-mailer

Page 17: Spammers’ Approach

• Gather addresses
  – Email harvesting from the web
  – Gather email addresses from newsgroups
  – DNS and WHOIS systems
  – Buy data from 3rd parties

• Generally spam-bots are used for email harvesting

• What makes it easy?
  – Published email addresses

Andreolini Bulgarelli Colajanni Mazzoni 05

Page 18: Spammers’ Approach

• Verify addresses
  – A web bug in a spam message written in HTML may cause the recipient’s email client to transfer its email address
  – Unsubscribing from a service

• Send messages anonymously
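
An added example, not from the slides: the client-side check that defeats the web-bug trick on this slide. The HTML message it scans is constructed; the heuristics (a remote resource fetched on render that is 1x1 or hidden, or whose URL carries a per-recipient token) are this example's own, and the safe default a real client applies is simply to fetch no remote resource until the user asks.

```python
"""Added example (not from the slides): find remote resources in an HTML message
that behave like web bugs, so a client can refuse to fetch them on render."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message: a visible logo, a 1x1 tracking pixel carrying a
# per-recipient token, and an inline (cid:) image that causes no network request.
SAMPLE = """<html><body>
<p>Congratulations! Click <a href="https://promo.example/offer">here</a>.</p>
<img src="https://promo.example/logo.png" width="200" height="60">
<img src="https://track.example/open?rid=5f3a9c2e7b1d4e0f9a8b7c6d" width="1" height="1">
<img src="cid:inline-logo">
</body></html>"""

TOKEN_KEYS = {"id", "uid", "rid", "e", "email", "u", "r"}          # this example's own list
OPAQUE_PATH = re.compile(r"/[A-Za-z0-9_-]{16,}(?:[/.]|$)")          # long opaque path segment


class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []        # every http(s) resource the client would fetch on render
        self.suspicious = []    # the subset that looks like a tracking beacon

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") if tag in ("img", "iframe") else None
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            src = a.get("href")
        if not src:
            return
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return                          # cid:/data: content never leaves the client
        self.remote.append(src)
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        query = parse_qs(url.query)
        tokenised = (any(k.lower() in TOKEN_KEYS for k in query)
                     or any(len(v[0]) >= 16 for v in query.values())
                     or bool(OPAQUE_PATH.search(url.path)))
        if tiny or hidden or tokenised:
            self.suspicious.append(src)


def find_beacons(html):
    """Return the remote resources in the message and those that look like web bugs."""
    finder = BeaconFinder()
    finder.feed(html)
    return {"remote": finder.remote, "suspicious": finder.suspicious}


if __name__ == "__main__":
    report = find_beacons(SAMPLE)
    print("would be fetched on render:", report["remote"])
    print("look like web bugs:        ", report["suspicious"])
```

The logo is a remote fetch too, and fetching it already tells the sender that someone rendered the message; the tracking pixel adds the recipient-specific token that turns that fetch into "this address is live". Blocking all remote loads by default, as mail clients do, removes both signals; the heuristics above only help decide what to warn about when a user chooses to load images.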

Page 19: Reading List

• D. Boneh, The Difficulties of Tracing Spam Email, September 09, 2004

• M. Andreolini, A. Bulgarelli, M. Colajanni, and F. Mazzoni, HoneySpam: Honeypots fighting spam at the source, In Proc. USENIX SRUTI 2005, Cambridge, MA, July 2005.

• H. Tschabitscher, What Email Headers Can Tell You About the Origin of Spam

• Spam on Wikipedia