Page 1: AntiSpam Understanding the good, the bad and the ugly

By Aseem Jakhar

Confidential

Page 2: About Me

Security and open source enthusiast.

Have worked on many enterprise security products.

Have disclosed many security issues to banks/organizations.

Speaker at security/open source conferences.

Founder of the NULL security community.

Page 3: Agenda

What is Spam?

Spam side effects

Difficult problem to solve

Messaging primer

Getting inside a spammer's mind

Layered security

AntiSpam technologies

Exploiting the loop holes

Page 4: What is spam?

No, it's not the Hormel product.

No standard definition: what counts as spam differs from one recipient to another.

UBE (Unsolicited Bulk Email), UCE (Unsolicited Commercial Email).

Ham: non-spam.

Page 5: Spam side effects

Bandwidth overload.

Storage overload.

Loss of end-user productivity.

Page 6: Difficult problem to solve

Human factor.

Dynamic nature.

Coming from valid but compromised sources.

Best of buddies: viruses, worms, trojans and spam help each other propagate (the malware builds the botnet, the botnet sends the spam that spreads the malware).

Page 7: Messaging Primer

Sending emails

• SMTP - Simple Mail Transfer Protocol.

• MUA - Mail User Agent (the SMTP client, e.g. Outlook).

• MSA - Mail Submission Agent (accepts mail from MUAs, usually on port 587, and hands it to an MTA).

• MTA - Mail Transfer Agent (SMTP server that also acts as an SMTP client when relaying to the next hop, e.g. sendmail).

• MDA - Mail Delivery Agent (final-hop SMTP server that writes the message into the message store).

Retrieving emails

• POP - Post Office Protocol.

• IMAP - Internet Message Access Protocol.

Email format

• Envelope (SMTP MAIL FROM / RCPT TO) and message (headers and body).

• MIME - Multipurpose Internet Mail Extensions.

Page 8: Path of a Message

MUA -> MSA/MTA -> MTAs -> MTA/MDA -> Message Store -> MUA

Page 9: Email Format: Received Headers

Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)

Return-Path: <xxx@xxxx>

Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)

Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x;

Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530

Received: …………….

Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT

Each MTA prepends its own Received: line, so the chain reads bottom-up: the lowest line is the first hop and the top line was added by the final receiving server. Only the lines added by your own MTAs can be trusted; the sending side can forge everything below them, which is why filters compare the HELO name, the reverse DNS in brackets and the connecting IP of each hop.

Page 10: Email Format: Other headers

To: yyy@yyyy

Cc: xxx xxxx <xxx@xxxx>

MIME-Version: 1.0

Subject: email format - Attached jpeg image

X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971

Message-ID: <FOOBAR00000@xxxx>

From: xxx xxxx <xxx@xxxx>

Date: Thu, 10 Jan 2008 17:16:16 +0530

X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18

Page 11: Email Format: MIME contd. and email body

Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="

--=_mixed 0040CB5E652573CC_=
Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="

--=_alternative 0040CB60652573CC_=
Content-Type: text/plain; charset="US-ASCII"

Hi, This is the email format with attached jpeg image

--=_alternative 0040CB60652573CC_=
Content-Type: text/html; charset="US-ASCII"

<br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif">&nbsp;This is the email format with attached jpeg image</font>……

--=_alternative 0040CB60652573CC_=--

--=_mixed 0040CB5E652573CC_=
Content-Type: image/jpeg; name="Flower_1.jpg"
Content-Disposition: attachment; filename="Flower_1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHYVHpRRW62Doj//Z

--=_mixed 0040CB5E652573CC_=--
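The Received chain of the "Received Headers" slide and the MIME tree of this slide, walked by code. This is an added example, not part of the deck: the message below is constructed to mirror the slides' layout with documentation hostnames and RFC 5737 addresses in place of the redacted w.w.w.w / xx.yy.com values, and the forged-hop check (HELO name versus the reverse DNS the receiving MTA recorded) is the editor's addition.

```python
import email
import re
from email import policy

# Constructed sample modelled on slides 9-11; hosts/IPs are documentation values.
RAW_MESSAGE = """\
Received: by 192.0.2.10 with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Return-Path: <sender@example.org>
Received: from mx.example.org (mx.example.org [192.0.2.20]) by mail.example.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received-SPF: pass (example.com: domain of sender@example.org designates 192.0.2.20 as permitted sender) client-ip=192.0.2.20;
Received: from relay.example.org (relay.example.org [198.51.100.5]) by mx.example.org (8.13.1/8.13.1) with ESMTP id foobar2 for <rcpt@example.com>; Thu, 10 Jan 2008 17:16:11 +0530
Received: from notes.example.org (notes.example.org [203.0.113.7]) by relay.example.org (8.13.1/8.12.11) with ESMTP id foobar3 for <rcpt@example.com>; Thu, 10 Jan 2008 11:46:10 GMT
To: rcpt@example.com
MIME-Version: 1.0
Subject: email format - Attached jpeg image
Message-ID: <FOOBAR00000@example.org>
From: Sender <sender@example.org>
Date: Thu, 10 Jan 2008 17:16:16 +0530
Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="

--=_mixed 0040CB5E652573CC_=
Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_="

--=_alternative 0040CB60652573CC_=
Content-Type: text/plain; charset="US-ASCII"

Hi, This is the email format with attached jpeg image

--=_alternative 0040CB60652573CC_=
Content-Type: text/html; charset="US-ASCII"

<br><font size=2 face="sans-serif">Hi,</font>

--=_alternative 0040CB60652573CC_=--

--=_mixed 0040CB5E652573CC_=
Content-Type: image/jpeg; name="Flower_1.jpg"
Content-Disposition: attachment; filename="Flower_1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoH

--=_mixed 0040CB5E652573CC_=--
"""

# "from <helo> (<rdns> [<ip>]) by <host>": what a receiving MTA records about its peer.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def parse_received(value):
    """One Received: header -> dict(helo, rdns, ip, by), or None if it has no 'from' clause."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"]}


def received_hops(msg):
    """Hops in delivery order. Every MTA prepends its line, so header order is
    newest-first; reversing it yields the path the message actually took."""
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h]


def forged_hops(hops):
    """Hops whose HELO name disagrees with the reverse DNS the receiver recorded."""
    return [h for h in hops if h["rdns"] and h["helo"].lower() != h["rdns"].lower()]


def mime_parts(msg):
    """Flatten the MIME tree into (content_type, filename, decoded_length) tuples."""
    out = []
    for part in msg.walk():
        if part.is_multipart():
            out.append((part.get_content_type(), None, 0))
        else:
            payload = part.get_payload(decode=True) or b""   # undoes base64/QP
            out.append((part.get_content_type(), part.get_filename(), len(payload)))
    return out


def attachments(msg):
    """(filename, raw bytes) for every non-body part of the message."""
    return [(p.get_filename(), p.get_payload(decode=True)) for p in msg.iter_attachments()]


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    for hop in received_hops(msg):
        print(f"{hop['helo']} [{hop['ip']}] -> {hop['by']}")
    for part in mime_parts(msg):
        print(part)
```

The decoded JPEG starts with the bytes FF D8 FF E0 (JFIF), which is what a filter checks instead of trusting the declared image/jpeg type or the .jpg filename.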

Page 12: Getting inside a spammer's mind

Intent

• Marketing

• Phishing

• Malware

Execution

• Gathering email addresses

• Hosting the web site

• Sending emails

Page 13: Layered Security

Server layer (MTAs)

• Network boundary/gateways.

• Mail routers.

• Message store.

Client layer (MUAs)

• POP/IMAP/SMTP proxies.

• Plugins.

No single antidote.

Page 14: Anti-Spam Technologies - ACLs

Blocklists

• IP/domain/user

Whitelists

• IP/domain/user

Types

• Internal: application specific.

• External: community/paid servers.

• DNSxLs (DNSBL/DNSWL): block/allow lists published in DNS and queried with standard DNS lookups.

Page 15: Anti-Spam Technologies - ACLs

Greylisting

• Something between whitelist and blocklist.

• Exploiting the protocol for a good reason: SMTP requires a sender to queue and retry after a temporary failure, and most spam engines do not.

• Temporary rejection with a 4xx error code (e.g. 451).

• Basic 3-tuple information stored: <IP><MFROM><RCPT>.
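The greylisting policy above as a small, testable decision function. This is an added example, not code from the deck or from any greylisting implementation: the delay, retry window and retention values are assumed (typical defaults, tunable), and the `retrying_sender` helper models both a legitimate MTA queue and the spammer's "resend after a predefined time" thread described on the later "Evading filters" slide, which is why a retrying spammer gets through just as a real MTA does.

```python
import time

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 Recipient ok"


class Greylist:
    """Greylisting keyed on the slide's triplet <IP><MFROM><RCPT>.

    First sight of a triplet is deferred with a 4xx reply. A retry after
    min_delay seconds, but before the pending entry expires, is accepted and
    the triplet is remembered for `keep` seconds. Values are assumed defaults.
    """

    def __init__(self, min_delay=300, retry_window=4 * 3600, keep=36 * 24 * 3600):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.keep = keep
        self.pending = {}  # triplet -> first seen (unix time)
        self.passed = {}   # triplet -> last seen

    @staticmethod
    def triplet(ip, mail_from, rcpt_to):
        return (ip, mail_from.lower(), rcpt_to.lower())

    def expire(self, now):
        """Forget senders that never retried, and whitelist entries that went idle."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.retry_window}
        self.passed = {k: t for k, t in self.passed.items() if now - t <= self.keep}

    def check(self, ip, mail_from, rcpt_to, now=None):
        """Decide the SMTP reply for one RCPT TO; `now` is injectable for tests."""
        now = time.time() if now is None else now
        self.expire(now)
        key = self.triplet(ip, mail_from, rcpt_to)
        if key in self.passed:
            self.passed[key] = now
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now          # unknown triplet: defer
            return TEMP_FAIL
        if now - first_seen < self.min_delay:
            return TEMP_FAIL                 # retried too soon: keep deferring
        del self.pending[key]
        self.passed[key] = now
        return ACCEPT


def retrying_sender(greylist, ip, mail_from, rcpt_to, start, retry_after, attempts=3):
    """A sender that re-queues and retries after a fixed delay (a real MTA, or a
    spammer's queue thread). Returns the replies it received."""
    replies, t = [], start
    for _ in range(attempts):
        reply = greylist.check(ip, mail_from, rcpt_to, now=t)
        replies.append(reply)
        if reply == ACCEPT:
            break
        t += retry_after
    return replies
```

Fire-and-forget spam engines never come back, so their triplet expires from `pending` without ever being accepted; the cost is a delay of at least `min_delay` on the first message from every new legitimate correspondent.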

Page 16: Anti-Spam Technologies - Content Filtering

String/regex filters

• Static, dumb.

Behavioural filters

• Look for specific behaviour patterns.

Bayesian filters

• Intelligent, require learning time.

• Accuracy decreases when deployed on the server, because one shared corpus has to fit every user's mail instead of one user's.
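A Bayesian filter small enough to read in full, added here as an example (not the deck's code, nor any particular product's): a per-token naive Bayes classifier with Laplace smoothing, trained on a constructed eight-message corpus. The training texts, the 0.9 spam threshold and the tokenizer are assumptions. The `spam_probability` of a padded message also shows the "word salad" trick from the later "Evading filters" slide: appending ham-looking words drags the probability down.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z$][a-z0-9$']+")


def tokenize(text):
    """Set of tokens in a message (presence, not frequency, is what we count)."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Naive Bayes over token presence (Bernoulli model).

    train() records in how many messages of each class a token appeared;
    spam_probability() combines the per-token likelihoods of a new message.
    Tokens never seen in training carry no evidence and are ignored.
    """

    def __init__(self):
        self.doc_count = {"spam": 0, "ham": 0}
        self.token_docs = {"spam": Counter(), "ham": Counter()}

    def train(self, label, text):
        self.doc_count[label] += 1
        self.token_docs[label].update(tokenize(text))

    def _log_score(self, label, tokens):
        n = self.doc_count[label]
        score = math.log((n + 1) / (sum(self.doc_count.values()) + 2))  # class prior
        for tok in tokens:
            # Laplace-smoothed P(token present | class)
            score += math.log((self.token_docs[label][tok] + 1) / (n + 2))
        return score

    def spam_probability(self, text):
        known = set(self.token_docs["spam"]) | set(self.token_docs["ham"])
        tokens = tokenize(text) & known
        spam = self._log_score("spam", tokens)
        ham = self._log_score("ham", tokens)
        diff = max(-500.0, min(500.0, ham - spam))  # avoid overflow in exp()
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text, threshold=0.9):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus; a real deployment learns from thousands of messages.
SPAM_CORPUS = [
    "viagra soma cialis cheap rates oem software low mortgage rates",
    "cheap oem software for $1 low mortgage rates",
    "penis enlargement pills cheap viagra",
    "live xxx videos cheap rates",
]
HAM_CORPUS = [
    "meeting moved to 3pm please review the attached agenda",
    "can you review my patch for the parser bug",
    "lunch tomorrow? the agenda for the conference is attached",
    "the build is broken again, please fix the parser test",
]


def trained_filter():
    f = BayesFilter()
    for text in SPAM_CORPUS:
        f.train("spam", text)
    for text in HAM_CORPUS:
        f.train("ham", text)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for text in ("cheap viagra low rates", "please review the attached agenda"):
        print(f"{f.spam_probability(text):.3f} {f.classify(text)} {text!r}")
```

Because the classifier only weighs tokens it has seen, the spammer's countermeasure is to add tokens the filter has seen in ham; the defence is continued training on the spam that gets through, which turns the padding words into weaker evidence over time.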

Page 17: Anti-Spam Technologies - Content Filtering

Signature/fingerprint

• Fuzzy hashing (Nilsimsa code), so that small edits to a known spam still match; good as an add-on.

OCR (Optical Character Recognition)

• Image scanning, not efficient.

Page 18: Anti-Spam Technologies - C/R

Challenge-Response systems

• Recipient challenges the sender.

• Bounce message/SMTP rejection.

• URL click/CAPTCHA test/reply to bounce.

• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).

Page 19: Anti-Spam Technologies - Sender Driven

SPF (Sender Policy Framework)

• Anti-forgery for the envelope sender (the MAIL FROM domain).

• The domain owner publishes the authorized outbound SMTP hosts for the domain in DNS (TXT record, and at the time also the dedicated SPF record type); the receiver checks the connecting IP against that list.

DKIM (DomainKeys Identified Mail)

• Signed messages: the signing domain claims responsibility for the message.

• Anti-forgery for the body and the signed headers; the public key is published in a DNS TXT record under <selector>._domainkey.<domain> and the signature travels in the DKIM-Signature header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
  h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;
  bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=;
  b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMnq+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=
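SPF evaluation in code, added here as an example; it is not the deck's material and not a conforming RFC 4408 implementation (no macros, no redirect=/exp= modifiers, no DNS lookup limit beyond include depth). DNS is replaced by a constructed in-memory table with RFC 2606/5737 names and addresses so the example runs offline; the `check_sender` wrapper shows the envelope check a receiving MTA performs and the Received-SPF line it would add.

```python
import ipaddress

# Constructed in-memory "DNS" standing in for real lookups.
DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.5 a:smtp.mailhost.example ~all"],
    ("smtp.mailhost.example", "A"): ["203.0.113.7"],
    ("example.net", "TXT"): ["v=spf1 mx -all"],
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.25"],
    ("bad.example", "TXT"): ["v=spf1 ptr -all"],   # ptr is not implemented below
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None when it publishes none."""
    records = [r for r in lookup(domain, "TXT") if r.split()[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate the domain's SPF policy for the connecting IP.

    Returns pass/fail/softfail/neutral/none/permerror. Mechanisms ip4, ip6,
    a, mx, include and all are handled; anything else is a permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifier (redirect=, exp=), not handled in this example
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(target, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(target, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            # include matches only when the referenced policy returns pass;
            # its fail/softfail do not propagate
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # no mechanism matched and no explicit "all"


def check_sender(mail_from, ip):
    """SPF on the SMTP envelope: MAIL FROM domain versus the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_host(ip, domain)
    header = f"Received-SPF: {result} (domain of {mail_from}, client-ip={ip})"
    return result, header


if __name__ == "__main__":
    for sender, ip in (("sender@example.org", "192.0.2.20"), ("sender@example.org", "203.0.113.99")):
        print(check_sender(sender, ip)[1])
```

Note what SPF does not cover: a message relayed through an open relay that is itself listed in some domain's record, or sent through a webmail provider, passes SPF for that domain, which is exactly the angle the "Exploiting the Loop Holes" slides take.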

Page 20: Anti-Spam Technologies - Sender driven

HashCash

• Proof of work by the sender: the sender spends CPU time minting a stamp for each recipient, the receiver verifies it with a single hash.

• Hard to compute, easy to verify (like the square root/square problem).

• Partial hash collision: the SHA-1 of the stamp must start with a given number of zero bits.
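Minting and verifying a stamp, as an added example written for this page rather than taken from the hashcash project: the stamp layout follows the hashcash v1 format (version:bits:date:resource:ext:rand:counter) and the work is the search for a counter whose SHA-1 has the required leading zero bits. The double-spend database is the part receivers tend to forget; without it a spammer mints one stamp per recipient and reuses it for every message.

```python
import base64
import hashlib
import os
import time


def leading_zero_bits(digest):
    """Number of zero bits at the start of a digest (the 'partial collision')."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource, bits=20, date=None, rand=None):
    """Search for a counter so that SHA-1(stamp) has `bits` leading zero bits.

    Expected cost is about 2**bits hashes: this is the sender's proof of work.
    """
    date = date or time.strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(6)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, min_bits=20):
    """One hash: check version, that the stamp was minted for us, and that the
    claimed work (at least min_bits) was actually done."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or fields[3] != resource:
        return False
    try:
        claimed = int(fields[1])
    except ValueError:
        return False
    if claimed < min_bits:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed


class StampDB:
    """Double-spend database: a valid stamp is rejected the second time it is seen."""

    def __init__(self):
        self.seen = set()

    def accept(self, stamp, resource, min_bits=20):
        if stamp in self.seen or not verify(stamp, resource, min_bits):
            return False
        self.seen.add(stamp)
        return True


if __name__ == "__main__":
    started = time.time()
    stamp = mint("rcpt@example.com", bits=16)
    print(stamp, f"minted in {time.time() - started:.2f}s")
    print("verify:", verify(stamp, "rcpt@example.com", min_bits=16))
```

Production receivers also bound the date field (stamps older than a few days are refused) so that the double-spend set stays small; the counter argument on the next slides still stands, since a botnet has spare CPU to burn.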

Page 21: Anti-Spam Technologies - Heuristics

Heuristic filters

• A combination of the above techniques.

• Defines rules, weights and threshold(s).

• Reduces the false-positive rate, since no single rule can push a message over the threshold on its own.

Reputation systems

• Advanced heuristics to create reputation.

• Create reputation of IPs/domains sending messages.
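A rules-weights-threshold engine in the SpamAssassin style, added as an example (the rule names, scores and 5.0 threshold are invented for illustration; they are not SpamAssassin's). It pulls together checks from the earlier slides: keyword hits, the quoted-printable "=2E" dot obfuscation, a missing Message-ID, and the SPF/DKIM results recorded in headers. Each rule alone stays under the threshold; only their combination classifies.

```python
import re

DRUG_RE = re.compile(r"\b(viagra|cialis|soma|penis enlargement|mortgage rates)\b", re.I)

# (rule name, score, test(headers, body)). Header keys are lower-cased by score().
RULES = [
    ("SUBJ_DRUG_SPAM", 2.5, lambda h, b: DRUG_RE.search(h.get("subject", "")) is not None),
    ("BODY_DRUG_SPAM", 1.5, lambda h, b: DRUG_RE.search(b) is not None),
    ("BODY_QP_OBFUSCATED", 1.5, lambda h, b: "=2E" in b),          # "." hidden as =2E
    ("BODY_DOLLAR_PRICE", 0.8, lambda h, b: re.search(r"\$\d", b) is not None),
    ("MISSING_MESSAGE_ID", 1.0, lambda h, b: "message-id" not in h),
    ("SUBJ_ALL_CAPS", 1.0, lambda h, b: len(h.get("subject", "")) > 10 and h["subject"].isupper()),
    ("SPF_FAIL", 2.0, lambda h, b: h.get("received-spf", "").lower().startswith("fail")),
    ("SPF_PASS", -0.5, lambda h, b: h.get("received-spf", "").lower().startswith("pass")),
    ("DKIM_SIGNED", -0.5, lambda h, b: "dkim-signature" in h),
]
THRESHOLD = 5.0


def score(headers, body):
    """Total score and the list of (rule, points) that fired."""
    h = {k.lower(): v for k, v in headers.items()}
    hits = [(name, points) for name, points, test in RULES if test(h, body)]
    return round(sum(points for _, points in hits), 1), hits


def is_spam(headers, body):
    return score(headers, body)[0] >= THRESHOLD


# Constructed samples: the first reuses the subject/body from the webmail slide.
SPAM_SAMPLE = (
    {"Subject": "viagra soma cialis cheap rates oem software low mortgage rates",
     "Received-SPF": "fail (example.com: 203.0.113.9 is not a designated sender)"},
    "viagra soma cialis cheap rates oem software for $1 http://example=2Ecom/",
)
HAM_SAMPLE = (
    {"Subject": "email format - Attached jpeg image",
     "Message-ID": "<FOOBAR00000@example.org>",
     "Received-SPF": "pass (example.com: domain of sender@example.org designates 192.0.2.20)",
     "DKIM-Signature": "v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to:subject; bh=...; b=..."},
    "Hi, This is the email format with attached jpeg image",
)

if __name__ == "__main__":
    for headers, body in (SPAM_SAMPLE, HAM_SAMPLE):
        total, hits = score(headers, body)
        print(total, "spam" if total >= THRESHOLD else "ham", [n for n, _ in hits])
```

Reputation systems feed the same engine: a sending IP's history becomes one more weighted rule, which is why the "send through webmail" trick on a later slide works, the webmail provider's IPs carry a good reputation score.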

Page 22: Exploiting the Loop Holes - Evading filters

ACLs: Greylisting

• Simulating a simple queue thread with a 4-tuple <MSGID><TIME><MFROM><RCPT>.

• Resending after a predefined time, so the retry passes the greylist the way a legitimate MTA's retry would.

Content Filtering

• Run the message content through filters/free email services before sending, and tune it until it gets through.

• CAPTCHA effect for OCR: distort the text in the image so OCR reads nothing usable.

Sample (quoted-printable "=2E" is an encoded "." so the URL survives decoding but does not match a plain-string URL filter; the trailing random text is word salad meant to dilute Bayesian token statistics):

Subject: Never agree to be a loser

Buck up, your troubles caused by small dimension will soon be over!

Initiate a natural growth of your masculine muscle! http://veniutk=2Ecom/ control=2E All data was lost at T+5 minutes, 5

seconds=2Ethings happen=2E= We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three couples refused to pled= ge their

Page 23: Exploiting the Loop Holes

Sender Driven

• Creating hashcash (not efficient, not popular).

• Look for open relays with SPF, DKIM functionality, so the spam arrives with a valid sender-authentication result.

• Bounce messages from valid domains (backscatter: forge the victim as sender and let a legitimate MTA's bounce carry the payload).

• Worms sending mails to local MTAs (a compromised host inside the domain relays through the domain's own, authorized, MTA).

Page 24: Exploiting the Loop Holes

Reputation

• Sending through free webmail accounts.

• Sample email sent directly and through a valid webmail service:

• Sent directly: spam mailbox.

• Through webmail: inbox (Bingo!!).

Subject: viagra soma cialis cheap rates oem software low mortgage rates

viagra soma cialis cheap rates low mortgage rates oem software for $1 penis enlargement for good sex live xxx videos

Page 25: Exploiting the Loop Holes

Targeting low priority MX

• Helps in bypassing filters altogether (if you are lucky, that is :-P): backup MX hosts often run little or no filtering and then forward to the primary, which tends to trust them.

Mail Reconnaissance

• Reading replies (bounces, auto-responses) from valid and invalid addresses.

• Exposes an enormous amount of information: internal hostnames and IPs, MTA software and versions, the filtering products in the path.

• Definitely a must for any pen tester.

Page 26: References

SPF - http://www.ietf.org/rfc/rfc4408.txt

DKIM - http://www.dkim.org/

SpamAssassin - http://spamassassin.apache.org/

Razor - http://razor.sourceforge.net/

CAPTCHA - http://www.captcha.net/

Bogofilter - http://bogofilter.sourceforge.net/

Mailwasher - http://www.mailwasher.net/

HashCash - http://www.hashcash.org/

Greylisting - http://greylisting.org/

Gartner report - http://news.zdnet.com/2100-9595_22-955842.html

DNSxLs - http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl-01.txt-16252.txt

Page 27: Thanks

Q&A?

Contact me: null _a_t_ null . co . in

NULL is having an official meet on 7th Dec at ClubHack.