Upload
avery
View
42
Download
0
Tags:
Embed Size (px)
DESCRIPTION
AntiSpam Understanding the good, the bad and the ugly. By Aseem Jakhar. Confidential. About Me. Security and open source enthusiast. Have Worked on many enterprise security products. Have disclosed many security issues to banks/organizations. Speaker at security/open source conferences. - PowerPoint PPT Presentation
Citation preview
1
AntiSpam Understanding the good, the
bad and the ugly
By Aseem Jakhar
Confidential
2
About Me
Security and open source enthusiast.
Have Worked on many enterprise security products.
Have disclosed many security issues to banks/organizations.
Speaker at security/open source conferences.
Founder of NULL security community.
3
Agenda
What is Spam? Spam Side effects Difficult problem to solve Messaging Primer Getting inside a spammer’s mind Layered Security AntiSpam Technologies Exploiting the Loop Holes
4
What is spam?
No it’s not the Hormel product. No Standard definition. Differs on an individual basis. UBE, UCE. Ham: Non Spam.
5
Spam side effects
Bandwidth overload. Storage overload. Loss of End user productivity.
6
Difficult problem to solve
Human Factor Dynamic nature Coming from valid but
compromised source Best of buddies - Virus, worms,
trojans and spams i.e help each other in propagating
7
Messaging Primer
Sending emails
• SMTP- Simple Mail Transfer Protocol.
• MUA - Message User Agent (SMTP Clients – outlook).
• MSA – Message Submission Agent.
• MTA - Message Transfer Agent (SMTP Servers(clients) – sendmail).
• MDA - Message Delivery Agent (SMTP Server/Message Store). Retrieving emails
• POP - Post Office Protocol.
• IMAP - Internet Message Access Protocol. Email format
• Envelope and message
• MIME – Multipurpose Internet Mail Extensions
8
Path of a Message
MUA MSA/MTA MTA/MDAMTAs
Message StoreMUA
9
Email Format: Received Headers
Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Return-Path: <xxx@xxxx>
Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST)
Received-SPF: pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530
Received: …………….
Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
10
Email Format: Other headers
To: yyy@yyyy
Cc: xxx xxxx <xxx@xxxx>
MIME-Version: 1.0
Subject: email format - Attached jpeg image
X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971
Message-ID: <FOOBAR00000@xxxx>
From: xxx xxxx <xxx@xxxx>
Date: Thu, 10 Jan 2008 17:16:16 +0530
X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18
11
Email Format: MIME contd. And email Body
Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_="
--=_mixed 0040CB5E652573CC_=Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_=“
--=_alternative 0040CB60652573CC_= Content-Type: text/plain; charset="US-ASCII"
Hi, This is the email format with attached jpeg image
--=_alternative 0040CB60652573CC_=Content-Type: text/html; charset="US-ASCII"
<br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif"> This is the email format with attached jpeg image</font>……
--=_alternative 0040CB60652573CC_=-- --=_mixed 0040CB5E652573CC_= Content-Type: image/jpeg; name="Flower_1.jpg" Content-Disposition: attachment; filename="Flower_1.jpg" Content-Transfer-Encoding: base64
/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHYVHpRRW62Doj//Z --=_mixed 0040CB5E652573CC_=--
12
Getting inside a spammer’s mind
Intent• Marketing
• Phishing
• Malware
Execution• Gathering email addresses
• Hosting the web site
• Sending emails
13
Layered Security
Sever Layer(MTAs)• Network Boundary/Gateways.
• Mail routers.
• Message Store.
Client Layer(MUAs)• POP/IMAP/SMTP Proxies.
• Plugins.
No Single antidote.
14
Anti-Spam Technologies - ACLs
Blocklists• IP/domain/user
Whitelists• IP/domain/user
Types• Internal: Application
Specific
• External: Community/Paid servers
• DNSxLs – standard DNS queries.
15
Anti-Spam Technologies - ACLs
Greylisting• Something between whitelist and blocklist
• Exploiting the protocol for good reason.
• Temporary rejection with 4xy error code
• Basic 3 tuple information stored <IP><MFROM><RCPT>
16
Anti-Spam Technologies – Content Filtering
String/Regex filters• static, dumb.
Behavioural Filters• Look for specific
behaviour patterns
Bayesian filters• Intelligent, require
learning time.
• Accuracy decreases when deployed on server.
17
Anti-Spam Technologies – Content Filtering
Signature/fingerprint• Fuzzy(Nilsimsa code), good as an add-on.
OCR (Optical Character Recognition)• Image scanning, not efficient.
18
Anti-Spam Technologies – C/R
Challenge-Response systems• Recipient challenges the sender
• Bounce message/SMTP rejection
• URL click/CAPTCHA test/reply to bounce
• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
19
Anti-Spam Technologies – Sender Driven
SPF (Sender Policy Framework)- Anti-forgery- Uses DNS SPF/TXT records, IP, domain name of sender- Authorized Outbound SMTP for a domain
DKIM (Domain Keys Identified Mail)• Signed messages• Anti-forgery, as signing domain claims responsibility• Uses DNS TXT records, DKIM header• DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=; b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMn q+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=
20
Anti-Spam Technologies – Sender driven
HashCash• Proof of work by sender
• Hard to compute, easy to verify
• square root/square problem.
• Partial Hash collision (with Zero bits)
21
Anti-Spam Technologies - Heuristics
Heuristic filters• A combination of above
techniques• Defines rules, weights and
threshold(s)• Reduces +ve rate.
Reputation systems• Advanced heuristics to create
reputation.• Create reputation of IPs/Domains
sending messages
22
Exploiting the Loop Holes – Evading filters
ACLs: Greylisting• Simulating a simple queue thread with
4 tuple <MSGID><TIME><MFROM><RCPT>
• Resending after a predefined time.
Content Filtering• Run The message content through
filters/free email services• CAPTCHA effect for OCR
Subject: Never agree to be a loser
Buck up, your troubles caused by small dimension will soon be over!
Initiate a natural growth of your masculine muscle! http://veniutk=2Ecom/ control=2E All data was lost at T+5 minutes, 5
seconds=2Ethings happen=2E= We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three couples refused to pled= ge their
23
Exploiting the Loop Holes
Sender Driven• Creating hashcash (not efficient, not popular)
• Look for open relays with SPF, DKIM functionality.
• Bounce Messages from Valid domains
• Worms sending mails to local MTAs
24
Exploiting the Loop Holes
Reputation• Sending through free webmail accounts• Sample email sent directly and through valid webmail service• Sent directly: Spam mailbox• Through Webmail: Inbox (Bingo!!)
Subject: viagra soma cialis cheap rates oem software low mortgage rates
viagra soma cialis cheap rates low mortgage rates oem software for $1 penis enlargement for good sex live xxx videos
25
Exploiting the Loop Holes
Targeting low priority MX• Helps in bypassing filters altogether (if you are lucky that is :-P).
Mail Reconnaissance • Reading replies from valid (and invalid) addresses
• Exposes enormous amount of information
• Definitely a must for any Pen tester
26
References
SPF - http://www.ietf.org/rfc/rfc4408.txt DKIM - http://www.dkim.org/ SpamAssassin - http://spamassassin.apache.org/ Razor - http://razor.sourceforge.net/ CAPTCHA - http://www.captcha.net/ Bogofilter - http://bogofilter.sourceforge.net/ Mailwasher - http://www.mailwasher.net/ HashCash - http://www.hashcash.org/ Greylisting - http://greylisting.org/ Gartner report - http://news.zdnet.com/2100-9595_22-
955842.html DNSxLs -
http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl- 01.txt-16252.txt
27
Thanks
QA?
Contact me: null _a_t_ null . co . In
NULL is having an official meet on 7th Dec at ClubHack