Final Lab - Spam

Page 1: Final Lab - Spam

Final Lab - Spam

Group 10: Scott Durr

Stephen Thompson

Page 2: Final Lab - Spam

Outline
• Introduction
• Set up
• Obtaining Email Addresses
• Sending Mass Emails
• Filtering & Stopping Spam

Page 3: Final Lab - Spam

Introduction
Almost 90% of email is now considered Spam!
– Messaging Anti-Abuse Working Group Report #6, Oct 2007

• Huge drain on resources
• Strains the infrastructure
• Distracts/Annoys us all
• Major delivery mechanism for Malware!

Page 4: Final Lab - Spam

The Costs
• The State of California estimates Spam cost the state's economy $1.2 billion in 2003. They estimate the entire US suffered a $10 billion loss in that same year.
– http://www.spamlaws.com/state/ca.shtml

• That was in 2003…

Page 5: Final Lab - Spam

Our Set Up

Servers:
– Host Machine: 57.35.6.131
– RedHat7.2 Machine: 57.35.6.132

Clients:
– WinXP: 57.35.6.133
– WinXP2: 57.35.6.134

Page 6: Final Lab - Spam

Major Software Packages
• Apache2 Web Server
• Sendmail Email Server w/ SpamAssassin
– Included on lab installs of Redhat 7.2 and Redhat WS 4.0
• Qpopper
– POP3 server
• PINE
• Outlook Express
– Included with WinXP
• Evolution
– Included with RedHat
• Spam software:
– Atomic Email Hunter & Atomic Email Sender

Page 7: Final Lab - Spam

Two Email Servers
• Set up with slightly different rules for comparison
• Were NOT able to SMTP between Sendmail servers because Sendmail MUST have DNS running in order to find other servers.
– We didn't want to tackle the additional setup.
– We could accomplish what we wanted without it.

Page 8: Final Lab - Spam

Obtaining Email Addresses
• Many different methods, but we focus on:
– Email address spider
– Anonymous FTP trick
– Verification of Email addresses at the server

Page 9: Final Lab - Spam

Email Address Spiders
• Crawl the web and copy anything that looks like an email address.
• Implemented a basic one with wget and grep, using a regular expression:

wget -rFO lotsofhtml.txt http://localhost/
egrep -rhoie '[[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3}' lotsofhtml.txt

That regex is: [[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3}

• Example

Page 10: Final Lab - Spam

"Atomic Email Hunter"
• Commercial Windows program that implements an email address spider.
• Tested on the same dummy websites as our homemade one.
• Has a lot more features.

Page 11: Final Lab - Spam
Page 12: Final Lab - Spam

Anonymous FTP
• A throwback from the days of old: Anonymous FTP logins require an email address as a password!
• Set up your web page to fetch images via FTP instead of HTTP, and some browsers will cough up an email address.
• Tested on Mozilla and IE: they give dummy addresses.

Page 13: Final Lab - Spam

Verifying Email Addresses
• Why is this important?
– A "good" email list will minimize alerts that might catch the spammer.
– Allows for a 'guess and test' method of email address discovery.
• VRFY and EXPN
– Ask the server if an address is good (VRFY)
– Ask the server about an alias/list (EXPN)
– Disable these!

Page 14: Final Lab - Spam

Verifying Email Addresses
• During the SMTP exchange, you pass a "TO" address to the server. It will come back and tell you if it is good!
• Email headers implemented by many clients:

Return-Receipt-To: <email-address>
X-Confirm-Reading-To: <email-address>

Make sure you disable these as defaults in Outlook and others!

Page 15: Final Lab - Spam

Defeating those Email Spiders
• Two choices
– Hide your email address
– Actively counter spiders

Page 16: Final Lab - Spam

Hide your email address
• Use a script to return an email address instead of putting the address in the page source.
• ECE does this for their faculty!
• Great example, courtesy of Mr. Tim Williams at U. Arizona: http://www.u.arizona.edu/~trw/spam/spam4.htm

Page 17: Final Lab - Spam

WPoison
• Available at http://www.monkeys.com/wpoison/
• Actively thwarts spiders by generating random pages with more links and email addresses.
• Each link leads right back to WPoison!
– Run the spider in a circle, filling it with garbage.
– We have a video

Page 18: Final Lab - Spam

WPoison Movie

Page 19: Final Lab - Spam

Sending Mass Emails
• Methods
1. Use your own (school/ISP) SMTP server
• You will probably get caught and shut down!
2. Use another, third-party SMTP server
• You will probably be blocked from relaying
3. Connect directly to the recipient's server
• This takes some work, and you might get blacklisted
4. Do any of the above via a Bot Net
• Even if you get caught, you don't get blocked!

Page 20: Final Lab - Spam

Our Simulations

Servers:
– Host Machine: 57.35.6.131
– RedHat7.2 Machine: 57.35.6.132

Clients:
– WinXP: 57.35.6.133
– WinXP2: 57.35.6.134
– Fictional yahoo.com

Scenarios shown in the diagram:
– Method #1: Use your SMTP Server
– Method #2: Use a Third Party SMTP Server
– Method #3: Connect Directly to Victim's SMTP Server
– Method #4: Bot Net

Page 21: Final Lab - Spam

Mass Email Countermeasures
• Limit who can send on your server
– Only users on the domain can "RELAY"
– Use a blacklist to prevent connections from known spammers
• Filter messages as they come in

Page 22: Final Lab - Spam
Page 23: Final Lab - Spam

SpamAssassin
• Open source & extremely common
• Very complex
– Lots of rules
– Uses scores to determine what is spam
– Has learning capabilities
• Can connect to services to receive rules and blacklists
– www.spamhaus.org
• More info at: http://spamassassin.apache.org

Page 24: Final Lab - Spam

SpamAssassin in the Lab
• We walk through the setup of some basic rules.

required_score 5
report_safe 0
rewrite_header Subject [**SPAM** _SCORE_]

body FIRST_RULE /BUY ME/
describe FIRST_RULE Check if "BUY ME" is in the body
score FIRST_RULE 4.0

header SECOND_RULE Subject =~ /Cheap/
describe SECOND_RULE Check if Cheap is in the subject line
score SECOND_RULE 4.0

body THIRD_RULE /Safe/i
describe THIRD_RULE Check for Safe to make it safe
score THIRD_RULE -10.0

# Blacklist all mail from domain spam.org
blacklist_from *.spam.org
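To show how the rules above combine into a verdict, here is an added Python re-implementation of the lab's rule set; it is not SpamAssassin's code and not part of the original presentation. It parses the body/header/score/blacklist_from lines, scores constructed sample messages against required_score 5, and applies the Subject rewrite; the sample messages, the glob matching and the 100-point USER_IN_BLACKLIST score are assumptions modelled on stock SpamAssassin behaviour.

```python
import email
import fnmatch
import re
from email.utils import parseaddr

# Constructed stand-in for the lab's local.cf, carrying the page's own rules one per line.
LOCAL_CF = """
required_score 5
body FIRST_RULE /BUY ME/
score FIRST_RULE 4.0
header SECOND_RULE Subject =~ /Cheap/
score SECOND_RULE 4.0
body THIRD_RULE /Safe/i
score THIRD_RULE -10.0
blacklist_from *.spam.org
"""
SAMPLE_SPAM = "From: deals@example.com\nSubject: Cheap pills\n\nBUY ME now\n"  # constructed
SAMPLE_HAM = "From: alice@example.com\nSubject: Cheap flights\n\nIt is safe to buy me a seat\n"

def parse_rules(cf):
    """Parse the subset of local.cf used on the page: body, header, score, blacklist_from."""
    rules, blacklist, required = {}, [], 5.0
    scores = {"USER_IN_BLACKLIST": 100.0}  # stock score for a blacklist_from hit (assumed)
    for line in cf.splitlines():
        p = line.split()
        if not p or p[0].startswith("#"):
            continue
        if p[0] == "required_score":
            required = float(p[1])
        elif p[0] in ("body", "header"):
            hdr = p[2] if p[0] == "header" else None  # header rules: NAME Header =~ /re/
            pat, flags = re.match(r"^/(.*)/([a-z]*)$", " ".join(p[4 if hdr else 2:])).groups()
            rules[p[1]] = (hdr, re.compile(pat, re.I if "i" in flags else 0))
        elif p[0] == "score":
            scores[p[1]] = float(p[2])
        elif p[0] == "blacklist_from":
            blacklist.extend(p[1:])
    return rules, scores, blacklist, required

def score_message(raw, cf=LOCAL_CF):
    """Return (total score, rule names hit, Subject after rewrite) for one RFC 822 message."""
    rules, scores, blacklist, required = parse_rules(cf)
    msg = email.message_from_string(raw)
    hits = [name for name, (hdr, rx) in rules.items()
            if rx.search(msg.get(hdr, "") if hdr else msg.get_payload())]
    if any(fnmatch.fnmatch(parseaddr(msg.get("From", ""))[1], g) for g in blacklist):
        hits.append("USER_IN_BLACKLIST")
    total = sum(scores.get(h, 1.0) for h in hits)  # unscored rules default to 1.0
    subject = msg.get("Subject", "")
    if total >= required:  # rewrite_header Subject [**SPAM** _SCORE_]
        subject = f"[**SPAM** {total:.1f}] {subject}"
    return total, hits, subject
```

Note that the page's glob *.spam.org matches a sender at mail.spam.org but not one at the bare spam.org; SpamAssassin would need *@spam.org to cover the whole domain.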

Page 25: Final Lab - Spam
Page 26: Final Lab - Spam

Your Last Line of Defense…
• The email client
• Web-based email clients can rapidly aggregate feedback and build more responsive filters.
• Gmail, Yahoo, Hotmail, etc.

Page 27: Final Lab - Spam

In the Lab Summary
• Set up Servers
• Harvest emails
– Email Address Spiders: wget/grep & Atomic
– FTP method
• Experiment with address verification
• Send mass emails through each scenario
– Use manual connection and Atomic Email Sender
• Implement some countermeasures
– RELAY limitations
– WPoison
– Hide Email Addresses
• Install, setup, and test SpamAssassin

Page 28: Final Lab - Spam

Questions?