270 likes | 431 Views
AntiSpam Understanding the good, the bad and the ugly. By Aseem Jakhar. Confidential. About Me. Security and open source enthusiast. Have Worked on many enterprise security products. Have disclosed many security issues to banks/organizations. Speaker at security/open source conferences.
E N D
AntiSpam Understanding the good, the bad and the ugly By Aseem Jakhar Confidential
About Me • Security and open source enthusiast. • Have Worked on many enterprise security products. • Have disclosed many security issues to banks/organizations. • Speaker at security/open source conferences. • Founder of NULL security community.
Agenda • What is Spam? • Spam Side effects • Difficult problem to solve • Messaging Primer • Getting inside a spammer’s mind • Layered Security • AntiSpam Technologies • Exploiting the Loop Holes
What is spam? • No it’s not the Hormel product. • No Standard definition. • Differs on an individual basis. • UBE, UCE. • Ham: Non Spam.
Spam side effects • Bandwidth overload. • Storage overload. • Loss of End user productivity.
Difficult problem to solve • Human Factor • Dynamic nature • Coming from valid but compromised source • Best of buddies - Virus, worms, trojans and spams i.e help each other in propagating
Messaging Primer • Sending emails • SMTP- Simple Mail Transfer Protocol. • MUA - Message User Agent (SMTP Clients – outlook). • MSA – Message Submission Agent. • MTA - Message Transfer Agent (SMTP Servers(clients) – sendmail). • MDA - Message Delivery Agent (SMTP Server/Message Store). • Retrieving emails • POP - Post Office Protocol. • IMAP - Internet Message Access Protocol. • Email format • Envelope and message • MIME – Multipurpose Internet Mail Extensions
Path of a Message MUA MSA/MTA MTAs MTA/MDA Message Store MUA
Email Format: Received Headers Received: by w.w.w.w with SMTP id foobar; Thu, 10 Jan 2008 04:04:07 -0800 (PST) Return-Path: <xxx@xxxx> Received: from xx.yy.com (xx.yy.com [x.x.x.x]) by zz.xx.com with ESMTP id foobar1; Thu, 10 Jan 2008 04:04:07 -0800 (PST) Received-SPF:pass (xyz.com: domain of xxx@xxxx designates x.x.x.x as permitted sender) client-ip=x.x.x.x; Received: from zz.com (zz.com [z.z.z.z]) by xx.yy.com (8.13.1/8.13.1) with ESMTP id foobar2 for <yyy@yyyy>; Thu, 10 Jan 2008 17:16:11 +0530 Received: ……………. Received: from aa.com (aa.com [a.a.a.a]) by bb.com (8.13.1/8.12.11) with ESMTP id foobar3 for <yyy@yyyy>; Thu, 10 Jan 2008 11:46:10 GMT
Email Format: Other headers To: yyy@yyyy Cc: xxx xxxx <xxx@xxxx> MIME-Version: 1.0 Subject: email format - Attached jpeg image X-Mailer: Lotus Notes Release X.Y.Z FOOO Jan 01, 1971 Message-ID: <FOOBAR00000@xxxx> From: xxx xxxx <xxx@xxxx> Date: Thu, 10 Jan 2008 17:16:16 +0530 X-MIMETrack: Serialize by Router on fooo/oo/bar/barfoo (Release x.y.z | Jan 01 1971) at 01/10/2008 17:16:18
Email Format: MIME contd. And email Body Content-Type: multipart/mixed; boundary="=_mixed 0040CB5E652573CC_=" --=_mixed 0040CB5E652573CC_= Content-Type: multipart/alternative; boundary="=_alternative 0040CB60652573CC_=“ --=_alternative 0040CB60652573CC_= Content-Type: text/plain; charset="US-ASCII" Hi, This is the email format with attached jpeg image --=_alternative 0040CB60652573CC_= Content-Type: text/html; charset="US-ASCII" <br><font size=2 face="sans-serif">Hi,</font> <br> <br><font size=2 face="sans-serif"> This is the email format with attached jpeg image</font>…… --=_alternative 0040CB60652573CC_=-- --=_mixed 0040CB5E652573CC_= Content-Type: image/jpeg; name="Flower_1.jpg" Content-Disposition: attachment; filename="Flower_1.jpg" Content-Transfer-Encoding: base64 /9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHY VHpRRW62Doj//Z --=_mixed 0040CB5E652573CC_=--
Getting inside a spammer’s mind • Intent • Marketing • Phishing • Malware • Execution • Gathering email addresses • Hosting the web site • Sending emails
Layered Security • Sever Layer(MTAs) • Network Boundary/Gateways. • Mail routers. • Message Store. • Client Layer(MUAs) • POP/IMAP/SMTP Proxies. • Plugins. • No Single antidote.
Anti-Spam Technologies - ACLs • Blocklists • IP/domain/user • Whitelists • IP/domain/user • Types • Internal: Application Specific • External: Community/Paid servers • DNSxLs – standard DNS queries.
Anti-Spam Technologies - ACLs • Greylisting • Something between whitelist and blocklist • Exploiting the protocol for good reason. • Temporary rejection with 4xy error code • Basic 3 tuple information stored <IP><MFROM><RCPT>
Anti-Spam Technologies – Content Filtering • String/Regex filters • static, dumb. • Behavioural Filters • Look for specific behaviour patterns • Bayesian filters • Intelligent, require learning time. • Accuracy decreases when deployed on server.
Anti-Spam Technologies – Content Filtering • Signature/fingerprint • Fuzzy(Nilsimsa code), good as an add-on. • OCR (Optical Character Recognition) • Image scanning, not efficient.
Anti-Spam Technologies – C/R • Challenge-Response systems • Recipient challenges the sender • Bounce message/SMTP rejection • URL click/CAPTCHA test/reply to bounce • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
Anti-Spam Technologies – Sender Driven • SPF (Sender Policy Framework) • Anti-forgery • Uses DNS SPF/TXT records, IP, domain name of sender • Authorized Outbound SMTP for a domain • DKIM (Domain Keys Identified Mail) • Signed messages • Anti-forgery, as signing domain claims responsibility • Uses DNS TXT records, DKIM header • DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=Ym0p23riCgT3uCfIGq+ubQUvvGjrTpD0McUL7kqm7KE=; b=m2RFjx6YEXdpluXfh4aZapRW5gIneKZW6jGvtXGaZTHxjFfXrC/2qq3A/W49WszZG6Pvq0HwNyTPi4B0kIsDhMtT6jbNcpOM/HVMNBzSkBpvgTDNlLLlPtjCHxNU4ydpA5SjMn q+v6EnNPu8vdf2ZbZvgPuSJa/AscbxjPdk+wA=
Anti-Spam Technologies – Sender driven • HashCash • Proof of work by sender • Hard to compute, easy to verify • square root/square problem. • Partial Hash collision (with Zero bits)
Anti-Spam Technologies - Heuristics • Heuristic filters • A combination of above techniques • Defines rules, weights and threshold(s) • Reduces +ve rate. • Reputation systems • Advanced heuristics to create reputation. • Create reputation of IPs/Domains sending messages
Exploiting the Loop Holes – Evading filters • ACLs: Greylisting • Simulating a simple queue thread with 4 tuple <MSGID><TIME><MFROM><RCPT> • Resending after a predefined time. • Content Filtering • Run The message content through filters/free email services • CAPTCHA effect for OCR Subject: Never agree to be a loser Buck up, your troubles caused by small dimension will soon be over! Initiate a natural growth of your masculine muscle! http://veniutk=2Ecom/ control=2E All data was lost at T+5 minutes, 5 seconds=2Ethings happen=2E= We just believed that he was going to berescuers at 11:00 a=2Em=2E EST=2E= {_BOOK_4in a retirement home=2EIn February, three couples refused to pled= ge their
Exploiting the Loop Holes • Sender Driven • Creating hashcash (not efficient, not popular) • Look for open relays with SPF, DKIM functionality. • Bounce Messages from Valid domains • Worms sending mails to local MTAs
Exploiting the Loop Holes • Reputation • Sending through free webmail accounts • Sample email sent directly and through valid webmail service • Sent directly: Spam mailbox • Through Webmail: Inbox (Bingo!!) Subject: viagra soma cialis cheap rates oem software low mortgage rates viagra soma cialis cheap rates low mortgage rates oem software for $1 penis enlargement for good sex live xxx videos
Exploiting the Loop Holes • Targeting low priority MX • Helps in bypassing filters altogether (if you are lucky that is :-P). • Mail Reconnaissance • Reading replies from valid (and invalid) addresses • Exposes enormous amount of information • Definitely a must for any Pen tester
References • SPF - http://www.ietf.org/rfc/rfc4408.txt • DKIM - http://www.dkim.org/ • SpamAssassin - http://spamassassin.apache.org/ • Razor - http://razor.sourceforge.net/ • CAPTCHA - http://www.captcha.net/ • Bogofilter - http://bogofilter.sourceforge.net/ • Mailwasher - http://www.mailwasher.net/ • HashCash - http://www.hashcash.org/ • Greylisting - http://greylisting.org/ • Gartner report - http://news.zdnet.com/2100-9595_22-955842.html • DNSxLs - http://www.potaroo.net/ietf/all-ids/draft-irtf-asrg-dnsbl- 01.txt-16252.txt
Thanks • QA? • Contact me: null _a_t_ null . co . In • NULL is having an official meet on 7th Dec at ClubHack