1 / 19

563.8.2 Spam

563.8.2 Spam. Sonia Jahid University of Illinois Fall 2007. Outline. Definition Problem Spam Categories How email works: quick overview Why is spam still a problem? Spammers’ approach. Definition.

gudrun
Download Presentation

563.8.2 Spam

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 563.8.2Spam Sonia Jahid University of Illinois Fall 2007

  2. Outline • Definition • Problem • Spam Categories • How email works: quick overview • Why is spam still a problem? • Spammers’ approach

  3. Definition • Submitting the same message to a large group of individuals in an effort to force the message onto people who would otherwise choose not to receive this message. • A message is spam only if it is both Unsolicited and Bulk. • Unsolicited Email is normal email(examples: first contact enquiries, job enquiries, sales enquiries) • Bulk Email is normal email(examples: subscriber newsletters, customer communications, discussion lists) What is spam: SpamLaws What is spam: Spamhaus

  4. Problem The statistics reported below are compiled from confidential data provided by participating MAAWG member service operators for Q1 2007 MAAWG Email Metrics Report 07

  5. Spam Categories According to information compiled by Spam filter review, email spam for 2006 can be categorized as shown in the table Evett 06

  6. How Email Works: Quick Overview helo test 250 mx1.mindspring.com Hello abc.sample.com [220.57.69.37], pleased to meet you mail from: test@sample.com 250 2.1.0 test@sample.com... Sender ok rcpt to: jsmith@mindspring.com 250 2.1.5 jsmith... Recipient ok data 354 Enter mail, end with "." on a line by itself from: test@sample.com to:jsmith@mindspring.com subject: testing John, I am testing... . 250 2.0.0 e1NMajH24604 Message accepted for delivery quit 221 2.0.0 mx1.mindspring.com closing Connection Connection closed by foreign host. Brain

  7. Why Is Spam Still a Problem? • Spoofing • Email system design • Headers allow spoofing • Identity concealing • Bot-networks • Open proxies • Open mail relays • Untraceable Internet connection • Available bulk email tools Boneh 04

  8. Email System Design • SMTP protocol provides no security • email is not private • can be altered en route • no way to validate the identity of the email source • Use SMTP-AUTH ? • Not a solution for spam SMTP-AUTH

  9. Email System Design • Headers are unreliable, can be used for spoofing • Insert fictitious email addresses in the From: lines • Exception: first Received header Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000 Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600 MS: Mail Server Tschabitscher

  10. How Email Works: Quick Overview helo test 250 mx1.mindspring.com Hello abc.sample.com [220.57.69.37], pleased to meet you mail from: test@sample.com 250 2.1.0 test@sample.com... Sender ok rcpt to: jsmith@mindspring.com 250 2.1.5 jsmith... Recipient ok data 354 Enter mail, end with "." on a line by itself from: test@sample.com to:jsmith@mindspring.com subject: testing John, I am testing... . 250 2.0.0 e1NMajH24604 Message accepted for delivery quit 221 2.0.0 mx1.mindspring.com closing Connection Connection closed by foreign host. Brain

  11. Identity Concealing: Bot-networks • Compromised machines running malicious software • Once infected, spammer can send spam from it • The bot software hides itself and periodically checks for instructions from the human bot-network administrator • Emails appear to come from legitimate users • Example bot-networks: • Phatbot: largest reported bot-network to date, 400,000 drones • Bobax: assimilates machines with high speed Internet connection

  12. Identity Concealing: Open Proxies • An open proxy is one which will create connections for any client to any server, without authentication • Possible for a computer to be running an open proxy server without knowledge of the computer's owner • More difficult to detect when chain of open proxies used

  13. Identity Concealing: Open Mail Relays • An email server configured to allow anyone on the Internet to relay email through it. • Network address of spammer appears in one of the Received: headers • Add fake Received: headers

  14. Combining Open Proxy and Open Relay • Establish TCP connection with Open Proxy1 • Connect with Open Proxy2 • Send email to Open Relay through this chain • Forward to destination SMTP server Andreolini Bulgarelli Colajanni Mazzoni 05

  15. Identity Concealing: Untraceable Internet Connection • Public Internet cafes • Free/stolen wireless connections • Connections not needing identifying users • Need not hide network address • Send email directly to spam recipients • No way to associate email accounts with the spammer

  16. Available Bulk Email Tools • Designed to generate and send about 500, 000 emails per hour hiding spammers’ identity • Send-safe • Search for open proxies, open relays • Download updated list of open proxies • Distribute email load over multiple open proxies • Periodically verify if open proxies working properly • Massive-mailer • Dark-mailer

  17. Spammers’ Approach • Gather address • Email harvesting from web • Gather email address from newsgroups • DNS and WHOIS system • Buy data from 3rd party • Generally spam-bots used for email harvesting • What makes it easy? • Publish email addresses Andreolini Bulgarelli Colajanni Mazzoni 05

  18. Spammers’ Approach • Verify address • A web bug in a spam message written in HTML may cause recipient’s email client to transfer its email address • Unsubscribing from a service • Send messages anonymously

  19. Reading List • D. Boneh, The Difficulties of Tracing Spam Email, September 09, 2004 • M. Andreolini, A. Bulgarelli, M. Colajanni, and F. Mazzoni, HoneySpam: Honeypots fighting spam at the source, In Proc. USENIX SRUTI 2005, Cambridge, MA, July 2005. • H. Tschabitscher, What Email Headers Can Tell You About the Origin of Spam • Spam on Wikipedia

More Related