Learn how to deal with Joe Jobs and spam backscatter attacks effectively: the definition, amplifier implications and bounce verification technologies, with guidance on minimising noise and identifying valid users to improve email security.
1. NZNOG ’07: ‘Dealing with Joe Jobs’, or how to cope with spam backscatter attacks
2. Presentation Overview
Definition
Amplifier
Target
Bounce Verification Technologies
Issues to Consider
Questions
3. Joe Doll
Attack on Joe Doll, webmaster of Joe's Cyberpost.
User had their account removed for advertising spam
In retaliation, forged an email from Joe Doll
Caused joes.com to be DoS’ed [Jan 1997]
Also defined in Wayne's World as a sub-standard job
4. Definition
Your email address/domain used as the envelope sender in a spam run.
Your mail systems end up receiving
bounce messages
vacation/out-of-office notices
challenge-responses
etc.
Resulting in huge mail gateway, server and administrative overhead
5. Envelope Headers
$ telnet 192.168.1.1 25
Connected to 192.168.1.1
Escape character is '^]'.
220-mail70.yourcompany.com ESMTP
220 Welcome to yourcompany.com’s email system
helo domain.com
250 mail70.yourcompany.com
mail from: jane@domain.com
250 sender <jane@domain.com> ok
rcpt to: tracey@yourcompany.com
250 recipient <tracey@yourcompany.com> ok
data
354 go ahead
6. Email Structure
7. Why am I being Joe Job’ed?
The spammer is using your credentials to legitimise their marketing campaign
Spam
Phishing
Discredit your company (Competitive sabotage)
Random – In order to bypass reverse DNS lookup controls.
Side-effect of a mass-mailing virus
Blatant Denial of Service
8. Amplifier
9. How Amplification Works
10. Amplifier Implications
Addition to a DNSBL (MAPS/Spamhaus/Spamcop)
Denial of Service
Leaking of sensitive information
11. Amplification of NDR’s
Gateway accepts all email and relies on downstream servers to generate the NDR (non-delivery report)
RFC-821 requires an NDR for unsuccessful deliveries to a final destination
Notification to failed recipient + reason for the failure
Above + original email (or part of it)
Above + original email + all attachments
12. Further Amplification of NDR’s
For NDR's of messages sent to multiple recipients, RFC-821 provides two options
A single notification which lists all failed recipients of that failed message
Separate notification for each failed recipient
13. NDR Payload
Payload
Viruses
Spam
Large files
Zip-bombs
"With 105 outbound emails (containing 1000 invalid recipients) totalling 3.60MB of traffic we caused the mail servers under study to generate more than 80,000 emails, totalling 1.15GB of traffic" http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb
14. Lessening The Noise
Hard bounce mail for invalid recipients at the gateway
Limit the maximum number of recipients per message
Generate minimalistic NDR’s
Generate one NDR for all failed recipients
Send bounces from a server you can afford to have blacklisted
Disable NDR’s altogether… (maybe not)
15. Target
16. Target of a Phishing Attack
17. Example Phishing Message
mail-from: admin@bank.com
rcpt-to: <millions of users@domains>
subject: Your Account Details
18. Implications for the Target
Denial of Service
User inbox restrictions
Mail queues exploding / mail delays
Unhappy users
19. Invalid Users
Accept mail for valid users only
local_recipient_maps (postfix)
Recipient Access Table (Ironport RAT)
LDAP integration
Sometimes we don’t know who our valid users are or it can be too expensive to maintain.
Backend user directory incompatible with front-end MTA
This will stop backscatter for invalid addresses…
What about valid ones?
20. Valid Users
Message Headers
Received-from
Message-ID
Looking for signs that it didn’t actually leave your network in the first place
Resource Intensive
21. Bounce Verification Technologies
We can’t rely on session verification techniques
e.g. SPF
Bounce Verification
BATV (Bounce Address Tag Validation)
Authbounce
ABBS (Anti-Bogus-Bounce-Scheme)
SES (Signed Envelope Sender)
22. BATV (Bounce Address Tag Validation)
23. BATV Specification
The envelope sender address is signed.
mail-from: mailbox@domain.com becomes
mail-from: prvs=mailbox/tag-val@domain.com
tag-val = K DDD SSSSSS
K = key number
DDD = low 3 digits of the number of days since 1970 when the address will expire
SSSSSS = Hex of the first three bytes of the SHA-1 HMAC of <hash-source> and a key
hash-source = K DDD <orig-mailfrom>
orig-mailfrom = {original RFC2821.MailFrom address}
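The tagging scheme above, worked through as an added example (not BATV reference code or anything from the presentation): `batv_sign` rewrites an outbound envelope sender into the `prvs=mailbox/KDDDSSSSSS@domain` form shown on the slide, and `batv_verify` is what a gateway would run on the RCPT TO of an inbound null-sender message, rejecting untagged, forged or expired addresses. The secret key, the 30-day sanity window and the `/` separator are assumptions taken from the slide rather than from the later IETF draft.

```python
import hmac
import hashlib
import re
import time

# Constructed site secrets indexed by key number K; a deployment loads them from protected storage.
KEYS = {0: b"constructed-secret-key-0"}
MAX_LIFETIME_DAYS = 30  # tags claiming to expire further ahead than this are treated as bogus

# prvs=mailbox/KDDDSSSSSS@domain, the tagged form shown on the slide
TAG_RE = re.compile(
    r"^prvs=(?P<mailbox>[^/@]+)/(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-fA-F]{6})@(?P<domain>[^@]+)$"
)

def days_since_epoch(now=None):
    """Whole days since 1970-01-01 UTC, the day count the slide refers to."""
    return int((time.time() if now is None else now) // 86400)

def _tag_sig(k, ddd, orig_mailfrom, key):
    """SSSSSS: hex of the first three bytes of HMAC-SHA1 over hash-source = K DDD <orig-mailfrom>."""
    hash_source = f"{k}{ddd:03d}{orig_mailfrom}".encode()
    return hmac.new(key, hash_source, hashlib.sha1).hexdigest()[:6]

def batv_sign(orig_mailfrom, k=0, lifetime_days=7, today=None):
    """Rewrite the outbound envelope sender mailbox@domain into its tagged prvs= form."""
    mailbox, domain = orig_mailfrom.rsplit("@", 1)
    today = days_since_epoch() if today is None else today
    ddd = (today + lifetime_days) % 1000  # low 3 digits of the expiry day
    return f"prvs={mailbox}/{k}{ddd:03d}{_tag_sig(k, ddd, orig_mailfrom, KEYS[k])}@{domain}"

def batv_verify(rcpt, today=None):
    """Check the RCPT TO of an inbound null-sender (bounce); returns (accept, reason, original_mailfrom)."""
    m = TAG_RE.match(rcpt)
    if not m:
        return False, "untagged", None  # nothing we sent can bounce to an untagged address
    k, ddd, sig = int(m["k"]), int(m["ddd"]), m["sig"].lower()
    orig = f"{m['mailbox']}@{m['domain']}"
    key = KEYS.get(k)
    if key is None:
        return False, "unknown key", orig
    if not hmac.compare_digest(_tag_sig(k, ddd, orig, key), sig):
        return False, "bad signature", orig
    today = days_since_epoch() if today is None else today
    # only the low 3 digits of the expiry day are carried, so compare modulo 1000
    if (ddd - today) % 1000 > MAX_LIFETIME_DAYS:
        return False, "expired", orig
    return True, "ok", orig
```

Because the tag carries only the low three digits of the expiry day, the verifier needs an upper bound on the lifetime it will accept; otherwise a tag that expired 993 days ago would look like one expiring a week from now.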
24. BATV cont…
Supported on the following MTAs
netqmail
Ironport AsyncOS
Exim
Documentation available for other MTAs
Pursuing IETF standardisation
25. How Authbounce works
26. Authbounce for Exim
Addition of a signed X-Header:
X-bounce-key:example.net-1;you@example.com;1077198109;fb7e6ffa;
(1) A key identifier, typically the ISP's domain plus a number.
(2) The E-mail address to which a bounce may be sent.
(3) The time when the message was sent out. Bounces older than a certain age are ignored.
(4) 32-bit cryptographic checksum, calculated as a hash over (1), (2), (3) and a secret value.
27. ABBS (Anti-Bogus-Bounce-Scheme)
Similar to BATV
Signed envelope sender
mail-from: user-b@b.example.com becomes
mail-from: user-b=timestamp-hmac@b.example.com
timestamp is time()
hmac is HMAC-SHA1-nn
Timeout defaults to 1296000 seconds (15 days)
Supported in qmail safari
28. SES (Signed Envelope Sender)
Challenge response system for SMTP
UDP call back service
Send hash value to the server that claims to have originated the message
If the query is positive, mail is accepted as valid; if not, it’s rejected
Website is dead, probably a good thing
29. Advantages / Disadvantages
BATV
− Modifies the envelope sender address
+ Stops invalid bounces after the rcpt-to header is received
Authbounce
+ Doesn’t modify the envelope sender address
− More overhead as X-headers need to be processed
ABBS
• BATV for qmail with a few differences
SES
− Project is dead?
30. Security Considerations
Cryptographic weaknesses
Replay attacks
31. Issues to Consider
Too many different standards, none settled on
CPU overhead for large mail volumes
All outbound messages tagged, all inbound checked
Greylisting (451)
Mailing lists validate on envelope sender
Challenge-Response systems
32. More Issues…
Legitimate DSNs are rejected unless the original mail has been sent via your server
Roaming users…
33. Knowing Your Environment
Which servers send out email?
34. Conclusion
Know and control your environment
Determine if you are an amplifier
Decide which technology fits best
Implement technology before you are targeted
35. Conclusion
You don’t want to be hacking up custom Sendmail rules at 3:00am:
# regex map: -a@MATCH makes a lookup return "@MATCH" when the local part looks like phishing bait
Kphishsrc regex -a@MATCH ^(customercare|customerssupport|customersupport|custservice|custsupport|infonum|online_support|onlinesupport|operate|operator|reference|support|supprefnum)(\-ref|\_ref|\-reference|\_reference|\-id|\_id)?(\-|\_)?[0-9]+$
SLocal_check_rcpt
R$*					$: $>Parse0 $>3 $1
R$+ < @ domain.co.nz. > $*		$: $(phishsrc $1 $)
# rejection rule completing the truncated ruleset (not on the original slide); reply text is a placeholder
R@MATCH					$#error $@ 5.1.1 $: "550 Recipient rejected"
36. Questions?
37. References
ABBS: http://msgs.securepoint.com/cgi-bin/get/qmail0403/161.html
Anti-Phishing Working Group: http://www.antiphishing.org/phishing_archive.html
Anti-spam Email Research: http://spamlinks.net/prevent-research.htm
Authbounce: http://psg.com/%7Ebrian/software/authbounce/configure-authbounce.txt
BATV: http://mipassoc.org/batv/
Mail Non-Delivery Notice Attacks: http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb
Postfix Backscatter Howto: http://www.postfix.org/BACKSCATTER_README.html
Signed Envelope Sender: http://www.advogato.org/proj/Signed%20Envelope%20Sender/
Sender Policy Framework: http://www.openspf.org/
Signed Return Address: http://www.tuffmail.com/backscatter.php
Why are auto responders bad?: http://www.spamcop.net/fom-serve/cache/329.html