563.8.2 Spam
Sonia Jahid
University of Illinois
Fall 2007
Outline
• Definition
• Problem
• Spam Categories
• How email works: quick overview
• Why is spam still a problem?
• Spammers’ approach
Definition
• Submitting the same message to a large group of individuals in an effort to force the message onto people who would otherwise choose not to receive this message.
• A message is spam only if it is both Unsolicited and Bulk.
  • Unsolicited email is normal email (examples: first contact enquiries, job enquiries, sales enquiries)
  • Bulk email is normal email (examples: subscriber newsletters, customer communications, discussion lists)
What is spam: SpamLaws
What is spam: Spamhaus
Problem
• The statistics reported below are compiled from confidential data provided by participating MAAWG member service operators for Q1 2007.
MAAWG Email Metrics Report 07
Spam Categories
• According to information compiled by Spam Filter Review, email spam for 2006 can be categorized as shown in the table.
Evett 06
How Email Works: Quick Overview
helo test
250 mx1.mindspring.com Hello abc.sample.com [220.57.69.37], pleased to meet you
mail from: test@sample.com
250 2.1.0 test@sample.com... Sender ok
rcpt to: jsmith@mindspring.com
250 2.1.5 jsmith... Recipient ok
data
354 Enter mail, end with "." on a line by itself
from: test@sample.com
to:jsmith@mindspring.com
subject: testing
John, I am testing...
.
250 2.0.0 e1NMajH24604 Message accepted for delivery
quit
221 2.0.0 mx1.mindspring.com closing Connection
Connection closed by foreign host.
Brain
Why Is Spam Still a Problem?
• Spoofing
  • Email system design
  • Headers allow spoofing
• Identity concealing
  • Bot-networks
  • Open proxies
  • Open mail relays
  • Untraceable Internet connection
• Available bulk email tools
Boneh 04
Email System Design
• SMTP protocol provides no security
  • email is not private
  • can be altered en route
  • no way to validate the identity of the email source
• Use SMTP-AUTH?
  • Not a solution for spam
SMTP-AUTH
Email System Design
• Headers are unreliable and can be used for spoofing
• Insert fictitious email addresses in the From: lines
• Exception: the first (topmost) Received: header, which the receiving mail server adds itself
Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
MS: Mail Server
Tschabitscher
Identity Concealing: Bot-networks
• Compromised machines running malicious software
• Once infected, spammer can send spam from it
• The bot software hides itself and periodically checks for instructions from the human bot-network administrator
• Emails appear to come from legitimate users
• Example bot-networks:
  • Phatbot: largest reported bot-network to date, 400,000 drones
  • Bobax: assimilates machines with high speed Internet connection
Identity Concealing: Open Proxies
• An open proxy is one which will create connections for any client to any server, without authentication
• Possible for a computer to be running an open proxy server without knowledge of the computer's owner
• More difficult to detect when a chain of open proxies is used
Identity Concealing: Open Mail Relays
• An email server configured to allow anyone on the Internet to relay email through it.
• Network address of spammer appears in one of the Received: headers
• Spammers therefore add fake Received: headers to hide it
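As an added example (not from the slides), the script below applies the rule from the Email System Design slide and this one to the two Received: headers quoted there: it trusts only the topmost header, added by the receiving server (assumed here to be mail1.infinology.com), and walks downward, stopping at the first hop whose "by" host matches only the HELO name the client claimed rather than the address it really connected from, which is how a fake Received: line inserted below the genuine one shows up.

```python
import re
from email import message_from_string

# Constructed sample: the two Received: headers quoted on the slide, topmost
# first (the topmost line is the one added last, by the receiving server).
SAMPLE_MESSAGE = """\
Received: from unknown (HELO 38.118.132.100) (62.105.106.207)
  by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>;
  Sun, 16 Nov 2003 13:38:22 -0600
Subject: testing

John, I am testing...
"""
OUR_MTA = "mail1.infinology.com"  # assumption: the server whose header we trust

# Pieces of "from <claimed> [(HELO <helo>)] [(<ip>)] by <by>" that we need.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"(?:\s+\(\[?(?P<ip>\d+\.\d+\.\d+\.\d+)\]?\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(value):
    """Unfold one Received: value and pull out claimed name, HELO, IP and 'by' host."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    return {k: (v.strip("[]") if v else None) for k, v in m.groupdict().items()}

def trace_origin(message_text, trusted_mta):
    """Walk Received: headers top-down. Returns (origin_ip, findings)."""
    msg = message_from_string(message_text)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    findings = []
    if not hops or hops[0]["by"].lower() != trusted_mta.lower():
        findings.append("topmost Received: header was not added by our own server")
        return None, findings
    origin = hops[0]["ip"]  # the only address our own server observed directly
    findings.append(f"{trusted_mta} accepted the message from {origin}")
    for prev, hop in zip(hops, hops[1:]):
        if hop["by"] == prev["ip"]:
            findings.append(f"'by {hop['by']}' matches the observed IP: plausible hop")
            continue
        why = "matches only the HELO name" if hop["by"] == prev["helo"] else "matches neither IP nor HELO"
        findings.append(f"'by {hop['by']}' {why}; client really connected from "
                        f"{prev['ip']}: this and all lower headers are untrusted")
        break
    return origin, findings
```

On the sample the trace stops at the second header: 38.118.132.100 was only what the client said in HELO, so the hop "from [235.16.47.37]" cannot be relied on and 62.105.106.207 is the furthest point that can be traced.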
Combining Open Proxy and Open Relay
• Establish TCP connection with Open Proxy1
• Connect with Open Proxy2
• Send email to Open Relay through this chain
• Forward to destination SMTP server
Andreolini Bulgarelli Colajanni Mazzoni 05
Identity Concealing: Untraceable Internet Connection
• Public Internet cafes
• Free/stolen wireless connections
• Connections not needing identifying users
• Need not hide network address
• Send email directly to spam recipients
• No way to associate email accounts with the spammer
Available Bulk Email Tools
• Designed to generate and send about 500,000 emails per hour while hiding spammers’ identity
• Send-safe
  • Search for open proxies, open relays
  • Download updated list of open proxies
  • Distribute email load over multiple open proxies
  • Periodically verify if open proxies are working properly
• Massive-mailer
• Dark-mailer
Spammers’ Approach
• Gather addresses
  • Email harvesting from the web
  • Gather email addresses from newsgroups
  • DNS and WHOIS system
  • Buy data from 3rd party
  • Generally spam-bots are used for email harvesting
• What makes it easy?
  • Published email addresses
Andreolini Bulgarelli Colajanni Mazzoni 05
Spammers’ Approach
• Verify addresses
  • A web bug in a spam message written in HTML may cause the recipient’s email client to transfer its email address
  • Unsubscribing from a service
• Send messages anonymously
Reading List
• D. Boneh, The Difficulties of Tracing Spam Email, September 09, 2004.
• M. Andreolini, A. Bulgarelli, M. Colajanni, and F. Mazzoni, HoneySpam: Honeypots Fighting Spam at the Source, in Proc. USENIX SRUTI 2005, Cambridge, MA, July 2005.
• H. Tschabitscher, What Email Headers Can Tell You About the Origin of Spam.
• Spam on Wikipedia.