
Slicing Spam with Occam’s Razor

Chris Fleizach, Geoffrey M. Voelker, Stefan Savage. University of California, San Diego.


Presentation Transcript


  1. Introduction: Slicing Spam with Occam’s Razor
     Chris Fleizach, Geoffrey M. Voelker, Stefan Savage
     University of California, San Diego

  2. Introduction: Motivation
     • We all know spam is a blight on the Internet
       • Billions of spam messages sent every day
       • Millions of PCs have been harvested, sold and employed to send spam
     • Many existing anti-spam techniques: Why another one?
       • Existing solutions are complex and/or don’t impose a burden on spammers
       • There are billions of messages still being sent by many bots
     • Occam is an email authentication protocol that is:
       • Simple to deploy and administer
       • Forces senders to expose online resources
       • Designed to decrease the utility of spam bots

  3. Occam’s Razor: Occam’s Goals
     • Mail authentication aims to verify that the purported sender is the actual sender
       • Eliminates the ability to spoof a domain in an email message
     • We have studied authentication from the simplest angle possible:
       • Asking the sender.
     • For this reason, we refer to the protocol as the Occam protocol

  4. The Occam Protocol
     • Servers can keep logs for some time after they have been contacted in case of a failure on the other end
     • If a receiver does not get a response immediately, they can back off and rate limit, continuing to try to contact the server until a timeout

  5. Slicing Spam: Advantages
     • Ease of Administration
       • DKIM and SPF require administrators to insert keys into DNS
       • Easy for knowledgeable admins, hard for many small domain owners
       • Occam is just a software upgrade

  6. Slicing Spam: Advantages
     • Enhanced culpability
       • Occam authenticates the sender of a message much like SPF and DKIM
       • However, DKIM requires an expensive cryptographic operation on the receiving side
       • Occam forces the burden of authentication onto the sender of the message
       • A spammer can easily insert an SPF rule that allows all IP addresses to send email
       • Occam makes it harder to use a botnet to send spam

  7. Slicing Spam: Advantages
     • Real-time Validation
       • SPF and DKIM allow for caching of authentication data
       • Result is that senders need not be online while being authenticated
       • Occam requires that the authentication “work” be performed online and in a timely fashion
       • The spammer is forced to expose higher value, online resources, which can then be blacklisted

  8. Slicing Spam: Advantages
     • Anti-phishing Capabilities
       • An unexpected side-effect of Occam is that if any spammer tries to spoof a domain, the actual server has a method to determine who was being phished
       • The ability to notify customers being phished or take other actions can be a boon to popular phishing targets

  9. Slicing Spam: The Spammer Response
     • Put the bots to work
       • Spammers could try to use their bots to respond to the Occam protocol, but…
       • Occam uses the MX record, meaning bots
         • Must have an existing domain name with an MX record
         • Or be assigned a domain name or sub-domain
       • Bots must also be able to respond to incoming queries on low ports
       • Result:
         • Bots (and possibly botnet structure) are exposed, leading to blacklisting
         • Occam ensures using bots to send spam is difficult

  10. Slicing Spam: The Spammer Response
      • Centralization
        • Spammers could try to centralize the Occam reply, rather than distributing load
        • Spammers must keep track of Message-Ids and To fields
        • Need a server that can handle millions of queries
        • Exposes this higher value server to blacklisting
        • Spam campaign can be derailed if only one domain was used

  11. Slicing Spam: The Spammer Response
      • Using Occam as a DDoS Reflector
        • Internet miscreants could use Occam to cause other domains to surreptitiously DoS a server.
        • However, Occam does not enable DDoS amplification
        • Indeed, the Occam protocol is a low-overhead protocol, meaning other DDoS methods would be significantly more effective and attractive

  12. Slicing Spam: Disadvantages
      • Mobile Mailers
        • Some users send mail from hosts intermittently connected to the Internet and allow other servers to handle incoming mail
        • Occam would effectively end this practice.
        • However, we believe this flexibility in SMTP is abused more by spammers than used by legitimate mailers

  13. Implementation
      • We have developed a prototype implementation integrated with Sendmail.
        • Initial testing shows similar overhead to SPF (effectively very little)
      • Larger sites would roll their own solution
        • Naive solution: Centralize logging systems
        • A better solution: Use the domain name of the sending server in the Occam header.
          • Allow the sending servers to respond to queries.
          • No centralization needed.

  14. Conclusion: Questions and Answers
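
The behaviour described on slides 4, 8 and 10, as an added sketch that is not the authors' Sendmail prototype: the sender logs (Message-Id, To) pairs, and the receiver queries it, backing off until a timeout. The slides give no wire format, so the query is modelled as a plain function call; the class and function names, the doubling back-off and the example.org addresses are assumptions.

```python
import time

class SenderLog:
    """Sending server's log of the (Message-Id, To) pairs it really sent."""
    def __init__(self, retention_s):
        self.retention_s = retention_s
        self.sent = {}            # (message_id, rcpt) -> time logged
        self.spoof_targets = []   # recipients of mail forging our domain

    def record(self, message_id, rcpt, now):
        self.sent[(message_id, rcpt)] = now

    def confirm(self, message_id, rcpt, now):
        ts = self.sent.get((message_id, rcpt))
        if ts is None:            # never sent by us: note who was targeted
            self.spoof_targets.append(rcpt)
            return False
        return now - ts <= self.retention_s

def verify(query, message_id, rcpt, timeout_s=3600, sleep=time.sleep):
    """Receiver: ask the purported sender; back off on failure until timeout."""
    waited, delay = 0, 1
    while True:
        try:
            return "accept" if query(message_id, rcpt) else "reject"
        except ConnectionError:   # sender did not answer this attempt
            if waited + delay > timeout_s:
                return "timeout"
            sleep(delay)          # back off, doubling the wait each time
            waited, delay = waited + delay, delay * 2

def demo():
    log = SenderLog(retention_s=86400)
    log.record("<m1@example.org>", "alice@example.net", now=0)  # constructed data
    outages = iter([True, True])  # sender is down for the first two queries
    def flaky(mid, rcpt):
        if next(outages, False):
            raise ConnectionError("sender unreachable")
        return log.confirm(mid, rcpt, now=10)
    def offline(mid, rcpt):       # a host that never answers queries
        raise ConnectionError("no listener")
    naps = []
    return {
        "genuine": verify(flaky, "<m1@example.org>", "alice@example.net", sleep=naps.append),
        "forged": verify(flaky, "<x9@example.org>", "bob@example.net"),
        "offline": verify(offline, "<z@example.org>", "bob@example.net", 10, lambda s: None),
        "naps": naps,
        "spoof_targets": log.spoof_targets,
    }
```

The forged query leaves its recipient in `spoof_targets`, which is the anti-phishing side effect from slide 8: the real domain learns who received mail forging its name.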
