BC Fights Against SPAM


  1. BC Fights Against SPAM Presented by John Bondon Corporate / Walnut Creek JBondon @ BrwnCald.com 925-210-2242

  2. Everything You Wanted to Know About SPAM But Were Afraid to Ask • The Answer to: “What is Brown & Caldwell doing to combat SPAM?” • How did they get my email address? • What options are available to combat SPAM? • The solution Brown & Caldwell selected & why • Understanding Internet Mail Headers • DEMONSTRATION: How to forge email • DEMO: Harvesting emails from the web • How a Spammer KNOWS whether or not you’ve read an email, even if you never reply! • Why you should never ask to be removed from a spammer’s list…

  3. Agenda • Some Background – why SPAM? • How Did They Find Me? • Why You Should never OPEN or RESPOND to spam • Case Study: BONDON@BONDON.COM • DEMO: How to Forge the FROM: field of an Email Message • DEMO: How to grab email addresses off web pages! • DEMO: How to Read Internet Mail Headers • Comparison of Current Methods to Combat Spam • How to Fool a Spam Filter • The Brown & Caldwell SPAM Filter Explained

  4. Why Fight Spam? • Brown & Caldwell’s SPAM level currently exceeds 40%! • According to Brightmail, 38% of email is spam; last year it was a mere 8%! • Bandwidth • Employee considerations • ”annoyance” factor • Legal ramifications • Ensure B&C’s servers aren’t used for spamming

  5. How Bad Is The Spam Problem? • America Online now blocks up to 80 percent of incoming e-mail traffic, or more than 2 billion messages a day. • According to Ferris Research, spam will cost U.S. businesses an estimated $10 billion this year.

  6. Why SPAM? • It’s CHEAP! • Low Risk • High Return

  7. How Did They Obtain My Email Address? • You (or a friend) Gave It To Them! • Newsletter • Special Offer / Contest • Removal Request • Electronic Greeting Cards • Bought / Sold from other spammers • LDAP Query • Directory Harvest Attack • Dictionary Spamming • Brute-Force

  8. How Did They Obtain My Email Address? • Common Mailbox Names (WebMaster, Sales, Info) • Web Crawl (mailto: tag) • Domain Records • WHOIS • SOA Records (DNS) • Scanning UseNet posts • IRC Channels (whois/identd) • Spyware software • Public Mailing Lists • Validation (opened previous spam!)

  9. Don’t READ or RESPOND to Spam! • The “REMOVE ME” trick • The Dynamic Link trick (tracking tags quoted from real spam; the URL parameters identify the recipient, so fetching the image confirms that the address is read):
      <img src=http://www.spammers-domain.com/images/trans.gif?issue=867&us=39083973>
      <a href="http://www.amailbox@abahosting.net/homebasedbiz/?affid=o888&e=amailbox@brwncald.com"><img src="http://210.220.144.198/bizop.gif" width=550 height=400 border=0></a>

  10. DEMONSTRATION: Crawlers • How spammers extract Email addresses • Web crawlers • BOTS • Spiders • Searching for : • mailto: HTML tags • @ symbol

  11. Case Study: BONDON@BONDON.COM • The Significance of Bondon@Bondon.com • Not a “Public” Address • Never used it as a personal address • Never Published on my Personal Homepage • Never disclosed (except to ISP & Network Solutions) • Yet receives 70 – 80 junk emails per day ! • How did Spammers learn of this email address? • WHOIS!

  12. WHOIS Demo • Why use WHOIS? • Compare these Query Examples: • BRWNCALD.COM vs. • BONDON.COM

  13. Internet Mail Headers • What they are • Open Relays • Example • Demonstration

  14. Reading Internet Mail Headers
      Received: from modus.brwncald.com (172.18.10.25 [172.18.10.25])
          by bcwck05.brwncald.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
          id 15KVA5NV; Sun, 23 Feb 2003 16:45:16 -0800
      Received: from mail.bondon.com (unverified [66.234.209.39])
          by modus.brwncald.com (Vircom SMTPRS 1.4.232) with ESMTP id <B0000566700@modus.brwncald.com>
          for <demo@brwncald.com>; Sun, 23 Feb 2003 16:52:31 -0800
      Received: from demonstration ([65.198.3.2]) by mail.bondon.com with Microsoft SMTPSVC(5.0.2195.4905);
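The slide's three Received lines, read bottom-up as the demonstration does, can be checked mechanically: walk the hops in delivery order and flag any whose claimed sender name the receiving server could not confirm. This is an added example, not material from the presentation; the sample message is reassembled from the slide's headers with a constructed From/To/Subject and body, and the checks (an "unverified" mark, a non-qualified HELO name, a break in the from/by chain) are the author of this example's choice.

```python
import email
import re

# Constructed sample: the three Received lines from slide 14, plus made-up
# From/To/Subject headers and body so the message parses as a whole.
RAW_MESSAGE = b"""Received: from modus.brwncald.com (172.18.10.25 [172.18.10.25])
  by bcwck05.brwncald.com with SMTP (Microsoft Exchange Internet Mail Service
  Version 5.5.2653.13) id 15KVA5NV; Sun, 23 Feb 2003 16:45:16 -0800
Received: from mail.bondon.com (unverified [66.234.209.39])
  by modus.brwncald.com (Vircom SMTPRS 1.4.232) with ESMTP
  id <B0000566700@modus.brwncald.com> for <demo@brwncald.com>;
  Sun, 23 Feb 2003 16:52:31 -0800
Received: from demonstration ([65.198.3.2])
  by mail.bondon.com with Microsoft SMTPSVC(5.0.2195.4905);
From: helpdesk@brwncald.com
To: demo@brwncald.com
Subject: constructed test message

(body)
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received hops in delivery order (oldest hop first)."""
    msg = email.message_from_bytes(raw)
    hops = []
    # Each relay prepends its own Received line, so the top line is the newest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue
        info = m.group("info") or ""
        ip_m = IP_RE.search(info)
        hops.append({"helo": m.group("helo"), "by": m.group("by"),
                     "ip": ip_m.group(1) if ip_m else None, "info": info})
    return hops


def audit_hops(raw):
    """Flag hops whose claimed sender name the receiving server could not trust."""
    hops = parse_hops(raw)
    findings = []
    for i, hop in enumerate(hops):
        reasons = []
        if "unverified" in hop["info"].lower():
            reasons.append("receiving server marked the HELO name unverified")
        if "." not in hop["helo"]:
            reasons.append("HELO name is not a fully qualified host name")
        # the server that accepted this hop should be the next hop's sender
        if i + 1 < len(hops) and hops[i + 1]["helo"].lower() != hop["by"].lower():
            reasons.append("chain break: next hop does not claim this relay")
        if reasons:
            findings.append((i, hop["helo"], hop["ip"], reasons))
    return findings
```

Only the Received line written by your own gateway is trustworthy; everything below it was supplied by the sender and can be forged, which is why the audit starts from the hop your server recorded.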

  15. DEMO: Internet Mail Headers • Where to find Internet Mail Headers using: • Microsoft Outlook • Microsoft Outlook Express

  16. DEMONSTRATION: Forging the FROM: Address • No validation of sender • KLEZ • SPAM address / Help Desk

  17. MX1 – Primary SMTP Gateway

  18. MX2 – SMTP Failover

  19. The Technologies • Prohibit Open Relaying • Reverse DNS • Real Time Black Lists (RTBLs) • Content Filters • Bayesian Filters • Permission Filters

  20. Open Relays • What are they? • When are they appropriate? • When are they not? • Why spammers like to use them • Risk of being labeled an “Open Relay”

  21. Reverse DNS & RTBLs • DNS • What’s the IP address for BCWCK05.BRWNCALD.COM? → 65.198.3.62 • Reverse DNS • Who is 65.198.3.62? → BCWCK05.BrwnCald.com • Real Time Black Lists (RTBLs) • Block email from select IP addresses

  22. Why These Methods Don’t Work • Concept of BlackLists • Reject versus quarantine • Prove your innocence! • Guilt by association? • Administrative cost

  23. Content Filtering • Keyword/phrase identification • Simple or Threshold driven • Checksum Databases • Compile a list of checksums • Sum of all the bytes of a message • These numbers Uniquely identify each message tagged as spam • Heuristics • Automated mechanisms to categorize email as spam based on known patterns

  24. How to Outsmart a Filter • Add bogus spaces or characters • sexual → s/e/x/u/a/l • MORTGAGE → M O R T G A G E • FREE → F*R*E*E* • Add random numbers in subject or body • Use of Invisible Text • Add extra words in Header • White text on white background • Use of HTML comments • “millionaire” → milli<!-- xe64 -->onaire

  25. More Ways 2 Outsmart a Filter • Use of ISO Entities (a.k.a. ISO-8859-1) • $ → &#36; • Use of extremely complex table HTML tags • Changes the order of letters in a message • Decoded/Reconstructed by email client • Use of 2 part MIME documents • Spam in HTML part – bogus text in plain section • Other Encoding tricks include: • Decimal, hex, octal or JavaScript encoding
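The tricks on slides 24 and 25 all defeat a keyword filter that matches the raw bytes; a content filter has to normalize the message the way the recipient's mail client would render it before matching. This added example (not part of the presentation) does that for the three tricks the slides show: HTML comments inside a word, numeric character entities, and letters split with spaces or punctuation. The keyword list and the sample messages are constructed for the example.

```python
import html
import re

# Assumed keyword list for the example; a real filter would use a shared, maintained list.
KEYWORDS = ("free", "mortgage", "sexual", "millionaire")

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Runs of single characters separated by spaces, slashes, stars, dots, dashes or
# underscores, e.g. "F*R*E*E" or "M O R T G A G E".
SPLIT_WORD_RE = re.compile(r"(?<!\w)((?:\w[\s*/.\-_]+){2,}\w)(?!\w)")

# Constructed sample messages, one per obfuscation trick, plus a legitimate one.
SAMPLES = {
    "spaced": "Refinance your M O R T G A G E today, F*R*E*E* quote",
    "comment": "<html><body>Become a milli<!-- xe64 -->onaire fast</body></html>",
    "entity": "Earn &#36;&#49;&#48;&#48;&#48; per week - s/e/x/u/a/l health products",
    "clean": "Lunch menu for Monday attached",
}


def normalize(text):
    """Reduce an HTML/plain message to the text a reader would actually see."""
    text = COMMENT_RE.sub("", text)      # milli<!-- xe64 -->onaire -> millionaire
    text = TAG_RE.sub(" ", text)         # drop remaining tags, keep their text
    text = html.unescape(text)           # &#36; -> $, &#49; -> 1, ...
    # join split-up words: "F*R*E*E" -> "FREE", "s/e/x/u/a/l" -> "sexual"
    text = SPLIT_WORD_RE.sub(lambda m: re.sub(r"[\s*/.\-_]+", "", m.group(1)), text)
    return text.lower()


def matched_keywords(text):
    """Keywords found after normalization, in KEYWORDS order."""
    norm = normalize(text)
    return [k for k in KEYWORDS if k in norm]
```

The joining step is deliberately aggressive and will also fuse legitimate initialisms such as "U.S.A.", which is one reason the presentation moves on to statistical (Bayesian) filtering rather than keyword lists alone.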

  26. Bayesian Filters • Bayesian Logic • Probability theorem based on 1763 work of Thomas Bayes • Determines probability of future trials based on occurrences in prior trials • How does it work? • Looks for statistical differences between unwanted email and legitimate personal or business email

  27. Bayesian Filters • Why all the Buzz? • Auto-Adaptive --- it “learns” • Where to Find it? • http://email.about.com/cs/bayesianspamsw/ • http://www.paulgraham.com/filters.html

  28. Bayesian Filtering • Examples of some of the current probabilities:
      Subject*FREE   0.9999
      free!!         0.9999
      To*free        0.9998
      Subject*free   0.9782
      free!          0.9199
      Free           0.9198
      Url*free       0.9091
      FREE           0.8747
      From*free      0.7636
      free           0.6546
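The table above is what a Bayesian filter's token database looks like: the same word gets a separate probability per header it appears in and per spelling. The following is an added example (not the presentation's code nor Vircom's product) that builds such a table with the formula from Paul Graham's "A Plan for Spam", which the slides link to, and then scores a message from its fifteen most interesting tokens. The training corpus is constructed and tiny, so the resulting probabilities are illustrative only.

```python
import re
from collections import Counter

TOKEN_RE = re.compile(r"[A-Za-z0-9$!]+")

# Constructed training corpus (subject, body). Case is preserved and Subject
# tokens are prefixed, which is why "Subject*FREE" and "free" are distinct tokens.
SPAM = [("FREE vacation", "win a free cruise, call now"),
        ("FREE offer", "free money free prizes act now"),
        ("FREE vacation for you", "claim your free vacation package now"),
        ("FREE", "no gimmicks free free free"),
        ("dream vacation", "free travel deals call now"),
        ("FREE quote", "refinance now free quote")]
HAM = [("meeting agenda", "the agenda for monday is attached"),
       ("project update", "status report for the treatment plant attached"),
       ("lunch", "lunch on friday at noon"),
       ("re: agenda", "thanks, see you monday"),
       ("report", "draft report attached for review"),
       ("re: project update", "the plant schedule looks fine")]


def tokenize(subject, body):
    return (["Subject*" + t for t in TOKEN_RE.findall(subject)]
            + TOKEN_RE.findall(body))


def train(spam, ham):
    """Build the per-token spam probability table (Graham's formula)."""
    bad, good = Counter(), Counter()
    for s, b in spam:
        bad.update(tokenize(s, b))
    for s, b in ham:
        good.update(tokenize(s, b))
    nbad, ngood = len(spam), len(ham)
    probs = {}
    for tok in set(bad) | set(good):
        g, b = 2 * good[tok], bad[tok]   # good counts doubled to bias against false positives
        if g + b < 5:
            continue                      # too rare to trust; scored as 0.4 later
        bf, gf = min(1.0, b / nbad), min(1.0, g / ngood)
        probs[tok] = max(0.01, min(0.99, bf / (gf + bf)))
    return probs


def spam_probability(probs, subject, body, max_tokens=15):
    """Combine the most interesting tokens (furthest from 0.5); unseen tokens get 0.4."""
    ps = sorted((probs.get(t, 0.4) for t in set(tokenize(subject, body))),
                key=lambda p: abs(p - 0.5), reverse=True)[:max_tokens]
    prod, inv = 1.0, 1.0
    for p in ps:
        prod *= p
        inv *= 1 - p
    return prod / (prod + inv)
```

Graham's threshold for calling a message spam is a combined probability above 0.9; the "auto-adaptive" property on the next slide is simply re-running train() as users correct the filter's mistakes.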

  29. Permission Filters • Reject all email EXCEPT from Authorized Sources! • The first time you send an email to a person you will receive an auto-response inviting you to visit a web page and enter some information. Your email then becomes authorized and any future emails you send will be accepted.

  30. Approaches to Combat Spam • Desktop Solutions • Outlook JunkMail Filter • SpamNet • McAfee Spam Killer • Enterprise Solutions • In-House • Vircom • SurfControl • Message Inspector • MIMESweeper • Outsourced • Postini

  31. The BC Filter: How It Works • The Product: Vircom’s Modus Gate • The Solution: Sieve Scripting

  32. BC Spam Filter: First 72 Hours • 158 Viruses Blocked • 13,493 Emails Blocked! • 55 legit messages RELEASED • 47 newsletter or Opt-in related • 8 Gray area – jokes/fun, news, etc. • Zero Client or Personal! • COST: 90 Minutes Administrative Labor • False Positive Rate: < 0.5%

  33. DEMO: What It Looks Like • The Quarantine Folder • Administrator’s Perspective • Releasing Blocked Messages

  34. Sieve Technology • Internet Scripting Standard (RFC 3028) • For filtering incoming email at the server • Content “Keyword/phrase” type filtering • Scripts shared & continuously updated by worldwide VASC community • Single line of code can easily block millions of variations • Can be quickly adapted due to human feedback • Lowest TCO!

  35. Sieve Script Examples
      # The "body" test is not in RFC 3028 itself; it is a Sieve extension. The form
      # below is as shown on the slide. Standard Sieve (RFC 5173) writes the same test as
      #   body :content ["text/plain","text/html"] :contains "..."
      if header :contains "Subject" "win your dream vacation" { discard; stop; }
      if body :contains ["text/plain","text/html"] "Call a travel professional or NCL at" { discard; stop; }
      if body :contains ["text/plain","text/html"] "giving away FREE Vacation Packages. No gimmicks" { discard; stop; }
      if body :contains ["text/plain","text/html"] "888-737-6011" { discard; stop; }

  36. What if My Email is BLOCKED? • Notify the HELP DESK if: • You suspect a message has been blocked Or • Want to prevent your newsletter(s) from being blocked

  37. Summary • Methods spammers use to obtain your email address • Countermeasures used to try to stop spam • Explanation of Internet Mail Headers • How to respond to spam and why • Demonstration of the Brown & Caldwell Email Spam Filter

  38. More Information • Pipeline • http://www.bc.com/Spam/ • Spammers' Technology Secrets Exposed! • http://www.internetweek.com/story/showArticle.jhtml?articleID=6900020 • Spam & Anti-Spam Techniques • http://www.vicomsoft.com/knowledge/reference/spam.html • A Plan for Spam • http://www.paulgraham.com/antispam.html
