563.8.2 Spam
Sonia Jahid
University of Illinois, Fall 2007
Outline
• Definition
• Problem
• Spam Categories
• How email works: quick overview
• Why is spam still a problem?
• Spammers’ approach
Definition
• Submitting the same message to a large group of individuals in an effort to force the message onto people who would otherwise choose not to receive this message.
• A message is spam only if it is both Unsolicited and Bulk.
– Unsolicited Email is normal email (examples: first contact enquiries, job enquiries, sales enquiries)
– Bulk Email is normal email (examples: subscriber newsletters, customer communications, discussion lists)
What is spam: SpamLaws; What is spam: Spamhaus
Problem
MAAWG Email Metrics Report 07
The statistics reported below are compiled from confidential data provided by participating MAAWG member service operators for Q1 2007
Spam Categories
According to information compiled by Spam filter review, email spam for 2006 can be categorized as shown in the table:
Products 25%
Financial 20%
Adult 19%
Scams 9%
Health 7%
Internet 7%
Leisure 6%
Spiritual 4%
Other 3%
Evett 06
How Email Works: Quick Overview
helo test
250 mx1.mindspring.com Hello abc.sample.com [220.57.69.37], pleased to meet you
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 jsmith... Recipient ok
data
354 Enter mail, end with "." on a line by itself
from: [email protected]
to: [email protected]
subject: testing
John, I am testing...
.
250 2.0.0 e1NMajH24604 Message accepted for delivery
quit
221 2.0.0 mx1.mindspring.com closing connection
Connection closed by foreign host.
Brain
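The session above shows every step a sending host goes through, and the point the later slides build on is that nothing in it is checked. The following is an added example, not code from the slides: a small in-process model of that dialog which answers each command with the reply codes shown above, so you can see that the envelope sender given in MAIL FROM and the From: line inside the message body are independent values that the server simply records. The hostname is taken from the slide; the addresses and the ToySmtpServer/run_session names are constructed for this illustration.

```python
# Added example: an in-process model of the SMTP dialog on the slide.
# It is not a network server; it only reproduces the reply codes so the
# absence of any sender validation is visible in one place.


class ToySmtpServer:
    """One SMTP session; hostname and reply texts modelled on the slide."""

    def __init__(self, hostname="mx1.mindspring.com"):
        self.hostname = hostname
        self.in_data = False
        self.delivered = []  # (envelope_from, [rcpts], body) accepted for delivery
        self._reset()

    def _reset(self):
        self.mail_from = None
        self.rcpt_to = []
        self.body = []

    def handle(self, line):
        """Return the reply for one client line (None while collecting DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.mail_from, list(self.rcpt_to), "\n".join(self.body)))
                self._reset()
                return "250 2.0.0 Message accepted for delivery"
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            # The HELO name is echoed back, never verified against the peer address.
            return f"250 {self.hostname} Hello {arg}, pleased to meet you"
        if verb == "MAIL":
            # Envelope sender is recorded verbatim: nothing validates it.
            self.mail_from = arg.split(":", 1)[1].strip()
            return f"250 2.1.0 {self.mail_from}... Sender ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip()
            self.rcpt_to.append(rcpt)
            return f"250 2.1.5 {rcpt}... Recipient ok"
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "500 5.5.1 Command unrecognized"


def run_session(server, client_lines):
    """Drive the server with a list of client lines; return the C:/S: transcript."""
    transcript = []
    for line in client_lines:
        transcript.append("C: " + line)
        reply = server.handle(line)
        if reply is not None:
            transcript.append("S: " + reply)
    return transcript


def header_from(message_text):
    """Extract the From: header from a delivered message body (first match)."""
    for line in message_text.splitlines():
        if line.lower().startswith("from:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed session with the same command sequence as the slide; the
# addresses are placeholders. Note that the envelope sender (MAIL FROM)
# and the From: line in the body do not agree.
SESSION = [
    "helo abc.sample.com",
    "mail from: envelope-sender@example.net",
    "rcpt to: jsmith@example.org",
    "data",
    "from: someone-else@example.com",
    "to: jsmith@example.org",
    "subject: testing",
    "John, I am testing...",
    ".",
    "quit",
]


def demo():
    """Run SESSION and return (transcript, envelope sender, header From:)."""
    server = ToySmtpServer()
    transcript = run_session(server, SESSION)
    envelope_from, _rcpts, body = server.delivered[0]
    return transcript, envelope_from, header_from(body)


if __name__ == "__main__":
    transcript, env, hdr = demo()
    print("\n".join(transcript))
    print(f"envelope sender: {env}  header From: {hdr}  match: {env == hdr}")
```

A receiving system that wants to know who really sent a message therefore cannot rely on either value; it has to record what it observed itself (the connecting IP address, as the Received: header on slide 9 does) and validate the sender by other means.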
Why Is Spam Still a Problem?
• Spoofing
  – Email system design
    • Headers allow spoofing
  – Identity concealing
    • Bot-networks
    • Open proxies
    • Open mail relays
    • Untraceable Internet connection
  – Available bulk email tools
Boneh 04
Email System Design
• SMTP protocol provides no security
– email is not private
– can be altered en route
– no way to validate the identity of the email source
• Use SMTP-AUTH?
– Not a solution for spam
SMTP-AUTH
Email System Design
• Headers are unreliable, can be used for spoofing
– Insert fictitious email addresses in the From: lines
– Exception: first Received header
Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
MS: Mail Server
Tschabitscher
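The two Received: headers on this slide illustrate the exception: the topmost header was written by the recipient's own server (mail1.infinology.com) and records both what the client claimed in HELO and the address the connection actually came from, while the lower header may have been written by anyone. The following is an added example, not code from the slide or from Tschabitscher's article: a parser for headers of this shape that walks the chain top-down, returns the one origin address the receiving server observed itself, and flags the two inconsistencies visible in the sample (HELO name differing from the peer address, and a lower header claiming to be written "by" the host that was only the HELO claim). The regular expression covers the header formats on the slide, not every Received: syntax in the wild; the function names and the `own_server` parameter are my own.

```python
# Added example: tracing Received: headers top-down, trusting only the one
# written by our own server. Sample headers are the two from the slide.
import re
from typing import Optional

# Topmost first, i.e. the order they appear in the delivered message.
SAMPLE_HEADERS = [
    "Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by "
    "mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000",
    "Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; "
    "Sun, 16 Nov 2003 13:38:22 -0600",
]

# Matches the two header styles seen on the slide; wider syntaxes exist.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<name>\S+)"              # name or literal the client gave
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"              # HELO argument recorded in parens
    r"(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"     # peer address seen on the socket
    r"\s+by\s+(?P<by>\S+)"                             # server that wrote this header
)


def parse_received(line: str) -> Optional[dict]:
    """Return the name/helo/ip/by fields of one Received: header, or None."""
    m = RECEIVED_RE.match(line)
    return m.groupdict() if m else None


def trusted_origin(headers, own_server):
    """Peer IP recorded by our own server: the only header we know was not forged."""
    top = parse_received(headers[0])
    if top is None or top["by"] != own_server:
        return None
    return top["ip"]


def flag_forged(headers):
    """List inconsistencies between what a hop claimed and what was observed."""
    findings = []
    hops = [parse_received(h) for h in headers]
    for i, hop in enumerate(hops):
        if hop is None:
            findings.append(f"hop {i}: unparseable Received header")
            continue
        if hop["helo"] and hop["ip"] and hop["helo"] != hop["ip"]:
            findings.append(
                f"hop {i}: HELO claimed {hop['helo']} but the connection came from {hop['ip']}"
            )
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        # The next (older) header says which host wrote it; that host should be
        # the one our hop actually saw connecting, not merely the HELO claim.
        if nxt and hop["ip"] and nxt["by"] != hop["ip"] and nxt["by"] == hop["helo"]:
            findings.append(
                f"hop {i + 1}: written 'by' {nxt['by']}, which was only the HELO claim; "
                f"the real peer was {hop['ip']}, so this header was likely supplied by the sender"
            )
    return findings


if __name__ == "__main__":
    print("origin seen by our server:", trusted_origin(SAMPLE_HEADERS, "mail1.infinology.com"))
    for f in flag_forged(SAMPLE_HEADERS):
        print("suspicious:", f)
```

For the sample, the trusted origin is 62.105.106.207 and both inconsistencies are reported; everything below the first header is treated as a claim to be corroborated, not as evidence.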
Identity Concealing: Bot-networks
• Compromised machines running malicious software
• Once infected, spammer can send spam from it
• The bot software hides itself and periodically checks for instructions from the human bot-network administrator
• Emails appear to come from legitimate users
• Example bot-networks:
– Phatbot: largest reported bot-network to date, 400,000 drones
– Bobax: assimilates machines with high speed Internet connection
Identity Concealing: Open Proxies
• An open proxy is one which will create connections for any client to any server, without authentication
• Possible for a computer to be running an open proxy server without knowledge of the computer's owner
• More difficult to detect when chain of open proxies used
Identity Concealing: Open Mail Relays
• An email server configured to allow anyone on the Internet to relay email through it.
• Network address of spammer appears in one of the Received: headers
• Add fake Received: headers
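An open relay is purely a policy failure at RCPT TO time: the server accepts mail for any destination from any client. The following is an added example, not code from the slides: a policy function for a receiving server that reproduces the open-relay misconfiguration when `open_relay=True` and otherwise applies the usual rule (accept mail for our own domains from anyone; accept mail for other domains only from our own networks or from an authenticated user, which is where the SMTP-AUTH of slide 8 fits; reject everything else). The parameter names, networks, domains and reply texts are my own constructions chosen to mirror common MTA policy, not any specific product's configuration.

```python
# Added example: relay policy for RCPT TO, with the open-relay variant
# beside the restricted one. Networks and domains are constructed.
import ipaddress

LOCAL_DOMAINS = {"example.org"}  # domains this server delivers for
MY_NETWORKS = [                  # clients allowed to relay outward without auth
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def relay_decision(client_ip, rcpt, authenticated=False, open_relay=False,
                   local_domains=LOCAL_DOMAINS, my_networks=MY_NETWORKS):
    """Reply to RCPT TO. open_relay=True reproduces the misconfiguration on the slide."""
    if open_relay:
        # Accepts any recipient from any client on the Internet: an open relay.
        return "250 2.1.5 Recipient ok"
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local_domains:
        # Mail for our own users must be accepted from anyone, or we receive nothing.
        return "250 2.1.5 Recipient ok"
    if authenticated or any(ip in net for net in my_networks):
        # Our own users (by network or by SMTP-AUTH) relaying to the outside.
        return "250 2.1.5 Recipient ok"
    # Outsider asking us to deliver to another outsider: the relay case to refuse.
    return "554 5.7.1 Relay access denied"


def is_open_relay(decide):
    """Self-test of a policy function: does an outside client get to relay to an outside domain?"""
    return decide("203.0.113.9", "someone@example.com").startswith("250")


if __name__ == "__main__":
    for ip, rcpt, auth in [("203.0.113.9", "someone@example.com", False),
                           ("203.0.113.9", "user@example.org", False),
                           ("192.0.2.5", "someone@example.com", False),
                           ("203.0.113.9", "someone@example.com", True)]:
        print(ip, rcpt, "auth" if auth else "noauth", "->", relay_decision(ip, rcpt, auth))
    print("restricted policy is open relay:", is_open_relay(relay_decision))
```

The `is_open_relay` check is the single question an operator should be able to answer about their own server before anyone else asks it: the restricted policy answers no, the variant on the slide answers yes, and the Received: header such a server stamps on every relayed message is exactly the one the spammer's tools try to bury under fake ones.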
Combining Open Proxy and Open Relay
• Establish TCP connection with Open Proxy1
• Connect with Open Proxy2
• Send email to Open Relay through this chain
• Forward to destination SMTP server
Andreolini Bulgarelli Colajanni Mazzoni 05
Identity Concealing: Untraceable Internet Connection
• Public Internet cafes
• Free/stolen wireless connections
• Connections that do not require users to identify themselves
• Need not hide network address
– Send email directly to spam recipients
– No way to associate email accounts with the spammer
Available Bulk Email Tools
• Designed to generate and send about 500,000 emails per hour while hiding spammers’ identity
– Send-safe
• Search for open proxies, open relays
• Download updated list of open proxies
• Distribute email load over multiple open proxies
• Periodically verify if open proxies working properly
– Massive-mailer
– Dark-mailer
Spammers’ Approach
• Gather addresses
– Email harvesting from the web
– Gather email addresses from newsgroups
– DNS and WHOIS system
– Buy data from 3rd party
• Generally spam-bots used for email harvesting
• What makes it easy?
– People publishing their email addresses
Andreolini Bulgarelli Colajanni Mazzoni 05
Spammers’ Approach
• Verify address
– A web bug in a spam message written in HTML may cause the recipient’s email client to transfer its email address
– Unsubscribing from a service
• Send messages anonymously
Reading List
• D. Boneh, The Difficulties of Tracing Spam Email, September 09, 2004
• M. Andreolini, A. Bulgarelli, M. Colajanni, and F. Mazzoni, HoneySpam: Honeypots fighting spam at the source, In Proc. USENIX SRUTI 2005, Cambridge, MA, July 2005.
• H. Tschabitscher, What Email Headers Can Tell You About the Origin of Spam
• Spam on Wikipedia