Spam, Spam and More Spam

cs5480/cs6480

Matthew J. Probst
*with some slides/graphics adapted from J.F. Kurose and K.W. Ross

Spammers: Cost to send

• Assuming a $10/mo dialup account, about 13.4 million messages per month might be sent…
• That is a cost of about 1 penny per 13,400 messages ($10 is 1,000 pennies; 13.4 million / 1,000).
• Free trials make it free!

You: Cost to Receive

• 10+ billion spam messages are sent each day.
• At 5 seconds per spam (to recognize & delete)…
• That’s 50 billion seconds of lost productivity each day (39,457 work years).
• Assuming a $36k average income per person: $1.5 billion per day in lost productivity to the economy.

$$$$ Driving Business Incentives

• Pump-and-dump penny stocks
• Scams: Nigerian investments, phishing, etc.
• Meds
• Insurance
• Porn
• Loans/Mortgages
• Others…

Botnets and Spammers

• Example: the Storm worm, running (by the estimates current when these slides were written) on up to 50 million infected computers.
• More computing power than the top 500 supercomputers in the world combined!
• Used for DDoS attacks, penny-stock spam and propagating itself via email.

Diagram: the bot controller directs the bots to DDoS, replication and spam; the spammer buys that capacity from the botnet vendor.

Mail access protocols

• SMTP: delivery/storage to the receiver’s server
• Mail access protocol: retrieval from the server
  – POP: Post Office Protocol [RFC 1939]
    • authorization (agent <--> server) and download
  – IMAP: Internet Message Access Protocol [RFC 1730; the current IMAP4rev1 is RFC 3501]
    • more features (more complex)
    • manipulation of stored msgs on the server
  – HTTP: Hotmail, Yahoo! Mail, etc.

Diagram: user agent -> Alice.com MTA -(SMTP)-> Bob.com MTA -(POP3 or IMAP)-> user agent

Ideal place to filter?

• Source machine
• Source MTA server
• In the middle of the network
• Recipient MTA server
• Recipient machine
Pros & cons of each: the closer to the source, the less bandwidth and storage the spam consumes, but the more parties (every sender’s ISP) must cooperate; the closer to the recipient, the more the recipient pays in delivery and scanning cost, but nobody else’s cooperation is needed.

Diagram: the same mail path, user agent -> Alice.com MTA -(SMTP)-> Bob.com MTA -(POP3 or IMAP)-> user agent

ISP IP block white-listing

• Source MTA filter.
• ISPs allow any IP blocks on their network to relay through their mail servers.
Problems?
• Disallows mobility: a customer connecting from outside the block (a hotel, another ISP) can’t relay.
• Allows viruses: any infected machine inside the block relays freely.

Diagram: user agent (12.1.1.5) -> Alice.com MTA (“Only 12.1.X.X allowed!”) -(SMTP)-> Bob.com MTA -(POP3 or IMAP)-> user agent

SMTP-AUTH

• Source MTA requires a username/password before relaying a message.
• Only the ISP’s own customers are allowed to relay.
• Optional: block all other outgoing SMTP (port 25) from the customer network.
• Allows mobility, blocks dumb viruses (malware that reads the stored credentials from the user’s mail client can still relay as that user).
Problems?
• Free-trial ISP accounts.
• Fraudulently acquired accounts.

Diagram: user agent -(username/password)-> Alice.com MTA -(SMTP)-> Bob.com MTA -(POP3 or IMAP)-> user agent

Rate throttling

• Simple: the source MTA limits the number/rate of emails from individual senders.
• Limits on: max recipients per message, max messages per time period, etc.
Problems:
• Spammers can code their own MTAs and deliver directly to the recipient’s MX, never touching the ISP’s relay (unless outbound port 25 is blocked).
• Millions of throttled bots can still spam a lot!

Diagram: user agent -> Alice.com MTA (limit: 25 M/H, messages per hour) -(SMTP)-> Bob.com MTA -(POP3 or IMAP)-> user agent
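The three source-MTA controls above (IP-block whitelisting, SMTP-AUTH and rate throttling) as one relay-policy engine. This is an added example, not code from the slides: the customer address block 12.1.0.0/16, the accounts, the 25-messages-per-hour limit and the scenarios are constructed, and the runs reproduce the failure modes the slides list (a bot inside the trusted block relays under IP whitelisting, a roaming customer cannot, SMTP-AUTH fixes both, and a free-trial account still gets its 25 messages an hour).

```python
"""Source-MTA relay policy: IP-block whitelisting, SMTP-AUTH and rate throttling.

Added example, not code from the slides. The customer address block, the
accounts and the limits are constructed for the demo; a real MTA takes them
from its configuration (in Postfix: mynetworks, the SASL settings and
smtpd_client_message_rate_limit).
"""
import hmac
import ipaddress
from collections import defaultdict, deque

TRUSTED_BLOCKS = [ipaddress.ip_network("12.1.0.0/16")]        # ISP customer space (constructed)
ACCOUNTS = {"alice": "correct-horse", "trial-4711": "free"}   # SMTP-AUTH users (constructed)
MAX_RCPT_PER_MSG = 50
MAX_MSGS_PER_HOUR = 25            # the "25 M/H" limit drawn on the slide
WINDOW = 3600                     # seconds


class RelayPolicy:
    """mode="ipblock": relay for any client inside TRUSTED_BLOCKS.
    mode="auth": relay only after a successful username/password check."""

    def __init__(self, mode):
        if mode not in ("ipblock", "auth"):
            raise ValueError(mode)
        self.mode = mode
        self.history = defaultdict(deque)   # throttle key -> times of accepted messages

    def identify(self, client_ip, auth=None):
        """Return (throttle_key, None) if relaying is permitted, else (None, smtp_reply)."""
        if self.mode == "auth":
            if auth is None:
                return None, "530 authentication required"
            user, password = auth
            if not hmac.compare_digest(ACCOUNTS.get(user, ""), password):
                return None, "535 authentication failed"
            return "user:" + user, None        # throttle per account, wherever it roams
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in TRUSTED_BLOCKS):
            return "ip:" + client_ip, None     # throttle per source address
        return None, "550 relaying denied"

    def accept(self, client_ip, n_recipients, now, auth=None):
        """One message submission at time `now`; returns the reply the MTA would send."""
        key, reply = self.identify(client_ip, auth)
        if key is None:
            return reply
        if n_recipients > MAX_RCPT_PER_MSG:
            return "452 too many recipients"
        sent = self.history[key]
        while sent and now - sent[0] >= WINDOW:   # slide the one-hour window
            sent.popleft()
        if len(sent) >= MAX_MSGS_PER_HOUR:
            return "421 rate limit exceeded, try later"
        sent.append(now)
        return "250 OK"


def burst(policy, client_ip, count, auth=None, start=0):
    """Submit `count` single-recipient messages one second apart; tally reply codes."""
    tally = defaultdict(int)
    for i in range(count):
        tally[policy.accept(client_ip, 1, start + i, auth)[:3]] += 1
    return dict(tally)


if __name__ == "__main__":
    ipblock, auth = RelayPolicy("ipblock"), RelayPolicy("auth")
    print("bot inside block, ip-whitelist:", burst(ipblock, "12.1.1.5", 30))
    print("roaming customer, ip-whitelist:", ipblock.accept("198.51.100.7", 1, 0))
    print("roaming customer, smtp-auth:   ", auth.accept("198.51.100.7", 1, 0, ("alice", "correct-horse")))
    print("bot inside block, smtp-auth:   ", auth.accept("12.1.1.5", 1, 0))
    print("free-trial account, smtp-auth: ", burst(auth, "203.0.113.9", 30, ("trial-4711", "free")))
```

The throttle key is the account under SMTP-AUTH and the source address under IP whitelisting; that is the practical difference between the two, since a stolen or free-trial account is throttled as one sender no matter how many bots use it, while a whitelisted block is throttled per machine and a botnet inside it simply multiplies.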

SPF (Sender Policy Framework)

• Recipient MTA filter.
• A TXT DNS record on a domain (“v=spf1 …”) lists the relays “authorized” to send email whose envelope sender (MAIL FROM) is in that domain; the recipient MTA checks the connecting IP against it. It does not cover the visible From: header.
Problems?
• Only effective with mass adoption.
• Spammers comply with SPF: they publish records for their own throwaway domains, so a pass means only that the mail came from where the domain owner said it would.
• Plain forwarding breaks it, since the forwarder’s IP is not in the original domain’s record.

Diagram: Alice.com MTA (13.1.1.1) -(SMTP)-> Bob.com MTA, which asks Alice.com DNS “spf?” and checks 13.1.1.1 against the answer -(POP3 or IMAP)-> user agent
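The check the recipient MTA performs, as an added example (not the slides' code): a small SPF evaluator run against an in-memory zone table. The domains, records and addresses (alice.com at 13.1.1.1 from the slide, a mail host at 13.1.2.9, a shared provider at 203.0.113.0/24 and a spammer-owned cheap-pills.example) are all constructed; a real check resolves the same names over DNS. The last probe shows the slide's point that a spammer's own domain passes SPF just as well.

```python
"""Minimal SPF evaluator (RFC 7208 check_host) over an in-memory DNS table.

Added example, not the slides' code. It handles the mechanisms most records
use (ip4, ip6, a, mx, include, all) and the +/-/~/? qualifiers; the zone data
below is constructed, and a real check would resolve it over DNS.
"""
import ipaddress

# Constructed zone data: name -> record type -> values.
DNS = {
    "alice.com": {
        "TXT": ["v=spf1 ip4:13.1.1.0/24 mx include:_spf.mailhost.example -all"],
        "MX": ["mail.alice.com"],
    },
    "mail.alice.com": {"A": ["13.1.2.9"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    # A spammer-owned domain that "complies with SPF" for its own sending host.
    "cheap-pills.example": {"TXT": ["v=spf1 ip4:198.51.100.77 -all"]},
    "nospf.example": {"TXT": ["some unrelated text"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is usable; none or several means no policy."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, depth=0):
    """Result for `ip` claiming MAIL FROM in `domain`: pass, fail, softfail,
    neutral, none (no record) or permerror (bad record or too deep)."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism or modifier: not supported in this demo
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                     # fell off the end without an "all"


if __name__ == "__main__":
    for ip, dom in [("13.1.1.1", "alice.com"), ("13.1.2.9", "alice.com"),
                    ("203.0.113.5", "alice.com"), ("198.51.100.77", "alice.com"),
                    ("198.51.100.77", "cheap-pills.example"), ("13.1.1.1", "nospf.example")]:
        print(f"{ip:>15} as {dom:<22} -> {check_host(ip, dom)}")
```

A softfail (~all) is what most domains publish while they are still discovering their own senders; a receiver normally treats it as a scoring input rather than a reject, which is why the slide's "only effective with mass adoption" applies to the strictness of the records as much as to their existence.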

Relay Blacklists (RBLs)

• Recipient MTA filter.
• A DB of IP addresses (and blocks) that should not be allowed to relay email, published over DNS: the recipient MTA looks up the reversed connecting IP under the list’s zone (a DNSBL).
• 100s of lists publicly available.
• Mail servers commonly use several RBLs.
• Individually and group maintained.
• Conservative vs. ultraliberal inclusion.

Diagram: Alice.com MTA (13.1.1.1) -(SMTP)-> Bob.com MTA, which asks DNSrbl1, DNSrbl2 and DNSrbl3 “13.1.1.1 ok?” and gets OK! from each -(POP3 or IMAP)-> user agent

Relay Blacklists (RBLs) cont.

Spamhaus stats: http://www.spamhaus.org/statistics/

Problems?
• Take it or leave it, one-size-fits-all (each list is either too aggressive or too passive for a given site).
• Central RBL servers are easy to DDoS.
• If applied within the ISP’s own network it blocks SMTP-AUTH: customers on listed dynamic-IP ranges can no longer submit mail. Check RBLs on inbound port 25 only and let authenticated submission bypass them.

Relay White-lists

• Recipient MTA filter.
• Automatically allows email from specific domains, relays and senders through (published the same way as RBLs, as a DNSWL, or kept locally).
Problems?
• Easy to get out of date.
• Spammers can use legitimate email addresses, ISPs and domains (botnets, compromised accounts, etc.), so a whitelisted source is not a clean source.

Diagram: Alice.com MTA (13.1.1.1) -(SMTP)-> Bob.com MTA, which asks DNSwl1, DNSwl2 and DNSwl3 “13.1.1.1 ok?” and gets OK! from each -(POP3 or IMAP)-> user agent
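The lookups drawn on the two diagrams above (several RBLs, several whitelists, combined into one verdict), as an added example that is not the slides' code. The query-name construction is the real DNSBL convention (RFC 5782); the zone names, their listings, the per-list weights and the in-memory resolver are constructed. It also handles a failure mode every site eventually meets: a list whose domain has expired and now answers every query with an ad-page address, which must not be counted as a listing.

```python
"""DNSBL/DNSWL lookups and a weighted multi-list policy.

Added example, not the slides' code. The query construction (reverse the
address, append the zone, expect an A record in 127.0.0.0/8) is how real
lists such as zen.spamhaus.org are queried (RFC 5782); the zones, listings,
weights and the in-memory resolver below are constructed for the demo.
"""
import ipaddress

# Constructed listings: zone -> {ip or "*": answer}. "*" models a dead list whose
# expired domain now wildcards every query to an ad page.
ZONES = {
    "rbl-conservative.example": {"198.51.100.77": "127.0.0.2"},
    "rbl-aggressive.example": {"198.51.100.77": "127.0.0.2", "13.1.1.1": "127.0.0.10"},
    "wl.example": {"13.1.1.1": "127.0.0.2"},
    "dead-list.example": {"*": "192.0.2.1"},
}

# Assumed site policy: a listing's weight toward rejection; whitelists subtract.
POLICY = {
    "rbl-conservative.example": 3.0,
    "rbl-aggressive.example": 1.0,
    "dead-list.example": 3.0,
    "wl.example": -4.0,
}
REJECT_THRESHOLD = 3.0
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """'13.1.1.1' under 'rbl.example' -> '1.1.1.13.rbl.example' (nibble-reversed for IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def resolve_a(qname):
    """Stand-in for a DNS A query, answered from ZONES; None means NXDOMAIN."""
    for zone, listings in ZONES.items():
        if qname.endswith("." + zone):
            if "*" in listings:
                return listings["*"]
            for ip, answer in listings.items():
                if dnsbl_query_name(ip, zone) == qname:
                    return answer
            return None
    return None


def listed(ip, zone):
    """True only for a valid listing answer; anything outside 127.0.0.0/8 is a
    broken or hijacked list and must not count as a hit."""
    answer = resolve_a(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in LOOPBACK


def relay_score(ip):
    """Sum the weights of every list that has `ip`; return (score, hits)."""
    hits = [zone for zone in POLICY if listed(ip, zone)]
    return sum(POLICY[z] for z in hits), hits


def should_reject(ip):
    return relay_score(ip)[0] >= REJECT_THRESHOLD


if __name__ == "__main__":
    for ip in ("198.51.100.77", "13.1.1.1", "203.0.113.9"):
        print(ip, relay_score(ip), "reject" if should_reject(ip) else "accept")
```

Weighting is how a site escapes the "take it or leave it" problem from the slide: the aggressive list alone cannot reject anything, but it tips a borderline score, and a whitelist hit overrides it for a known-good relay such as 13.1.1.1.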

Greylists

• Don’t fully allow (not a whitelist).
• Don’t completely block (not a blacklist).
• Slow down handshaking & negotiation (tarpit)… and/or take more time/resources to scan. The common implementation, greylisting proper, answers the first delivery attempt for an unknown (client IP, sender, recipient) triplet with a temporary 4xx failure and accepts the retry that a compliant MTA makes minutes later; most spam engines never retry.
Problems?
• Tarpitting doesn’t block very determined spammers.

Tricking Spammers

• Require MTAs to adhere to the full SMTP RFC.
• Point the primary (lowest-preference) MX record at a null sink that never accepts mail.
• Point the secondary MX record at the real MTA; a compliant sender falls back to it.
Problems?
• Spammers can make their MTAs smarter.
• Some spammers use existing ISP MTAs, which follow the RFC.

Diagram: Alice.com MTA asks Bob.com DNS “bob.com mx?” and gets 14.1.1.1, 14.1.1.2; SMTP to 14.1.1.1 (fake MTA): FAIL!; SMTP to Bob.com MTA (14.1.1.2) -(POP3 or IMAP)-> user agent
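Both tricks above rely on the sender behaving like a real MTA, so one simulation covers both: the MX data from the diagram (14.1.1.1 as the null sink, 14.1.1.2 as the real, greylisting MTA), a compliant sender that walks the MX list and retries, and a spam engine that does neither. This is an added example, not the slides' code; the addresses, delays, reply texts and the retry interval are constructed.

```python
"""Greylisting plus a null-sink primary MX, simulated end to end.

Added example, not the slides' code. Two kinds of sender deliver to bob.com:
an RFC 5321-compliant MTA that walks the MX list in preference order, queues
on a temporary failure and retries later, and a spam engine that never
retries. The MX data, addresses, delays and replies are constructed.
"""

MX_RECORDS = {"bob.com": [(10, "14.1.1.1"), (20, "14.1.1.2")]}   # constructed zone
GREYLIST_DELAY = 300        # seconds before a retry is accepted (assumed policy)
GREYLIST_TTL = 4 * 3600     # how long a pending triplet is remembered
RETRY_AFTER = 900           # a compliant sender's queue retry interval (assumed)


class NullSinkMX:
    """Fake primary MX: reachable, but never accepts a message."""

    def deliver(self, client_ip, mail_from, rcpt_to, now):
        return "421 service not available, closing transmission channel"


class GreylistingMX:
    """Real MX: temp-fails a first-seen (ip, sender, recipient) triplet, accepts
    a retry after GREYLIST_DELAY, and remembers triplets that proved they retry."""

    def __init__(self):
        self.pending = {}   # triplet -> time first seen
        self.known = set()

    def deliver(self, client_ip, mail_from, rcpt_to, now):
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.known:
            return "250 OK"
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > GREYLIST_TTL:
            self.pending[triplet] = now
            return "451 greylisted, try again later"
        if now - first_seen < GREYLIST_DELAY:
            return "451 greylisted, try again later"   # retried too soon
        del self.pending[triplet]
        self.known.add(triplet)
        return "250 OK"


HOSTS = {"14.1.1.1": NullSinkMX(), "14.1.1.2": GreylistingMX()}


def mx_hosts(rcpt_to):
    """MX targets for the recipient's domain, lowest preference value first."""
    return [host for _, host in sorted(MX_RECORDS[rcpt_to.split("@")[1]])]


def compliant_send(client_ip, mail_from, rcpt_to, now, max_attempts=3):
    """RFC 5321 behaviour: try each MX in order; on 4xx from all of them, queue
    the message and retry RETRY_AFTER seconds later. Returns (delivered, log)."""
    log = []
    for attempt in range(max_attempts):
        for host in mx_hosts(rcpt_to):
            reply = HOSTS[host].deliver(client_ip, mail_from, rcpt_to, now)
            log.append((attempt, host, reply))
            if reply.startswith("250"):
                return True, log
            if reply.startswith("5"):
                return False, log           # permanent failure: bounce
        now += RETRY_AFTER
    return False, log


def spambot_send(client_ip, mail_from, rcpt_to, now, walk_mx_list=False):
    """Spam engine: no queue, no retry. The "smarter" variant walks the whole MX
    list, which beats the null sink, but its first contact is still greylisted."""
    hosts = mx_hosts(rcpt_to) if walk_mx_list else mx_hosts(rcpt_to)[:1]
    log = []
    for host in hosts:
        reply = HOSTS[host].deliver(client_ip, mail_from, rcpt_to, now)
        log.append((0, host, reply))
        if reply.startswith("250"):
            return True, log
    return False, log


if __name__ == "__main__":
    print(compliant_send("13.1.1.1", "alice@alice.com", "bob@bob.com", now=0))
    print(compliant_send("13.1.1.1", "alice@alice.com", "bob@bob.com", now=5000))
    print(spambot_send("198.51.100.77", "pills@cheap-pills.example", "bob@bob.com", now=0))
    print(spambot_send("198.51.100.78", "pills@cheap-pills.example", "bob@bob.com", now=0, walk_mx_list=True))
```

The compliant sender needs two rounds (null sink, greylist; null sink, accept) and then delivers every later message on the first pass once the triplet is known, so the delay is paid once per sender/recipient pair. A bot that tries the primary MX only never reaches the real server at all, and one that walks the list still leaves after the 451, which is the slide's "doesn't block very determined spammers" caveat in reverse: a bot that queues and retries gets through.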

Domain Keys Identified Mail (DKIM)

• Sender MTA signs a hash of the message (selected headers plus the body) with its private key.
• Adds the signature as a new header, “DKIM-Signature” (the earlier Yahoo DomainKeys scheme used “DomainKey-Signature”).
• Recipient MTA uses a DNS TXT record at <selector>._domainkey.<domain> (the selector is named in the signature) to find the public key and authenticate the signature.
Problems? Adoption
• Spammer domains can conform: a valid signature proves which domain signed, not that it is honest.
• Spammers can use a legitimate ISP account, and the ISP signs their mail.

Diagram: Alice.com MTA (signs message) -(SMTP)-> Bob.com MTA (authenticates message), which asks Alice.com DNS “Pub Key?” and gets <PubKey> -(POP3 or IMAP)-> user agent
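The sign-at-Alice.com, fetch-key-and-verify-at-Bob.com round trip from the diagram, as an added example that is not the slides' code. The DKIM mechanics are real (RFC 6376 relaxed canonicalization, the bh= body hash, the h= header list, the key record at s1._domainkey.alice.com); the signature primitive is a stand-in, textbook RSA on a 40-bit modulus with no padding, chosen only so the example runs without a crypto library, and it is labelled as such in the code. The key, the DNS record and the message are constructed.

```python
"""DKIM-style signing and verification with a toy signature primitive.

Added example, not the slides' code. The DKIM parts are real (RFC 6376):
relaxed header/body canonicalization, the body hash (bh=), the signed-header
list (h=), the tag=value DKIM-Signature header with b= emptied while hashing,
and the public-key lookup at <selector>._domainkey.<domain>. The signature
primitive is a stand-in: textbook RSA with a 40-bit modulus and no padding so
the demo needs no crypto library; it is insecure and exists only to make the
sign/verify round trip run. Keys, DNS data and messages are constructed.
"""
import base64
import hashlib
import re

# --- toy RSA: stand-in for rsa-sha256 with PKCS#1 v1.5 padding (demo only) ---
P, Q, E = 1000003, 999983, 65537           # small primes; a real key is 2048+ bits
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def toy_sign(digest):
    return pow(int.from_bytes(digest, "big") % N, D, N).to_bytes(8, "big")


def toy_verify(digest, sig, n):
    return pow(int.from_bytes(sig, "big"), E, n) == int.from_bytes(digest, "big") % n


# Constructed DNS: the key record the verifier fetches (p= is the public key).
DNS_TXT = {
    "s1._domainkey.alice.com":
        "v=DKIM1; k=toy; p=" + base64.b64encode(N.to_bytes(8, "big")).decode(),
}


def relaxed_body(body):
    """Relaxed body canonicalization: strip trailing WSP per line, collapse WSP
    runs to one space, drop trailing empty lines, terminate every line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def relaxed_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, collapse WSP."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "").replace("\n", "")).strip()
    return (name.lower() + ":" + value + "\r\n").encode()


def parse_tags(value):
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in value.split(";") if "=" in t)}


def sign(headers, body, domain="alice.com", selector="s1"):
    """Return the DKIM-Signature header value covering `headers` (a list of
    (name, value) pairs) and `body`."""
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    tags = (f"v=1; a=toy-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(n for n, _ in headers)}; bh={bh}; b=")
    to_hash = b"".join(relaxed_header(n, v) for n, v in headers)
    to_hash += relaxed_header("DKIM-Signature", tags).rstrip(b"\r\n")
    return tags + base64.b64encode(toy_sign(hashlib.sha256(to_hash).digest())).decode()


def verify(headers, body, sig_value):
    """Return 'pass', 'fail' or 'permerror' (no usable key record)."""
    tags = parse_tags(sig_value)
    record = DNS_TXT.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "permerror"
    n = int.from_bytes(base64.b64decode(parse_tags(record)["p"]), "big")
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    if bh != tags["bh"]:
        return "fail"                      # body changed in transit
    present = {name.lower(): value for name, value in headers}
    try:
        to_hash = b"".join(relaxed_header(h, present[h.lower()]) for h in tags["h"].split(":"))
    except KeyError:
        return "fail"                      # a signed header is missing
    stripped = re.sub(r"b=[^;]*$", "b=", sig_value)      # hash with b= emptied
    to_hash += relaxed_header("DKIM-Signature", stripped).rstrip(b"\r\n")
    ok = toy_verify(hashlib.sha256(to_hash).digest(), base64.b64decode(tags["b"]), n)
    return "pass" if ok else "fail"


HEADERS = [("From", "Alice <alice@alice.com>"), ("To", "bob@bob.com"), ("Subject", "Lunch?")]
BODY = "Hi Bob,  \n\nLunch   tomorrow?\n\n\n"

if __name__ == "__main__":
    sig = sign(HEADERS, BODY)
    print("DKIM-Signature:", sig)
    print("untouched:     ", verify(HEADERS, BODY, sig))
    print("body edited:   ", verify(HEADERS, BODY.replace("tomorrow", "today"), sig))
    print("from replaced: ", verify([("From", "mallory@evil.example")] + HEADERS[1:], BODY, sig))
```

Relaxed canonicalization is why a signature survives the whitespace changes intermediate MTAs make but not an edited word or a replaced From: header; and because only the headers named in h= are covered, a header the signer leaves out of h= can be altered freely, which is why From: belongs in every signature.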

S/MIME Signatures

• Senders obtain a digital cert from a legitimate Certificate Authority (CA).
• The cert can be used both for signing and for encryption of messages.
• Recipients can verify certs via the certificate chain (just like web browsers).
• Unlike DKIM this is end-to-end: the user agent signs, not the MTA, so it authenticates the author rather than the sending domain.
Problems? Adoption
• Cost of a per-sender cert.

Diagram: user agent signs message -> Alice.com MTA -(SMTP)-> Bob.com MTA -(POP3 or IMAP)-> user agent verifies signature, chaining to the CA

Bayesian Content Filters

• Recipient filter.
• Individualized DB; requires training.
• Learns the words & phrases common in spam (and those common in the user’s legitimate mail).
• A spam “score” is given to each message.
Problems?
• Randomized spam content.
• Misspellings (“V1agra”) that never occurred in training carry no evidence.
• JPEG/PDF spam: the text is inside an image or attachment the tokenizer never sees.

Diagram: Alice.com MTA -(SMTP)-> Bob.com MTA consults its DB: Hash(“Viagra”)? SPAM!
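The scoring the slide draws as Hash(“Viagra”)? SPAM!, written out as an added example (not the slides' code): a naive Bayes filter trained on a constructed eight-message corpus, then asked about a spam-like message, a ham-like one, the misspelled "v1agra n0w" and an empty (image-only) body. The corpus, tokenizer and smoothing constant are demo choices.

```python
"""Naive Bayes spam scoring trained on a constructed corpus.

Added example, not the slides' code. The corpus, tokenizer and smoothing are
demo choices; a real filter trains on the recipient's own mail, which is why
the slide calls the DB "individualized". The last two probes show the two
weaknesses the slide lists: a misspelling the filter has never seen carries no
evidence, and an image-only message carries no tokens at all.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$]+")


def tokens(text):
    """Set of lowercase word tokens; presence is what we score, not counts."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                                   # Laplace smoothing
        self.docs = Counter()                                # class -> messages seen
        self.feat = {"spam": Counter(), "ham": Counter()}    # class -> token -> messages containing it

    def train(self, label, text):
        self.docs[label] += 1
        self.feat[label].update(tokens(text))

    def token_prob(self, label, tok):
        """P(token present | class), smoothed so an unseen token never zeroes a class."""
        return (self.feat[label][tok] + self.alpha) / (self.docs[label] + 2 * self.alpha)

    def token_log_ratio(self, tok):
        return math.log(self.token_prob("spam", tok) / self.token_prob("ham", tok))

    def spam_probability(self, text):
        """P(spam | text): prior log-odds plus the log-likelihood ratio of each token."""
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])
        log_odds += sum(self.token_log_ratio(t) for t in tokens(text))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def informative(self, text, n=5):
        """Tokens that moved the verdict most, for explaining a score to the user."""
        contrib = {t: self.token_log_ratio(t) for t in tokens(text)}
        return sorted(contrib.items(), key=lambda kv: -abs(kv[1]))[:n]


# Constructed training corpus (a real one is thousands of the user's own messages).
SPAM = [
    "buy cheap viagra online now",
    "cheap meds viagra no prescription",
    "hot stock alert buy now penny stock",
    "refinance your mortgage now low rates",
]
HAM = [
    "lunch tomorrow at noon",
    "the paper review is due friday",
    "can you send the slides from lecture",
    "meeting moved to noon on friday",
]


def trained_filter():
    f = BayesFilter()
    for text in SPAM:
        f.train("spam", text)
    for text in HAM:
        f.train("ham", text)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for probe in ("buy viagra now", "lunch at noon tomorrow", "buy v1agra n0w", ""):
        print(f"{probe!r:>26}: P(spam) = {f.spam_probability(probe):.3f}  {f.informative(probe, 3)}")
```

With this corpus "buy viagra now" scores 36/37, "lunch at noon tomorrow" 1/25, while "buy v1agra n0w" drops to 3/4 because two of its three tokens are unseen and contribute nothing, and an empty body sits exactly at the 1/2 prior. That gap is what the slide's "misspellings" and "jpeg/pdf spam" bullets mean, and it is why production filters add character-level features and OCR.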

Vipul’s Razor

• Recipient filter.
• Hash of the email body or of its paragraphs (the message’s “signature”); look this signature up in a centralized DB of known spam.
• Only “Authorized Reporters” can register spam signatures.
Problems?
• Randomized content: a per-message random token changes a whole-body hash, which is why the signatures are also taken per paragraph.
• JPEG/PDF spam.

Diagram: Alice.com MTA -(SMTP)-> Bob.com MTA (computes signature) asks the Razor DB “2e821f039 ok?” and gets OK! -(POP3 or IMAP)-> user agent
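The signature lookup from the diagram, as an added example that is not Razor's own code: signatures over a normalized body and over each paragraph, a DB that accepts reports only from authorized reporters, and a probe showing that a spammer's randomized tail defeats the whole-body signature while the paragraph signatures still match. Razor's real signatures are fuzzy (Nilsimsa) and ephemeral hashes; this demo uses truncated SHA-256, and the reported message, the variant and the reporter list are constructed.

```python
"""Signature lookup in the style of Vipul's Razor, as an added example (not
the project's code). Razor's real signatures include fuzzy (Nilsimsa) and
ephemeral hashes; this demo uses SHA-256 over a normalized body and over each
normalized paragraph to show why a whole-message hash fails against randomized
content while per-paragraph signatures survive it. Reports and DB are constructed.
"""
import hashlib
import re

AUTHORIZED_REPORTERS = {"trusted-reporter"}   # constructed


def normalize(text):
    """Lowercase, drop everything but letters and whitespace (digits, punctuation
    and tracking codes are what spammers churn), collapse whitespace."""
    text = re.sub(r"[^a-z\s]", "", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def paragraphs(text):
    return [p for p in re.split(r"\n[ \t]*\n", text.strip()) if p.strip()]


def signature(text):
    return hashlib.sha256(normalize(text).encode()).hexdigest()[:16]


class RazorDB:
    MIN_PARAGRAPH = 40     # chars after normalization; shorter ones collide with ham too often

    def __init__(self):
        self.body_sigs = set()
        self.para_sigs = {}          # paragraph signature -> report count

    def report(self, text, reporter):
        """Register a spam sample; only authorized reporters may do so."""
        if reporter not in AUTHORIZED_REPORTERS:
            return False
        self.body_sigs.add(signature(text))
        for p in paragraphs(text):
            if len(normalize(p)) >= self.MIN_PARAGRAPH:
                sig = signature(p)
                self.para_sigs[sig] = self.para_sigs.get(sig, 0) + 1
        return True

    def check_body(self, text):
        return signature(text) in self.body_sigs

    def check_paragraphs(self, text, min_hits=2):
        """Flag if at least min_hits paragraphs match known spam paragraphs."""
        hits = sum(1 for p in paragraphs(text) if signature(p) in self.para_sigs)
        return hits >= min_hits


P1 = "Buy cheap meds online today, no prescription needed and discreet shipping to your door."
P2 = "Click here to claim your exclusive discount before this limited offer expires tomorrow."
REPORTED = P1 + "\n\n" + P2 + "\n\nRef: 7731-AB"
VARIANT = P1 + "\n\n" + P2 + "\n\nRef: 9904-QZ\n\nxqfv plorth"      # randomized tail
HAM = "Lunch tomorrow at noon?\n\nBring the slides from lecture if you can."


def demo():
    db = RazorDB()
    db.report(REPORTED, "trusted-reporter")
    return db


if __name__ == "__main__":
    db = demo()
    print("random user may report:", db.report(HAM, "random-user"))
    for label, msg in (("reported", REPORTED), ("variant", VARIANT), ("ham", HAM)):
        print(f"{label:>9}: body={db.check_body(msg)} paragraphs={db.check_paragraphs(msg)}")
```

The minimum paragraph length and the two-hit threshold are the knobs that trade false positives for coverage: short boilerplate ("Thanks, Bob") would otherwise be registered from one spam report and then match everyone's mail. Randomizing words inside every paragraph defeats this exact-hash scheme too, which is why Razor moved to fuzzy hashes and why the slide lists randomized content as the remaining problem.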

Spam Training Honeypots

• Dedicate an inbox to receive only spam.
• Randomly generated name: [email protected]
• Or a common (unused) name: [email protected]
• Email received by this box can be fed to the Bayesian filter, Vipul’s Razor & personal RBLs.

What is used today?

• A combination of all of these techniques.
• SpamAssassin as an example.
• RBLs are low-hanging fruit… they commonly block 80%+ of spam.

Remaining Problems

• Increased client mobility.
• P2P email (no reliance on central scanners or a CA).
• Fast vs. slow path selection based on trust of the sender & the sender’s email path.
• Fast reaction to entity behavior changes (“zombiefication” of hosts).

Micro-payments

• Senders pay a fraction of a cent for each email they send.
• Won’t deter normal email users, but would definitely stop many spammers (though with a botnet the charge lands on the infected machine’s owner, not the spammer).
• Variation: rather than charge for each email, force all email users to put $$ in escrow, charging the account only upon receiving a complaint.

Transitive Social-net Trust

Diagram: Alice, Nancy, Bob, Jim and Carol joined by “trust” edges; an email is accepted along the chain of trust.

• Based on “Small Worlds”.
• No centralized filters.
• Can be completely P2P.
• Trust levels are constantly changing (fast reaction to observed misbehaviors).

P2P Experience & RBL

• User agents collect their own experience (positive and negative) and share it with their social peers.
• User agents generate their own personal RBL modifications based on their “experience DB”.
• User agents query for neighbors’ experiences using multicasting.

Dynamic Grey-listing

• Selectively decide which messages to send on the fast path (Layer 3) vs. through the tarpit (Layer 7, for further inspection).
• The fast path may include no scanning at all, freeing up scanning resources to be used on untrusted messages.

Questions?

• Questions / Comments / Feedback?