Prof. Dr. P. Heinzmann

Computer Associates, IT Security Trends,
Report 2004/05 for media professionals
18 November 2004, SWX Swiss Exchange, Zurich

SPAM

cnlab Information Technology Research AG &
HSR Hochschule für Technik Rapperswil
[email protected], www.cnlab.ch
References:
• Mike Spykerman, "Typical spam characteristics - How to effectively block spam and junk mail", White Paper, Red Earth Software.
• E-Mail Spamming countermeasures: http://ciac.llnl.gov/ciac/bulletins/i005c.shtml
• Howto against Swiss SPAM: http://spam.trash.net/
• Michael Heuberger, "Spamming – Spamming the Internet", Hochschule Rapperswil, I-Seminar, SS 2001.
• Matthias Rambold, "Wie wird SPAM bekämpft?" (How is SPAM fought?), Hochschule Rapperswil, I-Seminar, WS 2001/02.
• Adrian Ruoss, Christian Höhn, "SPAM – Distributed Content Checking … Honeypots", Hochschule Rapperswil, student project, Dept. of Computer Science, WS 2004/05.
Outline
• Who makes the business with SPAM?
• How do I find the spammers? (E-mail details)
• How does one defend against SPAM? (SPAM countermeasures)
How do I become a millionaire?
Forty years ago, Swiss newspapers already carried advertisements offering instructions "How do I become a millionaire?" to anyone sending in a few francs. The terse answer, or instruction, was: "do it the way I do"!
http://www.spamhaus.org/rokso/index.lasso
• 200 known "Spam Operations" (500-600 professional spammers) responsible for 90% of your spam
  – operate 'offshore' using servers in Asia and South America
• spammer
  – listed in ROKSO if terminated by a minimum of 3 consecutive ISPs for AUP violations
  – the spammer's IP addresses are automatically sent to the Spamhaus Block List
• ROKSO assists
  – ISP Abuse Desks
  – Law Enforcement Agencies (with a special, sensitive-information version)
• The Register Of Known Spam Operations (ROKSO) database collates information and evidence on the known spammers and spam gangs, to assist ISP Abuse Desks and Law Enforcement Agencies.
• 90% of spam received by Internet users in North America and Europe can be traced via redirects, hosting locations of web sites, domains and aliases, to a hard-core group of around 200 known spam operations. These spam operations consist of an estimated 500-600 professional spammers loosely grouped into gangs ("spam gangs"), the vast majority of whom are operating illegally.
• Many of these spam operations pretend to operate 'offshore' using servers in Asia and South America to disguise the origin. Those who don't pretend to be 'offshore' pretend to be small ISPs themselves, claiming to their providers the spam is being sent not by them but by their nonexistent 'customers'. Some set up as fake networks, pirate or fraudulently obtain large IP allocations from ARIN/RIPE and use routing tricks to simulate a network, fooling real ISPs into supplying them connectivity. When caught, almost all use the age-old tactic of lying to each ISP long enough to buy a few weeks more of spamming and when terminated simply move on to the next ISP already set up and waiting.
• ROKSO is a "3 Strikes" register: To be listed in ROKSO a spammer must first be terminated by a minimum of 3 consecutive ISPs for Access User Policy (AUP) violations. IP addresses under the control of ROKSO-listed spammers are automatically and preemptively listed in the Spamhaus Block List (SBL).
• For Law Enforcement Agencies there is a special version of this ROKSO database which gives access to records with information, logs and evidence too sensitive to publish here.
http://www.spamhaus.org/rokso/index.lasso
CREATIVE MARKETING ZONE
Alan Ralsky (SPAM King)
• Aliases: Jeff Kramer, Additional Benefits, Creative Marketing Zone Inc, Sam Smith, William Window, ...
• 1997: couple of mailing lists, making $6,000 a week
• 2001: Creative Marketing Zone, Inc., Nevada
• 2002: 250 million valid addresses
  – 0.25% response rate
  – 0.75% of mails opened (hidden notification code)
  – 89 million people have opted out (between 1997 and 2002)
  – up to $22,000 for a single mailing to the entire database
  – stealth spam (Romanian program): detect computers that are online and then flash them a pop-up ad
• 2004: hundreds of domains: aboutchpecha.com, ...
Some statements from Alan Ralsky (Mike Wendland: "Spam king lives large off others' e-mail troubles", November 22, 2002, http://www.freep.com/money/tech/mwend22_20021122.htm and http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky):
• "I've gone overseas," he said. "I now send most of my mail from other countries. And that's a shame. I pay a fortune to providers to do this, and I'd much rather have it go to American companies. But I have to stay in business, and if I have to go out of the country, then so be it."
• The computers in Ralsky's basement control 190 e-mail servers -- 110 located in Southfield, 50 in Dallas and 30 more in Canada, China, Russia and India. Each computer, he said, is capable of sending out 650,000 messages every hour -- more than a billion a day -- routed through overseas Internet companies Ralsky said are eager to sell him bandwidth.
• "I'll never quit," said the 57-year-old master of spam. "I like what I do. This is the greatest business in the world." It's made him a millionaire, he said, seated in the wood-paneled first floor library of his new house. "In fact," he added, "this wing was probably paid for by an e-mail I sent out for a couple of years promoting a weight-loss plan."
• In 1997 he bought a couple of mailing lists from advertising brokers and, with the help of the computers, launched a new career that soon was making him $6,000 a week.
• Ralsky said he includes a link on each e-mail he sends that lets the recipient opt out of any future mailings. He said 89 million people have done just that over the past five years, and he keeps a list of them that grows by about 1,000 every day. That list is constantly run against his master list of 250 million valid addresses.
• The response rate is the key to the whole operation, said Ralsky. These days, it's about one-quarter of 1 percent.
• Ralsky makes his money by charging the companies that hire him to send bulk e-mail a commission on sales. He sometimes charges just a flat fee, up to $22,000, for a single mailing to his entire database.
• Ralsky has other ways to monitor the success of his campaigns. Buried in every e-mail he sends is a hidden code that sends back a message every time the e-mail is opened. About three-quarters of 1 percent of all the messages are opened by their recipients, he said. The rest are deleted.
• Ralsky, meanwhile, is looking at new technology. Recently he's been talking to two computer programmers in Romania who have developed what could be called stealth spam. It is intricate computer software, said Ralsky, that can detect computers that are online and then be programmed to flash them a pop-up ad, much like the kind that display whenever a particular Web site is opened. "This is even better," he said. "You don't have to be on a Web site at all. You can just have your computer on, connected to the Internet, reading e-mail or just idling and, bam, this program detects your presence and up pops the message on your screen, past firewalls, past anti-spam programs, past anything."
SPAM ... mass mailing offers on eBay
SPAM mass mailing offers can be found on eBay, for example. Occasionally one also finds "SPAM bot" offers there.
Type of Spam Categories (% of total spam), 2003
Products    25%
Financial   20%
Adult       19%
Scams        9%
Internet     7%
Health       7%
Leisure      6%
Spiritual    4%
Other        3%
Source (2003): http://www.spam-filter-review.toptenreviews.com/spam-statistics.html
The 2003 statistics were derived from a number of different reputable sources including: Google, Brightmail, Jupiter Research, eMarketer, Gartner, MailShell, Harris Interactive, and Ferris Research.
• Worst of the Spam - Sporn - How well does the email filter support the blocking of sporn or spammed pornography? Does it allow you to block all pornography and/or adult themes? Does it allow you to view quarantined email without viewing any of the pornographic images?
• As much as 8% of all e-mail is pornographic in nature, what we at Spam Filter Review call "Sporn" or spammed pornography.
http://www.spam-filter-review.toptenreviews.com/spam-statistics.html
"419" Scam (Advance Fee Scam)
http://www.joewein.de/sw/419scam.htm
• Nigeria or West African Scam
  – large sum of money sitting in a bank account
  – making payments through you to us
  – at some point, the victim is asked to pay up front an advance fee of some sort
  http://home.rica.net/alphae/419coal/
• Fake Lottery Scam (El Gordo Lottery Madrid, Microsoft Email Lottery)
  – "you have therefore been approved for a lump sum pay out of US$ 500,000.00"
  – "To file for your claim, please contact …"
• Ghana Gold Scam
  – "prepared to provide quantities of up to 400 kilograms of 22 karat alluvial gold monthly"
  – "offer the quantity of gold required to the Buyer [or their representative] upon their arrival here in Accra"
  – "kindly contact me at the numbers listed above"
The so-called "419" scam (aka "Nigeria scam" or "West African" scam) is a type of fraud named after an article of the Nigerian legal code under which it is prosecuted. Most "normal" spam uses bogus sender addresses. For 419 spam, existing mailboxes at legitimate mail providers are used. When such mailboxes get cancelled for abuse, similarly named mailboxes are often created at the same provider. Most 419 scams originate from about a dozen freemailer domains (netscape.net, yahoo.com/yahoo.*, tiscali.co.uk, libero.it, telstra.com, bigpond.com, indiatimes.com, 123.com (Chile), zwallet.com, fsmail.net, hotmail.com, etc., see addresses by domain). A small minority uses throw-away domains registered via MSN (see example), Rediffmail, XO/Concentric, Yahoo/Geocities or other webhosters (ns.sign-on-africa1.net) as the sender instead of a freemailer service, particularly for fake companies and fake banks (e.g. firstcapitalft.com).
http://home.rica.net/alphae/419coal/
http://www.joewein.de/sw/419scam.htm
Nigeria
http://www.lagosestores.com/419/index.htm
Portal with examples of scams and frauds (Nigeria Mail): "When fraud, 419 or scams come up anywhere on the internet Nigeria will be mentioned even when the particular fraud, 419 or scam has nothing to do with Nigeria. This image that we have cut for ourselves through our actions and inactions isn't the best and that image we must change through our collective effort if we must be accorded our due respect."
http://portal.pensys.com/index.cfm?sector=news&page=topic&topic=Scams%20and%20Frauds
Info Grabber
• Personal information (addresses)
• Credit card information
• Banking information (phishing)
• Spyware / Trojan installation
  – keyboard logger
  – bots (zombies)
Cheap Rolex?
Bait offers for Rolex watches, Windows software, competitions, …
A fake order with a wrong MC number and a junk e-mail address was submitted on 17.11.04:
• No encryption
• Wrong credit card number not detected
• No e-mail confirmation of the order
… probably the only aim is to collect credit card and personal information.
http://www.onlinereplicastore.com/checkout.php
Phishing
[Figure: 1. spoof e-mail (spam) → 2. camouflaged hyperlink or fake pop-up → 3. spoofed web site, shown next to the real site]
Camouflaged hyperlink: <A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A>
Ref. Gartner Group, Cannes 2004
Phishing is a spam-based scam that has grown in popularity. Phishing is not a "cyberattack," such as
propagating malicious code. It is a social-engineering attack, in which attackers (or "phishers") trick users
into doing something that will harm them or their companies.
The phisher sends an e-mail message that looks like it comes from a legitimate source — for example, an
online merchant. In many cases, the message states that there is a problem with the user's account and
requests that the user confirm the merchant's information by entering sensitive account information (such as
a credit card number, address, user name and password) into the phisher's Web site, which resembles the
merchant's site. Using this information, the phisher can steal access to the account or perpetrate identity
fraud. In addition, phishing could provide attackers with access to an organization's internal systems, but it is
used for identity theft in most cases.
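The camouflaged hyperlink on the slide (link text showing the bank's address, HREF pointing elsewhere) is something a mail gateway or client can check mechanically. The following is an added example, not code from the slides or from Gartner: it pulls every anchor out of an HTML mail body with Python's standard html.parser and reports those whose visible text names a different host than the target. The mail body and the domain names in it are constructed for the example.

```python
# Added example (not from the original slides): flag HTML anchors whose visible
# text looks like a URL or host name but whose HREF points to a different host,
# the phishing pattern <A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A>.
# The sample mail body and all domain names below are constructed for this example.
import re
from html.parser import HTMLParser

# Optional scheme, optional "www.", then a dotted host with a TLD, followed by a
# path separator or end of string. Used on both the HREF and the visible text.
HOSTLIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


def host_of(text):
    """Host named in a URL or URL-like text (lowercased), or None if it is plain text."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element; tolerates unquoted HREFs."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def camouflaged_links(html):
    """Return (href_host, text_host) pairs where the link text names one host
    and the HREF leads to another. Anchors with plain-word text ("Help") are
    not reported: only text that itself looks like an address can mislead."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        text_host, href_host = host_of(text), host_of(href)
        if text_host and href_host and text_host != href_host:
            hits.append((href_host, text_host))
    return hits


# Constructed sample mail body: one camouflaged link, one harmless text link,
# one link whose text and target agree.
SAMPLE_MAIL = """<p>Dear customer, please verify your account:</p>
<A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A><br>
<a href="https://www.yourbank.com/help">Help</a>
<a href="https://www.yourbank.com/login">www.yourbank.com/login</a>"""

if __name__ == "__main__":
    for href_host, text_host in camouflaged_links(SAMPLE_MAIL):
        print(f"link shows {text_host} but leads to {href_host}")
```

The host comparison is deliberately on the registrable-looking host only, so `www.yourbank.com` and `yourbank.com` are treated as the same site; a stricter deployment would also canonicalise IDN and percent-encoded hosts before comparing.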
Botnet Providing
• networks of zombie PCs used
  – as anonymous relays for spam
  – to launch denial of service attacks on websites
  – to steal confidential information about a PC's owner
• More than 30,000 PCs per day are being taken over to spread spam and viruses (the botnet peak of new recruits was 75,000 in one day)
• 4,496 Windows viruses were detected in the first six months of 2004
• October 5, 2004: Spy Act
The 75,000 new recruits per day peak in 2004 is due to a "battle" between the MyDoom and Bagle virus teams.
On October 5, 2004, the U.S. House of Representatives passed a bill (the Spy Act) to criminalize the act of altering PC configurations, taking control of and downloading software onto a PC without the owner's consent: By a 399-1 vote, House members approved legislation prohibiting "taking control" of a computer, surreptitiously modifying a Web browser's home page, or disabling antivirus software without proper authorization.
The Spy Act would also create a complicated set of rules governing software capable of transmitting information across the Internet. It would give the Federal Trade Commission authority to police violations of the law and to levy fines of up to $3 million in the most pernicious cases.
Sendmails Corp
• offers members $5 for downloading and installing the company's VirtualMDA (mail delivery agent) software
• pays an additional $1 for every hour of computing time that the VirtualMDA software spends blasting out e-mails on behalf of Sendmails and its clients
http://www.wired.com/news/business/0,1367,63146,00.html
After downloading and analyzing the VirtualMDA software last week, Jones said
he concluded that Sendmails' "primary reason for doing that service is so their
clients' IP addresses don't get blocked by all the spam lists. Instead, all these
cable-modem users who install the software get banned."
"VirtualMDA was developed as a result of marketing companies not being able to get e-mail delivered," said Haberstroh. "We were sequestered by a rather large Fortune 1000 company to create an e-mail deployment service that would basically get their e-mail delivered to the recipients whose addresses they were paying for."
Haberstroh, VirtualMDA, Sendmails and its parent company, Atriks, have not
managed to keep themselves off the Spamhaus Register of Known Spam
Operations. Run by a British nonprofit, the online directory contains hundreds of
records of suspected spammers.
Beagle_J Mass Mailing Worm
[Figure: worm components – e-mail attachment, backdoor, SMTP / HTTP, file system]
• Beagle_J is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email.
• Sends the attacker the port on which the backdoor listens, as well as the IP address.
• Attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.
Selling IP addresses of infected machines
• 21.02.2004: the c't editorial staff buys from virus distributors
• Trojan installed on thousands of machines (virus "Randex")
• Contacts its "master" via the IRC chat protocol
• Receives commands such as
  – search for CD keys of games
  – launch SYN flood attacks from the infected system
  – download further software (e.g. for relaying spam)
• spreads further via the Windows directory service, especially within subnets
"Ferngesteuerte Spam-Armeen, Nachgewiesen: Virenschreiber liefern Spam-Infrastruktur" (Remote-controlled spam armies; proven: virus writers supply spam infrastructure), c't 5/04, p. 18.
URL of this article: http://www.heise.de/newsticker/meldung/44869
E-mail to cnlab.ch (June 2003)
Detected SPAM        53%
Wrong recipients     30%
Viruses              11%
Undetected SPAM       3%
Mail                  3%
Mail on the dissecting table
Electronic Mail (e-mail)
[Figure: path of a message from [email protected] (mail client on host 1 in aaa.com) through a send server, a relay server and a receive server (server 1 … server 3, host 1 in bbb.ch) and Internet routers to [email protected]]
An open mail relay occurs when a mail server processes a mail message where neither the sender nor the recipient is a local user. In this example, both the sender and the recipient are outside the local domain (or rather, the local IP range, for the technically inclined). The mail server is an entirely unrelated third party to this transaction. The message really has no business passing through this server.
The legitimate use of a mail relay is threatened by the influx of spam email originating from a third party, the spammer. Abuse occurs when massive amounts of mail are relayed through an otherwise unrelated server. Most such abusive sessions are initiated by junk emailers - the so-called spammers - attempting to covertly distribute their unwanted messages all over the Internet. In the past, third party mail relaying was a useful tool. These days, thanks to the spammers, open mail relays pose a significant threat to the usefulness of email.
ORDB.org is the Open Relay Database. ORDB.org is a non-profit organisation which stores the IP addresses of verified open SMTP relays. These relays are, or are likely to be, used as conduits for sending unsolicited bulk email, also known as spam. By accessing this list, system administrators can choose to accept or deny email exchange with servers at these addresses.
Typical E-Mail Server Setup
[Figure: external mail gateway – Antivir Mailgate (port 25), SMTPD (port 2225), Spamassassin, qmail queue, McAfee WebShield (port 2525) – delivering via SMTP to the internal mail server (Exchange, port 25) with GroupShield; Outlook client with Junkmail filter and VirusScan]
• Antivir Mailgate performs the relay check and the virus check (mails containing viruses are deleted)
• Spamassassin tags mails that are classified as spam
• A second virus scanner (McAfee) detects viruses that Antivir did not find (e.g. because the virus signature files are not equally up to date)
• GroupShield examines the Exchange store, i.e. mails already received (which arrived, for example, before the virus signatures were known)
It would make good sense to do spam and virus checking for outgoing mails as well:
• Spam filter training with "good mails"
• Alerting when "real mails" would be detected as SPAM
• Detecting internal spammers
• Preventing viruses from being sent outwards
Mail message format: RFC 822, the standard for the text message format
• SMTP envelope (written by servers)
  – RCPT TO:
  – MAIL FROM:
• header lines
  – To:
  – From:
  – Subject:
  – …
• body
  – the "message", ASCII characters only
[Figure: the envelope wraps the DATA part, which consists of header, blank line and body]
With a normal e-mail client, the header information is passed from the client program to the SMTP process. That is, when a normal e-mail is sent, the addresses entered into the "To:" and "CC:" fields of the sender's mail program are not only used to generate these two header lines, but are also transferred onto the envelope in the SMTP dialogue as "RCPT TO:" and "MAIL FROM:".
The envelope contains the information relevant for delivering an e-mail, which is interpreted primarily by the mail servers. The client is usually not interested in the envelope information. However, certain data from the envelope is sometimes copied into the header.
http://sites.inka.de/ancalagon/faq/headerfaq.php3#Section_2.1
Mail header additions by involved SMTP servers
• Each SMTP recipient adds its domain name (with IP address) and a "time stamp" to the mail header
[Figure: Received chain of a mail passing through tslzgp157.iprolink.ch (mail client/SMTP), mail.iprolink.ch (SMTP server) and sky.itr.ch (SMTP/POP server)]
These "stamps" are placed on the envelope of the mail by each SMTP server. The SMTP/ESMTP IDs as well as the time stamp have local significance only (i.e. it is just the local time of the corresponding server).
[see also http://www.stopspam.org/email/headers/headers.html]
Return-Path: <[email protected]>
Received: from mx3.gmx.example ([email protected] [195.63.104.129])
    by ancalagon.rhein-neckar.de (8.8.5/8.8.5) with SMTP id SAA25291
    for <[email protected]>; Thu, 16 Sep 1998 17:36:20 +0200 (MET DST)
Received: (qmail 1935 invoked by alias); 16 Sep 1998 15:36:06 -0000
Delivered-To: GMX delivery to [email protected]
Received: (qmail 27698 invoked by uid 0); 16 Sep 1998 15:36:02 -0000
Received: from pbox.rz.rwth-aachen.example (137.226.144.252)
    by mx3.gmx.example with SMTP; 16 Sep 1998 15:36:02 -0000
Received: from post.rwth-aachen..example (slip-vertech.dialup.RWTH-Aachen.EXAMPLE [134.130.73.8])
    by pbox.rz.rwth-aachen.example (8.9.1/8.9.0) with ESMTP id RAA28830
    for <[email protected]>; Wed, 16 Sep 1998 17:35:59 +0200
Message-ID: <[email protected]>
Date: Wed, 16 Sep 1998 17:33:35 +0200
From: Heinz-Gustav Hinz <[email protected]>
Organization: RWTH Aachen
X-Mailer: Mozilla 4.05 [de] (Win95; I)
To: Karl-Heinz Schmitt <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: Hallo Nachbar!
References: <[email protected]>
Reply-To: [email protected]
X-Resent-By: Global Message Exchange <[email protected]>
X-Resent-For: [email protected]
X-Resent-To: [email protected]
• The Return-Path line, if it exists, should be at the very beginning of the e-mail. It contains the envelope-from (i.e. the sender information from the SMTP envelope). With SMTP, this can be specified arbitrarily.
• The "real" delivery marks are the "Received:" header lines, which are prepended by the mail server before an e-mail is forwarded.
• The topmost "Received:" line was generated by one's own mail server (or the provider's). A "Received:" line always states who received the mail from whom.
• Depending on the mail server used, certain Received lines can look very peculiar (cf. Received: (qmail ...) and Delivered-To: GMX ..., which are a specialty of the GMX mailer).
• The Message-ID is a unique identifier of the e-mail (comparable to a serial number). It should consist of a distinctive string before the "@" (usually date and user ID in an encoded form) and a host name after the "@". The Message-ID is often generated by the sender's mail program; otherwise most mail servers add it if it is missing.
• All header lines beginning with "X-" are not standardised and can be inserted arbitrarily by various programs (or users).
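Reading a Received chain by hand, as the notes above describe, is easy to automate: the bottom line is the oldest hop, each line names who received the mail from whom, and the time stamps give the delay per hop. The following added example (not code from the slides or from the cited header FAQ) does this with Python's standard email module on a message modelled on the header example above; the host names are the slide's own, the mailbox names and the message body are constructed placeholders. The "originating IP" it reports is only as trustworthy as the Received lines it is read from: the lines added by the recipient's own servers can be relied on, anything below them could have been forged by the sender.

```python
# Added example (not from the original slides): walk the Received: chain of a
# message bottom-up, i.e. in the order the hops actually happened, and report
# who received the mail from whom, the delay per hop and the first recorded
# sender IP. The message is constructed after the slide's header example;
# mailbox names (khs, hgh) and the body are placeholders.
import calendar
import email
import re
from email.utils import parsedate_tz

SAMPLE_MESSAGE = """\
Return-Path: <hgh@rwth-aachen.example>
Received: from mx3.gmx.example (mail@mx3.gmx.example [195.63.104.129])
\tby ancalagon.rhein-neckar.de (8.8.5/8.8.5) with SMTP id SAA25291
\tfor <khs@ancalagon.rhein-neckar.de>; Thu, 16 Sep 1998 17:36:20 +0200 (MET DST)
Received: (qmail 1935 invoked by alias); 16 Sep 1998 15:36:06 -0000
Delivered-To: GMX delivery to khs@gmx.example
Received: (qmail 27698 invoked by uid 0); 16 Sep 1998 15:36:02 -0000
Received: from pbox.rz.rwth-aachen.example (137.226.144.252)
\tby mx3.gmx.example with SMTP; 16 Sep 1998 15:36:02 -0000
Received: from post.rwth-aachen.example (slip-vertech.dialup.RWTH-Aachen.EXAMPLE [134.130.73.8])
\tby pbox.rz.rwth-aachen.example (8.9.1/8.9.0) with ESMTP id RAA28830
\tfor <khs@gmx.example>; Wed, 16 Sep 1998 17:35:59 +0200
From: Heinz-Gustav Hinz <hgh@rwth-aachen.example>
To: Karl-Heinz Schmitt <khs@gmx.example>
Subject: Re: Hallo Nachbar!

Hallo Nachbar!
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _to_epoch(datestr):
    """RFC 822 date -> seconds since the epoch (UTC); a '-0000' zone is taken as UTC."""
    parsed = parsedate_tz(datestr)
    if parsed is None:
        return None
    return calendar.timegm(parsed[:9]) - (parsed[9] or 0)


def parse_received(value):
    """Split one Received: value into from-host, its comment (often the IP), by-host and time."""
    flat = " ".join(value.split())                    # unfold continuation lines
    clause, sep, date_part = flat.rpartition(";")     # the time stamp follows the last ';'
    if not sep:
        clause, date_part = flat, ""
    m_from = FROM_RE.search(clause)
    # Drop parenthesised comments before looking for "by": a qmail line reads
    # "(qmail 1935 invoked by alias)" and names no receiving host at all.
    m_by = BY_RE.search(re.sub(r"\([^)]*\)", "", clause))
    return {
        "from": m_from.group(1) if m_from else None,
        "from_comment": m_from.group(2) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "epoch": _to_epoch(date_part) if date_part else None,
    }


def received_chain(raw_message):
    """Hops in chronological order: the bottom Received: line is the oldest."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def hop_delays(chain):
    """Seconds between consecutive hops; large gaps or negative values deserve a look."""
    return [b["epoch"] - a["epoch"] for a, b in zip(chain, chain[1:])]


def originating_ip(chain):
    """First IP address recorded for a sending host, starting at the oldest hop."""
    for hop in chain:
        for field in (hop["from_comment"], hop["from"]):
            m = IP_RE.search(field or "")
            if m:
                return m.group(0)
    return None


if __name__ == "__main__":
    chain = received_chain(SAMPLE_MESSAGE)
    for hop, delay in zip(chain, [0] + hop_delays(chain)):
        print(f"{hop['by'] or '(local)':28s} received from {hop['from'] or '(local)':28s} +{delay}s")
    print("originating IP:", originating_ip(chain))
```

The sample produces five hops (the two qmail lines are internal to the GMX mailer and name no hosts) with delays of 3, 0, 4 and 14 seconds, and 134.130.73.8 as the first recorded sender address.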
Displaying header information
• Outlook Express 4, 5, & 6 (Windows)
  – While viewing the message, click the File menu, then click Properties. On the Details tab, you will need to right click, choose Select All (this should highlight all the text). Then right click again, and choose Copy. You must then paste the headers into the forwarded message (click the Edit menu, then choose Paste).
• Microsoft Outlook 98 & 2000 (Windows)
  – Double click the message to open it in a new window. Go to the View menu and choose Options. Copy the text in the Internet Headers window by right clicking and choosing Select All, then right clicking again and choosing Copy. Then paste the headers when you forward the message (click the Edit menu and choose Paste).
• Netscape Mail & News (Win, Linux & Mac)
  – Click the Options menu, choose Show Headers, then select All. (Note: Some older versions of Netscape may not be able to show the complete headers.)
The header information is like the envelope around an email, telling the sender's address, the time it was sent, and where it was sent from. Email header information includes the "To" and "From" data about an email. More importantly, it also contains a lot of other information about the source of an email. Knowing how to get to the header is important if you ever want more information about where the email came from. Many email programs hide much of the header information because most of the time you don't need it. This tutorial will teach you how to read and view the full header of emails in different email programs. What the header information "means" is beyond the scope of this tutorial.
Most spam these days is sent with a fake return address. To figure out where the spam really came from, the following web form is a tool to let you find out which provider an IP address is assigned to: http://www.joewein.de/sw/spamhowto.htm
SPAM / Mass mail: detection and filtering

SPAM countermeasures
• Technical
  – sending mail server
  – receiving mail server
  – client
  – SPAM filter service operator
  – mailbox operator
• Organisational, behaviour
  – user
    • use of one's own mail address
    • reaction to SPAM mails
  – society
    • legal situation
    • economic situation
    • cost consequences
Technical SPAM countermeasures
[Figure: spammer → sending server → Internet (routers) → receiving server (bbb.ch); the receiving server consults a blacklist containing e.g. 230.60.6.6, 152.96.123.11, 80.123.122.5, ...]
• Accept only mails from local clients (no relaying)
• Client authentication
• Delaying tactics (tar pit)
• Filtering (sender, content, tag)
• Rejection of mails (blacklists)
• Querying the sender (SPF, greylisting)
• Filtering (sender, content, number of identical mails / DCC)
Avoid e-mail grabbing
• Identify and abort dictionary attacks
• Identify and abort address-harvesting attacks (e-mail tag handling)
Boundary Defense
• "Nonaccept" a message (simply decline to accept it, rather than receiving it at all)
• Disable relaying, verify (VRFY) and expand (EXPN)
Header Analysis (Reading email headers by www.stopspam.org: http://www.stopspam.org/email/headers/headers.html)
• Validity of the sender (using "reverse lookup")
• Consistency between the sender and the from fields
• Tactics used by known spammers that are highly unlikely to be found in normal messages
Content Analysis
• A set of rules to search for known spammer tactics
• A set of rules to search for known chain letters, hoaxes and urban legends
• The ability to look for words and phrases in a targeted "words list" (for example, porn, financial services)
• The ability to do contextual analysis
• The ability to "tune" the product for the environment
Sensing or Reporting
• Put e-mail accounts in all the places spammers love to harvest addresses (SPAM honeypot)
• Create consortia or user groups to develop and share anti-spam rules
Blacklists and White Lists
• Create a white list of domains that are always allowed to receive e-mail, no matter what the content is
• URL blacklist
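A dictionary attack, the first item under "Avoid e-mail grabbing", shows up in the receiving server's log as one client producing a burst of rejected, unknown recipients at a single domain. The following added example (not code from the slides) runs that detection over a few constructed log lines: it counts unknown-recipient rejections per client within a sliding time window and flags clients that exceed a threshold, which is the signal a server would use to abort the session or apply the tar-pit delay mentioned on the previous slide. The log format is constructed for this example, not any particular MTA's format.

```python
# Added example (not from the original slides): detect SMTP dictionary attacks
# from a recipient-rejection log. Log lines, client IPs and the log format itself
# are constructed for this example; adapt LINE_RE to your MTA's real format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One constructed line per RCPT TO: timestamp, client IP, recipient, outcome.
SAMPLE_LOG = """\
2004-11-17 10:02:13 client=203.0.113.7 rcpt=<aaron@bbb.example> status=unknown_user
2004-11-17 10:02:14 client=203.0.113.7 rcpt=<abby@bbb.example> status=unknown_user
2004-11-17 10:02:14 client=203.0.113.7 rcpt=<adam@bbb.example> status=unknown_user
2004-11-17 10:02:15 client=198.51.100.4 rcpt=<info@bbb.example> status=ok
2004-11-17 10:02:15 client=203.0.113.7 rcpt=<admin@bbb.example> status=ok
2004-11-17 10:02:16 client=203.0.113.7 rcpt=<alan@bbb.example> status=unknown_user
2004-11-17 10:02:16 client=203.0.113.7 rcpt=<alex@bbb.example> status=unknown_user
2004-11-17 10:02:17 client=198.51.100.4 rcpt=<sales@bbb.example> status=unknown_user
2004-11-17 10:02:17 client=203.0.113.7 rcpt=<alice@bbb.example> status=unknown_user
2004-11-17 10:02:18 client=203.0.113.7 rcpt=<amy@bbb.example> status=unknown_user
2004-11-17 10:02:19 client=198.51.100.4 rcpt=<support@bbb.example> status=ok
""".splitlines()

LINE_RE = re.compile(r"^(\S+ \S+) client=(\S+) rcpt=<([^>]*)> status=(\S+)$")


def parse_log(lines):
    """Yield (timestamp, client_ip, recipient, status) for every well-formed line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines in another format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def dictionary_attackers(lines, window=timedelta(minutes=5), max_unknown=5):
    """Return {client_ip: total unknown-recipient rejections} for every client
    that produced more than max_unknown such rejections inside any `window`.
    A legitimate sender mistyping one address never reaches the threshold;
    a client walking through a name list does within seconds."""
    rejections = defaultdict(list)
    for ts, client, _rcpt, status in parse_log(lines):
        if status == "unknown_user":
            rejections[client].append(ts)
    flagged = {}
    for client, times in rejections.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):          # sliding window over the rejections
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > max_unknown:
                flagged[client] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for client, count in dictionary_attackers(SAMPLE_LOG).items():
        print(f"{client}: {count} unknown recipients, abort session / tar-pit")
```

In the constructed log, 203.0.113.7 tries seven non-existent mailboxes in alphabetical order within five seconds and is flagged; 198.51.100.4 has one typo among otherwise valid recipients and is not.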
Sender Authentication Initiatives
Initiative                       Initiator            How it works
Domain Keys                      Yahoo!               Public key infrastructure (PKI) and DNS
Caller ID                        Microsoft            XML records stored in DNS
Sender Policy Framework (SPF)    Meng Wong (Pobox)    Concise text records stored in DNS
Sender ID                        Microsoft / Pobox    Convergence of Caller ID and SPF (see below)
Source: Gartner Group, Cannes 2004
There are four sender authentication initiatives:
• Domain keys: Uses PKI and DNS. A domain owner generates a public and private key pair, makes the public one available via DNS, and configures that domain's outbound mail servers to sign messages with the private key. Inbound mail servers would then need to check that signature against the public key. This initiative is at the early draft stage.
• Caller ID: Uses XML records stored in DNS, which list the IP address ranges that send e-mails legitimately from a particular domain. This initiative is at a relatively early stage. Caller ID for E-Mail is the third major e-mail authentication specification to emerge, after SPF (Sender Permitted From) and Yahoo Domain Keys. These multiple specifications will impede adoption, as will the need to introduce new intra-enterprise practices and technology upgrades. The various e-mail authentication initiatives will accelerate the spread of domain-to-domain authentication among early technology adopters and regulated industries.
• SPF: Uses concise text records stored in DNS. It can designate which servers are sending from a domain legitimately by using IP address ranges, or established mail exchange (MX) records. Inbound mail servers that are configured to parse SPF return one of several possible responses, and system administrators can decide what to do with the result.
• Sender ID: The convergence of Microsoft's Caller ID for E-Mail proposal and Meng Wong's SPF. Microsoft has submitted this to the IETF.
SPF is the only initiative that has been adopted. A significant number of domains publish SPF records, including AOL. It has been injected into the open source "wild," which means its growth is viral. The number of open-source mail servers that support SPF is increasing, and it is being adopted into antispam software.
Sender Policy Framework (SPF)
• SPF records are TXT records in DNS
• A mail server, or anti-spam filter, that supports SPF checking does a DNS TXT query for the address supplied in the SMTP (Simple Mail Transfer Protocol) "MAIL FROM" command. The response may be
  – No published SPF records
  – Pass
  – Fail
  – Sender cannot be confirmed as legitimate or illegitimate
  – Lookup error
  – The check is neutral or incomplete, which should be treated as if there was no SPF record
A domain's SPF records indicate which servers are allowed to send e-mail on behalf of that domain — that is, which servers can send e-mail purporting to be from an e-mail address at that domain. SPF records can be constructed loosely to indicate that "these particular servers are definitely legitimate, but mail from other servers may or may not be legitimate," or they can specify that all servers can legitimately send e-mail from that domain.
SPF publishes where correct mail from <domain> should originate. The IETF MARID working group was closed in September 2004 because of Microsoft license violations.
Switch does not use SPF any further.
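The result classes listed on the slide come out of a fairly small evaluation of the published record against the connecting IP. The following added example (not code from the slides or from any SPF implementation) evaluates records of the form `v=spf1 ip4:... a mx -all` and returns none, pass, fail, softfail, neutral or permerror. DNS is replaced by a constructed in-memory table so the example runs offline; the domains and IP addresses in it are constructed sample values. Only the ip4, ip6, a, mx and all mechanisms are handled (no include, redirect, or CIDR suffixes on a/mx), and the slide's "lookup error" case (a temporary DNS failure) does not arise with a static table.

```python
# Added example (not from the original slides): a minimal SPF evaluator that
# reproduces the result classes on the slide. FAKE_DNS stands in for real DNS
# and holds constructed sample records; the domains and IPs are not real.
import ipaddress

FAKE_DNS = {
    "txt": {
        "bbb.example":    "v=spf1 ip4:152.96.123.0/24 a mx -all",   # strict policy
        "soft.example":   "v=spf1 ip4:10.1.1.1 ~all",               # softfail for others
        "loose.example":  "v=spf1 ip4:10.2.2.2",                    # no "all": neutral
        "broken.example": "v=spf1 ip4:not-an-ip -all",              # malformed record
    },
    "a":  {"bbb.example": ["80.123.122.5"], "mail.bbb.example": ["203.0.113.25"]},
    "mx": {"bbb.example": ["mail.bbb.example"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(name, dns):
    return [ipaddress.ip_address(a) for a in dns["a"].get(name, [])]


def check_spf(client_ip, mail_from_domain, dns=FAKE_DNS):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP.
    Returns one of: none, pass, fail, softfail, neutral, permerror."""
    record = dns["txt"].get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                                  # no published SPF record
    ip = ipaddress.ip_address(client_ip)
    try:
        for term in record.split()[1:]:                # mechanisms, left to right
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = ip in _a_records(arg or mail_from_domain, dns)
            elif mech == "mx":
                mx_hosts = dns["mx"].get(arg or mail_from_domain, [])
                matched = any(ip in _a_records(h, dns) for h in mx_hosts)
            else:
                return "permerror"                     # mechanism this evaluator does not know
            if matched:
                return QUALIFIERS[qualifier]           # first matching mechanism decides
    except ValueError:
        return "permerror"                             # malformed IP or network in the record
    return "neutral"                                   # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, domain in [("152.96.123.11", "bbb.example"), ("203.0.113.25", "bbb.example"),
                       ("230.60.6.6", "bbb.example"), ("230.60.6.6", "soft.example"),
                       ("230.60.6.6", "loose.example"), ("230.60.6.6", "nospf.example"),
                       ("230.60.6.6", "broken.example")]:
        print(f"{ip:15s} MAIL FROM @{domain:15s} -> {check_spf(ip, domain)}")
```

What the receiving server does with the result is policy, as the Gartner notes say: rejecting on fail is common, while softfail and neutral are usually fed to the content filter as one more score rather than acted on alone.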
Receive Server Actions (Blacklists)
http://mail-abuse.org/rbl
[Figure: a spammer (230.60.6.6) at the spammer's ISP (212.14.4.10) sends via a relay mail server over the Internet to the recipient's mail server (124.12.50.2), which delivers to the recipient (124.12.50.24). The recipient's server checks the sending address against the Relay Blocking List (RBL, http://mail-abuse.org/rbl/, containing e.g. 230.60.6.6 and 52.5.33.5) and the Mail Abuse Prevention List (MAPS, http://mail-abuse.org/dul/, containing e.g. 230.60.6.6 and 212.14.4.76) and rejects the mail]
Various blacklists contain addresses and names of machines that do not behave in accordance with "be a good Netizen". Such lists are, for example:
ISPs, servers and machines through which SPAM is sent and which, despite warnings, do nothing about it are to be made public:
• Mail Abuse Prevention System (MAPS) http://mail-abuse.org lists
• RBL (Realtime Blackhole List) http://mail-abuse.org/rbl/
• DUL (Dial-up User List) http://mail-abuse.org/dul/
Servers that can be used by anyone as a relay or sending server:
• Open Relay Behaviour modification System (ORBS) http://www.orbs.org (tracking SMTP servers that have been confirmed to permit third-party relay)
• MAPS Relay Spam Stopper (RSS): queryable DNS-based database of spam-relaying mail servers; sites are added to the RSS because they are insecure ("open relay") email servers that have transmitted spam to our users
Example Server Side Blocking:
Spamhaus Block List ("SBL")
• set mail server's anti-spam
DNSBL feature (sometimes
called "Blacklist DNS Servers"
or "RBL servers") to query
either of the DNS zones:
– sbl.spamhaus.org
– spamhaus.relays.osirusoft.com
• February 2003: SBL protects
approximately 110 million
users
• ROKSO: Register of known
SPAM Operations
The SBL is a free DNS-based database of IP addresses of spam sources (spammers, spam gangs
and spam support services) queriable in realtime by mail systems throughout the Internet for the
purpose of refusing Unsolicited Bulk Email (spam).
The SBL database is updated 24/7 by an international team (US, UK, NL, I), distributed by 16
SBL zone mirrors based in Belgium, Denmark, Germany, Greece, Italy, Netherlands, South
Africa, UK and USA, and supplies direct hourly SBL feeds to many of the Internet's major
service providers, corporations, universities, government and military networks.
The SBL is used by numerous U.S. and European backbones/tier-1 providers and ISPs, a number
of U.S. and European government and military networks, and a number of large free email
providers. Most large SBL subscribers, universities and corporations (including major banks,
aerospace, electronics and computer manufacturers) have direct hourly SBL feeds and thousands
of mail relays throughout the Internet subscribe to sbl.spamhaus.org in normal DNS-Query mode.
At February 2003 we estimated these to be serving approximately 75 million users. In addition to
these, a mirror of the SBL is also incorporated in the relays.osirusoft.com DNSBL which itself
has an estimated coverage of 35 million mailboxes, meaning the SBL currently protects
approximately 110 million users.
ROKSO is a register of known spam operations (spammers and spam gangs) that have been
thrown off Internet Service Providers 3 times or more. These are the 180+ known determined
spammers, many with criminal records for fraud and theft, responsible for over 90% of American
and European spam. ROKSO collates information and evidence on each spam operation to assist
ISP Abuse Desks, researchers and Blocklist maintainers.
[http://www.spamhaus.org/SBL/sbl-faqs.lasso]
See also: http://spamcop.net/bl.shtml
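An added example (not from the slides, not Spamhaus or MAPS code) of the lookup that the "DNSBL feature" of a mail server performs for the lists on the two preceding slides: the connecting client's IP is written in reverse, looked up as an A record under the list's zone, and an answer in 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The zone names and the dictionary standing in for DNS are constructed; a real MTA would resolve the same names over DNS.

```python
import ipaddress

# Constructed stand-in for DNS (not real zones or listings). Real zones such as
# sbl.spamhaus.org are queried the same way, just over DNS.
FAKE_DNS = {
    # the relay 230.60.6.6 and the spammer 212.14.4.76 from the slide diagram
    "6.6.60.230.rbl.example.test": ["127.0.0.2"],
    "76.4.14.212.dul.example.test": ["127.0.0.3"],
    # every DNSBL lists 127.0.0.2 as a test entry; 127.0.0.1 must never be listed
    "2.0.0.127.rbl.example.test": ["127.0.0.2"],
    "2.0.0.127.dul.example.test": ["127.0.0.3"],
    # a dead list that has been wildcarded: it answers positively for everything
    "1.0.0.127.dead.example.test": ["127.0.0.2"],
    "2.0.0.127.dead.example.test": ["127.0.0.2"],
    "2.50.12.124.dead.example.test": ["127.0.0.2"],
}


def dnsbl_query_name(ip, zone):
    """230.60.6.6 in zone rbl.example.test -> 6.6.60.230.rbl.example.test"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name, dns=FAKE_DNS):
    """Stand-in for a DNS A lookup; an empty list plays the role of NXDOMAIN."""
    return dns.get(name, [])


def check_dnsbl(ip, zone, dns=FAKE_DNS):
    """Return 'listed', 'not_listed' or 'error' for one IP against one zone."""
    answers = resolve_a(dnsbl_query_name(ip, zone), dns)
    if not answers:
        return "not_listed"
    # listing codes live in 127.0.0.0/8; anything else is not a DNSBL answer
    if any(ipaddress.IPv4Address(a) not in ipaddress.IPv4Network("127.0.0.0/8")
           for a in answers):
        return "error"
    return "listed"


def zone_is_sane(zone, dns=FAKE_DNS):
    """Check a list before trusting it: the test entry 127.0.0.2 must be listed
    and 127.0.0.1 must not be. A zone that lists 127.0.0.1 is broken or has
    been wildcarded after shutdown and would make the MTA refuse all mail."""
    return (check_dnsbl("127.0.0.2", zone, dns) == "listed"
            and check_dnsbl("127.0.0.1", zone, dns) == "not_listed")


def smtp_connect_decision(client_ip, zones, dns=FAKE_DNS):
    """The reply the receiving MTA gives the connecting client after consulting
    the configured DNSBL zones in order."""
    for zone in zones:
        if not zone_is_sane(zone, dns):
            continue                       # ignore a dead or wildcarded list
        if check_dnsbl(client_ip, zone, dns) == "listed":
            return (554, "5.7.1 Service unavailable; client %s blocked using %s"
                    % (client_ip, zone))
    return (250, "OK")
```

In Postfix the same check is the `reject_rbl_client sbl.spamhaus.org` restriction; Sendmail and Exim have equivalent dnsbl features. The sanity check is not academic: the second zone the slide suggests, spamhaus.relays.osirusoft.com, belonged to the Osirusoft lists, which were shut down in August 2003 and then answered positively for every query, so sites that kept querying them refused all incoming mail.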
Collaborative spam identification
databases (NetworkTests)
• Razor database http://razor.sourceforge.net
– allow Unix clients to work out of the same database used by
the commercial customers of the Cloudmark system
• Pyzor http://pyzor.sourceforge.net
– free database and software system, written by Frank Tobin.
• Distributed Checksum Clearinghouse (DCC)
http://www.rhyolite.com/anti-spam/dcc/
– thousands of clients, more than 200 servers
– counting checksums related to more than 130 million mail
messages per day
– If messages with a specific checksum are sent to more than a
given number of
The idea of the DCC is that if mail recipients could compare the mail they
receive, they could recognize unsolicited bulk mail. A DCC server totals reports
of checksums of messages from clients and answers queries about the total counts
for checksums of mail messages. A DCC client reports the checksums for a mail
message to a server and is told the total number of recipients of mail with each
checksum. If one of the totals is higher than a threshold set by the client and, according
to local whitelists, the message is unsolicited, the DCC client can log, discard, or reject
the message.
Razor computes an exact checksum: as soon as a single character differs, the checksum is
different.
DCC: fuzzy checksum over the body and certain address fields; similar mails produce the
same checksum.
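An added example (not from the slides, not DCC or Razor code) of the difference just described: an exact checksum changes with every altered byte, while a checksum taken over a normalised body collapses slightly varied copies of one bulk mail to the same value, so a clearinghouse that counts reports can recognise them as bulk. The three sample messages are constructed, and the normalisation is a deliberately simple stand-in for DCC's real fuzzy checksums.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: three copies of one bulk mail, each altered a little to
# defeat exact matching (different order number, case, punctuation, HTML tags).
SPAM_VARIANTS = [
    "Get RICH now!!! Visit http://example.invalid/offer?id=48213",
    "get rich NOW... visit http://example.invalid/offer?id=99017",
    "<b>Get</b> rich now. Visit  http://example.invalid/offer?id=00421",
]


def exact_checksum(body):
    """Razor-style exact checksum: any changed byte changes the value."""
    return hashlib.sha1(body.encode("utf-8")).hexdigest()


def fuzzy_checksum(body):
    """DCC-style idea, simplified: normalise before hashing so near-identical
    copies collapse to one value. (Not DCC's actual FUZ1/FUZ2 algorithms; a
    mail-merge that changes words, e.g. the recipient's name, still differs.)"""
    text = re.sub(r"<[^>]*>", "", body.lower())   # drop HTML tags
    text = re.sub(r"[^a-z]", "", text)            # drop digits, punctuation, whitespace
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


class Clearinghouse:
    """Server side: totals the number of recipients that reported each checksum."""

    def __init__(self):
        self.totals = Counter()

    def report(self, checksum, recipients=1):
        self.totals[checksum] += recipients
        return self.totals[checksum]


def client_decision(body, server, threshold, whitelisted=False):
    """Client side: a local whitelist wins outright; otherwise report the
    checksum and compare the total the server returns to the local threshold."""
    if whitelisted:
        return "accept"
    total = server.report(fuzzy_checksum(body))
    return "bulk" if total >= threshold else "accept"


def run_demo(threshold=3):
    """Feed the three variants through one clearinghouse; the third copy
    pushes the shared fuzzy checksum over the threshold."""
    server = Clearinghouse()
    return [client_decision(variant, server, threshold) for variant in SPAM_VARIANTS]
```

The threshold is a local policy choice: a low value catches bulk mail after few reports but also flags legitimate mailing lists, which is why the client consults its whitelist first.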
Distributed Checksum Clearinghouse (DCC) - Performance
[Figure: DCC performance statistics. Source: www.dcc-servers.net]
Greylisting
• Greylisting triplet
– IP address of the host attempting the delivery
– envelope sender address
– envelope recipient address
• Refuse delivery of mails with an unknown triplet (send a failure code to the originating server)
– Temporary failure, error code 451
– Triplet blocking expiration time is 1 hour
– Expiration time of the triplet record is 4 hours
• Store the new greylisting triplet
Ref: Evan Harris, The Next Step in the Spam Control War: Greylisting, Revised: 2003-08-21
Greylisting got its name because it is kind of a cross between black- and white-listing, with
mostly automatic maintenance. A key element of the Greylisting method is this automatic
maintenance.
The Greylisting method is very simple. It only looks at three pieces of information (which we will
refer to as a "triplet" from now on) about any particular mail delivery attempt:
• The IP address of the host attempting the delivery
• The envelope sender address
• The envelope recipient address
From this, we now have a unique triplet for identifying a mail "relationship". With this data, we
simply follow a basic rule, which is:
• If we have never seen this triplet before, then refuse this delivery and any others that may
come within a certain period of time with a temporary failure.
Since SMTP is considered an unreliable transport, the possibility of temporary failures is built
into the core spec (see RFC 821). As such, any well-behaved message transfer agent (MTA)
should attempt retries if given an appropriate temporary failure code for a delivery attempt
(see below for discussion of issues concerning non-conforming MTAs). Greylisting is said to
block 95% of spam!
Problems, to be discussed:
• Delay (temporary failure error code 451; triplet blocking expiration time is 1 hour;
expiration time of the triplet record is 4 hours)
• Mailers such as eBay change the sender address for each resend, so every retry looks like a
new triplet
• Spammers will introduce a simple queuing (retry) scheme
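An added example (not from the slides or from Harris's paper) of the greylisting rule with the slide's timings: an unknown triplet gets a 451 and is blocked for 1 hour, an unconfirmed triplet is forgotten after 4 hours, and a retry after the block window confirms the triplet so later mail passes at once. The 36-day lifetime for confirmed triplets is an assumed value not on the slide; timestamps are passed in as seconds so the behaviour can be traced without waiting. The last part of the test reproduces the eBay problem noted above: a sender address that changes on every retry never gets confirmed.

```python
# Values from the slide: 1 hour initial block, unconfirmed triplet kept 4 hours.
BLOCK_SECONDS = 3600
UNCONFIRMED_TTL = 4 * 3600
# Assumed value (not on the slide): how long a confirmed triplet stays whitelisted.
CONFIRMED_TTL = 36 * 24 * 3600


class Greylist:
    """Minimal greylisting policy keyed on (client IP, envelope sender, envelope recipient)."""

    def __init__(self, block=BLOCK_SECONDS, unconfirmed_ttl=UNCONFIRMED_TTL,
                 confirmed_ttl=CONFIRMED_TTL):
        self.block = block
        self.unconfirmed_ttl = unconfirmed_ttl
        self.confirmed_ttl = confirmed_ttl
        self.db = {}   # triplet -> {"first_seen", "last_seen", "confirmed"}

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply (code, text) for one delivery attempt at time `now`."""
        key = (client_ip, sender.lower(), recipient.lower())
        rec = self.db.get(key)
        if rec is not None:
            # unconfirmed records expire relative to the first attempt,
            # confirmed ones relative to the last successful delivery
            if rec["confirmed"]:
                expired = now - rec["last_seen"] > self.confirmed_ttl
            else:
                expired = now - rec["first_seen"] > self.unconfirmed_ttl
            if expired:
                rec = None                   # forgotten: treat as never seen
        if rec is None:
            self.db[key] = {"first_seen": now, "last_seen": now, "confirmed": False}
            return (451, "4.7.1 Greylisted, please try again later")
        if not rec["confirmed"]:
            if now - rec["first_seen"] < self.block:
                rec["last_seen"] = now       # retried too early: keep deferring
                return (451, "4.7.1 Greylisted, please try again later")
            rec["confirmed"] = True          # a real MTA retried after the block
        rec["last_seen"] = now
        return (250, "OK")
```

A spam engine that fires each message once and never retries is never delivered, and it costs the receiver nothing more than a database entry that expires after 4 hours; the price is a delay of at least one hour on the first mail of every new correspondent.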
Distributed Approach:
Cloudmark SpamNet http://www.cloudmark.com
• Freeware
• Spam blocked based on votes of users
(SpamNet community):
– Members report spam messages to SpamNet
– integrity of user-reported spam messages checked in Truth
Evaluation System (based on volume of spam reported, report
accuracy and relevance)
• March 17, 2003 (Oct 17, 2002):
– 315’021 (131’898) SpamFighters
– 14’417’098 (5’028’395) Emails processed today
– 3’305’893 (1’721’074) Spam caught today
Users who detect a spam message in their mailbox can submit a signature of this
mail to Cloudmark SpamNet. (The system generates a secure fingerprint or
signature of each message.) This unique, but indistinguishable, fingerprint can
now be securely shared with all the other SpamNet users to identify the same
spam message in their email. This system permits everyone to contribute to the
fight against spam and ensures that all email remains private.
To ensure that you never lose email, no messages are ever deleted or blocked. If a
message is identified as a known spam message, it is simply tagged as spam and
moved to your Spam box. This process allows you to verify that all the messages
in the Spam box are really spam.
The SpamNet system has been running smoothly for over a year. During that
time, thousands of users have endorsed the system's effectiveness by processing
millions of email a day through SpamNet. The proven system will immediately
cut your spam dramatically, but you can also choose to turn the spam checking
off at anytime. The Cloudmark SpamNet Outlook add-in won't interfere with
your email if you choose to discontinue using the service.
Data protection perspective
From April 2005, 80% of Swiss people will only accept e-mails from people they know.
Perhaps the spam problem is also a reason to deploy electronic signatures, in order to enable
different classes of mail. For example:
• Mails from authenticated senders go into a special mailbox
• Mails from unauthenticated senders that are not flagged as spam go into another mailbox
• Mails flagged as spam are possibly deleted directly