SPAM, SPAM, SPAM
Slide 1: SPAM, SPAM, SPAM, ...
Tuesday, 8 February 2005, Restaurant Gallusplatz, St. Gallen
Prof. Dr. P. Heinzmann, ITA-HSR / cnlab AG, Tiefenaustrasse 2, CH-8640 Rapperswil
e-mail: [email protected]  url: www.cnlab.ch
cnlab / HSR 2/21/2005

Notes: Alongside the World Wide Web (WWW), e-mail is currently the most important Internet application. For many people, however, the pleasure of communicating is spoiled by a flood of unwanted mail, so-called SPAM mail. In this session we look into the following SPAM questions:
- What really is SPAM?
- Why does everybody suddenly know my e-mail address?
- What do viruses and worms have to do with SPAM?
- How can I defend myself against SPAM?
The talk is meant to give participants a deeper understanding of e-mail and SPAM so that they can decide how to defend themselves against the SPAM flood in future.

References:
• Mike Spykerman, "Typical spam characteristics - How to effectively block spam and junk mail", White Paper, Red Earth Software.
• E-Mail Spamming countermeasures: http://ciac.llnl.gov/ciac/bulletins/i-005c.shtml
• Howto gegen Schweizer SPAM (how-to against Swiss SPAM): http://spam.trash.net/
• Michael Heuberger, "Spamming – Spamming the Internet", Hochschule Rapperswil, I-Seminar SS 2001, Release 25.4.2001.
• Matthias Rambold, "Wie wird SPAM bekämpft?" (How is SPAM fought?), Hochschule Rapperswil, I-Seminar WS 2001/02.
Slide 2: cnlab Information Technology Research AG and Hochschule für Technik Rapperswil (HSR)
www.cnlab.ch  ita.hsr.ch
cnlab AG:
• founded 1997
• HSR spin-off
• 10 employees
• Internet security
• performance testing
• special applications
ITA (HSR): part of the Fachhochschule Ostschweiz (University of Applied Sciences of Eastern Switzerland); 1,000 students, 6 departments (computer science, electrical engineering, civil engineering, mechanical engineering, urban planning, landscape architecture); competence centre for Internet technologies and applications.

Slide 3: Introduction: how do I reach my TourLive customers?

Slide 4: cnlab TourLive-Mobile System
• Position, speed and image information from moving objects
– athletes (cyclists/bikers, hikers, cross-country skiers, inline skaters, ...)
– personnel (Securitas)
– persons (children)
• Online tracking
– alerting in case of accidents
– event information system
• Offline tracking
– training data analysis
• An alternative way of taking photographs

Slide 5: Internet: the Net of Nets
(Diagram: hosts and domains such as pc4.cnlab.ch, cnlab.ch, sky.hsr.ch (152.96.129.3), hsr.ch, switch.ch, www.polizei.bayern.de, polizei.bayern.de, greenpeace.org and www.mci.com (199.249.19.231), mci.com, connected by routers; further example addresses 194.95.208.10 and 195.65.129.44.)
Notes: The Internet is a network of networks. The individual sub-networks, also called domains, receive a globally unique name (e.g. hsr.ch). Data is transmitted over the Internet in packets ("packet switching"). Each data packet contains the Internet Protocol (IP) address of the destination and of the sender, i.e. every computer reachable via the Internet must be assigned a (globally) unique IP address. You can display your own IP address in the DOS window ("command prompt") with the command ipconfig. The IP address under which you are known to a web server, for example, can be displayed at www.whatismyip.com. One part of the IP address (e.g. 195.65.129.0) designates the sub-network; the other part, or the whole address, identifies a particular computer in that sub-network (e.g. 195.65.129.44). A computer can be addressed by its domain name (e.g. www.mci.com) instead of its IP address (e.g. 199.249.19.231). The mapping of domain names to IP addresses is done by the Domain Name System (DNS). Further information on domain name assignment and on the holders of domains can be found at www.switch.ch.

Slide 6: Internet "Killer" Applications
• E-mail
• Web
• Search engines
2004: More than half of the Swiss population (51.2%) uses the Internet daily or several times a week. (www.wemf.ch)
Ref: Nick Hösli, Baromedia 2001, Ringier AG, www.webdo.ch
Notes: http://www.webdo.ch/downloads/baro2001_d.pdf ; http://www.wemf.ch/d/studien/manet.shtml
2004: 3.8 million people use the Internet. This corresponds to 66.7% of the population aged 14 and over. More than half of the Swiss population (51.2%) uses the Internet daily or several times a week.

Slide 7: Special search engines: e-mail harvesters (www.mailutilities.com)
• Phase 1: find web pages using search terms, follow further links
• Phase 2: search the web pages for e-mail addresses
Notes: http://www.contactplus.com/products/email/etour/hrvemail.htm ; http://www.5star-shareware.com/Internet/Email-Tools/perfectharvester.html
Feature list as advertised on these product pages: 330+ search engines from 36 countries; two HTML parsers (Microsoft parser and built-in parser); scripting technology to process found e-mails on the fly; very flexible plugin technology; flexible limiters of scanning range; command line mode to automate.

Slide 8: What is SPAM?

Slide 9: SPAM History
• 1937: Hormel & Co. introduced an economical pork loaf called SPAM (the government did not allow the company to call it ham)
– advertising campaign for "Spamwich" or "Spambled eggs"
• 1970: Monty Python's Flying Circus Viking sketch (SPAM)
• 1994: Laurence Canter and Martha Siegel made a newsgroup posting about a "Green Card Lottery"
– SPAM used for messages that flood newsgroups with irrelevant or inappropriate messages
• 2002: e-mail SPAM is becoming a significant Internet problem
Notes:
• 1937, US company Hormel, trademark: During the Great Depression, George A. Hormel's (1860-1946) company sold 1.5-pound cans of beef stew for only 15 cents, providing an affordable, filling, and nutritious meal for the families of unemployed workers. The beef stew and other "poor man's dishes" (including canned products such as corned beef and cabbage, spaghetti and meat balls, and chili con carne) were highly regarded in those lean years. "Encouraged by the success of its poor man's dishes, Hormel & Co. introduced an economical pork loaf in 1937. The canned meat ran into a major problem before it even got to market, however, when the U.S. government would not allow the company to call it ham, because it was made from pork shoulder instead of the hindquarters." http://www.roadsideamerica.com/attract/MNAUSspam.html The product was called SPAM instead of Ham (as an abbreviation for "Spiced Pork and Ham").
• November 1970: a Monty Python sketch about SPAM in a cafe. One table is occupied by a group of Vikings with horned helmets on. A man and his wife enter. Whenever they hear the word "Spam", everybody repeats and sings "Spam, Spam, ...". http://www.cs.berkeley.edu/~ddgarcia/spam.html#MontyPython
• April 13, 1994: a lawyer couple, Laurence Canter and Martha Siegel, used Usenet to send out an advertisement for their (overpriced) immigration help service.
They announced that people could win "Green Cards" by sending a postcard to the "Green Card lottery service", and at the same time advertised their (overpriced) services to immigrant communities. This started a big, endless discussion about advertising in Usenet newsgroups. http://www.wired.com/news/politics/0,1283,19098,00.html
• Around 2002, SPAM became a really important problem in e-mail communication.

Slide 10: Mail to cnlab, Dec 04 / Jan 05
(Chart: share of daily mail volume, days 1 to 27 on the x-axis, 0% to 80% on the y-axis; series: total mails, mails to valid addresses, without virus, not tagged by Spamassassin, not tagged by Brightmail.) Only about 10% of all mails are not (unwanted) bulk mails.

Slide 11: Types of SPAM
• SPAM
– unsolicited bulk mails that were sent by machine
• UBE (Unsolicited bulk e-mail)
• UCE (Unsolicited commercial e-mail)
– no (business) relationship between the sender and most of the recipients
• SPORN: SPAM with pornographic content
• SCAM: SPAM with fake/malicious/criminal content
– Nigeria ... info grabber (phishing)
(Pie chart, 2003 spam categories: Products 25%, Financial 20%, Adult 19%, Scams 9%, Health 7%, Internet 7%, Leisure 6%, Spiritual 4%, Other 3%. Source: www.spam-filter-review.toptenreviews.com/spam-statistics.html)
Notes: The 2003 statistics were derived from a number of different reputable sources including: Google, Brightmail, Jupiter Research, eMarketer, Gartner, MailShell, Harris Interactive, and Ferris Research.
• Worst of the Spam - Sporn - How well does the email filter support the blocking of sporn or spammed pornography? Does it allow you to block all pornography and/or adult themes? Does it allow you to view quarantined email without viewing any of the pornographic i?
• As much as 8% of all e-mail is pornographic in nature, what we at Spam Filter Review call "Sporn" or spammed pornography.
http://www.spam-filter-review.toptenreviews.com/spam-statistics.html

Slide 12: "419" Scam (Advance Fee Scam) http://www.joewein.de/sw/419scam.htm
• Nigeria or West African Scam
– "large sum of money sitting in a bank account"
– "making payments through you to us"
– at some point, the victim is asked to pay an "advance fee" of some sort up front
– http://home.rica.net/alphae/419coal/
• Fake Lottery Scam (Elgordo Lottery Madrid, Microsoft Email Lottery)
– "you have therefore been approved for a lump sum pay out of US$ 500,000.00"
– "To file for your claim, please contact ..."
• Ghana Gold Scam
– "prepared to provide quantities of up to 400 kilograms of 22.karat alluvial gold monthly"
– "offer the quantity of gold required to the Buyer [or their representative] upon their arrival here in Accra"
– "kindly contact me at the numbers listed above"
Notes: The so-called "419" scam (aka "Nigeria scam" or "West African" scam) is a type of fraud named after an article of the Nigerian legal code under which it is prosecuted. Most "normal" spam uses bogus sender addresses. For 419 spam, existing mailboxes at legitimate mail providers are used. When such mailboxes get cancelled for abuse, similarly named mailboxes are often created at the same provider. Most 419 scams originate from about a dozen freemailer domains (netscape.net, yahoo.com/yahoo.*, tiscali.co.uk, libero.it, telstra.com, bigpond.com, indiatimes.com, 123.com (Chile), zwallet.com, fsmail.net, hotmail.com, etc., see addresses by domain). A small minority uses throw-away domains registered via MSN (see example), Rediffmail, XO/Concentric, Yahoo/Geocities or other webhosters (ns.signon-africa1.net) as the sender instead of a freemailer service, particularly for fake companies and fake banks (e.g. firstcapitalft.com). http://home.rica.net/alphae/419coal/ http://www.joewein.de/sw/419scam.htm

Slide 13: Info Grabber: Cheap Rolex?
Notes: Bait offers for Rolex watches, Windows software, competitions, ... A fake order with a wrong MasterCard number and a junk e-mail address was submitted on 17 Nov 2004:
• no encryption
• the wrong credit card number was not detected
• no e-mail confirmation of the order
... the purpose is probably just to collect credit card and personal information. http://www.onlinereplicastore.com/checkout.php

Slide 14: Phishing
(Diagram: 1. spoof e-mail (spam); 2. camouflaged hyperlink; 3. spoofed web site with fake pop-up, set against the real site.)
<A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A>
Ref. Gartner Group, Cannes 2004
Notes: Phishing is a spam-based scam that has grown in popularity. Phishing is not a "cyberattack," such as propagating malicious code. It is a social-engineering attack, in which attackers (or "phishers") trick users into doing something that will harm them or their companies. The phisher sends an e-mail message that looks like it comes from a legitimate source, for example an online merchant. In many cases, the message states that there is a problem with the user's account and requests that the user confirm the merchant's information by entering sensitive account information (such as a credit card number, address, user name and password) into the phisher's Web site, which resembles the merchant's site. Using this information, the phisher can steal access to the account or perpetrate identity fraud. In addition, phishing could provide attackers with access to an organization's internal systems, but it is used for identity theft in most cases.

Slide 15: SPAM cost calculator
Find out how spam affects the finances and productivity of your company. Fill in fields 1-5 with the corresponding figures and click 'Calculate spam costs'. This calculation is only an estimate and does not include costs arising from wasted storage space, bandwidth and IT staff.
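The camouflaged hyperlink on the phishing slide can be caught mechanically: the visible link text names one host, the HREF another. The checker below is an added example written for this transcript, not code from the talk or from the Gartner reference; the sample message body is constructed, and its host names (www.yourbank.com, www.stealmyinfo.com) are the slide's own placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a host name or URL, e.g. "www.yourbank.com/myaccount".
ADDRESS_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def host_of(url):
    """Lower-case host part of a URL or bare host string, or None.

    Phishing mail often writes links without a scheme (HREF=www.stealmyinfo.com),
    so a missing scheme is tolerated instead of treated as a relative path.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def looks_like_address(text):
    return ADDRESS_RE.fullmatch(text.strip()) is not None


class CamouflagedLinkFinder(HTMLParser):
    """Collect <a> elements whose visible text names a different host than the HREF."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.findings = []  # list of (href, visible text)

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # html.parser lower-cases tag and attribute names
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            if looks_like_address(text) and host_of(text) != host_of(self._href):
                self.findings.append((self._href, text))
            self._href = None


def find_camouflaged_links(html):
    parser = CamouflagedLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample body: the first anchor is the slide's example, the second
# is an honest link whose text and target agree, the third has non-URL text.
SAMPLE_HTML = """
<p>Please confirm your account details:</p>
<A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A>
<a href="https://www.yourbank.com/help">www.yourbank.com/help</a>
<a href="https://www.yourbank.com/help">click here</a>
"""

if __name__ == "__main__":
    for href, text in find_camouflaged_links(SAMPLE_HTML):
        print(f"camouflaged link: text {text!r} points at host {host_of(href)!r}")
```

The check compares full host names, so a text of yourbank.com against an HREF of www.yourbank.com is also reported; a production filter would compare registrable domains instead.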
Source of the calculator: http://www.open.ch/de/services/spamcalc.html
Notes: Spamming causes costs, and for the most part the spammer does not pay them:
• downloading the messages
• unnecessary use of disk space
• unnecessary traffic on network resources
• SPAM to wrong addresses: the error messages come back to the ISP
• when spammers abuse other people's mail servers for their purposes, whole servers can be brought down
Estimated costs worldwide: 10 billion euros

Slide 16: How do I find SPAM and spammers? (Spam defence)

Slide 17: Mail Format (RFC 822 standard text message format)
• SMTP envelope (written by servers)
– MAIL FROM:
– RCPT TO:
• DATA
– header lines: To:, From:, Subject:, ...
– blank line
– body: the "message", ASCII characters only
Notes: With a normal e-mail client the header information is handed from the client program to the SMTP process. That is, when a normal e-mail is sent, the addresses entered in the "To:" and "CC:" fields of the sender's mail program are not only used to generate these two header lines but are also placed on the envelope during the SMTP dialogue as "RCPT TO:" and "MAIL FROM:". The envelope contains the information relevant to delivering an e-mail, which is interpreted mainly by the mail servers. The client is usually not interested in the envelope information; sometimes, however, certain data from the envelope is copied into the header.
Source: http://sites.inka.de/ancalagon/faq/headerfaq.php3#Section_2.1

Slide 18: E-mail sending, forwarding and receiving (SMTP = Simple Mail Transfer Protocol, POP = Post Office Protocol)
(Diagram: the mail client of [email protected] on host 1 in aaa.com hands the mail to its send server; the mail crosses the Internet via several routers to the receive server of bbb.ch, whose send server delivers it to host 1 of [email protected].)

Slide 19: Example header
Return-Path: <[email protected]>
Received: from mx3.gmx.example ([email protected] [195.63.104.129]) by ancalagon.rhein-neckar.de (8.8.5/8.8.5) with SMTP id SAA25291 for <[email protected]>; Thu, 16 Sep 1998 17:36:20 +0200 (MET DST)
Received: (qmail 1935 invoked by alias); 16 Sep 1998 15:36:06 -0000
Delivered-To: GMX delivery to [email protected]
Received: (qmail 27698 invoked by uid 0); 16 Sep 1998 15:36:02 -0000
Received: from pbox.rz.rwth-aachen.example (137.226.144.252) by mx3.gmx.example with SMTP; 16 Sep 1998 15:36:02 -0000
Received: from post.rwth-aachen..example (slip-vertech.dialup.RWTH-Aachen.EXAMPLE [134.130.73.8]) by pbox.rz.rwth-aachen.example (8.9.1/8.9.0) with ESMTP id RAA28830 for <[email protected]>; Wed, 16 Sep 1998 17:35:59 +0200
Message-ID: <[email protected]>
Date: Wed, 16 Sep 1998 17:33:35 +0200
From: Heinz-Gustav Hinz <[email protected]>
Organization: RWTH Aachen
X-Mailer: Mozilla 4.05 [de] (Win95; I)
To: Karl-Heinz Schmitt <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: Hallo Nachbar!
References: <[email protected]>
Reply-To: [email protected]
X-Resent-By: Global Message Exchange <[email protected]>
X-Resent-For: [email protected]
X-Resent-To: [email protected]
Notes:
• The Return-Path line, if present, should be at the very beginning of the e-mail. It contains the envelope-from (i.e. the sender information from the SMTP envelope). With SMTP, however, this can be specified arbitrarily.
• The "real" delivery records are the "Received:" header lines, which each mail server prepends before forwarding an e-mail.
• The topmost "Received:" line was generated by your own mail server (or that of your provider). A "Received:" line always states who received the mail from whom.
• Depending on the mail server used, certain Received lines can look very unusual (cf. "Received: (qmail ...)" and "Delivered-To: GMX ...", which are a peculiarity of the GMX mailer).
• The Message-ID is a unique identifier of the e-mail (comparable to a serial number). It should consist of a distinctive string before the "@" (usually date and user ID in encoded form) and a host name after the "@". The Message-ID is often generated by the sender's mail program; otherwise most mail servers add it if it is missing.
• All header lines beginning with "X-" are not standardised and can be inserted arbitrarily by various programs (or by users).

Slide 20: Example: mail header additions by the involved (SMTP) servers
• Each SMTP engine adds its domain name (with IP address) and a "time stamp" to the mail header
sky.hsr.ch (SMTP/POP server):
Received: from mail.iprolink.ch (titan.iprolink.ch [194.41.63.57]) by sky.hsr.ch (8.8.6/8.8.6) with ESMTP id UAA06615 for <[email protected]>; Wed, 5 Feb 2003 20:04:55 +0100 (CET)
mail.iprolink.ch (SMTP server):
Received: from tslzgp157.iprolink.ch (tslzgp157.iprolink.ch [194.158.5.157]) by mail.iprolink.ch (ipl/ipl) with ESMTP id UAA46506 for <[email protected]>; Wed, 5 Feb 2003 20:04:21 +0100 (CET)
tslzgp157.iprolink.ch (mail client/SMTP):
Received: by tslzgp157.iprolink.ch with Microsoft Mail id <[email protected]>; Wed, 5 Feb 2003 20:01:39 +0100 (CET)
Notes: Mail from user [email protected] to [email protected]. These "stamps" are placed on the envelope of the mail by each SMTP server.
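How a filter walks a Received: chain like the one just shown, bottom hop first, and checks each relay's address against a DNS blocklist of the MAPS or SURBL kind listed later on slide 23: an added example written for this transcript, not the talk's or SpamAssassin's code. The sample message is constructed after the sky.hsr.ch stamps with one extra forged hop at the bottom; the bl.example zone, the fake resolver, the 203.0.113.77 address and the rule weights are all assumptions.

```python
import email
import ipaddress
import re

# Pieces of a sendmail-style "Received: from <helo> (<rdns> [<ip>]) by <host> ..." stamp.
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[\d")

# Hops from these networks are internal and are not looked up (RFC 1918 and loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed rule weights in SpamAssassin style; they are not SpamAssassin's real scores.
WEIGHTS = {"NUMERIC_HELO": 1.5, "HELO_RDNS_MISMATCH": 2.0, "RCVD_IN_DNSBL": 4.0}
TAG_THRESHOLD = 5.0  # SpamAssassin's default required_score


def parse_received(value):
    """Split one Received: value into the hop it records. Returns None for local
    hand-offs such as "(qmail 1935 invoked by alias)" that name no client."""
    m_from, m_by = FROM_RE.match(value), BY_RE.search(value)
    if not (m_from and m_by):
        return None
    m_ip, m_rdns = IP_RE.search(value), RDNS_RE.search(value)
    return {
        "helo": m_from.group(1).strip("[]"),          # name the client announced
        "rdns": m_rdns.group(1) if m_rdns else None,  # reverse lookup done by the receiver
        "ip": m_ip.group(1) if m_ip else None,        # address the receiver actually saw
        "by": m_by.group(1),
    }


def hops(raw_message):
    """Hops in transmission order (origin first). Every MTA prepends its own
    stamp, so the header order has to be reversed."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    return [h for h in (parse_received(v) for v in reversed(received)) if h]


def dnsbl_name(ip, zone):
    """Query name for a DNS blocklist: IP octets reversed, list zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def domain(host):
    """Last two labels: enough to compare titan.iprolink.ch with mail.iprolink.ch."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def analyse(raw_message, zones, resolve):
    """Run the header checks over every hop. resolve(name) returns the A record
    as a string or None; it is injected so the check can run offline."""
    hits = []
    for n, hop in enumerate(hops(raw_message)):
        if is_ip_literal(hop["helo"]):
            hits.append((n, "NUMERIC_HELO", hop["helo"]))
        elif hop["rdns"] and domain(hop["helo"]) != domain(hop["rdns"]):
            hits.append((n, "HELO_RDNS_MISMATCH", f'{hop["helo"]} vs {hop["rdns"]}'))
        if hop["ip"] and not any(ipaddress.ip_address(hop["ip"]) in net for net in INTERNAL):
            for zone in zones:
                if resolve(dnsbl_name(hop["ip"], zone)):  # any 127.0.0.x answer means listed
                    hits.append((n, "RCVD_IN_DNSBL", f'{hop["ip"]} listed in {zone}'))
    score = sum(WEIGHTS[rule] for _, rule, _ in hits)
    return hits, score, score >= TAG_THRESHOLD


# Constructed sample modelled on the slide's sky.hsr.ch headers, plus a bottom
# hop whose client announced a bare IP literal as its HELO name.
SAMPLE = """\
Received: from mail.iprolink.ch (titan.iprolink.ch [194.41.63.57])
\tby sky.hsr.ch (8.8.6/8.8.6) with ESMTP id UAA06615
\tfor <recipient@hsr.example>; Wed, 5 Feb 2003 20:04:55 +0100 (CET)
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mail.iprolink.ch (ipl/ipl) with ESMTP id UAA46506
\tfor <recipient@hsr.example>; Wed, 5 Feb 2003 20:04:21 +0100 (CET)
From: someone@example.net
To: recipient@hsr.example
Subject: constructed sample

hello
"""

# Constructed blocklist zone: only the forged bottom hop's address is listed.
FAKE_ZONE = {dnsbl_name("203.0.113.77", "bl.example"): "127.0.0.2"}


def fake_resolve(name):
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    hits, score, tagged = analyse(SAMPLE, ["bl.example"], fake_resolve)
    for hop_no, rule, detail in hits:
        print(f"hop {hop_no}: {rule} ({detail})")
    print(f"score {score:.2f}: {'SPAM' if tagged else 'ham'}")
```

For live lookups, replace fake_resolve with a resolver that returns None on NXDOMAIN; only the hops below your own server's stamp are worth trusting, as the notes above explain.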
The SMTP/ESMTP IDs and the time stamps in these stamps have local significance only (i.e. each is just the local queue ID and local time of the corresponding server). [see also http://www.stopspam.org/email/headers/headers.html]

Slide 21: SPAM detection and filtering

Slide 22: Technical SPAM countermeasures
• Accept mail from local clients only (no relaying)
• Client authentication
• Delay mass mails (tarpit, "Teergrube")
• Blacklists (do not accept certain senders) / whitelists
• Make sure the sender exists (SPF, greylisting)
• Filtering (header, content, mail signature)
(Diagram: a spammer on the Internet, routers, and a blacklist of sender addresses such as 230.60.6.6, 152.96.123.11, 80.123.122.5, ... consulted by the receive server.)
Notes:
Avoid e-mail grabbing
• identify and abort dictionary attacks
• identify and abort address-harvesting attacks (e-mail tag handling)
Boundary defence
• "non-accept" a message (simply decline to accept it, rather than receiving it at all)
• disable relaying, verify (VRFY) and expand (EXPN)
Header analysis (reading e-mail headers, by www.stopspam.org: http://www.stopspam.org/email/headers/headers.html)
• validity of the sender (using "reverse lookup")
• consistency between the sender and the From fields
• tactics used by known spammers that are highly unlikely to be found in normal messages
Content analysis
• a set of rules to search for known spammer tactics
• a set of rules to search for known chain letters, hoaxes and urban legends
• the ability to look for words and phrases in a targeted "word list" (for example, porn, financial services)
• the ability to do contextual analysis
• the ability to "tune" the product for the environment
Sensing or reporting
• put e-mail accounts in all the places spammers love to harvest addresses (SPAM honeypot, decoy addresses)
• create consortia or user groups to develop and share anti-spam rules
Blacklists and whitelists
• create a blacklist of servers (and networks) which support spamming
• create a whitelist of servers (and networks) whose e-mail is always accepted, no matter what the content is
• URL blacklist

Slide 23: Mail Abuse Prevention System (MAPS)
• MAPS RBL (Realtime Blackhole List): first list of IP addresses of known sources of unsolicited commercial and bulk email (established in 1996)
• MAPS DUL (Dynamic User List): list of IP addresses that should not be running mail servers
• MAPS RSS (Relay Spam Stopper): list of IP addresses of known insecure ("open relay") mail servers
• MAPS OPS (Open Proxy Stopper): list of IPs that have been used, as an open proxy, to transmit spam
• MAPS NML (Non-confirming Mailing List): list of IP addresses that have been demonstrated to be the sources of mailing lists which do not fully verify the email addresses on their list
• Spam URI Realtime Blocklists (SURBL): http://www.surbl.org
• ... MAPS was purchased by Kelkea, Inc. on July 1, 2004
Notes: The MAPS RBL is a list of hosts and networks that allow spam to originate on their system. Vendors of spam-filtering services or software develop blacklists by compiling possible spam addresses and domains through e-mail accounts in different markets. The vendor decides whether the suspect e-mail constitutes spam and whether the address or domain should go on its blacklist. On July 1, 2004, Kelkea, Inc. purchased the assets of Mail Abuse Prevention Systems, LLC. The MAPS subscription services are now offered as part of the Kelkea Antispam Service.
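Greylisting, listed on slide 22 as a way of making sure the sending server really exists and evaluated at the University of Neuchâtel later in the talk, reduced to its core policy: an added example written for this transcript, not the UniNE or any product implementation. The timings (300 s delay, 4 h retry window, 36-day auto-whitelist), the /24 keying and the simulated senders are assumptions.

```python
import ipaddress


class Greylist:
    """Minimal greylisting policy. A first delivery attempt for an unknown
    (client network, envelope sender, envelope recipient) triplet is answered
    with a temporary 4xx failure. A real MTA keeps the mail in its queue and
    retries; spam engines that fire and forget never come back."""

    def __init__(self, delay=300, retry_window=4 * 3600, pass_ttl=36 * 24 * 3600):
        self.delay = delay                # seconds a triplet must wait before a retry passes
        self.retry_window = retry_window  # forget a triplet that is not retried within this
        self.pass_ttl = pass_ttl          # auto-whitelist lifetime after a successful retry
        self.pending = {}                 # triplet -> time first seen
        self.passed = {}                  # triplet -> time last accepted

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # Key on the /24 so a mail farm that retries from a sibling host still passes.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """SMTP reply the MTA should give at RCPT TO time."""
        key = self.triplet(client_ip, mail_from, rcpt_to)
        self._expire(now)
        if key in self.passed:
            self.passed[key] = now  # refresh the auto-whitelist entry
            return "250 OK"
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now
            return "451 4.7.1 Greylisted, please try again later"
        if now - first_seen < self.delay:
            return "451 4.7.1 Greylisted, please try again later"  # retried too early
        del self.pending[key]
        self.passed[key] = now
        return "250 OK"

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.retry_window}
        self.passed = {k: t for k, t in self.passed.items() if now - t < self.pass_ttl}


def simulate():
    """Constructed scenario: a real MTA retries after 10 minutes (from a sibling
    host of the same /24), a spam engine never retries, and a retry inside the
    delay is still deferred. Returns the replies in order."""
    g = Greylist()
    t0 = 1_000_000
    return [
        g.decide("192.0.2.10", "alice@example.net", "bob@hsr.example", t0),          # new: deferred
        g.decide("192.0.2.10", "alice@example.net", "bob@hsr.example", t0 + 60),     # too early
        g.decide("192.0.2.11", "alice@example.net", "bob@hsr.example", t0 + 600),    # sibling host, passes
        g.decide("192.0.2.10", "alice@example.net", "bob@hsr.example", t0 + 86400),  # whitelisted now
        g.decide("198.51.100.5", "spam@example.org", "bob@hsr.example", t0),         # never retried
    ]


if __name__ == "__main__":
    for reply in simulate():
        print(reply)
```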
Slide 24: Basic E-Mail Setup
(Diagram: mail arrives over SMTP from the Internet at the external mail server, which runs SPAM-Filter_1 and VirusScan_1, consults blacklists, rejects unknown recipients ("User Unknown") and deletes (trashes) rejected mail; it forwards over SMTP to the internal mail server, which runs SPAM-Filter_2 and VirusScan_2, quarantines suspect mail and tags the rest; the mail client fetches over POP/IMAP and runs SPAM-Filter_3 and VirusScan_3; user feedback flows back to the filters.)

Slide 25: SpamAssassin rule scores
Rules hit in the example: AB_URI_RBL; Bayesian spam probability is 99 to 100%; Forged hotmail.com 'Received:' header found; From: contains numbers mixed in with letters; Reply To: contains numbers mixed in with letters; OB_URI_RBL; Razor2 gives confidence between 51 and 100; Listed in Razor2 (http://razor.sf.net/); Bulk email fingerprint (double IP) found; Sent via a relay in ipwhois.rfc-ignorant.org; Received: contains a numeric HELO; SPAMCOP_URI_RBL; WS_URI_RBL.
Scores as listed on the slide: 5.00, 5.40, 0.50, 0.26, 3.25, 4.00, 1.10, 1.05, 1.86, 0.10, 1.50, 3.00, 3.00. Total: 30.02.
Example from http://demo.mailcleaner.net/index.php

Slide 26: Example: Greylisting at UniNE
(Chart: incoming mail vs. spam during the last 12 months; greylisting since the beginning of August 2004.)
Notes: Anti-SPAM methods and their efficiency as used at the University of Neuchâtel: 75% fewer incoming mails since greylisting (new since 8.2004) was introduced. The remaining SPAMs are tagged as follows:
• 50% Spam Lookup Service (SLS/RBL/MAPS)
• 50% URI Realtime Blocklists (www.SURBL.org)
• 20% attachment blocking (.ade .adp .bas .bat .chm .cmd .com .cpl .crt .exe .hlp .hta .inf .ins .isp .js .jse .lnk .mdb .mde .msc .msi .msp .mst .pcd .pif .reg .scr .sct .shb .shs .url .vb .vbe .vbs .wsc .wsf .wsh .zip)
• 20% heuristic filter
• 1% SPF
• 0.2% Bayesian filter
Further methods:
• hoax blocking (keyword based)
• automatic whitelist

Slide 27: Fastnet Mailcleaner
• The Mailcleaner Viruswall uses the following guidelines to detect massive attacks:
– simultaneous number of connections by sender's IP address
– server blacklist
– regular expression filters
– refused recipient lists
– eTrust Antivirus (Computer Associates)
http://demo.mailcleaner.net/index.php
Notes: The Mailcleaner "Enterprise Solution" is composed of modules.
Which (and how many) modules to install depends on the daily e-mail volume that your mail servers process. The Basic Version consists of a single machine that manages all of Mailcleaner's operations, including the incoming queue, filtering, quarantining, and the management interface. This version is sufficient for a daily volume of roughly 50,000 messages. With daily traffic above 50,000 messages, the Advanced Version is ideal. This version uses multiple servers working in parallel. It may have one or more Entry Point servers, which queue incoming messages and then distribute them evenly over the Filtering Servers. The Management Server hosts the control database and the web-based management interface.
Anti-spam: Mailcleaner uses a number of complementary techniques to distinguish spam from legitimate mail. Using artificial intelligence algorithms and daily updates, Mailcleaner adapts to identify the ever-changing techniques of spammers.
Anti-virus: Mailcleaner scans all incoming mail for viruses, worms, and suspicious attachments that may hide malicious scripts.
Web-based user interface: Mailcleaner offers each user a simple way to review quarantine lists, change preferences, and consolidate reports for users who have more than one e-mail address.
http://www.mailcleaner.net/docs/spec_en.html
Pricing (regular price) per month:
• License for 1...100 mailboxes: 500.- EUR; you will need 1 server to handle 500 messages daily.
• License for 500 mailboxes: 2400.- EUR
• License for 1000 mailboxes: 4800.- EUR; you will need 1 server to handle 50,000 messages daily.
• License for 10,000 mailboxes: 32,530.- EUR; you will need 10 servers to handle 500,000 messages daily.
VAT and hardware excluded.

Slide 28: How do I become a millionaire?
Slide 29: Register Of Known Spam Operations (ROKSO) http://www.spamhaus.org/rokso/index.lasso
• 200 known "spam operations" (500-600 professional spammers) responsible for 90% of your spam
– operate 'offshore' using servers in Asia and South America
• spammer
– listed in ROKSO if terminated by a minimum of 3 consecutive ISPs for AUP violations
– the spammer's IP addresses are automatically sent to the Spamhaus Block List
• ROKSO assists
– ISP abuse desks
– law enforcement agencies (with a special version containing sensitive information)
Notes:
• The Register Of Known Spam Operations (ROKSO) database collates information and evidence on the known spammers and spam gangs, to assist ISP Abuse Desks and Law Enforcement Agencies.
• 90% of spam received by Internet users in North America and Europe can be traced via redirects, hosting locations of web sites, domains and aliases, to a hard-core group of around 200 known spam operations. These spam operations consist of an estimated 500-600 professional spammers loosely grouped into gangs ("spam gangs"), the vast majority of whom are operating illegally.
• Many of these spam operations pretend to operate 'offshore' using servers in Asia and South America to disguise the origin. Those who don't pretend to be 'offshore' pretend to be small ISPs themselves, claiming to their providers the spam is being sent not by them but by their non-existent 'customers'. Some set up as fake networks, pirate or fraudulently obtain large IP allocations from ARIN/RIPE and use routing tricks to simulate a network, fooling real ISPs into supplying them connectivity. When caught, almost all use the age old tactic of lying to each ISP long enough to buy a few weeks more of spamming and when terminated simply move on to the next ISP already set up and waiting.
• ROKSO is a "3 Strikes" register: To be listed in ROKSO a spammer must first be terminated by a minimum of 3 consecutive ISPs for Acceptable Use Policy (AUP) violations.
IP addresses under the control of ROKSO-listed spammers are automatically and preemptively listed in the Spamhaus Block List (SBL).
• For Law Enforcement Agencies there is a special version of this ROKSO database which gives access to records with information, logs and evidence too sensitive to publish here. http://www.spamhaus.org/rokso/index.lasso

Slide 30: Creative Marketing Zone: Alan Ralsky (SPAM King)
• Aliases: Jeff Kramer, Additional Benefits, Creative Marketing Zone Inc, Sam Smith, William Window, ...
• 1997: a couple of mailing lists, making $6,000 a week
• 2001: Creative Marketing Zone, Inc., Nevada
• 2002: 250 million valid addresses
– 0.25% response rate
– 0.75% of mails opened (hidden notification code)
– 89 million people have opted out (between 1997 and 2002)
– up to $22,000 for a single mailing to the entire database
– stealth spam (Romanian program): detect computers that are online and then flash them a pop-up ad
• 2004: hundreds of domains: aboutchpecha.com, ...
Notes: Some statements by Alan Ralsky (Mike Wendland: Spam king lives large off others' e-mail troubles, November 22, 2002, http://www.freep.com/money/tech/mwend22_20021122.htm and http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky):
• "I've gone overseas," he said. "I now send most of my mail from other countries. And that's a shame. I pay a fortune to providers to do this, and I'd much rather have it go to American companies. But I have to stay in business, and if I have to go out of the country, then so be it."
• The computers in Ralsky's basement control 190 e-mail servers -- 110 located in Southfield, 50 in Dallas and 30 more in Canada, China, Russia and India. Each computer, he said, is capable of sending out 650,000 messages every hour -- more than a billion a day -- routed through overseas Internet companies Ralsky said are eager to sell him bandwidth.
• "I'll never quit," said the 57-year-old master of spam. "I like what I do. This is the greatest business in the world." It's made him a millionaire, he said, seated in the wood-paneled first floor library of his new house. "In fact," he added, "this wing was probably paid for by an e-mail I sent out for a couple of years promoting a weight-loss plan."
• In 1997 he bought a couple of mailing lists from advertising brokers and, with the help of the computers, launched a new career that soon was making him $6,000 a week.
• Ralsky said he includes a link on each e-mail he sends that lets the recipient opt out of any future mailings. He said 89 million people have done just that over the past five years, and he keeps a list of them that grows by about 1,000 every day. That list is constantly run against his master list of 250 million valid addresses.
• The response rate is the key to the whole operation, said Ralsky. These days, it's about one-quarter of 1 percent.
• Ralsky makes his money by charging the companies that hire him to send bulk e-mail a commission on sales. He sometimes charges just a flat fee, up to $22,000, for a single mailing to his entire database.
• Ralsky has other ways to monitor the success of his campaigns. Buried in every e-mail he sends is a hidden code that sends back a message every time the e-mail is opened. About three-quarters of 1 percent of all the messages are opened by their recipients, he said. The rest are deleted.
• Ralsky, meanwhile, is looking at new technology. Recently he's been talking to two computer programmers in Romania who have developed what could be called stealth spam. It is intricate computer software, said Ralsky, that can detect computers that are online and then be programmed to flash them a pop-up ad, much like the kind that display whenever a particular Web site is opened. "This is even better," he said. "You don't have to be on a Web site at all. You can just have your computer on, connected to the Internet, reading e-mail or just idling and, bam, this program detects your presence and up pops the message on your screen, past firewalls, past anti-spam programs, past anything."

Slide 31: Botnet Providing
• networks of zombie PCs used
– as anonymous relays for spam
– to launch denial of service attacks on websites
– to steal confidential information about a PC's owner
• More than 30,000 PCs per day are being taken over to spread spam and viruses (the bot nets' peak of new recruits was 75,000 in one day)
• 4,496 Windows viruses were detected in the first six months of 2004
• October 5, 2004: Spy Act
Notes: The 75,000 new recruits per day peak in 2004 is due to a "battle" between the MyDoom and Bagle virus teams. On October 5, 2004, the U.S. House of Representatives passed a bill to criminalize the act of altering PC configurations (Spy Act), taking control of a PC and downloading software onto it without the owner's consent: By a 399-1 vote, House members approved legislation prohibiting "taking control" of a computer, surreptitiously modifying a Web browser's home page, or disabling antivirus software without proper authorization. The Spy Act would also create a complicated set of rules governing software capable of transmitting information across the Internet. It would give the Federal Trade Commission authority to police violations of the law and to levy fines of up to $3 million in the most pernicious cases.

Slide 32: Beagle_J Mass Mailing Worm
(Diagram: attachment; SMTP / HTTP; file system; backdoor.)
Notes:
• Beagle_J is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email.
• Sends the attacker the port on which the backdoor listens, as well as the IP address.
• Attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.
Slide 33: Example: botnet use
• 21.02.2004: the c't editorial staff was able to buy IP addresses of infected computers from virus distributors
• Virus "Randex"[1]:
– Trojan installed on thousands of computers
– receives commands such as
• searching for CD keys of games,
• launching SYN flood attacks[2] from the infected system,
• or silently downloading further software (for example, it also installed a SOCKS[3] proxy server which was used to relay spam via the infected PCs)
Notes: "Ferngesteuerte Spam-Armeen, Nachgewiesen: Virenschreiber liefern Spam-Infrastruktur" (Remote-controlled spam armies. Proven: virus writers supply spam infrastructure), c't 5/04, p. 18
URL of this article: http://www.heise.de/newsticker/meldung/44869
Links in this article:
[1] http://vil.nai.com/vil/content/v_100401.htm
[2] http://www.heise.de/security/artikel/43066
[3] http://www.socks.permeo.com/TechnicalResources/ProtocolDocuments.asp
[4] http://www.heise.de/newsticker/meldung/44849
[5] http://www.ctmagazin.de
[6] http://www.heise.de/english/newsticker/news/44879
[7] http://www.groklaw.net/article.php?story=20040221051056136

Slide 34: So what?

Slide 35:
• careful handling of your own e-mail address
• do not run programs from strangers
• use central SPAM filter services
• use local SPAM filter services
• ...

Slide 36: ... do not let e-mail harvester search engines in