1. 1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University of California, San Diego Introduction

2. 2 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Motivation We all know spam is a blight on the Internet – Billions of spam messages sent everyday – Millions of PCs have been harvested, sold and employed to send spam Many existing anti-spam techniques: Why another one? – Existing solutions are complex and/or don’t impose a burden on spammers – There are billions of messages still being sent by many bots Occam is an email authentication protocol that is: – Simple to deploy and administer – Forces senders to expose online resources – Designed to decrease the utility of spam bots Introduction

3. 3 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Occam’s Goals Mail authentication aims to verify that the purported sender is the actual sender Eliminates the ability to spoof a domain in an email message We have studied authentication from the simplest angle possible: – Asking the sender. For this reason, we refer to the protocol as the Occam protocol Occam’s Razor

4. 4 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor The Occam Protocol Servers can keep logs for some time after they have been contacted in case of a failure on the other end If a receiver does not get a response immediately, they can back off and rate limit, continuing to try to contact the server until a timeout The Occam Protocol

5. 5 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Advantages Ease of Administration – DKIM and SPF require administrators to insert keys into DNS – Easy for knowledgeable admins, hard for many small domain owners – Occam is just a software upgrade Slicing Spam

6. 6 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Advantages Enhanced culpability – Occam authenticates the sender of a message much like SPF and DKIM – However, DKIM requires an expensive cryptographic operation on the receiving side Occam forces the burden of authentication onto the sender of the message – A spammer can easily insert a SPF rule that allows all IP addresses to send email Occam makes it harder to use a botnet to send spam Slicing Spam

7. 7 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Advantages Real-time Validation – SPF and DKIM allow for caching of authentication data – Result is that senders need not be online while being authenticated – Occam requires that the authentication “work” be performed online and in a timely fashion – The spammer is forced to expose higher value, online resources, which can then be blacklisted Slicing Spam

8. 8 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Advantages Anti-phishing Capabilities – An unexpected side-effect of Occam is that if any spammer tries to spoof a domain, the actual server has a method to determine who was being phished – The ability to notify customers being phished or take other actions can be a boon to popular phishing targets Slicing Spam

9. 9 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor The Spammer Response Put the bots to work – Spammers could try to use their bots to respond to the Occam protocol, but… – Occam uses MX record, meaning bots Must have existing domain name with a MX record Or be assigned a domain name or sub-domain – Bots must also be able to respond to incoming queries on low ports Result: – Bots (and possibly botnet structure) are exposed, leading to blacklisting – Occam ensures using bots to send spam is difficult Slicing Spam

10. 10 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor The Spammer Response Centralization – Spammers could try to centralize the Occam reply, rather than distributing load – Spammers must keep track of Message-Ids and To fields – Need a server that can handle millions of queries – Exposes this higher value server to blacklisting – Spam campaign can be derailed if only one domain was used Slicing Spam

11. 11 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor The Spammer Response Using Occam as a DDoS Reflector – Internet malcreants could use Occam to cause other domains to surreptiously DoS a server. – However, Occam does not enable DDoS amplification – Indeed, the Occam protocol is a low-overhead protocol, meaning other DDoS methods would be significantly more effective and attractive Slicing Spam

12. 12 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Disadvantages Mobile Mailers – Some users send mail from hosts intermittently connected to the Internet and allow other servers to handle incoming mail – Occam would effectively end this practice. – However, we believe this flexibility in SMTP is abused more by spammers than used by legitimate mailers Slicing Spam

13. 13 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Implementation We have developed a prototype implementation integrated with Sendmail. Initial testing shows similar overhead to SPF (effectively very little) Larger sites would roll their own solution – Naive solution: Centralize logging systems – A better solution: Use the domain name of the sending server in the Occam header. – Allow the sending servers to respond to queries. – No centralization needed. Implementation

14. 14 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Questions and Answers Conclusion