We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byGabriel Larsen
Modified over 3 years ago
© Copyright 2003 – Chesapeake NetCraftsmen, LLC SPAM Joe Roundy Senior Security Consultant
© Copyright 2005– Chesapeake NetCraftsmen About the Presenter Joe Roundy Senior Security Consultant Chesapeake NetCraftsmen, LLC CISSP #4848
© Copyright 2005– Chesapeake NetCraftsmen Agenda Introduction to SPAM Stopping Spam Tracking, Blocking, and Filtering Spam Spam Filtering Architectures and Examples
© Copyright 2003 – Chesapeake NetCraftsmen, LLC Introduction to SPAM
© Copyright 2005– Chesapeake NetCraftsmen What is SPAM Hawaii residents consume nearly 7 million cans of Spam a year, 11,000 cans per day, an average of about six for every man, woman and child. Spam fried rice is a local classic. http ://www.azstarnet.com/dailystar/relatedarticles/14264.php http ://www.azstarnet.com/dailystar/relatedarticles/14264.php From dictionary.com: spam (n): Unsolicited , often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk .
© Copyright 2005– Chesapeake NetCraftsmen SPAM
© Copyright 2005– Chesapeake NetCraftsmen The Problem "Spamming is the scourge of electronic-mail and newsgroups on the Internet. It can seriously interfere with the operation of public services, to say nothing of the effect it may have on any individual's mail system.... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorization." -- Vint Cerf, Senior Vice President, MCI
© Copyright 2005– Chesapeake NetCraftsmen Why All the Fuss? Loss of Productivity Discouraged Users Loss of Efficiency Legal Issues Communications Quality Business Continuity Company Reputation
© Copyright 2005– Chesapeake NetCraftsmen Fraud Spammers know that in survey after survey, the overwhelming majority (often approaching 95%) of recipients don't want to receive their messages. In many cases, ISPs and consumers have set up "filters" to help dispose of SPAM. While filters often consume more resources at the ISP, making mail delivery and web surfing slower, they can sometimes help end-users cope a little bit better. Another common trick that spammers use is to forge the headers of messages, making it appear as though the message originated elsewhere, again providing a convenient target.
© Copyright 2005– Chesapeake NetCraftsmen Profile of a SPAMer Used ~20 computers, to send SPAM to list of over 250 million addresses, ~650,000 message/hour Controlled/used ~200 servers in Michigan, Texas and Asia, routing primarily through overseas ISPs. Charge to send one solicitation to his entire list: up to $22,000 "When you're sending out 250 million s, even a blind squirrel will find a nut. Mr. Ralsky has amassed his fortune with an response rate of less than one quarter of one percent During the time he was in business, spam has increased from 8% to 36% of all electronic mail. It is expected to increase to 50% by 2005.
© Copyright 2005– Chesapeake NetCraftsmen Profile Sanford Wallace and his companies, SmartBot.net Inc. of Richboro, Pa., and Seismic Entertainment Productions Inc. of Rochester, N.H., are required by the agreement to send online ads only to people who visit their Web sites. Wallace used spyware to infiltrate computers, overwhelming them with ads and other programs. Then, he tried to sell programs he claimed would fix the problems. He headed a company called Cyber Promotions that sent as many as 30 million junk s daily to consumers, earning him the nicknames Spam King and Spamford. He left the company after lawsuits from America Online and CompuServe
© Copyright 2005– Chesapeake NetCraftsmen Statistics Early 2003, spam accounted for about 50% of all e- mail Postini, (Redwood City, CA) anti-spam firm, scans ~400 million messages/day End of 2003, grown to roughly 75 percent. Throughout 2004, spam accounted for 75 to 80 percent of all (Postini) Denver-based MX Logic reported spam at ~77 percent of the messages scanned in In December 2003, spam accounted for 67 percent of messages.
© Copyright 2003 – Chesapeake NetCraftsmen, LLC Stopping Spam
© Copyright 2005– Chesapeake NetCraftsmen What Can We Do? 1. Make it illegal to send spam 2. Policy, Policy, Policy 3. Technically blocking spam
© Copyright 2005– Chesapeake NetCraftsmen The Legal Avenue # CAN-SPAM Act of 2003 (S. 877) (Burns-Wyden) Signed, Dec. 16, 2003 Illegal to falsify the "from" and "subject" lines of Required senders of bulk to include a working "unsubscribe" link The law doesn't allow individual users to sue spammers AOL reported a drop-off both in the volume of hitting its network and in the amount of spam delivered to users' inboxes in Fielded 1.6 billion messages in 2004, down from 2.1 billion in 2003 March 2004, file several lawsuits targeting some of the most prolific spammers, more to follow Approximately 20 states have local laws -
© Copyright 2005– Chesapeake NetCraftsmen The Legal Avenue Summary of Bills in front of 108 th Congress (109 th now) # Anti-Spam Act of 2003 (H.R. 2515) (Wilson) # Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003 (S. 1052) (Bill Nelson) # Computer Owners' Bill of Rights (S. 563) (Dayton) # Criminal Spam Act of 2003 (S. 1293) (Hatch) # Reduction in Distribution of Spam Act of 2003 (H.R. 2214) (Burr) # REDUCE Spam Act of 2003 (H.R. 1933) (Lofgren) # Stop Pornography and Abusive Marketing Act (S. 1231) (Schumer) # Wireless Telephone Spam Protection Act (H.R. 122) (Holt) Resource at
© Copyright 2005– Chesapeake NetCraftsmen Stopping Spammers From Sending Spam Simple Mail Transfer Protocol (SMTP) is used to transfer across the Internet Designed when the Internet was small and friendly Very efficient at forwarding and delivering . Not intended to manage content, Post Office
© Copyright 2005– Chesapeake NetCraftsmen The ISP Why Can't the ISP Just Block it? Data movers, what would they block? Often it is difficult for ISPs to block spam to everyone. Expensive to implement Difficult to maintain Often inconvenient for users
© Copyright 2005– Chesapeake NetCraftsmen Kill the Relay 'Simple Mail Transfer Protocol, used does not check passwords or any other sort of access when it is accepting messages for delivery. If a spammer connects to your server all they have to do is give it a list of addresses. The MTA then 'fans out' the lists of addresses into real attempts to connect to remote sites. While this simple technique works fairly well, not all mail server packages support this feature. Third-party software, such as Lyris MailShield, can add anti-relay security to servers that do not support filtering of TCP/IP addresses or other anti-relay techniques. If your company has employees who travel or telecommute, you may wish to only allow specific "From:" addresses to prevent unauthorized relaying. Use a mail proxy server with anti-relay features, and a regular mail server that is protected by a firewall, internal TCP/IP address, or port- moving technique.
© Copyright 2005– Chesapeake NetCraftsmen Stopping Spammers From Sending Spam (2) Open mail relays are a serious impediment to stopping spam!
© Copyright 2005– Chesapeake NetCraftsmen Address Munging Address munging is the act of modifying one's address so that sent to that address will not be delivered to the person doing the modifications. The Jargon File defines 'mung' as `Mash Until No Good', probably originating at MIT. Munging DOES NOT MEAN MAKING YOURSELF ANONYMOUS Trying to hide your identity by faking your address simply does not work. Trying to hide from spammers by changing the "name" or "real name" portion of your posted address also does not work.
© Copyright 2005– Chesapeake NetCraftsmen Should I unsubscribe? Often a plot to appear responsible Spammers would be out of business very quickly if everyone unsubscribed. Unsubscribing provides proof that your address is active.
© Copyright 2005– Chesapeake NetCraftsmen What Can I do? Forward a message with your spam complaint to the Internet Service Provider (ISP) that hosts the spammer's account. For example, if you received spam from then go to the Web site and look for a "contact us" page. Often ISPs have an account called "abuse" for such purposes. You could also try or Try to verify what the correct address is first so you don't waste anyone else's time. Reputable ISPs will investigate spammers
© Copyright 2005– Chesapeake NetCraftsmen Mail Clients Outlook Automatically flag suspect Place it in the Junk Mail. Users can flag and move to Junk Junk all from a domain can be marked as Junk. Netscape Netscape Mail automatically detects incoming messages that appear to be spam. When it detects a message that appears to be unwanted, it marks the message's Junk Status column with a special junk mail icon. Need to teach Netscape Mail what is spam Yahoo Web In "Mail Options, provides address blocking features, filters and spam protection Hotmail Various anti-spam features, including three automatic levels
© Copyright 2005– Chesapeake NetCraftsmen Third Party Add-ons Cloudmark offers a plug-in for Outlook and Outlook Express that allows you to mark specific s as spam and registers those s on its network. When enough people mark a message as spam it automatically deletes the message from every members inbox. SpamArrest takes a different approach. It filters all your mail through its mail server and only forwards mail from those senders who have been approved by you or those that have been challenged to type in a special keyword. MailBlocks: Offers a web-based service like Hotmail but it has a built in challenge/response system similar to the one employed by the SpamArrest service.
© Copyright 2005– Chesapeake NetCraftsmen Ban header text Many spam programs include telltale text in the headers of messages they send. For example: "public.com" or Other examples of telltale text and tags include: "savetrees.com," "relay.comanche.denmark," and "x-advert. If you ban header text, you can eliminate a significant amount of spam created by automated programs.
© Copyright 2005– Chesapeake NetCraftsmen Filtering In addition to filtering TCP/IP addresses and header text, it is also important that your server or anti-spam software filter body text. The address given in the body of the text may not be the same as the "From:" address, an indicator that the mail could be spam. Filtering body text and subject lines also allows you protection against the recent Melissa virus since "Melissa-tainted" often includes the following telltale information: * A subject line of: "Important Message From [sender's name]" * A body with the following content: "Here is that document you asked for... don't show anyone else ;-)"
© Copyright 2005– Chesapeake NetCraftsmen Tarpit spammers Tarpitting involves creating delays that slow down the mail-sending sessions of spammers. Evidence shows that when tarpitting slows down mail-sending from a server that is used for unauthorized relaying, the owner of the server may (1) become aware of the unauthorized relaying if he or she wasn't aware of it before and (2) adopt higher security measures to avoid being tarpitted. Besides tarpitting specific domains, one might also tarpit users that attempt to send mail to large numbers of people. Spam software works by sending a single message, and a huge BCC (blind carbon copy) list to the server for delivery. If you know that your customers (in the case of an ISP) or employees do not need to send mail to more than 20 recipients per message, you might tarpit a mail-sending session that attempts to send mail to 50 recipients. Some anti-spam software also allows you to tarpit specific TCP/IP addresses.
© Copyright 2005– Chesapeake NetCraftsmen Enforce Standards Internet standards basically state the following: * All mail must include a "From:" header. * All mail must include "To:" header. * All mail servers must have a reverse DNS host entry. Spammers typically violate Internet mail standards. Anti-spam software like Lyris MailShield allows you to modify the rules for filtering mail and send an explanation message to users that their mail was rejected Although not explicitly stated, valid host values for the HELO command are also encouraged by the Internet standards.
© Copyright 2003 – Chesapeake NetCraftsmen, LLC Tracking, Blocking, and Filtering Spam
© Copyright 2005– Chesapeake NetCraftsmen Example: Standard Message Date: Tue, 25 Mar :00: (EST) From: John Smith To: Joe Roundy Subject: Hello This is a perfectly good message.
© Copyright 2005– Chesapeake NetCraftsmen Example: All Message Headers From Wed Jan 15 12:00: Return-Path: jsmith Received: (from by netcraftsmen.net (8.6.12/8.6.9) id MAA00135; Wed, 15 Jan :00: Date: Wed, 15 Jan :00: (EST) From: John Smith To: Joe Roundy Subject: Hello Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: This is a perfectly good message.
© Copyright 2005– Chesapeake NetCraftsmen Example: Forged Mail Headers Date: Tue, 25 Mar :25: From: Hello. This is a really horrible piece of forged .
© Copyright 2005– Chesapeake NetCraftsmen Forged Mail Headers: Who Is Responsible? From Wed Jan 15 12:26: Return-Path: Received: from nowhere.com [ ]) by netcraftsmen.net (8.6.12/8.6.9) with SMTP id MAA00153 for jroundy; Wed, 15 Jan :25: Date: Wed, 15 Jan :25: From: Message-Id: Apparently-To: Status: RO X-Status: Hello. This is a really horrible piece of forged .
© Copyright 2005– Chesapeake NetCraftsmen Example: Actual Spam Return-Path: Received: from mindless.com ([ ]) by netcraftsmen.net (netcraftsmen.net mail service) with SMTP id 18xLfy7t43Nl3oW0 Sun, 12 Jan :46: (EST) Received: from ([ ]) by webmail.halftomorrow.com with esmtp; Sun, 12 Jan :47: Received: from unknown (HELO mxs.perenter.com) ( ) by public.micromail.com.au with NNFMP; Sat, 11 Jan :46: Received: from unknown ( ) by asx121.turbo-inline.com with asmtp; 12 Jan :46: Received: from [ ] by external.newsubdomain.com with local; 12 Jan :45: Received: from unknown (HELO qnx.mdrost.com) ( ) by nntp.pinxodet.net with NNFMP; Sun, 12 Jan :44:
© Copyright 2005– Chesapeake NetCraftsmen Mail Filtering Modern mail software packages have features to filter mail based on: Message headers Message body Sending host, including: IP address DNS lookup SMTP responses Many more …
© Copyright 2005– Chesapeake NetCraftsmen Real-Time Blocking Lists (RBL) RBLs provide efficient and consensual blocking of mail hosts known to harbor spammers Examples include: Caution is advised when choosing your RBL!
© Copyright 2005– Chesapeake NetCraftsmen Example: RBL 1. Spammer starts to send spam to the victim
© Copyright 2005– Chesapeake NetCraftsmen Example: RBL (2) 2. Victim checks with RBL to determine if spamking.net is a known spammer
© Copyright 2005– Chesapeake NetCraftsmen Example: RBL (3) 3. RBL responds that spamking.net is a confirmed spammer
© Copyright 2005– Chesapeake NetCraftsmen Example: RBL (4) 4. Victim blocks mail transmission
© Copyright 2005– Chesapeake NetCraftsmen Regular Expression Matching Searches incoming messages for patterns of text that are known to be used by spammers Improper sensitivity levels may miss spam or mark legitimate messages as spam Very commonly used method
© Copyright 2005– Chesapeake NetCraftsmen Example: Regular Expression Matching Set up regular expression filter Search for the regular expression: Buy Widgets Hot Date! Drawbacks?
© Copyright 2005– Chesapeake NetCraftsmen Regular Expression Matching: Hit Lists Method used to avoid mislabeling legitimate messages Every regular expression hit is associated with some number of points When a threshold is met, the mail is marked as spam
© Copyright 2005– Chesapeake NetCraftsmen Text Searches Vs. Language Computers search text for specific strings People read text and comprehend language How do we program a computer to recognize language in terms that it can understand?
© Copyright 2005– Chesapeake NetCraftsmen Bayesian Filtering Filters spam based on a statistical analysis of the contents Calculate the probability of a message being spam based on its contents and previous . Learns from spam and from good mail Scoring content-based spam filters look for words and other characteristics typical of spam. Every characteristic element is assigned a score, and a spam score for the whole message is computed from the individual score Adaptive
© Copyright 2005– Chesapeake NetCraftsmen Implementing Bayesian Filtering Build two collections of mail: Spam Non-spam Collections should be at least 4000 messages for accurate results Filter breaks apart messages into a collection of tokens and creates a hash
© Copyright 2005– Chesapeake NetCraftsmen Compare to the Token Hash As is received: Separate the into tokens Compare it to the hash Based on the outcome, mark it appropriately
© Copyright 2003 – Chesapeake NetCraftsmen, LLC Spam Filtering Architectures and Examples
© Copyright 2005– Chesapeake NetCraftsmen Example Network: No Filtering
© Copyright 2005– Chesapeake NetCraftsmen Example Network: Mail Relay
© Copyright 2005– Chesapeake NetCraftsmen Preparing the Mail Relay The mail relay should: Run on a stable, fault-tolerant operating system Only be running mail applications Be hardened against attack
© Copyright 2005– Chesapeake NetCraftsmen Example Network: Redundant Relays
© Copyright 2005– Chesapeake NetCraftsmen Relay Filtering Options MailScanner Separates incoming and outgoing mail into separate queues Runs external anti-virus and spam filtering software to scan incoming mail
© Copyright 2005– Chesapeake NetCraftsmen MailScanner Architecture MailScanner
© Copyright 2005– Chesapeake NetCraftsmen Spam Filtering Options SpamAssassin Supports: RBL Regular expression matching Text analysis Bayesian filtering
© Copyright 2005– Chesapeake NetCraftsmen Example Network: Outgoing Mail
© Copyright 2005– Chesapeake NetCraftsmen Questions Joe Roundy Senior Security Consultant Resources statistics.html esian_filter.htm
The Internet 8th Edition Tutorial 2 Basic Communication on the Internet: .
Spam By Dan Sterrett. Overview ► What is spam? ► Why it’s a problem ► The source of spam ► How spammers get your address ► Preventing Spam ► Possible.
What is and How Does it Work? Electronic mail ( ) is the most popular use of the Internet. It is a fast and inexpensive way of sending messages.
(or ?) Short for Electronic Mail The transmission of messages over networks.
23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.
GOT SPAM? Spam is the unsolicited or undesired bulk electronic messages. Spam usually contains pornography, viruses, phishing attacks, scams, trojans,
Unit 2—Using the Computer Lesson 14 and Electronic Communication.
Unit 9 Communication Services. Describe the components for electronic communication Explain the purpose of usernames, passwords, and credentials
COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.
A form of communication in which electronic messages are created and transferred between two or more devices connected to a network.
Outlook 2000 Summertime Technology 2002 Vicki Blackwell Tangipahoa Parish Schools.
is still the preferred standard communication tool for businesses. Benefits: ability to write lengthy messages Include attachments displayed.
Copyright ©2005 CNET Networks, Inc. All rights reserved. Practice safety Learn how to protect yourself against common attacks.
Basic Communication on the Internet: Integrated Browser Programs and Web-Based Services Tutorial 3.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
Basics What is ? is short for electronic mail. is a method for sending messages electronically from one computer.
RYAN HICKLING. WHAT IS AN An messages distributed by electronic means from one computer user to one or more recipients via a network.
advantages The system is nearly universal because anyone who can access the Internet has an address. is fast because messages.
PHISHING AND SPAM INTRODUCTION There’s a good chance that in the past week you have received at least one that pretends to be from your bank,
Microsoft Office Illustrated Introductory, Second Edition Started with Outlook 2003 Getting.
Intro to Computer Networks Bob Bradley The University of Tennessee at Martin.
Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
WXET1143 Lecture7: , Chat and Messaging. Introduction Electronic mail is everywhere. Now many people in business, government, and education use.
1 How Do I Order From.decimal? Rev 05/04/09 This instructional training document may be updated at anytime. Please visit and check the.
Chapter 3 Social Media Revolution Video. 1. Guidelines a. Determine the information you need. b. Consider who is likely to have the info. c. Communicate.
Login Screen This is the Sign In page for the Dashboard Enter Id and Password to sign In New User Registration.
Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3
Spam Sonia Jahid University of Illinois Fall 2007.
XP New Perspectives on The Internet, Sixth Edition— Comprehensive Tutorial 2 1 Evaluating an Program and a Web-Based Service Basic Communication.
1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.
Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
Login Screen This is the Sign In page for the Dashboard New User Registration Enter Id and Password to sign In.
1 Effective, secure and reliable hosted security and continuity solution.
Services Course Windows Live SkyDrive Participant Guide.
1 Chinese Information Processing (I): Basic Concepts and Practice Unit 5: Asynchronous Communication.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.
1 Chapter 2 (Continued) Section 2.2 Section 2.2. Internet Service Provider (ISP) ISP - a company that connects you through your communications line to.
Lesson 3: Introduction to Internet Technology. Define networks Define the Internet Identify Internet connection methods Define Internet protocols.
Microsoft Office XP Illustrated Introductory, Enhanced Started with Outlook 2002 Getting.
» Explain the way that electronic mail ( ) works » Configure an client » Identify message components » Create and send messages.
Cyber Crimes. Introduction Definition Types Classification.
FNAL Central Systems Jack Schmidt, Al Lilianstrom, Ray Pasetes, and Kevin Hill (Fermi National Accelerator Laboratory) Introduction The FNAL .
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
CAN SPAM and Your Marketing Best Practices for Senders By Lars Helgeson Cooler .
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Slide 3-1 Chapter 3 Terms Electronic Commerce and Internet Technologies Introduction to Information Systems Judith C. Simon.
© 2017 SlidePlayer.com Inc. All rights reserved.