Final Lab - Spam
Group 10: Scott Durr, Stephen Thompson

Outline
Introduction
Set up
Obtaining Addresses
Sending Mass Emails
Filtering & Stopping Spam

Introduction
Almost 90% of email is now considered Spam! – Messaging Anti-Abuse Working Group Report #6, Oct 2007
Huge drain on resources
Strains the infrastructure
Distracts/annoys us all
Major delivery mechanism for malware!

The Costs
The State of California estimated that Spam cost the state's economy $1.2 billion in a single year; the estimate for the entire US was a $10 billion loss in that same year.
–That was in 2003…

Our Set Up
Servers: Host Machine and RedHat 7.2 Machine
Clients: WinXP and WinXP2

Major Software Packages
Apache2 Web Server
Sendmail server w/ SpamAssassin
–Included on lab installs of RedHat 7.2 and RedHat WS 4.0
Qpopper
–POP3 server
PINE
Outlook Express
–Included with WinXP
Evolution
–Included with RedHat
Spam software:
–Atomic Hunter & Atomic Sender

Two Servers
Set up with slightly different rules for comparison
We were NOT able to SMTP between the Sendmail servers because Sendmail MUST have DNS running in order to find other servers.
–We didn't want to tackle the additional setup.
–We could accomplish what we wanted without it.

Obtaining Addresses
Many different methods, but we focus on:
–Email address spider
–Anonymous FTP trick
–Verification of addresses at the server

Address Spiders
Crawl the web and copy anything that looks like an email address.
Implemented a basic one with wget and grep, using a regular expression:
wget -rFO lotsofhtml.txt <start URL>
egrep -rhoie '<regex>' lotsofhtml.txt
The regex simply describes the user@host.tld shape of an address.

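As an added example (not the lab's own commands), here is a shell version of the wget-plus-grep spider that runs offline against a constructed sample page. The regular expression, the sample HTML and the file names are assumptions; the crawl step is wrapped in a function that is not executed here because it needs the network.

```sh
#!/bin/sh
# Added example: a minimal email-address spider in the style of the slide's
# wget + egrep pipeline. Not the lab's own script.

# "Anything that looks like an address": a local part, an @, a dotted host and
# a 2+ letter TLD. Deliberately loose, the way a harvester would be; it also
# grabs addresses inside mailto: links and, as the sample shows, some junk.
ADDR_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# Pull every address out of a saved HTML dump: lower-cased, de-duplicated.
harvest_addresses() {
    grep -Eoi "$ADDR_RE" "$1" | tr 'A-Z' 'a-z' | sort -u
}

# The crawl step (network; not run below): wget -r fetches recursively, -l caps
# the depth, -O concatenates every page into one file for grep to chew on.
crawl_and_harvest() {
    wget -q -r -l 2 -O lotsofhtml.txt "$1" && harvest_addresses lotsofhtml.txt
}

# Constructed sample page standing in for the lab's dummy web sites.
SAMPLE_HTML=$(mktemp)
trap 'rm -f "$SAMPLE_HTML"' EXIT
cat >"$SAMPLE_HTML" <<'EOF'
<html><body>
<p>Contact <a href="mailto:Webmaster@Example.com">Webmaster@Example.com</a></p>
<p>Faculty: j.smith@ece.example.edu, Mary_Jones+lab@example.org</p>
<p>Written out as "bob at example dot net" - the spider misses this one</p>
<img src="logo.png" alt="picture@2x.png">
</body></html>
EOF

# Four unique hits: the mailto address (once, despite appearing twice), the two
# faculty addresses, and "picture@2x.png", a false positive from the alt text.
harvest_addresses "$SAMPLE_HTML"
```

The false positive is the point worth noticing: a harvester does not care, since junk in the list only costs the spammer a bounce, which is exactly why the "Verifying Addresses" step exists.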
“Atomic Hunter”
Commercial Windows program that implements an address spider.
Tested on the same dummy websites as our homemade one.
Has a lot more features.

Anonymous FTP
A throwback from the days of old: anonymous FTP logins ask for an email address as the password!
Set your web page to load images via ftp:// URLs instead of http://, and some browsers will cough up an address.
Tested on Mozilla and IE: they give dummy addresses.

Verifying Addresses
Why is this important?
–A “good” list will minimize alerts that might catch the spammer.
–Allows for a ‘guess and test’ method of address discovery.
VRFY and EXPN
–Ask the server if an address is good (VRFY)
–Ask the server about an alias/list (EXPN)
–Disable these!

Verifying Addresses
During the SMTP exchange you pass a “TO” (RCPT TO) address to the server. It will come back and tell you whether it is good!
Email headers implemented by many clients:
Return-Receipt-To:
X-Confirm-Reading-To:
Make sure your client (Outlook and others) is not set to answer these automatically!

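Added example, not from the lab: the probe the two slides describe, replayed from a constructed SMTP transcript (both sides' lines, S: for server and C: for client), plus a check that a sendmail.cf carries the PrivacyOptions flags that close VRFY and EXPN. The host names, addresses and reply texts are made up; the sendmail option names and the `O PrivacyOptions=` line format are real.

```sh
#!/bin/sh
# Added example (not the lab's code): read an SMTP probe transcript and report
# which addresses the server confirmed, then audit sendmail's PrivacyOptions.

TRANSCRIPT=$(mktemp); WEAK_CF=$(mktemp); GOOD_CF=$(mktemp)
trap 'rm -f "$TRANSCRIPT" "$WEAK_CF" "$GOOD_CF"' EXIT

# Constructed transcript of a VRFY / EXPN / RCPT TO probe.
cat >"$TRANSCRIPT" <<'EOF'
S: 220 mail.example.edu ESMTP Sendmail ready
C: HELO probe.example.net
S: 250 mail.example.edu Hello probe.example.net, pleased to meet you
C: VRFY alice
S: 250 2.1.5 Alice Example <alice@mail.example.edu>
C: EXPN staff
S: 502 5.7.0 Sorry, we do not allow this operation
C: MAIL FROM:<probe@example.net>
S: 250 2.1.0 <probe@example.net>... Sender ok
C: RCPT TO:<bob@example.edu>
S: 250 2.1.5 <bob@example.edu>... Recipient ok
C: RCPT TO:<nobody-here@example.edu>
S: 550 5.1.1 <nobody-here@example.edu>... User unknown
C: RCPT TO:<jdoe@example.edu>
S: 550 5.1.1 <jdoe@example.edu>... User unknown
C: RSET
S: 250 2.0.0 Reset state
C: QUIT
S: 221 2.0.0 mail.example.edu closing connection
EOF

# One line per probed name: COMMAND TARGET VERDICT. 250/251 = exists,
# 252 = server refuses to say, 55x = no such user, 50x = command disabled.
probe_results() {
    awk '
        /^C: (VRFY|EXPN) / { cmd = $2; target = $3; next }
        /^C: RCPT TO:/      { cmd = "RCPT"; target = $3
                              sub(/^TO:/, "", target); gsub(/[<>]/, "", target); next }
        /^C: /              { cmd = ""; next }
        /^S: / && cmd != "" {
            code = $2
            if      (code ~ /^25[01]$/) verdict = "valid"
            else if (code == "252")      verdict = "unverifiable"
            else if (code ~ /^55/)       verdict = "invalid"
            else if (code ~ /^50/)       verdict = "disabled"
            else                         verdict = "other"
            print cmd, target, verdict
            cmd = ""
        }' "$1"
}

# Does this sendmail.cf refuse VRFY and EXPN? In sendmail.mc the same thing is
#   define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
# or just `goaway', which bundles novrfy, noexpn and the need*helo flags.
privacy_flags_ok() {
    flags=$(sed -n 's/^O PrivacyOptions=//p' "$1" | tr -d ' ')
    case ",$flags," in
        *,goaway,*) return 0 ;;
        *,novrfy,*) case ",$flags," in *,noexpn,*) return 0 ;; esac ;;
    esac
    return 1
}

# Two constructed sendmail.cf fragments: the weak one still answers VRFY/EXPN.
printf 'O PrivacyOptions=authwarnings\n' >"$WEAK_CF"
printf 'O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun\n' >"$GOOD_CF"

probe_results "$TRANSCRIPT"
privacy_flags_ok "$GOOD_CF" && echo "good cf: VRFY/EXPN closed"
privacy_flags_ok "$WEAK_CF" || echo "weak cf: VRFY/EXPN still answer"
```

Note what the transcript also shows: disabling VRFY and EXPN is not enough, because RCPT TO still tells the probe "User unknown" versus "Recipient ok". That oracle can only be blunted (accept-then-bounce, rate limiting, connection greylisting), not removed, so the "guess and test" method works to some degree against any server that rejects unknown recipients during the SMTP dialogue.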
Defeating those Spiders
Two choices
–Hide your address
–Actively counter spiders

Hide your address
Use a script to return the address instead of putting the address in the page source.
ECE does this for their faculty!
Great example, courtesy of Mr. Tim Williams at U. Arizona:

WPoison
Available at:
Actively thwarts spiders by generating random pages with more links and addresses.
Each link leads right back to WPoison!
–Run the spider in a circle, filling it with garbage.
–We have a video

WPoison Movie
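Added example, not WPoison's own code: a toy reimplementation in shell and awk of the idea on the WPoison slide, a CGI that emits a page of random addresses whose links all point back to the same script. The script path (/cgi-bin/poison.sh), the page sizes and the use of a trailing path component to make each link look new are assumptions.

```sh
#!/bin/sh
# Added example: a WPoison-style spider trap in shell + awk. Not WPoison itself.

# Emit one poison page: n_addrs random addresses for the harvester to swallow
# and n_links links that all lead back to self_url, so a spider that follows
# them goes round in circles. seed makes a run reproducible; use $(date +%s) live.
poison_page() {
    n_addrs=$1; n_links=$2; self_url=$3; seed=$4
    awk -v n="$n_addrs" -v m="$n_links" -v self="$self_url" -v seed="$seed" '
        # random lower-case word of the given length
        function word(len,    s, i) {
            s = ""
            for (i = 0; i < len; i++)
                s = s substr("abcdefghijklmnopqrstuvwxyz", int(rand() * 26) + 1, 1)
            return s
        }
        BEGIN {
            srand(seed)
            print "<html><body>"
            for (i = 0; i < n; i++)
                printf "<p>%s@%s.%s</p>\n", word(4 + int(rand() * 6)), word(5 + int(rand() * 6)), (rand() < 0.5 ? "com" : "net")
            # every link carries a fresh random path, so the spider sees "new" URLs
            for (i = 0; i < m; i++)
                printf "<a href=\"%s/%s.html\">%s</a>\n", self, word(8), word(6)
            print "</body></html>"
        }'
}

# As a CGI (the way WPoison is deployed): HTTP header, then a page whose links
# point back at this same script. SCRIPT_NAME is set by the web server.
poison_cgi() {
    printf 'Content-Type: text/html\r\n\r\n'
    poison_page 25 10 "${SCRIPT_NAME:-/cgi-bin/poison.sh}" "$(date +%s)"
}

poison_page 5 3 /cgi-bin/poison.sh 42
```

Two practical caveats: exclude the script's URL in robots.txt so well-behaved crawlers (search engines) are not trapped alongside the harvesters, and make sure none of the generated domains is one you own, or the garbage addresses will bounce back to you.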
Sending Mass Emails
Methods
1. Use your own (school/ISP) SMTP server
–You will probably get caught and shut down!
2. Use another, third-party SMTP server
–You will probably be blocked from relaying
3. Connect directly to the recipient's server
–This takes some work, and you might get blacklisted
4. Do any of the above via a bot net
–Even if a bot gets caught and blocked, you don't!

Our Simulations
Same lab network as before (Host Machine and RedHat 7.2 Machine as servers; WinXP and WinXP2 as clients), plus a fictional yahoo.com as the victim domain.
–Method #1: Use your own SMTP server
–Method #2: Use a third-party SMTP server
–Method #3: Connect directly to the victim's SMTP server
–Method #4: Bot net

Mass Email Countermeasures
Limit who can send on your server
–Only users on the domain can “RELAY”
–Use a blacklist to prevent connections from known spammers
Filter messages as they come in

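Added example, not from the lab: a constructed sendmail /etc/mail/access table of the kind that enforces "only our own hosts may RELAY" and "refuse known spammers", plus a small shell emulation of how sendmail matches those entries (leading octets for IP keys, trailing labels for name keys) so the policy can be exercised without a running mail server. The addresses and domains are made up; the access-db tags (Connect:, From:, To:), the values (RELAY, REJECT, DISCARD, 5xx text) and the FEATURE names are real sendmail ones. The emulation simplifies sendmail's full lookup order (it skips untagged keys and full-address lookups).

```sh
#!/bin/sh
# Added example (not the lab's configuration): a sendmail access table and a
# shell emulation of how sendmail consults it, to test relay policy offline.

# Constructed /etc/mail/access. Format is sendmail's: tagged key, whitespace,
# value. Build the db with "makemap hash /etc/mail/access < /etc/mail/access"
# and enable it with FEATURE(`access_db')dnl in sendmail.mc. The thing to look
# for in a relay audit is FEATURE(`promiscuous_relay'), which turns all of this off.
ACCESS_DB=$(mktemp)
trap 'rm -f "$ACCESS_DB"' EXIT
cat >"$ACCESS_DB" <<'EOF'
# our own hosts and networks may relay through this server
Connect:127.0.0.1          RELAY
Connect:192.168.1          RELAY
# our own domain: accept mail for it from anyone
To:example.edu             RELAY
# known spam sources: refuse the connection / the sender outright
Connect:10.66.6            REJECT
From:bulk-mailer.example   550 We do not accept mail from this domain
EOF

# Look up one tagged key the way sendmail does: exact match first, then shorter
# keys (drop the last octet of an IP, or the leftmost label of a name).
# Prints the value and returns 0 on a hit; returns 1 if nothing matches.
access_lookup() {
    tag=$1; key=$2
    while [ -n "$key" ]; do
        val=$(awk -v k="$tag$key" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$ACCESS_DB")
        if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
        case "$key" in
            *[!0-9.]*) case "$key" in *.*) key=${key#*.} ;; *) key= ;; esac ;;  # name
            *)         case "$key" in *.*) key=${key%.*} ;; *) key= ;; esac ;;  # IP
        esac
    done
    return 1
}

# What happens to one envelope: connecting IP, sender domain, recipient domain.
decide() {
    client_ip=$1; from_dom=$2; to_dom=$3
    conn=$(access_lookup Connect: "$client_ip") || conn=
    case "$conn" in REJECT|DISCARD|5[0-9][0-9]*) printf 'REJECT connection: %s\n' "$conn"; return 1 ;; esac
    sender=$(access_lookup From: "$from_dom") || sender=
    case "$sender" in REJECT|DISCARD|5[0-9][0-9]*) printf 'REJECT sender: %s\n' "$sender"; return 1 ;; esac
    rcpt=$(access_lookup To: "$to_dom") || rcpt=
    if [ "$rcpt" = RELAY ]; then printf 'ACCEPT: %s is our domain\n' "$to_dom"; return 0; fi
    if [ "$conn" = RELAY ]; then printf 'RELAY: client %s may relay\n' "$client_ip"; return 0; fi
    printf '550 Relaying denied\n'; return 1
}

decide 192.168.1.25 example.org example.net           # our host: may relay anywhere
decide 203.0.113.7  example.org example.net           # stranger to stranger: denied
decide 203.0.113.7  example.org mail.example.edu      # stranger to us: accepted
decide 10.66.6.9    example.org example.edu           # blacklisted network: refused
decide 203.0.113.7  bulk-mailer.example example.edu   # blacklisted sender: refused
```

The second case is the one the lab's "third-party SMTP server" scenario depends on: a correctly configured server answers "Relaying denied" to anyone outside its own networks, which is why method #2 on the previous slide tends to fail.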
SpamAssassin
Open source & extremely common
Very complex
–Lots of rules
–Uses scores to determine what is spam
–Has learning capabilities
Can connect to services to receive rules and blacklists
More info at:

SpamAssassin in the Lab
We walk through the setup of some basic rules.

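Added example, not SpamAssassin's code and not the lab's rules: a shell scorer that imitates SpamAssassin's mechanism (many small rules, each adding a score; a message is spam when the total reaches the required_score threshold) on two constructed messages. The rule names, regexes, scores and messages are made up; the local.cf syntax quoted in the comments and the default threshold of 5.0 are SpamAssassin's own.

```sh
#!/bin/sh
# Added example: a SpamAssassin-style scorer. Not SpamAssassin, not the lab's rules.

# Rule table, one rule per line: NAME|header-or-body|ERE|score. The first rule
# in real SpamAssassin local.cf syntax would be
#   header LOCAL_SUBJ_FREE  Subject =~ /free/i
#   score  LOCAL_SUBJ_FREE  1.5
# and the threshold below is SpamAssassin's default, required_score 5.0.
RULES=$(mktemp); SPAM=$(mktemp); HAM=$(mktemp)
trap 'rm -f "$RULES" "$SPAM" "$HAM"' EXIT
cat >"$RULES" <<'EOF'
LOCAL_SUBJ_FREE|header|^Subject:.*free|1.5
LOCAL_CLICK_HERE|body|click here|1.0
LOCAL_MONEY|body|\$[0-9,]+|1.5
LOCAL_NO_RCPT|header|^To: *undisclosed-recipients|2.5
LOCAL_RETURN_RECEIPT|header|^Return-Receipt-To:|0.5
EOF

# Score one RFC 822 message file. Prints "total NAME NAME ..." (hits in rule order).
score_message() {
    hdr=$(sed '/^$/q' "$1")          # headers: up to the first blank line
    body=$(sed '1,/^$/d' "$1")       # body: everything after it
    total=0; hits=
    while IFS='|' read -r name part regex score; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ "$part" = header ]; then text=$hdr; else text=$body; fi
        if printf '%s\n' "$text" | grep -Eiq -- "$regex"; then
            hits="$hits $name"
            total=$(awk -v a="$total" -v b="$score" 'BEGIN { printf "%.1f", a + b }')
        fi
    done <"$RULES"
    printf '%s%s\n' "$total" "$hits"
}

# Verdict against the threshold (override with REQUIRED_SCORE=...).
is_spam() {
    score_message "$1" | awk -v t="${REQUIRED_SCORE:-5.0}" '{ exit !($1 >= t) }'
}

# Two constructed messages: an obvious spam and an ordinary lab mail.
cat >"$SPAM" <<'EOF'
From: "Prize Dept" <win@bulk-mailer.example>
To: undisclosed-recipients:;
Subject: FREE money - you have been selected
Return-Receipt-To: win@bulk-mailer.example

Dear friend, click here to claim your $1,000,000 prize today.
EOF
cat >"$HAM" <<'EOF'
From: Alice <alice@example.edu>
To: bob@example.edu
Subject: Lab 5 writeup

Bob, the draft is attached. The free-text section still needs your part.
EOF

for m in "$SPAM" "$HAM"; do
    if is_spam "$m"; then v=SPAM; else v=ham; fi
    printf '%s  %s\n' "$v" "$(score_message "$m")"
done
```

The ham message contains the word "free" in its body and is not penalised, because LOCAL_SUBJ_FREE is a header rule; that is the whole reason SpamAssassin scores many weak signals instead of blocking on any one keyword. Note also that the read-receipt header from the "Verifying Addresses" slide earns a small score here: on its own it is harmless, in combination it is a tell.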
Your Last Line of Defense…
The client
Web-based clients can rapidly aggregate feedback and build more responsive filters.
–Gmail, Yahoo, Hotmail, etc.

In the Lab Summary
Set up servers
Harvest email addresses
–Address spiders: wget/grep & Atomic Hunter
–FTP method
Experiment with address verification
Send mass emails through each scenario
–Use manual connection and Atomic Sender
Implement some countermeasures
–RELAY limitations
–WPoison
–Hide addresses
Install, set up, and test SpamAssassin

Questions?