SPAM Presentation

Final Lab - Spam
Group 10:
Scott Durr
Stephen Thompson
Outline
• Introduction
• Set up
• Obtaining Email Addresses
• Sending Mass Emails
• Filtering & Stopping Spam
Introduction
Almost 90% of email is now considered Spam!
– Messaging Anti-Abuse Working Group Report #6, Oct 2007
• Huge drain on resources
• Strains the infrastructure
• Distracts/Annoys us all
• Major delivery mechanism for Malware!
The Costs
• The State of California estimates that Spam cost the state’s economy $1.2 billion in 2003. They estimate the entire US suffered a $10 billion loss in that same year.
– http://www.spamlaws.com/state/ca.shtml
• That was in 2003…
Our Set Up
Servers
• Host Machine: 57.35.6.131
• RedHat7.2 Machine: 57.35.6.132
Clients
• WinXP: 57.35.6.133
• WinXP2: 57.35.6.134
Major Software Packages
• Apache2 Web Server
• Sendmail Email Server w/ SpamAssassin
– Included on lab installs of Redhat 7.2 and Redhat WS 4.0
• Qpopper
– POP3 server
• PINE
• Outlook Express
– Included with WinXP
• Evolution
– Included with RedHat
• Spam software:
– Atomic Email Hunter & Atomic Email Sender
Two Email Servers
• Set up with slightly different rules for
comparison
• Were NOT able to SMTP between
Sendmail servers because Sendmail MUST
have DNS running in order to find other
servers.
– We didn’t want to tackle the additional setup.
– We could accomplish what we wanted without
it.
Obtaining Email Addresses
• Many different methods, but we focus on:
– Email address spider
– Anonymous FTP trick
– Verification of Email addresses at the server
Email Address Spiders
• Crawl the web and copy anything that looks
like an email address.
• Implemented a basic one with wget and
grep, using a regular expression:
wget -rFO lotsofhtml.txt http://localhost/
egrep -rhoie '[[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3}' lotsofhtml.txt
That regex is:
[[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3}
• Example
“Atomic Email Hunter”
• Commercial Windows program that
implements an email address spider.
• Tested on the same dummy websites as
our homemade one.
• Has a lot more features.
Anonymous FTP
• A throwback from the days of old: Anonymous FTP logins require an email address as a password!
• Set up your web page to grab images via FTP instead of HTTP, and some browsers will cough up an email address.
• Tested on Mozilla and IE: they give dummy
addresses.
Verifying Email Addresses
• Why is this important?
– A “good” email list will minimize alerts that
might catch the spammer.
– Allows for a ‘guess and test’ method of email
address discovery.
• VRFY and EXPN
– Ask the server if an address is good (VRFY)
– Ask the server about an alias/list (EXPN)
– Disable these!
Verifying Email Addresses
• During the SMTP exchange, you pass a “TO” address to the server. It will come back and tell you if it is good!
• Email header implemented by many clients:
Return-Receipt-To: <email-address>
X-Confirm-Reading-To: <email-address>
Make sure you disable these as defaults in Outlook and others!
Defeating those Email Spiders
• Two choices
– Hide your email address
– Actively counter spiders
Hide your email address
• Use script to return an email address instead of
putting the address in code.
• ECE does this for their faculty!
• Great example, courtesy of Mr. Tim Williams at
U. Arizona:
http://www.u.arizona.edu/~trw/spam/spam4.htm
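Added example (not from the lab or the deck): the deck's egrep pattern, translated to Python syntax, run over two constructed HTML snippets so you can audit your own pages the way a grep-style spider would see them. Everything here (addresses, page content, function names) is constructed for illustration.

```python
import re

# The deck's pattern [[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3}, rewritten
# with explicit ranges because Python's re has no POSIX [[:alnum:]] classes.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,3}", re.IGNORECASE)

# Constructed sample: a faculty page that writes the address straight into the HTML.
PLAIN_HTML = (
    '<p>Contact: <a href="mailto:jdoe@ece.example.edu">jdoe@ece.example.edu</a></p>'
)

# Constructed sample: the same address assembled by a script at render time,
# in the spirit of the "use script to return an email address" countermeasure.
SCRIPTED_HTML = """<p>Contact: <span id="c"></span></p>
<script>
  var u = "jdoe"; var d = "ece.example.edu";
  document.getElementById("c").textContent = u + "@" + d;
</script>"""

# Constructed sample showing a limit of the deck's pattern: {2,3} caps the
# top-level domain at three letters, so ".info" is cut to ".inf".
LONG_TLD_HTML = "<p>mail bob@example.info for details</p>"


def harvest(html: str) -> list:
    """Every distinct address-shaped string a regex spider would lift from the source."""
    seen = []
    for match in ADDRESS_RE.findall(html):
        if match.lower() not in seen:
            seen.append(match.lower())
    return seen


def leaks_addresses(html: str) -> bool:
    """True if the raw page source exposes anything the spider regex will match."""
    return bool(harvest(html))


if __name__ == "__main__":
    for label, page in (("plain", PLAIN_HTML), ("scripted", SCRIPTED_HTML), ("long tld", LONG_TLD_HTML)):
        print(label, harvest(page))
```

The scripted page only yields the address to a browser that runs the script; the source itself contains nothing the regex can match.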
WPoison
• Available at
http://www.monkeys.com/wpoison/
• Actively thwarts spiders by generating
random pages with more links and email
addresses.
• Each link leads right back to WPoison!
– Run the spider in a circle, filling it with
garbage.
– We have a video
WPoison Movie
Sending Mass Emails
• Methods
1. Use your own (school/isp) SMTP server
• You will probably get caught and shut down!
2. Use another, third party SMTP server
• You will probably be blocked from Relaying
3. Connect directly to the recipient’s server
• This takes some work, and you might get
blacklisted
4. Do any of the above via a Bot Net
• Even if you get caught, you don’t get blocked!
Our Simulations
• Method #1: Use your SMTP Server
• Method #2: Use a Third Party SMTP Server
• Method #3: Connect Directly to Victim’s SMTP Server
• Method #4: Use a Bot Net
(Diagram: Clients WinXP 57.35.6.133 and WinXP2 57.35.6.134; Servers Host Machine 57.35.6.131 and RedHat7.2 Machine 57.35.6.132; fictional yahoo.com as the victim’s server)
Mass Email Countermeasures
• Limit who can send on your server
– Only users on the domain can “RELAY”
– Use a blacklist to prevent connections from
known spammers
• Filter messages as they come in
SpamAssassin
• Open source & extremely common
• Very complex
– Lots of rules
– Uses scores to determine what is spam
– Has learning capabilities
• Can connect to services to receive rules and
blacklists
– www.spamhaus.org
• More info at: http://spamassassin.apache.org
SpamAssassin in the Lab
• We walk through the setup of some basic rules.
required_score 5
report_safe 0
rewrite_header Subject [**SPAM** _SCORE_]
body FIRST_RULE /BUY ME/
describe FIRST_RULE Check if "BUY ME" is in the body
score FIRST_RULE 4.0
header SECOND_RULE Subject =~ /Cheap/
describe SECOND_RULE Check if Cheap is in the subject line
score SECOND_RULE 4.0
body THIRD_RULE /Safe/i
describe THIRD_RULE Check for Safe to make it safe
score THIRD_RULE -10.0
# Blacklist all mail from domain spam.org
blacklist_from *.spam.org
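Added example (not part of the lab's SpamAssassin setup): a small Python scorer that applies the rules above to constructed messages, so you can see how the scores combine, how the negative THIRD_RULE lets a "Safe" mention cancel two positive hits, and how the blacklist_from glob is matched. The blacklist score of 100 follows SpamAssassin's behaviour for USER_IN_BLACKLIST; message contents and addresses are constructed.

```python
import email
import email.utils
import re
from fnmatch import fnmatch

# The lab's rules as data: (name, what it inspects, pattern, score).
# "body" rules run over the message text, "header Subject" rules over the Subject line.
RULES = [
    ("FIRST_RULE", "body", re.compile(r"BUY ME"), 4.0),          # no /i: case-sensitive
    ("SECOND_RULE", "subject", re.compile(r"Cheap"), 4.0),
    ("THIRD_RULE", "body", re.compile(r"Safe", re.I), -10.0),   # the /i flag from the deck
]
REQUIRED_SCORE = 5.0                      # required_score 5
BLACKLIST_FROM = ["*.spam.org"]           # blacklist_from *.spam.org
BLACKLIST_SCORE = 100.0                   # SpamAssassin's score for USER_IN_BLACKLIST
SUBJECT_TEMPLATE = "[**SPAM** _SCORE_]"   # rewrite_header Subject ...


def score_message(raw: str):
    """Return (score, rule hits, final Subject) for one RFC 822 message string."""
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", errors="replace")
    hits = [(name, pts) for name, where, pat, pts in RULES
            if pat.search(body if where == "body" else subject)]
    # The glob is matched against the whole sender address, so "*.spam.org" hits
    # bob@mail.spam.org but, as written, not bob@spam.org (that needs "*@spam.org").
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    if any(fnmatch(sender.lower(), glob) for glob in BLACKLIST_FROM):
        hits.append(("USER_IN_BLACKLIST", BLACKLIST_SCORE))
    score = sum(pts for _, pts in hits)
    if score >= REQUIRED_SCORE:   # report_safe 0: leave the body alone, tag the Subject
        subject = SUBJECT_TEMPLATE.replace("_SCORE_", f"{score:.1f}") + " " + subject
    return score, hits, subject


# Constructed test messages (not from the lab).
SPAMMY = "From: deals@promo.example.net\nSubject: Cheap watches\n\nBUY ME now.\n"
SAFE_WORD = "From: deals@promo.example.net\nSubject: Cheap watches\n\nBUY ME now, it is Safe.\n"
BLACKLISTED = "From: bob@mail.spam.org\nSubject: hello\n\nJust checking in.\n"

if __name__ == "__main__":
    for raw in (SPAMMY, SAFE_WORD, BLACKLISTED):
        print(score_message(raw))
```

SAFE_WORD shows why a large negative score on a common word is a poor rule: the two 4.0 hits are outweighed and the message sails through.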
Your Last Line of Defense…
• The email client
• Web-based email clients can rapidly
aggregate feedback and build more
responsive filters.
• Gmail, Yahoo, Hotmail, etc.
In the Lab Summary
• Set up Servers
• Harvest emails
– Email Address Spiders: wget/grep & Atomic
– FTP method
• Experiment with address verification
• Send mass emails through each scenario
– Use manual connection and Atomic Email Sender
• Implement some countermeasures
– RELAY limitations
– WPoison
– Hide Email Addresses
• Install, setup, and test SpamAssassin
Questions?