Blue Security: Challenges With CAN-SPAM Automation
Eran Reshef, Blue Security, Inc., Sep 2005
Note: This presentation describes Blue Security's Phase II Beta.
Why Did We Found Blue?
Internet users do not want to receive spam.
The CAN-SPAM law allows users to opt out.
In reality, it is extremely difficult to opt out:
  – Faked "Reply-To:" addresses
  – Broken "unsubscribe" forms
  – Unsubscribing usually brings more spam
  – Spyware harboring in spam sites
Even if opting out were possible, there is too much spam to opt out from manually.
Our approach: an automated opt-out mechanism.

Key Principles
One opt-out request per spam message sent to a member's personal mailbox
Opt-outs are sent via HTTP to advertisers' web sites
Manual analysis to overcome "Joe jobs" and zombie web sites
No interference with Internet infrastructure
Opt-outs refer spammers to a hashed registry

Naïve Approach
Diagram: Spammer → spam → User's mailbox → User's opt-out software → opt out via email → Spammer

Problems with Naïve Approach
The "From" address is almost always faked
  – Cannot use "From" to email back to the spammer
The sending machine is almost always a zombie
  – Emailing the IP owner will reach either a careless admin or an ISP

Opt-out at Merchant's Site
Diagram: Spammer → spam → User's mailbox → User's opt-out software → opt out via HTTP → Merchant's web site

Mechanics of Opt-Out Requests
Open an HTTP session to the merchant's site
Politely crawl the site to locate all HTML forms
  – Spammers randomize links to prevent automated opt-out requests, so crawling is necessary
  – Max 3 connections (Internet Explorer's default)
  – Several seconds' pause between each request
Post opt-out text in HTML forms
  – Ignore client-side validation (JavaScript)
  – No use of random information (e.g., credit cards)
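The form-handling half of this procedure, as an added example that is not Blue Security's software: parse a spamvertised page for HTML forms, keep server-supplied hidden tokens, fill the free-text fields with the opt-out text, refuse any form that would need fabricated payment or login data, and refuse any form whose action leaves the spammer's own domains (the domain restriction the backup slides describe). The sample page, the domain list and the opt-out wording are constructed for the illustration; connection limits and pauses belong to the HTTP layer and are only noted in comments.

```python
"""Added example (not Blue Security's code): locate HTML forms on a
spamvertised page and build a polite opt-out submission for each one.
The HTML, hostnames and opt-out text below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed wording; Phase II points the spammer at the hashed registry
# instead of disclosing the member's address.
OPT_OUT_TEXT = "Please remove this recipient from your lists (CAN-SPAM opt-out)."

# A form asking for any of these would require invented data, which is never sent.
FORBIDDEN_FIELD_WORDS = ("card", "cvv", "ccnum", "expir", "ssn", "passw")

# Politeness limits from the slide; enforced by the (omitted) HTTP scheduler.
MAX_CONNECTIONS = 3
PAUSE_SECONDS = 5


class FormParser(HTMLParser):
    """Collect every <form> with its action, method and named fields."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif self._current is not None and tag in ("input", "textarea", "select"):
            name = a.get("name")
            if name:
                self._current["fields"].append(
                    {"name": name,
                     "type": (a.get("type") or "text").lower(),
                     "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_forms(html, base_url):
    parser = FormParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.forms


def in_scope(url, allowed_hosts):
    """True only if the URL's host is one of the spammer's domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def build_opt_out(form, allowed_hosts):
    """Return (action_url, payload) for a form worth submitting, else None."""
    if not in_scope(form["action"], allowed_hosts):
        return None  # countermeasure: form posts to an unrelated, possibly legitimate site
    payload = {}
    for field in form["fields"]:
        name = field["name"].lower()
        if field["type"] == "password" or any(w in name for w in FORBIDDEN_FIELD_WORDS):
            return None  # would need fabricated data; skip the whole form
        if field["type"] in ("hidden", "submit"):
            payload[field["name"]] = field["value"]  # keep the server's own values
        elif field["type"] in ("text", "email", "search", "textarea"):
            payload[field["name"]] = OPT_OUT_TEXT
        # checkboxes, radios, selects and file inputs are left untouched
    return form["action"], payload


# Constructed page: one order form on the spammer's host, one checkout form elsewhere.
SAMPLE_HTML = """<html><body>
<form action="/order.php?t=ab12" method="post">
  <input type="hidden" name="tok" value="ab12">
  <input type="text" name="fullname">
  <input type="text" name="comments">
  <input type="submit" name="go" value="Buy">
</form>
<form action="https://pay.example.net/checkout" method="post">
  <input type="text" name="ccnum">
</form>
</body></html>"""


def demo():
    """Run the discovery against the constructed page; one submission, one refusal."""
    forms = find_forms(SAMPLE_HTML, "http://pharm.example.org/index.php?t=ab12")
    return [build_opt_out(f, ["pharm.example.org"]) for f in forms]
```

Only the first form yields a submission: its action resolves to the spammer's own host, the hidden token is carried through unchanged, and the two text fields receive the opt-out text. The second form is refused twice over, once for pointing at a host outside the allowed set and once for asking for a card number.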

Problems
What is spam?
  – Legitimate email is sometimes perceived by users as spam
Joe jobs
  – For only $250, one could get millions of emails sent that appear to advertise a competitor
Zombie web sites
  – A few spam sites (and all phishing sites) are hosted on compromised home computers

Analysis Service
Diagram: Spammer → spam → User's mailbox → suspected spam → Blue's Analysis → opt-out instructions → User's opt-out software → opt out via HTTP → Spammer's web site

Analysis Service Overview
Tracking and researching very few top spammers at each point in time
  – Currently fewer than 15 online pharmacies
Extensive manual verification of web sites
  – White lists, black lists, Internet searches, etc.
Relying on honeypots, not user reports, for deciding which web sites are spammers'

Spam Currently Not Handled
Emails not sent by the few tracked spammers
Emails advertising legitimate companies
Emails advertising sites hosted at legitimate ISPs (e.g., US based)
Emails advertising sites hosted anywhere but spam-friendly ISPs
Emails without URLs
Emails sent only to users, not to honeypots

Problems
Opt-out text reveals the address of the user

Hashed Registry
Diagram: Users' addresses → Blue's Registry (hashed addresses); Spammer → spam → User's mailbox → suspected spam → Blue's Analysis → opt-out instructions → User's opt-out software → opt out via HTTP (referring to the registry) → Spammer's web site

Registry Overview
A registry entry does not validate a "live address":
  – Hashed addresses of users
  – A high number of hashed addresses of honeypots
The registry has a controlled level of false positives to protect against brute-force attacks
The registry itself and cleaning tools (including source code) are offered free of charge to anyone
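The three registry properties above, as an added example that is not Blue Security's registry format or cleaning tool: addresses are stored only as truncated hashes, honeypot traps are mixed in with member addresses, and the truncation width sets a deliberate false-positive rate, so a hash match tells a spammer to drop an address but never tells him that a real mailbox exists behind it. SHA-256, the lower-casing normalization and the 24-bit truncation are assumptions chosen for the illustration; the honeypot addresses are generated on the spot.

```python
"""Added example (not Blue Security's code): a hashed do-not-intrude
registry plus the matching list-cleaning and brute-force views of it.
SHA-256, the normalization rule and the 24-bit truncation are assumed."""
import hashlib
import secrets

HASH_BITS = 24  # assumed: 2**24 buckets; collisions are the controlled false positives


def normalize(addr):
    """Canonical form so the hash is stable across capitalization and whitespace."""
    return addr.strip().lower()


def bucket(addr, bits=HASH_BITS):
    """Truncated SHA-256 of the normalized address (assumed scheme)."""
    digest = hashlib.sha256(normalize(addr).encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def expected_false_positive_rate(entries, bits=HASH_BITS):
    """Probability that a random non-member address lands in an occupied bucket."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** entries


class Registry:
    """Set of truncated hashes holding member addresses and honeypot addresses alike."""

    def __init__(self, bits=HASH_BITS):
        self.bits = bits
        self.buckets = set()
        self.size = 0  # addresses entered (members + honeypots)

    def add(self, addr):
        self.buckets.add(bucket(addr, self.bits))
        self.size += 1

    def __contains__(self, addr):
        # A hit means "do not mail this"; it does not mean "this mailbox is live".
        return bucket(addr, self.bits) in self.buckets

    def false_positive_rate(self):
        return expected_false_positive_rate(self.size, self.bits)


def build_registry(members, honeypot_count, bits=HASH_BITS):
    """Hash the members, then add random trap addresses (constructed here)."""
    reg = Registry(bits)
    for addr in members:
        reg.add(addr)
    for _ in range(honeypot_count):
        reg.add(f"trap-{secrets.token_hex(8)}@honeypot.example")
    return reg


def clean_list(reg, addresses):
    """What the free cleaning tool does for a spammer: drop every hashed match."""
    return [a for a in addresses if a not in reg]


def brute_force_probe(reg, guesses):
    """What an attacker learns by hashing guesses: each hit may be a member,
    a honeypot, or a plain collision, so hits never confirm live mailboxes."""
    return [g for g in guesses if g in reg]


def demo():
    """False-positive rate for a registry the size of the one in the slides:
    25,000 members plus an assumed 250,000 honeypot addresses."""
    return expected_false_positive_rate(25_000 + 250_000)
```

With 275,000 entries in 2^24 buckets the rate comes out near 1.6%: low enough that a spammer cleaning a list loses few genuine addresses, high enough that a dictionary attack against the registry returns thousands of useless hits mixed in with the traps. Widening the truncation lowers the rate and weakens that protection; narrowing it does the reverse, which is the control knob the slide refers to.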

Problems
Bypassing ISPs' abuse teams
Not leveraging existing anti-spam policies of other Internet entities (e.g., domain registrars)
Not allowing spammers to clean their lists before receiving opt-out requests

Spam Reports
Diagram: Users' addresses → Blue's Registry (hashed addresses); Spammer → spam → User's mailbox → suspected spam → Blue's Analysis → spam reports → Registrars, ISPs, …; Blue's Analysis → opt-out instructions → User's opt-out software → opt out via HTTP (referring to the registry) → Spammer's web site

Spam Reports Overview
Reports are sent mainly to hosting ISPs and to advertisers' sites
One report is sent on behalf of all the members
Reports are usually sent via email to the abuse desks of the relevant parties

Do Not Intrude Registry Stats
25,000 members
~250,000 spam messages/day received
Typical case:
  – 15,000 opt-out requests sent by members over a period of 10 hours to a leading spamvertised online pharmacy
  – The spammer shut down all his domains a few hours after the sending of opt-out requests ended

Opting Out is Not DDoS
Legitimate traffic
  – Each member submits one opt-out request per spam message sent to his or her personal mailbox
Invited traffic
  – Each spam message is an invitation to visit the advertiser's site
Low-volume traffic
  – Each opt-out request mimics a user submitting one opt-out request at the spammer's site
No synchronization
  – Blue Security does not initiate or control the timing of opt-out requests
Intention
  – Exercise the opt-out right granted under the CAN-SPAM law

Spammer's Perspective
Spammer sends 10M messages
Spammer should expect ~800,000 visitors
  – Industry average is an 8% response rate (source: DoubleClick)
Spammer is required by law to support 10M opt-out requests
If the spammer is a legitimate business, he should have no problem handling even the entire Blue community (25,000 users).

Members Are Not Zombies
Members select which spam to complain about (1st control point)
Members can stop all opt-outs (2nd control point)
Full logging (3rd control point)
Members can uninstall the Blue Frog (4th control point)
Compare to challenge/response systems (e.g., Qurb, acquired by Computer Associates)

This Will Not Make Things Worse
"Successful" steady state
  – Spammers do not send spam to registered members
  – Members do not send opt-out requests
  – Much less spam on the Internet
"Failure" steady state
  – Spammers ignore the registry
  – Community disbands
  – Same traffic as before
The transient state is short and involves a small community, so there is no real impact on Internet traffic

Summary
The Do Not Intrude Registry is an implementation of an automated opt-out mechanism in a secure and responsible manner
Initial signs that spammers may respect opt-out requests
Blue Security is interested in cooperation with ISPs and anti-spam vendors
Q & A

Backup Slides

Spammer's Countermeasures
Spam URLs contain validation tokens
  – The analysis service substitutes the member-reported URL with a honeypot-reported URL
Spammer redirects traffic to legitimate domains or IP addresses
  – Each opt-out request is limited to specific domains and IP ranges
More countermeasures are expected
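The token-substitution countermeasure above, together with the honeypot-first rule from the Analysis Service Overview and the "seen only by users" exclusion from Spam Currently Not Handled, as an added example that is not Blue Security's analysis code: a member report is acted on only when its link points at a domain already tied to a tracked spammer and already observed by a honeypot, and the URL actually visited is the honeypot's copy, so a per-recipient token in the member's copy is never replayed. Domains, messages and tokens are constructed for the illustration.

```python
"""Added example (not Blue Security's code): the decision the analysis
service makes before issuing opt-out instructions for a member report.
Tracked domains and spam samples below are constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(message):
    return URL_RE.findall(message)


def host_of(url):
    """Lower-cased host with a leading 'www.' stripped, for domain matching."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class AnalysisService:
    def __init__(self, tracked_domains):
        # Domains tied to the few tracked spammers after manual verification.
        self.tracked = {d.lower() for d in tracked_domains}
        # host -> first URL for that host as received by a honeypot.
        self.honeypot_urls = {}

    def ingest_honeypot(self, message):
        """Honeypot mail is the ground truth for which sites are spammers'."""
        for url in extract_urls(message):
            host = host_of(url)
            if host in self.tracked:
                self.honeypot_urls.setdefault(host, url)

    def instructions_for(self, member_message):
        """Return (opt_out_url, reason); opt_out_url is None when nothing is sent."""
        urls = extract_urls(member_message)
        if not urls:
            return None, "no URL in message"
        for url in urls:
            host = host_of(url)
            if host not in self.tracked:
                continue  # legitimate advertiser, joe-job target, or untracked spammer
            if host not in self.honeypot_urls:
                return None, "seen only by members, not by honeypots"
            # Visit the honeypot's copy; the member's per-recipient token is never sent.
            return self.honeypot_urls[host], "ok"
        return None, "no tracked spammer URL"


def demo():
    """Four constructed reports against two tracked domains, one of them
    never seen by a honeypot."""
    svc = AnalysisService(["cheap-pills.example", "other-pills.example"])
    svc.ingest_honeypot(
        "Lowest prices! http://www.cheap-pills.example/go.php?t=hp7777 today")
    return [
        svc.instructions_for("Lowest prices! http://cheap-pills.example/go.php?t=mem1234"),
        svc.instructions_for("Offer: http://other-pills.example/?t=mem5555"),
        svc.instructions_for("Your statement is at https://bank.example/login"),
        svc.instructions_for("No link, just text"),
    ]
```

The first report produces an opt-out at the honeypot's URL, token `hp7777` rather than the member's `mem1234`; the second is dropped because only members, not honeypots, received it; the third names a domain outside the tracked set and so is treated as possibly legitimate or a joe job; the fourth has no URL at all. Those last three outcomes are exactly the categories the Spam Currently Not Handled slide lists.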

Spam Is Not a Solved Problem
Even a low false positive ratio is unacceptable to some users
  – Sales people do not wish to miss even one customer
Even a low false negative ratio is unacceptable to some users
  – Religious people are offended by porn spam
Many users cannot afford top-notch filters
  – In many countries, ISPs charge extra for filters

More Information
– The Federal Trade Commission's summary page of Rules, Regulations and Acts regarding unsolicited commercial email, pornographic and offensive email, and email fraud
– The Federal Trade Commission's Requirements for Commercial Emailers
– Blue Security's web site: www.bluesecurity.com