Source pictures for document ”Thoughts about increasing spam annoyance” by License: This material may be distributed only subject to the terms and conditions set forth in GNU General Public License v2 or later; or, at your option, distributed under the terms of GNU Free Documentation License version 1.2 or later (GNU FDL).
How address harvesting works A program collecting items from various sources Mail addresses are collected and later used as a false SMTP MAIL FROM: identification to send Unsolicited Bulk (forged addresses in mail messages) Mailing lists Usenet newsgroups Saved addresses WWW pages
Challenge-Response based authentication Send challenge Bar sends his first mail to Foo Add foo to whitelist Respond to challenge Accept challenge Add bar to whitelist Bar and Foo exchange messages (Passwords/Catchpas no longer needed) A C B There are serious problems in the C- R system at points A, B and C
How viruses/spam should not be treated mail sent in the name of Bar (forged address) to Foo MAIL FROM: 1) Message is rejected and returned in full 2) Or notification is sent: ”Your message contained virus or spam and it was not delivered” But this person never sent that message. His mailbox is being filled with false notifications Scanner found that ncoming message is spam or carrying a worm mailbox
Challenge-Response system causing Joe-Job See also RFC 2821 A challenge is sent to: SMTP connection Bar’s C-R system falsely concludes that is the sender ”Joe-Job” Multitude of challenges sent to wrong address More users running C-R systems TO.COMFROM.COM Spammer’s messages which all use forged addresses 220 mailserver.from.com ESMTP MAIL FROM: 250 ok RCPT TO: 250 ok DATA 354 ok Buy our product, and visit URL mailserver.from.com ESMTP MAIL FROM: 250 ok RCPT TO: 250 ok DATA 354 ok Buy our product, and visit URL... (2) (1)
IP How SPF helps to prevent forgeries SPF result: ”No, mail did not come through our Mail Exchanger (MX)” SPF check: consult DNS TXT record Is this message coming from IP authorized to send mail? Host located at some ISP’s address space *.* TO.COM FROM.COM 220 mailserver.to.com ESMTP mailserver.to.com ESMTP (1) (3) SMTP 5xx reject: message is returned to sender due to SPF result: ”you did not use from.com to send mail.” (4) Spammer sends message pretending to come from SMTP connection (2) TXT ”v=spf1 ip4: /24” DNS configuration includes record:
220 mailserver.to.com ESMTP MAIL FROM: 250 ok RCPT TO: 250 ok DATA 354 ok Buy our product, and visit URL mailserver.to.com ESMTP MAIL FROM: 250 ok RCPT TO: 250 ok DATA 354 ok Buy our product, and visit URL... IP x.x.x.x How MTA level UBE prevention works - Is this mail coming from correct location (SPF) - Is this IP in block lists? - Has this ”DATA” seen before as spam? (1)(3) (4) - SPF check - IP block lists (DNSBL) - Known bad domains - Razor2, Pyzor, DCC spam collection checks... SMTP connection TO.COM Access control lists (ACL) or Content filters (2) ?? Virus scanners (Clamv) Spam checkers (Spamassassin) A B (5) (6) External process Other Programs
Procmail with battery of statistical tools Procmail’s rules cannot reliably identify content, so external statistical (Bayesian) programs are called in chain to determine if message is Unsolicited Bulk (*.rc modules interface to statistical programs) MTA (Exim) LDA (Procmail) to deliver mail to user foo # ~/.procmailrc SHELL = /bin/bash... # Detect spam INCLUDERC = bayes1.rc INCLUDERC = bayes2.rc... # was message spam? :0 * ERROR ?? [a-z] spam.mbox # ~/.procmailrc SHELL = /bin/bash... # Detect spam INCLUDERC = bayes1.rc INCLUDERC = bayes2.rc... # was message spam? :0 * ERROR ?? [a-z] spam.mbox bogofilterSpamprobe Bmf Spamoracle Ifile... incoming mail message Host A Host B UBE?
Tools See RFC 2821 SMTP connection A ”robot” program making a collection of addresses TO.COM Spammer injects messages: All use forged address 220 mailserver.target.net ESMTP MAIL FROM: 250 ok RCPT TO: 250 ok DATA 354 ok Buy our product, and visit URL mailserver.target.net ESMTP MAIL FROM: 250 ok RCPT TO: 250 ok DATA 354 ok Buy our product, and visit URL... RFC Libraries