Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Unintended Consequences of Spam Prevention

PublishStephen Jansen Modified over 5 years ago

Similar presentations

Presentation on theme: "The Unintended Consequences of Spam Prevention"— Presentation transcript:

1 The Unintended Consequences of Email Spam Prevention
Measure closed DNS resolvers DoS attack against nameserver Sarah Scheffler, Sean Smith, Yossi Gilad, Sharon Goldberg Boston University

2 Closed Resolvers Serve Only Their Network
bob.com bob Resolver alice.com alice Closed resolvers don’t respond to queries made outside their network ns1.charlie.com

3 This work: Using email spam prevention to make closed resolvers do my bidding
bob.com Resolver alice.com alice ns1.charlie.com

4 Outline Querying closed DNS resolvers using spam prevention
Bypassing query limits Testing the query limit in practice

5 Background: How Email Works
bob.com bob MTA alice.com To talk about SPF, must first talk about SMTP. wants to send message to A.Com and B.com each have a “Mail Transfer Agent” (MTA) that communicate over SMTP Alice writes message, A.com MTA sends it to B.com MTA, which gives it to Bob alice MTA

6 Why Email Needs Sender Verification
bob.com bob MTA alice.com But, much like the normal post office, SMTP does not verify that the sender “owns” the address. Evil.com MTA can send message as which might be spam or might even impersonate Alice to Bob. Raw SMTP does not have a way to tell the difference. alice MTA MTA evil.com

7 SPF Records are Sender Whitelists
bob.com SPF record for alice.com Resolver MTA SPF ns1.alice.com alice.com Only now SPF on the receiving MTA is going to verify the sender’s identity. When B receives a message from A.com, it asks what the SPF record for A.com is. The SPF record is stored as a TXT record in the A.com authoritative nameserver. In this example, it says the server at IPv4 address is allowed to send messages for A.com, and all other servers should be rejected. This info is passed back to the B.com SPF implementation. In this case, the message was sent from , so it is accepted. alice MTA

8 SPF Rejects Non-Whitelisted Senders
bob.com SPF record for alice.com Resolver MTA SPF ns1.alice.com alice.com And now if evil.com tries to send a message from A.com, since the message was not sent from , instead it was sent from this evil.com server, it gets rejected by the B.com SPF implementation. alice MTA MTA evil.com

9 Recursively include other SPF Records
foo.alice.com alice.com carol.com alice.com foo.alice.com carol.com bob.com SPF record for alice.com include: foo.alice.com include: carol.com Resolver MTA SPF ns1.alice.com alice.com ns1.foo. alice.com And now the B.com SPF implementation must make three additional queries, for those new SPF records. In this example, each new SPF record allows a single IPv4 address to send from it. The SPF implementation queries for sd1.A.com, sd2.A.com, and C.com, wherever those all are. alice MTA ns1. carol.com SPF record for carol.com SPF record for foo.alice.com

10 Goal was to make closed resolvers do my bidding
bob.com Resolver alice.com alice ns1.charlie.com

11 Goal Achieved! Induced query at closed resolver!
bob.com SPF record for alice.com include: target.net Resolver MTA SPF ns1.alice.com alice.com alice MTA ns1.target.net

12 Outline Querying closed DNS resolvers using spam prevention
Bypassing query limits Testing the query limit in practice

13 New Goal: Induce Many Queries at Closed Resolver
SPF record for alice.com include: 1.target.net include 2.target.net include: other.com bob.com Resolver MTA SPF ns1.alice.com alice.com alice ns1.other.com ns1.target.net MTA

14 How many queries can we induce at closed resolver
How many queries can we induce at closed resolver? RFC7208 limit of 10 query-causing terms “SPF implementations MUST limit the total number of those terms [which cause DNS queries] to 10… to avoid unreasonable load on the DNS.” Spirit of the limit: 10 total queries Letter of the limit: 10 query-causing terms Now we’ve started to make a lot of queries. One could ask what’s stopping an evil domain from causing a large number of queries to an unrelated nameserver. The RFC limits the number of DNS query-causing terms to 10. But notice that we haven’t bounded the number of queries. We’ve bounded the number of terms.

15 Letter of Law but not Spirit of Law  Unlimited Queries!
evil.com evil.com 1 2 3 4 5 6 7 8 9 1.evil.com 1.evil.com bob.com 11 12 13 14 15 16 17 18 19 Resolver 2.evil.com 2.evil.com MTA SPF ns1.evil.com evil.com . . . alice By making 9 include statements for an unrelated server, an evil sender can cause the B.com recursive resolver to repeatedly issue queries to the target.com nameserver. With mutually-recursive SPF records, they could extend this, getting an infinite loop of queries, where 9 queries are issued to the target for each 1 issued to the sending nameserver. MTA ns1.target.net

16 Outline Querying closed DNS resolvers using spam prevention
Bypassing query limits (in spirit) Testing the query limit in practice

17 Ethically Testing the RFC7208 Limit
That’s it in total. Measure induced queries DoS only ourselves Send minimal mail to each MTA Mail should not be delivered to humans

18 SPF Configurations for Testing the Limit
Obey the letter of the limit, but not the spirit of the limit Disregard the letter and spirit of the limit Control: Obey the letter and spirit of the limit 4 3 2 1 6 5 1f 1d 1e 1b 1c 1a 2f 2d 2e 2b 2c 2a 3f 3d 3e 3b 3c 3a 4f 4d 4e 4b 4c 4a 5f 5d 5e 5b 5c 5a 6f 6d 6e 6b 6c 6a *.treespf. dns.net 8 9 10 6 7 4 5 2 3 1 18 19 20 16 17 14 15 12 13 11 *.badspf. dns.net Goodspf is a baseline determining that SPF behaves as expected when checking a record with <10 include statements. It has 5 include statements. Badspf is a baseline detemrining that SPF behaves as expected when checking a record with >10 include statements. It has 20 include statements. Treespf is our test for whether or not include statements can be used recursively to bypass the limit of 10. Treespf has 6 include statements, but each of those induces an *additional* 6 statements, for a total of 42. TODO put treespf first 4 5 2 3 1 *.goodspf. dns.net

19 Measuring the RFC7208 Limit
bob.com Resolver MTA SPF zmap ns1. dns.net That’s it in total. MTA Partial scan: –

20 Finding: The Spirit of the Limit Is Not Enforced
42 Letter of Limit Enforced Actual 34.3 No SPF 10 Spirit of Limit Enforced 3e 20 No Limit Enforced No SPF 10 Limit Enforced Actual 7.79 Coll res!!! Actual 4.87 5 Expected No SPF

21 Additional Finding: Many Closed Resolvers
7303 (82%) 8889 resolvers 82% of resolvers that queried us were closed Nearly all had both TXID randomization and port ID randomization Nearly a decade after Kaminsky’s attack, the patch is in place! Caveat: only applies to resolvers serving MTAs from

22 Takeaway 1: Induce Queries in Closed Resolvers with SPF
bob.com Resolver MTA ns1.alice.com alice.com alice ns1.other.com ns1.target.net MTA

23 Takeaway 2: Letter of SPF Query Limit Does Not Match Spirit of Query Limit
bob.com Resolver MTA SPF zmap ns1. dns.net That’s it in total. MTA

24 Writing IETF internet draft to address this in SPF sscheff@bu.edu
Takeaway 3: Potential DoS Attack if Spirit and Letter of Limit do not match evil.com 1 2 3 4 5 6 7 8 9 1.evil.com bob.com 11 12 13 14 15 16 17 18 19 Resolver 2.evil.com MTA SPF ns1.evil.com evil.com . . . alice By making 9 include statements for an unrelated server, an evil sender can cause the B.com recursive resolver to repeatedly issue queries to the target.com nameserver. With mutually-recursive SPF records, they could extend this, getting an infinite loop of queries, where 9 queries are issued to the target for each 1 issued to the sending nameserver. MTA ns1.target.net Writing IETF internet draft to address this in SPF

25

26 DKIM: verify email signature with key in nameserver
bob.com Verif key for alice.com 0xa9ff2e8b Resolver MTA ns1.alice.com alice.com Only now SPF on the receiving MTA is going to verify the sender’s identity. When B receives a message from A.com, it asks what the SPF record for A.com is. The SPF record is stored as a TXT record in the A.com authoritative nameserver. In this example, it says the server at IPv4 address is allowed to send messages for A.com, and all other servers should be rejected. This info is passed back to the B.com SPF implementation. In this case, the message was sent from , so it is accepted. alice MTA -Alice

Download ppt "The Unintended Consequences of Spam Prevention"

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.

© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis

DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis
DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.

DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.
1 Internet Networking Spring 2006 Tutorial 8 DNS and DHCP as UDP applications.

1 Internet Networking Spring 2006 Tutorial 8 DNS and DHCP as UDP applications.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
The Application Layer Chapter 7. Where are we now?

The Application Layer Chapter 7. Where are we now?
Sender policy framework. Note: is a good reference source for SPFhttp://www.openspf.org/

Sender policy framework. Note: is a good reference source for SPFhttp://
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Spam Reduction Techniques Using greylisting and SpamAssassin.

Spam Reduction Techniques Using greylisting and SpamAssassin.
11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 
© 2007 Convio, Inc. HOW TO: Best Practices for Sending Email to Organizations Confidential for use by American Cancer Society and Convio – Copyright ©

© 2007 Convio, Inc. HOW TO: Best Practices for Sending to Organizations Confidential for use by American Cancer Society and Convio – Copyright ©
The Linux Operating System Lecture 7: Email Tonga Institute of Higher Education.

The Linux Operating System Lecture 7: Tonga Institute of Higher Education.
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.
DNS Related Commands Sayed Ahmed Computer Engineering, BUET, Bangladesh (Graduated on 2001 ) MSc, Computer Science, U of Manitoba, Canada

DNS Related Commands Sayed Ahmed Computer Engineering, BUET, Bangladesh (Graduated on 2001 ) MSc, Computer Science, U of Manitoba, Canada
DNS Security Pacific IT Pros Nov. 5, 2013. Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Postfix Mail Server Postfix is used frequently and handle thousands of messages. compatible with sendmail at command level. high performance program easier-

Postfix Mail Server Postfix is used frequently and handle thousands of messages. compatible with sendmail at command level. high performance program easier-
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Similar presentations

Ads by Google