The SPAM Problem
By Steven McIntosh
CS526
December 10, 2003
2
Outline What is spam? SPAM War How does it work? Tracking spam Tracking spam Why is it a problem? Solutions Client-Side Client-Side Server-Side Server-Side Redesigning the SMTP Protocol Redesigning the SMTP ProtocolConclusion

What is spam?
- UCE – Unsolicited Commercial E-mail
- UBE – Unsolicited Bulk E-mail
- UCBE – Unsolicited Commercial Bulk E-mail
- UEMS – Unsolicited Electronic Mail Solicitations
- Fraudulent, Objectionable, or Deceptive…

SPAM War

Spammers
- Send out bulk e-mails from home ISP
- Spammer gets multiple ISP accounts and continues to send spam
- Spammers use stray and random characters to bypass filters
- Spammers use stealth software to spoof e-mail headers, making spam harder to trace
- Spammers start to use expensive bullet-proof servers overseas to keep their websites up and running
- Spammers use open-relay servers to route spam around IP range blocks
- Spammers begin utilizing open proxies to distribute spam

Recipients
- Easily tracked; ISP closes spammer's account
- E-mail providers start to use filters to block spam
- E-mail users continue to track spam and shut down spammers' ISP accounts
- Recipients have a harder time tracking spam e-mails, so they have companion websites closed instead
- Anti-spam groups have entire IP ranges blocked to stop spam and access to bullet-proof websites
- Anti-spam groups and government agencies strive to shut down open-relay servers around the globe

How does it work?
- SMTP E-mail Protocol
  - HELO Handshake via port 25
  - Message Header RECEIVED Line
    - Date time stamp
    - IP of server message was received from
    - IP of current server
    - Reverse DNS lookup

SPAM Relaying

The Bad

    Received: from gomer.wiscnet.net (dial.wiscnet.net [144.92.88.11])
        by betty.globecomm.net (8.8.7/8.8.0) with SMTP id BAA19150;
        Sun, 21 Sep 1997 01:09:59 -0400 (EDT)
    Received: from pugsly-s-comput (max1-800-25.earthlink.net [206.149.205.26])
        by gomer.wiscnet.net (8.6.9W/) with SMTP id XAA110348;
        Sat, 20 Sep 1997 23:48:11 -0500
    Received: from here.com (her-us48c1.here.com [111.111.111.111])
        by mail.wiscnet.net (8.9.9/8.8.8/Mx-mnd) with ESMTP id BAA22322;
        Sat, 20 Sep 1997 23:24:40 -0400 (EST)
    Received: from email5.com (ema-us49d4.email5.com [000.000.000.000])
        by here.com (0.0.0/0.0.0/mx-mnd) with SMTP id GAA11111; for ;
        Sat, 20 Sep 1997 23:24:40 -0400 (EST)

The Good

    Return-Path:
    Received: from hotmail.com ([65.54.247.20])
        by mta6.adelphia.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824)
        with ESMTP id for ; Mon, 8 Dec 2003 11:14:02 -0500
    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
        Mon, 8 Dec 2003 08:13:48 -0800
    Received: from 24.55.121.231 by by2fd.bay2.hotmail.msn.com with HTTP;
        Mon, 08 Dec 2003 16:13:47 GMT
    X-Originating-IP: [24.55.121.231]
    X-Originating-Email: [steven_mc@hotmail.com]
    X-Sender: steven_mc@hotmail.com
    From: "Steven McIntosh"
    To: twistedcj@adelphia.net
    Bcc:
    Subject: FW: If You Work For Someone Else
    Date: Mon, 08 Dec 2003 16:13:47 +0000
    Mime-Version: 1.0
    Content-Type: text/html
    Message-ID:
    X-OriginalArrivalTime: 08 Dec 2003 16:13:48.0124 (UTC) FILETIME=[42E831C0:01C3BDA6]

Case Study

    Return-Path:
    Received: from [128.198.168.202] (HELO sunshine.uccs.edu)
        by uccs.edu (CommuniGate Pro SMTP 4.1)
        with ESMTP id 10424631; Tue, 09 Dec 2003 12:02:43 -0700
    Received: from h24-84-144-173.vs.shawcable.net (h24-84-144-173.vs.shawcable.net [24.84.144.173])
        by sunshine.uccs.edu (8.12.8/8.12.8) with SMTP id hB9Iu36A008424;
        Tue, 9 Dec 2003 11:56:04 -0700
    Received: from [92.207.149.26] by h24-84-144-173.vs.shawcable.net with SMTP;
        Tue, 09 Dec 2003 18:47:58 +0000
    Message-ID:
    From: "Darwin Blair"
    Reply-To: "Darwin Blair"
    To: cs522@cs.uccs.edu
    Subject: Fw: Suspended Account
    Date: Tue, 09 Dec 03 18:47:58 GMT
    X-Mailer: The Bat! (v1.52f) Business
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="AA.B264BB_C6"
    X-Priority: 3
    X-MSMail-Priority: Normal

Start at bottom
- Shawcable.net received message from 92.207.149.26 @ 6:47:58pm Greenwich mean time.
- Next server Sunshine.uccs.edu received message from 24.84.144.173 at 7:56:04 Greenwich mean time.
- Finally message was relayed from sunshine.uccs.edu to uccs.edu 6 minutes later.
- 92.207.149.26 was the source of the spam.

American Registry for Internet Numbers (ARIN)
Search results for: 92.207.149.26

    OrgName:        Internet Assigned Numbers Authority
    OrgID:          IANA
    Address:        4676 Admiralty Way, Suite 330
    City:           Marina del Rey
    StateProv:      CA
    PostalCode:     90292-6695
    Country:        US
    NetRange:       85.0.0.0 - 95.255.255.255
    CIDR:           85.0.0.0/8, 86.0.0.0/7, 88.0.0.0/5
    NetName:        RESERVED-11
    NetHandle:      NET-85-0-0-0-1
    Parent:
    NetType:        IANA Reserved
    Comment:
    RegDate:
    Updated:        2003-11-17
    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName:   Internet Corporation for Assigned Names and Number
    OrgAbusePhone:  +1-310-301-5820
    OrgAbuseEmail:  abuse@iana.org
    OrgTechHandle:  IANA-IP-ARIN
    OrgTechName:    Internet Corporation for Assigned Names and Number
    OrgTechPhone:   +1-310-301-5820
    OrgTechEmail:   abuse@iana.org

    # ARIN WHOIS database, last updated 2003-12-09 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
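
The bottom-up trace from the case study, as an added Python example that is not part of the original presentation: it parses the three Received lines, converts each timestamp to UTC, computes the delay between hops, and checks each source IP against the range the ARIN lookup above lists as IANA Reserved. The names `parse_received`, `trace` and `RESERVED_2003` are assumptions made for this example.

```python
import re
import ipaddress
from datetime import timezone
from email.utils import parsedate_to_datetime

# Received values copied from the case study, newest (top) to oldest (bottom).
HEADERS = [
    "from [128.198.168.202] (HELO sunshine.uccs.edu) by uccs.edu "
    "(CommuniGate Pro SMTP 4.1) with ESMTP id 10424631; "
    "Tue, 09 Dec 2003 12:02:43 -0700",
    "from h24-84-144-173.vs.shawcable.net (h24-84-144-173.vs.shawcable.net "
    "[24.84.144.173]) by sunshine.uccs.edu (8.12.8/8.12.8) with SMTP "
    "id hB9Iu36A008424; Tue, 9 Dec 2003 11:56:04 -0700",
    "from [92.207.149.26] by h24-84-144-173.vs.shawcable.net with SMTP; "
    "Tue, 09 Dec 2003 18:47:58 +0000",
]

# NetRange the page's ARIN output marks "IANA Reserved" (as of 2003-12-09).
RESERVED_2003 = (ipaddress.ip_address("85.0.0.0"),
                 ipaddress.ip_address("95.255.255.255"))

def parse_received(value):
    """Split one Received value into source IP, recording host and UTC time."""
    info, _, stamp = value.rpartition(";")  # the date follows the last ';'
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info)
    by = re.search(r"\bby\s+(\S+)", info)
    when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
    return {"ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "utc": when}

def trace(headers):
    """Walk the hops oldest first, i.e. start at the bottom as the slide says."""
    hops = [parse_received(h) for h in reversed(headers)]
    prev = None
    for hop in hops:
        addr = ipaddress.ip_address(hop["ip"]) if hop["ip"] else None
        hop["reserved"] = (addr is not None
                           and RESERVED_2003[0] <= addr <= RESERVED_2003[1])
        hop["delay_s"] = None if prev is None else int(
            (hop["utc"] - prev["utc"]).total_seconds())
        prev = hop
    return hops

if __name__ == "__main__":
    for n, hop in enumerate(trace(HEADERS), 1):
        print(n, hop["utc"].strftime("%H:%M:%S UTC"), hop["ip"], "->",
              hop["by"], "delay_s:", hop["delay_s"], "reserved:", hop["reserved"])
```
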

American Registry for Internet Numbers (ARIN)
Search results for: 157.130.176.33

    OrgName:        UUNET Technologies, Inc.
    OrgID:          UU
    Address:        22001 Loudoun County Parkway
    City:           Ashburn
    StateProv:      VA
    PostalCode:     20147
    Country:        US
    NetRange:       157.130.0.0 - 157.130.255.255
    CIDR:           157.130.0.0/16
    NetName:        UUNETCUSTB40
    NetHandle:      NET-157-130-0-0-1
    Parent:         NET-157-0-0-0-0
    NetType:        Direct Allocation
    NameServer:     AUTH02.NS.UU.NET
    NameServer:     AUTH51.NS.UU.NET
    Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate:        1992-01-13
    Updated:        2001-09-26
    TechHandle:     OA12-ARIN
    TechName:       UUnet Technologies, Inc., Technologies
    TechPhone:      +1-800-900-0241
    TechEmail:      help4u@mci.com
    OrgAbuseHandle: ABUSE3-ARIN
    OrgAbuseName:   abuse
    OrgAbusePhone:  +1-800-900-0241
    OrgAbuseEmail:  abuse-mail@mci.com
    OrgNOCHandle:   OA12-ARIN
    OrgNOCName:     UUnet Technologies, Inc., Technologies
    OrgNOCPhone:    +1-800-900-0241
    OrgNOCEmail:    help4u@mci.com
    OrgTechHandle:  SWIPP-ARIN
    OrgTechName:    swipper
    OrgTechPhone:   +1-800-900-0241
    OrgTechEmail:   swipper@uu.net

    # ARIN WHOIS database, last updated 2003-12-09 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

Why is spam a Problem?
- Bandwidth
- Free advertising
- Spam will cost companies $20.5 billion in 2003
  - $198 billion in 2007
- May more spam than legit
- 140 billion pieces of spam in 2001
- 261 billion pieces in 2002
- AOL blocks 2.3 billion spam e-mails every day.
- BellSouth says spam will soon add $3 to $5 to each customer’s monthly bill.

Solutions
- Rule Based Exclusions
- Blacklists
- Whitelists
- Habeas Haiku
- User Community
- Challenge-Response
- Proprietary Algorithms
- False Positives
- Redesigning the SMTP Protocol

Conclusion
Questions?