Presentation is loading. Please wait.

Presentation is loading. Please wait.

Blue Security: Challenges With CAN-SPAM Automation Eran Reshef Blue Security, Inc. Sep 2005 Note: This Presentation Describes Blue Security’s Phase II.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Blue Security: Challenges With CAN-SPAM Automation Eran Reshef Blue Security, Inc. Sep 2005 Note: This Presentation Describes Blue Security’s Phase II."— Presentation transcript:

1 Blue Security: Challenges With CAN-SPAM Automation Eran Reshef Blue Security, Inc. Sep 2005 Note: This Presentation Describes Blue Security’s Phase II Beta

2 Why Did We Found Blue? Internet users do not want to receive spam The CAN-SPAM law allows users to opt-out In reality, it is extremely difficult to opt-out: –Faked “reply-to:” addresses –Broken “unsubscribe” forms –Unsubscribe usually brings more spam –Spyware harboring in spam sites Even if opt-out was possible, there is too much spam to opt-out from manually Our approach: an automated opt-out mechanism

3 Key Principles One opt-out request per each spam message sent to a member’s personal mailbox Opt-outs are sent via HTTP to advertisers’ web sites Manual analysis to overcome “Joe jobs” and zombie web sites No interference with Internet infrastructure Opt-outs refer spammers to a hashed registry

4 Naïve Approach Spammer User’s mailbox opt out via email (joe@example.com) User’s opt- out software spam

5 Problems with Naïve Approach From address is almost always faked –Cannot use “From” to email back to spammer Sender machine is almost always a zombie –Emailing the IP owner will reach either a careless admin or an ISP

6 Opt-out at Merchant’s Site Spammer User’s mailbox User’s opt- out software spam opt out via http (joe@example.com) Merchant’s web site

7 Mechanics of Opt-Out Requests Open an HTTP session to the merchant’s site Politely crawl site to locate all HTML forms –Spammers randomize links to prevent automated opt- out requests, so crawling is necessary –Max 3 connections (Internet Explorer’s default) –Several seconds pause between each request Post opt-out text in HTML forms –Ignore client-side validation (JavaScript) –No use of random information (e.g., credit cards)

8 Problems What it spam? –Legitimate email is sometimes perceived by users as spam Joe Jobs –For only $250, one could get millions of emails appearing to advertise a competitor Zombie web sites –Few spam sites (and all phishing sites) are hosted on compromised home computers

9 Analysis Service Spammer User's mailbox opt out via http (joe@example.com) User's opt- out software Blue’s Analysis opt-out instructions Spammer’s web site spam suspected spam

10 Analysis Service Overview Tracking and researching very few top spammers at each point in time –Currently less than 15 online pharmacies Extensive manual verification of web sites –White lists, black lists, Internet searches, etc. Relying on honeypots for deciding which web sites are spammers, not user reports

11 Spam Currently Not Handled Emails not sent by the few tracked spammers Emails advertising legitimate companies Emails advertising sites hosted in legitimate ISPs (e.g., US based) Emails advertising sites hosted anywhere but spam-friendly ISPs Emails without URLs Emails sent only to users, not to honeypots

12 Problems Opt-out text reveals email address of user

13 Hashed Registry Blue’s Registry Spammer User's mailbox opt out via http (registry) User's opt- out software Blue’s Analysis opt-out instructions Spammer’s web site addrs spam hashed addrs

14 Registry Overview Registry entry does not validate a “live address”: –Hashed email addresses of users –High number of hashed addresses of honeypots Registry has a controlled level of false-positives to protect against brute-force attacks The registry itself and email cleaning tools (including source code) are offered free of charge to anyone

15 Problems Bypassing ISP’s abuse teams Not leveraging existing anti-spam policies of other Internet entities (e.g., domain registrars) Not allowing spammers’ to clean their lists before receiving opt-out requests

16 suspected spam Spam Reports Blue’s Registry Spammer User's mailbox opt out via http (registry) User's opt- out software Blue’s Analysis opt-out instructions Spammer’s web site addrs spam Registrars, ISPs, … Spam Reports hashed addrs

17 Spam Reports Overview Reports are sent mainly to hosting ISPs and to advertisers’ sites One report is sent on behalf of all the members Reports are usually sent via emails to abuse desks of relevant parties

18 Do Not Intrude Registry Stats 25,000 members ~250,000 spam/day received Typical case –15,000 opt-out requests sent by members over a period of 10 hours to a leading spamvertised online pharmacy –Spammer shut down all his domains a few hours after the sending of opt-out requests ended

19 Opting-out is Not DDoS Legitimate traffic –Each member submits one opt-out request per each spam message sent to his or her personal mailbox Invited traffic –Each spam is an invitation to visit the advertiser’s site Low-volume traffic –Each opt-out request mimics a user submitting one opt- out request at the spammer’s site No synchronization –Blue security does not initiate or control timing of opt- out requests Intention –Exercise opt-out right granted under CAN-SPAM law

20 Spammer’s Perspective Spammer sends 10M messages Spammer should expect ~800,000 visitors –Industry average is 8% response rate (source: DoubleClick) Spammer is required by law to support 10M opt- out requests If the spammer is a legitimate business, he should have no problem handling even the entire blue community (25,000 users).

21 Members Are Not Zombies Members select which spam to complain about (1 st control point) Members can stop all opt-outs (2 nd control point) Full logging (3 rd control point) Members can uninstall the Blue Frog (4 th control point) Compare to challenge/response systems (e.g., Qurb, acquired by Computer Associated)

22 This Will Not Make Things Worse “Successful” steady state –Spammers do not send spam to registered members –Members do not send opt-out requests –Much less spam in the Internet “Failure” steady state –Spammers ignore registry –Community disbands –Same traffic as before Transient state is short and involves a small community, so there is no real impact on Internet traffic

23 Summary Do Not Intrude Registry is an implementation of an automated opt-out mechanism in a secure and responsible manner Initial signs spammers may respect opt-out requests Blue Security is interested in cooperation with ISPs and anti-spam vendors Q & A

24 Backup Slides

25 Spammer’s Countermeasures Spam URLs contain email validation tokens –Analysis service substitutes member-reported URL with honeypot-reported URL Spammer redirects traffic to legitimate domains or IP addresses –Each opt-out request is limited to specific domains and IP ranges More countermeasures are expected

26 Spam Is Not a Solved Problem Even a low false positive ratio is unacceptable to some users –Sales person do not wish to miss even one customer Even a low false negative ratio is unacceptable to some users –Religious people are offended by porno spam Many users cannot afford top-notch filters –In many countries, ISPs charge extra for filters

27 More Information www.ftc.gov/bcp/conline/edcams/spam/rules.htm - The Federal Trade Commission's summary page of Rules, Regulations and Acts regarding unsolicited commercial Email, pornographic and offensive Email, and Email fraud.www.ftc.gov/bcp/conline/edcams/spam/rules.htm www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm - The Federal Trade Commission's Requirements for Commercial Emailers.www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm www.bluesecurity.com – Blue Security’s web sitewww.bluesecurity.com

Download ppt "Blue Security: Challenges With CAN-SPAM Automation Eran Reshef Blue Security, Inc. Sep 2005 Note: This Presentation Describes Blue Security’s Phase II."

Similar presentations

How Lawsuits Against Spammers Can Aid Spam-Filtering Technology: A Spam Litigators View From the Front Lines Jon Praed Internet Law Group

How Lawsuits Against Spammers Can Aid Spam-Filtering Technology: A Spam Litigators View From the Front Lines Jon Praed Internet Law Group
3.02H Publishing a Website 3.02 Develop webpages..

3.02H Publishing a Website 3.02 Develop webpages..
Virtual Conference on Anti-spam Regulation and Policy Development Sharing The Singapore Experience By Low Boon Kiat Policy & Competition Development Group.

Virtual Conference on Anti-spam Regulation and Policy Development Sharing The Singapore Experience By Low Boon Kiat Policy & Competition Development Group.
Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via email, text message, online chat, blogs or various other.

What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via , text message, online chat, blogs or various other.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Software programs that enable you to view world wide web documents. Internet Explorer and Firefox are examples. Browser.

Software programs that enable you to view world wide web documents. Internet Explorer and Firefox are examples. Browser.
New Canadian Anti-Spam Legislation Robert Lipson – April 8, 2014.

New Canadian Anti-Spam Legislation Robert Lipson – April 8, 2014.
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
Don’t Lose Your Identity – Protect Yourself from Spyware Dan Frommer Sherry Minton.

Don’t Lose Your Identity – Protect Yourself from Spyware Dan Frommer Sherry Minton.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
1 Unsolicited Electronic Messages Ordinance An Overview of Implementation and Enforcement 28 May 2007.

1 Unsolicited Electronic Messages Ordinance An Overview of Implementation and Enforcement 28 May 2007.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Managing and Avoiding Junkmail. Junk E-mail  Where does Junk Mail come from? People with whom you do business  Pepsi Friends of people with whom you.

Managing and Avoiding Junkmail. Junk  Where does Junk Mail come from? People with whom you do business  Pepsi Friends of people with whom you.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Should there be a law that forbids people from sending email to thousands of people (spam)? By: Bennett Moss Daniel Hoyt Hizkias Neway Junyu Wang.

Should there be a law that forbids people from sending to thousands of people (spam)? By: Bennett Moss Daniel Hoyt Hizkias Neway Junyu Wang.
Responsible Email Targeting Chapter One. Content from The Essential Guide to Web Strategy for Entrepreneurs unless otherwise noted Chapter One Opt-in.

Responsible Targeting Chapter One. Content from The Essential Guide to Web Strategy for Entrepreneurs unless otherwise noted Chapter One Opt-in.

Similar presentations

Ads by Google