1. 563.8.2 Spam Sonia Jahid University of Illinois Fall 2007

2. 2 Outline Definition Problem Spam Categories How email works: quick overview Why is spam still a problem? Spammers’ approach

3. 3 Definition Submitting the same message to a large group of individuals in an effort to force the message onto people who would otherwise choose not to receive this message. A message is spam only if it is both Unsolicited and Bulk. –Unsolicited Email is normal email (examples: first contact enquiries, job enquiries, sales enquiries) –Bulk Email is normal email (examples: subscriber newsletters, customer communications, discussion lists) What is spam: SpamLawsWhat is spam: Spamhaus

4. 4 Problem MAAWG Email Metrics Report 07 The statistics reported below are compiled from confidential data provided by participating MAAWG member service operators for Q1 2007

5. 5 Spam Categories Products25% Financial20% Adult19% Scams9% Health7% Internet7% Leisure6% Spiritual4% Other3% Evett 06 According to information compiled by Spam filter review, email spam for 2006 can be categorized as shown in the table

6. 6 How Email Works: Quick Overview helo test 250 mx1.mindspring.com Hello abc.sample.com [220.57.69.37], pleased to meet you mail from: test@sample.com 250 2.1.0 test@sample.com... Sender ok rcpt to: jsmith@mindspring.com 250 2.1.5 jsmith... Recipient ok data 354 Enter mail, end with "." on a line by itself from: test@sample.com to:jsmith@mindspring.com subject: testing John, I am testing.... 250 2.0.0 e1NMajH24604 Message accepted for delivery quit 221 2.0.0 mx1.mindspring.com closing Connection Connection closed by foreign host. Brain

7. 7 Why Is Spam Still a Problem? Spoofing –Email system design Headers allow spoofing –Identity concealing Bot-networks Open proxies Open mail relays Untraceable Internet connection –Available bulk email tools Boneh 04

8. 8 Email System Design SMTP protocol provides no security –email is not private –can be altered en route –no way to validate the identity of the email source Use SMTP-AUTH ? –Not a solution for spam SMTP-AUTH

9. 9 Email System Design Headers are unreliable, can be used for spoofing –Insert fictitious email addresses in the From: lines –Exception: first Received header Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000 Received: from [235.16.47.37] by 38.118.132.100 id ; Sun, 16 Nov 2003 13:38:22 -0600 MS: Mail Server Tschabitscher

10. 10 How Email Works: Quick Overview helo test 250 mx1.mindspring.com Hello abc.sample.com [220.57.69.37], pleased to meet you mail from: test@sample.com 250 2.1.0 test@sample.com... Sender ok rcpt to: jsmith@mindspring.com 250 2.1.5 jsmith... Recipient ok data 354 Enter mail, end with "." on a line by itself from: test@sample.com to:jsmith@mindspring.com subject: testing John, I am testing.... 250 2.0.0 e1NMajH24604 Message accepted for delivery quit 221 2.0.0 mx1.mindspring.com closing Connection Connection closed by foreign host. Brain

11. 11 Identity Concealing: Bot-networks Compromised machines running malicious software Once infected, spammer can send spam from it The bot software hides itself and periodically checks for instructions from the human bot- network administrator Emails appear to come from legitimate users Example bot-networks: –Phatbot: largest reported bot-network to date, 400,000 drones –Bobax: assimilates machines with high speed Internet connection

12. 12 Identity Concealing: Open Proxies An open proxy is one which will create connections for any client to any server, without authentication Possible for a computer to be running an open proxy server without knowledge of the computer's owner More difficult to detect when chain of open proxies used

13. 13 Identity Concealing: Open Mail Relays An email server configured to allow anyone on the Internet to relay email through it. Network address of spammer appears in one of the Received: headers Add fake Received: headers

14. 14 Combining Open Proxy and Open Relay Establish TCP connection with Open Proxy1 Connect with Open Proxy2 Send email to Open Relay through this chain Forward to destination SMTP server Andreolini Bulgarelli Colajanni Mazzoni 05

15. 15 Identity Concealing: Untraceable Internet Connection Public Internet cafes Free/stolen wireless connections Connections not needing identifying users Need not hide network address –Send email directly to spam recipients –No way to associate email accounts with the spammer

16. 16 Available Bulk Email Tools Designed to generate and send about 500, 000 emails per hour hiding spammers’ identity –Send-safe Search for open proxies, open relays Download updated list of open proxies Distribute email load over multiple open proxies Periodically verify if open proxies working properly –Massive-mailer –Dark-mailer

17. 17 Spammers’ Approach Gather address –Email harvesting from web –Gather email address from newsgroups –DNS and WHOIS system –Buy data from 3 rd party Generally spam-bots used for email harvesting What makes it easy? –Publish email addresses Andreolini Bulgarelli Colajanni Mazzoni 05

18. 18 Spammers’ Approach Verify address –A web bug in a spam message written in HTML may cause recipient’s email client to transfer its email address –Unsubscribing from a service Send messages anonymously

19. 19 Reading List D. Boneh, The Difficulties of Tracing Spam Email, September 09, 2004The Difficulties of Tracing Spam Email M. Andreolini, A. Bulgarelli, M. Colajanni, and F. Mazzoni, HoneySpam: Honeypots fighting spam at the source, In Proc. USENIX SRUTI 2005, Cambridge, MA, July 2005.HoneySpam: Honeypots fighting spam at the source H. Tschabitscher, What Email Headers Can Tell You About the Origin of SpamWhat Email Headers Can Tell You About the Origin of Spam Spam on WikipediaWikipedia