May 27th, 2008
Posted in Uncategorized
A couple of weeks ago I made a blog post based on a SecurityFocus vulnerability report suggesting that Gmail smtp servers could be abused by spammers. At the time, the exact details of the attack were not disclosed to give Google an opportunity to respond to the claims.
Since then, the INSERT security team have released the details of the attack including a proof of concept program for demonstration. The key point is that it’s trivial to setup any e-mail address to Auto Forward messages to.
The idea is that a spammer could send a message from a blacklisted IP to a Gmail account they’ve setup to be a spam cannon. Then they would just need to mark the received message as not spam to allow that message to be forwarded in the future. After that, the blacklisted IP can send to the Gmail spam cannon address and have a script automate changes to the forwarding e-mail address to change the spam victim. In that way the spam message can could be relayed from Google’s servers to other mailservers, possibly bypassing anti-spam filtering due to whitelists.
Tags: exploit, gmail, relay, spam
May 26th, 2008
Posted in Uncategorized
Although it may sometimes seem that the purpose of a spammer is to try and fill your inbox with useless content, their main goal is to have a recipient perform some type of action. The “call to action” could be to click on a website URL, call or fax a number or simply send an e-mail to an address provided. In this way the spam campaign can result in sales or in the case of phishing, the collection of valuable data. Content Filtering solutions often have lists against blacklisted URL’s, phone numbers and e-mail drop boxes since there’s an overhead for the spammer in changing and managing the call to action – domain registration costs, adding phone lines and breaking CAPTCHA’s to create new drop boxes. There’s also the risk that the provider of these services could terminate the accounts making the campaign ineffective.
Let’s take the case of a spam message with a website URL in the message body. The message is likely to be received by anti-spam labs via honey pots and end user missed spam submissions within a short amount of time so that future e-mails will be blocked. The natural solution for the spammer is to register a large number of domains and frequently change them once they become blacklisted but this costs money! The cost of registering a single .com domain can be ten times greater than the cost of registering a .info domain. So if you needed to register several hundred throw away domains which one would you opt for? Some large registrars even offer .info registration for sale under a $1 with discounts for bulk registration.
As I mentioned before, the spammer also needs to be concerned that their domain could be suspended by a domain registrar with a sensible anti-abuse policy and responsive to complaints. So there’s a trade off in price versus service and a spammer is more likely to opt for registrars that are able to turn a blind eye since the spammer is paying them after all. I recently read a report by KnuJon claiming that 90% of the spam sites they track are clustered at 20 registrars! Here’s their top ten list of Domain Registrars that are seem to be preferred by spammers. The rankings are explained in the report I’ve linked to.
1. Xinnet Bei Gong Da Software (China)
2. BEIJINGNN (China)
3. Todaynic (China)
4. Joker (Germany)
5. eNom, Inc. (USA)
6. MONIKER (USA)
7. Dynamic Dolphin (USA)
8. The Nameit Co/AITDOMAINS.COM (USA)
9. PDR (USA)
10. Intercosmos/DIRECTNIC (USA)
Since the publication of these rankings, ICANN has published a notice in relation to the Domain Registrars stating that the “Worst Spam Offenders” have been contacted and need to explain themselves.
“But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names,”
I was having an IM chat with a newly minted TC user recently, and the user asked me how he can enable the Passive OS Fingerprinting (p0f) trigger (link goes to our manual, PDF), which permits you to selectively slow down, block, or even whitelist senders based on their operating system type.
Now, before you get too excited, it’s important to note that
- p0f cannot detect the sender’s operating system type with 100% certainty; and,
- even when the correct operating system type has been identified, it’s not guaranteed that the information is useful in preventing spam.
But for those who are curious about this feature and want to give it a shot, here are some guidelines:
To enable p0f, you need to add a configuration line enabling the p0f trigger. Here’s a suggested, safe way to do that:
TriggerP0F Throttle Windows /2000|SP4/
This configuration line tells Traffic Control
- To apply traffic shaping (a.k.a. throttling in our documentation) to all hosts that identify as Windows machines;
- Except hosts that identify themselves also using the strings “2000″ or “SP4,” since these identifier strings are often indicate “server” type Windows hosts.
If you want to be more aggressive, you can leave off the regular expression at the end of the line, which will cause Traffic Control to slow down all Windows traffic. We don’t recommend this policy for anyone running commercial email service, but for hobbyists who want to punish Mr. Gates’ empire, it makes for fun log file viewing.
I will be co-chairing the botnet subcommittee with MXLogic’s Sam Masiello at the upcoming Messaging Anti-Abuse Working Group (MAAWG) meeting in Heidelberg Germany at 1:30pm Wednesday June 11. We will be discussing a preliminary “botnet taxonomy”. If you’re a member of MAAWG and are planning to attend Heidelberg, or if you will be in Europe at the same time, I’d love to meet with you! Drop me a line at email@example.com.
May 16th, 2008
Posted in Uncategorized
Real World Scenarios
Despite all the money invested into anti-spam solutions, spam volume continues to rise. Yes, spamming is an arms race. But the real race is one of sheer volume.
Spammers respond to difficulty by simply sending more spam. Better filtering? Send more to improve numbers getting through. Spamming not profitable enough? Send more spam. Users not interested? Send more variety. With botnets, spammers have a highly scalable delivery infrastructure and are not limited by resources. Unfortunately, it’s the receiver of spam that bears the cost of that volume.
The problem is more than just the annoyance of spam. Spam is a big cost to organizations. High spam volumes lead to delays in email delivery and significant over-capacity to handle spikes in volume. Email providers know customers are very sensitive to any delays in the receipt of important email, and any service disruptions by a failure to handle loads can have immediate complaints and ongoing financial impacts.
Delays in email delivery caused by high spam traffic divert IT attention to chase spam.
Ongoing IT workload costs likely dwarf one-time capital expenditures for new systems.
Adding capacity in chunks with each budget period makes it difficult to know if it’s too little or too much to scale capacity to meet volumes.
Traffic shaping reduce IT infrastructure and support costs because it removes more spam at the connection level than any other approach.
One of the Fortune 500 companies MailChannels works with has implemented traffic shaping solely to get their infrastructure costs under control. They were being flooded with spam and as a result legitimate email was being crowded out by the spam resulting in delivert delays of hours at a time. Their spam filters were getting rid of it so the end users didn’t see it but the servers were doing all they could to process backlogged traffic. The company couldn’t accept any more mail, they were are there limit in terms of concurrent SMTP connections and were at a loss to come up with a good strategy for dealing with all the spam.
They were using all the blacklists they could find, but even though the blacklists got rid of 50 to 70 percent of spam coming from known spam sources, the spam that got through was significant enough to be a very serious problem for end users and administrators trying to keep the email service flowing.
Implementing email traffic shaping in front of their servers dramatically dropped spam from 70 percent of all processed traffic down to 20 percent overnight as a result they turned off 4 of the 6 servers they were using to handle all inbound mail. More importantly, they no longer needed to waste time maintaining content filters, adding more servers or experiencing slow SMTP responses.
There are limitations with every anti-spam technology. While filtering is an effective at separating spam from email, it is only one layer in a multi-tiered anti-spam architecture designed to leverage various technologies suited to each task. Applying traffic shaping at the network edge ensures legitimate senders get excellent quality of service and their mail flows quickly, while spammers are given very poor quality of service and their mail is not allowed into your network.
NEXT: Post #10 Challenges of Traffic Shaping
PREVIOUS: Post #8 Dealing Spammers a Blow
Tags: cost, high traffic loads, itunes, smtp, spam, traffic shaping
May 7th, 2008
Posted in Uncategorized
A vulnerability report posted to the BugTraq section of the SecurityFocus website suggests that Gmail smtp servers can be abused by spammers. For the moment the exact details of the attack are not being disclosed to give Google an opportunity to respond to these claims.
The report gives a high level description of the vulnerability as follows:
This issue is related to the risk of a malicious user abusing Gmail’s email forwarding functionality. This is possible because Gmail’s email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google’s very own SMTP servers.
Pablo Ximenes claims that this technique can be used to circumvent spam filters that use whitelists and that they’ve developed a proof of concept attack that enabled them to e-mail out forged messages without any rate restrictions.
Tags: google, relay, spam, vulnerability
May 6th, 2008
Posted in Uncategorized
The British Columbia Technology Industry Association (BCTIA) hands out awards every June at its annual barbecue to recognize companies in the region that have contributed to the advancement of the technology industry here in our corner of the world. I am pleased to announce that MailChannels has been selected as a finalist for the “Best Application of Technology” award, in recognition of our success in stopping spam using our Traffic Control software.
Here’s a link to the BCTIA press release.
Tags: mailchannels, traffic control
MailChannels tracks (in real-time) the email flows hitting our customers worldwide. We use this data to establish a fairly comprehensive reputation score for IP addresses we have seen many times – mostly as a method for automatically “whitelisting” IPs which have a long track record of sending good email.
Recently, a customer of ours asked us to prepare some historical data showing the performance of Traffic Control at their site over time. We were somewhat surprised to see that the volume of connections they receive each day has dropped to just a third of what it was last September.
What has caused this drop? We’re not really sure, but here are some ideas:
- Spammers have chosen to “blacklist” this customer’s servers, because they are noticing the customer is slowing down most spam-bot connections;
- Global spam volume is down by two-thirds (haven’t seen this with other customers, so we don’t think it’s likely the case); or,
- The recent demise of a few well-hyped botnets because of Microsoft’s ongoing efforts to patch up Windows XP.
What do you think? Why is this customer getting so much less spam?
May 2nd, 2008
Posted in Uncategorized
Dealing a Blow to Spammers
ISPs have recently been getting a lot of criticism for traffic shaping P2P file sharers. While we can argue over whether this is excessive or not, they have been doing this primarily for legitimate reasons, to reduce the impact of resource hogging users on the rest of their network.
The same technique can also have a positive impact on email, SMTP traffic shaping essentially puts shackles on email’s heaviest users the spammers who have a voracious appetite for broadband capacity. Slowing down unknown senders causes the greatest harm for spammers who need to circulate their messages as quickly as possible. In fact during peak-load times, 90% of spammers go away after 10 seconds of being put in the slow lane.
Using traffic shaping, senders of spam are literally restricted from delivering packets to the network. This slowing down approach works by shaping the TCP connection and implements in a way similar to that of a network load-balancing device.
Unlike other traffic based spam protection, traffic shaping is not about putting limits on the quantity of emails from a sender (spammers can get around this easily by sending fewer emails per zombie). In comparison, true “shaping” literally slows down suspicious email delivery to a trickle (like 3 kbps) — effectively stopping spam from flooding in and eliminating processing delays. Then senders with good reputation can be dispatched on a fast connection and given higher service priority.
The result is a clean mail stream of less than 25 per cent its original volume.
NEXT: Post #9 Real World Scenarios
PREVIOUS: Post #7 Slowing Things Down
Tags: anti-spam, comment spam, ISPs, results, tcp, traffic shaping