UT CS 378 - Vitaly Shmatikov
Slide 1: Vitaly Shmatikov, CS 361S

Slide 2: Email in the Early 1980s
(Diagram: sender → Mail relay → Mail relay → recipient, across Network 1, Network 2, Network 3)
• Mail relay: forwards mail to next hop
• Sender path includes path through relays

Slide 3: Email Spoofing
Mail is sent via SMTP protocol
• No built-in authentication
MAIL FROM field is set by the sender
Recipient’s mail server only sees the IP address of the direct peer from whom it received the message

Slide 4: Mail Relays
An SMTP relay forwards mail to destination
1. Bulk email tool connects via SMTP (port 25)
2. Sends list of recipients via RCPT TO command
3. Sends email body (once for all recipients!)
4. Relay delivers message
• Honest relay adds correct Received: header revealing source IP
• Hacked relay does not

Slide 5: A Closer Look at Spam
Received: by 10.78.68.6 with SMTP id q6cs394373hua; Mon, 12 Feb 2007 06:43:30 -0800 (PST)
Received: by 10.90.113.18 with SMTP id l18mr17307116agc.1171291410432; Mon, 12 Feb 2007 06:43:30 -0800 (PST)
Return-Path: <[email protected]>
Received: from onelinkpr.net ([203.169.49.172]) by mx.google.com with ESMTP id 30si11317474agc.2007.02.12.06.43.18; Mon, 12 Feb 2007 06:43:30 -0800 (PST)
Received-SPF: neutral (google.com: 203.169.49.172 is neither permitted nor denied by best guess record for domain of [email protected])
Message-ID: <20050057765.stank.203.169.49.172@ASAFTU>
From: "Barclay Morales" <[email protected]>
To: <[email protected]>
Subject: You can order both Viagra and Cialis.
(Annotations on the slide: "Inserted by relays", "Puerto Rico", "Mongolia", "Bogus!")

Slide 6: Why Hide Sources of Spam?
Many email providers blacklist servers and ISPs that generate a lot of spam
• Use info from spamhaus.org, spamcop.net
Real-time blackhole lists stop 15-25% of spam at SMTP connection time
• Over 90% after message body checks
Spammers’ objective: evade blacklists
• Botnets come in very handy!

Slide 7: Thin Pipe / Thick Pipe
Spam source has a high-speed broadband machine (HSB) and controls a low-speed zombie (LSZ)
Hides IP address of HSB; LSZ is blacklisted
(Diagram: HSB, LSZ, Target SMTP server; TCP handshake, TCP sequence numbers, SMTP bulk mail (Source IP = LSZ))

Slide 8: Open HTTP Proxies
Web cache (HTTP/HTTPS proxy), e.g., squid
To spam: CONNECT <Victim’s IP> 25, then issue SMTP commands
• Squid becomes a mail relay
(Diagram: client requests URL HTTPS://xyz.com; Squid web cache sends CONNECT xyz.com 443 to web server xyz.com; ClientHello / ServerHello pass through the tunnel)
Why is port 25 enabled, anyway?

Slide 9: Send-Safe Spam Tool

Slide 10: Open Relays vs. Open Proxies
Open proxy
• Spammer must send message to each recipient through the proxy
Open relay
• Takes a list of addresses and sends to all
• Can host an open relay on a zombie
Listing services for open proxies and relays (many appear to be defunct as of 2010)
• http://www.multiproxy.org/, http://www.stayinvisible.com/, http://www.openproxies.com/ ($20/month)

Slide 11: McAfee Spam Hijack (Jan 2012)
McAfee antivirus includes “Rumor Service” for delivering updates to computers without direct Internet access
This service has been hacked, turned into an open proxy, and used to send tons of spam
"As an ultimate insult, even McAfee, whose software is at the root of our problems, now rate our email IP as 'High Risk': we can't email them as they have blacklisted us!"

Slide 12: Distribution of Spam Sources [Ramachandran, Feamster]

Slide 14: Distribution Across Domains [Ramachandran, Feamster]

Slide 15: Where Does Spam Come From? [Ramachandran, Feamster]
IP addresses of spam sources are widely distributed across the Internet
• In tracking experiments, most IP addresses appear once or twice; 60-80% not reachable by traceroute
Vast majority of spam originates from a small fraction of IP address space
• Same fraction that most legitimate email comes from
Spammers exploit routing infrastructure
• Create short-lived connection to mail relay, then disappear
• Hijack a large chunk of unallocated “dark” space

Slide 16: CAN-SPAM Act (passed in 2003)
Legal solution to the problem
• Bans email harvesting, misleading header information, deceptive subject lines, use of proxies
• Requires opt-out and identification of advertising
• Imposes penalties (up to $11K per violation)
FTC report on effectiveness (Dec 2005)
• 50 cases pursued in the US
• No impact on spam originating outside the US (60%)
• Open relays hosted on botnets make it difficult to collect evidence
http://www.ftc.gov/spam

Slide 17: Bobax Worm
Infects machines with high bandwidth
• Exploits Windows LSASS buffer overflow vulnerability
Slow spreading (and thus hard to detect)
• On manual command from operator, randomly scans for vulnerable machines
Installs hacked open relay on infected zombies
• Once the spam zombie is added to a blacklist, spreads to another machine
• Interesting detection technique: look for botmaster’s DNS queries (trying to determine who is blacklisted)

Slide 20: Major Spambots in 2008
http://www.marshal.com/trace/traceitem.asp?article=615

Slide 21: McColo
McColo was a San Jose-based hosting provider
Hosted command-and-control servers of the biggest spam botnets
• Rustock, Srizbi, Mega-D, Pushdo/Cutwail, others
Disconnected by upstream providers on Nov 11, 2008 → 75% reduction of spam worldwide
Resurrected for 12 hours on Nov 20, 2008
• Through a backup connection (soon terminated)
• During this time, 15MB/sec of traffic to Russia – botmasters getting data to regain control of botnets

Slide 22: Srizbi
Rootkit + sophisticated spam mailer
500K zombies, 60 billion spam messages daily
• More than half of all spam worldwide
After McColo takedown, fail-safe code inside bots started generating names of backup domains
• ypouaypu.com, oryitugf.com, prpoqpsy.com …
• Botmasters regained control by registering these domains (through a Russian registrar) and hosting new C&C servers in Estonia – shut down later

Slide 23: Rustock
Responsible for 40% of all spam in 2010
Between 1 and 2.5 million infected computers
• Up to 240,000 messages daily from each host
Based on a fairly elaborate rootkit
C&C servers taken down on March 16, 2011
• Investigation by Microsoft, Pfizer, FireEye, and security researchers from the University of Washington
• “John Doe” lawsuit against botnet operators
• Coordinated seizure of C&C servers in the US
• 33%
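Slides 3 to 5 make the point that the only believable part of a Received: chain is the line written by a server you control; everything the sender supplied below it may be forged or missing. The Python below is an added example, not part of the slides: it walks the slide 5 headers (re-typed as a constructed sample, with the redacted mailbox addresses replaced by placeholders), trusts only the hop recorded by the receiving provider (the trusted suffix is an assumption), and reports the SPF verdict.

```python
import email
import re

# Constructed sample re-typed from the slide 5 headers; mailbox addresses are placeholders.
SAMPLE = """\
Received: by 10.78.68.6 with SMTP id q6cs394373hua;
        Mon, 12 Feb 2007 06:43:30 -0800 (PST)
Received: by 10.90.113.18 with SMTP id l18mr17307116agc.1171291410432;
        Mon, 12 Feb 2007 06:43:30 -0800 (PST)
Return-Path: <sender@example.invalid>
Received: from onelinkpr.net ([203.169.49.172])
        by mx.google.com with ESMTP id 30si11317474agc.2007.02.12.06.43.18;
        Mon, 12 Feb 2007 06:43:30 -0800 (PST)
Received-SPF: neutral (google.com: 203.169.49.172 is neither permitted nor denied by best guess record for domain of sender@example.invalid)
Message-ID: <20050057765.stank.203.169.49.172@ASAFTU>
From: "Barclay Morales" <sender@example.invalid>
To: <recipient@example.invalid>
Subject: You can order both Viagra and Cialis.
"""

# "from <host> ([<ip>]) by <host>" for an outside peer, or just "by <host>" for an internal hop.
HOP_RE = re.compile(
    r"(?:from\s+(?P<from>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+)?"
    r"by\s+(?P<by>\S+)")


def received_chain(raw):
    """Hops in travel order (oldest first). Each relay prepends its own
    Received: line, so the top of the message is the most recent hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"from": m.group("from"), "ip": m.group("ip"), "by": m.group("by")})
    return hops


def origin_ip(raw, trusted_suffix):
    """IP of the peer that handed the message to our first trusted server.
    A hacked relay (slide 4) can omit or forge every line below that one."""
    for hop in received_chain(raw):
        if hop["by"].endswith(trusted_suffix) and hop["ip"]:
            return hop["ip"]
    return None


def spf_result(raw):
    """First token of Received-SPF: pass, fail, softfail, neutral or none."""
    value = email.message_from_string(raw).get("Received-SPF")
    return value.split()[0].lower() if value else None
```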
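Slide 6 describes real-time blackhole list checks at SMTP connection time, and slide 17 suggests catching a botmaster by the DNS queries it makes to see which zombies are listed. The Python below is an added example, not from the slides: it builds the reversed-octet DNSBL query name a mail server resolves, then scans a constructed DNS query log for clients that are not mail servers yet check many distinct addresses against the lists named on slide 6. The log format, client addresses and the threshold of 5 are assumptions.

```python
import ipaddress
from collections import defaultdict

# DNS-based blackhole lists named on slide 6.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")


def dnsbl_query_name(ip, zone):
    """Name an SMTP server resolves to check a connecting peer against a
    DNSBL: octets reversed as in a PTR lookup, with the list's zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_dnsbl_query(qname, zones=DNSBL_ZONES):
    """Inverse of dnsbl_query_name: (ip, zone) if qname targets a DNSBL, else None."""
    for zone in zones:
        suffix = "." + zone
        if qname.endswith(suffix):
            parts = qname[: -len(suffix)].split(".")
            if len(parts) == 4 and all(p.isdigit() for p in parts):
                return ".".join(reversed(parts)), zone
    return None


def flag_enumerators(log_lines, known_mx, threshold=5):
    """Clients that are not mail servers yet look up many distinct IPs in
    DNSBL zones: the botmaster pattern slide 17 suggests watching for.
    Returns {client: set of IPs it checked} for clients at or over threshold."""
    checked = defaultdict(set)
    for line in log_lines:
        _ts, client, qname = line.split()[:3]  # assumed log format, see LOG below
        hit = parse_dnsbl_query(qname)
        if hit and client not in known_mx:
            checked[client].add(hit[0])
    return {c: ips for c, ips in checked.items() if len(ips) >= threshold}


# Constructed DNS query log, one "<timestamp> <client> <queried name>" per
# line: the MX (10.0.0.2) checks one SMTP peer; a workstation (10.0.0.77)
# checks six different addresses against both lists in quick succession.
LOG = [
    "2007-02-12T06:43:30 10.0.0.2 172.49.169.203.zen.spamhaus.org",
    "2007-02-12T06:43:31 10.0.0.77 www.example.com",
] + [
    f"2007-02-12T06:44:{i:02d} 10.0.0.77 {dnsbl_query_name(f'203.0.113.{i}', z)}"
    for z in DNSBL_ZONES for i in range(6)
]

KNOWN_MX = {"10.0.0.2"}  # assumed: the site's legitimate mail servers
```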