280 likes | 386 Vues
Final Lab - Spam. Group 10: Scott Durr Stephen Thompson. Outline. Introduction Set up Obtaining Email Addresses Sending Mass Emails Filtering & Stopping Spam. Introduction. Almost 90% of email is now considered Spam! Messaging Anti-Abuse Working Group Report #6, Oct 2007
E N D
Final Lab - Spam Group 10: Scott Durr Stephen Thompson
Outline • Introduction • Set up • Obtaining Email Addresses • Sending Mass Emails • Filtering & Stopping Spam
Introduction Almost 90% of email is now considered Spam! • Messaging Anti-Abuse Working Group Report #6, Oct 2007 • Huge drain on resources • Strains the infrastructure • Distracts/Annoys us all • Major delivery mechanism for Malware!
The Costs • The State of California estimates Spam cost the state’s economy $1.2 billion in 2003. The estimate the entire US suffered a $10 billion loss in that same year. • http://www.spamlaws.com/state/ca.shtml • That was in 2003…
Our Set Up Servers Clients WinXP: 57.35.6.133 Host Machine: 57.35.6.131 WinXP2: 57.35.6.134 RedHat7.2 Machine: 57.35.6.132
Major Software Packages • Apache2 Web Server • Sendmail Email Server w/ SpamAssasin • Included on lab installs of Redhat 7.2 and Redhat WS 4.0 • Qpopper • POP3 server • PINE • Outlook Express • Included with WinXP • Evolution • Included with RedHat • Spam software: • Atomic Email Hunter & Atomic Email Sender
Two Email Servers • Set up with slightly different rules for comparison • Were NOT able to SMTP between Sendmail servers because Sendmail MUST have DNS running in order to find other servers. • We didn’t want to tackle the additional setup. • We could accomplish what we wanted without it.
Obtaining Email Addresses • Many different methods, but we focus on: • Email address spider • Anonymous FTP trick • Verification of Email addresses at the server
Email Address Spiders • Crawl the web and copy anything that looks like an email address. • Implemented a basic one with wget and grep, using a regular expression: wget –rFO lotsofhtml.txt http://localhost/ egrep –rhoie ‘[[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3}’ lotsofhtml.txt That regex is: [[:alnum:]\.\-\_]+\@[[:alnum:]\.\-]+\.[a-zA-Z]{2,3} • Example
“Atomic Email Hunter” • Commercial Windows program that implements an email address spider. • Tested on the same dummy websites as our homemade one. • Has a lot more features.
Anonymous FTP • A throwback from the days of old: Anonymous FTP logins require an email address as a password! • Set up your web page to grab images via FTP vice HTML and some browsers will cough up an email address. • Tested on Mozilla and IE: they give dummy addresses.
Verifying Email Addresses • Why is this important? • A “good” email list will minimize alerts that might catch the spammer. • Allows for a ‘guess and test’ method of email address discovery. • VRFY and EXPN • Ask the server if an address is good (VRFY) • Ask the server about an alias/list (EXPN) • Disable these!
Verifying Email Addresses • During the SMTP exchange, you pass a “TO” address to the server. It will come back and tell you if it is good! • Email header implemented by many clients: Return-Receipt-To: <email-address> X-Confirm-Reading-To: <email-address> Make sure you disable these as defaults in Outlook and others!
Defeating those Email Spiders • Two choices • Hide your email address • Actively counter spiders
Hide your email address • Use script to return an email address instead of putting the address in code. • ECE does this for their faculty! • Great example, courtesy of Mr. Tim Williams at U. Arizona: http://www.u.arizona.edu/~trw/spam/spam4.htm
WPoison • Available at http://www.monkeys.com/wpoison/ • Actively thwarts spiders by generating random pages with more links and email addresses. • Each link leads right back to WPoison! • Run the spider in a circle, filling it with garbage. • We have a video
Sending Mass Emails • Methods 1. Use your own (school/isp) SMTP server • You will probably get caught and shut down! 2. Use another, third party SMTP server • You will probably be blocked from Relaying 3. Connect directly to the recipient’s server • This takes some work, and you might get blacklisted 4. Do any of the above via a Bot Net • Even if you get caught, you don’t get blocked!
Method #3: Connect Directly to Victim’s SMTP Server Method #2: Use a Third Party SMTP Server Method # 1: Use your SMTP Server Method #4: Bot Net Our Simulations Servers Clients WinXP: 57.35.6.133 Host Machine: 57.35.6.131 WinXP2: 57.35.6.134 Fictional yahoo.com RedHat7.2 Machine: 57.35.6.132
Mass Email Countermeasures • Limit who can send on your server • Only users on the domain can “RELAY” • Use a blacklist to prevent connections from known spammers • Filter messages as they come in
SpamAssassin • Open source & extremely common • Very complex • Lots of rules • Uses scores to determine what is spam • Has learning capabilities • Can connect to services to receive rules and blacklists • www.spamhaus.org • More info at: http://spamassassin.apache.org
SpamAssassin in the Lab • We walk through the setup of some basic rules.
Your Last Line of Defense… • The email client • Web-based email clients can rapidly aggregate feedback and build more responsive filters. • Gmail, Yahoo, Hotmail, etc.
In the Lab Summary • Set up Servers • Harvest emails • Email Address Spiders: wget/grep & Atomic • FTP method • Experiment with address verification • Send mass emails through each scenario • Use manual connection and Atomic Email Sender • Implement some countermeasures • RELAY limitations • WPoison • Hide Email Addresses • Install, setup, and test SpamAssassin