Matthew Sullivan matthewsorbs.net

1
AusCERT 2005
Spam The attack vector
Matthew Sullivan ltmatthew_at_sorbs.netgt
2
Synopsis

• What is spam?
• Why is it a problem?
• Where do viruses fit in?
• Spyware, what is it what does it do?
• Phishing, what is it?
• The merging of technologies.
• The new attack vector.
• What can be done?

3
What is Spam...?

• Unsolicited Bulk Email?
• Unsolicited Commercial Email?
• Unsolicited Promotional Email?
• Not what were sending?
• Unsolicited Email?
• Objectionable Email?
• What the ACA tells us is spam?

4
What is Spam...?
5
What is Spam...?
6
What is Spam...?
7
What is Spam...?
8
What is Spam...?
9
What is Spam...?
10
What is Spam...?

• All of the above.!
• Each message is spam in its own right.
• Each poses its own dangers.
• We should be working to stop them all.

11
Where do viruses fit in?

• Open Relays
• Proxy Servers
• Spam Bots
• DoS Bots
• More sinister directions...

• Spyware
• Key-loggers

12
Relays and Proxy Servers...

• Open Relays, are they really a problem?
• How about proxy servers.?
• The risks
• Open relays are diminished in numbers.
• Proxies work both ways.
• Proxy servers being delivered in spam.

13
Spyware, what is it what does it do?

• Tracking movements across the Net
• Demographics
• Parental Control Software
• Surveillance
• Key-logging
• Complete user tracking
• How can we get rid of it?

14
Phishing, what is it?

• (fishing) (n.) The act of sending an e-mail to
  a user falsely claiming to be an established
  legitimate enterprise in an attempt to scam the
  user into surrendering private information that
  will be used for identity theft.
• How do we combat it?
• What can we do when we get caught...?
• How can we prevent it?

15
The merging of technologies...

• Email viruses combining with exploits.
• Newer Trojans that avoid system calls to hide.
  
• Newer ones allow remote upload of software.
• Continually changing ports to avoid detection.
• Calling home, or using IRC servers.

16
The Attack Vector

• Open Relays
• Open Proxies
• Trojans
• Viruses
• Spyware

• Whats this all leading to.?

• Spam, Spam, Spam, and more Spam...!

• So what is the new attack vector?

17
Statistics
18
Some Statistics From SORBS.
19
Some Statistics From OpenRBL
AHBL The Abusive Hosts Blocking List Hits
1009 10 BOGONS completewhois.com Bogon
IP's Hits 144 1 BOPM Blitzed Open Proxy
Monitor Hits 510 6 CBL Composite Blocking
List Hits 3010 24 DRBL Distributed Realtime
Blocking List Hits 1653 11 DSBL Distributed
Server Boycott List Hits 2962 25 FIVETEN Local
Blackholes at Five-Ten Hits 5903 47 JIPPGMA JIPP
G's Relay Blackhole List Hits 142 1 NJABL Not
Just Another Bogus List Hits 1769 16 NOMORE dr.
Jørgen Mash's DNSbl Hits 338 3 ORDB Open Relay
DataBase Hits 167 0 PSBL Passive Spam Block
List Hits 1161 9 SBL Spamhaus Block
List Hits 698 6 SORBS Spam and Open Relay
Blocking System Hits 4643 42 SPAMBAG Spambags
Hits 1167 11 SPAMCOP SpamCop Hits
1868 17 SPAMRBL Hits 9 0 SPAMSITE Spamware
Peddler and Spamservices Hits 5 0 SPEWS Spam
Prevention Early Warning System Hits
1552 12 UCEPROT Hits 880 8 WPBL Weighted
Private Block List Hits 778 7
Which shows statistics mean nothing!
20
Questions..?
21
Thank You
Matthew Sullivan