Title: NZNOG 07 Dealing with Joe Jobs or how to cope with spam backscatter attacks
1NZNOG 07Dealing with Joe Jobsor how to cope
with spam backscatter attacks
Simon Howard
2Presentation Overview
- Definition
- Amplifier
- Target
- Bounce Verification Technologies
- Issues to Consider
- Questions
3Joe Doll
- Attack on Joe Doll, webmaster of Joe's Cyberpost.
- User had their account removed for advertising
spam - In retaliation, forged an email from Joe Doll
-
- Caused joes.com to be DoSed Jan 1997
- Also defined in Wayne's World as a sub-standard
job
4Definition
- Your email address/domain used as the envelope
sender in a spam run. - Your mail systems end up receiving
- bounce messages
- vacation/out-of-office notices
- challenge-responses
- etc.
- Resulting in huge mail gateway, server and
administrative overhead
5Envelope Headers
- telnet 192.168.1.1 25
- Connected to 192.168.1.1
- Escape character is ''.
- helo dm220-mail70.yourcompany.com ESMTP
- 220 Welcome to yourcompany.coms email system
- helo domain.com
- 250 mail70.yourcompany.com
- mail from jane_at_domain.com
- 250 sender ltjane_at_domain.comgt ok
- rcpt to tracey_at_yourcompany.com
- 250 recipient lttracey_at_yourcompany.comgt ok
- data
- 354 go ahead
6Email Structure
7Why am I being Joe Jobed
- The spammer is using your credentials to
legitimise their marketing campaign - Spam
- Phishing
-
- Discredit your company (Competitive sabotage)
- Random In order to bypass reverse DNS lookup
controls. - Side-effect of a mass-mailing virus
- Blatant Denial of Service
8Amplifier
9How Amplification Works
10Amplifier Implications
- Addition to a DNSBL (MAPS/Spamhaus/Spamcop)
- Denial of Service
- Leaking of sensitive information
11Amplification of NDRs
- Gateway accepts all email and relies on
downstream servers to generate the NDR
(non-delivery report) - RFC-821 requires an NDR for unsuccessful
deliveries to a final destination - Notification to failed recipient reason for the
failure - Above original email (or part of it)
- Above original email all attachments
12Further Amplification of NDRs
- For NDR's of messages sent to multiple
recipients, RFC-821 provides two options - A single notification which lists all failed
recipients of that failed message - Separate notification for each failed recipient
13NDR Payload
- Payload
- Viruses
- Spam
- Large files
- Zip-bombs
- "With 105 outbound emails (containing 1000
invalid recipients) totalling 3.60MB of traffic
we caused the mail servers under study to
generate more than 80,000 emails, totalling
1.15GB of traffic" http//www.techzoom.net/paper-
mailbomb.asp?idmailbomb
14Lessening The Noise
- Hard bounce mail for invalid recipients at the
gateway - Limit the maximum number of recipients per
message - Generate minimalistic NDRs
- Generate one NDR for all failed recipients
- Send bounces from a server you can afford to have
blacklisted - Disable NDRs altogether (maybe not)
15Target
16Target of a Phishing Attack
17Example Phishing Message
- mail-from admin_at_bank.com
- rcpt-to ltmillions of users_at_domainsgt
- subject Your Account Details
-
Dear BANK.com Customer, In an effort to
continually measure the service quality give to
New Zealand and Australia, BANK.com members were
sent out random survey asking valuable feedback
on how we are doing and how we can
approve. There are only a few questions to score
and only take few minutes of your time Your
patience will be rewarded with 20 direct deposit
to your account and your name will automatically
be entered into our quarterly drawing for 2500
grand prize If you are ready for feedback, go to
http//wwwwbank.com/bankmain.php . If this link
does not work, just copy and paste it into your
browser Thank You! Sincerely Yours, Board of
Directors BANK.com
18Implications for the Target
- Denial of Service
- User inbox restrictions
- Mail queues exploding / mail delays
- Unhappy users
19Invalid Users
- Accept mail for valid users only
- local_recipient_maps (postfix)
- Recipient Access Table (Ironport RAT)
- LDAP integration
- Sometimes we dont know who our valid users are
or it can be too expensive to maintain. - Backend user directory incompatible with
front-end MTA - This will stop backscatter for invalid addresses
- What about valid ones?
20Valid Users
- Message Headers
- Received-from
- Message-ID
- Looking for signs that it didnt actually leave
your network in the first place - Resource Intensive
21Bounce Verification Technologies
- We cant rely on session verification techniques
- e.g. SPF
- Bounce Verification
- BATV (Bounce Address Tag Validation)
- Authbounce
- ABBS (Anti-Bogus-Bounce-Scheme)
- SES (Signed Envelope Sender)
22BATV (Bounce Address Tag Validation)
23BATV Specification
- The envelope sender address is signed.
- mail-from mailbox_at_domain.com becomes
- mail-from prvsmailbox/tag-val_at_domain.com
- tag-val K DDD SSSSSS
- K key number
- DDD low 3 digits of the number of days since
1970 when the address will expire - SSSSSS Hex of the first three bytes of the
SHA-1 HMAC of lthash-sourcegt and a
key - hash-source K DDD ltorig-mailfromgt
- orig-mailfrom original RFC2821.MailFrom
address
24BATV cont
- Supported on the following MTAs
- netqmail
- Ironport AsyncOS
- Exim
- Documentation available for other MTAs
- Pursuing IETF standardisation
25How Authbounce works
26Authbounce for Exim
- Addition of a signed X-Header
- X-bounce-keyexample.net-1you_at_example.com1077198
109fb7e6ffa - (1) (2)
(3) (4) - A key identifier, typically the ISP's domain plus
a number. - The E-mail address to which a bounce may be sent.
- The time when the message was sent out. Bounces
older than a certain age are ignored. - 32-bit cryptographic checksum, calculated as a
hash over (1), (2), (3) and a secret value
27ABBS (Anti-Bogus-Bounce-Scheme)
- Similar to BATV
- Signed envelope sender
- mail-from user-b_at_b.example.com becomes
- mail-from user-btimestamp-hmac_at_b.example.com
- timestamp is time()
- hmac is HMAC-SHA1-nn
- Timeout defaults to 1296000 seconds (15 days)
- Supported in qmail safari
28SES (Signed Envelope Sender)
- Challenge response system for SMTP
- UDP call back service
- Send hash value to the server that claims to have
originated the message - If the query is positive, mail is accepted as
valid, if not, its rejected - Website is dead, probably a good thing
29Advantages / Disadvantages
- BATV
- ? Modifies the envelope sender address
- ? Stops invalid bounces after the rcpt-to header
is received - Authbounce
- ? Doesnt modify the envelope sender address
- ? More overhead as X-headers need to be
processed - ABBS
- ? BATV for qmail with a few differences
- SES
- ? project is dead?
30Security Considerations
- Cryptographic weaknesses
- Replay attacks
-
31Issues to Consider
- Too many different standards, none settled on
- CPU overhead for large mail volumes
- All outbound messages tagged, all inbound checked
- Greylisting (451)
- Mail-listings validate on envelope sender
- Challenge-Response systems
32More Issues
- Legitimate DSNs are rejected unless the original
mail has been sent via your server - Roaming users
33Knowing Your Environment
- Which servers send out email?
34Conclusion
- Know and control your environment
- Determine if you are an amplifier
- Decide which technology fits best
- Implement technology before you are targeted
35Conclusion
- You dont want to be hacking up custom Sendmail
rules at 300am - Kphishsrc regex -a_at_MATCH (customercarecustomerss
upportcustomersupportcustservicecustsupportinf
onumonline_supportonlinesupportoperateoperator
referencesupportsupprefnum)(\-ref\_ref\-refer
ence\_reference\-id\_id)?(\-\_)?0-9 - SLocal_check_rcpt
- R gtParse0 gt3 1
- R lt _at_ domain.co.nz. gt (phishsrc 1 )
36Questions?
37References
- ABBS - http//msgs.securepoint.com/cgi-bin/get/qma
il0403/161.html - Anti-Phishing Workging Group http//www.antiphish
ing.org/phishing_archive.html - Anti-spam Email Research http//spamlinks.net/prev
ent-research.htm - Authbounce - http//psg.com/7Ebrian/software/auth
bounce/configure-authbounce.txt - BATV - http//mipassoc.org/batv/
- Mail Non-Delivery Notice Attacks
http//www.techzoom.net/paper-mailbomb.asp?idmail
bomb - Postfix Backscatter Howto http//www.postfix.org/
BACKSCATTER_README.html - Signed Envelope Sender http//www.advogato.org/pr
oj/Signed20Envelope20Sender/ - Sender Policy Framework http//www.openspf.org/
- Signed Return Address http//www.tuffmail.com/bac
kscatter.php - Why are auto responders bad? http//www.spamcop.
net/fom-serve/cache/329.html