NZNOG 07 Dealing with Joe Jobs or how to cope with spam backscatter attacks - PowerPoint PPT Presentation


1
NZNOG 07: Dealing with Joe Jobs, or how to cope with spam backscatter attacks
Simon Howard
2
Presentation Overview
  • Definition
  • Amplifier
  • Target
  • Bounce Verification Technologies
  • Issues to Consider
  • Questions

3
Joe Doll
  • Attack on Joe Doll, webmaster of Joe's Cyberpost.
  • User had their account removed for advertising
    spam
  • In retaliation, forged an email from Joe Doll
  • Caused joes.com to be DoSed Jan 1997
  • Also defined in Wayne's World as a sub-standard
    job

4
Definition
  • Your email address/domain used as the envelope
    sender in a spam run.
  • Your mail systems end up receiving
    • bounce messages
    • vacation/out-of-office notices
    • challenge-responses
    • etc.
  • Resulting in huge mail gateway, server and
    administrative overhead

5
Envelope Headers
    telnet 192.168.1.1 25
    Connected to 192.168.1.1
    Escape character is '^]'.
    220-mail70.yourcompany.com ESMTP
    220 Welcome to yourcompany.com's email system
    helo domain.com
    250 mail70.yourcompany.com
    mail from: jane@domain.com
    250 sender <jane@domain.com> ok
    rcpt to: tracey@yourcompany.com
    250 recipient <tracey@yourcompany.com> ok
    data
    354 go ahead

6
Email Structure
7
Why am I being Joe Jobbed?
  • The spammer is using your credentials to
    legitimise their marketing campaign
    • Spam
    • Phishing
    • Discredit your company (competitive sabotage)
  • Random: in order to bypass reverse DNS lookup
    controls
  • Side-effect of a mass-mailing virus
  • Blatant Denial of Service

8
Amplifier
9
How Amplification Works
10
Amplifier Implications
  • Addition to a DNSBL (MAPS/Spamhaus/Spamcop)
  • Denial of Service
  • Leaking of sensitive information

11
Amplification of NDRs
  • Gateway accepts all email and relies on
    downstream servers to generate the NDR
    (non-delivery report)
  • RFC-821 requires an NDR for unsuccessful
    deliveries to a final destination
  • Notification to failed recipient + reason for the
    failure
  • Above + original email (or part of it)
  • Above + original email + all attachments

12
Further Amplification of NDRs
  • For NDRs of messages sent to multiple
    recipients, RFC-821 provides two options
    • A single notification which lists all failed
      recipients of that failed message
    • Separate notification for each failed recipient

13
NDR Payload
  • Payload
    • Viruses
    • Spam
    • Large files
    • Zip-bombs
  • "With 105 outbound emails (containing 1000
    invalid recipients) totalling 3.60MB of traffic
    we caused the mail servers under study to
    generate more than 80,000 emails, totalling
    1.15GB of traffic"
    http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb

14
Lessening The Noise
  • Hard bounce mail for invalid recipients at the
    gateway
  • Limit the maximum number of recipients per
    message
  • Generate minimalistic NDRs
  • Generate one NDR for all failed recipients
  • Send bounces from a server you can afford to have
    blacklisted
  • Disable NDRs altogether (maybe not)
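
As an added example (not from the slides, and not any MTA's own code), the following Python shows what "minimalistic NDRs" and "one NDR for all failed recipients" look like on the wire: a single multipart/report that names every failed recipient and returns only the original message's headers, capped in size, so the bounce stays small no matter what was attached to the forged message. The gateway name, the header size cap, the 5.1.1 status and the sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumptions for this example: the gateway's name and a cap on how much of the
# original message is echoed back to the (possibly forged) envelope sender.
REPORTING_MTA = "mail70.yourcompany.com"
MAX_RETURNED_HEADER_BYTES = 2048


def build_minimal_ndr(original_raw: bytes, failed: dict) -> MIMEMultipart:
    """Build ONE non-delivery report covering every failed recipient of a message.

    Only the original's headers come back (no body, no attachments), so a forged
    message carrying a large attachment cannot turn into an equally large bounce
    aimed at the Joe-jobbed sender."""
    original = email.message_from_bytes(original_raw, policy=policy.default)
    return_path = str(original.get("Return-Path", original.get("From", ""))).strip("<> ")

    ndr = MIMEMultipart("report", report_type="delivery-status")
    ndr["From"] = f"MAILER-DAEMON@{REPORTING_MTA}"
    ndr["To"] = return_path
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr["Auto-Submitted"] = "auto-replied"   # tells auto-responders not to answer this

    # Part 1: one short human-readable summary naming all recipients at once.
    summary = "\n".join(f"  {rcpt}: {reason}" for rcpt, reason in failed.items())
    ndr.attach(MIMEText("Delivery failed for the following recipients:\n" + summary))

    # Part 2: machine-readable message/delivery-status: a per-message block followed
    # by one per-recipient block. 5.1.1 (bad destination mailbox) is used for all here.
    per_message = Message()
    per_message["Reporting-MTA"] = f"dns; {REPORTING_MTA}"
    blocks = [per_message]
    for rcpt in failed:
        block = Message()
        block["Final-Recipient"] = f"rfc822; {rcpt}"
        block["Action"] = "failed"
        block["Status"] = "5.1.1"
        blocks.append(block)
    delivery_status = MIMEBase("message", "delivery-status")
    delivery_status.set_payload(blocks)
    ndr.attach(delivery_status)

    # Part 3: the original's headers only (text/rfc822-headers), truncated to the cap.
    header_text = "".join(f"{name}: {value}\n" for name, value in original.items())
    headers_part = MIMEBase("text", "rfc822-headers")
    headers_part.set_payload(header_text[:MAX_RETURNED_HEADER_BYTES])
    ndr.attach(headers_part)
    return ndr


def constructed_spam_message() -> bytes:
    """A constructed forged message: Joe-jobbed sender, two invalid recipients, bulky body."""
    bulky_body = b"A" * 200_000   # stands in for a large attachment or zip-bomb
    return (
        b"Return-Path: <jane@domain.com>\r\n"
        b"From: jane@domain.com\r\n"
        b"To: nobody1@yourcompany.com, nobody2@yourcompany.com\r\n"
        b"Subject: cheap watches\r\n"
        b"Message-ID: <spamrun-0001@domain.com>\r\n"
        b"Content-Type: text/plain\r\n\r\n" + bulky_body + b"\r\n"
    )


def size_ratio(original_raw: bytes, failed: dict) -> float:
    """NDR size divided by original size: how much of the incoming volume bounces back."""
    return len(build_minimal_ndr(original_raw, failed).as_bytes()) / len(original_raw)


if __name__ == "__main__":
    spam = constructed_spam_message()
    unknown = {"nobody1@yourcompany.com": "user unknown",
               "nobody2@yourcompany.com": "user unknown"}
    print(build_minimal_ndr(spam, unknown).as_string())
    print(f"NDR is {size_ratio(spam, unknown):.2%} of the original's size")
```

The point of the ratio is the amplification figure on the previous slide: a gateway that bounces the full original with attachments sends back roughly 100% of what it received per failed recipient, whereas a headers-only report for all recipients at once sends back well under 1%.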

15
Target
16
Target of a Phishing Attack
17
Example Phishing Message
  • mail-from: admin@bank.com
  • rcpt-to: <millions of users@domains>
  • subject: Your Account Details

Dear BANK.com Customer, In an effort to continually measure the service quality give to New Zealand and Australia, BANK.com members were sent out random survey asking valuable feedback on how we are doing and how we can approve. There are only a few questions to score and only take few minutes of your time Your patience will be rewarded with $20 direct deposit to your account and your name will automatically be entered into our quarterly drawing for $2500 grand prize If you are ready for feedback, go to http://wwwwbank.com/bankmain.php . If this link does not work, just copy and paste it into your browser Thank You! Sincerely Yours, Board of Directors BANK.com
18
Implications for the Target
  • Denial of Service
  • User inbox restrictions
  • Mail queues exploding / mail delays
  • Unhappy users

19
Invalid Users
  • Accept mail for valid users only
    • local_recipient_maps (Postfix)
    • Recipient Access Table (IronPort RAT)
    • LDAP integration
  • Sometimes we don't know who our valid users are,
    or it can be too expensive to maintain.
    • Backend user directory incompatible with
      front-end MTA
  • This will stop backscatter for invalid addresses
  • What about valid ones?

20
Valid Users
  • Message headers
    • Received-from
    • Message-ID
  • Looking for signs that it didn't actually leave
    your network in the first place
  • Resource intensive
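
An added example (not from the slides) of the header checks this slide describes: given an incoming NDR, it digs out the returned original's headers and asks whether the Message-ID belongs to one of our domains and whether any Received line shows the message leaving through one of our outbound servers. The domain and host names and the two constructed bounces are assumptions for the example; the "resource intensive" part is that every bounce has to be fully MIME-parsed after DATA rather than rejected at RCPT time.

```python
import email
from email import policy

# Assumptions for this example: the domains we send mail for and the hosts that
# actually relay our outbound mail. A real deployment would load these from config.
OUR_DOMAINS = {"yourcompany.com"}
OUR_OUTBOUND_HOSTS = {"mail70.yourcompany.com"}


def returned_original(ndr_text: str):
    """Locate the copy of the original message that an NDR carries, either as a
    full message/rfc822 part or as a text/rfc822-headers part. None if absent."""
    ndr = email.message_from_string(ndr_text, policy=policy.default)
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def bounce_looks_legitimate(ndr_text: str):
    """Return (verdict, reason). A bounce is only plausible if the original it quotes
    carries our Message-ID and passed through one of our outbound servers."""
    original = returned_original(ndr_text)
    if original is None:
        return False, "no original message headers in bounce"

    message_id = str(original.get("Message-ID", "")).strip("<> ")
    msgid_domain = message_id.rpartition("@")[2].lower()
    if msgid_domain not in OUR_DOMAINS:
        return False, f"Message-ID domain {msgid_domain!r} is not ours"

    # Each hop prepends a Received line; a message that really left our network
    # shows one of our outbound hosts somewhere in that trail.
    received = [str(line) for line in original.get_all("Received", [])]
    if not any(host in line for line in received for host in OUR_OUTBOUND_HOSTS):
        return False, "no Received line from our outbound servers"
    return True, "original passed through our outbound server"


# Constructed sample bounces (not real traffic).
FORGED_NDR = """\
From: MAILER-DAEMON@other.example
To: tracey@yourcompany.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The recipient does not exist.
--B1
Content-Type: text/rfc822-headers

Received: from dsl-pool-7.example (unknown [198.51.100.7])
    by mx.other.example with SMTP; Mon, 1 Jan 2007 03:00:00 +1300
From: tracey@yourcompany.com
To: nobody@other.example
Message-ID: <spamrun-0001@yourcompany.com>
Subject: cheap watches
--B1--
"""

GENUINE_NDR = """\
From: MAILER-DAEMON@other.example
To: tracey@yourcompany.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

The recipient mailbox is full.
--B2
Content-Type: message/rfc822

Received: from mail70.yourcompany.com (mail70.yourcompany.com [192.0.2.70])
    by mx.other.example with ESMTP; Mon, 1 Jan 2007 03:00:00 +1300
Received: from tracey-pc.yourcompany.com ([192.0.2.201])
    by mail70.yourcompany.com with ESMTP; Mon, 1 Jan 2007 02:59:00 +1300
From: tracey@yourcompany.com
To: someone@other.example
Message-ID: <20070101025900.1234@yourcompany.com>
Subject: Meeting notes

See you tomorrow.
--B2--
"""

if __name__ == "__main__":
    for name, sample in ("forged", FORGED_NDR), ("genuine", GENUINE_NDR):
        print(name, bounce_looks_legitimate(sample))
```

Both checks are heuristics: a spammer can forge a Received line naming your outbound host just as easily as the From, which is why the next slides move to signed envelope senders that a forger cannot produce without the key.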

21
Bounce Verification Technologies
  • We can't rely on session verification techniques
    • e.g. SPF
  • Bounce verification
    • BATV (Bounce Address Tag Validation)
    • Authbounce
    • ABBS (Anti-Bogus-Bounce-Scheme)
    • SES (Signed Envelope Sender)

22
BATV (Bounce Address Tag Validation)
23
BATV Specification
  • The envelope sender address is signed.
  • mail-from: mailbox@domain.com becomes
    mail-from: prvs=mailbox/tag-val@domain.com
  • tag-val = K DDD SSSSSS
    • K = key number
    • DDD = low 3 digits of the number of days since
      1970 when the address will expire
    • SSSSSS = hex of the first three bytes of the
      SHA-1 HMAC of <hash-source> and a key
  • hash-source = K DDD <orig-mailfrom>
  • orig-mailfrom = original RFC2821.MailFrom
    address
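
As an added example (not from the slides and not the BATV project's code), the following Python implements the tag format exactly as the slide lays it out: sign the envelope sender on the way out, then validate the RCPT TO of an incoming bounce so that bounces for mail you never sent can be refused at RCPT time. The key and its number, the seven-day lifetime and the modulo-1000 expiry comparison are assumptions for the example; MTA implementations differ in such details.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed signing key for the example, indexed by the single-digit key number K.
# A real deployment keeps this secret on the gateway and rotates it via K.
KEYS = {0: b"constructed-example-secret"}
DAY = 86400


def _signature(key_num: int, ddd: int, orig_mailfrom: str) -> str:
    """SSSSSS: hex of the first three bytes of HMAC-SHA1(key, K DDD orig-mailfrom)."""
    hash_source = f"{key_num}{ddd:03d}{orig_mailfrom}".encode()
    return hmac.new(KEYS[key_num], hash_source, hashlib.sha1).digest()[:3].hex()


def batv_sign(orig_mailfrom: str, key_num: int = 0, lifetime_days: int = 7,
              now: Optional[float] = None) -> str:
    """Rewrite mailbox@domain into prvs=mailbox/KDDDSSSSSS@domain for outbound mail."""
    now = time.time() if now is None else now
    expiry_day = int(now // DAY) + lifetime_days
    ddd = expiry_day % 1000                      # low three digits of the expiry day
    mailbox, domain = orig_mailfrom.rsplit("@", 1)
    tag_val = f"{key_num}{ddd:03d}{_signature(key_num, ddd, orig_mailfrom)}"
    return f"prvs={mailbox}/{tag_val}@{domain}"


def batv_verify(rcpt_to: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Check the RCPT TO of an incoming bounce (MAIL FROM:<>).
    Returns (status, original address); status is 'valid', 'untagged', 'malformed',
    'unknown-key', 'expired' or 'bad-signature'. Anything but 'valid' is a bounce
    for mail we never sent and can be rejected before DATA."""
    now = time.time() if now is None else now
    local, _, domain = rcpt_to.rpartition("@")
    if not local.startswith("prvs="):
        return "untagged", None
    mailbox, sep, tag_val = local[len("prvs="):].rpartition("/")
    if not sep or len(tag_val) != 10 or not tag_val[:4].isdigit():
        return "malformed", None
    key_num, ddd, sig = int(tag_val[0]), int(tag_val[1:4]), tag_val[4:]
    if key_num not in KEYS:
        return "unknown-key", None
    # DDD is only the low three digits, so compare modulo 1000. Assumption for this
    # example: an expiry more than 500 days "ahead" has really wrapped and is past.
    today = int(now // DAY) % 1000
    if (ddd - today) % 1000 > 500:
        return "expired", None
    orig_mailfrom = f"{mailbox}@{domain}"
    if not hmac.compare_digest(sig, _signature(key_num, ddd, orig_mailfrom)):
        return "bad-signature", None
    return "valid", orig_mailfrom


if __name__ == "__main__":
    tagged = batv_sign("jane@domain.com")
    print("outbound MAIL FROM:", tagged)
    print("bounce to tagged address:", batv_verify(tagged))
    print("bounce to plain address:", batv_verify("jane@domain.com"))
```

Note that the check only makes sense for messages with a null envelope sender; applying it to ordinary inbound mail addressed to the plain mailbox would reject legitimate correspondence.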

24
BATV cont
  • Supported on the following MTAs
    • netqmail
    • IronPort AsyncOS
    • Exim
  • Documentation available for other MTAs
  • Pursuing IETF standardisation

25
How Authbounce works
26
Authbounce for Exim
  • Addition of a signed X-header:
    X-bounce-key: example.net-1 you@example.com 1077198109 fb7e6ffa
                  (1)           (2)             (3)        (4)
  • (1) A key identifier, typically the ISP's domain plus
    a number.
  • (2) The e-mail address to which a bounce may be sent.
  • (3) The time when the message was sent out. Bounces
    older than a certain age are ignored.
  • (4) 32-bit cryptographic checksum, calculated as a
    hash over (1), (2), (3) and a secret value

27
ABBS (Anti-Bogus-Bounce-Scheme)
  • Similar to BATV
  • Signed envelope sender
  • mail-from: user-b@b.example.com becomes
    mail-from: user-b=timestamp-hmac@b.example.com
  • timestamp is time()
  • hmac is HMAC-SHA1-nn
  • Timeout defaults to 1296000 seconds (15 days)
  • Supported in qmail safari

28
SES (Signed Envelope Sender)
  • Challenge response system for SMTP
  • UDP call back service
  • Send hash value to the server that claims to have
    originated the message
  • If the query is positive, mail is accepted as
    valid; if not, it's rejected
  • Website is dead, probably a good thing

29
Advantages / Disadvantages
  • BATV
    • - Modifies the envelope sender address
    • + Stops invalid bounces after the rcpt-to header
      is received
  • Authbounce
    • + Doesn't modify the envelope sender address
    • - More overhead as X-headers need to be
      processed
  • ABBS
    • BATV for qmail with a few differences
  • SES
    • - Project is dead?

30
Security Considerations
  • Cryptographic weaknesses
  • Replay attacks

31
Issues to Consider
  • Too many different standards, none settled on
  • CPU overhead for large mail volumes
  • All outbound messages tagged, all inbound checked
  • Greylisting (451)
  • Mailing lists validate on envelope sender
  • Challenge-Response systems

32
More Issues
  • Legitimate DSNs are rejected unless the original
    mail has been sent via your server
  • Roaming users

33
Knowing Your Environment
  • Which servers send out email?

34
Conclusion
  • Know and control your environment
  • Determine if you are an amplifier
  • Decide which technology fits best
  • Implement technology before you are targeted

35
Conclusion
  • You don't want to be hacking up custom Sendmail
    rules at 3:00am
  • Kphishsrc regex -a@MATCH (customercare|customerssupport|customersupport|custservice|custsupport|info|num|online_support|onlinesupport|operate|operator|reference|support|suppref|num)(\-ref|\_ref|\-reference|\_reference|\-id|\_id)?(\-|\_)?[0-9]
  • SLocal_check_rcpt
  • R$*                              $: $>Parse0 $>3 $1
  • R< $* @ domain.co.nz . > $*      $: $(phishsrc $1 $)

36
Questions?
37
References
  • ABBS - http://msgs.securepoint.com/cgi-bin/get/qmail0403/161.html
  • Anti-Phishing Working Group - http://www.antiphishing.org/phishing_archive.html
  • Anti-spam Email Research - http://spamlinks.net/prevent-research.htm
  • Authbounce - http://psg.com/%7Ebrian/software/authbounce/configure-authbounce.txt
  • BATV - http://mipassoc.org/batv/
  • Mail Non-Delivery Notice Attacks - http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb
  • Postfix Backscatter Howto - http://www.postfix.org/BACKSCATTER_README.html
  • Signed Envelope Sender - http://www.advogato.org/proj/Signed%20Envelope%20Sender/
  • Sender Policy Framework - http://www.openspf.org/
  • Signed Return Address - http://www.tuffmail.com/backscatter.php
  • Why are auto responders bad? - http://www.spamcop.net/fom-serve/cache/329.html