Malware and Software Vulnerability Analysis Spam and Phishing .ppt
NehaNeha652711
21 views
53 slides
Jun 21, 2024
Slide 1 of 53
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
About This Presentation
Malware and Software Vulnerability Analysis
Spam and Phishing
Slide Content
CAP6135: Malware and Software
Vulnerability Analysis
Spam and Phishing
Cliff Zou
Spring 2016
Vulnerability Analysis
Spam and Phishing
Cliff Zou
Spring 2016
2
Acknowledgement
This lecture uses some contents from the lecture notes
from:
Dr. Dan Boneh (Stanford): CS155:Computer and Network
Security
Jim Kurose, Keith Ross. Computer Networking: A Top Down
Approach Featuring the Internet, 5th edition.
Acknowledgement
This lecture uses some contents from the lecture notes
from:
Dr. Dan Boneh (Stanford): CS155:Computer and Network
Security
Jim Kurose, Keith Ross. Computer Networking: A Top Down
Approach Featuring the Internet, 5th edition.
3
Electronic Mail
Three major components:
user agents
mail servers
simple mail transfer protocol: SMTP
User Agent
a.k.a. “mail reader”
composing, editing, reading mail
messages
e.g., Eudora, Outlook, elm,
Netscape Messenger
outgoing, incoming messages
stored on server
user mailbox
outgoing
message queue
mail
server
user
agent
user
agent
user
agent
mail
server
user
agent
user
agent
mail
server
user
agent
SMTP
SMTP
SMTP
Electronic Mail
Three major components:
user agents
mail servers
simple mail transfer protocol: SMTP
User Agent
a.k.a. “mail reader”
composing, editing, reading mail
messages
e.g., Eudora, Outlook, elm,
Netscape Messenger
outgoing, incoming messages
stored on server
user mailbox
outgoing
message queue
server
user
agent
user
agent
user
agent
server
user
agent
user
agent
server
user
agent
SMTP
SMTP
SMTP
4
How email works: SMTP
(RFC 821, 1982)
Some SMTP Commands:
MAIL FROM:<reverse-path>
RCPT TO:<forward-path>
RCPT TO:<forward-path>
If unknown recipient: response “550 Failure reply”
DATA
email headers and contents
Use TCP port 25 for connections
.
Repeated
for each
recipient
How email works: SMTP
(RFC 821, 1982)
Some SMTP Commands:
MAIL FROM:<reverse-path>
RCPT TO:<forward-path>
RCPT TO:<forward-path>
If unknown recipient: response “550 Failure reply”
DATA
email headers and contents
Use TCP port 25 for connections
.
Repeated
for each
recipient
5
Sample fake email sending
S: 220 longwood.cs.ucf.edu
C: HELO fake.domain
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: <[email protected]>
S: 250 [email protected]... Sender ok
C: RCPT TO: <[email protected]>
S: 250 [email protected] ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: from: “fake man” <[email protected]>
C: to: “dr. who” <who@who>
C: subject: who am I?
C: Do you like ketchup?
C:How about pickles?
C:.
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection
Sample fake email sending
S: 220 longwood.cs.ucf.edu
C: HELO fake.domain
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: <[email protected]>
S: 250 [email protected]... Sender ok
C: RCPT TO: <[email protected]>
S: 250 [email protected] ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: from: “fake man” <[email protected]>
C: to: “dr. who” <who@who>
C: subject: who am I?
C: Do you like ketchup?
C:How about pickles?
C:.
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection
6
Try SMTP interaction for yourself:
telnet servername 25
see 220 reply from server
enter HELO, MAIL FROM, RCPT TO, DATA, QUIT
commands
“mail from:”the domain may need to be existed
“rcpt to:”the user needs to be existed
A mail server may or may not support “relay”
CS email server supports relay from Eustis machine
“from:”“to:”“subject:”are what shown in normal
email display
Try SMTP interaction for yourself:
telnet servername 25
see 220 reply from server
enter HELO, MAIL FROM, RCPT TO, DATA, QUIT
commands
“mail from:”the domain may need to be existed
“rcpt to:”the user needs to be existed
A mail server may or may not support “relay”
CS email server supports relay from Eustis machine
“from:”“to:”“subject:”are what shown in normal
email display
Using Telnet
On department Eustis or eustis2 Linux machine:
telnet longwood.cs.ucf.edu 25
In telnet interaction, “backspace” is not supported.
You can type “ctrl+backspace” to erase previous two
characters
On Windows 7 machine:
Telnet is not installed by default, check this tutorial
for install:
http://technet.microsoft.com/en-
us/library/cc771275%28v=ws.10%29.aspx
7
On department Eustis or eustis2 Linux machine:
telnet longwood.cs.ucf.edu 25
In telnet interaction, “backspace” is not supported.
You can type “ctrl+backspace” to erase previous two
characters
On Windows 7 machine:
Telnet is not installed by default, check this tutorial
for install:
http://technet.microsoft.com/en-
us/library/cc771275%28v=ws.10%29.aspx
7
Advanced Manual Spam
But the above manual spam can only send text-only
spam email!
Effective spam and phishing email needs to have
authorities figures/logos.
Also need to have URLs
Especially for phishing
attack email
8
But the above manual spam can only send text-only
spam email!
Effective spam and phishing email needs to have
authorities figures/logos.
Also need to have URLs
Especially for phishing
attack email
8
Email with Attachment?
What if a normal email user wants to send graphic email
and has email attachment with any file format?
Original SMTP protocol only support 7-bit ASCII text
transmission
Manual email attachment:
Sender use base64 to encode file into pure ASCII text
Sender appends the text to her email
Receiver extract the encoded text part from received email
Receiver use base64 to decode to recover the original file
Troublesome, easy to make mistake!
9
What if a normal email user wants to send graphic email
and has email attachment with any file format?
Original SMTP protocol only support 7-bit ASCII text
transmission
Manual email attachment:
Sender use base64 to encode file into pure ASCII text
Sender appends the text to her email
Receiver extract the encoded text part from received email
Receiver use base64 to decode to recover the original file
Troublesome, easy to make mistake!
9
Message format: multimedia extensions
MIME (Multi-purpose Internet Mail Extensions)
multimedia mail extension, RFC 2045, 2056
additional lines in msg header declare MIME content type
From: [email protected]
To: [email protected]
Subject: Picture of yummy crepe.
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Type: image/jpeg
base64 encoded data .....
.........................
......base64 encoded data
multimedia data
type, subtype,
parameter declaration
method used
to encode data
encoded data
MIME version
MIME (Multi-purpose Internet Mail Extensions)
multimedia mail extension, RFC 2045, 2056
additional lines in msg header declare MIME content type
From: [email protected]
To: [email protected]
Subject: Picture of yummy crepe.
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Type: image/jpeg
base64 encoded data .....
.........................
......base64 encoded data
multimedia data
type, subtype,
parameter declaration
method used
to encode data
encoded data
MIME version
MIME
Check some real email examples to see how MIME is
implemented
Content-Type: multipart/mixed;
boundary="_002_D2E669A13641EMichaelMacedoniaucfedu_"
MIME-Version: 1.0
--_002_D2E669A13641EMichaelMacedoniaucfedu_
Content-Type: text/plain; charset="us-ascii"
Content-ID: <[email protected]>
Content-Transfer-Encoding: quoted-printable
--_002_D2E669A13641EMichaelMacedoniaucfedu_
Content-Type: application/pdf;
name="CAE-Tech-Talk-Vogtembing-Omari-18Feb2016.pdf"
Content-Description: CAE-Tech-Talk-Vogtembing-Omari-18Feb2016.pdf
Content-Disposition: attachment;
filename="CAE-Tech-Talk-Vogtembing-Omari-18Feb2016.pdf"; size=355404;
creation-date="Sun, 14 Feb 2016 22:28:23 GMT";
modification-date="Sun, 14 Feb 2016 22:28:23 GMT"
Content-ID: <[email protected]>
Content-Transfer-Encoding: base64
11
Check some real email examples to see how MIME is
implemented
Content-Type: multipart/mixed;
boundary="_002_D2E669A13641EMichaelMacedoniaucfedu_"
MIME-Version: 1.0
--_002_D2E669A13641EMichaelMacedoniaucfedu_
Content-Type: text/plain; charset="us-ascii"
Content-ID: <[email protected]>
Content-Transfer-Encoding: quoted-printable
--_002_D2E669A13641EMichaelMacedoniaucfedu_
Content-Type: application/pdf;
name="CAE-Tech-Talk-Vogtembing-Omari-18Feb2016.pdf"
Content-Description: CAE-Tech-Talk-Vogtembing-Omari-18Feb2016.pdf
Content-Disposition: attachment;
filename="CAE-Tech-Talk-Vogtembing-Omari-18Feb2016.pdf"; size=355404;
creation-date="Sun, 14 Feb 2016 22:28:23 GMT";
modification-date="Sun, 14 Feb 2016 22:28:23 GMT"
Content-ID: <[email protected]>
Content-Transfer-Encoding: base64
11
Advanced Manual Spam
Two ways for including images in email
Include images by URLs
The email itself does not have the content of the images
<imgsrc="http://www.cs.ucf.edu/~czou/images/smallUCF.gif"
height="76" width="200">
Include image content with the email
Use MIME protocol to include image content
--94eb2c06b65cf653cd052b8b8da4
Content-Type: image/gif; name="ucf-gold.gif"
Content-Disposition: inline; filename="ucf-gold.gif"
Content-Transfer-Encoding: base64
R0lGODlhZABkAOYAAP////f399bW1sbGxr29vc7Gvb21pca1jL
Ka2ECK2MGKWECM7Gpefetd7GWr2lQrWcOa2UMbWcMa2U
…………………………………………………….
--94eb2c06b65cf653cd052b8b8da4--
12
Two ways for including images in email
Include images by URLs
The email itself does not have the content of the images
<imgsrc="http://www.cs.ucf.edu/~czou/images/smallUCF.gif"
height="76" width="200">
Include image content with the email
Use MIME protocol to include image content
--94eb2c06b65cf653cd052b8b8da4
Content-Type: image/gif; name="ucf-gold.gif"
Content-Disposition: inline; filename="ucf-gold.gif"
Content-Transfer-Encoding: base64
R0lGODlhZABkAOYAAP////f399bW1sbGxr29vc7Gvb21pca1jL
Ka2ECK2MGKWECM7Gpefetd7GWr2lQrWcOa2UMbWcMa2U
…………………………………………………….
--94eb2c06b65cf653cd052b8b8da4--
12
Advanced Manual Spam
But how to generate the Figure-based spam email
manually with ease?
Send the email to yourself by using a web-based email
service
Upon receiving the email, show the email original text
Gmail has the option “Show Original”
Copy the text of the email into a pure text editor (such
as notepad, notepad++,…)
In Telnet manual spam sending, after “Data”
command, paste those text
13
But how to generate the Figure-based spam email
manually with ease?
Send the email to yourself by using a web-based email
service
Upon receiving the email, show the email original text
Gmail has the option “Show Original”
Copy the text of the email into a pure text editor (such
as notepad, notepad++,…)
In Telnet manual spam sending, after “Data”
command, paste those text
13
Outside campus network, department email server does
not accept:
You need to first setup VPN to campus network, then use telnet
How to set up VPN:
https://publishing.ucf.edu/sites/itr/cst/Pages/NSvpn.aspx
Even inside campus network, directly telnet EECS email server
will not work now because of the CS server’s new restriction
You can connect to Eustis machine, then run telnet command
inside Eustis machine to connect to CS email server.
14
not accept:
You need to first setup VPN to campus network, then use telnet
How to set up VPN:
https://publishing.ucf.edu/sites/itr/cst/Pages/NSvpn.aspx
Even inside campus network, directly telnet EECS email server
will not work now because of the CS server’s new restriction
You can connect to Eustis machine, then run telnet command
inside Eustis machine to connect to CS email server.
14
15
Email in the early 1980’s
Network 1
Network 2
Network 3
Mail
relay
Mail
relay
sender
recipient
•Mail Relay: forwards mail to next hop.
•Sender path includes path through relays.
Email in the early 1980’s
Network 1
Network 2
Network 3
relay
relay
sender
recipient
•Mail Relay: forwards mail to next hop.
•Sender path includes path through relays.
Why Email Server Support Relay?
Wiki tutorial:
http://en.wikipedia.org/wiki/Open_mail_relay
Old days network constraint makes it necessary
Email agent uses SMTP to send email on behalf of a user
The user could choose which email address to use as the sender
Email server supports email group list:
The “sender” shown in email is the group list address, but the real
sender is a different person
Closing Relay:
Messages from local IP addresses to local mailboxes
Messages from local IP addresses to non-local mailboxes
Messages from non-local IP addresses to local mailboxes
Messages from clients that are authenticated and authorized
16
Wiki tutorial:
http://en.wikipedia.org/wiki/Open_mail_relay
Old days network constraint makes it necessary
Email agent uses SMTP to send email on behalf of a user
The user could choose which email address to use as the sender
Email server supports email group list:
The “sender” shown in email is the group list address, but the real
sender is a different person
Closing Relay:
Messages from local IP addresses to local mailboxes
Messages from local IP addresses to non-local mailboxes
Messages from non-local IP addresses to local mailboxes
Messages from clients that are authenticated and authorized
16
17
Spoofed email
SMTP: designed for a trusting world …
Data in MAIL FROM totally under control of sender
… an old example of improper input validation
Recipient’s mail server:
Only sees IP address of direct peer
Recorded in the first Fromheader
Spoofed email
SMTP: designed for a trusting world …
Data in MAIL FROM totally under control of sender
… an old example of improper input validation
Recipient’s mail server:
Only sees IP address of direct peer
Recorded in the first Fromheader
18
The received header
Sending spoofed mail to myself:
From [email protected] (172.24.64.20) ...
Received: from cs-smtp-1.stanford.edu
Received: from smtp3.stanford.edu
Received: from cipher.Stanford.EDU
Receivedheader inserted by relays ---untrustworthy
Fromheader inserted by recipient mail server
From
relays
The received header
Sending spoofed mail to myself:
From [email protected] (172.24.64.20) ...
Received: from cs-smtp-1.stanford.edu
Received: from smtp3.stanford.edu
Received: from cipher.Stanford.EDU
Receivedheader inserted by relays ---untrustworthy
Fromheader inserted by recipient mail server
From
relays
19
Spam Blacklists
RBL: Realtime Blackhole Lists
Includes servers or ISPs that generate lots of spam
spamhaus.org , spamcop.net
Effectiveness (stats from spamhaus.org):
RBL can stop about 15-25% of incoming spam at SMTP
connection time,
Over 90% of spam with message body URI checks
Spammer goal:
Evade blacklists by hiding its source IP address.
Spam Blacklists
RBL: Realtime Blackhole Lists
Includes servers or ISPs that generate lots of spam
spamhaus.org , spamcop.net
Effectiveness (stats from spamhaus.org):
RBL can stop about 15-25% of incoming spam at SMTP
connection time,
Over 90% of spam with message body URI checks
Spammer goal:
Evade blacklists by hiding its source IP address.
Spamming techniques
21
Open relays
SMTP Relay forwards mail to destination
1.Bulk email tool connects via SMTP (port 25)
2.Sends list of recipients (via RCPT TO command)
3.Sends email body ---once for all recipients
4.Relay delivers message
Honest relay:
Adds Receivedheader revealing source IP
Hacked relay does not
Open relays
SMTP Relay forwards mail to destination
1.Bulk email tool connects via SMTP (port 25)
2.Sends list of recipients (via RCPT TO command)
3.Sends email body ---once for all recipients
4.Relay delivers message
Honest relay:
Adds Receivedheader revealing source IP
Hacked relay does not
22
Example: bobax worm
Infects machines with high bandwidth
Exploits MS LSASS.exe buffer overflow vulnerability
Slow spreading:
Spreads on manual command from operator
Then randomly scans for vulnerable machines
On infected machine: (spam zombie)
Installs hacked open mail relay. Used for spam.
Once spam zombie added to RBL:
Worm spreads to other machines
Example: bobax worm
Infects machines with high bandwidth
Exploits MS LSASS.exe buffer overflow vulnerability
Slow spreading:
Spreads on manual command from operator
Then randomly scans for vulnerable machines
On infected machine: (spam zombie)
Installs hacked open mail relay. Used for spam.
Once spam zombie added to RBL:
Worm spreads to other machines
23
Open HTTPproxies
Web cache (HTTP/HTTPS proxy) --e.g. squid
To spam: CONNECT SpamRecipient-IP 25
SMTP Commands
Squid becomes a mail relay …
Squid
Web
Cache
CONNECT xyz.com 443
ClientHello Web
Server
xyz.com
URL: HTTPS://xyz.com
ClientHello
ServerHello
ServerHello
Open HTTPproxies
Web cache (HTTP/HTTPS proxy) --e.g. squid
To spam: CONNECT SpamRecipient-IP 25
SMTP Commands
Squid becomes a mail relay …
Squid
Web
Cache
CONNECT xyz.com 443
ClientHello Web
Server
xyz.com
URL: HTTPS://xyz.com
ClientHello
ServerHello
ServerHello
24
Finding proxies
Squid manual: (squid.conf)
acl Safe_ports port 80 443
http_access deny !Safe_ports
URLs for other ports will be denied
Similar problem with SOCKS proxies
Some open proxy and open relay listing services:
http://www.multiproxy.org/
http://www.stayinvisible.com/
http://www.blackcode.com/proxy/
http://www.openproxies.com/ (20$/month)
Finding proxies
Squid manual: (squid.conf)
acl Safe_ports port 80 443
http_access deny !Safe_ports
URLs for other ports will be denied
Similar problem with SOCKS proxies
Some open proxy and open relay listing services:
http://www.multiproxy.org/
http://www.stayinvisible.com/
http://www.blackcode.com/proxy/
http://www.openproxies.com/ (20$/month)
25
Open Relays vs. Open Proxies
HTTP proxy design problem:
Port 25 should have been blocked by default
Otherwise, violates principal of least privilege
Relay vs. proxy:
Relay takes list of address and send msg to all
Proxy: spammer must send msg body to each recipient through
proxy.
zombies typically provide hacked mail relays.
Open Relays vs. Open Proxies
HTTP proxy design problem:
Port 25 should have been blocked by default
Otherwise, violates principal of least privilege
Relay vs. proxy:
Relay takes list of address and send msg to all
Proxy: spammer must send msg body to each recipient through
proxy.
zombies typically provide hacked mail relays.
26
Thin pipe / Thick pipe method
Spam source has
High Speed Broadband connection (HSB)
Controls a Low Speed Zombie (LSZ)
Assumes no egress filtering at HSB’s ISP
Hides IP address of HSB. LSZ is blacklisted.
Target
SMTP
Server
HSB
LSZ
TCP handshake
TCP Seq #s
SMTP bulk mail
(Source IP = LSZ)
Thin pipe / Thick pipe method
Spam source has
High Speed Broadband connection (HSB)
Controls a Low Speed Zombie (LSZ)
Assumes no egress filtering at HSB’s ISP
Hides IP address of HSB. LSZ is blacklisted.
Target
SMTP
Server
HSB
LSZ
TCP handshake
TCP Seq #s
SMTP bulk mail
(Source IP = LSZ)
27
Bulk email tools (spamware)
Automate:
Message personalization
Also test against spam filters (e.g. spamassassin)
Mailing list and proxy list management
Bulk email tools (spamware)
Automate:
Message personalization
Also test against spam filters (e.g. spamassassin)
Mailing list and proxy list management
28
Send-Safe bulk emailer
Send-Safe bulk emailer
Anti-spam methods
30
The law: CAN-SPAM act (Jan. 2004)
Bans false or misleading header information
To: and From: headers must be accurate
Prohibits deceptive subject lines
Requires an opt-out method
Requires that email be identified as advertisement
... and include sender's physical postal address
Also prohibits various forms of email harvesting
and the use of proxies
The law: CAN-SPAM act (Jan. 2004)
Bans false or misleading header information
To: and From: headers must be accurate
Prohibits deceptive subject lines
Requires an opt-out method
Requires that email be identified as advertisement
... and include sender's physical postal address
Also prohibits various forms of email harvesting
and the use of proxies
31
Effectiveness of CAN-SPAM
Enforced by the FTC:
FTC spam archive [email protected]
Penalties: 11K per act
Dec ’05 FTC report on effectiveness of CAN-SPAM:
50 cases in the US pursued by the FTC
No impact on spam originating outside the US
Open relays hosted on bot-nets make it difficult
to collect evidence
http://www.ftc.gov/spam/
Effectiveness of CAN-SPAM
Enforced by the FTC:
FTC spam archive [email protected]
Penalties: 11K per act
Dec ’05 FTC report on effectiveness of CAN-SPAM:
50 cases in the US pursued by the FTC
No impact on spam originating outside the US
Open relays hosted on bot-nets make it difficult
to collect evidence
http://www.ftc.gov/spam/
32
Sender verification I: SPF
(sender policy framework)
Goal: prevent spoof email claiming to be from HotMail
Why? Bounce messages flood HotMail system
DNS
hotmail.com:
SPF record:
64.4.33.7
64.4.33.8
Recipient
Mail
Server
(MUA)
Sender
MAIL FROM
[email protected]
hotmail.com
64.4.33.7
64.4.33.8
Is SenderIP
in list?
More precisely: hotmail.com TXT v=spf1 a:mailers.hotmail.com -all
Sender verification I: SPF
(sender policy framework)
Goal: prevent spoof email claiming to be from HotMail
Why? Bounce messages flood HotMail system
DNS
hotmail.com:
SPF record:
64.4.33.7
64.4.33.8
Recipient
Server
(MUA)
Sender
MAIL FROM
[email protected]
hotmail.com
64.4.33.7
64.4.33.8
Is SenderIP
in list?
More precisely: hotmail.com TXT v=spf1 a:mailers.hotmail.com -all
33
Sender verification II: DKIM
Domain Keys Identified Mail (DKIM)
Same goal as SPF. Harder to spoof.
Basic idea:
Sender’s MTA signs email
Including body and selected header fields
Receiver’s MUA checks signature
Rejects email if invalid
Sender’s public key managed by DNS
Subdomain: _domainkey.hotmail.com
Sender verification II: DKIM
Domain Keys Identified Mail (DKIM)
Same goal as SPF. Harder to spoof.
Basic idea:
Sender’s MTA signs email
Including body and selected header fields
Receiver’s MUA checks signature
Rejects email if invalid
Sender’s public key managed by DNS
Subdomain: _domainkey.hotmail.com
34
Graylists
Recipient’s mail server records triples:
(sender email, recipient email, peer IP)
Mail server maintains DB of triples
First time: triple not in DB:
Mail server sends 421 reply: “I am busy”
Records triple in DB
Second time(after 5 minutes):allow email to pass
Triples kept for 3 days (configurable)
Easy to defeat but currently works well.
Graylists
Recipient’s mail server records triples:
(sender email, recipient email, peer IP)
Mail server maintains DB of triples
First time: triple not in DB:
Mail server sends 421 reply: “I am busy”
Records triple in DB
Second time(after 5 minutes):allow email to pass
Triples kept for 3 days (configurable)
Easy to defeat but currently works well.
35
Puzzles and CAPTCHA
General DDoS defense techniques
Puzzles: slow down spam server
Every email contains solution to puzzle where
challenge = (sender, recipient, time)
CAPTCHA:
Completely Automated Public Turing test to tell Computers and
Humans Apart
Every email contains a token
Sender obtains tokens from a CAPTCHA server
Say: 100 tokens for solving a CAPTCHA
CAPTCHA server ensures tokens are not reused
Either method is difficult to deploy.
Puzzles and CAPTCHA
General DDoS defense techniques
Puzzles: slow down spam server
Every email contains solution to puzzle where
challenge = (sender, recipient, time)
CAPTCHA:
Completely Automated Public Turing test to tell Computers and
Humans Apart
Every email contains a token
Sender obtains tokens from a CAPTCHA server
Say: 100 tokens for solving a CAPTCHA
CAPTCHA server ensures tokens are not reused
Either method is difficult to deploy.
SpamAssasin
Wiki tutorial:
http://en.wikipedia.org/wiki/SpamAssassin
Mainly a rule-based spam filter
Many rules to give scores for all fields in an email
Email header, special keywords in email, URLs in email, images in
email, …..
Final decision is the combined score compared with a threshold
Has false positive (treat normal as spam), and false negative
(treat spam as normal)
False positive is very damaging!
Nobody wants to lose an important email!
Also contains Bayesian filtering to match a user’s
statistical profile
Need known “ham” and “spam” email samples for training
36
Wiki tutorial:
http://en.wikipedia.org/wiki/SpamAssassin
Mainly a rule-based spam filter
Many rules to give scores for all fields in an email
Email header, special keywords in email, URLs in email, images in
email, …..
Final decision is the combined score compared with a threshold
Has false positive (treat normal as spam), and false negative
(treat spam as normal)
False positive is very damaging!
Nobody wants to lose an important email!
Also contains Bayesian filtering to match a user’s
statistical profile
Need known “ham” and “spam” email samples for training
36
SpamAssasin
You can find the rule list at:
http://spamassassin.apache.org/tests_3_3_x.html
Your manual spam is possible to be labeled by our CS
email server as spam, based on SpamAssasin’s score
The text information added by SpamAssasin tells you what rule
gives the email suspicious positive score
It could help real Spammer to improve their spam email to
circumvent SpamAssasin detection
Gmail spam detection algorithm is not public
A helpful article: https://www.quora.com/How-does-Gmail-
spam-detection-works
37
You can find the rule list at:
http://spamassassin.apache.org/tests_3_3_x.html
Your manual spam is possible to be labeled by our CS
email server as spam, based on SpamAssasin’s score
The text information added by SpamAssasin tells you what rule
gives the email suspicious positive score
It could help real Spammer to improve their spam email to
circumvent SpamAssasin detection
Gmail spam detection algorithm is not public
A helpful article: https://www.quora.com/How-does-Gmail-
spam-detection-works
37
Part II:
Phishing & Pharming
Phishing & Pharming
39
40
Note: no SSL. Typically: short lived sites.
Note: no SSL. Typically: short lived sites.
41
Common Phishing Methods
Often phishing sites hosted on bot-net drones.
Move from bot to bot using dynamic DNS.
Use domain names such as:
www.ebay.com.badguy.com
Use URLs with multipleredirections:
http://www.chase.com/url.php?url=“http://www.phish.com”
Use randomized links:
http://www.some-poor-sap.com/823548jd/
Common Phishing Methods
Often phishing sites hosted on bot-net drones.
Move from bot to bot using dynamic DNS.
Use domain names such as:
www.ebay.com.badguy.com
Use URLs with multipleredirections:
http://www.chase.com/url.php?url=“http://www.phish.com”
Use randomized links:
http://www.some-poor-sap.com/823548jd/
42
Industry Response
Anti-phishing toolbars: Netcraft, EBay, Google, IE7
IE7 phishing filter:
Whitelisted sites are not checked
Other sites: (stripped) URL sent to MS server
Server responds with “OK” or “phishing”
Industry Response
Anti-phishing toolbars: Netcraft, EBay, Google, IE7
IE7 phishing filter:
Whitelisted sites are not checked
Other sites: (stripped) URL sent to MS server
Server responds with “OK” or “phishing”
Check Browser for HTTP or HTTPS
43
HTTP
HTTPS
The server’s digital
Certificate has been
verified
43
HTTP
HTTPS
The server’s digital
Certificate has been
verified
44
Pharming
Cause DNS to point to phishing site
Examples:
1.DNS cache poisoning
2.Write an entry into machine’s /etc/hosts file:
“ Phisher-IP Victim-Name ”
URL of phishing site is identical to victim’s URL
… will bypass all URL checks
Pharming
Cause DNS to point to phishing site
Examples:
1.DNS cache poisoning
2.Write an entry into machine’s /etc/hosts file:
“ Phisher-IP Victim-Name ”
URL of phishing site is identical to victim’s URL
… will bypass all URL checks
45
Response: High assurance certs
More careful validation of cert issuance
On browser (IE7) :
… but most phishing sites do not use HTTPS
Response: High assurance certs
More careful validation of cert issuance
On browser (IE7) :
… but most phishing sites do not use HTTPS
46
Other industry responses: SiteKey
ING bank login
Other industry responses: SiteKey
ING bank login
Research: SiteKey is not secure
47
“The Emperor's New Security Indicators”. Stuart E.
Schechter, RachnaDhamija, Andy Ozment, and Ian
Fischer. IEEE Security & Privacy 2007.
MITM attack: man-in-the-middle attack that strips off SSL. The only visible
indication of the attack is that lack of a HTTPS indicator (no HTTPS in the
address bar, no lock icon, etc.).
Security image attack: The researchers simulated a phishing attack. In this
attack, it looks like the users are interacting with the real bank site, except that
the SiteKeysecurity image (and security phrase) is missing. In its place, the
attack places the following text:
SiteKeyMaintananceNotice: Bank of America is currently upgrading our
award winning SiteKeyfeature. Please contact customer service if your SiteKey
does not reappear within the next 24 hours.
47
“The Emperor's New Security Indicators”. Stuart E.
Schechter, RachnaDhamija, Andy Ozment, and Ian
Fischer. IEEE Security & Privacy 2007.
MITM attack: man-in-the-middle attack that strips off SSL. The only visible
indication of the attack is that lack of a HTTPS indicator (no HTTPS in the
address bar, no lock icon, etc.).
Security image attack: The researchers simulated a phishing attack. In this
attack, it looks like the users are interacting with the real bank site, except that
the SiteKeysecurity image (and security phrase) is missing. In its place, the
attack places the following text:
SiteKeyMaintananceNotice: Bank of America is currently upgrading our
award winning SiteKeyfeature. Please contact customer service if your SiteKey
does not reappear within the next 24 hours.
48
Industry Response:
Defending against Keylogger
Industry Response:
Defending against Keylogger
49
ING PIN Guard
ING PIN Guard
50
Some ID Protection Tools
SpoofGuard:(NDSS ’04)
Alerts user when viewing a spoofed web page.
Uses variety of heuristics to identify spoof pages.
Some SpoofGuard heuristics used in
eBay toolbarandEarthlink ScamBlocker.
PwdHash: (Usenix Sec ’05)
Browser extension for strengthening pwd web auth.
Being integrated with RSA SecurID.
Some ID Protection Tools
SpoofGuard:(NDSS ’04)
Alerts user when viewing a spoofed web page.
Uses variety of heuristics to identify spoof pages.
Some SpoofGuard heuristics used in
eBay toolbarandEarthlink ScamBlocker.
PwdHash: (Usenix Sec ’05)
Browser extension for strengthening pwd web auth.
Being integrated with RSA SecurID.
51
Password Hashing (pwdhash.com)
Generate a unique password per site
HMAC
fido:123
(banka.com) Q7a+0ekEXb
HMAC
fido:123
(siteb.com) OzX2+ICiqc
Hashed password is not usable at any other site
Bank A
Site B
pwd
A
pwd
B
=
Password Hashing (pwdhash.com)
Generate a unique password per site
HMAC
fido:123
(banka.com) Q7a+0ekEXb
HMAC
fido:123
(siteb.com) OzX2+ICiqc
Hashed password is not usable at any other site
Bank A
Site B
pwd
A
pwd
B
=
Problems of Password Hashing
Need to install a client program on user’s machine
It means the user cannot use other machines to log in to her
accounts
Different websites have different requirements on
password format
# of characters
Special characters, capital characters,….
This means that the pwdHash client program must know the
formats of all users’ accounts
52
Need to install a client program on user’s machine
It means the user cannot use other machines to log in to her
accounts
Different websites have different requirements on
password format
# of characters
Special characters, capital characters,….
This means that the pwdHash client program must know the
formats of all users’ accounts
52
53
Take home message
Deployed insecure services (proxies, relays)
Quickly exploited
Cause trouble for everyone
Current web user authentication is vulnerable
to spoofing
Users are easily fooled into entering password
in an insecure location
Take home message
Deployed insecure services (proxies, relays)
Quickly exploited
Cause trouble for everyone
Current web user authentication is vulnerable
to spoofing
Users are easily fooled into entering password
in an insecure location
Tags
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 21
- Slides 53
- Age 531 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
49 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
48 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
35 views
21
Know for Certain
DaveSinNM
23 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views