Spam

Spam, Andy Nguyen, 5/17/2004


Transcript of Spam

Page 1: Spam

Spam

Andy Nguyen

5/17/2004

Page 2: Spam

What is Spam?

• Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent.
• Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.
• A message is Spam only if it is both Unsolicited and Bulk (UBE)
  • Unsolicited Email is normal email (examples include first contact enquiries, job enquiries, sales enquiries)
  • Bulk Email is normal email (examples include subscriber newsletters, discussion lists, information lists)
• Technical Definition of “Spam”:
  • An electronic message is "spam" IF: (1) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (2) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND (3) the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender.

Source: www.spamhaus.org

Page 3: Spam

Effects of Spam

• Bandwidth Loss
• Connection Expense
• Unnecessary disk space usage
• Over-flowing user mail boxes
• Loss of productivity
• Fraud
• Costs estimated at $1 Billion/year
• Nearly 30% of AOL’s mail is Spam

Page 4: Spam

Spammers

• Use automated tools that analyze online content
• Methods
  • Looking through UseNet for email addresses
  • Mailing lists
  • Web pages (guest books, forums, etc.)
  • Dictionary attacks on user and domain names, using predictable email addresses
  • E-mail directories, white pages (Big Foot)
  • Chat Rooms

Page 5: Spam

Spam Defense

• Types of Defense:
  • Educational
  • Technical
  • Legal/Economical
• Issues for Technical Spam Solutions:
  • Deployment

Page 6: Spam

Blacklisting

• Blocking mail from servers that are known to be bad
• Can stop e-mail before it is sent out
• Uses DNS-based distribution scheme
• Issues:
  • Account Hopping – spammers use free e-mail addresses, spoof e-mail addresses, send through open relays/non-blacklisted servers to hide their point of origin
  • Should you trust the administrators of these blacklists?
    • Blacklist listing policies differ
    • Compromised blacklist can blacklist the internet (0/0), or allow everyone through
  • New/unknown mail servers? Also may prevent good mail from coming through
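The following is an added example, not part of the original slides. It shows how a DNS-based blacklist lookup is formed and how a mail server can notice a list that has started listing everything or nothing, using the test entries RFC 5782 requires (127.0.0.2 listed, 127.0.0.1 not listed). The zone name dnsbl.example, the resolver stub, the sample records and the policy of ignoring an unhealthy list are assumptions made for the example.

```python
import ipaddress

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # "listed" answers fall in this range

def dnsbl_name(ip, zone):
    """Query name for an IPv4 sender: reversed octets followed by the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] when there are none."""
    return any(ipaddress.ip_address(a) in LISTED_NET
               for a in resolve(dnsbl_name(ip, zone)))

def list_health(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    if is_listed("127.0.0.1", zone, resolve):
        return "lists-everything"
    if not is_listed("127.0.0.2", zone, resolve):
        return "lists-nothing"
    return "ok"

def check_sender(ip, zone, resolve):
    """Consult the list only when it passes the health check (assumed policy)."""
    health = list_health(zone, resolve)
    if health != "ok":
        return "ignore-list:" + health
    return "reject" if is_listed(ip, zone, resolve) else "accept"

def make_resolver(table, wildcard=None):
    """Constructed stand-in for a DNS resolver so the example runs offline."""
    def resolve(name):
        if name in table:
            return table[name]
        return [wildcard] if wildcard else []
    return resolve

# Constructed zone data for the hypothetical list "dnsbl.example".
HEALTHY = make_resolver({"2.0.0.127.dnsbl.example": ["127.0.0.2"],
                         "10.2.0.192.dnsbl.example": ["127.0.0.2"]})
LISTS_ALL = make_resolver({}, wildcard="127.0.0.2")  # answers for every name
EMPTY = make_resolver({})                            # answers for no name

if __name__ == "__main__":
    for label, r in (("healthy", HEALTHY), ("wildcard", LISTS_ALL), ("empty", EMPTY)):
        print(label, check_sender("192.0.2.10", "dnsbl.example", r))
```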

Page 7: Spam

Spam Poisoning

• Defense against e-mail harvesting
• Instead of [address]@example.com, use [address]@exampleREMOVETHIS.com
• Using images
• Generating fake web pages, with fake addresses
• Issues:
  • Once address is revealed, all effort spent concealing address wasted
  • Harvesters use search engines to find email addresses

Page 8: Spam

Distributed, Collaborative Filtering

• When a system receives spam, either from a user or “spam trap”, message is hashed and passed to closest server
• This mechanism maintains a distributed and constantly updating library of bulk mail
• Issues:
  • Users can abuse service and submit legitimate email
  • Spammers randomize their spam to change checksums (adding random strings etc.)
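The following is an added example, not part of the original slides. It shows why an exact checksum of a reported message stops matching once random text is appended, and how a near-duplicate comparison over word shingles (a substituted technique, not one the slides name) still matches the variant against the library. The sample messages, the shingle size and the 0.6 threshold are constructed for the example.

```python
import hashlib
import re

def exact_digest(body):
    """Checksum of the raw body, as an exact-match library would store it."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def shingles(body, k=3):
    """Set of overlapping k-word sequences after lowercasing and stripping punctuation."""
    words = re.findall(r"[a-z0-9]+", body.lower())
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def similarity(a, b):
    """Jaccard similarity of the two shingle sets, between 0.0 and 1.0."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)

def matches_library(body, library, threshold=0.6):
    """True when the body is a near-duplicate of any message already reported."""
    return any(similarity(body, known) >= threshold for known in library)

# Constructed sample messages.
REPORTED = ("Limited offer just for you: cheap replica watches shipped worldwide, "
            "click the link today to claim your discount")
VARIANT = REPORTED + " xq7f3 zk29a"   # same bulk message with random padding
LEGIT = ("Hi team, the quarterly planning meeting moved to Thursday at ten, "
         "please update your calendars and send agenda items")

if __name__ == "__main__":
    library = [REPORTED]
    print("exact match on variant:", exact_digest(VARIANT) == exact_digest(REPORTED))
    print("similarity to variant: ", round(similarity(REPORTED, VARIANT), 3))
    print("variant matches library:", matches_library(VARIANT, library))
    print("legit matches library:  ", matches_library(LEGIT, library))
```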

Page 9: Spam

Content Filtering

• Destination based defense
• Based on the content of the message
  • Bayesian Approach
• Issues:
  • Processing load on mail server
  • Doesn’t address bandwidth and storage issues
  • Accuracy isn’t 100%? Is this acceptable?
  • Spammers may run their e-mails through the filters in order to bypass them
  • Privacy issues

Page 10: Spam

Pricing Functions

• Basic Idea:
  • “If I don’t know you and want you to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message”
• Proof of effort takes some time to compute but is easily verifiable
  • Function based on a large number of scattered memory accesses
• Issues:
  • What about legitimate mailing lists?
  • Attackers could just compromise many machines to send out the mail (similar to DDoS)
  • Where would you deploy this? Between sender and mail server, or server-to-server?
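The following is an added example, not part of the original slides. It shows the asymmetry the slide describes: the sender searches for a stamp bound to one recipient and one message, and the recipient checks it with a single hash and refuses a stamp it has already seen. It uses a CPU-bound, hashcash-style SHA-256 puzzle as a stand-in for the memory-bound function the slide mentions; the stamp layout, the 18-bit difficulty, the addresses and the Mailbox class are assumptions made for the example.

```python
import hashlib
from itertools import count

def stamp_digest(recipient, message_id, nonce):
    """Hash that ties the effort to one recipient and one message."""
    return hashlib.sha256(f"{recipient}|{message_id}|{nonce}".encode()).digest()

def leading_zero_bits(digest):
    """Number of zero bits at the front of the digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(recipient, message_id, bits=18):
    """Sender side: about 2**bits hash attempts on average."""
    for nonce in count():
        if leading_zero_bits(stamp_digest(recipient, message_id, nonce)) >= bits:
            return nonce

def verify(recipient, message_id, nonce, bits=18):
    """Recipient side: one hash, however long the search took."""
    return leading_zero_bits(stamp_digest(recipient, message_id, nonce)) >= bits

class Mailbox:
    """Hypothetical recipient that accepts each valid stamp once."""
    def __init__(self, address, bits=18):
        self.address, self.bits, self.seen = address, bits, set()

    def accept(self, message_id, nonce):
        stamp = (message_id, nonce)
        if stamp in self.seen:
            return False                      # replayed stamp
        if not verify(self.address, message_id, nonce, self.bits):
            return False                      # wrong recipient, message or too little work
        self.seen.add(stamp)
        return True

if __name__ == "__main__":
    # Constructed addresses and message ids.
    nonce = mint("alice@example.org", "msg-0001")
    alice, bob = Mailbox("alice@example.org"), Mailbox("bob@example.org")
    print("attempts spent by sender:", nonce + 1)
    print("alice, first delivery:  ", alice.accept("msg-0001", nonce))
    print("alice, replay:          ", alice.accept("msg-0001", nonce))
    print("bob, same stamp:        ", bob.accept("msg-0001", nonce))
```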

Page 11: Spam

Internet Mail 2000

• New mailing protocol
• Changes “push” architecture to a “pull” architecture
  • Mail stored on sender’s server
• Issues:
  • New attacks are possible
  • Global deployment would be required

Page 12: Spam

Discussion

• Certified E-mail?
• National opt-out list?
• Human Skill-Challenges?
• Payment methods (charging a small fee when sending e-mail)
• Possible legislation
• Which approach do you think is best? Or should we use a combination of mechanisms?