Spam, Spam, Spam - PowerPoint PPT Presentation

SLIDE 1

Spam, Spam, Spam

SLIDE 2

Why is spam interesting?

  • Spam is a microcosm of the network security problem.
  • Everyone can observe spam.
  • Spam / Anti-spam is a highly evolved form of information warfare.
  • Fascinating socioeconomic study with many players - users, ISPs, spammers, technologists, legal systems.

SLIDE 3

Evolution of broadcast methods 1997 - 2007

  • Shell accounts
  • Open Relays
  • Dedicated “ISPs”
  • Hacked Accounts
  • Hosted Webmail services
  • 90% of spam comes from Botnets today.

SLIDE 4

Botnets & Zombies

  • An army of hacked (or zombied) computers.
  • A small botnet is powerful. 1000 bots = 100 MB/s.
  • “The Storm worm botnet has grown so massive and far-reaching that it easily overpowers the world's top supercomputers.” -- [2]
  • “2 million different computers in the botnet sending out spam on any given day... botnet could be as large as 50 million computers.” -- [2]
  • As of September 2007, 93% of email is spam, 90% of which comes from botnets.

SLIDE 5

Botnets & Zombies

  • A platform for attack. Underground sales of botnet time.
  • A new application for malware.
  • Anonymous. Bot activity is throttled to keep it under the radar. Sophisticated installation - AV detection.
  • An example of economic externality. Fighting bots is hard due to misaligned incentives.
  • Spam is the most lucrative application of botnets so far. Click fraud is close second.

SLIDE 6

State of Spam

  • 93% of all email traffic is spam (Cloudmark)
  • 98B spam per day worldwide (Ironport)
  • 28% increase in spam volume from June to Sept 2006 (Symantec)
  • 59% of all phishing sites in the US (Symantec)
  • 8% users click on phishing scams (Cloudmark)
  • 29% of internet connected computers in China are Zombies (Symantec)

SLIDE 7

It’s the economics...

  • Network attacks are about making money. When a major attack happens, someone is making cash, usually lots of it.
  • A duo of stock spammers were recently charged - they made $20M in 2 months.
  • Attackers select most valuable and least defended targets.

SLIDE 8

Why email?

  • Email is #1 internet app. (High Value)
  • Spamming took off in late 90s when e-commerce transactions on the web became commonplace. (High Value)
  • Non-metered, targeted messaging network. (Ease of attack)
  • Attacks can be very anonymous, which reduces exposure. (Ease of attack).

SLIDE 9

New Targets Social Networks Click fraud DNS Windows Malware Mobile Devices*

SLIDE 10

Ease of Exploiting Target Value to Attacker = Targets

New Targets Social Networks Click fraud DNS Windows Malware Mobile Devices*

SLIDE 11

Spam vs Anti-spam

  • Dedicated anti-spam efforts started in late 90s. RBL, ORBS, Razor, Spamassassin.
  • Effects of Anti-Spam are easily and immediately accessible to spammers.
  • Anti-spam must thrive in an environment that is directly hostile to it.
  • A classic non-cooperative game.
SLIDE 12

Anti Spam Landscape

  • Forensics
  • DNS based Sender IP ACLs
  • Text Classification
  • URI BLs
  • Collaborative Filtering Systems
  • Sender Authentication & Reputation

SLIDE 13

Sender IP ACLs

  • DNS list of IPs known to send spam.
  • Evidence based, policy based
  • High performance - spam message can be rejected at protocol level.
  • Free.
  • Diversification and camouflage afforded by zombies is making these less useful.
  • Spamhaus
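
The lookup a mail server performs against a DNS-based sender IP list, as an added example that is not part of the original slides: the connecting IP is reversed, queried under the list's zone, and an answer in 127.0.0.0/8 means "listed", so the reject happens before any message data is accepted. The zone `dnsbl.example`, the addresses, the reply text and the stub resolver `fake_resolve` are constructed so the block runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Name to look up: reversed IPv4 octets (or IPv6 nibbles) + list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def check_sender(ip, zone, resolve=socket.gethostbyname):
    """Decide at connect time, before any message data is accepted."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        # NXDOMAIN means "not listed". Timeouts land here too: fail open
        # so a list outage does not block all inbound mail.
        return ("accept", None)
    if not answer.startswith("127."):
        # Listings are answered from 127.0.0.0/8; anything else is a
        # misbehaving resolver or wildcard zone, not evidence of spam.
        return ("accept", None)
    return ("reject", f"554 5.7.1 [{ip}] listed in {zone} ({answer})")

# Constructed sample data: one listed address in a made-up zone.
LISTED = {"99.2.0.192.dnsbl.example": "127.0.0.2"}

def fake_resolve(name):
    """Offline stand-in for a DNS A lookup."""
    if name in LISTED:
        return LISTED[name]
    raise socket.gaierror("NXDOMAIN (constructed)")

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10", "2001:db8::1"):
        print(ip, check_sender(ip, "dnsbl.example", fake_resolve))
```

Because the verdict depends only on the connecting IP, a botnet that spreads its sending across many fresh addresses gets each one through until it is individually listed.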
SLIDE 14

Text Classification

  • Naive Bayesian (Plan for Spam)
  • SVMs, kNN also used
  • Language and corpus dependent
  • Online Training
  • Feature Selection

SLIDE 15

URI Blacklists

  • Internet domains cost money, most expensive to change.
  • Razor, SURBL started listing spammer domains in 2003.
  • Spam domains registered in 2003: 45,000
  • Spam domains registered in 2006: 869,000
  • Attrition Warfare
SLIDE 16

Collaborative Filtering

  • Razor / Cloudmark is a collaborative filter
  • Rapid distribution of intelligence
  • Control System design
  • Fingerprinting
  • Trust Metric
  • Large scale - filtering over 7B msg / day.
SLIDE 17

Authentication

  • SPF
  • DomainKeys
  • Sender Reputation