Spam, Spam, Spam
Why is spam interesting?
• Everyone can observe spam.
• Spam / anti-spam is a highly evolved form of information warfare.
• Fascinating socioeconomic study with many players: users, ISPs, spammers, technologists, legal systems.
• Spam is a microcosm of the network security problem.
Evolution of broadcast methods, 1997 - 2007
• Shell accounts
• Open relays
• Dedicated “ISPs”
• Hacked accounts
• Hosted webmail services
• 90% of spam comes from botnets today.
Botnets & Zombies
• An army of hacked (or zombied) computers.
• A small botnet is powerful: 1000 bots = 100 MB/s.
• “The Storm worm botnet has grown so massive and far-reaching that it easily overpowers the world's top supercomputers.” -- [2]
• “2 million different computers in the botnet sending out spam on any given day... botnet could be as large as 50 million computers.” -- [2]
• As of September 2007, 93% of email is spam, 90% of which comes from botnets.
Botnets & Zombies
• A platform for attack. Underground sales of botnet time.
• A new application for malware.
• Anonymous. Bot activity is throttled to keep it under the radar. Sophisticated installation to evade AV detection.
• An example of economic externality: fighting bots is hard due to misaligned incentives.
• Spam is the most lucrative application of botnets so far. Click fraud is a close second.
State of Spam
• 93% of all email traffic is spam (Cloudmark)
• 98B spam messages per day worldwide (Ironport)
• 28% increase in spam volume from June to Sept 2006 (Symantec)
• 59% of all phishing sites are in the US (Symantec)
• 8% of users click on phishing scams (Cloudmark)
• 29% of internet-connected computers in China are zombies (Symantec)
It’s the economics...
• Network attacks are about making money. When a major attack happens, someone is making cash, usually lots of it.
• A duo of stock spammers were recently charged; they made $20M in 2 months.
• Attackers select the most valuable and least defended targets.
Why email?
• Email is the #1 internet app. (High value)
• Spamming took off in the late 90s when e-commerce transactions on the web became commonplace. (High value)
• Non-metered, targeted messaging network. (Ease of attack)
• Attacks can be very anonymous, which reduces exposure. (Ease of attack)
New Targets
[Figure: new targets plotted by value to attacker against ease of exploiting the target: Social Networks, Click fraud, DNS, Windows Malware, Mobile Devices*]
Spam vs Anti-spam
• Dedicated anti-spam efforts started in the late 90s: RBL, ORBS, Razor, SpamAssassin.
• The effects of anti-spam measures are easily and immediately observable by spammers.
• Anti-spam must thrive in an environment that is directly hostile to it.
• A classic non-cooperative game.
Anti-Spam Landscape
• Forensics
• DNS-based sender IP ACLs
• Text classification
• URI BLs
• Collaborative filtering systems
• Sender authentication & reputation
Sender IP ACLs
• DNS list of IPs known to send spam.
• Evidence-based and policy-based listings.
• High performance: a spam message can be rejected at the SMTP protocol level.
• Free.
• Diversification and camouflage afforded by zombies are making these less useful.
• Example: Spamhaus.
Text Classification
• Naive Bayesian (“A Plan for Spam”)
• SVMs, kNN also used
• Language- and corpus-dependent
• Online training
• Feature selection
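As an added example (not from the slides or the speaker), a minimal token-level Naive Bayes filter in the style of “A Plan for Spam”: online training one message at a time, good counts doubled to bias against false positives, per-token probabilities clamped to [0.01, 0.99], and only the most interesting tokens combined. The training corpus is constructed for the demo, and min_count is lowered from the usual 5 only because that corpus is tiny.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not from the slides); real corpora are far larger.
SPAM = ["buy cheap pills now click here free offer", "free money click here now limited offer",
        "cheap pills buy now click", "win a free prize click here"]
HAM = ["meeting moved to tuesday please review the agenda", "attached is the quarterly report for review",
       "can we schedule the design review for thursday", "lunch on tuesday after the meeting"]

def tokenize(text):
    return set(re.findall(r"[a-z0-9$!'-]+", text.lower()))  # each token counted once per message

class PlanForSpam:
    def __init__(self, min_count=5, n_interesting=15, threshold=0.9):
        self.docs = {True: Counter(), False: Counter()}  # per class: messages containing token
        self.n = {True: 0, False: 0}                     # messages seen per class (True = spam)
        self.min_count, self.n_interesting, self.threshold = min_count, n_interesting, threshold

    def train(self, text, is_spam):
        # Online training: counts are updated one message at a time, no batch refit.
        self.n[is_spam] += 1
        for tok in tokenize(text):
            self.docs[is_spam][tok] += 1

    def token_prob(self, tok):
        # P(spam | token); good counts are doubled to bias against false positives.
        g, b = 2 * self.docs[False][tok], self.docs[True][tok]
        if g + b < self.min_count or not (self.n[True] and self.n[False]):
            return None  # too rare to count as evidence
        p = (b / self.n[True]) / (g / self.n[False] + b / self.n[True])
        return min(0.99, max(0.01, p))  # clamp: no single token is ever absolute proof

    def score(self, text):
        # Combine only the most "interesting" tokens, those farthest from 0.5.
        probs = [p for p in map(self.token_prob, tokenize(text)) if p is not None]
        probs = sorted(probs, key=lambda p: abs(p - 0.5), reverse=True)[:self.n_interesting]
        if not probs:
            return 0.5  # nothing known about this message: undecided
        prod, inv = math.prod(probs), math.prod(1 - p for p in probs)
        return prod / (prod + inv)

    def is_spam(self, text):
        return self.score(text) > self.threshold

def build_demo():
    f = PlanForSpam(min_count=1)  # min_count lowered only because the corpus is tiny
    for msg, spam in [(m, True) for m in SPAM] + [(m, False) for m in HAM]:
        f.train(msg, spam)
    return f
```

A message made only of never-seen tokens scores exactly 0.5, which is why a real deployment keeps training on corrected verdicts rather than trusting the initial corpus.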
URI Blacklists
• Internet domains cost money; of everything in a spam message, they are the most expensive for the spammer to change.
• Razor and SURBL started listing spammer domains in 2003.
• Spam domains registered in 2003: 45,000
• Spam domains registered in 2006: 869,000
• Attrition warfare.
Collaborative Filtering
• Razor / Cloudmark is a collaborative filter.
• Rapid distribution of intelligence.
• Control system design.
• Fingerprinting.
• Trust metric.
• Large scale: filtering over 7B messages / day.
Authentication
• SPF
• DomainKeys
• Sender reputation
Recommend
More recommend