Thursday, August 21, 2008

How Traffic Shaping Differs from Greylisting and Rate Limiting




Many hosting companies use anti-spam techniques that sound like traffic shaping to pre-filter spammers, but what they are actually doing is rate limiting. Rate limiting restricts the quantity of messages a sender can send in a particular time frame, or the number of recipients each message can have. A few years ago this worked against high-volume senders, but it has become less effective against today's botnets, which can trickle messages from many unique server IPs.

Until about 2005, a simple anti-spam technique called "greylisting" provided a very effective defense against spam. "Greylisting" means temporarily rejecting connections from new senders, forcing them to retry message delivery a number of times before their messages are accepted. The idea is that legitimate senders will retry (as required by the SMTP standard), whereas spammers will not (because their SMTP servers are often simplistic and not standards-compliant).

Greylisting was initially very effective at getting rid of spam. But with time, spammers wrote better software that was able to retry message delivery, getting spam through the greylisting barrier and into end users' mailboxes. Whereas greylisting was 50% effective in 2005, our latest statistics show that greylisting now gets rid of less than 10% of spam traffic.

Unfortunately this technique for controlling high spam traffic has become less effective since its creation in 2003 because spammers have simply written more intelligent spamming software.
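The greylisting decision described above, as an added example that is not part of the original post: a triplet of client IP, envelope sender and envelope recipient is temporarily rejected the first time it is seen and accepted only on a retry after a minimum delay. The class name, the delays and the sample triplets are assumptions.

```python
import time
from typing import Dict, Set, Tuple

# (client IP, envelope sender, envelope recipient)
Triplet = Tuple[str, str, str]

class Greylist:
    """Minimal greylist: TEMPFAIL new triplets, ACCEPT a compliant retry."""

    def __init__(self, min_delay: int = 300, retry_window: int = 4 * 3600):
        self.min_delay = min_delay          # seconds a sender must wait before retrying
        self.retry_window = retry_window    # forget a first attempt older than this
        self.first_seen: Dict[Triplet, float] = {}
        self.whitelisted: Set[Triplet] = set()

    def check(self, triplet: Triplet, now: float) -> str:
        """Return 'ACCEPT' or 'TEMPFAIL' (an SMTP 4xx) for one delivery attempt."""
        if triplet in self.whitelisted:
            return "ACCEPT"
        first = self.first_seen.get(triplet)
        if first is None or now - first > self.retry_window:
            # New (or stale) triplet: record it and ask the client to retry later
            self.first_seen[triplet] = now
            return "TEMPFAIL"
        if now - first < self.min_delay:
            # Retried too soon: a standards-compliant MTA backs off, so keep refusing
            return "TEMPFAIL"
        # A retry after the minimum delay: accept and remember the triplet
        self.whitelisted.add(triplet)
        del self.first_seen[triplet]
        return "ACCEPT"

def simulate() -> Dict[str, str]:
    """Constructed scenario: a legitimate MTA retries, a spam bot does not wait."""
    gl = Greylist()
    legit = ("192.0.2.10", "alice@example.org", "bob@example.net")   # constructed
    spam = ("203.0.113.7", "x@spam.invalid", "bob@example.net")       # constructed
    t0 = 1_000_000.0
    return {
        "legit_first": gl.check(legit, t0),            # TEMPFAIL
        "legit_retry": gl.check(legit, t0 + 600),      # retried after 10 min: ACCEPT
        "legit_again": gl.check(legit, t0 + 7000),     # whitelisted now: ACCEPT
        "spam_first": gl.check(spam, t0),              # TEMPFAIL
        "spam_fast_retry": gl.check(spam, t0 + 30),    # retried after 30 s: TEMPFAIL
    }

if __name__ == "__main__":
    print(simulate())
```

A bot that never retries, or retries only seconds later, never gets an ACCEPT; the post's point is that modern spam software simply waits and retries, which this logic cannot distinguish from a real MTA.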

On the other hand, spammers cannot avoid traffic shaping by simply trying to send an email a second time. Successfully implementing traffic shaping requires more than simply inserting delays in an SMTP session.

Traffic shaping selectively restricts the bandwidth for untrusted senders to only a few bytes per second. High-quality senders are expedited to get mail through to you even more quickly, while spammers are placed in a holding pattern. Instead of a spammer clogging your network and slowing down SMTP responses, it's the spammer who gets bogged down. The result is a clean mail stream of less than 30% of its original volume.


Traffic Shaping is absolutely free for non-commercial users (less than 10,000 SMTP connections per day):
http://mailchannels.com/download


Sunday, August 17, 2008

Political Spam - Georgia Conflict


I thought it worth discussing the spam e-mails being sent related to the conflict in Georgia. So far, our spam traps show two very different types of spam mailings related to the issue which appear to have very different purposes.

The most recent messages I've seen are in German and originate from the Cutwail botnet. Typically spam messages are used to promote a product or aim to infect even more machines. Interestingly, in this case it's neither - it's a political message which actually links to a YouTube video of a Fox News broadcast.

The Subject line is "Wahrheit uber Georgien Konflikt", which translates as "Truth about Georgia Conflict". It claims that YouTube has manipulated the visitor numbers so that the video isn't popular (which I doubt). It goes on to state that we are not "media puppets", that we are opposed to "propaganda in the media", and that the information should be spread like wildfire. I've removed the actual link to the video as I don't want to promote traffic to it. Here's a single sample of the message, which originated from 77.35.27.101, an address listed on the CBL as associated with Cutwail, although we've seen high volumes of these hit spam traps.

Subject: Truth about Georgia Conflict

A little girl tells the truth about Georgian attacks:

http://youtube.com/watch?v=i_removed_the_link
(YouTube is manipulating the view counter and not letting this video become popular)

2000 dead within 2 days from the Georgian attack - RIP
For all the children, women and men who were murdered by Georgian attacks, we are starting this campaign.

We are against propaganda in the German media!
We are not media puppets.
We want the TRUTH! We are the people!

Spread this message like wildfire! (Emails, blogs, forums, ICQ)
Together we are strong.



The second spam e-mail referencing Georgia appears to be coming from the Mega-D Botnet. There were reports that this could be a new botnet but the samples I've seen show infections of Mega-D so I'd need to see further evidence to support that claim although I couldn't rule it out completely. Rather than spreading a political message, this spam links to malware to cause further infections. It looks like it's simply leveraging a hot topic to socially engineer people to click on it rather than spread a political message. Gary Warner over at UAB (University of Alabama at Birmingham) has an excellent Anti-Spam blog and gives an analysis of this spam message.

It's clever in that the subject line claims to be from BBC NEWS. This may sound similar to the CNN/MSNBC fake headline spam which was sent from the Rustock botnet, but it's not at all related other than borrowing some social engineering ideas. A sample originated from 81.190.91.93, which is listed on the CBL as infected with a Mega-D bot. The headers of the message also share heuristic-type features of that particular botnet, such as a forged header and a ratware signature. The message sent is as follows, with the addition of an image of the President if viewed in an HTML mail user agent.

Subject: BBC NEWS.

Last news! Saakashvili (president of Georgia) the gay! See it now!
http://website_removed.com/upload1/upload.php

Broadcasting House,
Portland Place,
London,
W1A 1AA


It's not surprising that botnets would leverage a major current affairs event to try and get a recipient to read it. What did interest me was the fact that both Rustock and Mega-D are using news agencies, and both Cutwail and Mega-D are using the Georgia conflict in their messages. There's an overlap in the social engineering techniques used by the different botnets as they learn from each other what appears to work. Another interesting point is that the spam from Mega-D is pro-Russian and the spam from Cutwail is pro-Georgian, so it's probably unlikely that the latter is under the control of the RBN (Russian Business Network).

Friday, August 15, 2008

Password Security - Letmein Monkey


In the past month I've noticed a large increase in the amount of spam being sent via SMTP Auth and webmail accounts. These are old techniques but have the advantage of avoiding blocklists and sometimes bypassing anti-spam filters. In both cases a user name and password are required to send the spam, and these are usually captured via brute force or phishing attacks.

As the name suggests, a brute force attack is when an attacker tries guessing a combination of user names and passwords at a server until authenticated. Some of the most common services attacked are ssh, ftp, snmp and smtp-auth. There are tools available that attackers can use to repeatedly hammer a server with authentication attempts. One method to help prevent the attack is to slow down or block an authentication attempt after a certain number of failures. For example, the fail2ban application can provide such protection on a Unix server. This makes life much more difficult for an attacker but a strict password policy is still necessary. Why?
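The counting rule that fail2ban applies to its log filters (ban an address once it has produced `maxretry` failures inside any `findtime`-second window), shown here as an added example rather than fail2ban's own code or the post's. The log line format, the field names and the addresses are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List

# Constructed syslog-style SMTP AUTH log (not from any real server): one address
# hammers several user names in a few seconds, another user mistypes twice.
SAMPLE_LOG = """\
Aug 15 10:00:01 mx smtpd: auth failure user=info rip=203.0.113.5
Aug 15 10:00:03 mx smtpd: auth failure user=info rip=203.0.113.5
Aug 15 10:00:04 mx smtpd: auth failure user=admin rip=203.0.113.5
Aug 15 10:00:06 mx smtpd: auth failure user=root rip=203.0.113.5
Aug 15 10:00:07 mx smtpd: auth failure user=sales rip=203.0.113.5
Aug 15 10:00:09 mx smtpd: auth success user=alice rip=192.0.2.10
Aug 15 10:05:00 mx smtpd: auth failure user=alice rip=192.0.2.10
Aug 15 10:20:00 mx smtpd: auth failure user=alice rip=192.0.2.10
"""

# Only failure lines are of interest; the assumed format is "<ts> <host> smtpd: ..."
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smtpd: auth failure "
    r"user=\S+ rip=(?P<ip>[\d.]+)$"
)

def find_bruteforcers(log: str, maxretry: int = 5, findtime: int = 600,
                      year: int = 2008) -> List[str]:
    """Return the client IPs that hit >= maxretry failures within findtime seconds."""
    recent = defaultdict(deque)       # ip -> timestamps of failures still in window
    banned = set()
    for line in log.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue                  # successes and unrelated lines are ignored
        # syslog timestamps carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        window = recent[m["ip"]]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()          # slide the window forward
        if len(window) >= maxretry:
            banned.add(m["ip"])
    return sorted(banned)

if __name__ == "__main__":
    print(find_bruteforcers(SAMPLE_LOG))   # ['203.0.113.5']
```

A real deployment would hand the result to the firewall and unban after `bantime`; note that this per-IP rule does nothing against a single correct guess, which is the point the post makes next.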

An attacker needs to know both a user name and password to authenticate. It's possible to guess a user name that's common to many servers, such as root/info on a Unix server or User/Administrator on a Windows server. In the case of SMTP Auth attacks, the user name is already in the e-mail address so only the password needs to be brute forced. However, a bad choice of password makes the brute force attempt quite simple. If only one attempt is needed to guess the password then it could bypass checks for authentication failures. I recently investigated the case of a compromised mail server where the password was identical to the user name and it was sending out phishing e-mails.

So let me try and guess one of your passwords. Hmmm... is it "letmein"? No, how about "qwerty"? No. One more try, is it "monkey"? If I managed to guess your password, you should probably change it immediately as it's one of the top 10 most common passwords, according to this article. This technique of guessing the password is based on how common a password is across a large user base. In December 2006, a MySpace phishing attack managed to steal 34,000 passwords but accidentally made them publicly available. Security researchers were able to analyze these to find the most common passwords.

I've discussed the use of common passwords but it's also possible that your password could be socially engineered. If the attacker knows the victim then the password could be guessed if the password was related to a pets name, a hobby or a music band. I'm well aware of this so in my case my passwords aren't Guinness, Snowboarding or U2 :o)

Unfortunately, even a well chosen password that's difficult to guess can be compromised. In the case of webmail spam the login credentials are typically gathered using a phishing attack. I've previously discussed this spear phishing attack aimed at particular organizations and universities. If you e-mail your user name and password to a phisher it doesn't really matter how long or complex your password is. When the phisher has these credentials they can use the webmail account to send spam from a non-blocked IP.

To summarize, a good anti-spam and anti-virus solution should be deployed to prevent phishing-based attacks, along with end user education. It's important that an organization enforce a strict password policy where passwords must be changed on a regular basis and meet a minimum requirement. Changing passwords regularly provides protection in the event of a password being compromised. Prevention is better than cure, though, and a brute force attack would be much more difficult if the password had to be at least a reasonable minimum length, contain both upper and lower case characters, contain digits and contain a non-alphanumeric character. It should also not appear on a post-it note attached to the monitor!
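The password checks this post argues for, combined in one function as an added example (not code from the post): reject the common passwords quoted above, a password identical to or containing the user name (the compromised mail server case), and anything failing the length and character-class policy. The common-password set holds only the three passwords the post names, and the minimum length is an assumption.

```python
import string
from typing import List

# Only the passwords quoted in the post; a real list would be far longer
COMMON_PASSWORDS = {"letmein", "qwerty", "monkey"}
MIN_LENGTH = 10   # assumed policy value

def password_problems(username: str, password: str) -> List[str]:
    """Return every policy violation found; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    user = username.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if lowered == user:
        problems.append("identical to user name")
    elif len(user) >= 4 and user in lowered:
        problems.append("contains the user name")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric character")
    return problems

def password_ok(username: str, password: str) -> bool:
    return not password_problems(username, password)

if __name__ == "__main__":
    # Constructed examples: the compromised-server case and a passing password
    print(password_problems("info", "info"))
    print(password_ok("alice", "Tr4ck-Fill-9Xq!"))
```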

Wednesday, August 6, 2008

Facebook Warning!


Most Facebook users will be familiar with their web based message inbox. From an end user perspective, it looks similar to e-mail in many ways. However, it can only receive messages from approved friends. Well now it has another similarity with e-mail as it's being used in an attempt to distribute a Trojan.

According to Marc Saltzman's blog post, a message arrives in the message inbox from an approved Facebook friend with the message "LOL, You've been catched on hidden cam, yo.". Marc states:

Following this message is a long URL (website address) that, when clicked, takes you to what appears to be a YouTube video. This is not YouTube. When you click the video to begin, a message pops up and says you first need to download a newer Flash player to play the video. Do not do this. It's a virus.


Symantec detects the downloaded file as the Infostealer.Gampass Trojan. The virus itself isn't anything new or out of the ordinary. However, the delivery mechanism of using the Facebook message inbox is a clever social engineering technique that could result in a large number of infections.

So the question is, how did the messages appear to come from approved friends? As I was writing this blog post, I found this news article with a warning from Kaspersky:

When owners of the infected machines next log onto the social networks, their machine automatically sends the malicious messages out to new victims grabbed from the friend list, said Ryan Naraine, security evangelist at Kaspersky.


If you receive this message from a friend be sure to delete it and notify your friend that they have been infected by a virus.