Transcript PPt - IDC

Chronicles of Spam

Amir Lev

Where It All Started …

1970: Monty Python’s Flying Circus, ‘Spam’ sketch

1978: First mass e-mailing (Everyone with an e-mail got it!)

1994: First Unsolicited Commercial E-mails (UCE)

1st - Green card lottery applications

2nd - “Global Alert for All: Jesus is Coming Soon”

First Spam (1978, To All Arpanet Users)

Mail-from: DEC-MARLBORO rcvd at 3-May-78 0955-PDT
Date: 1 May 1978 1233-EDT
From: THUERK at DEC-MARLBORO
Subject: ADRIAN@SRI-KL

DIGITAL WILL BE GIVING A PRODUCT PRESENTATION OF THE NEWEST MEMBERS OF THE DECSYSTEM-20 FAMILY; THE DECSYSTEM-2020, 2020T, 2060, AND 2060T. THE DECSYSTEM-20 FAMILY OF COMPUTERS HAS EVOLVED FROM THE TENEX OPERATING SYSTEM AND THE DECSYSTEM-10 COMPUTER ARCHITECTURE. BOTH THE DECSYSTEM-2060T AND 2020T OFFER FULL ARPANET SUPPORT UNDER THE TOPS-20 OPERATING SYSTEM. THE DECSYSTEM-2060 IS AN UPWARD EXTENSION OF THE CURRENT DECSYSTEM 2040 AND 2050 FAMILY. THE DECSYSTEM-2020 IS A NEW LOW END MEMBER OF THE DECSYSTEM 20 FAMILY AND FULLY SOFTWARE COMPATIBLE WITH ALL OF THE OTHER DECSYSTEM-20 MODELS.

WE INVITE YOU TO COME SEE THE 2020 AND HEAR ABOUT THE DECSYSTEM-20 FAMILY AT THE TWO PRODUCT PRESENTATIONS WE WILL BE GIVING IN CALIFORNIA THIS MONTH. THE LOCATIONS WILL BE:

TUESDAY, MAY 9, 1978 - 2 PM
HYATT HOUSE (NEAR THE L.A. AIRPORT)
LOS ANGELES, CA

THURSDAY, MAY 11, 1978 - 2 PM
DUNFEY'S ROYAL COACH
SAN MATEO, CA
(4 MILES SOUTH OF S.F. AIRPORT AT BAYSHORE, RT 101 AND RT 92)

International Scourge

A group of Argentinean spammers named SuperZonda, registered in Holland, using a Spanish ISP, have broken into British Airways' servers to promote Russian "email brides" to American men

Russian Women looking for Western Men

Russian Women: View Western Men Why Russian Mail Order Brides is superior for meeting Russian women a Russian woman?


Spam-Anti-Spam Dynamic – Vicious Circle

Revenue = (Response %) x (Spam number)

Sending more Spam

1. Response rate decrease
2. Anti-spam technology improves

Need:

• more spam
• Better anti-anti spam technology

Spam technology improves

Inside The Spam-Can

1st Generation – Keywords Filters

50 ways to spam Viagra:

V I @ G R A , [email protected], \./iagra, Viiagra, Vìagrä, V--i--a--g--r —a, V!agra, V1agra, VI.A.G.R.A, vi@gra, vIagr.a, via-gra, Via.gra,
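Why a literal keyword rule misses every spelling above, and what a filter has to normalize before matching, shown as an added example that is not part of the original slides. The look-alike map and function names are assumptions made for this illustration.

```python
import re
import unicodedata

# Constructed look-alike map (an assumption, not from the slides): symbols and
# digits commonly substituted for letters.
LOOKALIKES = str.maketrans({"@": "a", "4": "a", "!": "i", "1": "i", "|": "i",
                            "0": "o", "3": "e", "$": "s", "5": "s"})

def canonical(text: str) -> str:
    """Reduce text to a lower-case letter skeleton for keyword matching."""
    # Multi-character glyph tricks first: "\./" or "\/" drawn as a V.
    text = re.sub(r"\\\.?/", "v", text)
    # Strip diacritics: NFKD splits an accented letter into base + combining mark.
    text = "".join(c for c in unicodedata.normalize("NFKD", text)
                   if not unicodedata.combining(c))
    text = text.lower().translate(LOOKALIKES)
    # Drop separators: spaces, dots, dashes and any other non-letter.
    text = re.sub(r"[^a-z]", "", text)
    # Collapse repeated letters so "viiagra" and "viagra" share one skeleton.
    return re.sub(r"(.)\1+", r"\1", text)

def naive_match(keyword: str, text: str) -> bool:
    """First-generation rule: case-insensitive substring search."""
    return keyword.lower() in text.lower()

def canonical_match(keyword: str, text: str) -> bool:
    """Same rule applied after both sides are canonicalized."""
    return canonical(keyword) in canonical(text)

# Spellings listed on the slide (the redacted "[email protected]" entry is omitted).
VARIANTS = ["V I @ G R A", "\\./iagra", "Viiagra", "Vìagrä", "V--i--a--g--r —a",
            "V!agra", "V1agra", "VI.A.G.R.A", "vi@gra", "vIagr.a", "via-gra",
            "Via.gra"]

if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v!r:22} naive={naive_match('viagra', v)} "
              f"canonical={canonical_match('viagra', v)}")
```

Because separators are removed across the whole text, adjacent ordinary words can join into a keyword, so a canonical hit is better treated as one scoring signal than as a verdict.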


2nd Generation – The Heuristics Wars

Technique       What the user sees               What the filter sees
-               Mortgage                         Mortgage
Mutations       M o r t g a g e , M0rtgage       M o r t g a g e, M0rtgage
Invisible ink   M x o 1 r y t t g v a q g 8 e    Mxo1ryttgvaqg8e
Color games     M x o 1 r y t t g v a q g 8 e    Mxo1ryttgvaqg8e
HTML table      M O R T D o n e G A G E e a s y  MDOoRnTeG AeGaEsy

Endless Set of Rules

It's ${quick|fast}, ${easy|simple} and ${anonymous|very private}.

Our ${dat.ing|matchin.g} ${system|portal} has taken live ${dating|matching} to a ${whole new|much higher} level. Now you can {meet|get to know} someone in ${seconds|nanoseconds} , Send them virtual kisses now and meet up the next day.

${that you like|by your taste} !

${Send|Give} them virtual kisses now and ${meet up|get together} the next day.

Why ${spend|be} another minute alone?

${Check|Visit} us here, join the real fun!

http://www.hockeyhicks.com/extra/gettingitgood/

‘Chinese Menu’: 2^16 = 65,536 permutations

… for simple message
… using legit vocabulary only
… and proper grammar

3rd Generation – Bayesian Filter

From: Nell Gomez [mailto:[email protected]]
Sent: Wednesday, December 20, 2004 2:56 PM
To: !@#$%%$;
Subject: mammal coalition hugo antithetic postpone

Correctly spelled meaningless subject

Hi, Genierc Viagrand Sepur Viarga (Caiils) available onlnie!
Most trsuted onilne source!
Vagira & Cilais takes afefct right away & lasts 24-36 huors!
FOR SUEPR VAIRGA TOCUH HERE
Not itnreseted

Positive Bayesian Values

cobweb deck nude cowherd contiguous execrable cretinous melange moldboard notice acapulco deject hydronium advisee malfunction diamagnetism iodate cremate holiday headstrong bluish flange bhoy shown antic alumnae galvanic ethyl bale crosby fracture gallop lindholm archaic metallurgist plasma astrophysical asheville brute headwall aim grantor plaintive gangway ligand affectionate garden oxygenate monetary calcareous fluoridate numeric raze pro indignity neckline pompano me cringe sheaf reese endothelial altar jug acetone picnicker planoconcave mildred argumentation nutrient baldy hobble salivary apportion pep obvious relate frozen fafnir packet coleus fallen billiken biometrika indonesia bonus
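One defensive check against the padding block shown above, added here as an example and not taken from the slides: ordinary prose is full of function words, while a run of dictionary words contains almost none, so such paragraphs can be flagged and excluded before the Bayesian score is computed. The word list, thresholds and function names are assumptions.

```python
import re

# Small constructed list of English function words (an assumption; a real
# filter would use a fuller list per language).
FUNCTION_WORDS = frozenset(
    "a an and are as at be by for from has have i in is it of on or that "
    "the this to was we will with you your".split())

def function_word_ratio(paragraph: str) -> float:
    """Share of tokens in the paragraph that are function words."""
    tokens = re.findall(r"[a-z]+", paragraph.lower())
    if not tokens:
        return 0.0
    return sum(t in FUNCTION_WORDS for t in tokens) / len(tokens)

def padding_paragraphs(body: str, min_tokens: int = 20,
                       max_ratio: float = 0.05) -> list[str]:
    """Paragraphs long enough to judge whose function-word ratio is near zero."""
    flagged = []
    for para in re.split(r"\n\s*\n", body):
        n_tokens = len(re.findall(r"[a-z]+", para.lower()))
        if n_tokens >= min_tokens and function_word_ratio(para) <= max_ratio:
            flagged.append(para)
    return flagged

def strip_padding(body: str) -> str:
    """Body with flagged paragraphs removed, ready for token scoring."""
    flagged = set(padding_paragraphs(body))
    kept = [p for p in re.split(r"\n\s*\n", body) if p not in flagged]
    return "\n\n".join(kept)

# First 40 words of the padding block from the slide.
SALAD = ("cobweb deck nude cowherd contiguous execrable cretinous melange "
         "moldboard notice acapulco deject hydronium advisee malfunction "
         "diamagnetism iodate cremate holiday headstrong bluish flange bhoy "
         "shown antic alumnae galvanic ethyl bale crosby fracture gallop "
         "lindholm archaic metallurgist plasma astrophysical asheville brute "
         "headwall")
# Constructed paragraph of ordinary prose for comparison.
PROSE = ("We will be giving a product presentation of the newest members of "
         "the family at the two locations in California this month, and you "
         "are invited to see it.")

if __name__ == "__main__":
    print(round(function_word_ratio(PROSE), 2), function_word_ratio(SALAD))
```

Legitimate paragraphs made of names, part numbers or keywords also score low, so the thresholds need tuning against real mail before the result is used to drop text.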


Multiple Layer Anti-Spam – Multiple Layer Spam

From: Nell Gomez [mailto:[email protected]]
Sent: Wednesday, December 20, 2004 2:56 PM
To: !@#$%%$;
Subject: mammal coalition hugo antithetic postpone

Fake Address

Hi, Genierc Viagrand Sepur Viarga (Caiils) available onlnie!
Most trsuted onilne source!

Take a close look: SUEPR VAIRGA

Vagira & Cilais takes afefct right away & lasts 24-36 huors!
FOR SUEPR VAIRGA TOCUH HERE
Not itnreseted

Positive Bayesian Values

cobweb deck nude cowherd contiguous execrable cretinous melange moldboard notice acapulco deject hydronium advisee malfunction diamagnetism iodate cremate holiday headstrong bluish flange bhoy shown antic alumnae galvanic ethyl bale crosby fracture gallop lindholm archaic metallurgist plasma astrophysical asheville brute headwall
planoconcave mildred argumentation nutrient baldy hobble salivary apportion pep obvious relate frozen fafnir
packet coleus fallen billiken biometrika indonesia bonus

‘Typoglycemia’ (Social Engineering):

Words identification regardless of letters order
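The same property can be used by a filter: a word keyed by its first letter, its sorted interior letters and its last letter matches its scrambled forms. The following is an added example, not part of the original slides; the watchlist and function names are assumptions chosen to cover the sample message.

```python
import re

# Constructed watchlist for this example; a real filter supplies its own terms.
WATCHLIST = ["generic", "super", "viagra", "cialis", "online", "trusted",
             "affect", "hours", "touch", "interested"]

def typo_key(word: str) -> str:
    """First letter + sorted interior letters + last letter, lower-cased."""
    w = word.lower()
    if len(w) <= 3:
        return w  # nothing to scramble in words this short
    return w[0] + "".join(sorted(w[1:-1])) + w[-1]

KEYS = {typo_key(w): w for w in WATCHLIST}

def unscramble(text: str) -> list[tuple[str, str]]:
    """(token, watchlist word) pairs for tokens that are a scrambled watchlist word.

    Correctly spelled tokens are skipped: an ordinary keyword rule already
    sees those, and the scrambling itself is the signal of interest here.
    """
    hits = []
    for token in re.findall(r"[A-Za-z]+", text):
        target = KEYS.get(typo_key(token))
        if target and token.lower() != target:
            hits.append((token, target))
    return hits

# Body lines of the sample message on the slide.
SAMPLE = ("Hi, Genierc Viagrand Sepur Viarga (Caiils) available onlnie! "
          "Most trsuted onilne source! "
          "Vagira & Cilais takes afefct right away & lasts 24-36 huors! "
          "FOR SUEPR VAIRGA TOCUH HERE Not itnreseted")

if __name__ == "__main__":
    for token, target in unscramble(SAMPLE):
        print(f"{token:12} -> {target}")
```

Distinct legitimate words can share a key (for example "form" and "from"), so the watchlist should be checked for collisions with common vocabulary before hits are counted.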


Threats Converge:

• Spam – Viruses symbiosis
• Organized crime

Spam & Organized Crime

• "Organized crime may be behind phishing; Fraudulent e-mail scams show more sophistication", Saul Hansell, New York Times, Monday, March 29, 2004

• "Is Organized Crime Controlling Your PC? Symantec report says Internet attacks for financial gain on the rise", Samantha Perry, PC-World, Monday, September 27, 2004

• "Organized crime invades cyberspace", Dan Verton, Computerworld, Monday August 30, 2004

• "Online organized crime: Internet criminals want your money and their tactics are becoming increasingly refined and organized.", CNN, Monday, September 26, 2005

Viruses / Trojans Used By Spammers

Step 1: planting multiple Trojans (‘zombies’)

Step 2: Dormant Trojans activated at once

Distribution

• Sources: 1000s
• Volume: +100M messages
• Duration: 1-3 Hours

1 Hour Detection Lag

• 30-100% miss

Spam Business Is Booming …

25 Billion spam messages / day

60-70% of global email is spam

80-90% for some corporations …

2 Million outbreaks a day

Spam Technology Becomes Vehicle For Viruses

Figure 1-A: Typical viral propagation

[Chart: Signatures release timeline. Series: Blocked (of 20 AV engines tested), in %; Intensity (100s of samples / hour)]

  

92 Laws And Acts In US and Europe

• Definition challenge
• International Challenge
• Enforcement Challenge

Direct Marketers: 5%
Rogue Spammers: 80%
Aggressive Marketers: 15%

US Federal Laws: 4 Proposals, 1 Enacted
US State Laws: Over 40

European Union    10
Austria            3
Belgium            1
Czech Republic     3
Denmark            4
Finland            4
France             2
Germany            3
Greece             1
Ireland            1
Italy              3
Luxembourg         1
Netherlands        1
Norway             3
Portugal           1
Spain              1
Sweden             3
UK                 3

Total European Anti-spam Laws: 48

Recurrent Pattern Detection ™ (RPD)

Patent #6-330-590

1. Smart Collection: Global traffic, Billions of messages/month

2. Patterns Analysis: Structure patterns, distribution patterns

3. Real-time Classification

AS Technologies – Durability Challenge

• Heuristics
• Bayesian
• Keywords
• Public Blacklists
• Honeypots
• RPD

The more massive the Outbreak, The faster it’s distributed, … the better and faster it’s detected!

Thank You

Amir Lev