Post on 17-Dec-2015
Internet Safety
Microsoft's Anti-SPAM Strategy and Initiatives
Meng-Chow Kang, CISSP, CISA
Chief Security & Privacy Advisor
Microsoft Asia Pacific
Anti-SPAM Strategies – The Way Forward
ASEAN Telecommunications Regulatory Council (ATRC)
May 3-4, 2005, Cyberjaya, Malaysia

Evolving SPAM Attacks
Virus, Worm
Scams
Spyware, Trojans
• Identity Theft
• Data Leakage/Theft
• DDoS Extortion
• Frauds
• Software Piracy
• Illegal Downloads

Education & Enablement
Industry Collaboration & Partnerships
Govt Partnerships
Strong Laws & Enforcement
e-mail user
Prevention Agents: Attack detection, Sender reputation, Outbound filtering
Proof: Identity & Evidence: "Sender ID", Computational Cycles, Certificates, Sender Safelists
Protection Filters: SmartScreen, At gateway, server & desktop, Update Service

Microsoft Anti-Spam Strategy
Technology Strategy
Build an integrated, distributed system of inter-connected countermeasures
Target key choke points
Proof, Prevention and Protection
Prevent before it happens
Protect against attacks
Proof of identity and evidence
A foundation based on authentication, accreditation and reputation

Content Filtering
• Major improvements in last year
• Catch rates ~90%
• False positive problem persists

Why Authentication?
Sender Reputation
• IP-based reputation
• Domain-based reputation **
• Feedback to help senders improve **
Sender Practices
• Port 25 blocking
• Rate limiting
• Publish SPF record
• Digital signatures
• Proof of work
** Requires sender authentication

Sender ID Framework
An Emerging Standard
A merger and refinement of proposals: SPF (Sender Policy Framework), Microsoft Caller ID for Email, IETF MARID working group feedback
Industry collaboration including AOL, Bell Canada, Cisco, Comcast, IBM, Interland, Port25, Sendmail, Symantec, Tumbleweed, VeriSign…; Email Service Providers Coalition, Opengroup Messaging Forum, TRUSTe…
A first step and on a fast track…

Design Goals & Tradeoffs
Protection: Senders can take immediate steps to protect their brand & domain names
Accountability: Senders can be held accountable for mail they send
Ease of adoption: No software changes required for most senders; openly published specification that can be broadly adopted
Scalability: From small businesses to largest ISPs
Non-Goals: Silver bullet for spam & phishing; solve all email authentication problems; zero cost

What Is Sender ID?
A framework of technical specifications

Sender ID Framework
All Mail Senders
MTA Vendors & Receiving Networks
SPF Record
Purported Responsible Address (PRA) Check
Submitter (SMTP Optimization)
MAIL FROM Check
http://www.microsoft.com/senderid
Senders, one time: Publish SIDF record in DNS using SPF text format; no other changes required; email sent as normal
Receivers: Determine which domain to check (PRA or MAIL FROM); look up sender's SPF record in DNS; compare connecting IP address to authorized list from SPF record; match: positive filter input; no match: negative filter input
Message transits one or more email servers en route to receiver

How Does Sender ID Work?
PRA and Mail From Checks
PRA
• Derived from RFC2822 message headers: Resent-Sender, Resent-From, Sender, From
• Identity most often seen by users
• Helps reduce phishing
• Easier adoption for email forwarders
• Headers must be received and parsed
MAIL FROM
• RFC2821 "bounce" address
• Helps reduce "joe jobs"
• Checking can begin before message data is received
• Headers can be spoofed
• Headers seen by users are not validated
• More difficult for forwarders

Interpreting the Results
Range of actions based on check results: Accept message; Reject message; Use result as input into spam filters; Indicate result to end users
"Pass" does not mean "good mail": sender could be a spammer with a domain
Increasing adoption will enable stricter tests
Domains with no Sender ID records will have their mail subject to increased scrutiny
Increase weighting in filtering algorithms

Sample SPF Records
example.com TXT "v=spf1 -all" – This domain never sends mail
example.com TXT "v=spf1 mx -all" – Inbound email servers also send outbound mail
example.com TXT "v=spf1 ip4:192.0.2.0/24 -all" – Specify an IP range
example.com TXT "v=spf1 mx include:myesp.com -all" – Outsourced email service
example.com TXT "spf2.0/pra ip4:192.0.3.0/24 -all" – Different configuration for PRA checking
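The receiver-side check described above (pick PRA or MAIL FROM, look up the record, compare the connecting IP) run over the sample records, as an added example that is not Microsoft's or the Sender ID specification's code. DNS answers come from a constructed in-memory table; only the ip4, mx, include and all mechanisms are modelled, and the example falls back to the v=spf1 record for a PRA check when the domain publishes no spf2.0/pra record.

```python
import ipaddress
import re

DNS_TXT = {  # constructed stand-in for DNS TXT lookups; example values only
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all", "spf2.0/pra ip4:192.0.3.0/24 -all"],
    "listexample.com": ["v=spf1 mx -all"],
    "myesp.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "woodgrove.com": ["v=spf1 mx include:myesp.com -all"],
}
DNS_MX = {"listexample.com": ["203.0.113.10"], "woodgrove.com": ["203.0.113.20"]}

def purported_responsible_address(headers):
    """PRA: the first of Resent-Sender, Resent-From, Sender, From present in the headers."""
    for wanted in ("Resent-Sender", "Resent-From", "Sender", "From"):
        for name, value in headers:
            if name.lower() == wanted.lower():
                m = re.search(r"<([^>]+)>", value)
                return m.group(1) if m else value.strip()
    return None  # no PRA: the deck counts this among failed checks

def select_record(domain, scope):
    """A spf2.0 record whose scope matches wins; otherwise fall back to the v=spf1 record."""
    records = DNS_TXT.get(domain, [])
    scoped = [r for r in records if r.startswith("spf2.0/") and scope in r.split()[0][7:].split(",")]
    spf1 = [r for r in records if r.startswith("v=spf1")]
    return (scoped or spf1 or [None])[0]  # None: nonexistent domain or no record published

def check(ip, domain, scope, depth=0):
    """Compare the connecting IP with the domain's authorized list, left to right."""
    record = select_record(domain, scope)
    if record is None or depth > 10:  # depth guard stops include: loops
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "mx":
            matched = ip in DNS_MX.get(domain, [])
        elif term.startswith("include:"):
            matched = check(ip, term[8:], scope, depth + 1) == "pass"
        else:
            matched = False  # a, ptr, exists and modifiers are not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # record ended without a match

def sender_id_result(ip, mail_from, headers, scope="pra"):
    """Choose the identity to check (PRA or RFC 2821 MAIL FROM), then check its domain."""
    identity = purported_responsible_address(headers) if scope == "pra" else mail_from
    if not identity or "@" not in identity:
        return "none"
    return check(ip, identity.rsplit("@", 1)[1], scope)
```

Running the list-server case (mail relayed from 203.0.113.10 with a Sender: header) under both scopes shows why the deck calls PRA easier for forwarders: the PRA check passes on the list's domain while a MAIL FROM check on the original author's domain fails.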
Implementation Considerations
Senders
Administrative (immediate): Publish DNS records identifying authorized outbound email servers
On-going maintenance of same
Coordination of e-mail marketing initiatives
No hard costs or technical overhead
Receivers
Software (near term): Upgrade inbound email gateway servers to perform Sender ID checks
Software (optional, medium-long term): Upgrade client software to display results of Sender ID check
"Intermediaries" (forwarders, lists, etc.)
Software (near term): Upgrade outbound email servers to identify their own domains in messages

Outcome
Over 1 million domains have published their records
19.5% of email volume, after IP blocking and BM
Over 16% of the domains sending to Hotmail
Top sending domains' records are cached
Internal tests and "training" since Nov 2004
Heuristics integrated into SmartScreen & User feedback loop
Live worldwide implementation since Jan 2005
Transparent to the user
~14.5% of mail rated "good" passes Sender ID check*
~3.9% of mail rated "spam" passes Sender ID check*
~15.7% of mail fails Sender ID check (no match, no PRA, nonexistent domain)
* Source: Participants in Hotmail Feedback Loop, as of 4/25/2005

Benefits of Sender ID
Protect senders' brand and domain names from spoofing and phishing
Rapid adoption
Senders can publish SPF records today
Most senders require no software upgrades
A foundation for the reliable use of domain names in accreditation, reputation systems & safe lists
Receivers validate the origin of mail
Input into more aggressive spam filtering with reduced false positives
The first step industry will need to take together – there will be more to come including signing solutions

Sender ID Framework
Proof, Protection & Prevention
Signing Solutions
Computational Cycles / Challenges
Timeline: Today to 3 years +
Microsoft SmartScreen™ – Hotmail, Exchange & Outlook
Accreditation / Reputation – Safelist / Bonded Sender
Industry Accountability – Port 25 / Open proxy / Zombie Detection…
Phishing URL detection / mail / browsers

Take Aways
No silver bullet
Blended evolving threats
Nailing one problem may help or expose others
"Takes a village"
Cooperation & collaboration
Multiple players in the ecosystem
Will take time
New freeways do not happen overnight

Summary
All e-mail senders and domains should publish their SPF records today
Microsoft will initiate checking by year-end
Network administrators should contact ISP/MTA Vendors for Sender ID Framework integration

Resources
http://www.microsoft.com/senderid
Specs, resources, record wizard
http://www.microsoft.com/spam
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Appendix
Sender ID Scenarios
Direct Delivery
List Server
Mobile Carrier
Guest Email Service

Mail Delivery Scenarios: What Must Senders Do?
alice@example.com to bob@woodgrove.com
Scenarios: Direct Delivery; List Server; Mobile Carrier; Guest Email Service; Forwarder
Actors: Sender Agent; List Server / Forwarder; Recip. Agent

Direct Delivery
Publish outbound server records in DNS using the SPF format
Optional: Transmit SUBMITTER parameter on MAIL command
alice@example.com to bob@woodgrove.com
S: 220 woodgrove.com ESMTP server ready
C: EHLO example.com
S: 250-woodgrove.com
S: 250-DSN
S: 250-AUTH
S: 250-SUBMITTER
S: 250 SIZE
C: MAIL FROM:<alice@example.com>
S: 250 <alice@example.com> sender ok
C: RCPT TO:<bob@woodgrove.com>
S: 250 <bob@woodgrove.com> recipient ok
C: DATA
S: 354 okay, send message
C: From: alice@example.com
C: (message body goes here)
C: .
S: 250 message accepted
C: QUIT
S: 221 goodbye
Direct Delivery notes: SUBMITTER extension advertised in EHLO response; RFC2821 MAIL FROM = RFC2822 From

Mailing List
1. Publish outbound server records in DNS
2. Ensure "list-owner" style address is present in the message, e.g. Sender: owner-list1@listexample.com (vast majority of mailing list servers do this today)
3. Optional: Transmit SUBMITTER parameter on MAIL command
alice@example.com to List Server (owner-list1@listexample.com) to bob@woodgrove.com
S: 220 woodgrove.com ESMTP server ready
C: EHLO listexample.com
S: 250-woodgrove.com
S: 250-SUBMITTER
S: 250 SIZE
C: MAIL FROM:<owner-list1@listexample.com> SUBMITTER=owner-list1@listexample.com
S: 250 <owner-list1@listexample.com> sender ok
C: RCPT TO:<bob@woodgrove.com>
S: 250 <bob@woodgrove.com> recipient ok
C: DATA
S: 354 okay, send message
C: Received By: ...
C: From: alice@example.com
C: Sender: owner-list1@listexample.com
C: To: list1@listexample.com
C: (message body goes here)
C: .
S: 250 message accepted
C: QUIT
S: 221 goodbye
Mailing List notes: SUBMITTER extension advertised in EHLO response; SUBMITTER parameter added to MAIL command; Sender header added to message

Mail Forwarder
1. Publish outbound server records in DNS
2. Ensure forwarding address is present in the message, e.g. Resent-From: bob@alumni.almamater.edu
3. Optional: Transmit SUBMITTER parameter on MAIL command indicating forwarding address
alice@example.com to Mail Forwarder (bob@alumni.almamater.edu) to bob@woodgrove.com
S: 220 woodgrove.com ESMTP server ready
C: EHLO alumni.almamater.edu
S: 250-woodgrove.com
S: 250-DSN
S: 250-AUTH
S: 250-SUBMITTER
S: 250 SIZE
C: MAIL FROM:<alice@example.com> SUBMITTER=bob@alumni.almamater.edu
S: 250 <alice@example.com> sender ok
C: RCPT TO:<bob@woodgrove.com>
S: 250 <bob@woodgrove.com> recipient ok
C: DATA
S: 354 okay, send message
C: Resent-From: bob@alumni.almamater.edu
C: Received By: ...
C: (message body goes here)
C: .
S: 250 message accepted
C: QUIT
S: 221 goodbye
Mail Forwarder notes: SUBMITTER extension advertised in EHLO response; SUBMITTER parameter added to MAIL command; Resent-From header added to message
Computational puzzle flow
Email user with enabled client composes and sends message
Computational puzzle is solved, taking up to 20 seconds
Solution is attached to the message
Message is sent
Transits through sender's email server
Transits through recipient's email server
Receiver confirms the puzzle was solved correctly
If yes, the mail is delivered
If not, the message is flagged
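The puzzle flow above as an added example, not code from the deck, which does not specify the puzzle: it assumes a hashcash-style scheme in which the sender searches for a counter whose SHA-256 digest over a message-bound stamp has a chosen number of leading zero bits, and the receiver confirms the solution with a single hash before deciding to deliver or flag. The 16-bit difficulty and the stamp layout are constructed demo settings, far below the 20-second budget the slide mentions.

```python
import hashlib

DIFFICULTY_BITS = 16  # constructed demo setting; a deployment tunes this to its time budget

def stamp_for(sender, recipient, date, body_digest_hex):
    """Bind the puzzle to one message so a solution cannot be reused (assumed layout)."""
    return f"{sender}|{recipient}|{date}|{body_digest_hex}".encode()

def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def puzzle_hash(stamp, counter):
    """SHA-256 over the stamp and an 8-byte big-endian counter."""
    return hashlib.sha256(stamp + counter.to_bytes(8, "big")).digest()

def solve(stamp, bits=DIFFICULTY_BITS):
    """Sender side: brute-force a counter; expected cost is about 2**bits hashes."""
    counter = 0
    while leading_zero_bits(puzzle_hash(stamp, counter)) < bits:
        counter += 1
    return counter

def verify(stamp, counter, bits=DIFFICULTY_BITS):
    """Receiver side: one hash confirms the work was done for this exact message."""
    return leading_zero_bits(puzzle_hash(stamp, counter)) >= bits

def receive(stamp, counter):
    """Receiver decision from the slide: deliver on a correct solution, otherwise flag."""
    return "delivered" if verify(stamp, counter) else "flagged"
```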