Blue Security: Challenges With CAN-SPAM Automation
Eran Reshef
Blue Security, Inc.
Sep 2005
Note: This presentation describes Blue Security’s Phase II Beta
Why Did We Found Blue?
• Internet users do not want to receive spam
• The CAN-SPAM law allows users to opt-out
• In reality, it is extremely difficult to opt out:
– Faked “reply-to:” addresses
– Broken “unsubscribe” forms
– Unsubscribing usually brings more spam
– Spyware harboring in spam sites
• Even if opt-out were possible, there is too much spam to opt out from manually
• Our approach: an automated opt-out mechanism
Key Principles
• One opt-out request per each spam message sent to a member’s personal mailbox
• Opt-outs are sent via HTTP to advertisers’ web sites
• Manual analysis to overcome “Joe jobs” and zombie web sites
• No interference with Internet infrastructure
• Opt-outs refer spammers to a hashed registry
Naïve Approach
[Diagram: the spammer sends spam to the user’s mailbox; the user’s opt-out software replies with an opt-out via email to the spam’s sender address ([email protected]).]
Problems with Naïve Approach
• “From” address is almost always faked
– Cannot use “From” to email back to spammer
• Sender machine is almost always a zombie
– Emailing the IP owner will reach either a careless admin or an ISP
Opt-out at Merchant’s Site
[Diagram: the spammer sends spam to the user’s mailbox; the user’s opt-out software sends the opt-out via HTTP ([email protected]) to the merchant’s web site instead of replying to the spam.]
Mechanics of Opt-Out Requests
• Open an HTTP session to the merchant’s site
• Politely crawl site to locate all HTML forms
– Spammers randomize links to prevent automated opt-out requests, so crawling is necessary
– Max 3 connections (Internet Explorer’s default)
– Several seconds pause between each request
• Post opt-out text in HTML forms
– Ignore client-side validation (JavaScript)
– No use of random information (e.g., credit cards)
Problems
• What is spam?
– Legitimate email is sometimes perceived by users as spam
• Joe Jobs
– For only $250, one could get millions of emails appearing to advertise a competitor
• Zombie web sites
– Few spam sites (and all phishing sites) are hosted on compromised home computers
Analysis Service
[Diagram: spam reaches the user’s mailbox; the user’s opt-out software forwards suspected spam to Blue’s Analysis service, which returns opt-out instructions; the opt-out is then sent via HTTP ([email protected]) to the spammer’s web site.]
Analysis Service Overview
• Tracking and researching very few top spammers at each point in time
– Currently fewer than 15 online pharmacies
• Extensive manual verification of web sites
– White lists, black lists, Internet searches, etc.
• Relying on honeypots for deciding which web sites are spammers, not user reports
Spam Currently Not Handled
• Emails not sent by the few tracked spammers
• Emails advertising legitimate companies
• Emails advertising sites hosted in legitimate ISPs (e.g., US based)
• Emails advertising sites hosted anywhere but spam-friendly ISPs
• Emails without URLs
• Emails sent only to users, not to honeypots
Hashed Registry
[Diagram: as in the analysis-service flow, but the user’s opt-out software also sends addresses to Blue’s Registry, which stores only hashed addresses; the opt-out sent via HTTP to the spammer’s web site now refers the spammer to the registry rather than carrying the member’s address.]
Registry Overview
• Registry entry does not validate a “live address”:
– Hashed email addresses of users
– High number of hashed addresses of honeypots
• Registry has a controlled level of false-positives to protect against brute-force attacks
• The registry itself and email cleaning tools (including source code) are offered free of charge to anyone
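The two registry properties above (entries are hashes rather than addresses, and lookups carry a controlled false-positive rate so the registry cannot serve as an exact oracle for brute-forcing live addresses) can be illustrated with a Bloom filter. The following is an added example, not Blue Security’s code: the slides do not say how the real registry or cleaning tool were built, so the Bloom-filter construction, the salt, the sizing formula, the honeypot-to-member ratio and all sample addresses are assumptions made here for illustration.

```python
import hashlib
import math


class HashedRegistry:
    """Do-not-intrude registry modelled as a Bloom filter over salted SHA-256 hashes.

    Assumption (not from the slides): a Bloom filter gives both stated properties
    in one structure. It stores no address, only bit positions derived from a
    hash, and every lookup has a tunable false-positive rate, so a positive
    answer never proves that a guessed address exists.
    """

    def __init__(self, expected_entries, false_positive_rate, salt=b"constructed-salt"):
        # Standard Bloom sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hash functions
        self.m = math.ceil(-expected_entries * math.log(false_positive_rate) / (math.log(2) ** 2))
        self.k = max(1, round((self.m / expected_entries) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.salt = salt

    @staticmethod
    def canonical(address):
        # Normalise so that "Alice@Example.COM " and "alice@example.com" hash the same way
        return address.strip().lower().encode()

    def _positions(self, address):
        digest = hashlib.sha256(self.salt + self.canonical(address)).digest()
        # Kirsch-Mitzenmacher double hashing: position_i = (h1 + i*h2) mod m
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, address):
        for pos in self._positions(address):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, address):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(address))


def build_registry(member_addresses, honeypot_addresses, false_positive_rate=0.01):
    """Members and a large number of honeypot addresses go into the same filter,
    so a match does not tell the spammer whether the address belongs to a person."""
    entries = list(member_addresses) + list(honeypot_addresses)
    registry = HashedRegistry(len(entries), false_positive_rate)
    for address in entries:
        registry.add(address)
    return registry


def clean_list(registry, mailing_list):
    """The 'email cleaning tool': drop every address the registry matches.
    A false positive only removes one more address from the sender's list,
    which costs the registry's members nothing."""
    return [address for address in mailing_list if address not in registry]


def measured_false_positive_rate(registry, probe_addresses):
    """Probe with addresses known NOT to be in the registry and count matches.
    This is what a brute-force guesser sees: roughly p of all guesses 'match',
    and a match is therefore no confirmation that the address is live."""
    hits = sum(1 for address in probe_addresses if address in registry)
    return hits / len(probe_addresses)


# Constructed sample data (not real members, honeypots or mailing lists)
MEMBERS = [f"member{i}@example.org" for i in range(200)]
HONEYPOTS = [f"trap{i}@example.net" for i in range(800)]
PROBES = [f"guess{i}@example.com" for i in range(20000)]
REGISTRY = build_registry(MEMBERS, HONEYPOTS, false_positive_rate=0.01)

if __name__ == "__main__":
    sender_list = MEMBERS[:5] + ["Member7@Example.ORG"] + PROBES[:5]
    print("cleaned list:", clean_list(REGISTRY, sender_list))
    print("false-positive rate seen by a brute-force probe: %.4f"
          % measured_false_positive_rate(REGISTRY, PROBES))
```

With 1,000 entries and a 1% target the filter is about 9.6 kbit with 7 hash functions; the measured rate over 20,000 probes comes out near the target. Raising the honeypot share or the target rate makes every positive answer less informative to a guesser at the cost of cleaning a few more non-member addresses off the list.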
Problems
• Bypassing ISP’s abuse teams
• Not leveraging existing anti-spam policies of other Internet entities (e.g., domain registrars)
• Not allowing spammers to clean their lists before receiving opt-out requests
Spam Reports
[Diagram: the hashed-registry flow as before, with Blue’s Analysis additionally sending spam reports to registrars, ISPs and other relevant parties.]
Spam Reports Overview
• Reports are sent mainly to hosting ISPs and to advertisers’ sites
• One report is sent on behalf of all the members
• Reports are usually sent via emails to abuse desks of relevant parties
Do Not Intrude Registry Stats
• 25,000 members
• ~250,000 spam/day received
• Typical case
– 15,000 opt-out requests sent by members over a period of 10 hours to a leading spamvertised online pharmacy
– Spammer shut down all his domains a few hours after the sending of opt-out requests ended
Opting-out is Not DDoS
• Legitimate traffic
– Each member submits one opt-out request per each spam message sent to his or her personal mailbox
• Invited traffic
– Each spam is an invitation to visit the advertiser’s site
• Low-volume traffic
– Each opt-out request mimics a user submitting one opt-out request at the spammer’s site
• No synchronization
– Blue Security does not initiate or control timing of opt-out requests
• Intention
– Exercise opt-out right granted under CAN-SPAM law
Spammer’s Perspective
• Spammer sends 10M messages
• Spammer should expect ~800,000 visitors
– Industry average is 8% response rate (source: DoubleClick)
• Spammer is required by law to support 10M opt-out requests
• If the spammer is a legitimate business, he should have no problem handling even the entire Blue community (25,000 users)
Members Are Not Zombies
• Members select which spam to complain about (1st control point)
• Members can stop all opt-outs (2nd control point)
• Full logging (3rd control point)
• Members can uninstall the Blue Frog (4th control point)
• Compare to challenge/response systems (e.g., Qurb, acquired by Computer Associates)
This Will Not Make Things Worse
• “Successful” steady state
– Spammers do not send spam to registered members
– Members do not send opt-out requests
– Much less spam on the Internet
• “Failure” steady state
– Spammers ignore registry
– Community disbands
– Same traffic as before
• Transient state is short and involves a small community, so there is no real impact on Internet traffic
Summary
• Do Not Intrude Registry is an implementation of an automated opt-out mechanism in a secure and responsible manner
• Initial signs spammers may respect opt-out requests
• Blue Security is interested in cooperation with ISPs and anti-spam vendors
• Q & A
Spammer’s Countermeasures
• Spam URLs contain email validation tokens
– Analysis service substitutes member-reported URL with honeypot-reported URL
• Spammer redirects traffic to legitimate domains or IP addresses
– Each opt-out request is limited to specific domains and IP ranges
• More countermeasures are expected
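Both countermeasures on this slide come down to controlling which URL an opt-out request may go to. The following is an added example, not Blue Security’s code; the URL layout, the token names, the allowed-domain and allowed-network lists, the redirect chain and the pre-resolved IP addresses are all constructed here for illustration. It shows the two checks: substituting the honeypot-reported URL for the member-reported one only when both point at the same page, so a per-recipient validation token is never sent back, and confining a request, including every redirect hop, to the domains and IP ranges attached to the opt-out instructions.

```python
import ipaddress
from urllib.parse import urlsplit


def same_target(url_a, url_b):
    """True when two URLs address the same page (scheme, host:port and path),
    ignoring the query string, which is where per-recipient tokens usually live."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.netloc.lower(), a.path) == (b.scheme.lower(), b.netloc.lower(), b.path)


def substitute_honeypot_url(member_url, honeypot_url):
    """Countermeasure 1: the member-reported URL may carry a token that confirms
    the member's address as live on first visit. If a honeypot received the same
    page in the same campaign, use the honeypot's URL instead; otherwise return
    None so the caller sends nothing rather than guessing."""
    if same_target(member_url, honeypot_url):
        return honeypot_url
    return None


class TargetPolicy:
    """Countermeasure 2: each opt-out request is limited to the domains and IP
    ranges the analysis service attached to the opt-out instructions."""

    def __init__(self, allowed_domains, allowed_networks):
        self.domains = [d.lower().strip(".") for d in allowed_domains]
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]

    def host_allowed(self, host):
        # Match on label boundaries only, so "evilspamvertised.example" is not in scope
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def ip_allowed(self, ip):
        address = ipaddress.ip_address(ip)
        return any(address in net for net in self.networks)

    def hop_allowed(self, url, resolved_ip):
        """Both the name and the address it resolved to must be in scope, so a
        redirect to an unrelated domain and an in-scope name pointed at an
        unrelated IP are both rejected. resolved_ip is supplied by the caller
        (constructed here; a real client would take it from its own lookup)."""
        host = urlsplit(url).hostname
        return host is not None and self.host_allowed(host) and self.ip_allowed(resolved_ip)

    def follow(self, hops):
        """Walk a redirect chain of (url, resolved_ip) pairs and return the hops
        that would actually be requested. Stops at the first out-of-scope hop, so
        a request cannot be bounced onto a legitimate third party."""
        accepted = []
        for url, ip in hops:
            if not self.hop_allowed(url, ip):
                break
            accepted.append(url)
        return accepted


# Constructed sample (host names, tokens and addresses are made up; 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges)
MEMBER_URL = "http://shop.spamvertised.example/landing?u=member-token-9f3a"
HONEYPOT_URL = "http://shop.spamvertised.example/landing?u=trap-token-0c11"
POLICY = TargetPolicy(["spamvertised.example"], ["198.51.100.0/24"])
REDIRECT_CHAIN = [
    ("http://shop.spamvertised.example/landing?u=trap-token-0c11", "198.51.100.7"),
    ("http://pay.spamvertised.example/checkout", "198.51.100.9"),
    ("http://www.legitimate-merchant.example/", "203.0.113.5"),  # bounce to a third party
]

if __name__ == "__main__":
    print("URL to use:", substitute_honeypot_url(MEMBER_URL, HONEYPOT_URL))
    print("hops in scope:", POLICY.follow(REDIRECT_CHAIN))
```

The chain above stops after the second hop: the third redirect leaves both the approved domain and the approved network, so nothing is sent to the merchant the spammer redirected to.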
Spam Is Not a Solved Problem
• Even a low false positive ratio is unacceptable to some users
– Salespeople do not wish to miss even one customer
• Even a low false negative ratio is unacceptable to some users
– Religious people are offended by pornographic spam
• Many users cannot afford top-notch filters
– In many countries, ISPs charge extra for filters
More Information
• www.ftc.gov/bcp/conline/edcams/spam/rules.htm – The Federal Trade Commission’s summary page of rules, regulations and acts regarding unsolicited commercial email, pornographic and offensive email, and email fraud
• www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm – The Federal Trade Commission’s requirements for commercial emailers
• www.bluesecurity.com – Blue Security’s web site