zombies suck the life out of the mail server
TRANSCRIPT
IBM Research
© 2010 IBM Corporation
Zombies suck the life out of the mail server(“new developments” from LISA 2010 presentation)
Wietse VenemaIBM T. J. Watson Research CenterHawthorne, NY, USA
IBM Research
© 2010 IBM Corporation2 Zombies suck the life out of the mailserver
Changing threats
� 2009: You built a mail system that has world-class email delivery performance.
– Problem: your world-class performing mail system is now spending most of its resources not delivering mail.
• Solution: work smarter.
Changing threats
IBM Research
© 2010 IBM Corporation3 Zombies suck the life out of the mailserver
92% Mail is spam, 95% spam is from botnets
Source: MessageLabs Intelligence report, August 2010
Botnet spamOther spamNot spam
Changing threats
IBM Research
© 2010 IBM Corporation4 Zombies suck the life out of the mailserver
Zombies keep mail server ports busy
Connections handled by server (Postfix default: 100 sessions)
Connections waiting for service (queued in the kernel)
smtpd
smtpd
smtpd
smtpd
Changing threats
zombie
zombie
zombiezombie
zombie
zombiezombie
zombie zombie
zombie
zombie
zombie
zombie
other
other
other
other
other
. . . . . .
IBM Research
© 2010 IBM Corporation5 Zombies suck the life out of the mailserver
Zombies suck the life out of the mail server
� Worst-case example: Storm botnet.
– RFC 5321 recommends 5-minute server-side timeout.
• Postfix implements SMTP according to the standard.– Result: all SMTP server ports kept busy by Storm zombies.
13:01:36 postfix/smtpd: connect from [x.x.x.x]
13:01:37 postfix/smtpd: reject: RCPT from [x.x.x.x]:550 5.7.1 blah blah blah
13:06:37 postfix/smtpd: timeout after RCPT from [x.x.x.x]
Changing threats
IBM Research
© 2010 IBM Corporation6 Zombies suck the life out of the mailserver
Mail server overload strategiesTargeting small- and mid-size sites primarily
� Assumption: the zombie problem will get worse before things improve (if ever).
� Temporary overload:
– Work faster: less time per SMTP client (load shedding).
� Persistent overload:
– Work harder: handle more SMTP clients (forklift solution).
– Work smarter: stop spambots up-stream (postscreen).
IBM Research
© 2010 IBM Corporation7 Zombies suck the life out of the mailserver
Temporary overload strategy
� Work faster: spend less time per SMTP client.
– Reduce time limits, number of rejected commands, etc.
• Automatic configuration switch in 21 lines of code (2007).
– Will delay some legitimate email.
• From sites with large network latency or packet loss.
• From mailing lists with aggressive timeouts.
– Better to receive some legitimate mail, than no mail.
• OK as long as the overload condition is temporary.
Changing threats
IBM Research
© 2010 IBM Corporation8 Zombies suck the life out of the mailserver
Persistent overload strategies
� Work harder: configure more mail server processes.
– The brute-force, fork-lift approach.
– OK if you can afford network, memory, disk, and CPU.
� Work smarter: keep the zombies away from the server.
– Before-server connection filter.
– More SMTP processes stay available for legitimate email.
Changing threats
IBM Research
© 2010 IBM Corporation9 Zombies suck the life out of the mailserver
Persistent overload - before-smtpd connection filterPrior work: OpenBSD spamd, MailChannels TrafficControl, M.Tokarev
smtpd
smtpd
smtpd
smtpd
post-
screen
Changing threats
other
zombie
zombie
zombie
zombiezombie
zombie
zombie zombie
zombie zombie
zombie
other
other
other
other
other
other. . . . . .
Postfix default: 100 sessions
“new”
IBM Research
© 2010 IBM Corporation10 Zombies suck the life out of the mailserver
postscreen(8) challenges and opportunities
� Zombies are blacklisted within a few hours1.
– Opportunity: reject clients that are in a hurry to send mail.
• Clients that talk too fast: pregreet, command pipelining.
• Other blatant protocol violations.• Fake “temporary” error when stranger connects (greylisting).
� Zombies avoid spamming the same site repeatedly.
– Challenge: decide “it’s a zombie” for single connections.
• Use DNS white- and blacklists as shared intelligence source.
1Chris Kanich et al., Spamalytics: An Empirical Analysis of Spam Marketing Conversion, CCS 2008.
IBM Research
© 2010 IBM Corporation11 Zombies suck the life out of the mailserver
DNS white- and blacklists for email etc.
� Originally conceived by Paul Vixie of ISC.
– The Internet Software Consortium provides reference implementations of DNS, DHCP and more.
– To find out if address 1.2.3.4 is listed at mail.abuse.org, ask for the IP address of 4.3.2.1.mail.abuse.org.
� Popular providers: spamhaus.org, spamcop.net, barracudacentral.org.
– Spam traps and other sensors.
– Some DNS[BW]L providers are free for small users.
IBM Research
© 2010 IBM Corporation12 Zombies suck the life out of the mailserver
postscreen(8) workflowOne daemon screens multiple connections simultaneously
Accept connection
Local W/B list DNS W/B list Protocol tests
Reject mail (and log from, to, client, helo)
Add to temp whitelist
Hand-off to real SMTP server
Fast path: ~0.1 ms
Slow path: up to ~6 seconds
No
Yes Pass
Fail
Changing threats
Drop connection
Query temp whitelist
IBM Research
© 2010 IBM Corporation13 Zombies suck the life out of the mailserver
Detecting spambots that speak to early (pregreet)
� Good SMTP clients wait for the SMTP server greeting:
� Sendmail greet_pause approach: wait several seconds before sending the 220 greeting.
– Very few clients greet too early.
– More clients just give up after a few seconds.
– Manual whitelisting.
SMTP server: 220 server.example.com ESMTP Postfix<CR><LF>
SMTP client: EHLO client.example.org<CR><LF>
Changing threats
IBM Research
© 2010 IBM Corporation14 Zombies suck the life out of the mailserver
Question for dog catchers
� Q: How do I quickly find out if a house has a dog?
� A: Ring the doorbell, and the dog barks immediately.
� postscreen(8) uses a similar trick with botnet zombies.
Changing threats
IBM Research
© 2010 IBM Corporation15 Zombies suck the life out of the mailserver
Making zombies bark - multi-line greeting trap
� Good clients wait for the full multi-line server greeting:
� Many spambots talk immediately after the first line of the multi-line server greeting:
postscreen: 220–server.example.com ESMTP Postfix<CR><LF>
spambot: HELO i-am-a-bot<CR><LF>
mail server: 220–server.example.com ESMTP Postfix<CR><LF>
mail server: 220 server.example.com ESMTP Postfix<CR><LF>
good client: HELO client.example.org<CR><LF>
Changing threats
IBM Research
© 2010 IBM Corporation16 Zombies suck the life out of the mailserver
Over 60% of bots pregreet at mail.charite.de 8% Not on DNS blacklists. Berlin, Aug 26 – Sep 29, 2010
0
1000
2000
3000
4000
5000
0.1 0.5 0.9
Time until pregreet response (seconds)
Pre
gre
et e
ven
ts/d
ay
IBM Research
© 2010 IBM Corporation17 Zombies suck the life out of the mailserver
Over 60% of bots pregreet at mail.charite.de 8% Not on DNS blacklists. Berlin, Aug 26 – Sep 29, 2010
0
200
400
600
800
1000
1200
1400
1600
Pregreet events per day
0.1 0.3 0.5 0.7 0.9
China 1831Vietnam 2668
Brazil 4103India 4516
USA 1201Ukraine 3207
Russia 6115
Pregreet response delay (secs)
IBM Research
© 2010 IBM Corporation18 Zombies suck the life out of the mailserver
Over 70% of bots pregreet at mail.python.org1% Not on DNS blacklists. Amsterdam, Sep 16 – 29, 2010
0
500
1000
1500
2000
2500
3000
3500
Pregreet events per day
0.1 0.3 0.5 0.7 0.9
Vietnam 3887Brazil 4283
India 7058Kazakhstan 1788
Belarus 1843Ukraine 7132
Russia 11247
Pregreet response delay (secs)
IBM Research
© 2010 IBM Corporation19 Zombies suck the life out of the mailserver
SPAM load varies by receiver and time of day
� SPAM load at different receivers:
– A handful countries sends most of today’s spam, but different receivers see different sender volumes.
� SPAM load at different times of day:
– SPAM is a 24-hour operation, but spambots are not.
• SPAM tends to be sent later in the day than HAM1.
1S. Hao et al., Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine.
Usenix Security 2009.
IBM Research
© 2010 IBM Corporation20 Zombies suck the life out of the mailserver
Spam connections/day at small European sites Spam according to zen.spamhaus.org, Sep 3 – 23, 2010
0
5000
10000
15000
mail.python.org(Amsterdam)
mail.charite.de (Berl in)
brazilrussiaindiaukrainevietnamindonesiausachina
Changing threats
60 k/day
108 k/day
IBM Research
© 2010 IBM Corporation21 Zombies suck the life out of the mailserver
Spam volume by source country and hour at mail.charite.de UTC+2Spam according to zen.spamhaus.org, Aug 26 – Sep 29, 2010
01
23
4
5
6
7
8
910
1112
1314
15
16
17
18
19
20
2122
23
Brazil
01
23
4
5
6
7
8
910
1112
1314
15
16
17
18
19
20
2122
23
Russia
01
23
4
5
6
7
8
910
1112
1314
15
16
17
18
19
20
2122
23
India
Changing threats
01
23
4
5
6
7
8
910
1112
1314
15
16
17
18
19
20
2122
23
Vietnam
01
23
4
5
6
7
8
910
1112
1314
15
16
17
18
19
20
2122
23
China
01
23
4
5
6
7
8
910
1112
1314
15
16
17
18
19
20
2122
23
USA
IBM Research
© 2010 IBM Corporation22 Zombies suck the life out of the mailserver
postscreen(8) results and status
� Parallel, weighted, DNS white/blacklist lookup.
� Static white/blacklist, dynamic “fast path” cache.
� Pilot results (small sites, up to 200k connections/day):
– Pregreet (talk too early): up to ~10% not on DNS blacklist.
– Pipelining (multiple commands): ~1% of spambots.
– Hanging zombies (read timeout): ~1% of spambots.
� Other protocol tests to be added as botnets evolve.
� Start planning for extension interfaces.
� Expected release with Postfix 2.8, early 2011.
Changing threats