Cal Poly
Title V Project
Spam and Denial of Service Attacks
Spam is flooding the Internet with many copies of the same
message, in an attempt to force the message on people who would not otherwise
choose to receive it. Most spam is unsolicited commercial advertising, often
for dubious products, get-rich-quick schemes, or quasi-legal services. There
are two main types of spam, and they have different effects on Internet users.
Usenet spam is a single message sent to 20 or more Usenet newsgroups. Email
spam targets individual users with direct mail messages. Email spam lists are
often created by scanning Usenet postings, stealing Internet mailing lists, or
searching the Web for addresses. Spamming is the scourge of electronic-mail and
newsgroups on the Internet. It can seriously interfere with the operation of
public services and an individual’s e-mail system. Spammers are, in effect,
taking resources away from users and service suppliers without compensation and
without authorization. The problem is getting worse as the number of unsolicited email messages is expected to increase from 68.9 billion
this year to 75.6 billion next year.
A "denial-of-service" attack is characterized by an explicit attempt by
attackers to prevent legitimate users of a service from using that service.
Examples include:
o attempts to "flood" a network, thereby preventing legitimate network traffic
o attempts to disrupt connections between two machines, thereby preventing access to a service
o attempts to prevent a particular individual from accessing a service
o attempts to disrupt service to a specific system or person
1.2 Problem
A denial-of-service attack typically causes harm by
o overloading network connections
o using all available system resources
o filling the disk as a result of multiple postings and the resulting syslog entries
1.2 Prevention
Unfortunately it
is difficult to prevent email spam because any valid email address can send a
message to another valid email address, and it is impossible to determine the
origin of the next attack. It used to be easy
to track down spammers. All it took to block spam was a firewall or mail server
rules that denied access from the spammers' domain. Spammers today use
commercial tools designed to hide the source of the spam, and they use
third-party sites as relays so the spam won't be blocked before it reaches its
victims. Here are 4 possible solutions from an article
found on the
1. Develop in-house tools to help you recognize and respond to the email
bombing/spamming and so minimize the impact of such activity. The tools should
increase the logging capabilities and check for and alert you to
incoming/outgoing messages that originate from the same user or same site in a
very short span of time. Once you identify the activity, you can use other
in-house tools to discard the messages from the offending users or sites.
2. If your site uses a small number of email servers, you may want to
configure your firewall to ensure that SMTP connections from outside your firewall
can be made only to your central email hubs and to none of your other systems.
Although this will not prevent an attack, it minimizes the number of machines
available to an intruder for an SMTP-based attack (whether that attack is an
email spam or an attempt to break into a host). It also means that should you
wish to control incoming SMTP in a particular way (through filtering or another
means), you have only a small number of systems--the main email hub and any
backup email hubs--to configure. More information on filtering is available
from
3. Educate your users to call you about email bombing and spamming.
4. Do not propagate the problem by forwarding (or replying to) spammed email.
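Solution 1 above calls for a tool that alerts on many messages arriving from the same user or the same site within a very short span of time. The following is an added example of that check (not code from the Cal Poly project or the article it cites): a sliding-window burst detector run over constructed mail-log lines in an assumed "timestamp relay= from= to=" format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample mail-log lines (not from any real server). Assumed format:
# "<ISO timestamp> relay=<client host> from=<envelope sender> to=<recipient>"
SAMPLE_LOG = """\
2003-05-08T10:00:00 relay=mail.example.org from=alice@example.org to=bob@calpoly.edu
2003-05-08T10:00:01 relay=bulk.spam-site.test from=offer@spam-site.test to=u1@calpoly.edu
2003-05-08T10:00:02 relay=bulk.spam-site.test from=offer@spam-site.test to=u2@calpoly.edu
2003-05-08T10:00:03 relay=bulk.spam-site.test from=deal@spam-site.test to=u3@calpoly.edu
2003-05-08T10:00:04 relay=bulk.spam-site.test from=offer@spam-site.test to=u4@calpoly.edu
2003-05-08T10:00:05 relay=bulk.spam-site.test from=offer@spam-site.test to=u5@calpoly.edu
2003-05-08T10:09:00 relay=mail.example.org from=alice@example.org to=carol@calpoly.edu
"""
LINE_RE = re.compile(r"^(\S+) relay=(\S+) from=(\S+) to=(\S+)$")

def parse(line):
    """Split one log line into (timestamp, relay host, sender, recipient)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, relay, sender, rcpt = m.groups()
    return datetime.fromisoformat(ts), relay, sender, rcpt

def burst_alerts(log_text, threshold=4, window_seconds=60):
    """Alert once per sender ("user") and per relay host ("site") that delivers
    `threshold` or more messages inside any `window_seconds` sliding window.
    Returns (kind, key, count, time of alert) tuples in the order they fire."""
    windows = defaultdict(deque)   # (kind, key) -> recent timestamps
    alerts, fired = [], set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue               # skip lines in another format
        ts, relay, sender, _ = rec
        for kind, key in (("user", sender), ("site", relay)):
            q = windows[(kind, key)]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()        # drop timestamps older than the window
            if len(q) >= threshold and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, key, len(q), ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in burst_alerts(SAMPLE_LOG):
        print("ALERT", *alert)
```

Tracking the relay host as well as the sender matters because, as the text notes, spammers rotate sender addresses while the delivering site stays the same.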
Here are some alternate methods of stopping unsolicited email spam:
o Ensure that all necessary security patches have been applied to the server.
o Check to see if the web server is capable of acting as an open relay for spam.
o Develop an email policy to inform and educate users about spam and what
they can do to reduce it, such as using junk filters provided by their email
client. The following list is suggested by Kelly Haggerty of SurfControl
(http://www.techrepublic.com/article.jhtml?id=r00620020508hoo01.htm&src=search):
1. Tell users never to respond to spam e-mail messages. Sending a reply, even if it's a request to be taken off a list, confirms a user at an address and encourages the spammer to send more mail.
2. Include guidance in your Internet use policy forbidding the use by employees of their company e-mail addresses when surfing or shopping online.
3. Subscribe to "real time black hole" list services that block delivery of e-mails from known spammers.
4. Subscribe to a Signature Database List, which prevents the delivery of known spam and other digital junk. And make sure you update the subscription list regularly to ensure the most complete protection.
5. Install content filtering tools that scan and block e-mail messages that include suspect text like "Get Rich Quick" or similar subject words and phrases, and those with multiple forwards or huge distribution lists.
Here is another list of possible recommendations to stop spam. This is from the Networking Group at Chalmers University of Technology (ftp://ftp.isi.edu/in-notes/rfc2505.txt)
1. Must be able to restrict unauthorized use as Mail Relay.
2. Must be able to provide "Received:" lines with enough information to make it possible to trace the mail path, despite spammers' use of forged host names in HELO statements etc.
3. Must be able to provide local log information that makes it possible to trace the event afterwards.
4. Should be able to log all occurrences of anti-relay/anti-spam actions.
5. Should be able to refuse mail from a host or a group of hosts.
6. Should be able to limit ("Rate Control") mail flow.
7. Should be able to verify "MAIL From:" domain (using DNS or other means).
8. Should be able to verify in outgoing mail.
9. Should be able to control SMTP VRFY and EXPN.
10. Should be able to control SMTP ETRN.
11. Must be able to configure to provide different Return Codes for different rules (e.g. 451 Temp Fail vs. 550 Fatal Error).
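As an added illustration of items 1, 5, 7 and 11 from the RFC 2505 list above (example code, not text from the RFC or from this project), the function below decides the reply to one RCPT TO; the networks, domains and the FAKE_DNS table are constructed stand-ins for a real site's configuration and DNS lookup.

```python
import ipaddress

# Constructed policy data for this example (not a real site's configuration).
LOCAL_DOMAINS = {"calpoly.edu"}                              # domains we accept mail for
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]      # our own clients may relay out
BLOCKED_HOSTS = [ipaddress.ip_network("198.51.100.0/24")]    # item 5: refuse a group of hosts
# Stand-in for the DNS lookup of item 7: True = resolves, False = no such domain,
# None = lookup timed out. A real MTA would query MX/A records instead.
FAKE_DNS = {"calpoly.edu": True, "example.org": True,
            "nowhere.invalid": False, "slow.test": None}

def domain_of(address):
    """Domain part of an address, lower-cased; empty for the null sender."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def smtp_policy(client_ip, mail_from, rcpt_to):
    """Return the (code, text) reply for one RCPT TO, applying items 1, 5, 7
    and 11 of the RFC 2505 list: refuse blocked hosts, refuse unauthorized
    relaying, verify the MAIL From: domain, and answer 451 (retry later) or
    550 (fatal) depending on which rule fired."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in BLOCKED_HOSTS):
        return 550, "Access denied: host is blocked"
    local_client = any(ip in net for net in RELAY_NETWORKS)
    local_rcpt = domain_of(rcpt_to) in LOCAL_DOMAINS
    if not local_client and not local_rcpt:
        # Item 1: an outside host asking us to deliver to another outside domain
        return 550, "Relaying denied"
    if mail_from:  # the null sender <> is legitimate for bounces, so not checked
        resolves = FAKE_DNS.get(domain_of(mail_from), False)
        if resolves is None:
            return 451, "Temporary failure resolving sender domain, try later"
        if resolves is False:
            return 550, "Sender domain does not resolve"
    return 250, "Recipient OK"

if __name__ == "__main__":
    for args in [("203.0.113.5", "offer@example.org", "victim@elsewhere.net"),
                 ("203.0.113.5", "alice@example.org", "bob@calpoly.edu"),
                 ("203.0.113.5", "x@slow.test", "bob@calpoly.edu")]:
        print(args, "->", smtp_policy(*args))
```

The 451/550 split is the point of item 11: a transient DNS failure should make a legitimate sender retry, while a non-existent domain or a relay attempt should be rejected permanently.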