Blue Security: Challenges With CAN-SPAM Automation

Eran Reshef

Blue Security, Inc.

Sep 2005

Note: This Presentation Describes

Blue Security’s Phase II Beta

Why Did We Found Blue?

• Internet users do not want to receive spam

• The CAN-SPAM law allows users to opt-out

• In reality, it is extremely difficult to opt-out:

– Faked “reply-to:” addresses

– Broken “unsubscribe” forms

– Unsubscribe usually brings more spam

– Spyware harboring in spam sites

• Even if opt-out was possible, there is too much spam to opt-out from manually

• Our approach: an automated opt-out mechanism

Key Principles

• One opt-out request per each spam message sent to a member’s personal mailbox

• Opt-outs are sent via HTTP to advertisers’ web sites

• Manual analysis to overcome “Joe jobs” and zombie web sites

• No interference with Internet infrastructure

• Opt-outs refer spammers to a hashed registry

Naïve Approach

[Diagram: the spammer sends spam to the user’s mailbox, which hands it to the user’s opt-out software; the software opts out via email ([email protected]) back to the spammer.]

Problems with Naïve Approach

• From address is almost always faked

– Cannot use “From” to email back to spammer

• Sender machine is almost always a zombie

– Emailing the IP owner will reach either a careless admin or an ISP

Opt-out at Merchant’s Site

[Diagram: the spammer sends spam to the user’s mailbox, which hands it to the user’s opt-out software; the software opts out via HTTP ([email protected]) to the merchant’s web site.]

Mechanics of Opt-Out Requests

• Open an HTTP session to the merchant’s site

• Politely crawl site to locate all HTML forms

– Spammers randomize links to prevent automated opt-out requests, so crawling is necessary

– Max 3 connections (Internet Explorer’s default)

– Several seconds pause between each request

• Post opt-out text in HTML forms

– Ignore client-side validation (JavaScript)

– No use of random information (e.g., credit cards)

Problems

• What is spam?

– Legitimate email is sometimes perceived by users as spam

• Joe Jobs

– For only $250, one could get millions of emails appearing to advertise a competitor

• Zombie web sites

– Few spam sites (and all phishing sites) are hosted on compromised home computers

Analysis Service

[Diagram: the spammer sends spam to the user’s mailbox; the user’s opt-out software forwards suspected spam to Blue’s Analysis, receives opt-out instructions, and opts out via HTTP ([email protected]) to the spammer’s web site.]

Analysis Service Overview

• Tracking and researching very few top spammers at each point in time

– Currently less than 15 online pharmacies

• Extensive manual verification of web sites

– White lists, black lists, Internet searches, etc.

• Relying on honeypots for deciding which web sites are spammers, not user reports

Spam Currently Not Handled

• Emails not sent by the few tracked spammers

• Emails advertising legitimate companies

• Emails advertising sites hosted in legitimate ISPs (e.g., US based)

• Emails advertising sites hosted anywhere but spam-friendly ISPs

• Emails without URLs

• Emails sent only to users, not to honeypots

Problems

• Opt-out text reveals email address of user

Hashed Registry

[Diagram: the user’s opt-out software submits addresses to Blue’s Registry, which exposes them only as hashed addresses to the spammer; suspected spam goes to Blue’s Analysis, which returns opt-out instructions; the opt-out via HTTP refers the spammer’s web site to the registry.]

Registry Overview

• Registry entry does not validate a “live address”:

– Hashed email addresses of users

– High number of hashed addresses of honeypots

• Registry has a controlled level of false-positives to protect against brute-force attacks

• The registry itself and email cleaning tools (including source code) are offered free of charge to anyone
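As an added example (not Blue Security’s code; the slides name neither the hash function nor how false positives were tuned), the following Python sketches a do-not-intrude registry of the kind described above: addresses are stored only as truncated hashes, honeypot addresses are mixed in, and the truncation sets a controlled false-positive rate, so a registry hit neither reveals an address nor proves it is live. The SHA-256-with-truncation scheme, the bit width and the sample addresses are all assumptions.

```python
import hashlib
from typing import Iterable, List, Set

# Assumed scheme (the slides name neither the hash nor the truncation):
# SHA-256 of the normalized address, truncated to PREFIX_BITS bits. Unrelated
# addresses then collide at roughly len(registry) / 2**PREFIX_BITS, which is
# the "controlled level of false positives" that frustrates brute-force probing.
PREFIX_BITS = 20


def normalize(addr: str) -> str:
    """Canonical form hashed by both the registry and the cleaning tool."""
    return addr.strip().lower()


def registry_token(addr: str) -> int:
    """Truncated hash stored in the registry; it cannot be reversed to an address."""
    digest = hashlib.sha256(normalize(addr).encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - PREFIX_BITS)


def build_registry(members: Iterable[str], honeypots: Iterable[str]) -> Set[int]:
    """Member and honeypot addresses are indistinguishable once hashed."""
    return {registry_token(a) for a in (*members, *honeypots)}


def is_registered(addr: str, registry: Set[int]) -> bool:
    """A hit means: do not mail this address. It does not prove the address is live."""
    return registry_token(addr) in registry


def clean_list(mailing_list: Iterable[str], registry: Set[int]) -> List[str]:
    """What a sender runs before a campaign: drop every registered address."""
    return [a for a in mailing_list if not is_registered(a, registry)]


def expected_false_positive_rate(registry: Set[int]) -> float:
    """Chance that a random, unregistered address is rejected by clean_list."""
    return len(registry) / 2 ** PREFIX_BITS


# Constructed sample data: two members and fifty honeypot addresses.
MEMBERS = ["alice@example.com", "Bob@Example.org"]
HONEYPOTS = [f"trap{i}@example.net" for i in range(50)]
REGISTRY = build_registry(MEMBERS, HONEYPOTS)

if __name__ == "__main__":
    campaign = ["bob@example.org", "carol@example.com", "trap7@example.net"]
    print(clean_list(campaign, REGISTRY))
    print(f"expected false-positive rate: {expected_false_positive_rate(REGISTRY):.1e}")
```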

Problems

• Bypassing ISP’s abuse teams

• Not leveraging existing anti-spam policies of other Internet entities (e.g., domain registrars)

• Not allowing spammers to clean their lists before receiving opt-out requests

Spam Reports

[Diagram: as in the Hashed Registry diagram (addresses and hashed addresses flow through Blue’s Registry; suspected spam goes to Blue’s Analysis, which returns opt-out instructions), with Blue’s Analysis additionally sending spam reports to registrars, ISPs and others, and to the spammer’s web site.]

Spam Reports Overview

• Reports are sent mainly to hosting ISPs and to advertisers’ sites

• One report is sent on behalf of all the members

• Reports are usually sent via emails to abuse desks of relevant parties

Do Not Intrude Registry Stats

• 25,000 members

• ~250,000 spam/day received

• Typical case

– 15,000 opt-out requests sent by members over a period of 10 hours to a leading spamvertised online pharmacy

– Spammer shut down all his domains a few hours after the sending of opt-out requests ended

Opting-out is Not DDoS

• Legitimate traffic

– Each member submits one opt-out request per each spam message sent to his or her personal mailbox

• Invited traffic

– Each spam is an invitation to visit the advertiser’s site

• Low-volume traffic

– Each opt-out request mimics a user submitting one opt-out request at the spammer’s site

• No synchronization

– Blue Security does not initiate or control timing of opt-out requests

• Intention

– Exercise opt-out right granted under CAN-SPAM law

Spammer’s Perspective

• Spammer sends 10M messages

• Spammer should expect ~800,000 visitors

– Industry average is 8% response rate (source: DoubleClick)

• Spammer is required by law to support 10M opt-out requests

• If the spammer is a legitimate business, he should have no problem handling even the entire Blue community (25,000 users).

Members Are Not Zombies

• Members select which spam to complain about (1st control point)

• Members can stop all opt-outs (2nd control point)

• Full logging (3rd control point)

• Members can uninstall the Blue Frog (4th control point)

• Compare to challenge/response systems (e.g., Qurb, acquired by Computer Associates)

This Will Not Make Things Worse

• “Successful” steady state

– Spammers do not send spam to registered members

– Members do not send opt-out requests

– Much less spam in the Internet

• “Failure” steady state

– Spammers ignore registry

– Community disbands

– Same traffic as before

• Transient state is short and involves a small community, so there is no real impact on Internet traffic

Summary

• Do Not Intrude Registry is an implementation of an automated opt-out mechanism in a secure and responsible manner

• Initial signs spammers may respect opt-out requests

• Blue Security is interested in cooperation with ISPs and anti-spam vendors

• Q & A

Backup Slides

Spammer’s Countermeasures

• Spam URLs contain email validation tokens

– Analysis service substitutes member-reported URL with honeypot-reported URL

• Spammer redirects traffic to legitimate domains or IP addresses

– Each opt-out request is limited to specific domains and IP ranges

• More countermeasures are expected

Spam Is Not a Solved Problem

• Even a low false positive ratio is unacceptable to some users

– Salespeople do not wish to miss even one customer

• Even a low false negative ratio is unacceptable to some users

– Religious people are offended by porno spam

• Many users cannot afford top-notch filters

– In many countries, ISPs charge extra for filters

More Information

• www.ftc.gov/bcp/conline/edcams/spam/rules.htm - The Federal Trade Commission's summary page of Rules, Regulations and Acts regarding unsolicited commercial Email, pornographic and offensive Email, and Email fraud.

• www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm - The Federal Trade Commission's Requirements for Commercial Emailers.

• www.bluesecurity.com – Blue Security’s web site