Internet Safety
Microsoft's Anti-SPAM Strategy and Initiatives

Meng-Chow Kang, CISSP, CISA
Chief Security & Privacy Advisor
Microsoft Asia Pacific

Anti-SPAM Strategies – The Way Forward
ASEAN Telecommunications Regulatory Council (ATRC)
May 3-4, 2005, Cyberjaya, Malaysia


Evolving SPAM Attacks

Virus, Worm, Scams, Spyware, Trojans

• Identity Theft
• Data Leakage/Theft
• DDoS Extortion
• Frauds
• Software Piracy
• Illegal Downloads

Microsoft Anti-Spam Strategy

Around the e-mail user:
• Education & Enablement
• Industry Collaboration & Partnerships
• Govt Partnerships
• Strong Laws & Enforcement

Prevention Agents: Attack detection, Sender reputation, Outbound filtering
Proof (Identity & Evidence): "Sender ID", Computational Cycles, Certificates, Sender Safelists
Protection Filters: SmartScreen (at gateway, server & desktop), Update Service

Technology Strategy

• Build an integrated, distributed system of inter-connected countermeasures
• Target key choke points
• Proof, Prevention and Protection
  - Prevent before it happens
  - Protect against attacks
  - Proof of identity and evidence
• A foundation based on authentication, accreditation and reputation

Why Authentication?

Content Filtering
• Major improvements in last year
• Catch rates ~90%
• False positive problem persists

Sender Reputation
• IP-based reputation
• Domain-based reputation **
• Feedback to help senders improve **

Sender Practices
• Port 25 blocking
• Rate limiting
• Publish SPF record
• Digital signatures
• Proof of work

** Requires sender authentication

Sender ID Framework: An Emerging Standard

A merger and refinement of proposals:
• SPF (Sender Policy Framework)
• Microsoft Caller ID for Email
• IETF MARID working group feedback

Industry collaboration including AOL, Bell Canada, Cisco, Comcast, IBM, Interland, Port25, Sendmail, Symantec, Tumbleweed, VeriSign…; Email Service Providers Coalition, Opengroup Messaging Forum, TRUSTe…

A first step and on a fast track…

Design Goals & Tradeoffs

• Protection: Senders can take immediate steps to protect their brand & domain names
• Accountability: Senders can be held accountable for mail they send
• Ease of adoption: No software changes required for most senders; openly published specification that can be broadly adopted
• Scalability: From small businesses to largest ISPs

Non-Goals: Silver bullet for spam & phishing; solve all email authentication problems; zero cost

What Is Sender ID?

A framework of technical specifications (diagram):
• All Mail Senders: publish an SPF Record
• MTA Vendors & Receiving Networks: perform the Purported Responsible Address (PRA) Check and the MAIL FROM Check
• Submitter: SMTP Optimization
http://www.microsoft.com/senderid

How Does Sender ID Work?

Senders
• One time: Publish SIDF record in DNS using SPF text format
• No other changes required; email sent as normal

Message transits one or more email servers en route to receiver

Receivers
• Determine which domain to check: PRA or MAIL FROM
• Look up sender's SPF record in DNS
• Compare connecting IP address to authorized list from SPF record
  - Match: positive filter input
  - No match: negative filter input

PRA and Mail From Checks

PRA
• Derived from RFC2822 message headers: Resent-Sender, Resent-From, Sender, From
• Identity most often seen by users
• Helps reduce phishing
• Headers must be received and parsed
• More difficult for forwarders

MAIL FROM
• RFC2821 "bounce" address
• Easier adoption for email forwarders
• Helps reduce "joe jobs"
• Checking can begin before message data is received
• Headers can be spoofed
• Headers seen by users are not validated

Interpreting the Results

Range of actions based on check results:
• Accept message
• Reject message
• Use result as input into spam filters
• Indicate result to end users

"Pass" does not mean "good mail": the sender could be a spammer with a domain

Increasing adoption will enable stricter tests:
• Domains with no Sender ID records will have their mail subject to increased scrutiny
• Increase weighting in filtering algorithms

Sample SPF Records

example.com TXT "v=spf1 -all"
  This domain never sends mail

example.com TXT "v=spf1 mx -all"
  Inbound email servers also send outbound mail

example.com TXT "v=spf1 ip4:192.0.2.0/24 -all"
  Specify an IP range

example.com TXT "v=spf1 mx include:myesp.com -all"
  Outsourced email service

example.com TXT "spf2.0/pra ip4:192.0.3.0/24 -all"
  Different configuration for PRA checking
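The receiver-side check described under "How Does Sender ID Work?", run over the records above, as an added Python example (not code from the deck or from Microsoft): it selects the record for the scope being checked (an spf2.0/pra record wins over v=spf1 for PRA checks), then evaluates the connecting IP against the ip4, mx, include and all mechanisms. The DNS data is a constructed in-memory table under assumed subdomains of example.com, and the choice of PRA or MAIL FROM domain is taken as already made.

```python
import ipaddress

# Constructed stand-in for DNS so the check runs offline: TXT records
# modelled on the slide's samples (under assumed subdomains of example.com)
# plus the ESP domain that the include: mechanism points at.
DNS_TXT = {
    "never-sends.example.com": ["v=spf1 -all"],
    "mx-sends.example.com":    ["v=spf1 mx -all"],
    "range.example.com":       ["v=spf1 ip4:192.0.2.0/24 -all"],
    "outsourced.example.com":  ["v=spf1 mx include:myesp.com -all"],
    "myesp.com":               ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dual.example.com":        ["v=spf1 ip4:192.0.2.0/24 -all",
                                "spf2.0/pra ip4:192.0.3.0/24 -all"],
}
# Addresses the receiver would obtain by resolving each domain's MX hosts.
DNS_MX = {
    "mx-sends.example.com":   ["203.0.113.25"],
    "outsourced.example.com": ["203.0.113.26"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def select_record(domain, scope):
    """Pick the record for the scope being checked ('pra' or 'mfrom'):
    an spf2.0 record naming that scope wins; otherwise the v=spf1 record,
    which Sender ID treats as covering both scopes."""
    records = DNS_TXT.get(domain, [])
    for rec in records:
        head = rec.split()[0]
        if head.startswith("spf2.0/") and scope in head[7:].split(","):
            return rec
    for rec in records:
        if rec.startswith("v=spf1"):
            return rec
    return None

def check(domain, client_ip, scope="pra", depth=0):
    """Compare the connecting IP with the domain's authorized list.
    Supports the mechanisms on the slide (ip4, mx, include, all) and
    returns pass, fail, softfail, neutral or none (no usable record)."""
    rec = select_record(domain, scope)
    if rec is None or depth > 10:          # cap include: recursion
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in rec.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        if mech == "all":
            return QUALIFIER[qual]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIER[qual]
        if mech == "mx" and str(ip) in DNS_MX.get(domain, []):
            return QUALIFIER[qual]
        if mech.startswith("include:") and check(mech[8:], client_ip, scope, depth + 1) == "pass":
            return QUALIFIER[qual]
    return "neutral"                        # nothing matched and no 'all'
```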

SPF Record Wizard

Implementation Considerations

Senders
• Administrative (immediate): Publish DNS records identifying authorized outbound email servers
• On-going maintenance of same
• Coordination of e-mail marketing initiatives
• No hard costs or technical overhead

Receivers
• Software (near term): Upgrade inbound email gateway servers to perform Sender ID checks
• Software (optional - medium-long term): Upgrade client software to display results of Sender ID check

"Intermediaries" (forwarders, lists, etc.)
• Software (near term): Upgrade outbound email servers to identify their own domains in messages

Sender ID Supports

Hotmail Sender ID Verification

Outcome
• Over 1 million domains have published their records
  - 19.5% of email volume, after IP blocking and BM
  - Over 16% of the domains sending to Hotmail
  - Top sending domains' records are cached
• Internal tests and "training" since Nov 2004: heuristics integrated into SmartScreen & user feedback loop
• Live worldwide implementation since Jan 2005, transparent to the user
  - ~14.5% of mail rated "good" passes Sender ID check*
  - ~3.9% of mail rated "spam" passes Sender ID check*
  - ~15.7% of mail fails Sender ID check (no match, no PRA, nonexistent domain)

* Source: Participants in Hotmail Feedback Loop, as of 4/25/2005

Benefits of Sender ID

• Protect senders' brand and domain names from spoofing and phishing
• Rapid adoption: senders can publish SPF records today; most senders require no software upgrades
• A foundation for the reliable use of domain names in accreditation, reputation systems & safe lists
• Receivers validate the origin of mail
• Input into more aggressive spam filtering with reduced false positives
• The first step industry will need to take together – there will be more to come, including signing solutions

Proof, Protection & Prevention (roadmap, Today to 3 years +)

• Sender ID Framework
• Signing Solutions
• Computational Cycles / Challenges
• Microsoft SmartScreen™ – Hotmail, Exchange & Outlook
• Accreditation / Reputation – Safelist / Bonded Sender
• Industry Accountability - Port 25 / Open proxy / Zombie Detection…
• Phishing URL detection / mail / browsers

Take Aways

• No silver bullet: blended, evolving threats; nailing one problem may help or expose others
• "Takes a village": cooperation & collaboration; multiple players in the ecosystem
• Will take time: new freeways do not happen overnight

Summary

• All e-mail senders and domains should publish their SPF records today
• Microsoft will initiate checking by year-end
• Network administrators should contact ISP/MTA Vendors for Sender ID Framework integration

Resources

• http://www.microsoft.com/senderid (specs, resources, record wizard)
• http://www.microsoft.com/spam

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Appendix

Sender ID Scenarios
• Direct Delivery
• List Server
• Mobile Carrier
• Guest Email Service

Mail Delivery Scenarios: What Must Senders Do?

Diagram: [email protected] (example.com) sends to [email protected] (woodgrove.com) through a Sender Agent and a Recip. Agent, either by Direct Delivery or via an intermediary (List Server, Mobile Carrier, Guest Email Service, Forwarder) that sits between the two agents.

Direct Delivery

1. Publish outbound server records in DNS using the SPF format
2. Optional: Transmit SUBMITTER parameter on MAIL command

Diagram: [email protected] (example.com) delivers directly to [email protected] (woodgrove.com).

  S: 220 woodgrove.com ESMTP server ready
  C: EHLO example.com
  S: 250-woodgrove.com
  S: 250-DSN
  S: 250-AUTH
  S: 250-SUBMITTER
  S: 250 SIZE
  C: MAIL FROM:<[email protected]>
  S: 250 <[email protected]> sender ok
  C: RCPT TO:<[email protected]>
  S: 250 <[email protected]> recipient ok
  C: DATA
  S: 354 okay, send message
  C: From: [email protected]
  C: (message body goes here)
  C: .
  S: 250 message accepted
  C: QUIT
  S: 221 goodbye

Callouts:
• SUBMITTER extension advertised in EHLO response
• RFC2821 MAIL FROM = RFC2822 From

Mailing List

1. Publish outbound server records in DNS
2. Ensure a "list-owner" style address is present in the message, e.g. Sender: [email protected] (the vast majority of mailing list servers do this today)
3. Optional: Transmit SUBMITTER parameter on MAIL command

Diagram: [email protected] (example.com) posts to the List Server ([email protected], listexample.com), which delivers to [email protected] (woodgrove.com).

  S: 220 woodgrove.com ESMTP server ready
  C: EHLO listexample.com
  S: 250-woodgrove.com
  S: 250-SUBMITTER
  S: 250 SIZE
  C: MAIL FROM:<[email protected]> [email protected]
  S: 250 <[email protected]> sender ok
  C: RCPT TO:<[email protected]>
  S: 250 <[email protected]> recipient ok
  C: DATA
  S: 354 okay, send message
  C: Received By: ...
  C: From: [email protected]
  C: Sender: [email protected]
  C: To: [email protected]
  C: (message body goes here)
  C: .
  S: 250 message accepted
  C: QUIT
  S: 221 goodbye

Callouts:
• SUBMITTER extension advertised in EHLO response
• SUBMITTER parameter added to MAIL command
• Sender header added to message

Mail Forwarder

1. Publish outbound server records in DNS
2. Ensure the forwarding address is present in the message, e.g. Resent-From: [email protected]
3. Optional: Transmit SUBMITTER parameter on MAIL command indicating the forwarding address

Diagram: [email protected] (example.com) sends to the Mail Forwarder ([email protected], alumni.almamater.edu), which forwards to [email protected] (woodgrove.com).

  S: 220 woodgrove.com ESMTP server ready
  C: EHLO alumni.almamater.edu
  S: 250-woodgrove.com
  S: 250-DSN
  S: 250-AUTH
  S: 250-SUBMITTER
  S: 250 SIZE
  C: MAIL FROM:<[email protected]> [email protected]
  S: 250 <[email protected]> sender ok
  C: RCPT TO:<[email protected]>
  S: 250 <[email protected]> recipient ok
  C: DATA
  S: 354 okay, send message
  C: Resent-From: [email protected]
  C: Received By: ...
  C: (message body goes here)
  C: .
  S: 250 message accepted
  C: QUIT
  S: 221 goodbye

Callouts:
• SUBMITTER extension advertised in EHLO response
• SUBMITTER parameter added to MAIL command
• Resent-From header added to message
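The three appendix exchanges, as an added Python example (not the deck's code): it derives the PRA from the headers in the order given on the "PRA and Mail From Checks" slide, pulls the SUBMITTER parameter off the MAIL command, and reports which domain each identity would have the receiver check; per RFC 4405 the receiver then confirms that the SUBMITTER it checked before DATA matches the PRA found after it. Addresses are constructed placeholders, since the deck's own are redacted on this page.

```python
import re

# Constructed client-side lines for the three appendix scenarios; the
# addresses are placeholders (the deck's own are redacted on this page).
SCENARIOS = {
    "direct": [
        "MAIL FROM:<alice@example.com>",
        "From: alice@example.com",
    ],
    "list": [
        "MAIL FROM:<bounces@listexample.com> SUBMITTER=list-owner@listexample.com",
        "From: alice@example.com",
        "Sender: list-owner@listexample.com",
        "To: list@listexample.com",
    ],
    "forwarder": [
        "MAIL FROM:<alice@example.com> SUBMITTER=bob@alumni.almamater.edu",
        "Resent-From: bob@alumni.almamater.edu",
        "From: alice@example.com",
    ],
}

PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")  # RFC 4407 order

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def parse(lines):
    """Separate the envelope (MAIL FROM and its optional SUBMITTER
    parameter) from the RFC 2822 headers sent after DATA."""
    env, headers = {}, {}
    for line in lines:
        m = re.match(r"MAIL FROM:<([^>]*)>(?:\s+SUBMITTER=(\S+))?", line, re.I)
        if m:
            env["mail_from"], env["submitter"] = m.group(1), m.group(2)
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), value.strip())   # first instance wins
    return env, headers

def pra(headers):
    """Purported Responsible Address: the first header present, in order."""
    for name in PRA_ORDER:
        if name in headers:
            return headers[name]
    return None

def identities(lines):
    """Domains a receiver would check under each identity, plus whether the
    SUBMITTER offered before DATA agrees with the PRA found after it."""
    env, headers = parse(lines)
    sub, p = env.get("submitter"), pra(headers)
    return {
        "mail_from": domain(env["mail_from"]),
        "submitter": domain(sub) if sub else None,
        "pra": domain(p) if p else None,
        "submitter_matches_pra": sub is None or (p or "").lower() == sub.lower(),
    }
```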

Computational puzzle flow (diagram):

1. Email user with enabled client composes and sends message
2. Computational puzzle is solved, taking up to 20 seconds
3. Solution is attached to the message
4. Message is sent; it transits through the sender's email server, then the recipient's email server
5. Receiver confirms the puzzle was solved correctly: if yes, the mail is delivered; if not, the message is flagged
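The puzzle flow above, as an added Python example using a hashcash-style proof of work (an assumed scheme, not Microsoft's): the sender searches for a nonce within the 20-second budget, attaches it, and the receiver re-hashes once and either delivers or flags the message.

```python
import hashlib
import time

# Added illustration of the "computational cycles" slide as a hashcash-style
# proof of work (assumed scheme, not Microsoft's): the sender finds a nonce
# whose SHA-256 with the stamp has `bits` leading zero bits and attaches it;
# the receiver re-hashes once to confirm.

def leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()

def stamp_for(message_id, recipient, date):
    """Bind the puzzle to one message so a solution cannot be reused."""
    return f"{date}:{recipient}:{message_id}"

def solve_puzzle(stamp, bits, time_limit=20.0):
    """Sender side: brute-force a nonce, giving up after the time limit
    (the slide allows up to 20 seconds). Returns the nonce or None."""
    deadline = time.monotonic() + time_limit
    nonce = 0
    while time.monotonic() < deadline:
        digest = hashlib.sha256(f"{stamp}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1
    return None

def verify_puzzle(stamp, nonce, bits):
    """Receiver side: one hash, however hard the puzzle was to solve."""
    digest = hashlib.sha256(f"{stamp}:{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= bits

def receiver_decision(stamp, nonce, bits):
    """'deliver' when an attached solution checks out, otherwise 'flag'."""
    if nonce is not None and verify_puzzle(stamp, nonce, bits):
        return "deliver"
    return "flag"

if __name__ == "__main__":
    s = stamp_for("<constructed-id@example.com>", "bob@woodgrove.com", "20050503")
    n = solve_puzzle(s, 20)
    print(n, receiver_decision(s, n, 20))
```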

