Security Laboratory: Methods of Attack Series
These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.
Spam and Flooding
May 15th, 2007
By Stephen Northcutt
"Spam is a term used to describe unsolicited email,
also known as unsolicited commercial email (UCE) or junk email. The
messages are usually mass mailed and considered invasive by those who
receive them. If you haven't heard of spam before, you probably haven't
received much of it and should consider yourself lucky. The name is
generally believed to come from the song in a Monty Python skit where
the Vikings sing "Spam spam spam spam, spam spam spam spam, lovely
spam, wonderful spam"- a continuing repetition of worthless text,
eventually drowning out all other communication."[1] "The way in which
the Monty Python skit was connected to the act of unsolicited
communication came from the Multi-User Dungeon (MUD) community. One
member of that community, after becoming upset with his treatment by
some of the other members, created a macro to repeat the word spam
several times in the MUD environment during a sacred hatching. Later
on, MUD members would refer to the event as the time they got
"spammed.""[2] "For historical purposes, the first documented case of
spam is a letter sent in 1978 by the company Digital Equipment
Corporation. This company sent an advertisement about its DEC-20
computer to all ArpaNet users (precursor of the Internet) on the west
coast of the United States. However, the word spam was not coined until
1994, when an advertisement appeared in Usenet from the lawyers
Lawrence Cantera and Martha Siegel. It provided information about their
service for completing entry forms for United States work permits."[3]
"Traditionally, spam has been thought of more as an inconvenience,
requiring workers to sift through and delete dozens and sometimes
hundreds of e-mail messages per day. There has been a debate over how
much of this sifting and deleting affects employee productivity."[4]
According to the NY Times, "Spam is one of those areas where we see a
severe impact on productivity," said Rebecca Wettemann, research
director of Nucleus. "The average worker receives 13.3 spam messages a
day, which takes six and a half minutes to process. Do the math and
that comes to 1.4 percent of their productive time."[5]
"If your employees are bombarded by spam, then they have to determine
what is real and what is fake, and that puts your employees and your
business at risk. The majority of the spam you get is useless and
harmless, but mixed in the pile of junk are emails with web links that
could lead to websites that could dupe your employees into downloading
malicious code into your business computer network."[6] Perhaps the
greatest concern is when your employees reply to spam, validating their
email address and giving information away.
In terms of information warfare, spam is an example of asymmetric
warfare: the cost of sending spam via a botnet is low, and "response rates
to bulk commercial email are less than 0.005 per cent. That means that
a typical email message appeals to 50 people and annoys 999,950."[7]
However, spammers can break even at a response rate of 0.001, and botnets are only growing.[8]
SPAM Management
Having established the case that spam is a problem both as an
additional cost and as a security risk, we consider how to manage
this problem.
Sender Permitted From, or SPF, is a new protocol that works in
conjunction with existing e-mail protocols to ensure that a person
sending an e-mail on behalf of a given address has the right to do so.
"SPFv1 allows the owner of a domain to specify their mail sending
policy, e.g. which mail servers they use to send mail from their
domain. The technology requires two sides to play together: (1) the
domain owner publishes this information in an SPF record in the
domain's DNS zone, and when someone else's mail server receives a
message claiming to come from that domain, then (2) the receiving
server can check whether the message complies with the domain's stated
policy. If, e.g., the message comes from an unknown server, it can be
considered a fake."[9]
SPF is basically a reverse MX record for Domain Name System (DNS).
Normally, a domain publishes an MX record to tell the world what
machines can receive e-mail for a given domain. SPF lets the same
domain publish a record to tell the world what machines send mail from
the domain. Computers that receive e-mail can then check incoming mail
(during the POP3 conversation) against the SPF record to make sure the
mail is indeed coming from the domain it's allegedly written from.[10]
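As an added example (not code from the original article or from the SPF project), the following Python evaluates a connecting client's IP address against the sending policy a domain publishes in DNS. It assumes a constructed DNS TXT table in place of live lookups and supports only the ip4, ip6, include and all mechanisms; mechanisms that need further DNS resolution (a, mx, ptr, exists) are reported as unsupported. The receiving MTA performs this check during the SMTP session, using the connecting IP and the domain of the MAIL FROM envelope sender, before it accepts the message for delivery.

```python
import ipaddress

# Constructed DNS TXT table standing in for live DNS lookups (assumption: this
# is an offline demo; a real checker resolves the domain's TXT records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefixes and the result each yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf_terms(domain):
    """Return the mechanisms of a domain's SPF record, or None if it has none."""
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return None
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def check_spf(client_ip, domain, depth=0):
    """Evaluate the connecting IP against the domain's published sending policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # guard against include loops (RFC 7208 caps DNS-querying terms)
        return "permerror"
    terms = lookup_spf_terms(domain)
    if terms is None:
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # 'in' is False when the address and network families differ
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = check_spf(client_ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # include matches only on an inner pass
        else:
            # a, mx, ptr, exists and modifiers such as redirect= need live DNS;
            # the offline demo treats them as unsupported
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def check_mail_from(client_ip, mail_from):
    """Run the SPF check on the envelope sender seen at SMTP MAIL FROM time."""
    domain = mail_from.rsplit("@", 1)[-1].strip("<>")
    return check_spf(client_ip, domain)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "203.0.113.5"):
        print(ip, check_mail_from(ip, "<alice@example.com>"))
```

What the MTA does with each result is local policy: a fail is commonly rejected with a permanent SMTP error, while softfail, neutral and none are usually accepted and fed into downstream scoring rather than refused outright, since many legitimate domains publish loose or no records.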
Another tool to battle Spam is Bayesian Filtering. This was first
proposed in a paper by Paul Graham. It basically says e-mail with
certain words (e.g., Viagra, Impotence) is more likely to be Spam. In
particular, this technique works well when Spammers use variants of the
words to try to avoid simple Spam filters (e.g., vIagra, Imp0tence).[11]
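To make the technique concrete, here is an added Python implementation of the token-probability scheme from Graham's essay (example code, not from the original article or from Graham): each token's spam probability is estimated from how often it appears in spam versus legitimate mail, the most "interesting" tokens of a new message are combined into one score, and anything above 0.9 is treated as spam. The training corpus is constructed for the demo; a real deployment trains on the site's own mail.

```python
import re
from collections import Counter

TOKEN_RE = re.compile(r"[A-Za-z0-9$!'-]+")


def tokenize(text):
    """Lower-cased tokens; an obfuscated spelling such as 'v1agra' becomes its
    own token and, once seen in enough spam, earns its own high probability."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


class GrahamFilter:
    """Naive Bayesian spam filter following the scheme in Graham's essay."""

    def __init__(self):
        self.good = Counter()  # token -> number of ham messages containing it
        self.bad = Counter()   # token -> number of spam messages containing it
        self.ngood = 0
        self.nbad = 0

    def train(self, text, is_spam):
        tokens = set(tokenize(text))  # count each token once per message
        if is_spam:
            self.bad.update(tokens)
            self.nbad += 1
        else:
            self.good.update(tokens)
            self.ngood += 1

    def token_prob(self, token):
        """P(spam | token), clamped to [0.01, 0.99]; 0.4 for rare or unseen tokens."""
        if self.ngood == 0 or self.nbad == 0:
            return 0.4
        g = 2 * self.good[token]  # ham counts are doubled to bias against false positives
        b = self.bad[token]
        if g + b < 5:
            return 0.4
        bad_ratio = min(1.0, b / self.nbad)
        good_ratio = min(1.0, g / self.ngood)
        return max(0.01, min(0.99, bad_ratio / (good_ratio + bad_ratio)))

    def score(self, text, top_n=15):
        """Combine the N token probabilities furthest from 0.5 into one score."""
        probs = [self.token_prob(t) for t in set(tokenize(text))]
        if not probs:
            return 0.4
        interesting = sorted(probs, key=lambda p: abs(p - 0.5), reverse=True)[:top_n]
        prod, prod_inv = 1.0, 1.0
        for p in interesting:
            prod *= p
            prod_inv *= 1.0 - p
        return prod / (prod + prod_inv)

    def is_spam(self, text, threshold=0.9):
        return self.score(text) > threshold


# Constructed training corpus (assumption: six messages per class is far too
# small for production; it is only enough to show the mechanics).
SPAM_TRAINING = [
    "buy cheap viagra now click here",
    "cheap viagra discount click today",
    "viagra buy now cheap offer click",
    "click here for cheap viagra pills",
    "buy viagra cheap online click",
    "discount offer viagra cheap pills click",
]
HAM_TRAINING = [
    "meeting tomorrow bring the quarterly report",
    "please review the attached report before the meeting",
    "schedule the meeting for thursday",
    "the report schedule is attached",
    "can we move the meeting to friday",
    "quarterly report review meeting schedule",
]


def build_demo_filter():
    f = GrahamFilter()
    for msg in SPAM_TRAINING:
        f.train(msg, is_spam=True)
    for msg in HAM_TRAINING:
        f.train(msg, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("cheap viagra click now", "meeting report schedule"):
        print(f"{f.score(msg):.4f}  {msg}")
```

The per-site training is what defeats simple word-list evasion: a variant spelling that never appears in the site's legitimate mail converges on a probability near 0.99 as soon as it has been seen a handful of times in spam, with no rule to write.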
Yet another novel tool is greylisting. The method
is very simple. It only looks at three pieces of information (which we
will refer to as a triplet from now on) about any particular mail
delivery attempt:
- The IP address of the host attempting the delivery
- The envelope sender address
- The envelope recipient address
If we have never seen this triplet before, then refuse this delivery and any others that may come within a certain period of time, with a temporary failure.
Since SMTP is considered an unreliable transport, the possibility of temporary failures is built into the core spec (see RFC 821). As such, any well behaved message transfer agent (MTA) should attempt retries if given an appropriate temporary failure code for a delivery attempt (see below for a discussion of issues concerning non-conforming MTAs).[12]
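The decision logic described above, as an added Python example (not code from the original article or from the greylisting whitepaper): the MTA keys a table on the triplet, answers a first-seen triplet with a 451 temporary failure, accepts a retry that arrives after the initial delay but within the retry window, and thereafter lets that triplet through without delay. The delay, window and whitelist lifetime are constructed defaults; the `now` parameter exists so the behaviour can be checked without waiting.

```python
import time

TEMP_FAIL = "451 4.7.1 Greylisted, try again later"  # SMTP temporary failure
ACCEPT = "250 OK"


class Greylist:
    """Triplet-based greylisting decision for an MTA's RCPT TO stage.

    Constructed defaults: a new triplet is refused for `delay` seconds, must be
    retried within `retry_window`, and once verified is accepted without delay
    until it goes unused for `whitelist_ttl`.
    """

    def __init__(self, delay=300, retry_window=4 * 3600, whitelist_ttl=36 * 24 * 3600):
        self.delay = delay
        self.retry_window = retry_window
        self.whitelist_ttl = whitelist_ttl
        self.seen = {}  # triplet -> [first_seen, last_seen, verified]

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Addresses are case-folded; the IP is used as-is (many deployments key
        # on the /24 instead so a farm of outbound relays still passes on retry).
        return (client_ip, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply the MTA should give for this delivery attempt."""
        now = time.time() if now is None else now
        key = self.triplet(client_ip, sender, recipient)
        entry = self.seen.get(key)

        expired_whitelist = entry is not None and entry[2] and now - entry[1] > self.whitelist_ttl
        too_late = entry is not None and not entry[2] and now - entry[0] > self.retry_window
        if entry is None or expired_whitelist or too_late:
            # never seen, whitelist entry expired, or retry came too late:
            # (re)start the clock and issue a temporary failure
            self.seen[key] = [now, now, False]
            return TEMP_FAIL

        first_seen, _, verified = entry
        if not verified and now - first_seen < self.delay:
            return TEMP_FAIL  # retried too early; a well-behaved MTA will come back

        entry[1] = now
        entry[2] = True  # a retry inside the window proves a real queueing MTA
        return ACCEPT

    def stats(self):
        """Counts of the kind reported in greylisting trials."""
        verified = sum(1 for e in self.seen.values() if e[2])
        return {"triplets": len(self.seen), "delivered": verified,
                "unverified": len(self.seen) - verified}


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000.0
    for offset in (0, 60, 600, 601):  # constructed retry timeline
        print(offset, g.check("192.0.2.10", "alice@example.com", "bob@example.org", now=t0 + offset))
    print(g.stats())
```

The spam-side effect is the "unverified" count: a bot that fires a message once and never queues it for retry never gets past the 451. The cost is the delay on first contact with any new sender, which is why verified triplets are kept for weeks rather than re-challenged on every message.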
Does it actually work? In one test that reported results in March 2007, "We now have 372 users testing greylisting for us and here are the results for 50 days:[13]
- 1.207.925 mails were subject to greylisting
- 844.409 were actually delayed
- 323.879 were actually delivered to the final recipient
- 742.266 were possible spams and weren't delivered"
SpamAssassin, which we use at SANS, uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around. Tests include Bayesian filters and typical address black list information, each contributing a weight to an overall score; the full list of tests can be seen at [14].
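The scoring model behind that approach, as an added Python example (not SpamAssassin's code; the rule names, regexes, scores, blocklist and Bayesian bucket boundaries are all constructed for illustration): several independent local tests, a network reputation lookup and the output of a Bayesian classifier each contribute a weight, the weights are summed, and the message is spam if the total reaches a threshold. The 5.0 threshold matches SpamAssassin's default required_score; everything else here is invented.

```python
import re

# Constructed local rules (assumption): name, predicate over the raw message, score.
LOCAL_RULES = [
    ("SUBJ_ALL_CAPS", lambda m: re.search(r"^Subject:\s*[A-Z0-9 !$]{12,}$", m, re.M) is not None, 1.5),
    ("FREE_OFFER", lambda m: re.search(r"\b(free|act now|100% guaranteed)\b", m, re.I) is not None, 1.2),
    ("NO_MESSAGE_ID", lambda m: re.search(r"^Message-ID:", m, re.M | re.I) is None, 0.8),
    ("OBFUSCATED_DRUG", lambda m: re.search(r"v[i1!]agra", m, re.I) is not None, 2.0),
]

# Constructed DNS blocklist (assumption) standing in for a live DNSBL query.
DNSBL = {"198.51.100.77": "constructed entry: known spam source"}
NETWORK_RULES = [("RCVD_IN_DNSBL", lambda ip: ip in DNSBL, 3.0)]

# A Bayesian classifier's probability is folded in as bucketed rules so it is
# one weighted vote among many rather than the sole decider (buckets constructed).
BAYES_SPAM_BUCKETS = [(0.99, "BAYES_99", 3.5), (0.95, "BAYES_95", 3.0),
                      (0.80, "BAYES_80", 2.0), (0.50, "BAYES_50", 0.8)]
BAYES_HAM_BUCKETS = [(0.01, "BAYES_00", -1.9), (0.05, "BAYES_05", -0.5)]

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def score_message(raw, client_ip, bayes_prob=None):
    """Return (total score, rule hits, is_spam) for one message."""
    hits = {}
    for name, test, weight in LOCAL_RULES:
        if test(raw):
            hits[name] = weight
    for name, test, weight in NETWORK_RULES:
        if test(client_ip):
            hits[name] = weight
    if bayes_prob is not None:
        for floor, name, weight in BAYES_SPAM_BUCKETS:
            if bayes_prob >= floor:
                hits[name] = weight
                break
        else:  # no spam bucket matched: check for a strong ham signal
            for ceiling, name, weight in BAYES_HAM_BUCKETS:
                if bayes_prob <= ceiling:
                    hits[name] = weight
                    break
    total = round(sum(hits.values()), 1)
    return total, hits, total >= REQUIRED_SCORE


# Constructed sample messages.
SPAM_MSG = """From: promo@example.net
To: bob@example.org
Subject: BUY NOW SAVE BIG $$$

Act now for a free supply of V1agra, 100% guaranteed.
"""

HAM_MSG = """From: alice@example.com
To: bob@example.org
Subject: Quarterly report review
Message-ID: <20070515.1@example.com>

Can we move the meeting to Friday? The report is attached.
"""


if __name__ == "__main__":
    print(score_message(SPAM_MSG, "198.51.100.77", bayes_prob=0.97))
    print(score_message(HAM_MSG, "192.0.2.10", bayes_prob=0.02))
```

The defensive value of summing many small weights is that no single evasion (a forged Message-ID, a clean sending IP, a rephrased subject) flips the verdict on its own; the spam sample above still scores well past the threshold with any one rule removed.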
Flooding attacks are very closely related to resource exhaustion attacks using e-mail. To date they are rare, but they do have the potential to allow spam bot owners to join the extortion game if anti-spam products nullify their current economic advantage. Here are two real world examples:
"During the first half of 1997, Langley Air Force Base was attacked repeatedly via the Internet with a wide range of automated Simple Mail Transfer Protocol (SMTP) mail bombs. Most e-mail bombs have one primary objective: flood the e-mail server so that it becomes unavailable or is unserviceable. These e-mail attacks may also be used to forge the identity of the attacker, degrade the availability of communications systems, undermine the integrity of organizations, or covertly distribute illicit material."[15]
A UK teenager who had been accused of launching a denial-of-service (DoS) attack against his former employer has been cleared of charges because the wording of the Computer Misuse Act (CMA) does not make DoS attacks a crime. The unnamed youth was charged under section 3 of the CMA, which deals with unauthorized data modification and system tampering. His defense argued that the alleged flood of unsolicited e-mail constituted neither unauthorized access nor modification because the purpose of the e-mail server was to receive e-mail messages. District Judge Kenneth Grant remarked that the "computer world has changed since the 1990 Act" but that the teen's acts were not illegal under the CMA. Peter Sommer, an expert witness for the defense, observed that the outcome of the trial highlights the need for reforms to be made to the CMA. Expert witness for the prosecution, Paul Overton, called DoS attacks a legal gray area.[16,17,18]
1. http://www.mines.edu/academic/computer/spammanagement.shtml
2. http://www.informit.com/articles/article.asp?p=339479&rl=1
3. http://www.pandasoftware.com/virus_info/spam/
4. http://news.com.com/Spam+seen+as+security+risk/2100-7355_3-5157275.html
5. http://query.nytimes.com/gst/fullpage.html?res=9502E5DB1E3FF93BA15754C0A9659C8B63
6. http://bizsecurity.about.com/od/emailsecurity/a/spam.htm
7. http://www.theregister.co.uk/2003/11/18/the_economics_of_spam/
8. http://www.sans.edu/resources/student_projects/200704_001.doc
9. http://www.openspf.org/Introduction
10. http://searchexchange.techtarget.com/tip/1,289483,sid43_gci952189,00.html
11. http://www.paulgraham.com/spam.html
12. http://projects.puremagic.com/greylisting/whitepaper.html
13. http://blog.devnull.fr/post/2007/03/03/greylist-experimentation-results
14. http://spamassassin.apache.org/tests_3_0_x.html
15. http://www.silkroad.com/papers/pdf/ieee-network-email-bombs.pdf
16. http://software.silicon.com/security/0,39024655,39153882,00.htm
17. http://news.zdnet.com/2102-1009_22-5928471.html?tag=printthis
18. http://www.zdnet.co.uk/print/?TYPE=story&AT=39235148-39020375t-10000025c