Blacklisting email accounts?
Jason W.
2011-08-30 22:08:40 UTC
(Maybe my google-fu isn't up to par and this has been discussed
previously - if so, my apologies)

With PCs being owned and email accounts being owned, has anyone
considered blacklisting individual email accounts? Within the past
month, I've gotten an influx of spam from people who I have
communicated with. Given the content, I doubt these people would be
sending me random links to foreign websites designed to own my PC.
Some of these senders are people who I haven't communicated with in
years, but my email address is probably in their email box or address
book. It's all been consumer-grade email (Comcast, AOL, Yahoo, etc.)
from people for whom it would not be a stretch to imagine them getting
owned.

Considering that some of these providers don't seem to be interested
in cleaning up their outbound mail, has anyone considered blacklisting
email accounts like we do IPs/hostnames? I do this for my personal
mail stream, and it scales - get a spam from an owned person I don't
need email from, drop 'em in the local BL. But for this to be
effective, there'd have to be some kind of DNSBL'ish thing to query.

I do understand that there are an infinite amount of email addresses
for freemail domains ;) So this wouldn't stop spammer-created
accounts.

But if Aunt Tilly has to change her email address (or go through some
removal-from-blocklist stuff - possibly go through some education),
that could have the necessary impact to change her behavior so she
wouldn't get owned again. This could be: use a strong password, don't
run an insecure OS, don't use insecure wifi, whatever is deemed good
information to better their understanding of what they've done.

Or am I giving people too much credit in hoping they'd change after
they meet the clue by four? For some, the aversion to getting another
email address might outlive the desire to be lackadaisical.
--
HTH, YMMV, HANW :)

Jason

The path to enlightenment is /usr/bin/enlightenment.
Graeme Fowler
2011-08-31 08:45:05 UTC
But for this to be effective, there'd have to be some kind of
DNSBL'ish thing to query.
Whilst it's at a finer level of detail than you might require, there is
the APER (Anti Phishing Email Reply) list which spun out of HE being
targeted and is maintained by a decent group of volunteers:

http://code.google.com/p/anti-phishing-email-reply/

At work we've found this of tremendous use.

Graeme
Chris Lewis
2011-09-05 16:25:53 UTC
Sorry for the old post - deliverability issues.
Post by Jason W.
With PCs being owned and email accounts being owned, has anyone
considered blacklisting individual email accounts? Within the past
month, I've gotten an influx of spam from people who I have
communicated with. Given the content, I doubt these people would be
sending me random links to foreign websites designed to own my PC.
Some of these senders are people who I haven't communicated with in
years, but my email address is probably in their email box or address
book. It's all been consumer-grade email (Comcast, AOL, Yahoo, etc.)
from people for whom it would not be a stretch to imagine them getting
owned.
Consider the following points:

- Most "infected user" spam is designed from the very beginning to be
difficult or impossible to tell _who_ is infected. Why would the
spammers make the ISP's (or our) job easier? Believe me they don't,
they make it as hard as possible.

- If you get bot spam, you can be virtually certain someone else is
getting bot spam forged in your email address. It doesn't mean you're
infected.

- Your proposal could naively be implemented by "blocking every from
address ever seen in spam". Most spam is forged. We'd _all_ be
blacklisted. Heck, some bots specialize in forging the from to be the
recipient. You'd be blacklisting yourself ;-)

- In approximately 99% of all cases of spam from "owned" machines, there
is NO WAY for the recipient to know _who_ was infected for any given
spam. It can be incredibly hard even for experts to find it in some cases.

- Even when it is possible, it's rare that any given recipient can
figure it out, because it'll be in a header they don't see, and wouldn't
understand if they did. You want grandma making that choice?

Datapoint: I personally get hundreds of spams per day. The number of
times I could clearly identify who was compromised (and I know how to
read headers ;-) is about once or twice per _year_.

I think the upshot would be that:

- it's only possible to tell in a small fraction of spam who is infected.
- few users would be able to reliably and accurately determine _who_ was
infected, and there'd be far more false positives than true positives.

In other words, very low effectiveness rates, and highly false positive
prone. Ick. Sorry.
Martijn Grooten
2011-09-05 18:08:12 UTC
Post by Chris Lewis
- few users would be able to reliably and accurately determine _who_ was
infected, and there'd be far more false positives than true positives.
And even blocking only the true positive addresses, i.e. only the ones that have really sent spam, is likely to cause a lot of false positive emails.

I do agree that spam sent from friends' compromised accounts is a serious problem (and not just for email: also on Facebook, Twitter etc.). Not because of their quantity but because they are less likely to be blocked by spam filters and more likely to be believed to be genuine.

However, effectively blocking someone from sending email sounds like a cure worse than the disease.

Also, I know of cases where people who seemed to adhere to all the good practices had their accounts compromised. I don't see much educational value in telling people that they did something wrong, we're not sure what but we hope the punishment will stop them from doing it again.

Martijn.


Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Al Iverson
2011-09-05 18:44:45 UTC
On Mon, Sep 5, 2011 at 1:08 PM, Martijn Grooten
Post by Martijn Grooten
Post by Chris Lewis
- few users would be able to reliably and accurately determine _who_ was
infected, and there'd be far more false positives than true positives.
And even blocking only the true positive addresses, i.e. only the ones that have really sent spam, is likely to cause a lot of false positive emails.
I do agree that spam sent from friends' compromised accounts is a serious problem (and not just for email: also on Facebook, Twitter etc.). Not because of their quantity but because they are less likely to be blocked by spam filters and more likely to be believed to be genuine.
However, effectively blocking someone from sending email sounds like a cure worse than the disease.
I actually tested this back in 1999/2000. I created an experimental
filter called FAD - From Address Deterrent, and I tried to convince
Vixie to incorporate it into MAPS. Chris and Martijn are spot on --
even back then, the vast majority of spam had forged from addresses,
and you ended up blacklisting a harmless, unrelated party. Doing the
math on my big spamtrap feeds a few years later, I found that spammers
seemed to change the from address an average of once every third email
message. My math was simplistic but the point was sound, in that
spammers have enough from addresses to rotate their way around this kind
of blocking too easily. Look at the amount of spam that comes from
somebody with an address "near" yours -- they're often taking spam
list entry #701 (the last sucker they spammed) and using that as the
from address when spamming list entry #702 (you).
Post by Martijn Grooten
From address blocking, or even from domain blocking, is only going to
catch a bit of mainsleaze and a lot of ESPs. Whether or not you want
to block ESPs is a whole other question.

Cheers,
Al Iverson
John Levine
2011-09-05 21:22:14 UTC
Post by Chris Lewis
- Most "infected user" spam is designed from the very beginning to be
difficult or impossible to tell _who_ is infected.
This wouldn't be useful for bots, but I could see it for stolen
account spam. I get a surprising amount of it -- every day after I
send out the spam reports, I invariably get back several responses
from postmasters saying, sigh, another phished account. For bot spam,
you can just block all mail from the IP, but for stolen accounts, the
system is OK, and it's just the one address that's spamming.

In my experience, it's not hard to tell the difference. With stolen
accounts, the address matches the received lines, and the received
lines generally have a familiar form of a webmail or Exchange server.

R's,
John
Chris Lewis
2011-09-06 03:12:00 UTC
Post by John Levine
Post by Chris Lewis
- Most "infected user" spam is designed from the very beginning to be
difficult or impossible to tell _who_ is infected.
This wouldn't be useful for bots, but I could see it for stolen
account spam. I get a surprising amount of it -- every day after I
send out the spam reports, I invariably get back several responses
from postmasters saying, sigh, another phished account. For bot spam,
you can just block all mail from the IP, but for stolen accounts, the
system is OK, and it's just the one address that's spamming.
In my experience, it's not hard to tell the difference. With stolen
accounts, the address matches the received lines, and the received
lines generally have a familiar form of a webmail or Exchange server.
In this class of spam, it's generally easy to figure out _where_ the
compromised user existed, and often easy to tell the IP by which it was
compromised, but seldom do you get a correct email address for the
phished account, or at least, not one that you could trust. That
applies for sendsafe style infections - the originating IP is a _bot_,
and the email is sent via AUTHSMTP (which usually doesn't nail the
From:). The provider can tell who it was. The recipient can't.

With the freemails, you usually don't get a reliable email address.
Except for that "breakin and spam contact list" variety. Which are
quite rare (but highly noticeable when you see one).

Then there's another issue. How do you signal the DNSBL when the
compromise is fixed?
John Levine
2011-09-06 14:15:23 UTC
Post by Chris Lewis
In this class of spam, it's generally easy to figure out _where_ the
compromised user existed, and often easy to tell the IP by which it was
compromised, but seldom do you get a correct email address for the
phished account, or at least, not one that you could trust.
Odd, my experience is quite different. The address typically looks
real and matches stuff in Received: lines. Perhaps I'm fooled by
unusually brilliant header forgery, but it doesn't look like it. This
stuff doesn't appear to be bots, it's sent using phished credentials.
For the systems that log the connecting IP, it's often in Nigeria or
China.

R's,
John
Chris Lewis
2011-09-06 14:56:47 UTC
Post by John Levine
Odd, my experience is quite different. The address typically looks
real and matches stuff in Received: lines. Perhaps I'm fooled by
unusually brilliant header forgery, but it doesn't look like it. This
stuff doesn't appear to be bots, it's sent using phished credentials.
For the systems that log the connecting IP, it's often in Nigeria or
China.
Right. Sendsafe stuff. I have 10s of thousands of them. Here's one:

Received: from 108-65-8-39.lightspeed.wlfrct.sbcglobal.net (HELO
    mail.torreycrane.com) (108.65.8.39)
    by moi2 (qpsmtpd/0.80) with ESMTP; Tue, 06 Sep 2011 14:24:10 +0000
Received: from User ([70.88.143.134]) by mail.torreycrane.com with
    Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 6 Sep 2011 10:12:45 -0400
Reply-To: <***@one.co.il>
From: "DR.MOHAMMED JIKA"<***@one.co.il>
Subject: PLEASE GET BACK TO ME URGENTLY
Date: Tue, 6 Sep 2011 10:12:36 -0400

The From: & Reply-To are forged, unless you think that
mail.torreycrane.com is the MTA for one.co.il.

70.88.143.134 is infected with sendsafe, Advanced Mass Sender or some
other similar package.

Effectively what happens is that the bad guys accumulate
userid/password/server tuples. Injects their infection somewhere, and
controls it remotely. The infection connects to the server, supplies
the userid/password (via AUTHSMTP or in some cases webmail), and injects
its spam with forged From:.

One very common feature of these is no To: line.

This is running about 1-2% of all spam according to one trap.
John Johnson
2011-09-06 16:43:43 UTC
Post by John Levine
Post by Chris Lewis
In this class of spam, it's generally easy to figure out _where_ the
compromised user existed, and often easy to tell the IP by which it was
compromised, but seldom do you get a correct email address for the
phished account, or at least, not one that you could trust.
Odd, my experience is quite different. The address typically looks
real and matches stuff in Received: lines. Perhaps I'm fooled by
unusually brilliant header forgery, but it doesn't look like it. This
stuff doesn't appear to be bots, it's sent using phished credentials.
For the systems that log the connecting IP, it's often in Nigeria or
China.
Yes, that would be spot on in what I see. Biggest problem - the
compromised accounts are using the big server farms like Yahoo
that pass the SPF and DKIM checks, can't be blocked based on IP
and even make it through spamassassin scoring.

The best I've been able to do is use milter-regex for sender matches.
One thing that looks promising is that the Reply-To rarely matches
the sender and often is a free mail server for the reply-to.
I'm seeing the compromised accounts cycled through several times.
Hit maybe 3 times, wait a week or two, hit again.

The most interesting one I've seen to date was a valid Yahoo server
taking in email via webmail and many of the headers were dinked with.

-j2
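The header reading Chris does above (the From: domain is not served by the MTA that handed the message off, and there is no To: line) and John Johnson's observation that the Reply-To: rarely matches the sender can be turned into a small indicator check. The script below is an added example, not code from the thread or from any of the posters; it uses only the Python 3 standard library. The first message is a constructed copy of the headers Chris posted with the local part replaced by a placeholder; the second is a constructed control message with consistent headers. Only the topmost Received: line, the one written by the receiving MX, is treated as trustworthy, since inner Received: lines can be forged by the injector.

```python
"""Added example (not from the thread): pull header-level indicators of
"stolen credential" spam out of a message, as described in the thread:
From: domain not served by the hand-off MTA, missing To:, Reply-To:
domain that differs from From:, and a bare (non-FQDN) HELO name."""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the thread; the
# local part "redacted" is a placeholder, not a real address.
SAMPLE = """\
Received: from 108-65-8-39.lightspeed.wlfrct.sbcglobal.net (HELO
    mail.torreycrane.com) (108.65.8.39)
    by moi2 (qpsmtpd/0.80) with ESMTP; Tue, 06 Sep 2011 14:24:10 +0000
Received: from User ([70.88.143.134]) by mail.torreycrane.com with
    Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 6 Sep 2011 10:12:45 -0400
Reply-To: <redacted@one.co.il>
From: "DR.MOHAMMED JIKA"<redacted@one.co.il>
Subject: PLEASE GET BACK TO ME URGENTLY
Date: Tue, 6 Sep 2011 10:12:36 -0400

body
"""

# Constructed control message: hand-off MTA inside the From: domain, To: present.
CLEAN = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by moi2 (qpsmtpd/0.80) with ESMTP; Tue, 06 Sep 2011 14:30:00 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: lunch

body
"""

# "from <host> ... by <host>" is the shape every Received: line shares.
RECEIVED_RE = re.compile(r"^from\s+(?P<host>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)", re.I)
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.I)        # qpsmtpd-style "(HELO name)"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(msg: Message) -> list:
    """One dict per Received: header, topmost (most recently added) first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # undo header folding
        m = RECEIVED_RE.match(flat)
        if not m:
            continue
        extra = m.group("extra")
        helo = HELO_RE.search(extra)
        ip = IPV4_RE.search(extra)
        hops.append({
            "host": m.group("host"),               # rDNS name, or HELO if no rDNS logged
            "helo": helo.group(1) if helo else m.group("host"),
            "ip": ip.group(1) if ip else "",
            "by": m.group("by"),
        })
    return hops


def hops_for(raw: str) -> list:
    return parse_received(email.message_from_string(raw))


def address_domain(header_value) -> str:
    """Lower-cased domain part of the first address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def served_by(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or a host inside it."""
    h = hostname.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def header_indicators(raw: str) -> list:
    """Sorted list of indicator names found in the message headers."""
    msg = email.message_from_string(raw)
    hops = parse_received(msg)
    found = set()
    from_dom = address_domain(msg.get("From"))
    if hops and from_dom:
        handoff = hops[0]                          # written by our own MX, so trusted
        if not (served_by(handoff["helo"], from_dom) or served_by(handoff["host"], from_dom)):
            found.add("from-domain-mismatch")
    if msg.get("To") is None:
        found.add("no-to-header")
    if msg.get("Reply-To") and address_domain(msg.get("Reply-To")) != from_dom:
        found.add("reply-to-mismatch")
    if any("." not in hop["helo"] for hop in hops):
        found.add("bare-helo")                     # e.g. "from User (...)"
    return sorted(found)


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, header_indicators(raw) or "no indicators")
```

On the sample this reports `from-domain-mismatch`, `no-to-header` and `bare-helo`; the Reply-To: check does not fire because it matches the (forged) From:. None of these indicators alone says who was compromised, which is the thread's point: they are scoring inputs for a filter, not grounds for putting the From: address on a blocklist.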

Jason W.
2011-09-06 05:18:14 UTC
Post by John Levine
This wouldn't be useful for bots, but I could see it for stolen
account spam.  I get a surprising amount of it -- every day after I
send out the spam reports, I invariably get back several responses
from postmasters saying, sigh, another phished account.  For bot spam,
you can just block all mail from the IP, but for stolen accounts, the
system is OK, and it's just the one address that's spamming.
In my experience, it's not hard to tell the difference.  With stolen
accounts, the address matches the received lines, and the received
lines generally have a familiar form of a webmail or Exchange server.
This is exactly what I have seen. In each case, the hand-off MTA
matches their provider, so I know that their provider sent it to me. I
have seen AOL, Hotmail, Yahoo and Comcast. One is a neighbor who I no
longer converse with over email but I know her account is spamming me
(and the entire neighborhood) about sex sites. I can't see her doing
this on purpose :)

In most cases (>75%), it's from people who I have communicated with in
the past and now have no problems with blocking because I don't
communicate with them (over SMTP) currently and have no plans to do
so. If I (or any of the handful of users I MX for) ever did, I'd
remove the line from a text file and it's undone. But I get that there
would be scaling problems for other MXs ;)

Chris' point about whether it was their account used to send the spam
is understandable - I brought up this idea assuming that there is a
pretty good indicator that the account has been owned (e.g. my
neighbor). I find it interesting that I would get mostly spam from
people who I have communicated with and not random FROM addresses on
whatever system has been owned (e.g. random comcast, aol, hotmail,
yahoo users).

I do wish that MSAs would mention the authenticated user that injected
the email. Even if authenticated != SMTP auth. I am sure that this
would have privacy implications.

RE Graeme's suggestion: Thanks much! I will have to compare against my
logs and see if any of these addresses have shown up.
--
HTH, YMMV, HANW :)

Jason

The path to enlightenment is /usr/bin/enlightenment.
Chris Lewis
2011-09-06 05:51:02 UTC
Post by Jason W.
Chris' point about whether it was their account used to send the spam
is understandable - I brought up this idea assuming that there is a
pretty good indicator that the account has been owned (e.g. my
neighbor). I find it interesting that I would get mostly spam from
people who I have communicated with and not random FROM addresses on
whatever system has been owned (e.g. random comcast, aol, hotmail,
yahoo users).
What a lot of people don't appreciate is that spam volumes and types are
intensely variable. One's spamload can be radically different from the
next person's.

I (personally) get hundreds of spams per day of all kinds. And yet,
I've only been hit _once_ by one of those spams. I don't think my traps
(>10M/day) see much. I've never noticed them during surveys of what the
traps get.

It was easier to phone the person and warn them. They already knew, and
it was already fixed.
Martijn Grooten
2011-09-06 08:43:03 UTC
Post by Chris Lewis
I (personally) get hundreds of spams per day of all kinds. And yet,
I've only been hit _once_ by one of those spams. I don't think my traps
(>10M/day) see much. I've never noticed them during surveys of what
the traps get.
I monitor 50+ mailing lists (discussion lists) and I do notice them from time to time. My very rough estimate would be that it accounts for close to 0.1 per cent of all mail sent to these lists. And that is after the lists' spam filters have done their work.

Given the nature of these emails, I think they are unlikely to make it to traps.
Post by Chris Lewis
It was easier to phone the person and warn them. They already knew,
and it was already fixed.
In the few cases I've personally dealt with, the 'victims' had noticed before I had the chance to warn them. Password changed, problem solved. I never really found out whether this was because the spammers did not get hold of the passwords in the first place (but used session cookies, malware running on the desktop etc.) or because they just couldn't be bothered to change it.

Martijn.

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Ian Eiloart
2011-09-06 10:44:20 UTC
Post by Chris Lewis
- If you get bot spam, you can be virtually certain someone else is
getting bot spam forged in your email address. It doesn't mean you're
infected.
- Your proposal could naively be implemented by "blocking every from
address ever seen in spam". Most spam is forged. We'd _all_ be
blacklisted. Heck, some bots specialize in forging the from to be the
recipient. You'd be blacklisting yourself ;-)
I'd suggest that there might be some value in doing this for domains that neither DKIM sign, nor publish SPF records. Ultimately, until domain owners start taking responsibility for ALL use of their domains, this is going to remain a problem.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148