7/30/2019 Fowler Phish

1/15

System Maintenance: Please verify your details

Or bloody scammers, theyre at it again

IT Services, Loughborough University1

7/30/2019 Fowler Phish

2/15

System Maintenance: Please verify your details

From: J.Bloggs@some-uni.ac.ukReply-to: dodgy@bigfreemailer.com

Date: Thu, 28 May 2009 09:00:00 +0100

Subject: SOME-UNI.AC.UK WEBMAIL MAINTENANCE

Dear E-mail User,

To complete your Account Verification process, you are to reply this

message and enter your Username and Password respectively in the space

provided below this email.You are required to do this before the next

48hrs of receipt of this e-mail, or your mail Account will be

de-activated and erased from our Database. Your account can also be

verified at:

https://student.some-uni.ac.uk/webmail/

Enter Username ( )

Enter Password ( )

Thank you for using SOME-UNI.AC.UK WEBMAIL

IT Services, Loughborough University2

mailto:J.Bloggs@some-uni.ac.ukmailto:dodgy@bigfreemailer.comhttps://student-webmail.lboro.ac.uk/webmail/https://student-webmail.lboro.ac.uk/webmail/https://student-webmail.lboro.ac.uk/webmail/https://student-webmail.lboro.ac.uk/webmail/mailto:dodgy@bigfreemailer.commailto:J.Bloggs@some-uni.ac.ukmailto:J.Bloggs@some-uni.ac.ukmailto:J.Bloggs@some-uni.ac.uk

7/30/2019 Fowler Phish

3/15

Todays session

Evolution of spam Defences

Our new approach to spear phishing

IT Services, Loughborough University3

7/30/2019 Fowler Phish

4/15

Originally no more than an irritation

Marketing, sales relatively innocuous

Developed over the years

advance fee fraud, lottery scams etc

still money-related in the main

Now much more sinister

Evolution of spam

Loughborough University4

7/30/2019 Fowler Phish

5/15

Huge volume

Huge numbers

of machines

Volume

Loughborough University5

7/30/2019 Fowler Phish

6/15

Defence in depth

Filtering as messages arrive Network level

Protocol level

DNSBLs

IP, Netblock, AS Reputation checks

Signatures (DCC Servers for example)

Anti Virus

Content scanning

Heuristics

...

Whats next? (Not the FUSSP, thats for sure)

How do we keep up?

IT Services, Loughborough University6

7/30/2019 Fowler Phish

7/15

A New Approach

We cant control the input properly...

...but (fanfare): we can control the output.

...we can then protect our systems and users

Our solution is called Kochi:

http://oss.lboro.ac.uk/

IT Services, Loughborough University7

http://oss.lboro.ac.uk/http://oss.lboro.ac.uk/

7/30/2019 Fowler Phish

8/15

Kochi How it works

Content scanning of outbound messages

Outbound == traversing our mail routing

infrastructure Message passed during SMTP transaction by

MTA to a filter daemon (written in Perl)

Uses ClamAVs daemon API

Already accessible to a large number of MTAapplications

Simple pass/fail result, with details

IT Services, Loughborough University8

7/30/2019 Fowler Phish

9/15

How it works in more detail

First search for key words (big, complex

regex) such as

user, username, pass, password

If keywords found (or skipped), tokenise emailinto candidate user/pass strings

Our defined password policy gives us a regex:

## Regular expression matching valid passwords

my $regex = qr{

(?: (?=\S*?[a-z])(?=\S*?[A-Z])(?=\S*?[0-9])

| (?=\S*?[a-z])(?=\S*?[A-Z])(?=\S*?[^a-zA-Z0-9\s])

| (?=\S*?[A-Z])(?=\S*?[0-9])(?=\S*?[^a-zA-Z0-9\s])

)[-0-9a-zA-Z_=\+\!"\$\%^\&\*\(\)\[\]\{\}\\;:\'\@#~\/\?\.,\|\`]{6,}

}x;

Likewise for usernames (big regex!)

IT Services, Loughborough University9

7/30/2019 Fowler Phish

10/15

Token Pair Authentication

Can hook into all manner of authentication

schemes (did I say its written in Perl?)

If PAM available

combine auth schemes

check multiple auth backends

abstract methodology tailored to platform

Pass/Fail is cached to limit impact on authbackend

If authentication succeeds...

IT Services, Loughborough University10

7/30/2019 Fowler Phish

11/15

Acting on detection results

...your choice of action

Dont bounce or reject the message!

We discard the message and generate an

autoreply in a standard format:Your message with subject "$h_Subject:", contained a valid Loughborough

University username and password.

The message has not been sent.

Usernames and passwords must never be disclosed by e-mail.

If you feel you have received this message in error, please forward this

message to it.services@lboro.ac.uk

--

IT Services

IT Services, Loughborough University11

7/30/2019 Fowler Phish

12/15

Side effects - good

Not only stops phishing

Enforces local policy

Acceptable Use

Security

Good IT practice

...some users try to brute-force around it!

IT Services, Loughborough University12

7/30/2019 Fowler Phish

13/15

Side effects - bad

Difficult to utilise in systems with lockout after

repeated failures

Accounts will be locked!

...can use abstraction in certain systems

Windows Server 2008 AD has fine grained

password security policies but can still be a

problem

Makes it near impossible to send passwords

for user registered services

IT Services, Loughborough University13

7/30/2019 Fowler Phish

14/15

Some statistics

IT Services, Loughborough University14

0.00

2.00

4.00

6.00

8.00

10.00

12.00

14.00

16.00

18.00

20.00

16/02/2009

26/02/2009

08/03/2009

18/03/2009

28/03/2009

07/04/2009

17/04/2009

27/04/2009

07/05/2009

17/05/2009

7-day average

Count

3rd & 4th March -

66 and 13

detections

respectively dueto registration on

non-IT ServicesSystem

30th Mar - phish

to 1000 recipients,

0 responses

16th May - phish

to 1600 recipients,

3 responses

7/30/2019 Fowler Phish

15/15

Summary

Spam, phishing very difficult to stop

Concentrate where possible on detection of

responses Kochi can help!

http://oss.lboro.ac.uk/kochi1.html

Graeme Fowler, G.E.Fowler@lboro.ac.uk

IT Services, Loughborough University15

http://oss.lboro.ac.uk/kochi1.htmlhttp://oss.lboro.ac.uk/kochi1.html