Top > JANOG34_Meeting > Meeting_Report > OP25B

"Measures against Spam after OP25B - Abuse of MSA as a Platform for Spam -"

Outline

The first afternoon session at JANOG34 was "Measures against Spam after OP25B", which was a little unusual for JANOG to cover mail server operations, as most sessions are related to network operations. Speakers were Takehito Akagiri (Rakuten,Inc.), Masaki Kase (NIFTY Corporation), Masatoshi Kato (BIGLOBE Inc.). While they were all first time speakers at JANOG except Masatoshi Kato, all of them are experts on email operations with over ten years of experience.

The session was based on the theme for JANOG 34 "Mix and Shuffle". As there are different ways of "mixing", the level of information sharing and discussions (i.e., mixing) were categorized in three steps.

  • Dip lightly: Introduction
  • Mix Subtly : How the issues relate to participants
  • Stir : Discussions with participants

After these three stages of "mixing, as conclusion,

  • Spill : Conclusion gets "spilled" out after mixing information and opinions between speakers and participants.

Dip Lightly: Introduction of the Current Anti-spam Activities

Today, major measures taken against unsolicited commercial e-mails have moved from DKIM to DMARC and reputations. This is the background behind the dissolution of "dkim.jp", the association in Japan which had promoted DKIM.

Since the adoption of DMARC is spreading in Japan and is likely to be standardized, a call was made from the stage to JANOGers to "Let's declare the adoption of DMARC ". Examples of dig results with DMARC adoption and a list of ISPs fully or partially adopting DMARC were shared in the presentation (Slides P.5-6).

The presentation also pointed out the need of adoption of OP25B in IPv6.

While reputation is another effective measure against unsolicited commercial emails, it was discussed at JANOG 32 that it cannot be used with IPv4 addresses efficiently, as the pool was exhaust in the APNIC region in 2011. In JANOG32, it was also brought to attention that spammers do not always come from the outside and there appears to be members (customers) of ISPs who send out unsolicited commercial emails.

This session at JANOG 34 worked further on an issue raised at JANOG 32, and have considered the situation in which Customer accounts are abused by someone other than an authentic account holder". This is was described in more details in the next part of the presentation "Mix Subtly".

  • M3AAWG: http://www.maawg.org/
    • An anti-spam association set up in the US.
    • Over time, they have expanded their activities to cover Messaging, Malware, and Mobile.
  • JEAG:
    • An association which promoted OP25B. It is practically on the way out today.
  • dkim.jp: http://www.dkim.jp/
    • They promoted the deployment of DKIM. Their work raised the deployment rate of DKIM in Japan from 5% to 40% and then dissolved.

There are other groups such as Association against Unsolicited Commercial Email and a body where the members are 25 ISPs.

Mix Subtly: How You and Your Customers Could be Affected

OP25B is an anti-spam measure which focuses its mitigation measures on MSA(Outbound MTA), i.e., SMTP AUTH of MSA (587) (Diagram Slide P.12). Send volumes of email with SMTP AUTH + AUTH ID, as well as spammers using MSA as a platform for abuse, were within the scope of the assumption for OP25B.

The effect of OP25B promoted by JEAG was tremendous, and was able to lower Japan's ranking as the source of spam, which at the time in 2004 was 6th in the world, to 33th in 2010 (Slides P.15-16). As a result, issues such as third party postings, POP before SMTP and No auth MSA were eliminated. MSA was no longer being used as an abuse platform.

However, data in 2014 shows Japan's ranking is back within the worst top 10, as 7th in the world (Slide P.17). Spammers should no longer be able to send spam from dynamic IP addresses with adoption of OP25B. However, spammer are back in Japan. Where did they come from?

We can think they are the ISP's legitimate customers. In other words, they have customer IDs and passwords. After conducting a survey over 1.5 year, it was found that 0.2%-0.3%, approximately 1 in 500 customers, have their ID/password stolen. Analysis shows how much spam has been sent out from Japan (Slides P.26-27).

At the end of this talk, a call was made to contact one of the speakers, if any of the participants wishes to check how much spam is sent out from your own network.

Stir: Discussions with participants

After describing major attack methodologies of spammers, the session moved on to discussions with JANOGers.

  1. What measures, and at which point in mail server operations can they be taken?
    • P.34 shows diagram of risks and measures at each point
  2. How do you prevent IDs and passwords from being stolen?
    • Include discussions on outbound filtering
  3. Where are the spammers?
    • Statistics were shown for participants at the venue
  4. What to do with AUTH Method?
    • Would it be effective to only provide CRAM-MD5?

Questions below were raised from the floor, and there were several points for considerations in current anti-spam measures.

  • Q. Where are IDs and passwords stolen from in the first place?
  • A. There are several possibilities, but most likely to be through leakage from Malware.
  • Q. Can't mitigation measures be taken by checking IP address, in addition to ID and password?
  • A. It is technically possible, but difficult considering connections through multiple devices and mobiles are popular.
  • Q. Where are the spammers? Where do the sources come from?
  • A. Many from Russia and Ukraine. Filtering based on GeoIP is effective to a certain extent. In fact, there are cases where a customer's source country has changed 30 times within 45 minutes.

Spill: Conclusion

The session concluded that while there is no perfect solution, it is important to ensure that each and every possible measure is taken, one by one.

In addition to mitigation steps introduced, below are the calls made from the speakers:

  • Consider deployment of DMARC
  • Participants can contact one of the speakers if they wish to check how much spam is sent from their network

As mentioned earlier in this report, mail server operations is a relatively rare topic of discussion to cover at JANOG. The presentations were rich with data, well structured, and able to take enough time for discussions with the participants. This is something unique to JANOG, and different from study sessions or lectures covering this topic.

The data demonstrates that attackers move to target ISPs that don't take adequate mitigation measures. It was very useful as a reference approach, not just about mail server operation, but for network operators to consider other security practices.

(Shishio Tsuchiya, Cisco Systems G.K.)


Reload   New Lower page making Edit Freeze Diff Upload Copy Rename   Front page List of pages Search Recent changes Backup Referer     RSS of recent changes
Last-modified: (667d)