别让垃圾邮件成为资讯安全漏洞

Building Trust in Computing,Bill Gates Chairman & Chief Software Architect Microsoft Corporation,別讓垃圾郵件成為資訊安全漏洞 - 談微軟訊息平台最新反垃圾郵件技術,June 21, 2005Kirwin Chen 陳國豪 Regional Program Manager Microsoft Taiwan - R&D,The Technology Landscape,DMZ,Update Services,Internet,Hosted Services,Client Solutions Software resides on client, filters mail as read by the mail client.,Enterprise Solutions Software targets mail servers (e.g. Exchange, Lotus), filters mail prior to delivering to mailboxes. Typically mail server add-ons.,Gateway Solutions Software targets gateway devices, filters spam and viruses, blocks IP addresses, performs reverse DNS lookups. Often dedicated HW appliance.,Hosted Services Pre-process mail prior to delivery to customers, filters spam and viruses from mail. Prevents domain harvesting attacks.,Update Services Deliver anti-virus and anti-spam filter updates to gateway, enterprise, and client-side solutions. Always a component of another solution.,SMTP Gateway,SMTP Gateway,Mailbox Servers,Mail Client,Mail Client,Mail Client,多層次的 E-Mail 篩選策略,Outlook 收件匣,Outlook 垃圾郵件資料匣,1. 連線篩選,2.寄件者/收件者篩選,3. 智慧郵件篩選 IMF,內送網際網路電子郵件,Spam filtering with Challenge Response,SPAM,Internet,GOOD,Highly Probable Spam,Probable Spam,Good email,Spam sent to Junk Mail Folder,Subset of mail challenged and quarantined in Quarantine Folder,Only Safe list mail sent to Inbox,“Grey” Mail,False Positives are now rescued & reduced,ATS Spam Filter,IMF 垃圾郵件管理中心,Challenge Response Flow - Sample,Challenge Response Flow - Sample,Challenge Response mail flow view,1,2,3,Internet,SMTP Gateway,Mailbox Servers,Receiving Mail Client,Internet,SMTP Gateway,Mailbox Servers,Internet,SMTP Gateway,Mailbox Servers,Real mail or spam is sent to a user.,If highly suspect mail then challenge is sent back to sender. This will happen automatically. Sender then has to complete either a computational challenge or HIP puzzle.,The sender solves the challenge and the message is returned to the original recipient and the mail is delivered. Future mail from sender is let through if the recipient safe lists him/her.,Receiving Mail Client,SPAM,SPAM,Receiving Mail Client,Phishing - The Current Landscape,Citibank, e-Bay and Paypal the prime target of phishers1,2,Total Phishing attacks increased from 47/day in March 2004 to 415/day in June 2004192% of all Phishing attacks occurred in the last 12 months376% of all attacks happened in the last 6 months,Number of new phishing attacks (new sites to scam) went up from 10/day to 40/day between Feb to May 20041,Financial Sector the prime target of phishers2 Attack on web retailers increasingPhishing scams direct cause of $1.2 B in the last 12 months3,Data Source Legend 1. Anti-Phishing Working Group 2. HM Feedback Loop Analysis 3. Gartner Group,Phishing Attacks,1,Most Targeted Companies,2,3,Unique Phishing Attacks by Industry Segment,4,Unique Phishing Attacks per day,Key Choke Points for Phishing Attacks,Target key choke points on the network to protect customers from phishing scam mails and phishing sites on the internet,95% of phishing attack from spoofed domains10.2% of all mail on the internet is phishing related27% of all purported mails from top 5 targeted institutions are phishing based2,Data Source Legend 1. Anti-Phishing Working Group 2. HM Feedback 3. Brightmail Anti-Fraud Statistics,5% of recipients get scammed into sharing their PII by the phishing emails1,3.52 billion phishing messages blocked in June 20043,40 unique phishing sites are detected each day1,Current Email Tricks,1,2,Domain Spoofing,Subject Line Deception,3,Brand Fraud Content Deception,4,Deceptive URLs (“fool-the-eye” URLs),The domain listed is of “Barclays Bank” - actually sent by phisher,Subject line is misleading,Fraudulent content displays brand images of Barclays bank,URL listed includes Barclays,61% of phishing email detected in hotmail involve domain spoofing,93% of phishing email detected in hotmail have in their subject line the name of an institution and a request for data,24% of phishing email detected in hotmail involve genuine looking content,100% of phishing emails contain URLs, 2% contain good URLS that point to bad sites,Data Source: HM feedback loop sample of 500 messages from Jan-April 2004,Phishing messages have an average of 2.78 tricks per message,Current Browser Tricks,2,Similar URL to actual URL,1,Genuine Looking Content,3,Incorrect URL,4,Deceptive Address Bar ( “chromeless window”),http:/123.456.789/paypal,Paypal brand logo,Javascript overlays actual URL with hidden window,http:/www.security-yahoo.com,Current Browser Tricks (cont.),6,Fraudulent Forms,5,Two windows fraudulent Pop Up Window,Fraudulent Pop-up sits on top of valid Citibank site,Forms seem like real Paypal forms,Note Trusted Logos,Phishing Lifecycle,STS Email Filter Overview,SmartScreen combined Phishing, Sender ID, Spam filterFilter returns three separate ratings for Anti-Phishing, Sender ID, and SpamUses combined data file User experience is owned by Hotmail Hotmail will take the separate outputs and decide on overall deliver/move/delete action for a messageAnti-Phishing filter detects suspect URLs in message Extracts embedded URLs Canonicalizes URLs Attempts to match URLs against safe/block list (does rollup) Detects URL tricks (%00, %01, and name. tricks) Uses simple rules to combine list matches and tricksAllow/Block URL list Stored in common resource containing spam, Sender ID, and Anti-phishing data Complete filter updates sent by STS to Hotmail frequently Based on new data arriving from 3rd parties and partners,