Fighting SPAM: Whitelisting Revisited David Erickson Martin - - PowerPoint PPT Presentation

▶

Apr 03, 2024 122 likes •395 views

Fighting SPAM: Whitelisting Revisited David Erickson Martin Casado Nick McKeown derickso@stanford.edu casado@cs.stanford.edu nickm@stanford.edu Member project of the Stanford Clean Slate Program http://cleanslate.stanford.edu

SLIDE 1

Whitelisting Revisited

http://www.doemail.org

1/27

Member project of the

Stanford Clean Slate Program http://cleanslate.stanford.edu

Fighting SPAM:

Whitelisting Revisited

David Erickson Martin Casado Nick McKeown

derickso@stanford.edu casado@cs.stanford.edu nickm@stanford.edu

SLIDE 2

Whitelisting Revisited

http://www.doemail.org

2/27

Motivation

In 2007, 74-95% of all email was SPAM 1.2% of employee time

– $713 per year per employee – $200 billion cost to companies worldwide

SLIDE 3

Whitelisting Revisited

http://www.doemail.org

3/27

Whitelisting

What is it?

– Email must match a whitelist entry to be delivered – Entries contain email addresses / domains

Often paired with challenge-response

– Shifts some burden from user to sender – Has its own list of complaints

Is it feasible?

– Lots of opinions, little data

SLIDE 4

Whitelisting Revisited

http://www.doemail.org

4/27

Methodology

Built an operational system

– Default Off Email (DOEmail)

Heavily instrumented

– Email and user behavior

Running for nearly 2 years

– ~800,000 emails processed to date

Real users

– 120+ accounts have received email

SLIDE 5

Whitelisting Revisited

http://www.doemail.org

5/27

Create an account

– E.g. derickso@doemail.org

Forward existing email Set destination for cleaned email Install Mozilla Thunderbird

– And use our custom add-on! – … or use the web interface

Populate white/black lists

Default Off Email

SLIDE 6

Whitelisting Revisited

http://www.doemail.org

6/27

Sender Categories

Blacklist Blacklist Unknown Unknown Whitelist Whitelist

SLIDE 7

Whitelisting Revisited

http://www.doemail.org

7/27

Stanford Integration

stanford.edu RCPT TO:

derickso@stanford.edu

derickso.pobox.stanford.edu RCPT TO:

derickso@derickso.pobox.stanford.edu

Delivered

SLIDE 8

Whitelisting Revisited

http://www.doemail.org

8/27

Stanford w/DOEmail Whitelist

stanford.edu DOEmail.org RCPT TO:

derickso@stanford.edu

RCPT TO:

derickso@stanford.edu

derickso.pobox.stanford.edu RCPT TO:

derickso@doemail.org

RCPT TO:

derickso@doemail.org

Delivered Is sender on my blacklist?

Is sender on my whitelist?

RCPT TO:

derickso@derickso.pobox.stanford.edu

RCPT TO:

derickso@derickso.pobox.stanford.edu

RCPT TO:

derickso@derickso.pobox.stanford.edu

RCPT TO:

derickso@derickso.pobox.stanford.edu

SLIDE 9

Whitelisting Revisited

http://www.doemail.org

9/27

Stanford w/DOEmail Unknown

stanford.edu DOEmail.org derickso.pobox.stanford.edu RCPT TO:

derickso@doemail.org

RCPT TO:

derickso@doemail.org

Is sender on my blacklist?

Is sender on my whitelist?

RCPT TO:

derickso@stanford.edu

RCPT TO:

derickso@stanford.edu

SLIDE 10

Whitelisting Revisited

http://www.doemail.org

10/27

Stanford w/DOEmail Unknown

stanford.edu DOEmail.org derickso.pobox.stanford.edu Is sender on my blacklist?

Is sender on my whitelist?

SLIDE 11

Whitelisting Revisited

http://www.doemail.org

11/27

Stanford w/DOEmail Unknown

stanford.edu DOEmail.org derickso.pobox.stanford.edu Delivered Is sender on my blacklist?

Is sender on my whitelist?

RCPT TO:

derickso@derickso.pobox.stanford.edu

RCPT TO:

derickso@derickso.pobox.stanford.edu

RCPT TO:

derickso@derickso.pobox.stanford.edu

RCPT TO:

derickso@derickso.pobox.stanford.edu

SLIDE 12

Whitelisting Revisited

http://www.doemail.org

12/27

Mozilla Thunderbird and Web Interfaces Import your whitelist Whitelist your email recipients Detect mailing lists View and manage pending email Monitor your statistics

Tools

SLIDE 13

Whitelisting Revisited

http://www.doemail.org

13/27

Import email addresses and domains from

Thunderbird Add-on

SLIDE 19

Whitelisting Revisited

http://www.doemail.org

19/27

Example Dynamic Graphs

SLIDE 20

Whitelisting Revisited

http://www.doemail.org

20/27

Lists

To: / CC: Whitelist Auto Detection

SLIDE 21

Whitelisting Revisited

http://www.doemail.org

21/27

Backscatter Header spoofing

– DomainKeys/DKIM

Hash/Sign Email

Mailing list detection

– Poor standardization

Challenge Emails

– Filtered

Limitations

SLIDE 22

Whitelisting Revisited

http://www.doemail.org

22/27

Results

Measured from 7/13/07 – 2/29/08 112 user accounts received email 592,794 emails processed Two main questions:

– What are DOEmail’s detection rates?

Compare with Spam Assassin

– How much effort is required?

Track user behavior

SLIDE 23

Whitelisting Revisited

http://www.doemail.org

23/27

Spam Assassin Comparison CDF

97.2% 98.9%

SLIDE 24

Whitelisting Revisited

http://www.doemail.org

24/27

Pending Email

9180 (1.55%) pending emails confirmed

– 4382 (0.74%) by sender – 4798 (0.81%) by user (False Positive Rate)

3864 (0.65%) sent challenges
934 (0.16%) not sent challenges

Whitelisting enables powerful filtering

– Can achieve high degrees of accuracy

Based on user’s rule preferences

– Low rate of false positives – Content filtering limitations

Fundamental tradeoff between FPs and FNs

Fighting SPAM:

Whitelisting Revisited

Motivation

In 2007, 74-95% of all email was SPAM 1.2% of employee time

– $713 per year per employee – $200 billion cost to companies worldwide

Whitelisting

What is it?

– Email must match a whitelist entry to be delivered – Entries contain email addresses / domains

Often paired with challenge-response

– Shifts some burden from user to sender – Has its own list of complaints

Is it feasible?

– Lots of opinions, little data

Methodology

Built an operational system

– Default Off Email (DOEmail)

Heavily instrumented

– Email and user behavior

Running for nearly 2 years

– ~800,000 emails processed to date

Real users

– 120+ accounts have received email

Create an account

– E.g. derickso@doemail.org

Forward existing email Set destination for cleaned email Install Mozilla Thunderbird

– And use our custom add-on! – … or use the web interface

Populate white/black lists

Default Off Email

Sender Categories

Blacklist Blacklist Unknown Unknown Whitelist Whitelist

Stanford Integration

Stanford w/DOEmail Whitelist

Stanford w/DOEmail Unknown

Stanford w/DOEmail Unknown

Stanford w/DOEmail Unknown

Mozilla Thunderbird and Web Interfaces Import your whitelist Whitelist your email recipients Detect mailing lists View and manage pending email Monitor your statistics

Tools

Import email addresses and domains from

existing mail folders

Thunderbird Add-on

Thunderbird Add-on

Manage white and blacklists

Thunderbird Add-on

View and manage pending email

Thunderbird Add-on

Thunderbird Add-on

Thunderbird Add-on

Example Dynamic Graphs

Lists

To: / CC: Whitelist Auto Detection

Backscatter Header spoofing

– DomainKeys/DKIM

Mailing list detection

– Poor standardization

Challenge Emails

– Filtered

Limitations

Results

Measured from 7/13/07 – 2/29/08 112 user accounts received email 592,794 emails processed Two main questions:

– What are DOEmail’s detection rates?

– How much effort is required?

Spam Assassin Comparison CDF

Pending Email

9180 (1.55%) pending emails confirmed

– 4382 (0.74%) by sender – 4798 (0.81%) by user (False Positive Rate)

58+% sender confirmation rate

Pending Email Delay

User Events First 90 days

Conclusions

Whitelisting enables powerful filtering

– Can achieve high degrees of accuracy

– Low rate of false positives – Content filtering limitations

Negligible email delay

– Applies only to first email from a new sender

Low user overhead