TrackBack Spam: Abuse and Prevention

Elie Bursztein, Peifung E. Lam, John C. Mitchell

Stanford University Stanford Computer Security Lab Security StanfordComputer Introduction

• Many users nowadays post information on cloud computing sites • Sites sometimes need to link to each other • However, cross-referencing can become a vehicle for abuses (such as spamming) • This calls for a study of security issues on cross-referencing between cloud sites

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Introduction (cont.)

• Blog cross-referencing offers one such example • Blogs have automated mechanisms, called Linkbacks, to facilitate cross-referencing, and this has been exploited by spammers

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Introduction (cont.)

• We carried out a 1-year study of a major spamming platform, and analyzed 10 million spams • Gained insight on attacker’s method of operation and resources • Propose a defense against blog spams

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Outline

• Blog Spam • Experiment setup : Honey blog ! • Results • Defense

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu General Stats on Blogs

Source: universalmccann

• 184 Million blogs world-wide • 73% of internet users have read a blog • 50% post comments

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Common Blog Platforms

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Why blogs are special

• Blog are designed around the idea of user pushing content • As an example, Linkbacks allow cross-linking between blogs. • More specifically, when blog A cites another blog B, a notification of the citation can be sent to B, which can then link back to blog A automatically.

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu TrackBack - a type of LinkBack

The URL of TrackBack TrackBack URL capture script

Auto discovery of Resource Description TrackBack URL Framework (RDF)

Code on blog site extracts Trigger citations to other blogs

Notification HTTP Post

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu TrackBack URL and Blog Comments Trackback Post variables

[title] => Title of the referencing blog entry [url] => http://www.mysite.com/page [excerpt] => Post excerpt .... [blog_name] => Mysite blog

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Problem

• Trackbacks are used to • push spam • do malevolent Search Engine Optimization • One blog spam can reach thousand of users

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu How big is the problem?

Source: Akismet.com Blog Spam

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Honey Blog

• A blog acting as a potential target for spamming • Instrumented our blog site and analyzed spams

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Setup

• Hosted a real blog (dotclear) with a modified TrackBack mechanism • Record TrackBacks • Passive fingerprinting • Sample the lure site

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Activity

Trackback Spams 100000

75000

50000 Number of Spams

25000

0 Mar-AprMar-Apr May-JunMay-Jun July 2007-Apr 2008 July 2007-Apr 2008 20072007 20072007 Mar 1, 2007 Apr 4, 2007 Jul 15, 2007Aug 1, 2007 Sep 4, 2007 Oct 8, 2007 Jan 1, 2008 Feb 4, 2008 Mar 9, 2008 Apr 21, May2007 8, 2007 Oct 25, 2007 Jan 18, 2008 Apr 12, Apr2008 29, 2008 Mar 18, 2007 May 25,Jun 2007 11, Jun2007 28, 2007 Aug 18, 2007 Sep 21, 2007 Nov 11,Nov 2007 28,Dec 2007 15, 2007 Feb 21, 2008 Mar 26, 2008

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Unique Spammer IPs

Unique Spammer IPs 2800

2100

1400 Unique IPs

700

0 Mar-AprMar-Apr May-Jun May-Jun July 2007-Apr 2008 July 2007-Apr 2008 20072007 20072007 Mar 1, 2007 Apr 4, 2007 Jul 15, 2007Aug 1, 2007 Sep 4, 2007 Oct 8, 2007 Jan 1, 2008 Feb 4, 2008 Mar 9, 2008 Apr 21, May2007 8, 2007 Oct 25, 2007 Jan 18, 2008 Apr 12,Apr 2008 29, 2008 Mar 18, 2007 May 25,Jun 2007 11,Jun 2007 28, 2007 Aug 18, 2007 Sep 21, 2007 Nov 11,Nov 2007 28,Dec 2007 15, 2007 Feb 21, 2008 Mar 26, 2008

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu IP Geolocation Distribution

IP Geolocation Distribution 100

75

50 Percentage %

25

0 July 2007- Mar-Apr 2007 May-Jun 2007 Mar 1, 2007 Apr 6, 2007 Jun 8, 2007 Apr 2008 Apr 15, 2007 Apr 24, 2007 May 3, 2007 Mar 10, 2007 Mar 19, 2007 Mar 28, 2007 May 12, 2007May 21, 2007May 30, 2007 Jun 17, 2007

Jun 2007-Apr 2008 RussiaRussia USAUSA GermanyGermany UK UK

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Max Uptime of Spamming IPs by Day

Max Uptime of All Spamming IPs by Day 12000

9000

6000 Uptime in Hours

3000

0

JanuaryJanuary FebruaryFebruary MarchMarch April 2008

Jan 4, 2008Jan 9, 2008 Feb 3, 2008Feb 8, 2008 Mar 4, 2008Mar 9, 2008 Apr 3, 2008Apr 8, 2008 Jan 14, Jan2008 19, Jan2008 24, Jan2008 29, 2008 Feb 13,Feb 2008 18,Feb 2008 23,Feb 2008 28, 2008 Mar 14,Mar 2008 19,Mar 2008 24,Mar 2008 29, 2008 Apr 13, Apr2008 18, Apr2008 23, Apr2008 28, 2008

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu User Agents in Spamming

User Agents in Spamming 100

75

50 Percentage %

25

0 Mar-AprMar-Apr May-Jun May-Jun Jul 2007-Apr 2008 July 2007-Apr 2008 20072007 2007 2007Jul 1, 2007 Apr 1, 2007 Oct 1, 2007 Jan 1, 2008 Apr 1, 2008 Mar 1, 2007 May 1, 2007 Jun 1, 2007 Aug 1, 2007 Sep 1, 2007 Nov 1, 2007 Dec 1, 2007 Feb 1, 2008 Mar 1, 2008 WordPress/1.9 WordPress 1.9 WordPress/2.0 WordPress/2.1.2 WordPress 2.1.2 WordPress 2.1 IE 6 XP Firefox Opera

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Trackback content

• Random keywords revolving around adult theme • Blog URLs in the Trackback pings are of the form random-words.nx.cn

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Trackback Post sample

Apparent Bayesian poisoning against spam filters: [title] => Please teacher hentai pics [url] =>http://please-teacher-hentai- pics.howdsl.nx.cn/index.html [excerpt] => pics Please teacher hentai pics ... [blog_name] =>Please teacher hentai pics

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Created using Wordle

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Spam Workflow

Servers submit Trackback spam

Spam points to Social network site exploited as relay site obscufaction Relay site links to lure sites with purported adult content

obscufaction

Lure site badgers user to download fake video plugins hosted on malware site

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Relay URL

• Www.nx.cn, a community hosting site at Ningxia province, PRC • Exploited by attackers as relay • The hosting site started to use CAPTCHA (some in Chinese) around May, 2008 • We observed a corresponding drop of spam activities using them as relay

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Behind the relay

• Lead to various sites • selectedclipz.com, gogomovz.com (purported adult site) • vidzwares.com (malware distribution site) • Need an id in the url download.php?id=429

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu The Lure site

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Whois

Domain Name: GOGOMOVZ.COM Registrar: ONLINENIC, INC. Whois Server: whois.onlinenic.com Referral URL: http://www.OnlineNIC.com Name Server: NS1.GOGOMOVZ.COM Name Server: NS2.GOGOMOVZ.COM. Updated Date: 22-oct-2008 Creation Date: 22-oct-2008 Expiration Date: 22-oct-2009 Registrant: ... ul Beketova 3 Nijnii Novgorod,n/a,RUSSIAN FEDERATION 603057

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu DNS analysis : related domains

• ns1.clipzsaloon.com • ns1.clipztube.com • ns1.freexxxmovz.com • ns1.itunnelz.com • ns1.vidzselector.com, and more...

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Malware

• Binary flagged as • TrojanDownloader:Win32/Zlob.gen!dll • Trojan.Popuper.origin • Downloader.Zlob.LI

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu TalkBack

• Designed a secure protocol: TalkBack • Address the root of the problem: prevent spammers to post notifications • Key ideas : • Lightweight PKI • Global rate limiting

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Goals

• Sender authenticity • Receiver authenticity • Notification integrity • Notification irrefutability

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu How it works

Authority

1. Seed 4. Talkback request reporting

2.Auto-Discovery Sender Receiver 3. Talkback posting

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Conclusion

• Linking between cloud sites can become a vehicle for spamming • One such example is blog TrackBacks • We did a 1 year study of a major blog spamming platform: 10 million spams analyzed • Gained insight about TrackBack spam and spammers • Provided us a basis to build better defense

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Related work and alternative approaches

• TrackBack Validator [21] - Parsing sender page to find the link • Reputation system • IP Blacklisting • Local rate limiting

Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Questions ?

Thank you! Lab Security StanfordComputer