TrackBack Spam: Abuse and Prevention
Elie Bursztein, Peifung E. Lam, John C. Mitchell
Stanford University Stanford Computer Security Lab Security StanfordComputer Introduction
• Many users nowadays post information on cloud computing sites • Sites sometimes need to link to each other • However, cross-referencing can become a vehicle for abuses (such as spamming) • This calls for a study of security issues on cross-referencing between cloud sites
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Introduction (cont.)
• Blog cross-referencing offers one such example • Blogs have automated mechanisms, called Linkbacks, to facilitate cross-referencing, and this has been exploited by spammers
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Introduction (cont.)
• We carried out a 1-year study of a major spamming platform, and analyzed 10 million spams • Gained insight on attacker’s method of operation and resources • Propose a defense against blog spams
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Outline
• Blog Spam • Experiment setup : Honey blog ! • Results • Defense
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu General Stats on Blogs
Source: universalmccann
• 184 Million blogs world-wide • 73% of internet users have read a blog • 50% post comments
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Common Blog Platforms
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Why blogs are special
• Blog are designed around the idea of user pushing content • As an example, Linkbacks allow cross-linking between blogs. • More specifically, when blog A cites another blog B, a notification of the citation can be sent to B, which can then link back to blog A automatically.
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu TrackBack - a type of LinkBack
The URL of TrackBack TrackBack URL capture script
Auto discovery of Resource Description TrackBack URL Framework (RDF)
Code on blog site extracts Trigger citations to other blogs
Notification HTTP Post
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu TrackBack URL and Blog Comments Trackback Post variables
[title] => Title of the referencing blog entry [url] => http://www.mysite.com/page [excerpt] => Post excerpt .... [blog_name] => Mysite blog
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Problem
• Trackbacks are used to • push spam • do malevolent Search Engine Optimization • One blog spam can reach thousand of users
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu How big is the problem?
Source: Akismet.com Blog Spam
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Honey Blog
• A blog acting as a potential target for spamming • Instrumented our blog site and analyzed spams
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Setup
• Hosted a real blog (dotclear) with a modified TrackBack mechanism • Record TrackBacks • Passive fingerprinting • Sample the lure site
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Activity
Trackback Spams 100000
75000
50000 Number of Spams
25000
0 Mar-AprMar-Apr May-JunMay-Jun July 2007-Apr 2008 July 2007-Apr 2008 20072007 20072007 Mar 1, 2007 Apr 4, 2007 Jul 15, 2007Aug 1, 2007 Sep 4, 2007 Oct 8, 2007 Jan 1, 2008 Feb 4, 2008 Mar 9, 2008 Apr 21, May2007 8, 2007 Oct 25, 2007 Jan 18, 2008 Apr 12, Apr2008 29, 2008 Mar 18, 2007 May 25,Jun 2007 11, Jun2007 28, 2007 Aug 18, 2007 Sep 21, 2007 Nov 11,Nov 2007 28,Dec 2007 15, 2007 Feb 21, 2008 Mar 26, 2008
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Unique Spammer IPs
Unique Spammer IPs 2800
2100
1400 Unique IPs
700
0 Mar-AprMar-Apr May-Jun May-Jun July 2007-Apr 2008 July 2007-Apr 2008 20072007 20072007 Mar 1, 2007 Apr 4, 2007 Jul 15, 2007Aug 1, 2007 Sep 4, 2007 Oct 8, 2007 Jan 1, 2008 Feb 4, 2008 Mar 9, 2008 Apr 21, May2007 8, 2007 Oct 25, 2007 Jan 18, 2008 Apr 12,Apr 2008 29, 2008 Mar 18, 2007 May 25,Jun 2007 11,Jun 2007 28, 2007 Aug 18, 2007 Sep 21, 2007 Nov 11,Nov 2007 28,Dec 2007 15, 2007 Feb 21, 2008 Mar 26, 2008
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu IP Geolocation Distribution
IP Geolocation Distribution 100
75
50 Percentage %
25
0 July 2007- Mar-Apr 2007 May-Jun 2007 Mar 1, 2007 Apr 6, 2007 Jun 8, 2007 Apr 2008 Apr 15, 2007 Apr 24, 2007 May 3, 2007 Mar 10, 2007 Mar 19, 2007 Mar 28, 2007 May 12, 2007May 21, 2007May 30, 2007 Jun 17, 2007
Jun 2007-Apr 2008 RussiaRussia USAUSA GermanyGermany UK UK
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Max Uptime of Spamming IPs by Day
Max Uptime of All Spamming IPs by Day 12000
9000
6000 Uptime in Hours
3000
0
JanuaryJanuary FebruaryFebruary MarchMarch April 2008
Jan 4, 2008Jan 9, 2008 Feb 3, 2008Feb 8, 2008 Mar 4, 2008Mar 9, 2008 Apr 3, 2008Apr 8, 2008 Jan 14, Jan2008 19, Jan2008 24, Jan2008 29, 2008 Feb 13,Feb 2008 18,Feb 2008 23,Feb 2008 28, 2008 Mar 14,Mar 2008 19,Mar 2008 24,Mar 2008 29, 2008 Apr 13, Apr2008 18, Apr2008 23, Apr2008 28, 2008
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu User Agents in Spamming
User Agents in Spamming 100
75
50 Percentage %
25
0 Mar-AprMar-Apr May-Jun May-Jun Jul 2007-Apr 2008 July 2007-Apr 2008 20072007 2007 2007Jul 1, 2007 Apr 1, 2007 Oct 1, 2007 Jan 1, 2008 Apr 1, 2008 Mar 1, 2007 May 1, 2007 Jun 1, 2007 Aug 1, 2007 Sep 1, 2007 Nov 1, 2007 Dec 1, 2007 Feb 1, 2008 Mar 1, 2008 WordPress/1.9 WordPress 1.9 WordPress/2.0 WordPress/2.1.2 WordPress 2.1.2 WordPress 2.1 IE 6 XP Firefox Opera
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Trackback content
• Random keywords revolving around adult theme • Blog URLs in the Trackback pings are of the form random-words.nx.cn
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Trackback Post sample
Apparent Bayesian poisoning against spam filters: [title] => Please teacher hentai pics [url] =>http://please-teacher-hentai- pics.howdsl.nx.cn/index.html [excerpt] => pics Please teacher hentai pics ... [blog_name] =>Please teacher hentai pics
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Created using Wordle
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Spam Workflow
Servers submit Trackback spam
Spam points to Social network site exploited as relay site obscufaction Relay site links to lure sites with purported adult content
obscufaction
Lure site badgers user to download fake video plugins hosted on malware site
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Relay URL
• Www.nx.cn, a community hosting site at Ningxia province, PRC • Exploited by attackers as relay • The hosting site started to use CAPTCHA (some in Chinese) around May, 2008 • We observed a corresponding drop of spam activities using them as relay
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Behind the relay
• Lead to various sites • selectedclipz.com, gogomovz.com (purported adult site) • vidzwares.com (malware distribution site) • Need an id in the url download.php?id=429
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu The Lure site
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Whois
Domain Name: GOGOMOVZ.COM Registrar: ONLINENIC, INC. Whois Server: whois.onlinenic.com Referral URL: http://www.OnlineNIC.com Name Server: NS1.GOGOMOVZ.COM Name Server: NS2.GOGOMOVZ.COM. Updated Date: 22-oct-2008 Creation Date: 22-oct-2008 Expiration Date: 22-oct-2009 Registrant: ... ul Beketova 3 Nijnii Novgorod,n/a,RUSSIAN FEDERATION 603057
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu DNS analysis : related domains
• ns1.clipzsaloon.com • ns1.clipztube.com • ns1.freexxxmovz.com • ns1.itunnelz.com • ns1.vidzselector.com, and more...
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Malware
• Binary flagged as • TrojanDownloader:Win32/Zlob.gen!dll • Trojan.Popuper.origin • Downloader.Zlob.LI
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu TalkBack
• Designed a secure protocol: TalkBack • Address the root of the problem: prevent spammers to post notifications • Key ideas : • Lightweight PKI • Global rate limiting
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Goals
• Sender authenticity • Receiver authenticity • Notification integrity • Notification irrefutability
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu How it works
Authority
1. Seed 4. Talkback request reporting
2.Auto-Discovery Sender Receiver 3. Talkback posting
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Conclusion
• Linking between cloud sites can become a vehicle for spamming • One such example is blog TrackBacks • We did a 1 year study of a major blog spamming platform: 10 million spams analyzed • Gained insight about TrackBack spam and spammers • Provided us a basis to build better defense
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Related work and alternative approaches
• TrackBack Validator [21] - Parsing sender page to find the link • Reputation system • IP Blacklisting • Local rate limiting
Elie Bursztein, Peifung E. Lam, John C. Mitchell Trackback Spams: Abuse and Prevention http://seclab.stanford.edu Questions ?
Thank you! Lab Security StanfordComputer