Jamming the spammers
15 Jul 2006
Ingenious spam techniques require anti-spam firms to stay one step ahead, says Ambarish Deshpande, regional director India & SAARC, IronPort Systems.
The
volume of spam has been steadily increasing every year
since 2002. In addition to sheer volume, the sophistication
of spammer tactics has also grown. This flood of illegitimate
email is propelled by a powerful motive profit.
Spammers make money from selling a wide array of marginal
products ranging from herbal supplements, low interest
mortgages, and ergonomic computer products, to criminal
activities such as credit card fraud, pornography and
illegal pharmaceutical sales. The profits behind these
endeavours are being ploughed back into new technology
and infrastructure for delivering spam.
When spam initially became a pandemic, corporations and networks began to deploy first-generation spam filters. These filters primarily relied upon heuristic analysis looking at the words in a message and using a weighting system to create a probability that the message was spam.
As these anti-spam solutions became more widespread, spammers began to develop new, more sophisticated tactics to circumvent the filters. This spawned a cat and mouse game in which spammers would develop a new tactic to get past filters, then anti-spam vendors would add a new technique to their "cocktail" to stop the spammers'', then spammers would come out with a new tactic to get past even these filters, etc.
Recently, spam has been using increasingly sophisticated obfuscation techniques and mutating faster than ever. Most spam now includes blocks of text that contain words known to score as "not spam" which are often technical terms or a passage from a text book. Other tricks involve using words with white on white text or replacing letters with numbers. Spammers have keep becoming increasingly smarter in using URLs. Some spam contains minimal content but includes a URL with a call to action, while other spam attacks host their spam URLs on the same servers used by legitimate websites using free web hosting services, like Geocities.
These
obfuscation techniques have effectively defeated most
content-based filters. While most vendors still claim
to have spam capture rates in the high 90''s, in reality,
their capture rate may be in the 80''s (or worse). At the
same time, content-based filters have the challenge of
occasionally deleting legitimate mail that happens to
contain words associated with spam creating a "false
positive". The table highlights the evolution of
spam filtering, along with the limitations of each of
the approaches.
Generation |
Limitations |
Example |
1. Heuristics |
Spoofable spammers change words so filters dont recognize spam but humans do. False positives legitimate email often contains "spammy" words. |
"C H EAP V.i.a.g.r.a" |
2. Signatures |
Spoofable Hashbusters fool bulk detection systems by making spam look dissimilar. Reactive writing signatures first requires collecting spam samples. |
"Cheap Viagra dgjk#" |
3. Adaptive |
Spoofable Defeated by inserting good words that only machines see. High Overhead learn ing systems, like bayesian, are hard to train/maintain. |
"Cheap Viagra here:http://abc.comCancer, office, Shakespeare." |
4. Context Adaptive |
Emerging Requires extensive vendor investment in tracking email and Web reputation. |
IronPort Systems'' latest industry research shows an increased prevalence of "image-based spam" an advanced technique that spammers have adopted to evade detection. Image-based spam bypasses both traditional content and signature scanning and contains little or no text to analyse, instead including a .gif or .jpeg file with an image.
The image contains the spam message in the form of text and graphics, similar to an HTML email, making it difficult for a machine to easily recognize the text. Image-based spam has exploded-growing from less than 1 per cent of all spam in June of 2005 to more than 12 per cent of all spam in June 2006.
This represents more than five billion image-based spam messages sent per day 78 per cent of which pass right through first- and second-generation spam filters. The study was conducted using SenderBase data, which represents 25 pe rcent of the worlds email traffic and data from more than 100,000 ISPs, universities, and corporations around the world.
In late 2005, spam volumes were still increasing, but the growth rate began to decline from the 100 percent+ that spam volumes had sustained for the two previous years. But this respite was brief. Over the last six months, spam volumes have resumed their hyper growth rates.
From just two months between April 2006 to June 2006, spam volumes have surged 40 per cent worldwide. At the same time, spammers are focusing the intensity of their attacks. When the sophisticated spammers launch a new wave of randomised image spam, they will typically target a specific geographical area, an ISP or even an enterprise.
When this happens, as much as 50 percent of the incoming spam at a corporation is image-based. If the filter protecting that corporation is not equipped to detect and block these highly sophisticated attacks, end-users are deluged with spam for the duration of the attack, causing sever communication disruptions and major productivity losses.
Today''s spam attacks have become too sophisticated for earlier-generation spam systems. These systems share a common weakness relying heav-ily on analysing content that can easily be manipulated by a spammer. State of the art anti-spam systems must go beyond content analysis and analyse messages in the full context in which they are sent.
Maintaining
leading efficacy also requires publishing high-quality
rules in near real time. Rule quality is driven by the
size, breadth, and quality of the data that feeds the
rule generation system. Finally, the most effective
rule development systems have humans in the loop
analyzing and responding to the last few percent of spam
messages that escaped automated defenses.