The new face of spam
It keeps coming on, stronger than ever
- By William Jackson
- Jan 21, 2007
It's been almost four years since the passage of the Can-Spam Act, yet spam remains as big a problem as ever. Neither congressional mandate nor technological advances seem to have had much effect. Heuristics, traffic analysis, content analysis, blacklisting and other recent advances in filtering have siphoned off only the smallest portion of unwanted e-mail.
E-mail security firm MessageLabs Inc. of New York reported large spikes in late 2006, surges that brought the level of spam to 74 percent of all e-mail traffic in November. But that figure counted only the spam that penetrated perimeter defenses. The real figure was 'a staggering 89.4 percent,' according to the company.
Those figures jibe with what is being seen by the Justice Department's Computer Emergency Readiness Team, which shares responsibility for keeping unwanted messages out of inboxes. DOJCERT program manager Kevin Cox said as much as 80 percent of the traffic hitting the gateways is spam, and the department's filters stop 8 million to 10 million unwanted messages each month.
'If we didn't filter this, we wouldn't be able to get anything else done,' Cox said.
Spam filtering is getting better, Cox said. 'We've made great strides in the past couple of years.' But the battle still requires constant attention to counter the constant adaptations in what security professionals call a cat-and-mouse game.
Spammers are 'determined to see just how good you really are,' said Penny Freeman, director of sales engineering for Marshal Inc. of Atlanta.
Follow the Money
The reason the battle continues unabated after so many years is money.
'For the spammers, there is a financial incentive,' Cox said.
And profit is a powerful incentive.
Spam falls into two broad categories, both of which can produce a profit for the spammer. There are fraudulent messages that carry malicious payloads or direct users to a site where they can be cheated or infected, and there are more legitimate messages from those selling something. Whether the spammer is selling Rolex watch knock-offs, stealing your personal data or taking over your computer to send more spam, there is money to be made.
How much money is impossible to say, because this is an underground economy. But traditional wisdom is that because of the scale and cost-effectiveness of spamming, only a small percentage of success is needed to produce great returns.
'One of the best measures' of these returns 'is the volume of spam itself,' said Doug Bowers, senior director of anti-abuse engineering for Symantec Corp. of Cupertino, Calif. 'To the extent we are seeing spam volume increasing, that is an indication they are having some success.'
Freeman said, 'As long as there are buyers, there are going to be sellers.'
The volume of spam fluctuates throughout the year, spiking at times as new tricks and delivery methods emerge. The significance of the spikes is open to debate. At Marshal, where a 40 percent increase was noted in late November, the spike was seen as tied to the Christmas shopping season.
'That has happened every year for the 10 years I've been in the industry,' Freeman said.
But the spikes seen at DOJ do not appear to be seasonal, Cox said. 'What we see is pretty random.'
Botnets to the Fore
One undeniable trend in spam over the past several years has been the growth of automated networks of compromised computers, or botnets, to distribute vast quantities of unwanted e-mail.
'We're seeing botnets continue to play an increasing role,' said Symantec's Bowers.
To build botnets, worms troll the Internet for vulnerable computers to infect.
Once infected, a computer typically contacts a control computer and downloads software that can be used by spammers. Unlike the worms of several years ago that spread quickly, generated high levels of network traffic and generally called attention to themselves, today's worms are quieter. If not exactly flying under the radar, they operate quietly enough to let a controller assemble networks of thousands of zombies, either for his own use or for sale to the highest bidder.
The cost of spam is not always apparent. In fact, the definition of spam is not clear-cut. What one person calls spam another might see as a legitimate offer. Spam is in large part a problem of free speech, Freeman said.
'The ability to freely discuss whatever you want to discuss is the reason it will never be fully controlled,' she said.
But that does not mean that every network or user must accept whatever someone else wants to send out. Acceptable-use policies for network resources require some level of control over what comes in as well as what goes out, and network operators have a legitimate interest in blocking spam.
Even spam that does not reach its destination takes its toll. Network resources are strained when a program spews out millions of messages to made-up addresses, assuming that some addresses will be valid within each domain. And servers get tied up rejecting these bad addresses even before the traffic hits the spam filters.
Much of the recent spike in spam traffic has been attributed to the activity of two pieces of Trojan code: SpamThru and Warezov, which is also called Stration.
Warezov comes as an e-mail attachment, sent out in batches of a few tens of thousands before it morphs enough to avoid new antivirus signatures, said Paul Wood, chief information security analyst at MessageLabs Ltd.
'It's very easy to do this,' he said. 'It's not huge volumes,' compared to infections spread on a massive scale by worms a few years ago. But volumes are large enough to create large networks of computers that pull down software to execute spam runs.
According to the iDefense Labs at VeriSign Inc. of Mountain View, Calif., Warezov checks to see that its host computer is not already on a spam blacklist before beginning to send out spam.
Wood described SpamThru, which usually is unwittingly downloaded from a malicious Web site, as more sophisticated. Rather than having a central command and control computer for the infected network, SpamThru zombies use peer-to-peer networking, eliminating any single point of failure and making the botnet more resilient.
Blasting out spam at a rate of thousands or millions of messages an hour does little good if they do not get through. As security companies get better at identifying and blocking unwanted e-mails, spammers adapt by adopting new techniques to disguise their messages. One recent trend is image spam, which uses attached images rather than text to deliver a message, avoiding text scanners.
Marshal reported a rapid growth in the volume of image spam last fall, which accounted for nearly a third of all spam by late November. The newest trick is not just an image, but multiple images.
'What is interesting is the evolution we're seeing,' said Bowers.
An image can be identified and filtered once it is known, so spammers began slicing images into pieces to make filtering more difficult. Sliced images are reassembled in the end user's viewer to display the message. When filters adapted to that trick, spammers went to slicing and dicing the images into more pieces, and some now are composing messages with a separate image for each letter, something like a ransom note.
'It really does look like someone has cut letters from a newspaper,' Bowers said.
But the technique cuts both ways, Freeman said.
'The irony is that spammers are unwittingly making it easier for us to spot spam,' she said. 'Image spam is very distinctive. It has unusual properties that normal business e-mail does not have.'
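The structural properties Freeman refers to can be measured directly from a message's MIME parts. The following Python sketch is an added example, not code from Marshal, Symantec or any vendor quoted here; the function names, the sample messages and the thresholds (four or more image parts, under 50 characters of text) are assumptions chosen for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

def build_sample(n_images, body_text):
    """Constructed test message: a text body plus n inline image slices."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body_text)
    tags = "".join(f'<img src="cid:p{i}">' for i in range(n_images))
    msg.add_alternative(f"<html><body>{tags}</body></html>", subtype="html")
    html_part = msg.get_payload()[1]
    for i in range(n_images):
        # Dummy bytes stand in for an image slice; only the structure matters.
        html_part.add_related(b"GIF89a" + bytes(40), maintype="image",
                              subtype="gif", cid=f"<p{i}>")
    return msg.as_string()

def image_spam_features(raw, min_images=4, max_text_chars=50):
    """Count image parts and readable text; flag many images with little text."""
    msg = message_from_string(raw, policy=policy.default)
    sizes, text_chars = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_maintype() == "image":
            sizes.append(len(part.get_payload(decode=True) or b""))
        elif ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            # Strip tags so only text a reader would see is counted.
            text_chars += len(re.sub(r"<[^>]+>", "", part.get_content()).strip())
    images = len(sizes)
    return {
        "image_parts": images,
        "avg_image_bytes": sum(sizes) / images if images else 0,
        "text_chars": text_chars,
        # Assumed heuristic: a message that is nearly all image slices.
        "suspicious": images >= min_images and text_chars < max_text_chars,
    }

if __name__ == "__main__":
    ham_text = "Please find the agenda for the Thursday review below. " * 4
    for label, raw in (("sliced", build_sample(12, "see attached")),
                       ("business", build_sample(1, ham_text))):
        print(label, image_spam_features(raw))
```

A production filter would combine such counts with the sender and traffic signals Bowers describes rather than act on them alone.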
The defenders have one advantage over the spammers trying to sneak their unwanted messages through, Cox said.
'They have only a limited amount of things they can modify' in a message once it has been identified as spam, he said. This makes it easier to spot spam even as it morphs.
Easier, maybe, but not necessarily easy.
'Successfully blocking image spam depends on looking at every aspect of the message,' Bowers said. That means not only scanning the content to identify patterns and checking the sender's IP address, but also looking for traffic patterns at the network and Internet levels.
The Justice Department uses a layered defense against spam that includes the end user, Cox said.
'We work closely with the team that manages our mail gateway,' he said.
Users who spot spam in their inboxes notify DOJCERT or the gateway team so that spam filters can be adjusted. Depending on end-users for fine-tuning the filters is not a perfect process, Cox said.
'Some will just delete the spam, and we're not going to get the full picture,' he said. But enough of them report it to give a good sense of what is getting through and how to stop it.
As the team became more comfortable with the filters at the gateway, they have been applied in as many spots as possible, including mail servers and desktops.
'There is time involved,' Cox said of the job of stopping spam. 'I don't think we'll ever get to a point where we won't have to monitor.'
But spam filters have improved and have made a difference, he said.
'Before, our team had a much larger role in addressing spam,' he said. 'That staff time has lessened.'