Identifying spam: consider the source

Experts advise layered security, including 'reputation filtering'

Duncan Walker

It's no secret that the spam problem is getting worse, but a layered approach to security can keep most of it out of your inboxes, experts say.

'The amount of unwanted and malicious content on the Internet is the greatest it's ever been,' said Daniel Druker, chief marketing officer for Postini Inc. of Redwood City, Calif. 'There has been a major inflection point with the emergence of botnets,' Druker said at the recent RSA IT security conference.

Spam spiked in the last half of 2006 and, depending on whose figures you use, it now makes up from 85 percent to 94 percent of all e-mail. If that weren't enough, it is getting harder to spot and block. The category called image spam, which uses images rather than text to deliver messages, took off 'big time' in late 2006, said Jay Chaudhry, chief strategy officer for Secure Computing Corp. of San Jose, Calif.

'Most of our customers had their spam volume double, and most of it was image spam,' Chaudhry said.

Both botnets and image spam have been around for a while, but the planets aligned last year to create a harmonic convergence resulting in ' well, lots of spam.
Growth in botnets has been fueled by the emergence of an underground economy. Organizations pay good money for networks of compromised computers that can be used to deliver spam. The value goes up as sources of unwanted e-mail traffic become known and blacklisted. Once again, numbers vary, but security companies are reporting from 400,000 to 1 million new compromised computers'or bots'each day.

Any security architecture for keeping unwanted e-mail out of your system depends on layers of technology, each doing what it does best to adapt and respond to emerging spamming techniques.

Postini offers this as a service, processing 1.5 billion messages a day with a combination of content analysis, sender behavior analysis and blacklists of known spam sources. This can not only slow down spam, it also can take a large load off your e-mail servers. 'We block about 95 percent of the traffic being directed at each organization,' Druker said.

With the rapid emergence of new botnets for delivering more sophisticated spam, Secure Computing sees reputation as the key to stopping unwanted e-mail. Not coincidentally, the company has a system for rating URLs, domains and IP addresses on a scale that lets customers block traffic from suspicious sources.

The company's Global Intelligence Network monitors 110 billion messages a month, analyzes the behavior of the sources and ranks it on a scale of -180 to +180. Customers can adjust their policies to block or quarantine mail below a specified level of confidence.

Suspicious servers

Almost by default, any new e-mail server is likely to be treated suspiciously, Chaudhry said. There are less than 2 million legitimate e-mail servers in cyberspace, he said, with relatively little churn in their addresses. With a half-million new bots popping up each day, the chances are good that any new source warrants caution.

Reputation filtering is not enough by itself, 'but it's a first layer of defense,' Chaudhry said. The company claims it can block 60 percent of spam at the first layer, reducing the amount of traffic that the more computationally intensive content analysis tools will have to handle.

Not surprisingly, Secure Computing would like to see its reputation scoring become an industry standard for handling e-mail, much like credit scores for lending institutions. The company plans to make the scoring available to other vendors.

'You don't become a de facto standard by keeping it to yourself,' Chaudhry said.

If reputation filtering is a first line of defense, Avinti Inc. of Lindon, Utah, sees its iSolation Server as the last line of defense. The server sets behind more traditional filters such as signature-based antivirus, content analysis for spam and blacklists. Once the initial culling of traffic is done, the server's Observation Engine sandboxes the remaining suspicious traffic and watches its behavior when it is opened or executed in a simulated desktop environment.

'It's not viewing everything that's coming through,' said Avinti CEO William Kilmer. 'We're covering what's new, what's targeted.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above