William Jackson | The most powerful anti-spam filter isn't used enough
Cybereye | Commentary: The villains continue to evolve networks and techniques to ensure that their messages are delivered into our inboxes
- By William Jackson
- Nov 02, 2007
If there were any questions that the current generation of spammers and hackers have dug in for the long haul, events in the past few weeks should eliminate them. Botnet operators and spammers are continuing the evolution of their networks and techniques to ensure that their messages continue to arrive in our inboxes.
One of the most successful worms ' in the same sense that the common cold is successful ' has been the Storm Worm, partly because of its adaptations. It now appears to be using encrypted command-and-control channels to help hide its traffic and create smaller networks that could be sold off to spammers.
Spammers use these networks to launch online campaigns to infect and compromise more computers for their botnets and engage in a variety of fraudulent schemes.
They have begun using a new medium to deliver their unwanted messages. MessageLabs discovered a rash of audio spam in late October using MP3 files for pump-and-dump stock fraud schemes.
Analysts at the security company identified about 10,000 of these messages in a two-day period with file names such as elvis.mp3 and beatles.mps3 to tempt unwary recipients to open them.
MessageLabs reported that the audio spam seems to be coming from the same organization that has also used large-scale mailings of PDF files in recent months to sneak their spam past filters.
Encrypted Storm Worm traffic was found by SecureWorks. The Trojan apparently is using a 40-byte key to encrypt communications on Overnet peer-to-peer networks.
According to that company's analysts, use of different keys could let botnet creators segment their networks to offer turnkey operations to spammers, complete with fast-flux domain name service to avoid system shutdowns.
This is serious business for spammers and the gangs that are organizing botnets. Any estimate of the volume of business they are doing is suspect because it is all underground, but it must be worth their while, judging from the volume of e-mail traffic they generate.
Security companies do a good job of identifying, responding to and filtering new attacks, but they will always be playing catch-up, and there will be windows of vulnerability in our systems as the bad guys find new techniques.
The final line of defense in the battle against malicious traffic is the biological spam filter. Given the almost infinite complexity of the filtering engine and its ability to learn, it could also be one of the most effective.
The biological filter, of course, is the computer user accessing his e-mail. The human mind has an uncanny ability to identify spam and other fraudulent or junk messages that make it through the best commercial filters. Unfortunately, too many of us have set that filter's threshold too low and are letting malicious traffic through.
So here are a few rules you might want to apply to your biological filter: Rolex does not sell cheap watches online. Viagra is not available over the Web. Nobody in Nigeria wants to send you money. And hot girls are not waiting to meet you.
It is unlikely that a stranger is going to e-mail you a new Beatles tune ' they broke up more than 35 years ago' and Elvis is still dead.
A properly tuned sense of skepticism can go a long way toward closing the window of vulnerability in the cat-and-mouse game against spammers.