Damn spam! There's more of it than ever
- By William Jackson
- Feb 08, 2007
SAN FRANCISCO ' You probably already know this, but it bears repeating: The spam problem is getting worse.
'The amount of unwanted and malicious content on the Internet is the greatest it's ever been,' said Daniel Druker, chief marketing officer for Postini Inc. of Redwood City, Calif.
Postini released the results of its annual survey of e-communications security issues at this week's RSA IT security conference.
'There has been a major inflection point with the emergence of botnets,' Druker said.
Spam spiked in the last half of 2006, and depending on whose figures you use, it now makes up from 85 percent to 94 percent of all e-mail. If that weren't enough, it is getting harder to spot and block. The category called image spam, which uses images rather than text to deliver messages, took off 'big time' in late 2006, said Jay Chaudhry, chief strategy officer for Secure Computing Corp. of San Jose, Calif.
'Most of our customers had their spam volume double, and most of it was image spam,' Chaudhry said.
Both botnets and image spam have been around for a while, but the planets aligned last year to create a harmonic convergence resulting in ... well, lots of spam. Growth in botnets has been fueled by the emergence of an underground economy. Organizations pay good money for networks of compromised computers that can be used to deliver spam. The value goes up as sources of unwanted e-mail traffic become known and blacklisted. Once again, numbers vary, but security companies are reporting from 400,000 to 1 million new compromised computers ' or bots ' each day.
Image spam is not new, but 'somebody released tools to create image spam easily' last year, Chaudhry said.
Unfortunately, much of the work in recent years in identifying and blocking spam relied on content analysis and filtering.
'All of the techniques developed in the last five years is going out the door,' he said.
Well, not completely. Any security architecture for keeping unwanted e-mail out of your system depends on layers of technology, each doing what it does best to adapt and respond to emerging spamming techniques.
Postini offers this as a service, processing 1.5 billion messages a day with a combination of content analysis, sender behavior analysis, and blacklists of known spam sources. This can not only slow down spam, it also can take a large load off your e-mail servers.
'We block about 95 percent of the traffic being directed at each organization,' Druker said.
With the rapid emergence of new botnets for delivering more sophisticated spam, Secure Computing sees reputation as the key to stopping unwanted e-mail. Not coincidentally, the company has a system for rating URLs, domains and IP addresses on a scale that lets customers block traffic from suspicious sources.
The company's Global Intelligence Network monitors 110 billion messages a month, analyzes the behavior of the sources and ranks it on a scale of -180 to +180. Customers can adjust their policies to block or quarantine mail below a specified level of confidence.
Almost by default, any new e-mail server is likely to be treated suspiciously, Chaudhry said. There are less than 2 million legitimate e-mail servers in cyberspace, he said, with relatively little churn in their addresses. With a half-million new bots popping up each day, the chances are good that any new source warrants caution.
Reputation filtering is not enough by itself to protect you from spam, 'but it's a first layer of defense,' Chaudhry said. The company claims it can block 60 percent of spam at the first layer, reducing the amount of traffic that the more computationally intensive content analysis tools will have to handle.
Not surprisingly, Secure Computing would like to see its reputation scoring become an industry standard for handling e-mail, much like credit scores for lending institutions. The company plans to make the scoring available to other vendors.
'You don't become a de facto standard by keeping it to yourself,' Chaudhry said.
If reputation filtering is a first line of defense, Avinti Inc. of Lindon, Utah, sees its iSolation Server as the last line of defense. The server sets behind more traditional filters such as signature-based antivirus, content analysis for spam and blacklists. Once the initial culling of traffic is done, the server's Observation Engine sandboxes the remaining suspicious traffic and watches its behavior when it is opened or executed in a simulated desktop environment.
'It's not viewing everything that's coming through,' said Avinti CEO William Kilmer. 'We're covering what's new, what's targeted.'
William Jackson is a Maryland-based freelance writer.