The new face of spam


It keeps coming on, stronger than ever.

It's been almost four years since the passage of the Can-Spam Act, yet spam remains as big a problem as ever. Neither congressional mandate nor technological advances seems to have had much effect. Heuristics, traffic analysis, content analysis, blacklisting and other recent advances in filtering have siphoned off only the smallest portion of unwanted e-mail.

Heed Bulgakov: New techniques in spam

"Never speak to strangers."


This was good advice when Mikhail Bulgakov gave it in The Master and Margarita, his satire on Soviet Russia, and it remains good advice today.


You also should be careful about e-mail from strangers. If it contains snippets from Bulgakov's cult classic about a visit by Satan to Moscow, it probably is up to no good. Captured by Symantec Corp. and apparently created by a spammer with a taste for Russian literature, the e-mail uses passages from The Master and Margarita to avoid detection.


The Bulgakov message is a variation on one of the most recent evolutions of spam, combining multiple techniques to avoid content filters designed to block unwanted e-mail messages. For some time now, spammers have used 'word salad,' lines of gibberish composed of meaningless combinations of letters or words, to fool text scanners. Rapidly generated and quickly changed, the word salad fools scanners that look for easily identified text signatures of spam.


An interesting development, however, is the use of images. As text scanning became more effective, spammers began hiding messages in images. As optical character readers developed to counter this, spammers began slicing up the images so they would be read only when displayed on the user's screen.


The latest development in image spam is a ransom note-style message that is made up of a separate image for each letter. The spammer uses different colors, variable image sizes, 'little things that can throw off a typical scanner for images,' said Penny Freeman of Marshal Inc. of Atlanta.


The solution to this tactic is to go beyond content analysis and look at the broad characteristics of the e-mail.


This sliced-and-diced image salad is not the kind of thing that appears in legitimate corporate mailings, Freeman said.


William Jackson




E-mail security firm MessageLabs Inc. of New York reported large spikes in late 2006, surges that brought the level of spam to 74 percent of all e-mail traffic in November. But that figure counted only the spam that penetrated perimeter defenses. The real figure was 'a staggering 89.4 percent,' according to the company.


Those figures jibe with what is being seen by the Justice Department's Computer Emergency Readiness Team, which shares responsibility for keeping unwanted messages out of inboxes. DOJCERT program manager Kevin Cox said as much as 80 percent of the traffic hitting the gateways is spam, and the department's filters stop 8 million to 10 million unwanted messages each month.


'If we didn't filter this, we wouldn't be able to get anything else done,' Cox said.


Spam filtering is getting better, Cox said. 'We've made great strides in the past couple of years.' But the battle still requires constant attention to counter the constant adaptations in what security professionals call a cat-and-mouse game.
Spammers are 'determined to see just how good you really are,' said Penny Freeman, director of sales engineering for Marshal Inc. of Atlanta.


Follow the Money

The reason the battle continues unabated after so many years is money.


'For the spammers, there is a financial incentive,' Cox said.


And profit is a powerful incentive.


Spam falls into two broad categories, both of which can produce a profit for the spammer. There are fraudulent messages that carry malicious payloads or direct users to a site where they can be cheated or infected, and there are more legitimate messages from those selling something. Whether the spammer is selling Rolex watch knock-offs, stealing your personal data or taking over your computer to send more spam, there is money to be made.


How much money is impossible to say, because this is an underground economy. But traditional wisdom is that because of the scale and cost-effectiveness of spamming, only a small percentage of success is needed to produce great returns.


'One of the best measures' of these returns 'is the volume of spam itself,' said Doug Bowers, senior director of anti-abuse engineering for Symantec Corp. of Cupertino, Calif. 'To the extent we are seeing spam volume increasing, that is an indication they are having some success.'


Freeman said, 'as long as there are buyers, there are going to be sellers.'


The volume of spam fluctuates throughout the year, spiking at times as new tricks and delivery methods emerge. The significance of the spikes is open to debate. At Marshal, where a 40 percent increase was noted in late November, the spike was seen as tied to the Christmas shopping season.


'That has happened every year for the 10 years I've been in the industry,' Freeman said.


But the spikes seen at DOJ do not appear to be seasonal, Cox said. 'What we see is pretty random.'


Botnets to the Fore

One undeniable trend in spam over the past several years has been the growth of automated networks of compromised computers, or botnets, to distribute vast quantities of unwanted e-mail.


'We're seeing botnets continue to play an increasing role,' said Symantec's Bowers.

To build botnets, worms troll the Internet for vulnerable computers to infect.


Once infected, a computer typically contacts a control computer and downloads software that can be used by spammers. Unlike the worms of several years ago that spread quickly, generated high levels of network traffic and generally called attention to themselves, today's worms are quieter. If not exactly flying under the radar, they operate quietly enough to let a controller assemble networks of thousands of zombies, either for his own use or for sale to the highest bidder.


The cost of spam is not always apparent. In fact, the definition of spam is not clear-cut. What one person calls spam another might see as a legitimate offer. Spam is in large part a problem of free speech, Freeman said.


'The ability to freely discuss whatever you want to discuss is the reason it will never be fully controlled,' she said.


But that does not mean that every network or user must accept whatever someone else wants to send out. Acceptable-use policies for network resources require some level of control over what comes in as well as what goes out, and network operators have a legitimate interest in blocking spam.


Even spam that does not reach its destination takes its toll. Network resources are strained when a program spews out millions of messages to made-up addresses, assuming that some addresses will be valid within each domain. And servers get tied up rejecting these bad addresses even before the traffic hits the spam filters.


Much of the recent spike in spam traffic has been attributed to the activity of two pieces of Trojan code, SpamThru and Warezov or Stration.


Warezov comes as an e-mail attachment, sent out in batches of a few tens of thousands before it morphs enough to avoid new antivirus signatures, said Paul Wood, chief information security analyst at MessageLabs Ltd.


'It's very easy to do this,' he said. 'It's not huge volumes,' compared to infections spread on a massive scale by worms a few years ago. But volumes are large enough to create large networks of computers that pull down software to execute spam runs.


According to the iDefense Labs at VeriSign Inc. of Mountain View, Calif., Warezov checks to see that its host computer is not already on a spam blacklist before beginning to send out spam.


Wood described SpamThru, which usually is unwittingly downloaded from a malicious Web site, as more sophisticated. Rather than having a central command and control computer for the infected network, SpamThru zombies use peer-to-peer networking, eliminating any single point of failure and making the botnet more resilient.


Blasting out spam at a rate of thousands or millions of messages an hour does little good if they do not get through. As security companies get better at identifying and blocking unwanted e-mails, spammers adapt by adopting new techniques to disguise their messages. One recent trend is image spam, which uses attached images rather than text to deliver a message, avoiding text scanners.


Marshal reported a rapid growth in the volume of image spam last fall, which accounted for nearly a third of all spam by late November. The newest trick is not just an image, but multiple images.


'What is interesting is the evolution we're seeing,' said Bowers.


An image can be identified and filtered once it is known, so spammers began slicing images into pieces to make filtering more difficult. Sliced images are reassembled in the end user's viewer to display the message. When filters adapted to that trick, spammers went to slicing and dicing the images into more pieces, and some now are composing messages with a separate image for each letter, something like a ransom note.


'It really does look like someone has cut letters from a newspaper,' Bowers said.

But the technique cuts both ways, Freeman said.


'The irony is that spammers are unwittingly making it easier for us to spot spam,' she said. 'Image spam is very distinctive. It has unusual properties that normal business e-mail does not have.'
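The structural oddities Freeman describes (many small inline images, almost no real text) can be scored without reading the images at all. The following is an added illustration, not code from the article or from any vendor quoted in it; the thresholds and the two constructed sample messages are assumptions chosen for the demonstration.

```python
"""Heuristic detector for sliced / ransom-note image spam.

Scores a MIME message on structural properties rather than content:
number of inline image parts, how many are tiny, and how little plain
text accompanies them. Thresholds are illustrative assumptions.
"""
import email
from email.message import EmailMessage
from email.policy import default

# Assumed thresholds (tunable; chosen for illustration only)
MAX_INLINE_IMAGES = 4      # legitimate mail rarely embeds more than a few
MIN_TEXT_CHARS = 40        # below this the body carries no real message
TINY_IMAGE_BYTES = 512     # one-letter images are far smaller than logos


def image_spam_score(raw: bytes) -> dict:
    """Return structural features and a verdict for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=default)
    images, text_chars, sizes = 0, 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
            sizes.append(len(part.get_payload(decode=True) or b""))
        elif ctype == "text/plain":
            text_chars += len(part.get_content().strip())
    tiny = sum(1 for s in sizes if s < TINY_IMAGE_BYTES)
    # many image parts with no meaningful text is the ransom-note signature
    suspect = images > MAX_INLINE_IMAGES and text_chars < MIN_TEXT_CHARS
    return {"images": images, "tiny_images": tiny,
            "text_chars": text_chars, "suspect": suspect}


def build_ransom_note(n_letters: int) -> bytes:
    """Constructed sample: n one-letter images plus a word-salad text part."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # placeholder addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content("qz plt")                 # meaningless filler text
    for i in range(n_letters):
        # fake image bytes of deliberately varying size, as real spam uses
        blob = b"\x89PNG" + bytes([i]) * (20 + i * 7)
        msg.add_attachment(blob, maintype="image", subtype="png",
                           filename=f"l{i}.png", disposition="inline")
    return msg.as_bytes()


def build_newsletter() -> bytes:
    """Constructed sample: one logo image plus a genuine text body."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Monthly update"
    msg.set_content("Here is the monthly update on the project. " * 3)
    msg.add_attachment(b"\x89PNG" + b"\x00" * 4000, maintype="image",
                       subtype="png", filename="logo.png", disposition="inline")
    return msg.as_bytes()
```

Run `image_spam_score(build_ransom_note(12))` and `image_spam_score(build_newsletter())` to compare the two verdicts; in a real gateway these features would be combined with sender reputation and traffic data rather than used alone.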


The defenders have one advantage over the spammers trying to sneak their unwanted messages through, Cox said.


'They have only a limited amount of things they can modify' in a message once it has been identified as spam, he said. This makes it easier to spot spam even as it morphs.


Easier, maybe, but not necessarily easy.


'Successfully blocking image spam depends on looking at every aspect of the message,' Bowers said. That means not only scanning the content to identify patterns and checking the sender's IP address, but also looking for traffic patterns at the network and Internet levels.


The Justice Department uses a layered defense against spam that includes the end user, Cox said.


'We work closely with the team that manages our mail gateway,' he said.

Users who spot spam in their inboxes notify DOJCERT or the gateway team so that spam filters can be adjusted. Depending on end-users for fine-tuning the filters is not a perfect process, Cox said.


'Some will just delete the spam, and we're not going to get the full picture,' he said. But enough of them report it to give a good sense of what is getting through and how to stop it.


As the team became more comfortable with the filters at the gateway, they have been applied in as many spots as possible, including mail servers and desktops.

'There is time involved,' Cox said of the job of stopping spam. 'I don't think we'll ever get to a point where we won't have to monitor.'


But spam filters have improved and have made a difference, he said.


'Before, our team had a much larger role in addressing spam,' he said. 'That staff time has lessened.'
