http://www.nytimes.com/2006/05/21/business/yourmoney/21spam.html By TOM ZELLER Jr. The New York Times May 21, 2006 TO the antispam researchers at MessageLabs, an e-mail filtering company, each new wave of a recent stock-pumping spam seemed like a personal affront. The spammers were trying to circumvent the world's junk-mail filters by embedding their messages - whether peddling something called China Digital Media for $1.71 a share, or a "Hot Pick!" company called GroFeed for just 10 cents - into images. In some ways, it was a desperate move. The images made the messages much bulkier than simple text messages, so the spammers were using more bandwidth to churn out fewer spams. But they also knew that, to filters scanning for telltale spam words in the text of e-mail messages, a picture of the words "Hot Stox!!" is significantly different from the words themselves. So the bulk e-mailers behind this campaign seemed to calculate that they had a good chance of slipping their stock pitches past spam defenses to land in the in-boxes of prospective customers. It worked, but only briefly. Antispam developers at MessageLabs, one of several companies that essentially reroute their clients' e-mail traffic through proprietary spam-scrubbing servers before delivering it, quickly developed a "checksum," or fingerprint, for the images, and created a filter to block them. Advances in spam-catching techniques mean that most computer users no longer face the paralyzing crush of junk messages that began threatening the very utility of e-mail communications just a few years ago. But spammers have hardly given up, and as they improve and adapt their techniques, network managers must still face down the pill-pushers, get-rich-quick artists and others who use billions of unwanted e-mail messages to troll for income. "For the end user, spam isn't that much of a problem anymore," said Matt Sergeant, MessageLabs' senior antispam technologist. "But for the network, and for people like us, it definitely is." Shortly after MessageLabs created a filter to catch the stock spams, the images they contained changed again. They were now arriving with what looked to the naked eye like a gray border. Zooming in, however, the MessageLabs team discovered that the border was made up of thousands of randomly ordered dots. Indeed, every message in that particular spam campaign was generated with a new image of the border - each with its own random array of dots. "That was kind of cool and kind of funny," said Mr. Sergeant, a soft-spoken British transplant who spends his days helping to douse spam fires from his home office outside Toronto. During a recent meeting at the company's New York office, in Midtown Manhattan, Mr. Sergeant and a colleague, Nick Johnson, an antispam developer visiting from MessageLabs' headquarters in Gloucester, England, expressed both amusement and respect over the sheer creativity of the world's most prolific spammers, who continue to dump hundreds of millions of junk messages into the e-mail stream each day. "It was almost like they knew what we were doing," Mr. Sergeant said. SEVERAL surveys - from AOL, the Pew Internet and American Life Project and others - have indicated that the amount of spam reaching consumer inboxes has at least stabilized. That is true for users whose networks are protected by off-site, third-party filtering services like MessageLabs', as well as those protected by network software or in-house equipment that filters messages before they hit a company's e-mail server. If individual users also have personal spam filters installed on their computers, their in-box spam count can be reduced to a trickle. But spam continues to account for roughly 70 percent of all e-mail messages on the Internet, despite tough antispam laws across the globe (including the Can-Spam Act in the United States), despite vigorous lawsuits against individual junk-mail senders and despite the famous prediction, by Bill Gates at the World Economic Forum in 2004, that spam would be eradicated by 2006. The continuing defiance of spammers was demonstrated last week when one of them forced Blue Security, an antispam company based in Israel, to shut down its services. The company gave customers the power to enact mob justice on spammers by overloading them with requests to be removed from mailing lists. A spammer in Russia retaliated by knocking out Blue Security's Web site and threatening virus attacks against its customers. Blue Security said it would back off rather than be responsible for a "cyberwar." While there are some indications that the growth rate of spam has plateaued or even slowed, experts say that spikes are always looming. That is partly because spammers can hide themselves or their operations in countries where law enforcement is lax, from Russia and Eastern Europe to China and Nigeria. Because some spammers can churn out 200 million or more messages a day, and because less than 1 percent of those need to bring responses from naïve, click-happy users to turn handsome profits, there is little incentive to stop. "That's really just the daily battle," said Mr. Sergeant, who routinely shares intelligence on individual spammers with other antispam organizations and with the F.B.I. and other law enforcement agencies. "That 1 percent is the wall, really - it's the spammers creating something new that we just haven't seen before. And for us it's a matter of how quickly we can deal with it." There is plenty to deal with. Most spam is still just, well, spam: low-rent pitches for stocks and penis-enlargement pills. But there are also the more immediate menaces, including attempts to trick consumers into giving up bank and credit card information - or the use of spam to deliver viruses and other malicious software. From an industry perspective, antivirus and antispam scanning are virtually inseparable, and MessageLabs is among many companies jockeying to position themselves as full-service contractors, offering to filter, scan, scrub and archive both incoming and outgoing mail. It's a lucrative strategy. IDC, the research firm, estimates that the global market for "messaging security" will grow to $2.6 billion by 2009, from $675 million in 2004. The category consists mostly of antispam services, but also covers outbound filtering - something that employers now demand and all vendors include, according to Brian Burke, an IDC analyst. IDC estimates that the larger market for "secure content management," which folds in virus protection, Web filtering and spyware protection, will grow to $11.4 billion by 2009 from $4.8 billion in 2004. In 2005, about 60 percent of businesses were using software to combat spam, with the rest split between using managed services and antispam hardware, according to Osterman Research, which conducts market analysis on the messaging industry. But the percentage of businesses moving to managed services is expected to double, to almost 40 percent, during the next two years. In that context, it may not be surprising that Microsoft recently acquired FrontBridge, the third-largest provider of managed e-mail services. MessageLabs and Postini, based in San Carlos, Calif., have long been the leaders in the category. While much growth in this field will be driven by the threat of viruses and other bugs attached to messages, the wave of simple but inventive marketing spam remains a big concern - and, in many ways, is the harder thing to catch. Consider the stock spam using random dots in the borders. "We actually developed some technology to detect borders in images and figure out the entropy - that is, to figure out if the border was random," Mr. Sergeant said. "So that was fine." Of course, shortly afterward, "they decided to stop using the borders," he added. >From there, the senders began placing a small number of barely perceptible and, again, randomly placed dots - a pink one here, a blue one there, a green one near the bottom - throughout the images. Then they shifted to multiple images, with words spelled partially in plain text and partially as images, so that the content, when viewed on a common e-mail reader like Outlook or AOL, would look like an ordinary message. "There are loads of different kinds of obfuscation," Mr. Johnson said. "They've realized that people are looking for V1agra spelled with a '1' and st0ck with a 'zero' and that sort of thing, so they might try some sort of meaning obfuscation, like just referring to a watch as a 'wrist accessory' or something like that. So they say something like, 'Drape your wrist with this elegant accessory.' "Any way not to say 'Rolex,' " he added, "so it's quite cryptic." Sitting in a windowless conference room, Mr. Sergeant alternated his gaze between the conversation at hand and the streams of filtered e-mail subject lines slithering down his laptop screen. The lines were feedback from the company's "radar" system, which allows team members to test a new "rule" or "signature" that they have devised on a slice of the incoming torrent of spam. If the rule is too broad and general, legitimate e-mail messages - dreaded "false positives" in the parlance of spam assassins - will begin showing up on the radar. Mr. Johnson plugs into the radar himself and highlights a common obfuscation technique he calls "gappy text": words with spaces between the letters, to fool filters designed to look only for whole words. The example was in a message advertising a work-at-home opportunity out of "T u l s a , O k l a h o m a ." "That's something that we might consider signaturing, that whole line there, with the spaces," he said, "because it's not very common behavior for someone to want to write like that." Mr. Johnson began reading from a customer testimonial included in the same message: "I was skeptical at first. I made money. I couldn't believe it!" Mr. Sergeant erupted in laughter. "It's a classic joke in our office," Mr. Johnson said. "If it's advertised in spam, it must be true." MR. JOHNSON described another trick that a spammer had recently deployed so that messages peddling Viagra would move into recipients' in-boxes. By default, most modern e-mail software can display messages that are written with the same text formatting code used to create Web pages - known as hypertext markup language, or HTML. Like viewers of Web pages, e-mail users never actually see the underlying code, or "tags" used to make some words appear, say, bold or italicized. But spam filters scan this code, too, looking for "spammy behavior," as Mr. Johnson put it. In this instance, a clever spam writer slipped a Viagra message past many filters by spelling the word with several I's, then using HTML code to shove all of the I's together. "Whenever you view this in your e-mail program," Mr. Johnson said, "the letter spacing is set to minus-3 pixels, so it will show all these I's on top of each other, and it will look like one I. "That was quite an impressive one, actually," he said. And vexing, Mr. Sergeant added. Without a special rule created by the team, it would have been virtually impossible for a machine to examine the source code of a message and determine that this was the word "Viagra." "The word appears on screen as it should," Mr. Sergeant said. "But if you actually are examining the HTML, you just couldn't pull out a word from it. So while a computer can't figure out what the words are in the e-mail, the human eyes can." A company like MessageLabs tries to avoid examining messages at this level. Instead, it prefers to stop much of the junk at the door, using what is called I.P. blocking. This prevents the receipt of messages from a particular Internet protocol address already identified as a spamming source. This technique is sometimes frowned upon by Internet purists, because it can punish innocent users by blacklisting a whole range of addresses from a single host. But Mr. Sergeant said that I.P. blocking had become more refined since the early days of spam fighting. "It's very, very important to us," he said. "It's our first line of defense, really." Still, spammers can often get around this by turning to zombie bots. These are vast networks of personal computers that have been surreptitiously infected with malicious software, permitting a spammer to use their computing power, without the owners' knowledge, to spew or relay spam, viruses, keyloggers, phony "update your bank account" messages and other dark payloads. Zombies now deliver half to three-quarters of all spam, according to a Federal Trade Commission report to Congress in December on the state of the spam problem. Among the zombies' many advantages is an ever-shifting collection of I.P. addresses. Another trump card was handed to spammers just over a year and a half ago, when VeriSign, the security and services company that controls the dot-com and dot-net network domains, unveiled a quicker way to update domain names. Although a boon to people setting up their own sites, the new system decreased the time needed for a newly registered domain name to be activated, to 5 minutes from about 12 hours. That put spammers, armed with stolen credit cards and a willingness to buy and quickly abandon domain names, at a new advantage. VeriSign updates its domain information every 12 hours. "But a spammer can register a new domain and have it live within 5 minutes," Mr. Sergeant said. "So he's got a big window where nobody has any information about his domain. They make use of that window." MESSAGELABS' filtering database tries to discover new zombie bots by studying the behavior of e-mail messages from new addresses. Normally, for instance, a machine looking to deliver a message to another machine essentially says "hello" by passing an identifying string of code. Most legitimate mail servers will say "hello" with the same string over and over, for every message. "When a machine communicates with us in two, three, four different ways within a small time frame," Mr. Sergeant said, "that makes the sending machine look kind of weird." That behavior can indicate "it's not a real machine, it's just one of these drone armies." Some low-end spamming software, too, may leave characteristic fingerprints - for instance, the telltale way in which it forges the header information - that spam fighters gradually add to their cumulative antispam wisdom. For all the algorithmic derring-do, however, sooner or later the game turns not on I.P. addresses or software fingerprints, but on the content of the message. It's the approach that MessageLabs researchers like least, but one that spammers constantly force on them. Nigerian e-mail scams are a particular nuisance in this regard. Familiar to any e-mail user, these are the ones seeking an advance payment from the recipient to help rescue a deposed prince or to collect a percentage on some elaborately portrayed fortune. They are difficult to weed out because the senders often use Web-based e-mail services like Yahoo or Gmail, so I.P. blocking is impractical. The language used in the e-mail messages, too, is often common enough that no particular string lends itself to safe rule-making; the risk of filtering out legitimate communications would be high. MessageLabs has spent a year compiling a database, "Scam DNA," of 15,000 Nigerian scam messages, and used pattern analysis to build a family tree of the scams. It has found that most of the pitches are derived among a few hundred templates. "Scam DNA basically codifies this into an algorithm," Mr. Sergeant said, "where, hopefully, we can detect this going on and find new scams based on the old scams." But even if it works, the amount of spam it would eliminate from the overall deluge would be negligible by almost any measure, and Mr. Sergeant and his team will still be forced into encounters with "C i a l i s" and "st0x" and "Viiiiagra." The researchers are certain that the last, with multiple I's shoved together, is the handiwork of Leo Kuvayev. Mr. Kuvayev is No. 3 on the list of the world's most prolific and notorious spammers, maintained at Spamhaus.org, a London-based watchdog group. The listing is not undeserved. In Massachusetts last October, a Suffolk Superior Court judge, D. Lloyd MacDonald, levied $37 million in penalties on Mr. Kuvayev and six other people after deciding against them - in absentia - in a lawsuit brought by the state's attorney general, Tom Reilly. The suit contended that the defendants, who once worked out of Newton, Mass., and Boston, used "a complicated web of Internet sites and domain names selling a variety of illegal products," including counterfeit drugs, pirated software, pornography and phony designer watches. Spam watchers say they believe Mr. Kuvayev is now in Russia - still very much in business and employing a team of spam writers to continue poking holes in the world's filters. "They must be pretty good HTML gurus," Mr. Sergeant said, "who must really know their stuff." Mr. Sergeant said that just two men - Mr. Kuvayev and Alex Blood, a Ukrainian who is rated the No. 1 junk mailer by Spamhaus - hammer the world's e-mail systems with five million messages an hour. "You're talking about being responsible for something like 10 percent of all e-mail on the Internet," Mr. Sergeant said, "from just two guys." Two guys who, along with plenty of others, may keep antispam outfits like MessageLabs in business. "A lot of people would say, 'Why would you want to have these spammers prosecuted and why give information to the F.B.I., because surely you want there to be more spam?' " Mr. Sergeant said. "But with the volumes these guys are sending, it would actually help us more if there were less of it. "We're just not going to kid ourselves and say we believe that spam is ever going to go away," he added. "It's always going to be a prob- lem." Copyright 2006 The New York Times Company _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon May 22 2006 - 02:00:26 PDT