[ISN] The Fight Against V1@gra (and Other Spam)

From: InfoSec News (isn@private)
Date: Mon May 22 2006 - 01:41:36 PDT


The New York Times
May 21, 2006

TO the antispam researchers at MessageLabs, an e-mail filtering
company, each new wave of a recent stock-pumping spam seemed like a
personal affront.

The spammers were trying to circumvent the world's junk-mail filters
by embedding their messages - whether peddling something called China
Digital Media for $1.71 a share, or a "Hot Pick!" company called
GroFeed for just 10 cents - into images.

In some ways, it was a desperate move. The images made the messages
much bulkier than simple text messages, so the spammers were using
more bandwidth to churn out fewer spams. But they also knew that, to
filters scanning for telltale spam words in the text of e-mail
messages, a picture of the words "Hot Stox!!" is significantly
different from the words themselves.

So the bulk e-mailers behind this campaign seemed to calculate that
they had a good chance of slipping their stock pitches past spam
defenses to land in the in-boxes of prospective customers.

It worked, but only briefly. Antispam developers at MessageLabs, one
of several companies that essentially reroute their clients' e-mail
traffic through proprietary spam-scrubbing servers before delivering
it, quickly developed a "checksum," or fingerprint, for the images,
and created a filter to block them.

Advances in spam-catching techniques mean that most computer users no
longer face the paralyzing crush of junk messages that began
threatening the very utility of e-mail communications just a few years

But spammers have hardly given up, and as they improve and adapt their
techniques, network managers must still face down the pill-pushers,
get-rich-quick artists and others who use billions of unwanted e-mail
messages to troll for income. "For the end user, spam isn't that much
of a problem anymore," said Matt Sergeant, MessageLabs' senior
antispam technologist. "But for the network, and for people like us,
it definitely is."

Shortly after MessageLabs created a filter to catch the stock spams,
the images they contained changed again.

They were now arriving with what looked to the naked eye like a gray
border. Zooming in, however, the MessageLabs team discovered that the
border was made up of thousands of randomly ordered dots. Indeed,
every message in that particular spam campaign was generated with a
new image of the border - each with its own random array of dots.

"That was kind of cool and kind of funny," said Mr. Sergeant, a
soft-spoken British transplant who spends his days helping to douse
spam fires from his home office outside Toronto.

During a recent meeting at the company's New York office, in Midtown
Manhattan, Mr. Sergeant and a colleague, Nick Johnson, an antispam
developer visiting from MessageLabs' headquarters in Gloucester,
England, expressed both amusement and respect over the sheer
creativity of the world's most prolific spammers, who continue to dump
hundreds of millions of junk messages into the e-mail stream each day.

"It was almost like they knew what we were doing," Mr. Sergeant said.

SEVERAL surveys - from AOL, the Pew Internet and American Life Project
and others - have indicated that the amount of spam reaching consumer
inboxes has at least stabilized.

That is true for users whose networks are protected by off-site,
third-party filtering services like MessageLabs', as well as those
protected by network software or in-house equipment that filters
messages before they hit a company's e-mail server.

If individual users also have personal spam filters installed on their
computers, their in-box spam count can be reduced to a trickle.

But spam continues to account for roughly 70 percent of all e-mail
messages on the Internet, despite tough antispam laws across the globe
(including the Can-Spam Act in the United States), despite vigorous
lawsuits against individual junk-mail senders and despite the famous
prediction, by Bill Gates at the World Economic Forum in 2004, that
spam would be eradicated by 2006.

The continuing defiance of spammers was demonstrated last week when
one of them forced Blue Security, an antispam company based in Israel,
to shut down its services. The company gave customers the power to
enact mob justice on spammers by overloading them with requests to be
removed from mailing lists. A spammer in Russia retaliated by knocking
out Blue Security's Web site and threatening virus attacks against its
customers. Blue Security said it would back off rather than be
responsible for a "cyberwar."

While there are some indications that the growth rate of spam has
plateaued or even slowed, experts say that spikes are always looming.  
That is partly because spammers can hide themselves or their
operations in countries where law enforcement is lax, from Russia and
Eastern Europe to China and Nigeria. Because some spammers can churn
out 200 million or more messages a day, and because less than 1
percent of those need to bring responses from na´ve, click-happy users
to turn handsome profits, there is little incentive to stop.

"That's really just the daily battle," said Mr. Sergeant, who
routinely shares intelligence on individual spammers with other
antispam organizations and with the F.B.I. and other law enforcement
agencies. "That 1 percent is the wall, really - it's the spammers
creating something new that we just haven't seen before. And for us
it's a matter of how quickly we can deal with it."

There is plenty to deal with. Most spam is still just, well, spam:  
low-rent pitches for stocks and penis-enlargement pills. But there are
also the more immediate menaces, including attempts to trick consumers
into giving up bank and credit card information - or the use of spam
to deliver viruses and other malicious software.

 From an industry perspective, antivirus and antispam scanning are
virtually inseparable, and MessageLabs is among many companies
jockeying to position themselves as full-service contractors, offering
to filter, scan, scrub and archive both incoming and outgoing mail.

It's a lucrative strategy.

IDC, the research firm, estimates that the global market for
"messaging security" will grow to $2.6 billion by 2009, from $675
million in 2004. The category consists mostly of antispam services,
but also covers outbound filtering - something that employers now
demand and all vendors include, according to Brian Burke, an IDC

IDC estimates that the larger market for "secure content management,"  
which folds in virus protection, Web filtering and spyware protection,
will grow to $11.4 billion by 2009 from $4.8 billion in 2004.

In 2005, about 60 percent of businesses were using software to combat
spam, with the rest split between using managed services and antispam
hardware, according to Osterman Research, which conducts market
analysis on the messaging industry. But the percentage of businesses
moving to managed services is expected to double, to almost 40
percent, during the next two years.

In that context, it may not be surprising that Microsoft recently
acquired FrontBridge, the third-largest provider of managed e-mail
services. MessageLabs and Postini, based in San Carlos, Calif., have
long been the leaders in the category.

While much growth in this field will be driven by the threat of
viruses and other bugs attached to messages, the wave of simple but
inventive marketing spam remains a big concern - and, in many ways, is
the harder thing to catch. Consider the stock spam using random dots
in the borders.

"We actually developed some technology to detect borders in images and
figure out the entropy - that is, to figure out if the border was
random," Mr. Sergeant said. "So that was fine." Of course, shortly
afterward, "they decided to stop using the borders," he added.

>From there, the senders began placing a small number of barely
perceptible and, again, randomly placed dots - a pink one here, a blue
one there, a green one near the bottom - throughout the images. Then
they shifted to multiple images, with words spelled partially in plain
text and partially as images, so that the content, when viewed on a
common e-mail reader like Outlook or AOL, would look like an ordinary

"There are loads of different kinds of obfuscation," Mr. Johnson said.  
"They've realized that people are looking for V1agra spelled with a
'1' and st0ck with a 'zero' and that sort of thing, so they might try
some sort of meaning obfuscation, like just referring to a watch as a
'wrist accessory' or something like that. So they say something like,
'Drape your wrist with this elegant accessory.'

"Any way not to say 'Rolex,' " he added, "so it's quite cryptic."

Sitting in a windowless conference room, Mr. Sergeant alternated his
gaze between the conversation at hand and the streams of filtered
e-mail subject lines slithering down his laptop screen.

The lines were feedback from the company's "radar" system, which
allows team members to test a new "rule" or "signature" that they have
devised on a slice of the incoming torrent of spam. If the rule is too
broad and general, legitimate e-mail messages - dreaded "false
positives" in the parlance of spam assassins - will begin showing up
on the radar.

Mr. Johnson plugs into the radar himself and highlights a common
obfuscation technique he calls "gappy text": words with spaces between
the letters, to fool filters designed to look only for whole words.  
The example was in a message advertising a work-at-home opportunity
out of "T u l s a , O k l a h o m a ."

"That's something that we might consider signaturing, that whole line
there, with the spaces," he said, "because it's not very common
behavior for someone to want to write like that."

Mr. Johnson began reading from a customer testimonial included in the
same message: "I was skeptical at first. I made money. I couldn't
believe it!"

Mr. Sergeant erupted in laughter.

"It's a classic joke in our office," Mr. Johnson said. "If it's
advertised in spam, it must be true."

MR. JOHNSON described another trick that a spammer had recently
deployed so that messages peddling Viagra would move into recipients'

By default, most modern e-mail software can display messages that are
written with the same text formatting code used to create Web pages -
known as hypertext markup language, or HTML. Like viewers of Web
pages, e-mail users never actually see the underlying code, or "tags"  
used to make some words appear, say, bold or italicized. But spam
filters scan this code, too, looking for "spammy behavior," as Mr.  
Johnson put it.

In this instance, a clever spam writer slipped a Viagra message past
many filters by spelling the word with several I's, then using HTML
code to shove all of the I's together. "Whenever you view this in your
e-mail program," Mr. Johnson said, "the letter spacing is set to
minus-3 pixels, so it will show all these I's on top of each other,
and it will look like one I.

"That was quite an impressive one, actually," he said.

And vexing, Mr. Sergeant added. Without a special rule created by the
team, it would have been virtually impossible for a machine to examine
the source code of a message and determine that this was the word

"The word appears on screen as it should," Mr. Sergeant said. "But if
you actually are examining the HTML, you just couldn't pull out a word
from it. So while a computer can't figure out what the words are in
the e-mail, the human eyes can."

A company like MessageLabs tries to avoid examining messages at this
level. Instead, it prefers to stop much of the junk at the door, using
what is called I.P. blocking. This prevents the receipt of messages
from a particular Internet protocol address already identified as a
spamming source.

This technique is sometimes frowned upon by Internet purists, because
it can punish innocent users by blacklisting a whole range of
addresses from a single host. But Mr. Sergeant said that I.P. blocking
had become more refined since the early days of spam fighting. "It's
very, very important to us," he said. "It's our first line of defense,

Still, spammers can often get around this by turning to zombie bots.  
These are vast networks of personal computers that have been
surreptitiously infected with malicious software, permitting a spammer
to use their computing power, without the owners' knowledge, to spew
or relay spam, viruses, keyloggers, phony "update your bank account"  
messages and other dark payloads.

Zombies now deliver half to three-quarters of all spam, according to a
Federal Trade Commission report to Congress in December on the state
of the spam problem. Among the zombies' many advantages is an
ever-shifting collection of I.P. addresses.

Another trump card was handed to spammers just over a year and a half
ago, when VeriSign, the security and services company that controls
the dot-com and dot-net network domains, unveiled a quicker way to
update domain names.

Although a boon to people setting up their own sites, the new system
decreased the time needed for a newly registered domain name to be
activated, to 5 minutes from about 12 hours. That put spammers, armed
with stolen credit cards and a willingness to buy and quickly abandon
domain names, at a new advantage.

VeriSign updates its domain information every 12 hours. "But a spammer
can register a new domain and have it live within 5 minutes," Mr.  
Sergeant said. "So he's got a big window where nobody has any
information about his domain. They make use of that window."

MESSAGELABS' filtering database tries to discover new zombie bots by
studying the behavior of e-mail messages from new addresses. Normally,
for instance, a machine looking to deliver a message to another
machine essentially says "hello" by passing an identifying string of
code. Most legitimate mail servers will say "hello" with the same
string over and over, for every message.

"When a machine communicates with us in two, three, four different
ways within a small time frame," Mr. Sergeant said, "that makes the
sending machine look kind of weird." That behavior can indicate "it's
not a real machine, it's just one of these drone armies."

Some low-end spamming software, too, may leave characteristic
fingerprints - for instance, the telltale way in which it forges the
header information - that spam fighters gradually add to their
cumulative antispam wisdom.

For all the algorithmic derring-do, however, sooner or later the game
turns not on I.P. addresses or software fingerprints, but on the
content of the message. It's the approach that MessageLabs researchers
like least, but one that spammers constantly force on them.

Nigerian e-mail scams are a particular nuisance in this regard.  
Familiar to any e-mail user, these are the ones seeking an advance
payment from the recipient to help rescue a deposed prince or to
collect a percentage on some elaborately portrayed fortune. They are
difficult to weed out because the senders often use Web-based e-mail
services like Yahoo or Gmail, so I.P. blocking is impractical.

The language used in the e-mail messages, too, is often common enough
that no particular string lends itself to safe rule-making; the risk
of filtering out legitimate communications would be high.

MessageLabs has spent a year compiling a database, "Scam DNA," of
15,000 Nigerian scam messages, and used pattern analysis to build a
family tree of the scams. It has found that most of the pitches are
derived among a few hundred templates.

"Scam DNA basically codifies this into an algorithm," Mr. Sergeant
said, "where, hopefully, we can detect this going on and find new
scams based on the old scams."

But even if it works, the amount of spam it would eliminate from the
overall deluge would be negligible by almost any measure, and Mr.  
Sergeant and his team will still be forced into encounters with "C i a
l i s" and "st0x" and "Viiiiagra." The researchers are certain that
the last, with multiple I's shoved together, is the handiwork of Leo

Mr. Kuvayev is No. 3 on the list of the world's most prolific and
notorious spammers, maintained at Spamhaus.org, a London-based
watchdog group. The listing is not undeserved.

In Massachusetts last October, a Suffolk Superior Court judge, D.  
Lloyd MacDonald, levied $37 million in penalties on Mr. Kuvayev and
six other people after deciding against them - in absentia - in a
lawsuit brought by the state's attorney general, Tom Reilly.

The suit contended that the defendants, who once worked out of Newton,
Mass., and Boston, used "a complicated web of Internet sites and
domain names selling a variety of illegal products," including
counterfeit drugs, pirated software, pornography and phony designer

Spam watchers say they believe Mr. Kuvayev is now in Russia - still
very much in business and employing a team of spam writers to continue
poking holes in the world's filters.

"They must be pretty good HTML gurus," Mr. Sergeant said, "who must
really know their stuff."

Mr. Sergeant said that just two men - Mr. Kuvayev and Alex Blood, a
Ukrainian who is rated the No. 1 junk mailer by Spamhaus - hammer the
world's e-mail systems with five million messages an hour. "You're
talking about being responsible for something like 10 percent of all
e-mail on the Internet," Mr. Sergeant said, "from just two guys."

Two guys who, along with plenty of others, may keep antispam outfits
like MessageLabs in business.

"A lot of people would say, 'Why would you want to have these spammers
prosecuted and why give information to the F.B.I., because surely you
want there to be more spam?' " Mr. Sergeant said. "But with the
volumes these guys are sending, it would actually help us more if
there were less of it.

"We're just not going to kid ourselves and say we believe that spam is
ever going to go away," he added. "It's always going to be a prob-

Copyright 2006 The New York Times Company

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Mon May 22 2006 - 02:00:26 PDT