[ISN] The new face of spam

From: InfoSec News (alerts@private)
Date: Wed Jan 24 2007 - 23:26:17 PST


By William Jackson
GCN Staff
01/22/07 issue

It's been almost four years since the passage of the Can-Spam Act, yet 
spam remains as big a problem as ever. Neither congressional mandate nor 
technological advances seem to have had much effect. Heuristics, 
traffic analysis, content analysis, blacklisting and other recent 
advances in filtering have siphoned off only the smallest portion of 
unwanted e-mail.

E-mail security firm MessageLabs Inc. of New York reported large spikes 
in late 2006, surges that brought the level of spam to 74 percent of all 
e-mail traffic in November. But that figure counted only the spam that 
penetrated perimeter defenses. The real figure was a staggering 89.4 
percent, according to the company.

Those figures jibe with what is being seen by the Justice Department's 
Computer Emergency Readiness Team, which shares responsibility for 
keeping unwanted messages out of inboxes. DOJCERT program manager Kevin 
Cox said as much as 80 percent of the traffic hitting the gateways is 
spam, and the department's filters stop 8 million to 10 million unwanted 
messages each month.

"If we didn't filter this, we wouldn't be able to get anything else 
done," Cox said.

"Spam filtering is getting better," Cox said. "We've made great strides 
in the past couple of years." But the battle still requires constant 
attention to counter the constant adaptations in what security 
professionals call a cat-and-mouse game. "Spammers are determined to 
see just how good you really are," said Penny Freeman, director of 
sales engineering for Marshal Inc. of Atlanta.

Follow the Money

The reason the battle continues unabated after so many years is money.

"For the spammers, there is a financial incentive," Cox said.

And profit is a powerful incentive.

Spam falls into two broad categories, both of which can produce a profit 
for the spammer. There are fraudulent messages that carry malicious 
payloads or direct users to a site where they can be cheated or 
infected, and there are more legitimate messages from those selling 
something. Whether the spammer is selling Rolex watch knock-offs, 
stealing your personal data or taking over your computer to send more 
spam, there is money to be made.

How much money is impossible to say, because this is an underground 
economy. But traditional wisdom is that because of the scale and 
cost-effectiveness of spamming, only a small percentage of success is 
needed to produce great returns.

One of the best measures of these returns is the volume of spam itself, 
said Doug Bowers, senior director of anti-abuse engineering for Symantec 
Corp. of Cupertino, Calif. "To the extent we are seeing spam volume 
increasing, that is an indication they are having some success."

Freeman said, as long as there are buyers, there are going to be 

The volume of spam fluctuates throughout the year, spiking at times as 
new tricks and delivery methods emerge. The significance of the spikes 
is open to debate. At Marshal, where a 40 percent increase was noted in 
late November, the spike was seen as tied to the Christmas shopping 

"That has happened every year for the 10 years I've been in the 
industry," Freeman said.

But the spikes seen at DOJ do not appear to be seasonal, Cox said. 
"What we see is pretty random."

Botnets to the Fore

One undeniable trend in spam over the past several years has been the 
growth of automated networks of compromised computers, or botnets, to 
distribute vast quantities of unwanted e-mail.

"We're seeing botnets continue to play an increasing role," said 
Symantec's Bowers. To build botnets, worms troll the Internet for 
vulnerable computers to infect.

Once infected, a computer typically contacts a control computer and 
downloads software that can be used by spammers. Unlike the worms of 
several years ago that spread quickly, generated high levels of network 
traffic and generally called attention to themselves, today's worms are 
quieter. If not exactly flying under the radar, they operate quietly 
enough to let a controller assemble networks of thousands of zombies, 
either for his own use or for sale to the highest bidder.

The cost of spam is not always apparent. In fact, the definition of spam 
is not clear-cut. What one person calls spam another might see as a 
legitimate offer. "Spam is in large part a problem of free speech," 
Freeman said.

"The ability to freely discuss whatever you want to discuss is the 
reason it will never be fully controlled," she said.

But that does not mean that every network or user must accept whatever 
someone else wants to send out. Acceptable-use policies for network 
resources require some level of control over what comes in as well as 
what goes out, and network operators have a legitimate interest in 
blocking spam.

Even spam that does not reach its destination takes its toll. Network 
resources are strained when a program spews out millions of messages to 
made-up addresses, assuming that some addresses will be valid within 
each domain. And servers get tied up rejecting these bad addresses even 
before the traffic hits the spam filters.

Much of the recent spike in spam traffic has been attributed to the 
activity of two pieces of Trojan code, SpamThru and Warezov or Stration.

Warezov comes as an e-mail attachment, sent out in batches of a few tens 
of thousands before it morphs enough to avoid new antivirus signatures, 
said Paul Wood, chief information security analyst at MessageLabs Ltd.

"It's very easy to do this," he said. "It's not huge volumes, compared 
to infections spread on a massive scale by worms a few years ago. But 
volumes are large enough to create large networks of computers that 
pull down software to execute spam runs."

According to the iDefense Labs at VeriSign Inc. of Mountain View, 
Calif., Warezov checks to see that its host computer is not already on a 
spam blacklist before beginning to send out spam.

Wood described SpamThru, which usually is unwittingly downloaded from a 
malicious Web site, as more sophisticated. Rather than having a central 
command and control computer for the infected network, SpamThru zombies 
use peer-to-peer networking, eliminating any single point of failure and 
making the botnet more resilient.

Blasting out spam at a rate of thousands or millions of messages an hour 
does little good if they do not get through. As security companies get 
better at identifying and blocking unwanted e-mails, spammers adapt by 
adopting new techniques to disguise their messages. One recent trend is 
image spam, which uses attached images rather than text to deliver a 
message, avoiding text scanners.

Marshal reported a rapid growth in the volume of image spam last fall, 
which accounted for nearly a third of all spam by late November. The 
newest trick is not just an image, but multiple images.

"What is interesting is the evolution we're seeing," said Bowers.

An image can be identified and filtered once it is known, so spammers 
began slicing images into pieces to make filtering more difficult. 
Sliced images are reassembled in the end user's viewer to display the 
message. When filters adapted to that trick, spammers went to slicing 
and dicing the images into more pieces, and some now are composing 
messages with a separate image for each letter, something like a ransom 

"It really does look like someone has cut letters from a newspaper," 
Bowers said. But the technique cuts both ways, Freeman said.

"The irony is that spammers are unwittingly making it easier for us to 
spot spam," she said. "Image spam is very distinctive. It has unusual 
properties that normal business e-mail does not have."

The defenders have one advantage over the spammers trying to sneak their 
unwanted messages through, Cox said.

"They have only a limited amount of things they can modify in a message 
once it has been identified as spam," he said. This makes it easier to 
spot spam even as it morphs.

Easier, maybe, but not necessarily easy.

Successfully blocking image spam depends on looking at every aspect of 
the message, Bowers said. That means not only scanning the content to 
identify patterns and checking the sender's IP address, but also looking 
for traffic patterns at the network and Internet levels.
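The "unusual properties" Freeman describes, and the content-side scoring Bowers recommends, can be turned into a simple heuristic check. The following is an added example written for this archive, not code from the article or from any of the vendors quoted in it. It uses only Python's standard `email` library, parses a MIME message, and scores the structural features of sliced or "ransom-note" image spam: many inline images, very small image pieces, HTML that lays the pieces out for reassembly, and little or no visible text. The two sample messages and all thresholds are constructed for illustration; a production filter would tune them against real traffic and combine the result with sender-reputation and network-level signals, which this example does not cover.

```python
"""Heuristic scorer for sliced ("ransom-note") image spam.

Added example for this archive; not from the GCN article or any vendor.
Thresholds and sample messages are constructed assumptions.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed thresholds (assumptions, not tuned values).
MANY_IMAGES = 4          # more inline images than a normal business mail carries
TINY_IMAGE_BYTES = 4096  # slices of one larger picture tend to be very small
LOW_TEXT_CHARS = 40      # almost no readable text accompanies the images
SPAM_SCORE_THRESHOLD = 3

_TAG_RE = re.compile(r"<[^>]+>")


def image_spam_features(raw: bytes) -> dict:
    """Walk every MIME part and collect the structural features we score on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    image_sizes = []
    text_chars = 0
    html_img_refs = 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            payload = part.get_payload(decode=True) or b""
            image_sizes.append(len(payload))
        elif part.get_content_type() == "text/plain":
            text_chars += len(part.get_content().strip())
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            html_img_refs += html.lower().count("<img")
            text_chars += len(_TAG_RE.sub("", html).strip())
    return {
        "image_count": len(image_sizes),
        "tiny_image_count": sum(1 for s in image_sizes if s < TINY_IMAGE_BYTES),
        "text_chars": text_chars,
        "html_img_refs": html_img_refs,
    }


def score_image_spam(f: dict) -> int:
    """Add a point per distinctive property; the combination, not any one, flags."""
    score = 0
    if f["image_count"] >= MANY_IMAGES:
        score += 2                      # a wall of images is itself unusual
    if f["tiny_image_count"] >= 2:
        score += 1                      # several tiny pieces: a sliced picture
    if f["image_count"] >= 1 and f["text_chars"] < LOW_TEXT_CHARS:
        score += 1                      # the message "says" nothing in text
    if f["image_count"] >= 2 and f["html_img_refs"] >= f["image_count"]:
        score += 1                      # HTML positions the pieces for reassembly
    return score


def is_image_spam(raw: bytes) -> bool:
    return score_image_spam(image_spam_features(raw)) >= SPAM_SCORE_THRESHOLD


def build_sample(n_images: int, image_bytes: int, text: str) -> bytes:
    """Construct a multipart/mixed message with inline images (test data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    imgs = "".join(f'<img src="cid:part{i}@sample">' for i in range(n_images))
    msg.add_alternative(f"<html><body>{text}{imgs}</body></html>", subtype="html")
    for i in range(n_images):
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * (image_bytes - 8)
        msg.add_attachment(fake_png, maintype="image", subtype="png",
                           cid=f"<part{i}@sample>", disposition="inline")
    return msg.as_bytes()


# Constructed samples: eight 600-byte slices with almost no text, versus a
# normal business mail with one logo and a real paragraph.
SPAM_SAMPLE = build_sample(8, 600, "see image")
BUSINESS_SAMPLE = build_sample(
    1, 20000,
    "Attached is the agenda for Thursday's budget review. Please send "
    "corrections to the finance team before noon on Wednesday.",
)

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("business", BUSINESS_SAMPLE)):
        f = image_spam_features(raw)
        print(name, f, "score", score_image_spam(f), "flag", is_image_spam(raw))
```

The scoring is deliberately additive rather than a single rule: as Cox notes, a spammer has only a few things to change once a message is identified, and each evasion of one feature (adding filler text, merging slices) tends to make another feature more pronounced.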

The Justice Department uses a layered defense against spam that includes 
the end user, Cox said.

"We work closely with the team that manages our mail gateway," he said.

Users who spot spam in their inboxes notify DOJCERT or the gateway team 
so that spam filters can be adjusted. Depending on end-users for 
fine-tuning the filters is not a perfect process, Cox said.

"Some will just delete the spam, and we're not going to get the full 
picture," he said. But enough of them report it to give a good sense of 
what is getting through and how to stop it.

As the team became more comfortable with the filters at the gateway, 
they have been applied in as many spots as possible, including mail 
servers and desktops. "There is time involved," Cox said of the job of 
stopping spam. "I don't think we'll ever get to a point where we won't 
have to monitor."

But spam filters have improved and have made a difference, he said.

"Before, our team had a much larger role in addressing spam," he said. 
"That staff time has lessened."

Copyright 1996-2007 Post-Newsweek Media, Inc. All Rights Reserved.

