Spam Blockers Losing Ground on Sophisticated Attackers
This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."
Of course, defenders are not standing idly by. As the attackers exploit new fronts with new techniques, security forces are moving swiftly to contest the breach:
- Defense spending. The top-tier antispam vendors invest a lot of money in research to penetrate spam networks, discover bot operators and analyze messages. As the bad guys continue to innovate, this level of investment becomes a cost of doing business; vendors that can't keep up will see their spam catch drop precipitously.
- Homing in. Vendors are supplementing reputation networks in the cloud with data gathered locally by specific customers, as well as cross-referencing with user feedback (the "report spam" button) to continue to track and flag servers that send spam. They are also combining email reputation data with other data sources, such as scanning attacks caught by firewalls and attacks detected by Web filters, to triangulate on the true intention of an IP address with increasing precision.
- Who goes there? A lot of researchers hold to the hope that getting legitimate senders to digitally sign their email and publish SPF records to prove their authenticity will help detect spam. In practice, the bad guys have been at least as effective at getting their authentication credentials in place, undermining the system.
- Sign in. Signatures of spam messages hearken back to the first generation of spam defense, but this technology is making a comeback as the vendors track hundreds, if not thousands of message characteristics that are increasingly hard for the spammers to fool.
- Combined arms. Email-only solutions are becoming increasingly uncommon, as end users want to integrate multiple content security offerings into a combined gateway encompassing email, Web and other messaging applications. Integrated gateways combine reputation information and also allow a user to build a common policy to govern the use of content, regardless of the protocol used to send it.
- Better training. End users are the last line of defense; investing time to educate them will help eliminate a lot of the silly behavior spawning the worldwide epidemic of zombies. User education may be the only defense against whaling attacks that target senior executives with highly personalized solicitations.
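The "Homing in" and "Who goes there?" items above make two points that are easier to see in code: an IP address flagged by several independent sensors (mail reputation, user "report spam" feedback, firewall, Web filter) is a far stronger signal than one flagged by a single sensor, and an SPF pass only proves that a sending IP is authorised by the domain it claims, which a spammer who owns the domain can arrange just as easily as a legitimate sender. The following is an added example written for this page, not code from the article or from any vendor it quotes. The DNS TXT table, the sensor events, the source-count thresholds and the verdict names are all constructed for the demonstration; the SPF evaluator handles only `ip4`, `ip6`, `include` and `all` (mechanisms that need live DNS are omitted).

```python
"""Toy mail-gateway decision: SPF authentication combined with IP reputation
triangulated from several independent sources (constructed example)."""
import ipaddress
from collections import defaultdict

# Result for each SPF qualifier, as in RFC 7208.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS TXT records standing in for live lookups (assumption: offline demo).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    # A spammer-controlled domain with a perfectly valid record for its own bots.
    "cheap-pharma.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def lookup_spf(domain):
    """Return the SPF terms for a domain, or None when no SPF record exists."""
    txt = DNS_TXT.get(domain)
    if txt is None or not txt.startswith("v=spf1"):
        return None
    return txt.split()[1:]


def check_spf(ip, domain, depth=0):
    """Evaluate SPF for a sending IP: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    terms = lookup_spf(domain)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # Version mismatch simply does not match (ipaddress handles that).
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            if check_spf(ip, term[8:], depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
        # a, mx, ptr, exists and redirect= are omitted: they need live DNS.
    return "neutral"                    # no mechanism matched


# Constructed sensor events: (source, ip, observation).
EVENTS = [
    ("mail-reputation", "203.0.113.7", "spam-trap hit"),
    ("user-feedback", "203.0.113.7", "report-spam button"),
    ("firewall", "203.0.113.7", "ssh scan"),
    ("web-filter", "203.0.113.7", "phishing landing page"),
    ("mail-reputation", "198.51.100.10", "spam-trap hit"),   # one isolated signal
]


def triangulate(events):
    """Map each IP to the set of independent sources that flagged it."""
    seen = defaultdict(set)
    for source, ip, _observation in events:
        seen[ip].add(source)
    return seen


def ip_reputation(ip, events=EVENTS):
    """Corroboration across sources, not volume from one source, drives the grade."""
    sources = triangulate(events).get(ip, set())
    if len(sources) >= 3:
        return "bad"
    if sources:
        return "suspect"
    return "unknown"


def gateway_verdict(ip, mail_from_domain, events=EVENTS):
    """Combine authentication with reputation; neither alone decides."""
    spf = check_spf(ip, mail_from_domain)
    rep = ip_reputation(ip, events)
    if spf == "fail":
        return "reject"          # the claimed domain explicitly disowns this sender
    if rep == "bad":
        return "quarantine"      # corroborated by several sensors, SPF pass or not
    if spf == "pass" and rep == "unknown":
        return "deliver"
    return "content-scan"        # softfail/neutral/none, or a single isolated signal
```

The instructive case is `gateway_verdict("203.0.113.7", "cheap-pharma.example")`: SPF passes because the spammer published a correct record for the bot's address, yet the message is quarantined because four independent sensors agree on the IP. Conversely, `198.51.100.10` sending for `example.com` passes SPF through the `include:` but carries one isolated spam-trap hit, so it goes to content scanning rather than straight delivery.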
THE FOREVER WAR?
Is there an end in sight? Not likely. As long as victims keep clicking on phishing message links, buying fraudulent products online and responding to solicitations, there will still be a significant return on investment for the bad guys, who will continue to send spam at an alarming rate.
"The format and way that messages are delivered will change," says Doug Bowers, senior director of anti-abuse engineering at Symantec, "but in one form or another, spam will continue to exist as long as there are enough people who respond to make it profitable."
This was first published in June 2008