Published: 01 Jun 2008
Spam hasn't been "solved"; in fact, the scourge has grown worse as attackers continually trump counter-measures and refine their focus on high-value targets.
The war against spam has not come to a swift and just conclusion. Ever since Bill Gates' proclamation in 2004 that spam would be "solved" within two years, the problem has gotten worse, with no light at the end of the tunnel.
As with any conflict, it's instructive to understand how and why it started, how it is being fought and what we can expect.
Spam started primarily as a marketing vehicle. Sending email to harvested lists was the most cost-effective way to get a message out; a very small percentage of responses to these mass mailings was enough to turn a profit.
It wasn't long before spam was used to carry malicious payloads. Ranging from Melissa, I Love You and MyDoom to the most recent scourge, Storm, the email attack is here to stay. The reason is pretty obvious: the attack mechanism remains as profitable as ever.
Sophisticated spammers bring traditional direct marketing tactics to the table, innovating with new campaigns, tracking responses and refining the programs. The rise of PDF spam at the end of 2006 is a great example. PDF spam, designed to evade detection by email security tools, disappeared as quickly as it appeared because it didn't get the same response rates as other techniques.
So we've seen the bad guys return their focus to more traditional methods like plain text and HTML formatted messages, according to Mark Sunner, chief security analyst of email security service provider MessageLabs. They still continue to try new ways to more effectively monetize PDF spam, tuning the offers and subject lines to increase response.
It's a multibillion-dollar business and growing rapidly, so it's no surprise that organized crime is involved, investing heavily in networks that focus on stealing identities and monetizing those identities over time.
Thrust and parry
The first generation of spam defense was really about matching messages that we knew were bad--much like traditional antivirus detection is about matching attack signatures.
The battle escalated as the bad guys started to morph their messages by adding random strings and text that would thwart signature detection. Security researchers countered by developing Bayesian filters and other heuristic detection techniques to more effectively catch this frequently changing spam. Fast forward a year or two to 2003-04: All of these techniques were optimized into a spam "cocktail," which determined the relative weighting of these detection mechanisms to maximize effectiveness.
In 2005, reputation-based detection was born, as antispam vendors realized you could determine the likelihood of a sender's intent based on IP address. Known spammers were quickly blocked, and it became a lot harder to get a message into the inbox.
Now, the bad guys increasingly use bots to obscure their true identities and intentions. Since the bot is anonymous and tends not to have a "bad reputation," bots are very effective for a short period of time.
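As an added illustration (not code from the article or from any vendor it names), here is a toy version of the weighted spam "cocktail" described above: a signature match, a naive Bayes token score and an IP reputation lookup, each running on constructed data and combined with assumed weights. An unknown sender gets a neutral reputation, which is exactly why a fresh bot sending a slightly morphed message can land under the threshold.

```python
import hashlib
import math
import re

# Constructed sample data (not from any real product): per-token spam/ham counts
# from a pretend training corpus and per-IP reputation as an estimated
# probability that the sender is a spammer.
TOKEN_COUNTS = {          # token: (times seen in spam, times seen in ham)
    "pills": (45, 1), "cheap": (30, 5), "click": (40, 10),
    "meeting": (2, 40), "agenda": (1, 30), "quarterly": (1, 25),
}
IP_REPUTATION = {"203.0.113.5": 0.95, "198.51.100.7": 0.03}
WEIGHTS = {"signature": 0.5, "bayes": 0.3, "reputation": 0.2}  # assumed cocktail weights

def normalize(body: str) -> str:
    """Lower-case and keep only letters, so case, punctuation and whitespace changes
    alone do not defeat a match; appended random words still do, which is why the
    cocktail never relies on the signature check by itself."""
    return " ".join(re.sub(r"[^a-z ]", " ", body.lower()).split())

def fingerprint(body: str) -> str:
    return hashlib.sha256(normalize(body).encode()).hexdigest()

KNOWN_BAD = {fingerprint("cheap pills click here")}   # constructed known-bad message

def signature_score(body: str) -> float:
    """First-generation check: exact match against fingerprints of known-bad messages."""
    return 1.0 if fingerprint(body) in KNOWN_BAD else 0.0

def bayes_score(body: str) -> float:
    """Naive Bayes over the tokens we have statistics for, with add-one smoothing.
    Assumes equal-sized spam and ham corpora, so the prior log-odds is zero."""
    log_odds = 0.0
    for tok in set(normalize(body).split()):
        if tok in TOKEN_COUNTS:
            spam, ham = TOKEN_COUNTS[tok]
            log_odds += math.log((spam + 1) / (ham + 1))
    return 1.0 / (1.0 + math.exp(-log_odds))            # logistic: back to a probability

def reputation_score(sender_ip: str) -> float:
    """Unknown senders (e.g. a freshly recruited bot) get a neutral 0.5: no bad reputation yet."""
    return IP_REPUTATION.get(sender_ip, 0.5)

def cocktail_score(body: str, sender_ip: str) -> float:
    parts = {"signature": signature_score(body), "bayes": bayes_score(body),
             "reputation": reputation_score(sender_ip)}
    return sum(WEIGHTS[name] * parts[name] for name in WEIGHTS)

def is_spam(body: str, sender_ip: str, threshold: float = 0.6) -> bool:
    return cocktail_score(body, sender_ip) >= threshold
```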
News from the front
The current generation of attacks is focused on getting the victim to take action by clicking on a link to navigate to a malicious website, where the attackers can download Trojans, steal personal information and turn the machine into a zombie. This process is called "multi-stage monetization" (see "And the Bot Goes On," below), as an attacker builds a long-term relationship with the victim to turn the device into a profit-generating bot.
Why does this continue to work? Basically, despite all the news stories, commercials about identity theft and other warnings, there are still enough gullible users. It's why con artists continue to live off variations on the same tricks decade after decade.
They may use timely news topics--"See Britney Spears in the Nude" or "Bin Laden Reported Dead"--that they hope will generate a lot of clicks. Or, they'll send "holiday greetings" attacks in the form of electronic cards to lure you.
The spammers continue to innovate at an astonishing rate; today, the road to email hell tends to run through Google. Spammers' latest ploy is to have Google index their malicious Web sites, then send around links to Google searches--as opposed to direct links to the sites. That's more likely to fool even an educated user.
"If you click the link, which is a legitimate www.google.com link, the result is that you get forwarded by Google directly to the spammer's website," says MessageLabs' Sunner.
This is effective because no Web filters are going to block links directly to Google. To add insult to injury, the bad guys can also get advertising revenue through this attack vector.
Battling the bots
By aggregating data on billions of messages and tens of millions of senders, reputation services have emerged to gauge sender intent. The antispam companies can assess, with statistical significance, whether a particular IP address is likely to be sending spam or ham (legitimate messages). Additionally, law enforcement has gotten much more aggressive over the past three years in finding, catching and prosecuting high-volume spammers.
Thus it became important for the bad guys to more effectively mask their intent and stay hidden. This is what drove the interest in and growth of bots as an effective way to mask who they were and what they were doing. The nature of the bot communication makes it very difficult to track the identity of the bot master. The bot masters now have millions of compromised machines at their disposal to deliver spam or launch a denial-of-service attack.
But even bots will be detected and eliminated over time, so the bad guys have tried a different tack, directly attacking legitimate mail servers. If the credentials and passwords of a known good email server can be stolen or acquired via brute force, the spammer has free rein to blast messages until the reputation servers respond by giving that server a bad reputation score.
Spammers are also increasingly compromising free hosting companies and co-opting the built-in SMTP server running on the host to blast messages unfettered until the reputation score of the server is affected. Of course, there is significant collateral damage as the legitimate senders are blacklisted.
Turning the gateway inside out
Spam and other inbound attacks are certainly very high-profile. Turn off your spam filter for an hour or two and you'll realize that. But organizations may be losing a lot more valuable information on the outbound side. Whether it's insiders sending corporate secrets to competitors or their own webmail accounts, or a customer service rep inadvertently sending private data to customers, these are significant corporate and regulatory compliance issues.
Many of the same detection techniques, including content analysis, regular expressions, Bayesian filtering and link analysis, can be used to analyze outgoing email for signs of content leakage. Thus, one of the more popular new functions for email security gateways is to "turn it inside out" and start filtering the outbound mail.
Many large enterprises are investing significant sums in dedicated data leak prevention offerings, but in some cases, the capabilities built into an existing email or Web security gateway may be good enough to stop a large percentage of the information exposure.
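As an added example (not the article's code and not any product's rule set), here is a minimal outbound content filter of the kind described above: regular expressions for Social Security numbers, Luhn-validated card numbers and confidentiality markers, combined with a recipient-domain check so that the same content is blocked when it leaves for an external domain but only flagged for review when it stays internal. The patterns, domains and policy are constructed assumptions.

```python
import re

# Constructed outbound-mail policy (illustrative only).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
KEYWORD_RE = re.compile(r"\b(confidential|internal use only|do not distribute)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so 16-digit order or tracking numbers are not reported as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:            # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(body: str) -> list:
    """Content analysis: (kind, value) findings; card numbers are masked to the last four digits."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" + digits[-4:]))
    findings += [("keyword", m.group().lower()) for m in KEYWORD_RE.finditer(body)]
    return findings

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def check_outbound(sender: str, recipients: list, body: str) -> dict:
    """Policy: sensitive content to an external domain is blocked; to internal
    recipients it is only flagged for review; clean mail is allowed."""
    findings = find_sensitive(body)
    external = [r for r in recipients if domain(r) != domain(sender)]
    if findings and external:
        decision = "block"
    elif findings:
        decision = "flag"
    else:
        decision = "allow"
    return {"decision": decision, "findings": findings, "external": external}
```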
Assassins lurk ...
All of these techniques are predicated upon the nameless, faceless attacker and the mass of random victims. But special victims have a big target on their backs. Increasingly, spammers' preferred mechanism is a "one-to-one" marketing approach: going after high-profile, high-net-worth "whales" with highly customized and personal attacks known as "whaling." The personal information included in the messages and/or attachments makes them very difficult to detect as spam.
Sandra Vaughan, VP of marketing and products for Proofpoint, sees these attacks frequently: "For example, a realty/property management customer of ours received a 'government agency compliant'-type phish which listed a lot of detail about the target organization, including the addresses of properties that they no longer manage."
This problem is going to get worse because the bad guys are building replicable business processes to continue leveraging information.
"Some of the more sophisticated criminal organizations now have the power and data to build their own ChoicePoint-like databases of millions of victims for whom they have been able to obtain Social Security numbers, mail/email addresses, phone numbers and other personal information," says Dmitri Alperovitch, director of intelligence analysis for Secure Computing.
Opening new fronts
We will continue to see new attacks targeted at the increasingly soft underbelly of today's information systems, such as voice over IP, mobile devices, blogs and other social networks. Here is a brief overview of some of these emerging attacks:
- SMSing. In mid-2007, a new attack targeting the global base of SMS users was publicized. Since the user interaction of SMS is limited, the impact of this attack was minimal, but it's certainly the shape of things to come.
- Vishing. Secure Computing has detected an increasing number of attacks targeting voice-over-IP users. The attackers spoof caller ID information, making it very difficult to track the origin of a caller.
- Facebook attacks. We've also seen an increase in attacks on the leading social networks like Facebook, MySpace and a variety of blogging services. We've only started to scratch the surface on how these services will be exploited to further the agenda of the bad guys.
These attacks are nothing more than nuisances now, but at some point they will become more real, and these computing platforms are literally five years behind email in terms of being able to detect and block an attack.
To outsource or not to outsource?
As the antispam business has evolved, outsourcing to a specialized email security service provider is becoming an attractive alternative to deploying and managing an on-premises gateway. The decision to outsource is largely becoming a religious issue, as these managed services are providing top-notch detection and transparent scaling as spam volumes have skyrocketed over the past three years.
Google acquired Postini last year and is starting to drive down the price of these managed services to roughly a third of what it was at this time last year. As with every other technology market, prices tend not to go back up, so customers will enjoy an increasingly steep cost curve as prices continue to fall.
For customers needing a dedicated gateway due to either highly sensitive email traffic or the need for very granular and specific content filtering controls, Proofpoint offers a "virtual gateway" option as part of its Proofpoint On Demand service. Customers can purchase their own virtual gateway that runs in Proofpoint's cloud to give them the advantages of a managed service and the granularity that a dedicated gateway provides.
Most of the major antispam vendors provide a service-based alternative, so we could see the day when all but the largest, most specialized environments choose one of these managed service options over an on-premises gateway.
Of course, defenders are not standing idly by. As the attackers exploit new fronts with new techniques, security forces are moving swiftly to contest the breach:
- Defense spending. The top-tier antispam vendors invest a lot of money in research to penetrate spam networks, discover bot operators and analyze messages. As the bad guys continue to innovate, this level of investment becomes a cost of doing business--vendors that can't keep up will see their spam catch rate drop precipitously.
- Homing in. Vendors are supplementing reputation networks in the cloud with data gathered locally by specific customers, as well as cross-referencing with user feedback (the "report spam" button) to continue to track and flag servers that send spam. They are also combining email reputation data with other data sources, such as scanning attacks caught by firewalls and attacks detected by Web filters, to triangulate on the true intention of an IP address with increasing precision.
- Who goes there? A lot of researchers hold to the hope that getting legitimate senders to digitally sign their email and publish SPF records to prove their authenticity will help detect spam. In practice, the bad guys have been at least as effective at getting their authentication credentials in place, undermining the system.
- Sign in. Signatures of spam messages hearken back to the first generation of spam defense, but this technology is making a comeback as the vendors track hundreds, if not thousands, of message characteristics that are increasingly hard for the spammers to fool.
- Combined arms. Email-only solutions are becoming increasingly uncommon, as end users want to integrate multiple content security offerings into a combined gateway encompassing email, Web and other messaging applications. Integrated gateways combine reputation information across channels and allow a user to build a common policy to govern the use of content, regardless of the protocol used to send it.
- Better training. End users are the last line of defense; investing time to educate them will help eliminate a lot of the silly behavior spawning the worldwide epidemic of zombies. User education may be the only defense against whaling attacks that target senior executives with highly personalized solicitations.
The forever war?
Is there an end in sight? Not likely. As long as victims keep clicking on phishing message links, buying fraudulent products online and responding to solicitations, there will still be a significant return on investment for the bad guys, who will continue to send spam at an alarming rate.
"The format and way that messages are delivered will change," says Doug Bowers, senior director of anti-abuse engineering at Symantec, "but in one form or another, spam will continue to exist as long as there are enough people who respond to make it profitable."