Tumbleweed Uncovers Dark Traffic – The Hidden Email Threat

Redwood City, CA – March 22, 2005 – Tumbleweed Communications Corp. (NASDAQ:TMWD) today released the “Dark Traffic Report” for Q1, 2005, which examines email traffic composition from a network perspective. The Dark Traffic Report includes data on the prevalence of network-level threats to email infrastructures, the impact to organizations, and the current alternatives for solving the problem. Dark Traffic is made up of spam, Directory Harvest Attacks (DHA), email Denial of Service (DoS) attacks, malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages. The Dark Traffic Report defines and analyzes email security information gathered through a combination of research interviews with enterprise IT and email administrators, and taps of raw email network data aggregated from traffic monitors positioned in top enterprises throughout the US.

Within the general email network traffic volume, the percentage considered to be legitimate business communications has been steadily shrinking. Spam, phishing attacks, and email borne viruses have generally been identified as the culprits based on information gleaned from anti-spam and anti-virus solutions, which usually focus on filtering and analyzing email message content. “Dark Traffic” by contrast, is measured at the network and application level, and currently represents up to 70% of total inbound email packets. Because this kind of invalid SMTP traffic may appear legitimate to network firewalls and content-centric email security solutions, it is passed on to an organization’s corporate email servers for processing. The result – organizations are over-resourcing their email infrastructure by more than 50% to handle traffic that does not belong on their network.

In a survey of over 100 top enterprise IT and email administrators in the US, over 50% of organizations recognized that they had been hit by an email denial-of-service attack, over 40% recognized that they had been the victim of a directory harvest attack, and a significant percentage had email intercepted or their email servers hacked in the preceding 12 months.

Although just over half of all IT and email administrators are aware that they have suffered one or more specific network-level attacks which caused slowdowns or failures, many lack the tools to do much more than ride them out. The most common solution in a known attack is to manually block the source IP address, closely followed by “hope it goes away.” Better defenses are available at low cost, however. The introduction of a low-cost application-aware network-layer solution at the edge of the network could increase messaging performance, increase uptime, and reduce capital expenditures on email server and hygiene infrastructure which are due to volume limitations.

“When we first began to closely examine email traffic composition at the network level, we were caught off guard by the volumes of hidden traffic flowing into the enterprise under the radar,” said John Thielens, CTO of Tumbleweed Communications. “It was clear that incorporating a network-layer solution into a security infrastructure would be key for comprehensive threat prevention.”

For more information and analysis, please download a copy of the “Dark Traffic Report” for Q1, 2005 free of charge at
http://www.tumbleweed.com/pdfs/
TMWD_DarkTraffic_Email_Report-Q105.pdf

About Email Denial of Service Attacks
Email denial of service attacks (also called “DoS attacks,” “mail bombing” or “flooding”) attempt to overwhelm an email relay or server with a huge volume of messages, causing the server to drop connections or refuse legitimate email. Distributed DoS attacks (DDoS) are often launched from armies of zombie computers that have been infected with email viruses, worms, or spyware. These zombies can be controlled remotely by the hacker who sent them, and can be targeted to attack one or several specific victims. DoS attacks are generally malicious in nature, with the goal of disabling a targeted organization’s network. Note that in the Dark Traffic Report we are only focusing on DoS attacks in email – DoS attacks exist across many other Internet protocols outside of our purview here, including HTTP, IM, FTP, RPC, etc.

About Directory Harvest Attacks
The goal of a directory harvest attack (DHA) is to identify valid email addresses within a given domain. The traditional purpose has been to gather lists of valid email addresses for resale or for targeting future spam attacks. But with the rise of Active Directory and single sign-on technologies in the enterprise, the threat extends to network and information security. Network login credentials and email address are often configured to be the same. As a result, email application security is critical to prevent directory loss, which can deliver thousands of usernames to outsiders, allowing them to focus cracking efforts on the exact username list with the goal of breaching the network itself. This puts confidential operational and customer data at risk of compromise.

About Tumbleweed’s Message Protection Lab
Tumbleweed’s 24×7 Message Protection Lab (MPL) analyzes real time email traffic and historical trends to identify email threats, including spam, phishing, Dark Traffic, and other malicious email. The MPL is staffed by threat analysis experts who leverage sophisticated technologies to evaluate over 300 million messages per day and continually identify new spammer and hacker trends and tactics, and create new heuristics used by Tumbleweed’s Spam Analysis Engine to stop them. New email security heuristics are published via the Tumbleweed Anti-Spam Service 12-14 times per day. The MPL analyzes both legitimate and non-legitimate email gathered internationally and provided by enterprise customers, to ensure that the Tumbleweed Anti-Spam Service minimizes false positives in a business environment.

About Tumbleweed Communications Corp.
Tumbleweed provides security solutions for email protection, file transfers, and identity validation that allow organizations to safely conduct business over the Internet. Tumbleweed offers these solutions in three comprehensive product suites: MailGate, SecureTransport and Valicert Validation Authority. MailGate provides protection against spam, viruses and attacks, and enables policy-based message filtering, encryption and routing. SecureTransport enables business to safely exchange large files and transactions without proprietary software. Valicert Validation Authority is the world-leading solution for determining the validity of digital certificates. Tumbleweed’s enterprise and government customers include ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), St. Luke’s Episcopal Healthcare System, the US Food and Drug Administration, the US Department of Defense, and all four branches of the US Armed Forces. Tumbleweed was founded in 1993 and is headquartered in Redwood City, Calif. For additional information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000.

SAFE HARBOR STATEMENT
Tumbleweed cautions that forward-looking statements contained in this press release are based on plans and expectations as of the date of the press release, and that a number of factors could cause the actual results to differ materially from the guidance given at this time. These factors are described in the Safe Harbor statement below.

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to sales of products related to Dark Traffic, as well as trends identified in any Dark Traffic Report. In some cases, forward-looking statements can be identified by terminology such as “may,” “will,” “should,” “potential,” “continue,” “expects,” “anticipates,” “intends,” “plans,” “believes,” “estimates,” and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed’s Form 10-K filed March 16, 2005.

Tumbleweed assumes no obligation to update information contained in this press release, which represents the Company’s expectations only as of the date of this release and should not be viewed as a statement about the Company’s expectations after such date. Although this release may remain available on the Company’s website or elsewhere, its continued availability does not indicate that the Company is reaffirming or confirming any of the information contained herein.