The battleground in the ongoing fight against spam by organizations worldwide is shifting based on new tactics from spammers and hackers designed to defeat conventional anti-spam content filtering solutions. Despite the enactment of the CAN-SPAM Act by Congress in the U.S. and Britain’s Privacy and Electronic Communications regulations, the incidence of spam and malicious emails carrying viruses and worms continues to increase – and grow more sophisticated through techniques that make traditional or first-generation content filtering technology less effective.
Minimizing Content to Fool Spam Filters
While “hash busting” and Bayesian Poisoning techniques have become familiar to most anti-spam vendors, and countermeasures have been incorporated into their products, spammers are becoming even more covert in their tactics these days. Going beyond fooling the content filter with creative combinations, spammers are taking a more personalized as well as a minimalist approach to get past conventional anti-spam content filters.
The logic behind these spamming techniques is simple: take away or reduce the context of a message to a degree that confuses the content filtering method just enough to allow a message to get through. Because filters on servers in an enterprise must handle messages for hundreds or even thousands of users, it is difficult for the IT department to increase the sensitivity of filters to catch these techniques. That’s because increasing filter sensitivity also increases the risk of blocking substantial numbers of legitimate emails – known as false positives.
For example, more recent spam techniques use messages that are personalized and unique. These messages display very few typical spam identifiers in its content, making it much more difficult for conventional content-based spam filters to catch and block. Spammers are also putting less and less content in their messages so that conventional filtering software has less context in which to assess the validity of the message. This makes it much more difficult for these filters to accurately assess whether a message is spam or not.
The Connection Point Battleground
During the first half of 2004, spammers and hackers have also shifted their techniques away from message gimmicks to focus more on the SMTP connection point in their endless quest to overcome content filtering technology. This change in tactics by spammers does not bode well for organizations that must rely on content filtering technologies to protect their email systems. That’s because conventional content filtering cannot block any of these new attacks at the connection point. They must let a message into the system so they can examine its content – at which point the damage from these attacks has already occurred.
Harvesting Directories and Bringing Down Servers
A prime example of this new connection point threat is known as directory harvest attacks (DHAs). DHAs are designed to net spammers lists of valid email addresses to which they can send spam or sell to other spammers. It works like this. An open source or stand-alone Mail Transfer Agent (MTA) typically responds to email delivery attempt requests with a simple “yes” or “no”. If the response is “no”, the sending server gets an error message since the address is invalid and mail for that address cannot be delivered. If the sending server gets a “yes”, it knows the address is valid and a message can be delivered.
Spammers, list brokers or other unscrupulous culprits exploit this simple functionality to harvest legitimate email addresses from a corporate directory by sending thousands (or even hundreds of thousands) of messages to multiple addresses such as firstname.lastname@example.org, or email@example.com. Spammers track all of the addresses that do not bounce back or generate errors, and consider these valid addresses, which are then compiled into lists that are then sold or distributed to other spammers. In fact, it is not uncommon for new users of popular email systems like Yahoo or Hotmail to receive spam before they’ve ever used their new email address!
Directory harvest attacks also have a very damaging side effect: consuming enormous amounts of email server resources while email servers try to cope with DHA probes.
Lotus Notes and Exchange servers, for example, generally accept all messages for their domain by default. This only aggravates the negative impact of a directory harvest attack because the spammer assumes all the attempted addresses are valid, and thus will send more spam or sell the attempted addresses to others.
Unfortunately, directory harvest attacks are often launched simultaneously, from many different computers. The resulting spike in traffic from the directory harvest attack can easily knock an email server offline.
Anti-spam Solutions Must Go Beyond Content Filtering
Because of the harmful impact from DHAs on email system performance, directory harvest attacks must be treated as more than just an email inbox or end user annoyance issue. Directory harvest attacks cannot be stopped by conventional content filtering found in appliances or software since there is no “content”. Nor can spam messages that reduce or eliminate “content” in a message be reliably blocked with content filtering.
The detection of minimal content spam and DHAs needs to occur in real time, at the SMTP connection point, in order to prevent them from ever reaching the email gateway. Fortunately there are commercially available solutions today that can prevent email connection point attacks and block spam from shifting IP addresses. There is also technology that can dynamically recognize the legitimate IP addresses of organizations, for example, and perform a real time IP address assessment helping to minimize false positives. It’s important that you consider these newly evolving threats as you evaluate your existing anti-spam tools and plan your email security strategy for protecting the critical communications so vital to your firm.