The war against spam has not come to a swift and just conclusion. Ever since Bill Gates' proclamation in 2004 that spam will be "solved" within two years, the problem has gotten worse, with no light at the end of the tunnel.
As with any conflict, it's instructive to understand how and why it started, how it is being fought and what we can expect.
Spam started primarily as a marketing vehicle. Sending email to harvested lists was the most cost-effective way to get a message out; a very small percentage of responses to these mass mailings was enough to turn a profit.
It wasn't long before spam was used to carry malicious payloads. From Melissa, I Love You and MyDoom to the most recent scourge, Storm, the email-borne attack is here to stay. The reason is pretty obvious: the attack mechanism remains as profitable as ever.
Sophisticated spammers bring traditional direct marketing tactics to the table, innovating with new campaigns, tracking responses and refining the programs. The rise of PDF spam at the end of 2006 is a great example. PDF spam, designed to evade detection by email security tools, disappeared as quickly as it appeared because it didn't get the same response rates as other techniques.
So we've seen the bad guys return their focus to more traditional methods like plain text and HTML formatted messages, according to Mark Sunner, chief security analyst of email security service provider MessageLabs. They still continue to try new ways to more effectively monetise PDF spam, tuning the offers and subject lines to increase response.
It's a multibillion-dollar business and growing rapidly, so it's no surprise that organised crime is involved, investing heavily in networks that focus on stealing identities and monetising those identities over time.
THRUST AND PARRY
The first generation of spam defense was really about matching messages that we knew were bad--much like traditional antivirus detection is about matching attack signatures.
The battle escalated as the bad guys started to morph their messages by adding random strings and text that would thwart signature detection. Security researchers countered by developing Bayesian filters and other heuristic detection techniques to more effectively catch this frequently changing spam. Fast forward a year or two to 2003-04: All of these techniques were optimised into a spam "cocktail," which determined the relative weighting of these detection mechanisms to maximise effectiveness.
In 2005, reputation-based detection was born, as antispam vendors realised you could determine the likelihood of a sender's intent based on IP address. Known spammers were quickly blocked, and it became a lot harder to get a message into the inbox.
Now, the bad guys increasingly use bots to obscure their true identities and intentions. Since the bot is anonymous and tends not to have a "bad reputation," bots are very effective for a short period of time.
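The "cocktail" described above, as an added example that is not from the article or any vendor's product: a Bayesian stage, a heuristic stage that looks for the random padding spammers add to defeat signatures, and an IP reputation stage, combined by fixed weights. The training corpus, reputation table and weights are constructed for illustration; note that an IP never seen before (a fresh bot) gets a neutral reputation and the content stages must carry the verdict.

```python
import math
import re
from collections import Counter

# Constructed toy corpus (not from the article) used to train the Bayesian stage.
SPAM_DOCS = ["buy cheap meds now", "cheap meds online now", "click here buy now"]
HAM_DOCS = ["meeting moved to monday", "please review the attached report",
            "lunch on monday"]
# Constructed IP reputation table: 1.0 = known spammer, 0.0 = known good sender.
IP_REPUTATION = {"198.51.100.7": 0.95, "192.0.2.10": 0.05}

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def train(docs):
    return Counter(t for d in docs for t in tokenize(d))

SPAM_TOKENS, HAM_TOKENS = train(SPAM_DOCS), train(HAM_DOCS)
VOCAB = set(SPAM_TOKENS) | set(HAM_TOKENS)

def bayes_score(text, alpha=1.0):
    """Naive Bayes P(spam | tokens) with Laplace smoothing and equal priors."""
    s_total, h_total = sum(SPAM_TOKENS.values()), sum(HAM_TOKENS.values())
    log_s = log_h = math.log(0.5)
    for t in tokenize(text):
        log_s += math.log((SPAM_TOKENS[t] + alpha) / (s_total + alpha * len(VOCAB)))
        log_h += math.log((HAM_TOKENS[t] + alpha) / (h_total + alpha * len(VOCAB)))
    return 1.0 / (1.0 + math.exp(log_h - log_s))

def junk_score(text):
    """Heuristic stage: share of tokens that look like random padding
    (unknown to the corpus and mixing letters with digits, or very long)."""
    tokens = tokenize(text)
    junk = [t for t in tokens if t not in VOCAB and
            (len(t) > 12 or (any(c.isdigit() for c in t) and any(c.isalpha() for c in t)))]
    return len(junk) / len(tokens) if tokens else 0.0

def reputation_score(ip):
    """Reputation stage; a sender never seen before (e.g. a fresh bot) is neutral."""
    return IP_REPUTATION.get(ip, 0.5)

WEIGHTS = {"bayes": 0.5, "junk": 0.2, "reputation": 0.3}  # constructed weighting

def classify(text, ip, threshold=0.6):
    """The 'cocktail': a weighted sum of the stage scores, thresholded into a verdict."""
    parts = {"bayes": bayes_score(text), "junk": junk_score(text),
             "reputation": reputation_score(ip)}
    score = sum(WEIGHTS[k] * v for k, v in parts.items())
    return round(score, 3), ("spam" if score >= threshold else "ham")
```

In a real deployment the weights are tuned against a labelled corpus rather than fixed by hand, and the reputation stage is fed by the aggregated data the article describes later.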
NEWS FROM THE FRONT
The current generation of attacks is focused on getting the victim to take action by clicking on a link to navigate to a malicious website, where the attackers can download Trojans, steal personal information and turn the machine into a zombie. This process is called "multi-stage monetisation", as an attacker builds a long-term relationship with the victim to turn the device into a profit-generating bot.
Why does this continue to work? Basically, despite all the news stories, commercials about identity theft and other warnings, there are still enough gullible users. It's why con artists continue to live off variations on the same tricks decade after decade.
They may use timely news topics--"See Britney Spears in the Nude" or "Bin Laden Reported Dead"--that they hope will generate a lot of clicks. Or, they'll send "holiday greetings" attacks in the form of electronic cards to lure you.
The spammers continue to innovate at an astonishing rate; today, the road to email hell tends to run through Google. Spammers' latest ploy is to have Google index their malicious Web sites, then send around links to Google searches--as opposed to direct links to the sites. That's more likely to fool even an educated user.
"If you click the link, which is a legitimate www.google.com link, the result is that you get forwarded by Google directly to the spammer's website," says MessageLabs' Sunner.
This is effective because no Web filters are going to block links directly to Google. To add insult to injury, the bad guys can also get advertising revenue through this attack vector.
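A gateway-side check for the ploy described above, as an added example that is not from the article or from any vendor: extract links from a message and flag those whose visible host is a search engine but which carry a forwarding target in their query string. The parameter names checked (Google's /url?q= redirector and a /search?q=...&btnI= "I'm Feeling Lucky" search, which forwards to the top result) and the sample message are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Search-engine hosts a Web filter would never block outright (constructed list).
SEARCH_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def hidden_target(url):
    """If `url` is a search-engine link that forwards elsewhere, return the carried
    target (a URL or a search term); otherwise None.
    Assumed parameters: /url?q=<target> for the redirector and
    /search?q=<term>&btnI=... for a search that auto-forwards to its top result."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host not in SEARCH_HOSTS:
        return None
    qs = parse_qs(p.query)
    target = (qs.get("q") or qs.get("url") or [""])[0]
    if p.path == "/url" and target.lower().startswith(("http://", "https://")):
        return target
    if p.path == "/search" and "btnI" in qs and target:
        return target
    return None

def analyse_links(message):
    """Return (visible_url, hidden_target, target_host) for every forwarding link."""
    findings = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        target = hidden_target(url)
        if target is None:
            continue
        t_host = (urlparse(target).hostname or "").lower() if "://" in target else ""
        findings.append((url, target, t_host))
    return findings

# Constructed sample message (not from the article).
SAMPLE = """Quarterly report: https://intranet.example.org/report
See details at http://www.google.com/url?q=http://landing.example.net/offer
Or search http://www.google.com/search?q=cheap+meds&btnI=1 today.
Background reading: http://www.google.com/search?q=spam+filtering"""
```

The point for the filter is that the URL's visible host is worthless as a reputation key here; the carried target (or, for a search, the term) is what the Web filter and the reputation lookup should be applied to.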
BATTLING THE BOTS
By aggregating data on billions of messages and tens of millions of senders, reputation services have emerged to gauge sender intent. The antispam companies can assess, with statistical significance, whether a particular IP address is likely to be sending spam or ham (legitimate messages). Additionally, law enforcement has gotten much more aggressive over the past three years in finding, catching and prosecuting high-volume spammers.
Thus it became important for the bad guys to more effectively mask their intent and stay hidden. This is what drove the interest in and growth of bots as an effective way to mask who they were and what they were doing. The nature of the bot communication makes it very difficult to track the identity of the bot master. The bot masters now have millions of compromised machines at their disposal to deliver spam or launch a denial-of-service attack.
But even bots will be detected and eliminated over time, so the bad guys have tried a different tack, directly attacking legitimate mail servers. If the credentials and passwords of a known good email server can be stolen or acquired via brute force, the spammer has free rein to blast messages until the reputation servers respond by giving that server a bad reputation score.
Spammers are also increasingly compromising free hosting companies and co-opting the built-in SMTP server running on the host to blast messages unfettered until the reputation score of the server is affected. Of course, there is significant collateral damage as the legitimate senders are blacklisted.
ASSASSINS LURK...
All of these techniques are predicated upon the nameless, faceless attacker and the mass of random victims. But special victims have a big target on their backs. Increasingly, spammers' preferred mechanism is a "one-to-one" marketing approach. Targeting specific victims with highly customised and personal attacks called "whaling," they are going after high-profile, high-net-worth whales. The personal information included in the messages and/or attachments is very difficult to detect as spam.
Sandra Vaughan, VP of marketing and products for Proofpoint, sees these attacks frequently: "For example, a realty/property management customer of ours received a 'government agency compliant'-type phish which listed a lot of detail about the target organisation, including the addresses of properties that they no longer manage."
This problem is going to get worse because the bad guys are building replicable business processes to continue leveraging information.
"Some of the more sophisticated criminal organisations now have the power and data to build their own ChoicePoint-like databases of millions of victims for whom they have been able to obtain Social Security numbers, mail/email addresses, phone numbers and other personal information," says Dmitri Alperovitch, director of intelligence analysis for Secure Computing.
OPENING NEW FRONTS
We will continue to see new attacks targeted at the increasingly soft underbelly of today's information systems, such as voice over IP, mobile devices, blogs and other social networks. Here is a brief overview of some of these emerging attacks:
- SMSing. In mid-2007, a new attack targeting the global base of SMS users was publicised. Because user interaction over SMS is limited, the impact of this attack was minimal, but it's certainly the shape of things to come.
- Vishing. Secure Computing has detected an increasing number of attacks targeting voice-over-IP users. The attackers spoof caller ID information, making it very difficult to track the origin of a caller.
- Facebook attacks. We've also seen an increase in attacks on the leading social networks like Facebook, MySpace and a variety of blogging services. We've only started to scratch the surface on how these services will be exploited to further the agenda of the bad guys.
These attacks are nothing more than nuisances now, but at some point they will become more real, and these computing platforms are literally five years behind email in terms of being able to detect and block an attack.
Of course, defenders are not standing idly by. As the attackers exploit new fronts with new techniques, security forces are moving swiftly to contest the breach:
- Defense spending. The top-tier antispam vendors invest a lot of money in research to penetrate spam networks, discover bot operators and analyse messages. As the bad guys continue to innovate, this level of investment becomes a cost of doing business--vendors that can't keep up will see their spam catch rate drop precipitously.
- Homing in. Vendors are supplementing reputation networks in the cloud with data gathered locally by specific customers, as well as cross-referencing with user feedback (the "report spam" button) to continue to track and flag servers that send spam. They are also combining email reputation data with other data sources, such as scanning attacks caught by firewalls and attacks detected by Web filters, to triangulate on the true intention of an IP address with increasing precision.
- Who goes there? A lot of researchers hold to the hope that getting legitimate senders to digitally sign their email and publish SPF records to prove their authenticity will help detect spam. In practice, the bad guys have been at least as effective at getting their authentication credentials in place, undermining the system.
- Sign in. Signatures of spam messages hearken back to the first generation of spam defense, but this technology is making a comeback as the vendors track hundreds, if not thousands, of message characteristics that are increasingly hard for the spammers to fool.
- Combined arms. Email-only solutions are becoming increasingly uncommon, as end users want to integrate multiple content security offerings into a combined gateway encompassing email, Web and other messaging applications. Integrated gateways combine reputation information and also allow a user to build a common policy to govern the use of content, regardless of the protocol used to send it.
- Better training. End users are the last line of defense; investing time to educate them will help eliminate a lot of the silly behavior spawning the worldwide epidemic of zombies. User education may be the only defense against whaling attacks that target senior executives with highly personalised solicitations.
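The "Who goes there?" point above, made concrete as an added example that is not from the article: an offline SPF evaluator and two constructed records, one for a legitimate domain and one for a spammer who has also published a correct record for his own sending hosts. The records, IP ranges and the treatment of DNS-dependent mechanisms (reported as needing a lookup rather than resolved) are assumptions for this illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"include", "a", "mx", "exists", "ptr"}  # cannot be evaluated offline

def evaluate_spf(record, sender_ip):
    """Evaluate an SPF TXT record for a connecting IP without any DNS lookups.
    ip4/ip6/all are checked directly; mechanisms that need DNS return 'needs_dns'
    so the caller can resolve them. Result names follow RFC 7208."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if "=" in term:  # modifier: redirect= needs DNS, exp= is informational
            if term.lower().startswith("redirect="):
                return "needs_dns"
            continue
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]  # strip a dual-CIDR suffix such as mx/24
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
        elif name in NEEDS_DNS:
            return "needs_dns"
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and no 'all' term was present

# Constructed records (not from the article): a legitimate domain, and a spammer's
# domain that has likewise published a valid record for its own sending hosts.
LEGIT_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
SPAMMER_SPF = "v=spf1 ip4:198.51.100.0/24 ~all"
```

A "pass" only proves that the sending IP is one the domain owner authorised; for the spammer's own domain that is trivially true, so the SPF result belongs in the reputation data as one more signal keyed on the domain, not as a spam verdict on its own.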
THE FOREVER WAR?
Is there an end in sight? Not likely. As long as victims keep clicking on phishing message links, buying fraudulent products online and responding to solicitations, there will still be a significant return on investment for the bad guys, who will continue to send spam at an alarming rate.
"The format and way that messages are delivered will change," says Doug Bowers, senior director of anti-abuse engineering at Symantec, "but in one form or another, spam will continue to exist as long as there are enough people who respond to make it profitable."
