Spammer trick of the month: Delayed DNS

Each month, I'll talk about a particular spammer trick; spammers employ a number of sneaky tricks to avoid spam filters, and they're always inventing new ones. This month on Security Levity... the delayed DNS hack.

Spammers and botnet developers are an ingenious bunch. If spam wasn't so obnoxious and criminal, it would be easy to be impressed by some of their imaginative technical solutions. I want to talk about a recent innovation that spammers have developed to thwart spam filters that use link inspection techniques.

First, some background. Link inspection filtering works by inspecting the links within a suspect email message: by fetching the content of the linked-to Web page, and/or by querying a centralized reputation service. These signals help a spam filter decide whether or not the message is spam.

What some spammers have been doing recently is to control where their links point to, changing the destination at a critical moment. They do this to thwart spam filters: the links deliberately point to a benign page during the time that filters are scanning the message, and are then switched to a spam site in time for the users to read the message.

Spammers do this by combining careful timing with manipulation of the DNS. First, they make sure they send the spam during the night (based on the time zones of the targeted recipients). During this window, they ensure the DNS hostname in the link resolves to a legitimate site, or perhaps to nowhere at all, so the spam filter never discovers a malicious link. Later, once the spam messages have been delivered, the spammers switch the DNS record to point at their spam site, timed so that the change lands before the recipients wake up and start reading their email. This confuses spam filters that use link inspection in a naïve way: resolving the link once, at delivery time, and trusting that answer for good. The arms race between spammers and spam filter technologists continues, as ever.
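To make the timing concrete, here is an added example (my own illustration, not code from the column or from Commtouch) that simulates the delayed-DNS trick against two link-inspection filters. DNS is stubbed with a hypothetical time-varying resolver so the script runs offline; the hostname `promo.example`, the addresses (taken from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24), the reputation list and the clock times are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hostnames are pulled from http(s) links in the message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed reputation data: addresses "known" to host spam landing pages.
# Both ranges are reserved for documentation, so nothing real is named.
SPAM_IPS = {"203.0.113.7"}
BENIGN_IP = "192.0.2.10"


@dataclass
class DnsAnswer:
    address: Optional[str]  # None models NXDOMAIN ("pointing nowhere at all")
    ttl: int                # seconds the answer may be cached


class SpammerDns:
    """Hypothetical authoritative server under the spammer's control.

    Before `switch_at` (seconds since midnight in the recipients' time zone)
    the hostname resolves to a benign address; afterwards it points at the
    spam site.  The short TTL keeps resolvers from caching the benign answer
    past the switch.
    """

    def __init__(self, switch_at: int, host: str = "promo.example"):
        self.switch_at = switch_at
        self.host = host

    def resolve(self, host: str, now: int) -> DnsAnswer:
        if host != self.host:
            return DnsAnswer(None, 3600)
        if now < self.switch_at:
            return DnsAnswer(BENIGN_IP, 60)
        return DnsAnswer("203.0.113.7", 60)


def extract_hosts(message: str) -> list[str]:
    return sorted({m.group(1).lower() for m in URL_RE.finditer(message)})


def naive_verdict(message: str, dns: SpammerDns, now: int) -> str:
    """Resolve once, at scan time, and trust the answer."""
    for host in extract_hosts(message):
        if dns.resolve(host, now).address in SPAM_IPS:
            return "spam"
    return "ham"


def scan_verdict(message: str, dns: SpammerDns, now: int,
                 max_trusted_ttl: int = 300) -> str:
    """Scan-time check that does not take a clean answer at face value.

    A link whose hostname does not resolve, or resolves with a TTL too short
    for the answer to still hold when the user reads the mail, is held as
    'suspicious' (quarantine and re-scan later) instead of passed as ham.
    """
    for host in extract_hosts(message):
        ans = dns.resolve(host, now)
        if ans.address in SPAM_IPS:
            return "spam"
        if ans.address is None or ans.ttl <= max_trusted_ttl:
            return "suspicious"
    return "ham"


def read_verdict(message: str, dns: SpammerDns, scan_time: int,
                 read_time: int) -> str:
    """Re-resolve at read (or click) time and compare with the scan-time
    answer.  A hostname that has moved onto a known-bad address is spam;
    one that merely moved is flagged for a closer look."""
    for host in extract_hosts(message):
        then = dns.resolve(host, scan_time).address
        now = dns.resolve(host, read_time).address
        if now in SPAM_IPS:
            return "spam"
        if then != now:
            return "suspicious"
    return "ham"


# Constructed scenario: mail scanned at 02:00, DNS flipped at 06:00,
# recipient reads at 08:00 (all in seconds since local midnight).
MESSAGE = "Your prize is waiting: http://promo.example/claim"  # constructed
DNS = SpammerDns(switch_at=6 * 3600)
SCAN_TIME, READ_TIME = 2 * 3600, 8 * 3600

if __name__ == "__main__":
    print("naive filter at scan time:", naive_verdict(MESSAGE, DNS, SCAN_TIME))
    print("naive filter at read time:", naive_verdict(MESSAGE, DNS, READ_TIME))
    print("TTL-aware scan verdict   :", scan_verdict(MESSAGE, DNS, SCAN_TIME))
    print("re-check at read time    :", read_verdict(MESSAGE, DNS, SCAN_TIME, READ_TIME))
```

The naive filter returns "ham" at 02:00 and would only say "spam" if it looked again at 08:00, which it never does. The two hardened checks show the practitioner's counter-moves: treat a non-resolving hostname or a very short TTL at scan time as a reason to hold the message rather than pass it, and re-resolve the link when the user actually reads or clicks it (the idea behind time-of-click URL rewriting). Be aware that short TTLs and address changes are also normal for legitimate CDN-hosted sites, so in production these are signals that raise a score, not verdicts on their own.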

This has been the first in a monthly series of posts about spammer tactics. If there's a particular tactic you'd like to see explained, please let me know.

I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!

When he's not dowsing the DNS, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.
