Spam fighters losing ground

Conflict escalates, volume escalates, monitors see it all

Computer security analysts who fight spam face the same thankless task as goalkeepers: They don't get much credit for the unsolicited e-mail they stop, only demerits for the ones that get through.

But those few messages that wriggle past increasingly sophisticated filters constitute the greatest threats on the Internet.

The messages range from relatively harmless pitches for human growth hormones to ones with malicious code attached that could steal passwords or documents from a machine.

The sheer volume of spam still threatens to bring the Internet to a crisis point. Up to 90% of all e-mail traffic is spam, a figure that has crept upward in recent years. The forecast isn't good, either.

"We see spam just going up to the point where Internet servers start having difficulty," said Steven Linford, chief executive officer of Spamhaus, a London nonprofit organization that generates a list used by technology companies and organizations running e-mail servers to block spam.

"Spam will tend to increase to where it will be 99 percent of all e-mail on the Internet," he said. "At that point, governments will start to take notice."

The front line of defense for most computers connected to the Internet is antispam software that tries to determine whether a message is legitimate. Antispam software uses a number of methods to make that decision.

The software can block messages coming from a particular IP (Internet Protocol) address of a computer known to send spam. Messages containing links to potentially harmful Web sites can be halted using URL (uniform resource locator) filtering. Security vendors can tweak special "rules" for their antispam engines, such as blocking messages containing certain kinds of text identified as common to spam.

Antispam software usually aims to filter out 98% of bad messages. Any higher level of filtering tends to snag real messages and cut off critical business communication.

So spammers are aiming for the narrow, 2% window -- and even in the last few months have honed new methods to hit the in-box bull's eye, experts say.

Sophos PLC, one of many security vendors with antispam software, has analysts stationed at four labs -- in Abingdon, England; Vancouver, British Columbia; Boston; and Sydney -- watching the Internet 24 hours a day, seven days a week for threatening spam and malicious software.

Sophos' lab in Abingdon doesn't look much different from any other office. But it's mission control for security analysts with special rules: No computers or electronic equipment can be brought inside, and the room remains locked.

While Sophos catches hundreds of new malware and spam samples a day, many can be stopped immediately using software if the samples show similar characteristics to known problem code.

New, unique ones are prioritized and doled out to researchers for inspection, and Sophos quickly updates its software to block them.

"We're unusual in the respect that we like to receive spam," said Mark Harris, director of the lab.

That's because spam does leave a trail, albeit one that's often a confusing series of hops between servers around the world. But those clues are enough to block it.

Sophos catches spam in "traps" -- abandoned e-mail addresses and domains that have been donated for the purpose of spam research. Messages sent to those addresses are invariably spam, the first clue a message is garbage.

On a recent day, Paul Baccas, a spam research analyst, pulled duty. A message titled "Let's go" caught his attention after it landed in a spam trap of addresses monitored by Sophos that belonged to a telecommunications company that went bust six years ago.

Machine analysis ranked the message as likely being spam, but the filter let it through. Human analysis revealed it wasn't a legitimate message. Deeper investigation showed a tangle of false information peppered with international locales.

The message contained a link to a Web site selling "human growth hormone," a product advertised recently through spam aimed at U.S. users, Baccas said.

The Web site was registered with a hosting company in Hong Kong less than an hour before the spam message was received by Sophos, Baccas said. It was registered by a person in Detroit according to the whois data.

It's uncertain whether the registered name is real, according to Graham Cluley, chief technology consultant for Sophos.

The state abbreviation in the whois database, however, was incorrect. A call to the phone number listed found it disconnected. Adding to the ruse, the return address for the spam message contained a ".pl" suffix, indicating it came from Poland. But that information is also easily faked.

"Basically, he's sent an e-mail to a company that hasn't existed in six years within 45 minutes of him registering the Web site," Baccas said. "That's very suspicious."

The approach is one in a rich bag of tricks spammers employ to beat security software. Lately, analysts have noticed a sharp uptick in spam messages with images containing words, which can defeat text analysis.

Another method spammers use is adding or subtracting just a few pixels in every image, which to a computer makes the message look unique and good. To defeat optical character recognition (OCR) technology -- which can read words embedded in images -- spammers introduce colored pixels to create image noise.

Humans, for example, can make out a letter "C," but a machine begins to struggle if the technique is used, said Simon Heron, director of operations for security vendor Network Box Corp. It's the spammer equivalent of using hairspray on a license plate to confuse a speed camera, which also uses OCR, he said.

"Basically, they've got a little program which is actually able to generate a slightly different e-mail each time even though the picture to the human eye looks absolutely identical," Heron said.

But the spam fighters aren't giving up. In the next two weeks, Spamhaus is planning to roll out a new approach to halt the number of "zombie" machines sending spam.

Zombie machines are ones that are remotely controlled by hackers and used to send spam. These machines -- scattered around the world in shifting networks called "botnets" -- are a huge component of the spam problem.

Spamhaus' Policy Block List (PBL) will block large ranges of IP addresses of end-user computers that should be using their ISP's (Internet Service Provider's) servers to send mail, Linford said. Most computers on the Internet that are directly sending out e-mail are spammers, he said, although Spamhaus has a mechanism for incorporating exceptions.

The ISPs will submit lists to Spamhaus, which will push them out to those that use its list to block spam, including businesses such as Sophos and Microsoft Corp.

"It's an arms race with spammers," Linford said. "It [the PBL] will certainly be an extremely good weapon."

But he's not sure for how long. "Obviously, by this time next year, the spammers will have found a way around it," Linford said.

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon