Spam Fight Escalates

Wily hucksters use clever ruses to bypass corporate defenses

Computer security analysts who fight spam face the same thankless task as goalkeepers: They don’t get much credit for the unsolicited e-mail they stop, only demerits for the ones that get through. But those few messages that wriggle past increasingly sophisticated filters constitute the greatest threats on the Internet. The sheer volume of spam threatens to bring the Internet to a crisis point. The amount of all e-mail traffic that is spam has recently risen to 85%, according to the Messaging Anti-Abuse Work Group in San Francisco.

Sophos spam analyst Paul Baccas looks at a queue of suspicious messages at the company's lab in Abingdon, England.

Sophos spam analyst Paul Baccas looks at a queue of suspicious messages at the company's lab in Abingdon, England.“We see spam just going up to the point where Internet servers start having difficulty,” says Steven Linford, CEO of The Spamhaus Project Ltd., a London-based nonprofit that generates a list of spam sources that organizations can use to block spam.

“Spam will tend to increase to where it will be 99% of all e-mail on the Internet,” he says. “At that point, governments will start to take notice.”

Antispam software usually aims to filter out 98% of bad messages — any higher level of filtering tends to snag real messages.

So spammers are aiming for the 2% window, and in the past few months, they have even honed new methods to hit the in-box bull’s-eye, experts say.

Sophos PLC, one of many vendors of antispam software, has analysts at its SophosLabs facilities in Abingdon, England; Vancouver, British Columbia; Boston; and Sydney, Australia, watching the Internet around the clock for threatening spam and malicious software.

The Sophos lab in Abingdon doesn’t look much different from any other office. But it’s mission control for security analysts with special rules: No computers or electronic equipment can be brought inside, and the room remains locked.

Sophos catches spam in “traps” — abandoned e-mail addresses and domains that have been donated for the purpose of research. Messages sent to those addresses are invariably spam. Sophos catches hundreds of new malware and spam samples each day; many can be stopped immediately if the samples show characteristics that are similar to known problem code.

New, unique spam messages are prioritized and doled out to researchers for inspection. Spam does leave a trail, albeit one that’s often a confusing series of hops between servers around the world. After following the trail, Sophos updates its software to block the spam source.

“We’re unusual in the respect that we like to receive spam,” said Mark Harris, global director of SophosLabs.

On a recent day, a message entitled “Let’s go” landed in a spam trap monitored by Sophos. The message contained a link to a Web site selling “human growth hormone,” a product advertised recently through spam aimed at U.S. users, says Paul Baccas, a spam research analyst.

A person in Detroit had registered the Web site with a hosting company in Hong Kong less than an hour before the spam message was received by Sophos, Baccas says. The registered name, obtained through Whois data, may not be real, says Graham Cluley, chief technology consultant at Sophos.

The state abbreviation in the Whois database was incorrect. A call to the phone number listed found it disconnected. Adding to the ruse, the return address for the spam message contained a “.pl” suffix, indicating that it came from Poland. But that data is also easily faked.

The approach is one in a bag of tricks spammers use to beat security software. Lately, analysts have noticed a sharp uptick in messages with images containing words, which can defeat text-analysis tools.

Another spam method is adding or subtracting a few pixels in every image, which to a computer makes the message look unique and good. To defeat optical character recognition (OCR) technology, which can read words embedded in images, spammers introduce colored pixels to create image noise.

“Basically, they’ve got a little program which is actually able to generate a slightly different e-mail each time, even though the picture to the human eye looks absolutely identical,” says Simon Heron, director of operations at security vendor Network Box Corp.

Spamhaus is also planning to roll out a tool called Policy Block List (PBL), which will block a large number of IP addresses of end-user computers that should be using their Internet providers’ servers to send mail, Linford says. Most computers that directly send out e-mail are spammers, he says.

“It’s an arms race with spammers,” says Linford. “Obviously, by this time next year, the spammers will have found a way around [the PBL].”

Kirk writes for the IDG News Service.


Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon