Dmitri Alperovitch talks about reputation-based spam protection


Image based spam appeared on the scene about two years ago. That's when spammers realized that instead of sending a text based promotion message they can encode it as an image and send you that image as an attachment. They noticed that the effectiveness from the standpoint of the user still clicking and reacting to that spam hasn't really degraded. A lot of the filters that are out there trying to analyze that message content have failed miserably in trying to understand what that image is, and whether it represents malicious content or not. So on the reputation system front that really hasn't impacted us much because we're not worried about text, we're not worried about particular formats, we're really looking at various parameters of the message as a whole and applying the reputation to the patterns that are within that message. So whether it's image based spam or video based spam or audio based spam we don't really care. Now if you are a text based analysis filter that's running on the local gateway then you probably have seen your effectiveness go down dramatically because of this technique.

What's the most dangerous type of spam attack?

The most dangerous ones are the scams that are trying to steal your identity or steal your financial records. Nowadays we see the phishing attacks a lot that pretend to come from your bank but in reality are just trying to steal your credentials so that they can empty your bank account. Spam that sends out links to malware, so that they can compromise a system and steal all of the passwords located on your machine, is now very popular. These are the most dangerous. But really all the spam that's out there is creating a huge headache for a lot of organizations because over 90% of email now is spam, so they're able to saturate this very important and critical channel for communication, with all this junk. And unless you have good filters in place, a lot of it goes through and causes you to lose productivity as you're trying to delete the stuff, and that's in the best case scenario when you're not clicking on the links and getting compromised. And in the course of going through that mailbox and trying to find the 10 legitimate messages in 100 that you would see, you would misplace the legitimate message that may be out there that might be drowned out by all this junk.

Who are the biggest perpetrators? Is spam a big business, or is it just small timers trying to make a quick buck?

It varies, but it is believed that most spam is sent by about 200 top spammers. And they're present all over the world. Some of these individuals are located in the United States, and they've been prosecuted successfully, and some of them have even been forced to close up shop. A lot of the spammers are now operating out of Eastern Europe where the law enforcement has not yet been able to reach them. One of the other things that has changed is that it is now an affiliate-based business. For example, there are affiliate networks for drugs where they provide you with order forms and an order processing system, and all they ask is that you send these emails on their behalf and draw customers in, and then they give you a percentage of the sales. So it is very easy for you now to set up your own business as a spammer with one of these affiliates. And all you have to do is compromise a couple thousand machines, deploy your own spam sending software, and you're in business. So the barriers to entry have been lowered dramatically.

I would think there would be easier ways to sell Viagra. Why do they keep doing it?

People do react and people do buy the stuff. One thing to keep in mind is that they're not actually selling Viagra. There have been a number of investigations to actually find out what you get, and typically what you get is a package from a factory in India, and when you do the analysis of the composition of that drug you find that it's nothing like Viagra. God knows what components they've actually used to produce that blue pill. So it's incredibly dangerous to buy that sort of stuff and consume it. Most of these things are completely fraudulent, so they're not just violating laws in terms of sending unsolicited mail, they are actually violating quite a few other laws as well as far as the delivery of the product goes.

We have these botnets with huge networks of zombie computers, how does a reputation system work within those?

I think that's where it really shines and can really provide the best protection because the way these botnets work is that a machine gets compromised and instantly used for malicious purposes, whether it's for sending spam or hosting malicious websites. They use it for a few hours literally, until these blacklists out there react and people report that there is abuse associated with that machine and they get shut down. Or they simply turn it off because it becomes less effective to use it. But really in those first few hours of attack, reputation systems are the only ones that can protect you and block that content that is originating from that machine quickly enough because they are able to react in real time.

What happens for example, if my computer gets hijacked into a botnet, and it gets used to send out spam? But I'm not a spammer, I'm a victim. Does the reputation system label me a spammer?

It depends. If you are a legitimate organization that is actually sending out email from that machine, it's a legitimate mail server. The reputation system would be able to see that legitimate content and would not automatically lower your reputation down to the level of spammer. It will raise it enough to make sure that all the email from this point forward gets scrutinized, but it will not block it outright. The blacklist may very well do that because they have no view into that legitimate mail. Now if on the other hand, you're not sending any email from that machine, and are relaying email through your ISP for example as is the common case, then your reputation will get adjusted to the spammer level and all the email traffic will get blocked from that machine.

What are the spammers doing to try to get around the reputation system?

They really haven't been able to figure out how to do that. Their answer has been to try to get more machines, to try to send more mail through the ISP networks that are out there. They are trying to relay more mail through Gmail and Hotmail, which can be blocked by the reputation system on the IP level because of course these systems send a lot of legitimate mail as well. But really the content based reputation that we apply, the reputation of the links that are within that spam message, really provides a great level of effectiveness even if the IP address that they're sending from is neutral.

Are there any privacy concerns?

Not really, because we're selling the reputation service as part of our overall solution to the customer, so they don't have to buy it. By virtue of selecting us they allow us to do this. And also we're not reading their email. We're not looking at the content, we're only looking at this metadata about the email, about where it's coming from and where it's originating and how it is being sent, and there are no privacy concerns associated with that level of data.

What about remediation, if a site gets incorrectly labeled? Is there a process to get back on the good side of the reputation system?

Absolutely. We provide a variety of methods for customers to report false positives to us through automated means. We deliver for example, a desktop client, a toolbar that integrates directly into your Outlook or other email client, and with the click of a button, you can report to us either a spam that got through or a message that got misclassified. We also have a web site called which is kind of unique in the industry, because it provides a free view into the reputation system, extending its reach beyond just our customer base so anyone can go onto that web site and put in an IP address or a URL and view the current and past history and reputation that we've assigned to that particular entity. No one else in the industry does that. And right then and there from that website, you can also send us an email to request a change in reputation if you think we've got it wrong.

What are some of the shortcomings and potential limitations of reputation security?

Just like any method, it is not foolproof so it's not going to block all of the spam for you. Usually they are about 90 percent effective on their own, so they can reduce the amount of junk that your server has to process. You really want to apply, as with any security solution, the defense-in-depth approach, so you want to layer your security and apply various technologies in order to get the maximum degree of effectiveness. So the reputation system can block about 90 percent of the inbound spam and for the other 10 percent, you want to apply some of the local analysis technology that can get you to that 99.8 or 99.9 percent effectiveness.
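The following is an added, self-contained illustration of the behaviour described in the answers above; it is not the vendor's code and does not reproduce any real reputation service. It models three points from the interview: a sending IP's reputation derived from the mix of legitimate and abusive mail recently seen from it (so a hijacked corporate mail server with a long clean history is scrutinized rather than blocked outright, while a zombie that has never sent anything legitimate is blocked), reputation applied to the link domains inside a message even when the sending IP is neutral, and a local content filter as the second layer for whatever the reputation layer lets through. The decay factor, thresholds, keyword markers, addresses and traffic history are all constructed for the example.

```python
"""Toy reputation-based spam filter (added example, not vendor code).

Reputation is an exponentially decayed ratio of spam to legitimate mail
observed per sending IP and per link domain, so recent abuse dominates and
the system "reacts in real time" rather than carrying history forever.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
DECAY = 0.99          # constructed: older observations weigh progressively less
BLOCK_AT = 0.90       # constructed: near-pure spam source -> block outright
SCRUTINIZE_AT = 0.05  # constructed: any recent abuse -> pass to local analysis
SPAM_MARKERS = ("buy now", "verify your account")  # constructed content rules


@dataclass
class Reputation:
    ham: float = 0.0
    spam: float = 0.0

    def observe(self, is_spam: bool) -> None:
        # Decay existing evidence, then add the new observation.
        self.ham *= DECAY
        self.spam *= DECAY
        if is_spam:
            self.spam += 1.0
        else:
            self.ham += 1.0

    def score(self) -> float:
        # 0.0 = clean, 1.0 = pure spam source; never-seen entities are neutral.
        total = self.ham + self.spam
        return 0.5 if total == 0 else self.spam / total


class ReputationSystem:
    def __init__(self) -> None:
        self.ips = defaultdict(Reputation)
        self.domains = defaultdict(Reputation)

    def observe(self, ip: str, body: str, is_spam: bool) -> None:
        # Feedback from gateways or user reports updates both the IP and
        # every link domain found in the message.
        self.ips[ip].observe(is_spam)
        for domain in URL_RE.findall(body):
            self.domains[domain.lower()].observe(is_spam)

    def verdict(self, ip: str, body: str) -> str:
        ip_score = self.ips[ip].score()
        link_scores = [self.domains[d.lower()].score() for d in URL_RE.findall(body)]
        worst = max([ip_score] + link_scores)
        if worst >= BLOCK_AT:
            return "block"
        if worst >= SCRUTINIZE_AT:
            return "scrutinize"
        return "accept"


def local_content_filter(body: str) -> bool:
    # Second layer: simple local analysis of the message text.
    text = body.lower()
    return any(marker in text for marker in SPAM_MARKERS)


def layered_decision(rep: ReputationSystem, ip: str, body: str) -> tuple:
    """Return (reputation verdict, final action) for one inbound message."""
    verdict = rep.verdict(ip, body)
    if verdict == "block":
        return (verdict, "block")  # never reaches the content filter
    if local_content_filter(body):
        return (verdict, "block")
    return (verdict, "deliver")


def simulate() -> dict:
    """Constructed traffic history followed by a few inbound messages."""
    rep = ReputationSystem()
    for _ in range(500):   # corporate mail server with a long clean history
        rep.observe("203.0.113.10", "Quarterly report attached", is_spam=False)
    for _ in range(20):    # the same server, now hijacked, starts relaying spam
        rep.observe("203.0.113.10", "Buy now http://pills.example/", is_spam=True)
    for _ in range(200):   # zombie host: nothing legitimate ever seen from it
        rep.observe("198.51.100.7", "Buy now http://pills.example/", is_spam=True)
    return {
        "hijacked_ip_score": rep.ips["203.0.113.10"].score(),
        "hijacked_server": layered_decision(rep, "203.0.113.10", "Minutes from today's meeting"),
        "zombie": layered_decision(rep, "198.51.100.7", "Minutes from today's meeting"),
        "neutral_ip_bad_link": layered_decision(rep, "192.0.2.55", "See http://pills.example/ today"),
        "unknown_clean": layered_decision(rep, "192.0.2.55", "Lunch on Friday?"),
        "unknown_content_spam": layered_decision(rep, "192.0.2.99", "Please verify your account"),
    }


if __name__ == "__main__":
    for case, result in simulate().items():
        print(f"{case}: {result}")
```

The hijacked server keeps delivering its legitimate mail because its decayed spam ratio sits well below the block threshold, yet it is flagged for scrutiny the moment abuse is observed; the zombie and the message carrying a known-bad link are dropped before any content analysis runs, which is where the reduction in server load described above comes from.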

This story, "Dmitri Alperovitch talks about reputation-based spam protection" was originally published by ITworld.


Copyright © 2008 IDG Communications, Inc.
