Spammers and Messaging Vendors in Constant Battle of One-Upmanship
Like comic book super villains, spam kingpins always seem to find new ways to thwart the technology heroes that fight against junk mail. Just as it seems that they've finally been vanquished, they manage to elude the traps laid by anti-spam technology vendors and flood the inboxes of innocent users.
Last year was a case in point. Throughout much of 2006 there were some in the IT industry who were ready to proclaim victory over the spam problem, only to find a new wave of spam cropping up late in the year that was even tougher and more filter-resistant than before.
While the resurgence surprised some, many in the anti-spam community were hardly shocked by the uptick that started at the end of the year. "Spam kind of reemerged with a vengeance last year, but that's not new," says Willy Leichter, director of product marketing for Tumbleweed. "Or, it's not new to us. There've been these waves of spam countermeasures that will be effective for a few months, then the spammers adapt. They're very responsive to whether they're being blocked and whether something's getting through. And they're very much monitoring what the defensive techniques are. So, it's this ongoing spy-vs-spy game where these cycles have gone on."
Countering Image Spam Influx
Much of this recent flare-up of spam can be attributed to the latest weapon in the spammer's arsenal: image spam. Spammers got wise to the last generation of text filters and began pitching their wares by embedding the words in images, where a text scanner never sees them.
"It's shaken the industry up. A lot of the older filters that are signature-based just got blown by," Leichter says. Security messaging companies such as Tumbleweed fired a shot over the spammers' ramparts by indexing frequently used spam images and blocking messages that carry those files. But the spammers have been responding with even more sophisticated methods to push image spam through.
"We're rapidly getting into the second or third round of image spam innovation," Leichter says. "You almost have to have a grudging respect for these guys. What they've very cleverly done is started to randomize them so that every one is different. Like snowflakes."
For example, some spammers have created programs that will make slight changes to a source image to create thousands of different images out of a single file, so that an index of known spam images never sees the same file twice. "They can change the colors, they can put some random lines and patterns and things in the background to make it more difficult for the automated character recognition to try to analyze it," says Paul Wood, senior analyst for MessageLabs. "Sometimes they have wavy lines or text so that you can read it as a person, but a computer will find it really hard to read."
These techniques have vendors scrambling around the clock to find ways to win this latest round of one-upmanship. Many have had to hire the right people and acquire the resources to understand image processing, a niche that wasn't top-of-mind for most messaging vendors until very recently.
"What we had to do to defend against it is to get into image processing technology, kind of analogous to what we do with text," Leichter says. "But you've actually got to dissect the image and tell if you've seen a similar one before. That involves very sophisticated state-of-the-art mathematics to determine if this image is new or not. Anything short of that is just guessing around the fringes."
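The randomization Wood describes and the similarity matching Leichter describes are two sides of one problem: an index of exact file signatures fails the moment a single pixel changes, so the defender has to hash what the image looks like rather than what its bytes are. The following is an added example written for this page in Python; it is not code from the article, Tumbleweed or MessageLabs. It renders a crude stand-in for image-spam "text" as a 64x64 grayscale canvas, mutates it the way the spammers' tools do (random background lines, a random background tint), and shows that an exact SHA-256 signature breaks on the first mutation while a perceptual average hash still matches within a small Hamming distance. The canvas, the randomizer, the client profiles and the match threshold of 8 bits are constructed assumptions; average hash is the simplest member of the similarity-hash family and would not, on its own, survive the wavy-text distortion Wood mentions.

```python
import hashlib
import random

SIZE = 64           # constructed 64x64 8-bit grayscale "image": list of rows of ints
BLOCK = SIZE // 8   # average hash shrinks to 8x8, so one hash bit covers an 8x8 block


def render(dark_blocks):
    """Stand-in for rendering spam text: a white canvas with solid black 8x8 cells.
    dark_blocks is a set of (block_row, block_col) cells to blacken (constructed)."""
    img = [[255] * SIZE for _ in range(SIZE)]
    for br, bc in dark_blocks:
        for y in range(br * BLOCK, (br + 1) * BLOCK):
            for x in range(bc * BLOCK, (bc + 1) * BLOCK):
                img[y][x] = 0
    return img


def randomize(img, seed, lines=3, max_tint=40):
    """Spammer-style mutation (assumed, simplified): `lines` random horizontal and
    `lines` random vertical gray lines over the background, then a random darkening
    of the background. Every copy differs at the byte level; the text stays legible."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(lines):
        y = rng.randrange(SIZE)
        for x in range(SIZE):
            if out[y][x] == 255:
                out[y][x] = 160
        x = rng.randrange(SIZE)
        for y in range(SIZE):
            if out[y][x] == 255:
                out[y][x] = 160
    tint = rng.randrange(1, max_tint + 1)
    return [[max(0, p - tint) for p in row] for row in out]


def exact_digest(img):
    """What a signature-based filter indexes: a hash of the exact pixel bytes."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def ahash(img):
    """Average hash: shrink to 8x8 by block averaging, then emit one bit per cell,
    1 if the cell is brighter than the mean of all cells, else 0 (64-bit int)."""
    cells = []
    for br in range(8):
        for bc in range(8):
            total = sum(img[y][x]
                        for y in range(br * BLOCK, (br + 1) * BLOCK)
                        for x in range(bc * BLOCK, (bc + 1) * BLOCK))
            cells.append(total / (BLOCK * BLOCK))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def near_duplicate(hash_a, hash_b, threshold=8):
    """Match rule (assumed threshold): same campaign if at most `threshold` bits differ."""
    return hamming(hash_a, hash_b) <= threshold


# Two constructed "spam images" with text laid out in different places.
SPAM_A = render({(2, 1), (2, 2), (2, 4), (2, 5), (2, 6),
                 (3, 1), (3, 2), (3, 4), (3, 5), (3, 6)})
SPAM_B = render({(4, 1), (4, 3), (4, 5), (4, 6),
                 (5, 1), (5, 3), (5, 5), (5, 6)})

if __name__ == "__main__":
    variants = [randomize(SPAM_A, seed) for seed in range(1, 4)]
    print("exact digests all differ:",
          len({exact_digest(SPAM_A), *map(exact_digest, variants)}) == 4)
    for v in variants:
        print("ahash distance to original:", hamming(ahash(SPAM_A), ahash(v)),
              "-> near duplicate:", near_duplicate(ahash(SPAM_A), ahash(v)))
    print("distance between unrelated images:", hamming(ahash(SPAM_A), ahash(SPAM_B)))
```

The design point is the one Leichter makes: the defender's hash has to be computed over a downsampled, thresholded view of the image so that pixel-level noise falls below the quantisation step. A real filter would combine several such hashes (average, difference, DCT-based) and tune the threshold against a corpus, because loosening the threshold to absorb heavier distortion raises the false-positive rate on legitimate images.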
Looking Outside the Envelope
However, simply playing the image analysis game may only do so much. Spammers are already reacting to the processing of spam images in a number of ways that will likely flummox filters yet again.
"What we're starting to see now is, it's still image spam, but it's slightly different in that the image isn't attached to the message itself, it's hosted on the Internet on free file sharing sites like FreeShare, ImageShack and a number of others," Wood says. A message that only links to its image gives the filter no image to hash. And even beyond the immediate horizon, there will likely be new innovations to get around old filters, because that is how spammers have been operating for years.
According to experts such as Leichter and Wood, this is why vendors must take a more rounded approach to the problem, rather than simply reacting to the content of the spam. "Spam is kind of viewed as one monolithic problem but it's actually many different problems that usually fall into one of two different buckets," Leichter says. "One is looking inside the envelope, reading the message and trying to figure out whether you want it or not. The other is just looking at the outside of the envelope and looking for other clues that would tell you that this is not something you even need to open. Like you do with junk mail."
These 'outside the envelope' tactics used to rely on simple IP reputation filters, but many of these filters and spam blacklists have been rendered ineffective by spammers' botnets. A botnet spreads a campaign across thousands of compromised machines, each sending only a few e-mails, so no single originating IP address ever shows the volume that would get it listed.
As a result, says Wood, vendors have turned to composite scoring systems that not only take the sender IP into account but also weigh other factors, such as headers that a user normally wouldn't see.
Usually users only see headers such as the "To" and "From" fields, he says. But there are many more behind the scenes that researchers can use to better identify the mail's source. "There's some other patterns that if it was sent from a legitimate mail package, say Outlook or Thunderbird, they have a kind of pattern. Those headers appear in a certain order and you can almost 'fingerprint' them to a degree, so you know that if it's a genuine message from someone using Mozilla Thunderbird it will have these headers and they will appear in this order," Wood says. "But if it's come from a botnet, they typically don't spend that much time making them look that accurate. They will put in the headers to try to spoof, say, an Outlook Express message but in fact it won't necessarily appear to be completely genuine, if you start to analyze it closely. And that's something that we can then do at a greater level."
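The two "outside the envelope" signals described above, sender IP reputation and header-order fingerprinting of the claimed mail client, combine naturally into one score. The following is an added example written for this page in Python; it is not code from the article, MessageLabs or any vendor product. It parses the header block of two constructed messages (one genuine-looking Thunderbird message, one botnet message that sets an Outlook Express X-Mailer but gets the surrounding headers wrong), extracts the connecting IP from the Received header our own MX prepended, and scores the message against a blocklist and a per-client profile of required headers and relative header order. The messages, the blocklist (a documentation address range), the client profiles and the point weights are all constructed assumptions; a real system learns its profiles from a corpus of mail known to come from each client rather than hand-writing them.

```python
import ipaddress
import re

# Hypothetical client profiles, simplified for this example: which header declares
# the client, which headers a genuine message from it must carry, and pairs of
# headers whose relative order the client always preserves.
PROFILES = {
    "outlook express": {
        "declared_by": ("x-mailer", r"outlook express"),
        "required": ["message-id", "x-mailer", "x-mimeole", "x-priority"],
        "order": [("from", "to"), ("subject", "date"),
                  ("x-priority", "x-mailer"), ("x-mailer", "x-mimeole")],
    },
    "thunderbird": {
        "declared_by": ("user-agent", r"thunderbird"),
        "required": ["message-id", "user-agent", "mime-version"],
        "order": [("message-id", "date"), ("from", "user-agent"),
                  ("user-agent", "mime-version")],
    },
}

# Constructed blocklist: 192.0.2.0/24 is a documentation range, not a real listing.
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]
SPAM_THRESHOLD = 5   # assumed cut-off for the composite score


def parse_headers(raw):
    """Return [(name, value)] in wire order, unfolding continuation lines and
    stopping at the blank line that ends the header block."""
    headers = []
    for line in raw.splitlines():
        if line == "":
            break
        if line[:1] in " \t" and headers:           # folded line continues previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def sender_ip(headers):
    """Connecting IP from the topmost Received header. That header was prepended by
    our own MX after the sender's data arrived, so it is the one hop the sender
    cannot forge; anything below it is sender-supplied text."""
    for name, value in headers:
        if name == "received":
            m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", value)
            if m:
                return ipaddress.ip_address(m.group(1))
    return None


def score(raw):
    """Composite 'outside the envelope' score: (points, reasons)."""
    headers = parse_headers(raw)
    names = [n for n, _ in headers]
    points, reasons = 0, []
    ip = sender_ip(headers)
    if ip is not None and any(ip in net for net in BLOCKLIST):
        points += 5
        reasons.append(f"sender {ip} on blocklist")
    for client, prof in PROFILES.items():
        hname, pattern = prof["declared_by"]
        if not any(n == hname and re.search(pattern, v, re.I) for n, v in headers):
            continue                                   # message does not claim this client
        for req in prof["required"]:
            if req not in names:
                points += 2
                reasons.append(f"claims {client} but lacks {req}")
        for first, second in prof["order"]:
            if first in names and second in names and names.index(first) > names.index(second):
                points += 2
                reasons.append(f"claims {client} but {second} precedes {first}")
    return points, reasons


def is_spam(raw):
    return score(raw)[0] >= SPAM_THRESHOLD


# Constructed sample messages (header blocks only).
GENUINE_THUNDERBIRD = "\n".join([
    "Received: from mail.example.org ([198.51.100.7])",
    "\tby mx.example.net with ESMTP; Wed, 21 Mar 2007 10:15:03 +0000",
    "Message-ID: <4A1B2C3D.5060409@example.org>",
    "Date: Wed, 21 Mar 2007 10:15:00 +0000",
    "From: Alice <alice@example.org>",
    "User-Agent: Thunderbird 1.5.0.10 (X11/20070221)",
    "MIME-Version: 1.0",
    "To: bob@example.net",
    "Subject: Meeting notes",
    "Content-Type: text/plain; charset=ISO-8859-1",
    "",
    "Notes attached.",
])

BOTNET_FAKE_OE = "\n".join([
    "Received: from 192-0-2-45.dyn.example-isp.net ([192.0.2.45])",
    "\tby mx.example.net with ESMTP; Wed, 21 Mar 2007 10:20:11 +0000",
    "From: \"Pharmacy Deals\" <deals@example.com>",
    "To: bob@example.net",
    "Subject: Your order",
    "Date: Wed, 21 Mar 2007 10:20:00 +0000",
    "X-Mailer: Microsoft Outlook Express 6.00.2900.2180",
    "Message-ID: <000901c76b9d$12345678$2d00020c@pc>",
    "MIME-Version: 1.0",
    "Content-Type: multipart/related; boundary=\"----=_NextPart_000\"",
    "X-Priority: 3",
    "",
    "<img src=\"cid:offer\">",
])

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE_THUNDERBIRD), ("botnet", BOTNET_FAKE_OE)):
        print(label, score(msg), "spam" if is_spam(msg) else "ham")
```

Two things to note when turning this into a production check. First, only the Received header your own MX adds is trustworthy for the IP lookup; a bot can and does insert plausible-looking Received lines of its own below it, which is why the lookup stops at the first one. Second, header-order profiles decay as clients release new versions, so they need the same continuous re-learning as the image signatures in the previous section, otherwise the fingerprint starts penalising legitimate users of a newer build.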
While all of these techniques used by vendors do a lot to blunt the onslaught of new spam methods, some experts believe there is a major flaw in this approach. Garth Bruen of KnujOn says that the prevailing anti-spam lines of defense only treat the symptoms of the real problem.
"Beyond the analysis, you have to ask a simple question. What do the spammers want?" he says. "In addition to looking at the technical aspects of spam we have to look at what's driving spam, what's enabling it in the world of crime. We have to partner up with global initiatives to stop the trafficking of counterfeit goods and pharmaceuticals across international borders. You have to push the issue with your government and say this is an important problem and we're also concerned about the problems behind it. And you have to provide law enforcement with actionable information."
That is Bruen's goal with KnujOn, a non-profit side project designed to analyze as many spam messages as he and his volunteers can get their hands on. Rather than ignoring the root problem and constantly looking for new ways to filter spam, businesses can do more for the greater good by helping researchers examine and track spam so that the authorities receive that information. (Read more on Bruen: Financial Institutions: Fight Back Against Unwanted Email.)