Junk email now accounts for almost 60% of all email, up from
just 10% in 2001.
This was revealed at the International Spam Enforcement
Workshop in London in October. The US Federal Trade
Commission (FTC) and the UK's Office of Fair Trading (OFT) co-
hosted the event.
Not long ago email was being hailed as the "killer app" of the
internet; the advent of blind mass mailings has made this
appellation chillingly suitable. The proportion of spam in individual
mailboxes can often exceed 60%. This arteriosclerosis of the
digital arteries will eventually cause strokes and heart attacks, if
not killing the patient, then severely debilitating it.
Efforts to curb spam through national legislation have failed.
The October workshop brought together representatives from
more than 20 countries to see if international cooperation might
work.
Bob Jones, managing director of network appliance vendor
Equiinet, believes that national legislation has little impact
because spammers can always find a country that has no spam
laws. He wants a "postage" system for emails. An email tariff
would hit the spammers where it hurts — in the business plans,
he says.
He admits he is a lone voice. "I can't see why emails couldn't be
charged for in the same way as telephone calls and traditional
mail," he said. "It's up to the telcos and ISPs, which in many cases
are the same thing. They already have massive billing systems that
could easily be modified to handle email. I'm not saying it's a
trivial task but it isn't rocket science either."
Jones' solution may be radical but it is interesting. Even if ISPs
adopted the SMS text messaging model of making messages free
to moderate users but hitting high volume users, it could dissuade
many international spamming companies.
The main objectors are likely to be those who believe the
internet should be "free" and "uncorporatised", and those whose
accounts are used to send spam.
Like Equiinet, Wall Data sells dedicated security appliances and
uses them to defend the company's own mail servers. Managing
director Ian Kilpatrick has studied the economics involved. "We
receive huge amounts of spam because we're out there in the
market. Our Barracuda appliance is clearing out about 28,000
emails a day. One of our technical guys was spending over two
hours a day going through all the suspect emails to see if there was
anything genuine in there," he said.
This is the root of the problem. No matter how efficient the
antispam system is, there is always the chance that a genuine
message is identified as spam — the false positive. This worries
Kilpatrick more than a spam email in his mailbox. Consequently,
he can justify the cost of a technically qualified person spending
two hours each day going through the mail.
technology | Infosecurity Today, November/December 2004, page 24

Spam rules — and there’s nothing you can do
Eric Doyle
The nasty truth about spam is that it works. That’s why it’ll be with us for at least the next seven years.
[Figure: Gartner Hype Cycle diagram]
Reducing the spam load would save every company time and
money. Even "postage" on outgoing emails would probably cost
less than the time spent sifting the wheat from the chaff.
But spam is not always unwelcome: most people’s spam is one
person's information. And there are enough of them to encourage
the spammers.
Market intelligence
Kilpatrick and Jones admit that spam can reveal market
intelligence, as when spam comes from competitors or their
agents. In other cases spam may point to software pirates and
counterfeiters. This might interest marketing and legal
departments and the cops, but is irrelevant to most workers.
No doubt the best spam filter is the human eye. But this has led
to a spamming scam run by a company called eProvisia. This
outfit claims to offer hand sorting of emails for $20 per year.
Close examination of the Web site (eprovisia.dione.cc) shows
that it is based on the ‘Palmyra Atoll (Uninhabited Sovereign
Territory)’, has customers in 40 countries (not all recognised by
the UN) and $62 million in reserves (based on Palmyran dollars).
This is topped off with a service agreement that boils down to a
legal rights waiver if no service is given in return for your money.
In fact the Palmyran atoll is a wildlife reserve in the North Pacific
with no inhabitants other than a few temporary conservationists.
Layered defence
In the real world, dealing with spam takes several checks. As spam
sometimes carries malware, the first check should be by antivirus
software.
Next, the system should check the origin of the message. Most
antispam software or services provide blacklist/whitelist
protection. Known spam sites are blacklisted for blocking and
friendly addresses pre-cleared.
Next the system should look for key words and phrases. This is
the first level where false positives may become a problem.
More sophisticated protection is still being refined. The most
popular is Bayesian filtering. This calculates the probability of a
message being spam from its content. Unlike pattern matching, a
Bayesian filter uses adaptive learning to compare spam and good
email and find stylistic differences. Emails are then graded
according to their "spaminess".
Bayesian filtering has a high rate of detection and often gives few
false positives. But it is best used on a desktop or individual basis
to avoid the filter becoming too bloated with all users’ preferences
and hence less discriminating.
Because of successes in filtering, spammers are looking for ways
to avoid detection. Many spam
emails now contain lists of
random words or sections
of irrelevant text that
improve their chances of
slipping through.
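The checks described in the layered-defence passage, apart from the antivirus stage, worked through in Python as an added example that is not part of the article: an allow/block list on the sender domain, a key-phrase match, and finally a Bayesian grade of the kind the text calls "spaminess". The domain lists, key phrases and training messages are constructed sample data; combining only the most decisive tokens, Graham-style, is this example's own choice, not something the article specifies.

```python
"""Layered spam check: allow/block lists, key phrases, then a Bayesian grade.

Added example for the article's 'Layered defence' discussion; it is not the
article's code. The antivirus stage the article puts first is left out. All
domains, phrases and messages below are constructed sample data.
"""
import math
import re
from collections import Counter

BLOCKLIST = {"spam-sender.example"}       # constructed "known spam site"
ALLOWLIST = {"partner.example"}           # constructed pre-cleared domain
KEY_PHRASES = ("act now", "risk free")    # constructed key-phrase list
TOKEN_RE = re.compile(r"[a-z0-9$!]+")
INTERESTING = 15   # only the most decisive tokens feed the grade

# Constructed training corpus.
SPAM_SAMPLES = [
    "win free cash now click here",
    "free viagra online order now",
    "you have won a free prize click here",
    "cheap meds buy now online",
]
HAM_SAMPLES = [
    "meeting moved to 3pm see you in the office",
    "please review the attached report before friday",
    "lunch at noon tomorrow",
    "the quarterly report is ready for review",
]


def tokenize(text):
    """Presence set of lower-cased tokens; repeats within one mail are ignored."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Per-token spam probabilities (Laplace smoothed), combined Graham-style."""

    def __init__(self):
        self.spam_docs = self.ham_docs = 0
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def token_prob(self, tok):
        """P(spam | token). A token never seen in training gets only the
        smoothing counts, which is exactly 0.5 with equal-sized classes."""
        s = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
        h = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
        return s / (s + h)

    def spaminess(self, text):
        """Grade in (0, 1): probability the mail is spam, computed from the
        INTERESTING tokens whose probability lies furthest from 0.5."""
        probs = sorted((self.token_prob(t) for t in tokenize(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:INTERESTING]
        if not probs:
            return 0.5
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1 - p) for p in probs)
        # prod(p) / (prod(p) + prod(1 - p)), evaluated in log space
        return 1 / (1 + math.exp(log_ham - log_spam))


def build_filter():
    """Train a filter on the constructed corpus."""
    bf = BayesFilter()
    for text in SPAM_SAMPLES:
        bf.train(text, True)
    for text in HAM_SAMPLES:
        bf.train(text, False)
    return bf


def classify(sender, body, bayes, threshold=0.9):
    """Run the checks in the article's order; return (verdict, reason)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in ALLOWLIST:                     # pre-cleared address
        return "good", "sender domain pre-cleared"
    if domain in BLOCKLIST:                     # known spam site
        return "spam", "sender domain blacklisted"
    lowered = body.lower()
    for phrase in KEY_PHRASES:                  # first stage with false-positive risk
        if phrase in lowered:
            return "spam", f"key phrase {phrase!r}"
    grade = bayes.spaminess(body)               # adaptive stage
    return ("spam" if grade >= threshold else "good"), f"bayesian grade {grade:.3f}"


if __name__ == "__main__":
    bf = build_filter()
    for sender, body in [
        ("deals@offers.example", "free cash prize click here now"),
        ("alice@corp.example", "the report review meeting is tomorrow"),
        ("deals@offers.example",
         "free cash prize click here now zq7 plinth aardvark quixotic lambent"),
    ]:
        print(sender, classify(sender, body, bf))
```

The third sample message shows why padding with random words, as the article describes, does not by itself help against this kind of grade: every never-seen token scores 0.5 and multiplies both sides of the ratio equally, so the padded and unpadded messages receive the same grade. Padding only moves the grade when the extra words are ones the filter has already learned to associate with good mail.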
Weighting for Godot?
IBM thinks user interactions offer a better way. Stuart McRae, IT
specialist for IBM Lotus Workplace Strategy, says "The SpamGuru analyses
a message, and, based on user weighting, decides whether it is spam. There
is an interface where the user can reject messages as spam. SpamGuru
collates all the information about the characteristics of those messages
and starts to do weighting on new emails to decide whether they are likely
to be spam."

Gartner's Anti-spam hints
- Be aware that most spam is a scam
- If an offer looks too good to be true, it probably is
- If an email looks doubtful, delete it
- Use a spam filter
- Avoid clicking on adverts in spam messages; they could download a virus
- Protect your email address. Do not share it with people you do not know.

[Pull quote: “Will the internet never be clean?”]
[Photo caption: Equiinet’s Bob Jones: postage required]
SpamGuru uses Bayesian detection and other tests to reduce
false positives. A new process, Chung Kwei, detects complex
patterns in messages that go beyond simple word or phrase
identification. Intelligent rendering exposes hidden elements in
MIME messages to uncover redirections hidden under Web links.
Spoof detection also analyses DNS and domain records to see
whether a message was spoofed or sent from a less reliable SMTP
server.
IBM claims this goes beyond the MARID MTA authentication
record used in Sender ID, without the need for explicit publication
of outgoing mail servers.
Send in the clowns
Sender ID is a joint initiative between Microsoft and Chinese firm
Pobox. It is a proposed standard that the Internet Engineering
Task Force (IETF) may ratify. It has two elements: Sender Policy
Framework (SPF) from Pobox, and Microsoft's Purported
Responsible Address (PRA). These work in tandem to verify that
the sender address given is not a false or spoofed address.
The sender's email server publishes a list of the Internet
Protocol (IP) addresses on its outbound mail server. The
recipient's server extracts the sender address given in the email
and compares it to this list. If there is a mismatch the email is
labelled as possible spam.
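The comparison just described, written out in Python as an added example that is not the article's or any vendor's code: a domain publishes the addresses of its outbound mail servers, the receiving side extracts the domain from the purported sender address and checks whether the connecting IP is on that list, and a mismatch labels the message as possible spam. The `PUBLISHED_SENDERS` table stands in for the DNS records a real check would look up, and the status and label names are this example's own; the article does not define them.

```python
"""Sender check in the style the article describes for Sender ID/SPF: each
domain publishes the IP addresses of its outbound mail servers, and the
receiving server compares the connecting IP against that list.

Added example, not the article's or any vendor's code. PUBLISHED_SENDERS is a
constructed stand-in for the DNS records a real check would look up, and the
status and label names are this example's own.
"""
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for each domain's published outbound-server list.
# Entries may be single addresses or CIDR ranges.
PUBLISHED_SENDERS = {
    "example.com": ["192.0.2.10", "192.0.2.11", "198.51.100.0/24"],
    "bank.example": ["203.0.113.5"],
}


def extract_domain(purported_sender):
    """Domain part of the address the mail claims to come from, or None.
    Accepts bare addresses and 'Display Name <user@domain>' forms."""
    _, addr = parseaddr(purported_sender)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def lookup_published(domain):
    """Stand-in for the DNS lookup: list of networks, or None if unpublished."""
    return PUBLISHED_SENDERS.get(domain)


def check_sender(connecting_ip, purported_sender):
    """Return (status, detail): 'pass', 'fail' or 'none' (no list published)."""
    domain = extract_domain(purported_sender)
    if domain is None:
        return "fail", "sender address has no usable domain"
    networks = lookup_published(domain)
    if networks is None:
        return "none", f"{domain} publishes no outbound-server list"
    ip = ipaddress.ip_address(connecting_ip)
    for net in networks:
        if ip in ipaddress.ip_network(net, strict=False):
            return "pass", f"{connecting_ip} is a published server for {domain}"
    return "fail", f"{connecting_ip} is not a published server for {domain}"


def label_message(connecting_ip, purported_sender):
    """The article's labelling: a mismatch marks the mail as possible spam.
    A domain that publishes nothing cannot be verified either way."""
    status, _ = check_sender(connecting_ip, purported_sender)
    return {"pass": "verified sender",
            "fail": "possible spam",
            "none": "unverified"}[status]


if __name__ == "__main__":
    # Constructed sample envelope data: (connecting IP, purported sender)
    for ip, sender in [
        ("192.0.2.10", "Alice <alice@example.com>"),
        ("198.51.100.77", "bob@Example.COM"),
        ("192.0.2.10", "alerts@bank.example"),
        ("203.0.113.5", "someone@unknown.example"),
    ]:
        print(ip, sender, "->", label_message(ip, sender), "|", check_sender(ip, sender)[1])
```

The `none` status is the case the article's "comply or die" discussion turns on: a domain that publishes no list cannot be checked at all, so the scheme only bites once publishing is near-universal and unpublished domains can be treated with suspicion.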
The IETF ratification process is presently bogged down in
disputes between Microsoft, some ISPs and the Open Source
community over the inclusion of patents for PRA and the need to
register with Microsoft to use the technology.
Seven more years
Both the IBM and Sender ID initiatives are aimed at lightening the
spam burden but neither will solve it. In a speech to the recent
Gartner IT Security Summit in London, Ant Allan, a research
director at Gartner Research, said "I am sceptical that Sender ID
and similar initiatives will quickly improve the situation. All
authentication and reputation systems are in embryonic stages,
where the greatest value is derived if all Internet users (or, at least,
a large number of senders) belong to the same system.
"In 2003, the IETF established the ASRG (Anti Spam Research
Group) to develop standards for spam elimination. Gartner does
not expect significant standards with corporate deployments
earlier than 2011."
Martino Corbelli, marketing director for antispam specialist
SurfControl, admitted "there is no silver bullet against spam —
that is the golden rule, but it is no excuse for not trying.
Each filter will have some impact but none will completely
eliminate spam."
Comply or die
Sender ID relies on all ISPs acting responsibly. A "comply or die"
facility means ISPs that refuse to publish their servers’ addresses
could be isolated as potential spamming sites. To make this work
would require universal adoption and that could be the problem.
Even legislation cannot force universal adoption. "It's difficult to
enforce local laws when spammers may be on the other side of the
world and very difficult to track down," Corbelli said.
"Local legislation is a toothless dog but it's still important because
it defines standards and offers a guide to good practice so that
people know where they stand."
[Photo caption: Wall Data’s Kilpatrick: Barracuda]
[Photo caption: SurfControl’s Corbelli: no silver bullet]
Customers drive spammers
Corbelli has seen spamming techniques adapt not only to
antispam measures but also to pressure from spammers'
customers. "At first, spammers simply used to make up email
addresses and charge for the number of emails transmitted but
now they harvest real mail addresses. This is because the way
they get paid has changed. They now get paid on responses, and
the only way to improve the response count is to improve the mail
address data. Good data is shared and so the lists grow and the
spam increases."
We try harder
As with the virus and worm community, the measures put in
place to block their efforts merely encourage spammers to try
harder. Their victims’ best option is to follow current best
practice. Gartner recommends that spam filtering be deployed at
the outermost layer of the email environment to prevent it from
consuming network and storage resources.
The company notes a tendency to combine firewall, antivirus
and antispam measures, but it does not recommend this for
organisations with more than 750 users. Running the data stream
through a series of filters can slow systems noticeably. It
recommends leaving the firewall to do its job of intrusion
protection and applying spam detection in front of the mail servers.
If Gartner’s prediction is correct, spam will be a problem for at
least seven more years. New search engines are making email
searches faster and this may speed up the identification of false
positives. But this is the best one can hope for now.
Legislation and filtering offer partial solutions but initiatives
like Sender ID may prove more effective. In the long term, the
solution is to track the spammers to their lairs and shut them
out. This means persuading responsible ISPs to agree to some
universal authentication scheme, encouraging users to pressurise
their ISP to comply or move to a registered ISP, and ignoring
messages from elsewhere. In short, we need a truly open standard
with no proprietary catches.
[Photo caption: IBM Lotus’s McRae: SpamGuru]