In-Depth

Spammers Increasing Methods to Avoid Detection

Techniques for challenging and defeating spam filters continue to grow

• By Mathew Schwartz
• 09/03/2003

Spammers use a combination of techniques to increase the chances of getting a message through. The most malicious kind of spam operates on the social engineering principle—it tells a user to click a link, or apes the look of a financial firm to try and capture social security and credit card numbers. Experts recommend that organizations frequently remind users about the dangers of such attacks.

They may have to, since spam just keeps on coming. “Spammers are using ever more sophisticated and aggressive techniques to avoid detection,” notes Susan Larson, vice president for global content operations at SurfControl. For example, spammers can use HTML e-mails to circumvent or confuse filtering tools, especially those based on dictionaries or statistical sampling. SurfControl estimates that 95 percent of all spam is HTML-based. In addition, 99 percent of all adult-oriented spam uses HTML e-mails.

The most sophisticated spammers, she says, also use Web hosting services overseas, as well as overseas e-mail addresses, to better hide identities and rapidly switch domain names without having to burn through new ISPs. That makes identifying them purely based on e-mail return address extremely difficult.

In particular, Larson identifies six top spam techniques currently being used; she also recommends organizations adjust their spam filtering software accordingly. Those techniques include:

• Hidden agenda: Spammers use ASCII control code to represent letters, or random words. They may also intersperse visible lettering with white text on a white background. Users end up seeing the intended message, however filtering tools using dictionaries have difficulty discerning it.

• Address validation: If an HTML e-mail contains an image and a user clicks on it, or another link, it can set in motion an e-mail address validation. In other words, spammers can encode in the link a user clicks on the e-mail address of the actual user. In effect, they’ve just “captured” the user as a real user, and can escalate the spam sent to that address.

• Hidden domains: By using an “@” symbol in a URL, spammers can disguise the link a user clicks on, then redirect them to another site that may utilize known vulnerabilities to gain access to the user’s machine, or attempt some kind of social engineering.

• Funny lettering. How many megabytes are needed to account for all of the potential misspellings that spammers can use? Too many. Think of two common examples, says Larson: V1agra or M0RTG4GE. That’s why users should watch out for tools that just scan e-mail for keywords, says Ferris Research analyst Marten Nelson. “Those are very general tools, and what you end up generating is a lot of false positives.”

• Hidden content: To confuse spam scanners or statistical filters, spammers hide content in JavaScript or HTML browser window frames.

“These deceptive tactics are making it easier than ever for spammers to prosper and harder than ever for technology companies and law enforcement officials to identify and stop them,” says Larson.

Taking into account the myriad ways spammers try to circumvent filtering tools, it’s a cat-and-mouse game between spammers and spam filter vendors. Nevertheless, experts say that an effective anti-spam tool should filter between 80 and 90 percent of all spam, while generating minimal false positives.