In-Depth

A Loaf, a Phish, and a Reputation

Spam and phishing attacks are getting worse, and new Web threats will complicate networks until some reputations are established

It’s the hallway conversation you have with some regularity—a coworker states, “I’ve been getting more spam lately.”

The observation is absolutely correct. Commtouch Software noted that in 2006 the spam tsunami increased 30 percent over the previous year and business users got a 50 percent increase in the electronic flood. Depending on which prognosticator and target you choose, spam levels reach up to 98 percent of e-mail volume.

I feel the pain. Like most of us, I have several e-mail accounts. My institutional mailbox gets three to 20 spam messages a day. Two of my outside mailboxes, including the one named at the end of this column, reject over 30 percent of the e-mails outright but received an incredible 60,850 messages in 2006, averaging 83 spam messages per account per day.

What astonished me was penciling some simple figures about the spam at my institution. Assume it takes an employee just one second to identify and delete the spam. Assume the person is eighty percent productive and the average fully-loaded employee costs are just $12 an hour. That’s a per-person, per-incident cost of about one-quarter cent per person.

A spam message hitting all employee mailboxes (20,000 of them for my employer) costs the institution perhaps $50 per incident. Multiply that, by, say five unsolicited messages per day and the annual productivity drain comes to just over $456,000. I suspect a similar exercise using your own numbers may yield a similarly stunning estimate.

The amount of junk mail hitting mailboxes grew because spammers got better at their work. They innovated by using graphic images rather than text to carry their message. Images are tougher to analyze by text filters and are easily modified to escape bitmap comparisons. Additionally, spammers became better at harnessing infected PC systems remotely into large botnets hurling millions of messages an hour.

A sunny spot is that e-mails containing a viral payload, according to Sophos PLC, dropped from one in 91 six months ago to one in 391 in December, 2006. More e-mail filtering and antivirus software is adapting to recent changes in image spam and e-mail viruses in the continuous cat-and-mouse game.

According to Ronald J. O'Brien, senior security analyst at Sophos, an emerging vector is shifting to the Web for delivering malware. “The SMTP gateway (for e-mail) is relatively stable and secure, but HTTP gateway is not secure,” he notes.

One method for malware is the traditionally disguised phishing e-mail that entices a person to click a Web link that loads infectious code. The other is putting infectious code on Web pages of sites that employees approach without a high level of cautious such as social-networking sites Myspace or Facebook or popular user-contributed sites such as Wikipedia. The infectious code’s purpose is usually to harvest personal (or corporate) information or become another remotely controlled bot in the net to perpetuate spam. Either way, data is at risk.

Another method gaining more attention: cyberfelons turning into cyber-swatters and grabbing the domain names that are misspellings of popular Web sites. Rather than planting an advertisement or redirection to pornographic sites, the subsequent Web site rewards the hapless visiting misspeller with an infection attempt.

Defending Your Data

Beyond usual antivirus and computer-registry lockdowns and user-level best practices, one obvious defense to this new trend is end-point application control, which Sophos joins other vendors by adding this capability to its antivirus forte, to stop programs from running.

The other defense is central HTTP gateway filtering, either through the current parameter firewall or through additional infrastructure. The previous justification for this filtering was that it kept employees productive by blocking access to certain Web sites. Now, adding HTTP filtering—even if used solely as a defense against malicious Web infections—is a justifiable pursuit.

All these actions mitigate the wave of mal-mails hitting the parameter, but don’t reduce their numbers. That’s because I disagree with O’Brien. I agree that SMTP—Simple Mail Transport Protocol, the backbone of Internet e-mail—is fantastically robust for moving messages. The problem is that SMTP is too simple to demand authentication and remains hopelessly broken. It neither ensures the sender is who he/she claims to be or even that the IP address of the sender is accurate. Spammers can maneuver fleets of trucks through the holes of SMTP.

One defense against the traditional spam is the black-list registry that blocks e-mail sent from ranges of IP addresses used by known spammers. Yet the nimbleness of spammers and the rise of the botnets operating from myriad address have reduced the effectiveness of these remedies.

Charles Stiles, co-vice chair of the Messaging Anti-Abuse Working Group (MAAWG), explores the alternatives. He states, “Authentication is a key component to the problem of spam. But authentication alone will not stop spam, but applying the appropriate reputation to the right people will make an impact.”

Reputation is the message concept you’ll hear more about in 2007 as the MAAWG, whose 87-firm membership covers over 487 million mailboxes, wrestles with assuring all valid messages, including IM and VOIP, get to their destination. Reputation combines authentication, assuring the sender’s identity, with known characteristics such as the IP subnet addresses assigned to the sender’s organization and items such registered SMTP servers for an enterprise or institution.

The process allows mail hosts to have greater granularity in judging whether to accept or reject messages. For example, a mail host can require a higher reputation score before accepting a thousand e-mail messages in an hour from a specific source than it would from a handful of messages from the same source. It can allow numbers of e-mail from known e-mail hosts from within an organization, such as a university, while blocking out multiple e-mails sent from that organization’s IP address space but not from the usual e-mail sources.

The process for assigning reputation will involve some form of central registries and the entire infrastructure for handling reputation will evolve for several years. A couple of players in the field include Return Path and Cloudmark. According to Stiles, the real benefits from reputation should start 18 to 24 months from now, but to me it is an important part of cutting down the electronic offal of the Internet.

For now, it’s antivirus and e-mail filters and HTTP filtering and educating users, and lots of patience and punching the delete key and some self-justified collective annoyance for the monstrous loaves of spam, twelve truckloads of phish, and mountains of Web-site infections.

Keep your postmaster’s and IT security group’s eyes on reputation which in 2008 may finally put a major finger in the spam dikes.

Must Read Articles