Everybody hates email spam. It is annoying and wastes time, takes up disk space and can slow down the network, writes Martin Tassev, MD of Loophold Security Distribution. And, despite the increasingly advanced efforts by the companies that make money from combating spam, it continues to grow at a startling rate. From June 2005 to June 2009 the amount of email spam more than quadrupled.
Money is of course the driver of spammers, who are mostly sales people looking to sell products and services. Email is a cheap way to get a message to millions of people – even if most of them do not even read it, the few that do respond make the spammers' efforts profitable. To keep their messages flowing, spammers have needed a few tricks up their sleeves to bypass spam filters.
* Botnets and zombies – Spammers use ‘botnets’, a collection of computer systems or ‘zombies’, which are all linked to a common control structure. These zombies can be instructed to send out spam, phishing, viruses and other malware. Because IP addresses guilty of sending out too much spam get a ‘bad reputation’, spammers need to limit the number of spam messages sent out by each zombie. In a botnet attack, for example, each zombie could send out 1 000 messages, and with around 10 000 zombies in a botnet, a total of 10 million messages can be sent out at once, without compromising the reputation of a specific IP address.
* Borrowing a good reputation – As mentioned, analysing the reputation of the sender IP address is a common method used by spam filters to block spam. To counteract this defence, spammers ‘borrow’ IP addresses with a good or neutral reputation. They either create email accounts with Internet Service Providers (ISPs) all around the world, or buy access to a hacked email server and exploit the reputation of the company whose server has been hacked.
* Getting around authentication – Authentication involves establishing whether an email really is from the domain it says it is. Organisations need to publish a Sender Policy Framework (SPF) record, which tells email receivers that a given IP address is allowed to send email for a given domain. With a strict SPF record, no third-party services can send out email on the company’s behalf. Although many companies set up authentication, they often leave the record open for other IP addresses to send email, providing a loophole for spammers. Spammers can also set up a domain name of their own, authenticate properly and send spam from it.
* Word salad – Spam filters evaluate the words in an email message and group them into ‘good’ and ‘bad’ words – bad ones being the ones typically found in spam emails. The term ‘word salad’ refers to the spammer’s trick, whereby extra ‘good’ words are added to an email message (those typically not associated with spam). The spam filter will pick up more good words than bad words, and decide that the message is ‘good’.
* Light reading – Taking the ‘word salad’ technique a step further, some spam messages contain entire extra sentences and paragraphs – with the same aim, to add good words and phrases that skew the spam filter’s evaluation of the whole message. The use of complete sentences makes it harder for the filter to exclude the good words.
* Tiny text – Another way spammers trick spam filters is by changing the font size of some letters so that only the letters making up the real message are readable. The recipient can read the message, while the spam filter sees a line of gibberish.
* Scrabble spam – While the human brain can decipher a scrambled message like ‘Crteae a more ppsorerous future for yuoserf’, spam filters cannot. And because slang, acronyms, abbreviations and human error feature regularly in our legitimate daily emails, it isn’t feasible to program spam filters to block emails with misspelled words in them. By scrambling the letters in words, spammers are often able to get past spam filters.
* Bad words in disguise – Yet another way spammers get around spam filters is by using symbols, special characters and different character sets to spell out words. For example, VIAGRA becomes /!ǺGRĂ – and it is estimated that there are over 600 quadrillion ways to spell this word using different variations.
* Image tricks – If you receive a spam email with an image in it, by sending it to ‘junk’ you expect that your spam filter will stop the same message from reaching you again. But spammers get around this by making small, unnoticeable changes to the message or image – changing its size by one or two percent, changing the background colour, and making small adjustments to the layout.
* Social engineering – Spammers play on our social relationships and expectations to make the email seem more legitimate – whether it is using the latest news headlines in the subject line to arouse our interest, or in the case of phishing emails, pretending to be a trustworthy source such as a bank to obtain account details. They also send messages with subject lines like ‘check this out’ and a PDF attachment containing the spam message – in this case most people won’t immediately think it is spam.
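The SPF loophole described under ‘Getting around authentication’ is visible in the record itself: the qualifier on the terminating `all` decides what happens to unlisted senders. The checker below is an added example, not code from the article or from Loophold; the sample records and the wording of the findings are constructed for the demo.

```python
# Constructed sample records for the demo (not from the article).
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
LOOSE_RECORD = "v=spf1 a mx ip4:198.51.100.10 ~all"

# RFC 7208: these mechanisms (and redirect=) each cost a DNS lookup; more
# than 10 in one evaluation yields permerror, so the record stops protecting.
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
ALL_MEANING = {
    "-": "fail: unlisted senders are rejected",
    "~": "softfail: unlisted senders are only marked, not rejected",
    "?": "neutral: the record says nothing about unlisted senders",
    "+": "pass: any sender on the internet is authorised",
}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs, modifiers,
    and the qualifier on the terminating 'all' (None when absent)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms, modifiers, all_qualifier = [], {}, None
    for term in terms[1:]:
        if "=" in term:                       # modifier such as redirect= or exp=
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                       # RFC default when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
            break                             # terms after 'all' are never evaluated
        mechanisms.append((qualifier, term.lower()))
    return {"mechanisms": mechanisms, "modifiers": modifiers, "all": all_qualifier}

def spf_findings(record):
    """Return the weaknesses found; an empty list means the record is strict."""
    parsed = parse_spf(record)
    findings = []
    if parsed["all"] is None and "redirect" not in parsed["modifiers"]:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif parsed["all"] not in (None, "-"):
        findings.append("terminating all is " + ALL_MEANING[parsed["all"]])
    names = [m.split(":")[0].split("/")[0] for _, m in parsed["mechanisms"]]
    if "ptr" in names:
        findings.append("ptr mechanism: deprecated and unreliable, remove it")
    lookups = sum(n in LOOKUP_MECHANISMS for n in names) + ("redirect" in parsed["modifiers"])
    if lookups > 10:
        findings.append("over 10 DNS-lookup terms: receivers return permerror")
    return findings
```

Run it over the TXT record you publish for your own domain: a `~all` or `?all` ending is exactly the ‘option left open’ the article warns about.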
So what is the solution?
There is no singular technology capable of blocking all spam – as soon as a technology proves to be efficient, as we’ve seen above, spammers work out a way to get around it.
Currently, the best solution is using multiple anti-spam techniques together, which include both reputation analysis and content analysis. Reputation analysis should cover not only the sender IP address and content, but the links/URLs, images, attachments, the email's structure and more.
Effective content analysis techniques can include Bayesian filtering (a method whereby an email's probability of being spam is determined), lexicographical distancing (checking for variations on spam words) and image inference analysis (whereby core features of an image that a spammer cannot manipulate are extracted to help determine if an email is spam), as well as simpler checks like block/allow lists and SPF checks, which combine to work out the true intent of email messages.
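The ‘lexicographical distancing’ named above is what catches the ‘scrabble spam’ and ‘bad words in disguise’ tricks from the list: fold look-alike symbols and accented letters back to plain letters, then measure how far each token is from a watched word. The following is an added example, not code from the article or any product; the watch list, the look-alike map and the distance threshold are constructed assumptions.

```python
import re
import unicodedata

# Constructed watch list and look-alike map (assumptions, not from the article).
WATCH_TERMS = ["viagra", "prosperous", "create", "yourself"]
SUBSTITUTIONS = {"\\/": "v", "!": "i", "|": "i", "1": "i", "@": "a",
                 "$": "s", "5": "s", "0": "o", "3": "e", "4": "a"}

def normalise(token):
    """Fold symbol look-alikes, accents and case down to plain ASCII letters."""
    for symbol, letter in SUBSTITUTIONS.items():
        token = token.replace(symbol, letter)
    decomposed = unicodedata.normalize("NFKD", token)   # e.g. Ǻ -> A + ring + acute
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", stripped.lower())

def levenshtein(a, b):
    """Edit distance: the lexicographical distance between two spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def match_term(token, max_ratio=0.4):
    """Return the watch term a token resembles after normalisation, else None.
    max_ratio is generous for the demo; a real filter feeds the distance into a score."""
    norm = normalise(token)
    if not norm:
        return None
    for term in WATCH_TERMS:
        # 'Scrabble spam': same letters, same first and last letter, middle shuffled
        scrambled = (len(norm) == len(term) and norm[0] == term[0]
                     and norm[-1] == term[-1] and sorted(norm) == sorted(term))
        if norm == term or scrambled or levenshtein(norm, term) <= max_ratio * len(term):
            return term
    return None

def flag_message(text):
    """List (token, watch term) pairs for every suspicious token in a message."""
    hits = []
    for token in text.split():
        term = match_term(token)
        if term:
            hits.append((token, term))
    return hits
```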