Beating the spammer's box of tricks

Everyone hates e-mail spam. It is annoying and wastes time, takes up disk space and can slow down the network. And despite the increasingly advanced efforts by the companies that make money from combating spam, it continues to grow at a startling rate. From June 2005 to June 2009, the amount of e-mail spam more than quadrupled, writes Martin Tassev in this opinion piece.
Money is, of course, the driver of spammers, who are mostly sales people looking to sell products and services. E-mail is a cheap way to get a message to millions of people – even if most of them do not even read it, the few who do respond make the spammers' efforts profitable. In order to keep sending out their messages, spammers have had to develop a few tricks up their sleeve in order to bypass spam filters.
Trick one: Botnets and zombies
Spammers use "botnets", a collection of computer systems or ‘zombies’, which are all linked to a common control structure. These zombies can be instructed to send out spam, phishing, viruses and other malware.
Because IP addresses guilty of sending out too much spam get a ‘bad reputation’, spammers need to limit the number of spam messages sent out by each zombie. In a botnet attack, for example, each zombie could send out 1 000 messages, and with around 10 000 zombies in a botnet, a total of 10 million messages can be sent out at once, without compromising the reputation of a specific IP address.
Trick two: Borrowing a good reputation
As mentioned, analysing the reputation of the Sender IP address is a common method used by spam filters to block spam. To counteract this defence, spammers ‘borrow’ IP addresses with a good or neutral reputation. They either create e-mail accounts with Internet service providers (ISPs) all around the world, or buy access to a hacked e-mail server and exploit the reputation of the company whose server has been hacked.
Trick three: Getting around authentication
Authentication involves establishing whether an e-mail really is from the domain it says it is. Organisations need to publish a Sender Policy Framework (SPF) record, which tells e-mail receivers that a given IP address is allowed to send e-mail for a given domain. With strict setup of an SPF record, no third-party services can send out e-mail on the company’s behalf.
Despite the fact that many companies set up authentication, they often leave the option open for other IP addresses to send e-mail, providing a loophole for spammers.
Spammers can also set up a domain name of their own to authenticate properly and send spam from it.
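The SPF check described above, as an added example that is not the author's code: a small Python evaluator for the ip4, ip6 and all mechanisms, run against strict, neutral and open variants of a constructed record for a hypothetical domain (203.0.113.0/24 is a documentation range). Mechanisms that need DNS (include, a, mx) are deliberately left out, so a record relying on them would never match here.

```python
import ipaddress

# Constructed SPF records for a hypothetical domain; 203.0.113.0/24 is a
# documentation range, not a real sender.
SPF_STRICT = "v=spf1 ip4:203.0.113.0/24 -all"  # only the listed range may send
SPF_LOOSE = "v=spf1 ip4:203.0.113.0/24 ?all"   # everyone else is merely 'neutral'
SPF_OPEN = "v=spf1 ip4:203.0.113.0/24 +all"    # everyone passes: the loophole

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none')
    for sender_ip against record, handling only the ip4, ip6 and all mechanisms.

    Mechanisms that need DNS (include, a, mx, exists) and the redirect modifier
    are not implemented in this illustration and simply never match."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        # 'in' is False when the address and network are of different IP versions
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default


def leaves_loophole(record: str) -> bool:
    """True when unlisted IPs are not rejected: the 'all' term is missing or is
    qualified with '+' or '?', which is the loophole the text describes."""
    all_terms = [t for t in record.lower().split() if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return True
    return all_terms[-1][0] not in ("-", "~")
```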
Trick four: Word salad
Spam filters evaluate the words in an e-mail message and group them into ‘good’ and ‘bad’ words – bad ones being the ones typically found in spam e-mails. The term "word salad" refers to the spammer’s trick, whereby extra ‘good’ words are added to an e-mail message (those typically not associated with spam). The spam filter will pick up more good words than bad words, and decide that the message is ‘good’.
Trick five: Light reading
Taking it a step further than the word salad technique, some spam messages contain entire extra sentences and paragraphs added to the message – with the same aim to add in good words and phrases to skew the spam filters' evaluation of the entire message. The use of complete sentences makes it more difficult for the filter to exclude the good words.
Trick six: Tiny text
Another way in which spammers trick spam filters is by shrinking the font size of some letters while keeping those that make up the real message readable. The recipient can read the message, while the spam filter sees a line of gibberish.
Trick seven: Scrabble spam
While the human brain can decipher a scrambled message like "Crteae a more ppsorerous future for yuoserf", spam filters cannot. And because slang, acronyms, abbreviations and human error feature regularly in our legitimate daily e-mails, it is not feasible to programme spam filters to block e-mails with misspelled words in them. By scrambling the letters in words, spammers are often able to get past spam filters.
Trick eight: Bad words in disguise
Yet another way in which spammers get around spam filters is by using symbols, special characters and different character sets to spell out words. For example, VIAGRA becomes \/!?GR? – and it is estimated that there are over 600 quadrillion ways to spell this word using different variations.
Trick nine: Image tricks
If you receive a spam e-mail with an image in it, by sending it to the "junk" box you expect that your spam filter will stop the same message from reaching you again. But spammers get around this by making small, unnoticeable changes to the message or image – changing its size by one or two percent, changing the background colour, and making small adjustments to the layout.
Trick ten: Social engineering
Spammers play on our social relationships and expectations to make the e-mail seem more legitimate – whether it is using the latest news headlines in the subject line to arouse our interest, or in the case of phishing e-mails, pretending to be a trustworthy source such as a bank to obtain account details. They also send messages with subject lines such as "check this out" and a PDF attachment containing the spam message – in this case, most people will not immediately think it is spam.
The solution?
There is no singular technology capable of blocking all spam – as soon as a technology proves to be efficient, as we have seen above, spammers work out a way to get around it.
Currently, the best solution is using multiple anti-spam techniques together, which include both reputation analysis and content analysis. Reputation analysis should analyse not only the Sender IP address and content, but the links/URLs, images, attachments, the e-mail structure and more.
Effective content analysis techniques can include Bayesian spam filtering (a method whereby an e-mail’s probability of being spam is determined), lexicographical distancing (checking for variations on spam words), and image inference analysis (whereby core features of an image that a spammer cannot manipulate are extracted to help determine if an e-mail is spam), as well as simpler checks such as block/allow lists and SPF checks, which combine to work out the true intent of e-mail messages.
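Lexicographical distancing from the paragraph above, applied to the scrambled words of trick seven and the symbol-disguised spellings of trick eight, as an added example that is not from the original article. The look-alike table and the block list are constructed samples; a real filter carries far larger versions of both.

```python
import re

# Constructed look-alike table: symbols and digits spammers substitute for
# letters. Multi-character glyphs are listed too; normalise() applies them first.
LOOKALIKES = {
    "\\/": "v", "|/": "v",
    "@": "a", "4": "a", "3": "e", "!": "i", "1": "i", "|": "l",
    "0": "o", "$": "s", "5": "s", "+": "t", "7": "t",
}
# Constructed sample block list; a real filter would carry many more entries.
BLOCKED = ("viagra", "prosperous")


def normalise(token: str) -> str:
    """Undo symbol substitution (trick eight), then keep letters only."""
    out = token.lower()
    for glyph in sorted(LOOKALIKES, key=len, reverse=True):
        out = out.replace(glyph, LOOKALIKES[glyph])
    return re.sub(r"[^a-z]", "", out)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, the measure behind lexicographical distancing."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matching_blocked_word(token: str, blocked=BLOCKED, max_distance: int = 1):
    """Return the blocked word that token resembles, or None. Tests, cheapest
    first: exact match after normalisation; same letters in another order
    (trick seven, 'scrabble spam'); Levenshtein distance within max_distance."""
    norm = normalise(token)
    if not norm:
        return None
    for word in blocked:
        if norm == word or sorted(norm) == sorted(word):
            return word
        if edit_distance(norm, word) <= max_distance:
            return word
    return None


def scan(text: str, blocked=BLOCKED):
    """List (token, blocked word) pairs for every suspicious token in text."""
    pairs = ((t, matching_blocked_word(t, blocked)) for t in text.split())
    return [(t, w) for t, w in pairs if w]
```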
Martin Tassev is managing director of Loophold Security Distribution and can be contacted at (011) 575 0004 or by e-mail.
When I get unwanted mail, which has an Unsubscribe feature, shall I use that to advise that I don't want any more from that sender?
Someone has told me that by doing so I am confirming the address as valid, which makes it more valuable to spammers and those that sell email addresses.
Could you please comment?
Many thanks,