By William Jackson
It's been almost four years since the passage of the Can-Spam Act, yet
spam remains as big a problem as ever. Neither congressional mandate nor
technological advances seem to have had much effect. Heuristics,
traffic analysis, content analysis, blacklisting and other recent
advances in filtering have siphoned off only the smallest portion of
E-mail security firm MessageLabs Inc. of New York reported large spikes
in late 2006, surges that brought the level of spam to 74 percent of all
e-mail traffic in November. But that figure counted only the spam that
penetrated perimeter defenses. The real figure was a staggering 89.4
percent, according to the company.
Those figures jibe with what is being seen by the Justice Department's
Computer Emergency Readiness Team, which shares responsibility for
keeping unwanted messages out of inboxes. DOJCERT program manager Kevin
Cox said as much as 80 percent of the traffic hitting the gateways is
spam, and the department's filters stop 8 million to 10 million unwanted
messages each month.
If we didn't filter this, we wouldn't be able to get anything else done,
"Spam filtering is getting better," Cox said. "We've made great strides in
the past couple of years." But the battle still requires constant
attention to counter the constant adaptations in what security
professionals call a cat-and-mouse game. "Spammers are determined to see
just how good you really are," said Penny Freeman, director of sales
engineering for Marshal Inc. of Atlanta.
Follow the Money
The reason the battle continues unabated after so many years is money.
"For the spammers, there is a financial incentive," Cox said.
And profit is a powerful incentive.
Spam falls into two broad categories, both of which can produce a profit
for the spammer. There are fraudulent messages that carry malicious
payloads or direct users to a site where they can be cheated or
infected, and there are more legitimate messages from those selling
something. Whether the spammer is selling Rolex watch knock-offs,
stealing your personal data or taking over your computer to send more
spam, there is money to be made.
How much money is impossible to say, because this is an underground
economy. But traditional wisdom is that because of the scale and
cost-effectiveness of spamming, only a small percentage of success is
needed to produce great returns.
One of the best measures of these returns is the volume of spam itself,
said Doug Bowers, senior director of anti-abuse engineering for Symantec
Corp. of Cupertino, Calif. "To the extent we are seeing spam volume
increasing, that is an indication they are having some success."
Freeman said, as long as there are buyers, there are going to be
The volume of spam fluctuates throughout the year, spiking at times as
new tricks and delivery methods emerge. The significance of the spikes
is open to debate. At Marshal, where a 40 percent increase was noted in
late November, the spike was seen as tied to the Christmas shopping
That has happened every year for the 10 years I've been in the industry,
But the spikes seen at DOJ do not appear to be seasonal, Cox said. "What
we see is pretty random."
Botnets to the Fore
One undeniable trend in spam over the past several years has been the
growth of automated networks of compromised computers, or botnets, to
distribute vast quantities of unwanted e-mail.
"We're seeing botnets continue to play an increasing role," said Symantec's
Bowers. To build botnets, worms troll the Internet for vulnerable
computers to infect.
Once infected, a computer typically contacts a control computer and
downloads software that can be used by spammers. Unlike the worms of
several years ago that spread quickly, generated high levels of network
traffic and generally called attention to themselves, today's worms are
quieter. If not exactly flying under the radar, they operate quietly
enough to let a controller assemble networks of thousands of zombies,
either for his own use or for sale to the highest bidder.
The cost of spam is not always apparent. In fact, the definition of spam
is not clear-cut. What one person calls spam another might see as a
legitimate offer. Spam is in large part a problem of free speech,
"The ability to freely discuss whatever you want to discuss is the reason
it will never be fully controlled," she said.
But that does not mean that every network or user must accept whatever
someone else wants to send out. Acceptable-use policies for network
resources require some level of control over what comes in as well as
what goes out, and network operators have a legitimate interest in
Even spam that does not reach its destination takes its toll. Network
resources are strained when a program spews out millions of messages to
made-up addresses, assuming that some addresses will be valid within
each domain. And servers get tied up rejecting these bad addresses even
before the traffic hits the spam filters.
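The server-side cost described above (bouncing guessed addresses before any spam filter runs) shows up in the gateway's own rejection log, and a run of alphabetical "user unknown" rejections from one source is the signature of a dictionary attack on the domain. As an added example that is not from the article, the Justice Department or any vendor quoted here, the following Python script counts distinct nonexistent recipients per connecting IP over constructed Postfix-style log lines and flags sources that look like a dictionary run; the log lines, hostnames, addresses and the threshold of five are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed rejection lines in a Postfix-like shape. Hosts, addresses and
# IPs are invented for this example (203.0.113.0/24 and 192.0.2.0/24 are
# documentation ranges). One source walks an alphabetical list of names;
# a partner mail server makes a single typo.
SAMPLE_LOG = """\
Jan 12 03:14:01 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <aaron@example.test>: Recipient address rejected: User unknown
Jan 12 03:14:01 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <abby@example.test>: Recipient address rejected: User unknown
Jan 12 03:14:02 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <adam@example.test>: Recipient address rejected: User unknown
Jan 12 03:14:02 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <alan@example.test>: Recipient address rejected: User unknown
Jan 12 03:14:03 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <alex@example.test>: Recipient address rejected: User unknown
Jan 12 03:14:03 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <amy@example.test>: Recipient address rejected: User unknown
Jan 12 03:15:30 mx postfix/smtpd[2207]: NOQUEUE: reject: RCPT from mail.partner.test[192.0.2.10]: 550 5.1.1 <bob.smth@example.test>: Recipient address rejected: User unknown
"""

# Matches a 5.1.1 "user unknown" rejection and captures the client IP and
# the recipient that does not exist.
REJECT_RE = re.compile(
    r"RCPT from \S*?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)


def invalid_recipients_by_source(log_text: str) -> dict:
    """Map each connecting IP to the set of distinct nonexistent addresses it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt"))
    return dict(seen)


def suspected_harvesters(log_text: str, threshold: int = 5) -> list:
    """IPs that tried at least `threshold` distinct unknown recipients.

    A single typo from a legitimate sender is normal; a run of guessed
    names from one client is the address-guessing traffic the article
    describes, and a candidate for rate limiting at the gateway."""
    return sorted(
        ip for ip, rcpts in invalid_recipients_by_source(log_text).items()
        if len(rcpts) >= threshold
    )


if __name__ == "__main__":
    for ip, rcpts in invalid_recipients_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients")
    print("suspected harvesters:", suspected_harvesters(SAMPLE_LOG))
```

The threshold is deliberately per distinct recipient rather than per rejection, so a sender retrying the same bad address is not counted as a harvester.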
Much of the recent spike in spam traffic has been attributed to the
activity of two pieces of Trojan code, SpamThru and Warezov or Stration.
Warezov comes as an e-mail attachment, sent out in batches of a few tens
of thousands before it morphs enough to avoid new antivirus signatures,
said Paul Wood, chief information security analyst at MessageLabs Ltd.
"It's very easy to do this," he said. "It's not huge volumes, compared to
infections spread on a massive scale by worms a few years ago. But
volumes are large enough to create large networks of computers that pull
down software to execute spam runs."
According to the iDefense Labs at VeriSign Inc. of Mountain View,
Calif., Warezov checks to see that its host computer is not already on a
spam blacklist before beginning to send out spam.
Wood described SpamThru, which usually is unwittingly downloaded from a
malicious Web site, as more sophisticated. Rather than having a central
command and control computer for the infected network, SpamThru zombies
use peer-to-peer networking, eliminating any single point of failure and
making the botnet more resilient.
Blasting out spam at a rate of thousands or millions of messages an hour
does little good if they do not get through. As security companies get
better at identifying and blocking unwanted e-mails, spammers adapt by
adopting new techniques to disguise their messages. One recent trend is
image spam, which uses attached images rather than text to deliver a
message, avoiding text scanners.
Marshal reported a rapid growth in the volume of image spam last fall,
which accounted for nearly a third of all spam by late November. The
newest trick is not just an image, but multiple images.
"What is interesting is the evolution we're seeing," said Bowers.
An image can be identified and filtered once it is known, so spammers
began slicing images into pieces to make filtering more difficult.
Sliced images are reassembled in the end user's viewer to display the
message. When filters adapted to that trick, spammers went to slicing
and dicing the images into more pieces, and some now are composing
messages with a separate image for each letter, something like a ransom
"It really does look like someone has cut letters from a newspaper,"
Bowers said. But the technique cuts both ways, Freeman said.
"The irony is that spammers are unwittingly making it easier for us to
spot spam," she said. "Image spam is very distinctive. It has unusual
properties that normal business e-mail does not have."
The defenders have one advantage over the spammers trying to sneak their
unwanted messages through, Cox said.
"They have only a limited amount of things they can modify in a message
once it has been identified as spam," he said. "This makes it easier to
spot spam even as it morphs."
Easier, maybe, but not necessarily easy.
Successfully blocking image spam depends on looking at every aspect of
the message, Bowers said. That means not only scanning the content to
identify patterns and checking the sender's IP address, but also looking
for traffic patterns at the network and Internet levels.
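Freeman's point that sliced image spam has "unusual properties that normal business e-mail does not have" and Bowers' point that the content and the sender's IP address must be scored together can both be shown on a message's structure alone. The following Python script is an added example, not code from the article or from Marshal, Symantec or any other vendor quoted here: it builds two constructed MIME messages (an ordinary mail with one chart attached, and a "ransom note" mail whose HTML shell only stitches thirty tiny inline images back together), extracts the structural signals, and combines them with a sender-IP check. The addresses, the blocklist entry, the feature weights and the verdict threshold are all invented for the example; the scoring goes beyond the article only in that it also treats the image-to-text ratio and the median slice size as signals.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed blocklist for the sender-IP layer; 203.0.113.45 is a
# documentation (TEST-NET-3) address, not a real listing.
KNOWN_SPAM_SOURCES = {"203.0.113.45"}


def build_business_mail() -> bytes:
    """Ordinary mail: real prose plus one chart image (all constructed)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Q4 budget draft"
    msg["Received"] = "from mail.example.test ([192.0.2.10]) by mx.example.test"
    msg.set_content("Bob,\n\nAttached is the Q4 budget draft we discussed. "
                    "Please look at the travel line before Friday.\n\nAlice")
    msg.add_attachment(b"\x89PNG" + b"\x00" * 4000, maintype="image",
                       subtype="png", filename="chart.png")
    return msg.as_bytes()


def build_sliced_image_spam(slices: int = 30) -> bytes:
    """'Ransom note' spam: an HTML shell whose only content is many tiny
    inline images that the viewer reassembles (all constructed)."""
    msg = EmailMessage()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "hi"
    msg["Received"] = "from unknown ([203.0.113.45]) by mx.example.test"
    html = "<html><body>\n" + "\n".join(
        f'<img src="cid:p{i}">' for i in range(slices)) + "\n</body></html>"
    msg.set_content(html, subtype="html")
    for i in range(slices):
        # Each slice is a few dozen bytes of fake GIF data with its own Content-ID.
        msg.add_related(b"GIF89a" + bytes([i]) * 40, maintype="image",
                        subtype="gif", cid=f"<p{i}>")
    return msg.as_bytes()


def extract_features(raw: bytes) -> dict:
    """Structural signals: image part count and sizes, how much real text is
    left once tags are stripped, cid: references that reassemble slices, and
    the connecting IP from the Received header."""
    msg = message_from_bytes(raw, policy=policy.default)
    image_sizes, text_chars, cid_refs = [], 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_maintype() == "image":
            image_sizes.append(len(part.get_payload(decode=True)))
        elif ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            body = part.get_content()
            cid_refs += len(re.findall(r"cid:", body))
            text_chars += len(re.sub(r"<[^>]+>", "", body).strip())
    ip = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", msg.get("Received", ""))
    image_sizes.sort()
    return {
        "image_parts": len(image_sizes),
        "median_image_bytes": image_sizes[len(image_sizes) // 2] if image_sizes else 0,
        "text_chars": text_chars,
        "cid_refs": cid_refs,
        "sender_ip": ip.group(1) if ip else None,
    }


def score(features: dict) -> int:
    """Additive score; weights are invented for the example."""
    s = 0
    if features["image_parts"] >= 5:                      # many image parts
        s += 2
    if features["image_parts"] and features["text_chars"] < 40:   # pictures but no prose
        s += 2
    if features["cid_refs"] >= 5:                         # inline reassembly of slices
        s += 1
    if features["image_parts"] >= 5 and features["median_image_bytes"] < 2048:  # tiny slices
        s += 1
    if features["sender_ip"] in KNOWN_SPAM_SOURCES:       # the sender-IP layer
        s += 2
    return s


def classify(raw: bytes, threshold: int = 4) -> str:
    return "image-spam" if score(extract_features(raw)) >= threshold else "ok"


if __name__ == "__main__":
    for name, raw in (("business", build_business_mail()),
                      ("sliced", build_sliced_image_spam())):
        feats = extract_features(raw)
        print(name, feats, score(feats), classify(raw))
```

No single signal decides the verdict: a newsletter with several images, or a mail relayed through a listed host, each scores below the threshold on its own, which is the layered approach Bowers describes.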
The Justice Department uses a layered defense against spam that includes
the end user, Cox said.
"We work closely with the team that manages our mail gateway," he said.
Users who spot spam in their inboxes notify DOJCERT or the gateway team
so that spam filters can be adjusted. Depending on end-users for
fine-tuning the filters is not a perfect process, Cox said.
"Some will just delete the spam, and we're not going to get the full
picture," he said. "But enough of them report it to give a good sense of
what is getting through and how to stop it."
As the team became more comfortable with the filters at the gateway,
they have been applied in as many spots as possible, including mail
servers and desktops. "There is time involved," Cox said of the job of
stopping spam. I don't think we'll ever get to a point where we won't have
But spam filters have improved and have made a difference, he said.
"Before, our team had a much larger role in addressing spam," he said.
"That staff time has lessened."
Copyright 1996-2007 Post-Newsweek Media, Inc. All Rights Reserved.