The Shifting Tactics of Spammers: Protect Your Firm Against the Newest Email Threats
by Scott Petry - Founder & Senior Vice President of Products and Engineering, Postini - Monday, 11 April 2005.
The battleground in the ongoing fight against spam by organizations worldwide is shifting based on new tactics from spammers and hackers designed to defeat conventional anti-spam content filtering solutions. Despite the enactment of the CAN-SPAM Act by Congress in the U.S. and Britain’s Privacy and Electronic Communications regulations, the incidence of spam and malicious emails carrying viruses and worms continues to increase - and grow more sophisticated through techniques that make traditional or first-generation content filtering technology less effective.

Minimizing Content to Fool Spam Filters

While “hash busting” and Bayesian Poisoning techniques have become familiar to most anti-spam vendors, and countermeasures have been incorporated into their products, spammers are becoming even more covert in their tactics these days. Going beyond fooling the content filter with creative combinations, spammers are taking a more personalized as well as a minimalist approach to get past conventional anti-spam content filters.

The logic behind these spamming techniques is simple: take away or reduce the context of a message to a degree that confuses the content filtering method just enough to allow a message to get through. Because filters on servers in an enterprise must handle messages for hundreds or even thousands of users, it is difficult for the IT department to increase the sensitivity of filters to catch these techniques. That’s because increasing filter sensitivity also increases the risk of blocking substantial numbers of legitimate emails - known as false positives.


For example, more recent spam techniques use messages that are personalized and unique. These messages display very few typical spam identifiers in their content, making them much more difficult for conventional content-based spam filters to catch and block. Spammers are also putting less and less content in their messages so that conventional filtering software has less context in which to assess the validity of the message. This makes it much more difficult for these filters to accurately assess whether a message is spam or not.
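The trade-off described above, as an added example that is not part of the original article: a small naive Bayes content scorer trained on constructed mail, in which a low-content message falls below a strict threshold and lowering the threshold then blocks a legitimate message. The corpus, inbox messages, thresholds and function names are all assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed training mail (not real traffic), labelled by class.
TRAIN = {
    "spam": ["cheap pills online buy now discount pills",
             "buy cheap watches now limited discount offer",
             "win money now claim your free prize online"],
    "ham": ["meeting moved to friday see agenda attached",
            "please review the attached quarterly report",
            "lunch on friday to discuss the project report"],
}
# Constructed inbox: (message, is_spam).
INBOX = [
    ("buy cheap pills now discount offer online", True),   # verbose spam
    ("hi dana are you online", True),                      # minimal, personalized spam
    ("are you free now", False),                           # short legitimate mail
    ("please review the attached report", False),          # ordinary legitimate mail
]

def tokens(message):
    return re.findall(r"[a-z']+", message.lower())

def train(corpus):
    counts = {label: Counter(t for m in msgs for t in tokens(m))
              for label, msgs in corpus.items()}
    return counts, set(counts["spam"]) | set(counts["ham"])

def spam_probability(message, counts, vocab):
    """Naive Bayes posterior, equal priors; tokens unseen in training are skipped."""
    n_spam = sum(counts["spam"].values()) + len(vocab)   # Laplace-smoothed totals
    n_ham = sum(counts["ham"].values()) + len(vocab)
    log_odds = 0.0
    for t in tokens(message):
        if t in vocab:
            log_odds += math.log(((counts["spam"][t] + 1) / n_spam) /
                                 ((counts["ham"][t] + 1) / n_ham))
    return 1 / (1 + math.exp(-log_odds))

def evaluate(threshold, inbox, counts, vocab):
    """Return (spam caught, legitimate mail blocked) at this threshold."""
    hits = [is_spam for m, is_spam in inbox
            if spam_probability(m, counts, vocab) >= threshold]
    return hits.count(True), hits.count(False)

if __name__ == "__main__":
    counts, vocab = train(TRAIN)
    for threshold in (0.9, 0.6):  # strict, then more sensitive
        print(threshold, evaluate(threshold, INBOX, counts, vocab))
```

The minimal message contains a single token the filter has evidence for, so its score stays between the two thresholds; the short legitimate message sits in the same band, which is why the lower threshold catches one and blocks the other.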

The Connection Point Battleground

During the first half of 2004, spammers and hackers also shifted their techniques away from message gimmicks to focus more on the SMTP connection point in their endless quest to overcome content filtering technology. This change in tactics by spammers does not bode well for organizations that must rely on content filtering technologies to protect their email systems. That’s because conventional content filtering cannot block any of these new attacks at the connection point. A content filter must let a message into the system so it can examine the content - at which point the damage from these attacks has already occurred.

Harvesting Directories and Bringing Down Servers
