Minimizing Content to Fool Spam Filters
While “hash busting” and Bayesian Poisoning techniques have become familiar to most anti-spam vendors, and countermeasures have been incorporated into their products, spammers are becoming even more covert in their tactics these days. Going beyond fooling the content filter with creative combinations, spammers are taking a more personalized as well as a minimalist approach to get past conventional anti-spam content filters.
The logic behind these spamming techniques is simple: take away or reduce the context of a message to a degree that confuses the content filtering method just enough to allow a message to get through. Because filters on servers in an enterprise must handle messages for hundreds or even thousands of users, it is difficult for the IT department to increase the sensitivity of filters to catch these techniques. That’s because increasing filter sensitivity also increases the risk of blocking substantial numbers of legitimate emails - known as false positives.
For example, more recent spam techniques use messages that are personalized and unique. These messages display very few typical spam identifiers in their content, making them much more difficult for conventional content-based spam filters to catch and block. Spammers are also putting less and less content in their messages, so that conventional filtering software has less context in which to assess the validity of a message. This makes it much more difficult for these filters to accurately decide whether a message is spam or not.
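The following is an added illustration, not code from the article, of why a content-only Bayesian filter loses its footing on minimal, personalized messages. A toy naive Bayes classifier is trained on a constructed corpus of six messages; a full spam message scores well above a 0.9 block threshold, while a message carrying a single spammy word or only unseen words lands near 0.5 and would pass. The `verdict` function shows one defensive response: when too few known tokens exist to judge content, return "uncertain" so that non-content signals can decide, rather than silently delivering.

```python
import math
from collections import Counter

# Constructed toy corpus (not real mail); tokens are lower-case words.
SPAM_TRAIN = [
    "cheap meds order now click here",
    "cheap loan approved click now",
    "order cheap pills now",
]
HAM_TRAIN = [
    "meeting moved to monday see agenda",
    "please review the attached report",
    "lunch on monday agenda",
]

def tokenize(text):
    return text.lower().split()

def train(spam, ham):
    """Count tokens per class; keep vocabulary size and the log class prior."""
    spam_c = Counter(t for m in spam for t in tokenize(m))
    ham_c = Counter(t for m in ham for t in tokenize(m))
    vocab = set(spam_c) | set(ham_c)
    return {"spam": spam_c, "ham": ham_c, "vocab": len(vocab),
            "prior": math.log(len(spam) / len(ham))}

def spam_probability(model, text):
    """Naive Bayes with Laplace smoothing. Returns P(spam | text) together with
    the number of tokens the model has seen before (the usable evidence).
    Unseen tokens contribute a likelihood ratio of 1, so a message made of
    them stays at the prior: with balanced training data, exactly 0.5."""
    log_odds = model["prior"]
    evidence = 0
    n_spam = sum(model["spam"].values()) + model["vocab"]
    n_ham = sum(model["ham"].values()) + model["vocab"]
    for tok in tokenize(text):
        p_spam = (model["spam"][tok] + 1) / n_spam
        p_ham = (model["ham"][tok] + 1) / n_ham
        log_odds += math.log(p_spam / p_ham)
        if tok in model["spam"] or tok in model["ham"]:
            evidence += 1
    return 1 / (1 + math.exp(-log_odds)), evidence

def verdict(model, text, threshold=0.9, min_evidence=2):
    """'spam' above the threshold, 'ham' when content clearly supports it, and
    'uncertain' when too few known tokens exist to decide on content alone;
    an 'uncertain' message should be handed to non-content checks (sender
    reputation, connection-point controls) instead of being delivered."""
    p, evidence = spam_probability(model, text)
    if evidence < min_evidence:
        return "uncertain"
    return "spam" if p >= threshold else "ham"
```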
The Connection Point Battleground
During the first half of 2004, spammers and hackers have also shifted their techniques away from message gimmicks to focus more on the SMTP connection point in their endless quest to overcome content filtering technology. This change in tactics by spammers does not bode well for organizations that must rely on content filtering technologies to protect their email systems. That’s because conventional content filtering cannot block any of these new attacks at the connection point. Such filters must let a message into the system so they can examine its content - at which point the damage from these attacks has already occurred.
Harvesting Directories and Bringing Down Servers