Minimizing Content to Fool Spam Filters
While “hash busting” and Bayesian Poisoning techniques have become familiar to most anti-spam vendors, and countermeasures have been incorporated into their products, spammers are becoming even more covert in their tactics these days. Going beyond fooling the content filter with creative combinations, spammers are taking a more personalized as well as a minimalist approach to get past conventional anti-spam content filters.
The logic behind these spamming techniques is simple: take away or reduce the context of a message to a degree that confuses the content filtering method just enough to allow a message to get through. Because filters on servers in an enterprise must handle messages for hundreds or even thousands of users, it is difficult for the IT department to increase the sensitivity of filters to catch these techniques. That’s because increasing filter sensitivity also increases the risk of blocking substantial numbers of legitimate emails - known as false positives.
For example, more recent spam techniques use messages that are personalized and unique. These messages display very few typical spam identifiers in their content, making them much more difficult for conventional content-based spam filters to catch and block. Spammers are also putting less and less content in their messages so that conventional filtering software has less context in which to assess the validity of the message. This makes it much more difficult for these filters to accurately assess whether a message is spam or not.
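To see why a minimalist message is hard for a content filter to classify, the following added example (written for this page, not code from any anti-spam product) trains a toy word-based Bayesian filter on a constructed six-message corpus and scores three messages: a verbose spam, a one-word spam, and a terse but legitimate message. The corpus, the messages and the classifier are all assumptions made for illustration; the arithmetic is standard naive Bayes with add-one smoothing.

```python
import math
import re
from collections import Counter

# Constructed training corpus (hypothetical, not from the article).
SPAM_TRAINING = [
    "Buy cheap pills now, limited offer",
    "Cheap pills online, order now",
    "Limited offer: buy now",
]
HAM_TRAINING = [
    "Meeting tomorrow at noon about the budget",
    "Please review the budget report",
    "Lunch tomorrow?",
]

TOKEN_RE = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case the text and keep only alphabetic word tokens."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesFilter:
    """Word-frequency Bayesian filter with add-one (Laplace) smoothing."""

    def __init__(self, spam_docs, ham_docs):
        self.spam_counts = Counter(t for d in spam_docs for t in tokenize(d))
        self.ham_counts = Counter(t for d in ham_docs for t in tokenize(d))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        self.vocab_size = len(set(self.spam_counts) | set(self.ham_counts))
        n_docs = len(spam_docs) + len(ham_docs)
        self.log_prior_spam = math.log(len(spam_docs) / n_docs)
        self.log_prior_ham = math.log(len(ham_docs) / n_docs)

    def _log_likelihood(self, counts, total, token):
        # Smoothed P(token | class); unseen tokens get a small non-zero mass.
        return math.log((counts[token] + 1) / (total + self.vocab_size))

    def spam_probability(self, text):
        """Posterior P(spam | tokens) for one message."""
        log_spam = self.log_prior_spam
        log_ham = self.log_prior_ham
        for token in tokenize(text):
            log_spam += self._log_likelihood(self.spam_counts, self.spam_total, token)
            log_ham += self._log_likelihood(self.ham_counts, self.ham_total, token)
        # Normalise in log space to avoid underflow on long messages.
        shift = max(log_spam, log_ham)
        p_spam = math.exp(log_spam - shift)
        p_ham = math.exp(log_ham - shift)
        return p_spam / (p_spam + p_ham)


FILTER = NaiveBayesFilter(SPAM_TRAINING, HAM_TRAINING)


def score_messages():
    """Score a verbose spam, a minimal spam and a terse legitimate message."""
    return {
        "verbose_spam": FILTER.spam_probability("Buy cheap pills now, limited offer"),
        "minimal_spam": FILTER.spam_probability("pills"),
        "terse_ham": FILTER.spam_probability("Order lunch now?"),
    }


if __name__ == "__main__":
    for name, p in score_messages().items():
        print(f"{name:13s} P(spam) = {p:.3f}")
```

The verbose spam scores close to 1.0 because every token reinforces the spam hypothesis. The one-word spam lands around 0.74, and the legitimate "Order lunch now?" lands around 0.79, above the spam: with that little context the two are indistinguishable, so any threshold that blocks the minimal spam also blocks the legitimate message, which is exactly the false-positive trade-off the paragraph describes.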
The Connection Point Battleground
During the first half of 2004, spammers and hackers have also shifted their techniques away from message gimmicks to focus more on the SMTP connection point in their endless quest to overcome content filtering technology. This change in tactics by spammers does not bode well for organizations that must rely on content filtering technologies to protect their email systems. That’s because conventional content filtering cannot block any of these new attacks at the connection point. They must let a message into the system so they can examine its content - at which point the damage from these attacks has already occurred.
Harvesting Directories and Bringing Down Servers
A prime example of this new connection point threat is known as directory harvest attacks (DHAs). DHAs are designed to net spammers lists of valid email addresses to which they can send spam or which they can sell to other spammers. It works like this. An open source or stand-alone Mail Transfer Agent (MTA) typically responds to each delivery attempt with a simple “yes” or “no”. If the response is “no”, the sending server gets an error message because the address is invalid and mail for that address cannot be delivered. If the sending server gets a “yes”, it knows the address is valid and a message can be delivered.
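The “yes”/“no” behaviour described above leaves a footprint that a defender can watch for: a client that probes many recipients and receives a burst of “unknown user” rejections. The following added example (written for this page, not code from any MTA or filtering product) parses constructed SMTP recipient-verification log lines and flags clients whose rejection rate within a sliding window looks like a harvest. The log format, client addresses, recipient names and thresholds are assumptions; the reply codes are the standard SMTP ones (250 accepted, 550 mailbox unavailable).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real MTA's):
#   <ISO timestamp> client=<ip> rcpt=<address> status=<smtp code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) rcpt=<(?P<rcpt>[^>]*)> status=(?P<code>\d{3})$"
)

# Constructed sample log. 192.0.2.10 is a normal sender with one mistyped
# address; 198.51.100.7 walks an alphabetical list of guessed local parts.
_GUESSES = ["aaron", "abby", "abe", "adam", "alice", "amy",
            "andrew", "anna", "arthur", "ashley", "austin", "avery"]
_VALID = {"adam", "alice"}
SAMPLE_LOG = [
    "2004-03-01T09:58:00 client=192.0.2.10 rcpt=<alice@example.com> status=250",
    "2004-03-01T09:58:01 client=192.0.2.10 rcpt=<adam@example.com> status=250",
    "2004-03-01T09:58:02 client=192.0.2.10 rcpt=<adm@example.com> status=550",
    "2004-03-01T09:58:03 client=192.0.2.10 rcpt=<alice@example.com> status=250",
] + [
    f"2004-03-01T10:00:{i:02d} client=198.51.100.7 rcpt=<{name}@example.com> "
    f"status={'250' if name in _VALID else '550'}"
    for i, name in enumerate(_GUESSES)
]


def parse_line(line):
    """Return a dict with ts/ip/rcpt/code, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_harvesters(lines, window=timedelta(seconds=60),
                      min_unknown=5, min_unknown_ratio=0.5):
    """Flag client IPs whose RCPT attempts inside any `window` include at least
    `min_unknown` 550 rejections making up at least `min_unknown_ratio` of the
    attempts. Returns {ip: (unknown_count, total_count)} for the worst window."""
    events_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            events_by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda r: r["ts"])
        recent = deque()  # events inside the current sliding window
        for rec in events:
            recent.append(rec)
            while rec["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            unknown = sum(1 for r in recent if r["code"] == "550")
            total = len(recent)
            if unknown >= min_unknown and unknown / total >= min_unknown_ratio:
                if ip not in flagged or unknown > flagged[ip][0]:
                    flagged[ip] = (unknown, total)
    return flagged


if __name__ == "__main__":
    for ip, (unknown, total) in detect_harvesters(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: "
              f"{unknown} unknown recipients out of {total} attempts")
```

The ratio test matters as much as the absolute count: a busy legitimate relay can accumulate a few rejections over time, but it does not produce a window where most of its recipient attempts fail. In production the same counts drive a tarpit or temporary block at the connection point, which is the response the paragraph argues a content filter cannot make.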