The Shifting Tactics of Spammers: Protect Your Firm Against the Newest Email Threats
by Scott Petry - Founder & Senior Vice President of Products and Engineering, Postini - Monday, 11 April 2005.
The battleground in the ongoing fight against spam by organizations worldwide is shifting based on new tactics from spammers and hackers designed to defeat conventional anti-spam content filtering solutions. Despite the enactment of the CAN-SPAM Act by Congress in the U.S. and Britain’s Privacy and Electronic Communications regulations, the incidence of spam and malicious emails carrying viruses and worms continues to increase - and grow more sophisticated through techniques that make traditional or first-generation content filtering technology less effective.

Minimizing Content to Fool Spam Filters

While “hash busting” and Bayesian Poisoning techniques have become familiar to most anti-spam vendors, and countermeasures have been incorporated into their products, spammers are becoming even more covert in their tactics these days. Going beyond fooling the content filter with creative combinations, spammers are taking a more personalized as well as a minimalist approach to get past conventional anti-spam content filters.

The logic behind these spamming techniques is simple: take away or reduce the context of a message to a degree that confuses the content filtering method just enough to allow a message to get through. Because filters on servers in an enterprise must handle messages for hundreds or even thousands of users, it is difficult for the IT department to increase the sensitivity of filters to catch these techniques. That’s because increasing filter sensitivity also increases the risk of blocking substantial numbers of legitimate emails - known as false positives.

For example, more recent spam techniques use messages that are personalized and unique. These messages display very few typical spam identifiers in their content, making them much more difficult for conventional content-based spam filters to catch and block. Spammers are also putting less and less content in their messages, so that conventional filtering software has less context in which to assess the validity of the message. This makes it much more difficult for these filters to accurately assess whether a message is spam or not.

The Connection Point Battleground

During the first half of 2004, spammers and hackers also shifted their techniques away from message gimmicks to focus more on the SMTP connection point in their endless quest to overcome content filtering technology. This change in tactics does not bode well for organizations that must rely on content filtering technologies to protect their email systems. That’s because conventional content filtering cannot block any of these new attacks at the connection point: such filters must let a message into the system so they can examine its content, at which point the damage from these attacks has already occurred.

Harvesting Directories and Bringing Down Servers

A prime example of this new connection point threat is known as directory harvest attacks (DHAs). DHAs are designed to net spammers lists of valid email addresses to which they can send spam or sell to other spammers. It works like this. An open source or stand-alone Mail Transfer Agent (MTA) typically responds to email delivery attempt requests with a simple “yes” or “no”. If the response is “no”, the sending server gets an error message since the address is invalid and mail for that address cannot be delivered. If the sending server gets a “yes”, it knows the address is valid and a message can be delivered.
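The pattern described above is visible on the receiving MTA itself: a single source that triggers a long run of "user unknown" rejections against guessed addresses. The following detector is an added example (not from the article or from Postini) that tallies per-source recipient rejections from constructed, Postfix-style log lines and flags sources whose volume and rejection ratio look like a harvest, while leaving a partner server with one mistyped address alone. The log format, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample MTA log lines (Postfix-style wording, shortened for the example).
SAMPLE_LOG = """\
Apr 11 09:00:01 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown
Apr 11 09:00:01 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abbey@example.com>: Recipient address rejected: User unknown
Apr 11 09:00:02 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abbot@example.com>: Recipient address rejected: User unknown
Apr 11 09:00:02 mx postfix/smtpd[1]: 3F2A1: client=unknown[198.51.100.7]
Apr 11 09:00:02 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abel@example.com>: Recipient address rejected: User unknown
Apr 11 09:00:03 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abram@example.com>: Recipient address rejected: User unknown
Apr 11 09:05:10 mx postfix/smtpd[2]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown
Apr 11 09:05:11 mx postfix/smtpd[2]: 3F2B7: client=mail.partner.example[203.0.113.5]
"""

# A "no" answer from the MTA: recipient rejected as unknown, keyed by the connecting IP.
REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>.*User unknown")
# A "yes" answer: the session was accepted and assigned a queue id.
ACCEPT_RE = re.compile(r": [0-9A-F]+: client=\S+\[(?P<ip>[\d.]+)\]")

def tally(log_text):
    """Count unknown-recipient rejections and accepted sessions per source IP."""
    stats = defaultdict(lambda: {"unknown": 0, "accepted": 0, "targets": []})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            stats[m["ip"]]["unknown"] += 1
            stats[m["ip"]]["targets"].append(m["rcpt"])
            continue
        m = ACCEPT_RE.search(line)
        if m:
            stats[m["ip"]]["accepted"] += 1
    return stats

def flag_harvesters(stats, min_unknown=5, min_ratio=0.8):
    """Flag sources with many unknown recipients AND a high rejection ratio.
    Both conditions are required so a legitimate server that mistypes one
    address is not treated as a harvester (the false-positive concern above)."""
    flagged = {}
    for ip, s in stats.items():
        total = s["unknown"] + s["accepted"]
        ratio = s["unknown"] / total if total else 0.0
        if s["unknown"] >= min_unknown and ratio >= min_ratio:
            flagged[ip] = {"unknown": s["unknown"], "ratio": round(ratio, 2),
                           "sample": s["targets"][:3]}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_harvesters(tally(SAMPLE_LOG)).items():
        print(f"possible directory harvest from {ip}: {info}")
```

The flagged sources are candidates for connection-level controls (rate limiting or rejecting the session before content is accepted), which is exactly what a content filter operating after delivery cannot do.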
