The Pathogenesis of Dark Traffic Attacks
by Soeren Bech - Wednesday, 29 March 2006.
Email is without a doubt vital to almost all businesses today. Unfortunately, the vast majority of emails now passing across the Internet consist not of essential business messages or even personal correspondence, but spam.

Surveys of businesses and other organisations that rely on the Internet for their communications show that around 83 per cent of inbound email traffic is either spam or other types of illegitimate message. Together these are known as “dark traffic”.

A Growing Problem

As well as straightforward spam, dark traffic comprises directory harvest attacks (DHA); email denial of service (DoS) attacks; malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages.

Most conventional spam is purely commercial in intent, setting out to encourage Internet users to buy goods or services. Other messages are so-called “blended threats”: messages that use social engineering techniques to persuade recipients to open them and, typically, activate a Trojan, virus or other malware.

But a growing percentage of dark traffic aims to cause damage or disruption to a company or to its IT assets.

Denial of service attacks delivered over email, for example, could take down a company’s mail servers, rendering it unable to do business online. More sinister still, cyber criminals can use a combination of hacking and spam techniques to “harvest” email addresses and user identities, opening the door to further attacks.

Email-based denial of service attacks could also be directed at network providers, with the knock-on effect of damaging the communications of dozens of businesses that outsource their email hosting.

The threat to corporate IT systems is by no means static. As the quantity of both malformed emails and outright spam grows, legitimate email traffic on the Internet is being drowned out by dark traffic. Industry estimates suggest that just 27 per cent of email traffic is technically valid. Of that valid traffic, two thirds consists of spam or other unsolicited mails.

Why Businesses Need To Act

The vast majority of email security systems in production today scan only the content of messages, relying on techniques such as keyword scanning. This means they will accept the vast majority of malformed messages as legitimate.
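As an added example (not from the article), the following Python sketch shows the kind of protocol-level check that complements content scanning: it reads constructed SMTP session log lines and flags the directory harvest and malformed-SMTP sources the article describes, before any message content is inspected. The log format, client addresses and thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample of SMTP session log lines (not from the article), one
# command per line in the form: <client IP> <verb> <argument> <server reply code>
SAMPLE_LOG = """
203.0.113.5 RCPT TO:<alice@example.com> 250
203.0.113.5 RCPT TO:<bob@example.com> 250
198.51.100.9 RCPT TO:<aaron@example.com> 550
198.51.100.9 RCPT TO:<abby@example.com> 550
198.51.100.9 RCPT TO:<abe@example.com> 550
198.51.100.9 RCPT TO:<adam@example.com> 550
198.51.100.9 RCPT TO:<admin@example.com> 250
192.0.2.77 EHLO {{{garbage 501
192.0.2.77 RCPT TO:<> 501
"""

def parse_line(line):
    """Split '<ip> <verb> <argument> <code>'; return None for unparseable lines."""
    parts = line.split()
    if len(parts) < 3 or not parts[-1].isdigit():
        return None
    return parts[0], parts[1].upper(), " ".join(parts[2:-1]), int(parts[-1])

def score_sessions(log_text, min_rcpt=4, reject_ratio=0.5):
    """Per client IP, count RCPT TO attempts, recipient rejections (550/553) and
    SMTP syntax errors (500/501). Many attempts with a high rejection ratio is
    labelled a directory harvest; unparseable commands are labelled malformed SMTP.
    The thresholds are assumptions for this example, not figures from the article."""
    stats = defaultdict(lambda: {"rcpt": 0, "rejected": 0, "syntax": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, verb, _arg, code = parsed
        s = stats[ip]
        if verb == "RCPT":
            s["rcpt"] += 1
            if code in (550, 553):      # mailbox unavailable / name not allowed
                s["rejected"] += 1
        if code in (500, 501):          # syntax error in command or parameters
            s["syntax"] += 1
    verdicts = {}
    for ip, s in stats.items():
        if s["rcpt"] >= min_rcpt and s["rejected"] / s["rcpt"] >= reject_ratio:
            verdicts[ip] = "directory-harvest"
        elif s["syntax"] > 0:
            verdicts[ip] = "malformed-smtp"
        else:
            verdicts[ip] = "ok"
    return verdicts
```

Such a check runs at the SMTP session stage and costs far less than scanning a full message body, which is the point the article makes about where today's content-only filters fall short.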

Dark traffic is forcing businesses to invest in additional bandwidth, storage space and CPU capacity just to collect, store and forward enormous quantities of unwanted email traffic.

The very high ratio of illegitimate messages to legitimate mail forces companies to invest more and more resources in building spam detection and filtering systems. For some businesses, the need to scan the content of a vast amount of email, just to find the relatively small proportion of real messages, creates serious bottlenecks within the IT infrastructure.

Unless they act, CIOs could find themselves caught in a spiral of ever-greater investment in order to accommodate a growing quantity of messages that are of little or no value to their businesses.

Although there are some emerging email authentication standards, such as SPF, SenderID and DKIM, there is no expectation that these can resolve the spam problem. And as there is no real cost involved in sending email, there are few economic incentives to prevent spammers from continuing to ply their trade. Legal restrictions on spammers have been increased, in particular in the USA. But these measures will do little to deter the authors of other dark traffic types. Their actions are already illegal in much of the world, but enforcement remains extremely difficult. The onus remains on businesses to protect themselves.

What Can Be Done?
