The Pathogenesis of Dark Traffic Attacks

Email is without a doubt vital to almost all businesses today. Unfortunately, the vast majority of emails now passing across the Internet consist not of essential business messages or even personal correspondence, but spam.

Surveys of businesses and other organisations that rely on the Internet for their communications show that around 83 per cent of inbound email traffic is either spam, or other types of illegitimate messages. Together these are known as “dark traffic”.

A Growing Problem

As well as straightforward spam, dark traffic comprises directory harvest attacks (DHA); email denial of service (DoS) attacks; malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages.

Most conventional spam, is purely commercial in its intent, setting out to encourage Internet users to buy goods or services. Others are so-called “blended threats”, messages that use social engineering techniques to persuade recipients to open the message and, typically, activate a Trojan, virus or other malware.

But a growing percentage of dark traffic aims to cause damage or disruption to a company or to its IT assets.

Denial of service attacks delivered over email, for example, could take down a company’s mail servers, rendering it unable to do business on line. More sinister still, cyber criminals can use a combination of hacking and spam techniques to “harvest” email addresses and user identities, opening the door to further attacks.

Email-based denial of service attacks could also be directed at network providers, with the knock-on effect of damaging the communications of dozens of businesses that outsource their email hosting.

The threat to corporate IT systems is by no means static. As the quantity of both malformed emails and outright spam grow, legitimate email traffic on the Internet is being drowned out by dark traffic. Industry estimates suggest that just 27 per cent of email traffic is technically valid. Of that valid traffic, two thirds consists of spam or other unsolicited mails.

Why Businesses need To Act

The vast majority of email security systems in production today scan only for the content of the messages, relying on techniques such as keyword scanning. This means they will accept the vast majority of malformed messages as legitimate.

Dark traffic is forcing businesses to invest in additional bandwidth, storage space and CPU capacity just to collect, store and forward enormous quantities of unwanted email traffic.

The very high ratio of illegitimate messages to legitimate mail forces companies to invest more and more resources in building spam detection and filtering systems. For some businesses, the need to scan the content of a vast amount of email, just to find the relatively small proportion of real messages, is creates serious bottlenecks within the IT infrastructure.

Unless they act, CIOs could find themselves caught in a spiral of ever-greater investment in order to accommodate a growing quantity of messages that are of little or no value to their businesses.

Although there are some emerging email authentication standards, such as SPF, SenderID and DKIM, there is no expectation that these can resolve the spam problem. And as there is no real cost involved in sending email, there are few economic incentives to prevent spammers from continuing to ply their trade. Legal restrictions on spammers have been increased, in particular in the USA. But these measures will do little to deter the authors of other dark traffic types. Their actions are already illegal in much of the world, but enforcement remains extremely difficult. The onus remains on businesses to protect themselves.

What Can Be Done?

By its nature, dark traffic cannot be prevented at an Internet-wide level. For its part, anti-spam legislation only acts as a limited deterrent to those intent on dark traffic attacks. The very fact that dark traffic takes on the appearance of legitimate email means that it is not visible to many of the information security measures currently operated by Internet service providers and companies.

The only way to determine whether an email message is legitimate or dark traffic is to compare the addressee with entries in a company’s directory. If the addressee is listed, the email could still be spam, but the vast majority of illegitimate emails, including most of the traffic used for both denial of service and directory harvest attacks, would remain undelivered.

Businesses, however, will be understandably reluctant to hand over their directory details to third parties, even where doing so will improve their information security defences. But businesses can deploy solutions at the edge of their networks that will filter out malformed SMTP packets, denial of service attacks (based on the messages originating from one or a small number of IP addresses) and directory harvest attempts.

Such technology does not replace anti-spam systems based on content filtering, but works alongside them. Conventional spam filtering remains necessary to protect employees’ mailboxes from spam launched against pre-harvested addresses or those bought from a list, as well as for other purposes such as blocking messages with inappropriate content.

Building a layered approach to spam is both efficient and more effective. Two sets of filtering systems greatly cuts the chances of spam messages slipping through the net, but it should also reduce the number of “false rejects” by allowing finer tuning of content-based filters.

But the main argument for deploying scanners at the edge to pick up and block dark traffic is efficiency.

Given that only around 10 per cent of email is legitimate traffic, but that 83 per cent of all messages are believed to be denial of service attacks, directory harvest attacks or have invalid recipients, blocking this mail at an early a stage as possible vastly reduces the load on conventional, content-based filtering systems.

Edge-based systems work by examining the sender’s IP address and the “envelope” headers of an email message, in order to detect dark traffic. If the message is rejected, the content simply never reaches the content filtering systems, let alone the corporate email servers.

As an edge system only looks at envelop data, it will typically be five to six times as quick as a content filter with a similar configuration. In fact, combining a single content filter system with an edge-based filter should be as effective as six standalone content filters.

By blocking more illegitimate email, the combined filters will also save on storage and processing needs, further bolstering the return on investment. Moreover, only edge-based systems can pick up and block denial of service attacks. By the time the messages reach the content filters, it is already too late to stop a denial of service attack.

Filtering out dark traffic at the network edge is cost effective, removes bottlenecks and ultimately, improves corporate information security in a way that other anti-spam measures cannot achieve on their own.

Don't miss