Posted: Wed, April 18, 2007
ISPs on front line as spam arms race escalates
by Paul Thackeray
ISPs are finding themselves on the front line in the fight against increasingly sophisticated new ways of distributing spam. The latest spam trends, designed to fool traditional spam filtering methods, are sending the amount of spam through the roof: according to the latest industry estimates, spam accounts for as much as 80-85% of total email volume. ISPs have to invest heavily in anti-spam solutions simply to ensure email remains a useful tool for users.
So-called "pump and dump" scams, in which minor stocks are promoted, and graphics-based spam are among the latest methods used by spammers in an effort to make a profit from sending spam.
The amount of spam traffic being filtered through ISPs increased four-fold in the last months of 2006. From an end-user perspective, although more spam is getting through, for most people spam levels remain well below five percent of all emails received. This is testimony to the hard work that the industry - anti-spam vendors and ISPs together - has put in behind the scenes.
The reason for the rise in "pump and dump" spam is that it does not require a link back to a website or ordering system, making it harder to trace its origins. Furthermore, the authorities have so far not
caught any perpetrators. The messages have no constant wording, but instead tend to favour strings of random words or conversational-style prose to introduce the stock ticker value. This means there
is not a lot for a conventional Bayesian filter to recognise.
Industry bodies like the London Internet Exchange (LINX) are calling for filters capable of examining token groups in addition to single-word tokens. This would increase detection rates for those
emails with words that do not conform to any recognised sentence construction.
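
Added example, not part of the original article or any vendor's filter: a small naive Bayes scorer showing why word pairs ("token groups") catch a stock pitch that single-word tokens miss. The corpus, the sample message and all function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed training mail (not real traffic). The stock spam pads its pitch
# with random words, and "strong", "buy", "price", "target" also occur in ham.
CORPUS = [
    ("ham", "please buy milk on the way home tonight"),
    ("ham", "the price list is attached for your review"),
    ("ham", "strong coffee before our target date on friday"),
    ("spam", "garden river strong buy window alert lamp seven"),
    ("spam", "cloud price target orange chair strong buy days"),
    ("spam", "purple kettle marble price target pepper tunnel ribbon"),
]
# Constructed test message: the pitch wrapped in words borrowed from ham.
SAMPLE = "tonight coffee strong buy review price target home"

def tokens(text, groups):
    """Single-word tokens, plus adjacent word pairs when groups is True."""
    words = text.lower().split()
    pairs = [f"{a} {b}" for a, b in zip(words, words[1:])] if groups else []
    return words + pairs

def train(corpus, groups):
    """Count token occurrences per class."""
    counts = {"spam": Counter(), "ham": Counter()}
    for label, text in corpus:
        counts[label].update(tokens(text, groups))
    return counts

def log_odds(counts, text, groups):
    """Naive Bayes log-odds of spam vs ham (equal priors, add-one smoothing).
    Tokens never seen in training carry no evidence and are skipped."""
    vocab = set(counts["spam"]) | set(counts["ham"])
    n_spam = sum(counts["spam"].values()) + len(vocab)
    n_ham = sum(counts["ham"].values()) + len(vocab)
    score = 0.0
    for tok in tokens(text, groups):
        if tok in vocab:
            p_spam = (counts["spam"][tok] + 1) / n_spam
            p_ham = (counts["ham"][tok] + 1) / n_ham
            score += math.log(p_spam / p_ham)
    return score

if __name__ == "__main__":
    for groups in (False, True):
        score = log_odds(train(CORPUS, groups), SAMPLE, groups)
        label = "spam" if score > 0 else "ham"
        print(f"token groups={groups}: log-odds {score:+.2f} -> {label}")
```

With single words only, the sample scores as ham (log-odds about -1.15); once the pairs "strong buy" and "price target" are counted, it scores as spam (about +1.05).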
In 2006, spammers also began to produce graphics-based spam in order to beat filters that had no optical character recognition (OCR) capability. Analysis by our own labs found that as much as 25 percent of all spam messages, especially developing stock and Viagra spam, contain images. The images are usually combined with text.
Again the industry has responded. Anti-spam vendors have been extremely successful at creating fingerprints for this type of image spam. This reduces a lot of the horsepower problems associated with processing image spam. Nevertheless ISPs are investing in more filtering equipment simply to keep pace with the rising tide of spam.
Researchers at the University of Cambridge report that in June 2006, one particular British ISP was receiving around 6 million emails a day of which 2 to 2.5 million were legitimate ones. By September, the figure was 12 million a day, rising to 18 million a day in October and peaking at 26 million a day by year end (legitimate email has remained constant throughout at 2 to 2.5 million a day).
In the same period their end users have only seen a relatively small rise in the amount of spam reaching their mailboxes. This is a great compliment to ISPs and the industry as a whole. It is virtually impossible to run an ISP today without a robust, state-of-the-art filtering system.
Most spam in the UK originates from abroad. The other major source is client PCs, often in the home, that are not properly secured. The good news is that legislation is helping to keep the lid on the spam problem within the UK. Examples of UK companies sending bulk email are rare these days - partly because of legislation, partly because it harms their reputation and partly because of the market education efforts of industry bodies like LINX.
Currently the industry appears to have the spam problem pretty much contained. Even though spam volumes are rising sharply, the industry continually fights back through advances in spam-filtering
technology.
But we can expect the criminals and spammers to swing the pendulum back in their favour. According to Spamhaus, a leading anti-spam organisation, there are just 220 spam gangs (about 1,000 internet users) out of a global internet population of more than a billion. People are now paid to design new kinds of spam. They have their own filters and if their spam is blocked, they simply keep adjusting it until the filter lets it through.
There is also more evidence of harnessing botnets - groups of about 10 or so compromised machines - for Google click fraud, sending spam, DoS attacks and for hosting phishing sites. A US-based research company recently reported that as many as 600 new botnets are formed each week.
In summary, the fight against spam is a continual arms race and ISPs are battling daily to stay ahead of a relatively small but determined number of spam gangs operating on a very large scale. For the moment at least, it seems the problem has been contained; however, the trend toward more sophisticated social engineering techniques and increasingly targeted attacks means the race is far from over.
Paul Thackeray is VP EMEA of Barracuda Networks. The company is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated Information security event. Now in its 12th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,600 visitors from every segment of the industry. Held on 24-26 April 2007 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security.