
Spam: a man-made email security disaster in its own right

In August 2005, the levees in New Orleans fought hard to withstand the pressure, but the volume of water was simply more than they were designed to handle. The destruction that resulted has been well documented, and one year later we are still seeing the effects of the storm. While the damage caused by spam does not equal the devastation seen in New Orleans, email systems around the world face a surge of spam many times larger than what those systems were architected to handle. The result of this overload is email downtime and lost messages, disrupting business and personal communications.

The force behind this is not global warming or climate change but a set of changes driven by a global network of profit-seeking businesspeople, technologists and criminals. This collaboration crosses geographic boundaries and political borders. It is the perfect storm: hackers who have honed their skills over the years by writing viruses and defacing websites, and a group of unscrupulous marketing and sales managers who offer them a way to monetize that skill set. Together they have created a multimillion-dollar market.

Their quest for higher profits has severely polluted the email ecosystem. In the physical world, we consider the air polluted when it contains 200 parts of pollutant per million parts of air. In the email ecosystem, there are 780,000 spam messages per million email messages. The pollution of the email ecosystem on a good day is more than three orders of magnitude worse than the smog in Los Angeles on a bad day. This pollution is costly. A typical Fortune 2000 company invests about $10 million in its email infrastructure, and 78 percent of that, $7.8 million, is spent just to receive unwanted messages, phishing and viruses.

Beyond this quantitative view, email communication is suffering from a loss of trust. Spoofing and phishing have caused end users to question the legitimacy of every message, so even genuine emails are ignored. Think of the burden this places on financial institutions and other companies that regularly communicate with customers via email. It is an entirely new form of denial of service: these companies cannot communicate with their own customers because of this distrust of email. Further, the fear of false positives (legitimate emails blocked by spam filters) has caused many to treat email as an unreliable transport. How many times has someone called you to make sure you received an email they sent? This has fundamentally changed email from a reliable service to a best-effort one.

The attackers have made changes that have rattled most "common knowledge." By this I mean that the core assumptions on which anti-spam systems were built are now outdated. For example, for years content filtering was used to find words commonly seen in spam, such as "mortgage rates" or "cheap Rolexes." Today's image spam makes content filtering useless: all of the text is embedded in a graphic, so there is no text content to filter. Another anti-spam approach popularized a few years ago focused on the call to action, that is, the website, email address or phone number the spammer wanted you to use to buy whatever was being advertised. That approach is useless against stock spam, a growing breed of spam that does not try to sell a product directly but instead promotes a stock, and so carries no call to action to filter on.
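The content-filtering failure described above, as an added example that is not from the article or from Secure Computing: a word-list filter built on Python's standard `email` library, run over two constructed messages. The first carries the pitch in its text body and is caught by the article's own example phrases; the second carries the same pitch only inside an attached image (a constructed placeholder GIF stands in for the advertisement), so the filter has nothing to match. All addresses, subjects and bodies are constructed.

```python
"""Word-list content filter run over two constructed messages.

Added example (not from the article): a text-only pitch is caught by
scanning the text parts for the article's example phrases, while an
image-only message offers the same filter no text to score.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Phrases the article names as classic content-filter triggers.
SPAM_PHRASES = ("mortgage rates", "cheap rolexes")

# Constructed 1x1 GIF; stands in for the advertising image of real image spam.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def build_text_spam() -> bytes:
    """Constructed sample: the pitch is in the text body, so it is filterable."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "offers@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Lowest mortgage rates this year"
    msg.set_content("Refinance today! Our mortgage rates beat every bank.\n"
                    "While you are here: cheap Rolexes, shipped worldwide.")
    return msg.as_bytes()


def build_image_spam() -> bytes:
    """Constructed sample: the same pitch lives only inside the attached image."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "offers@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Hello"
    # Real image spam carries random "hash-buster" words or nothing at all;
    # the advertisement itself is the picture.
    msg.set_content("tomorrow lantern river")
    msg.add_attachment(TINY_GIF, maintype="image", subtype="gif",
                       filename="offer.gif", disposition="inline")
    return msg.as_bytes()


def filterable_text(raw: bytes) -> str:
    """Everything a content filter can see: the subject plus every text part."""
    msg = message_from_bytes(raw, policy=policy.default)
    pieces = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            pieces.append(part.get_content())
    return " ".join(pieces).lower()


def image_part_count(raw: bytes) -> int:
    """Number of image MIME parts; image spam has at least one."""
    msg = message_from_bytes(raw, policy=policy.default)
    return sum(1 for p in msg.walk() if p.get_content_maintype() == "image")


def phrase_hits(raw: bytes) -> list:
    """Which spam phrases appear in the filterable text, in list order."""
    text = filterable_text(raw)
    return [p for p in SPAM_PHRASES if p in text]


def verdict(raw: bytes) -> str:
    """'spam' on a phrase hit; 'unscored-image' when the message is mostly an
    image with almost no text, i.e. the word list had nothing to work with."""
    if phrase_hits(raw):
        return "spam"
    if image_part_count(raw) and len(filterable_text(raw).split()) < 10:
        return "unscored-image"
    return "clean"


if __name__ == "__main__":
    for name, raw in (("text spam", build_text_spam()),
                      ("image spam", build_image_spam())):
        print(name, "->", verdict(raw), phrase_hits(raw))
```

The `unscored-image` outcome is the point: the second message is just as much an advertisement as the first, but a filter that only scores text sees a four-word body and an opaque attachment, which is why the article calls word-based content filtering useless against image spam.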

The attackers have changed not only their messages but also their delivery mechanisms. Zombies, compromised machines that carry out the work of their controllers, have become the No. 1 source of threats on the internet. About 260,000 new zombies are activated daily, a number that has increased 40 percent in the last year and that works out to three new zombies every second. Traditional reactive approaches such as blacklists and virus signatures cannot keep up with a threat that is so distributed and propagates so rapidly.

There are two approaches that organizations must adopt to protect against today's messaging threats: authentication and reputation systems. Authentication mechanisms such as Sender ID and DomainKeys Identified Mail (DKIM) allow an organization to reclaim its email identity and brand. Today about one-third of all email is authenticated, meaningful adoption given that the proposals were only being formed in the Anti-Spam Research Group three years ago. Reputation systems give organizations global intelligence that they can apply locally to protect against zombies and other malicious hosts.
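The two controls named above, combined into one gateway decision, as an added example that is not from the article or from any Secure Computing product. It implements an SPF-style path check (Sender ID builds on SPF syntax but evaluates a different identity, the purported responsible address; DKIM, which signs the message itself, is not shown), evaluated against a constructed stand-in for DNS TXT lookups, plus a lookup in a constructed IP reputation table. Only the `ip4` and `all` mechanisms are implemented; domain names, addresses, records and reputations are all constructed.

```python
"""SPF-style sender authentication plus an IP reputation lookup.

Added example (not from the article): evaluates a constructed SPF record
for the connecting IP, consults a constructed reputation table, and
combines both into a fail-closed accept/reject decision.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups; no network access is made.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "partner.example": "v=spf1 ip4:203.0.113.0/28 ~all",
}

# Constructed reputation feed: the "global intelligence" applied locally.
IP_REPUTATION = {
    "192.0.2.0/24": "good",
    "203.0.113.0/24": "zombie",  # block observed sending from compromised hosts
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for domain vs client IP.

    Only the ip4 and all mechanisms are implemented; a full evaluator
    (RFC 4408 at the time, RFC 7208 today) also handles a, mx, include,
    redirect and the rest of the syntax.
    """
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"  # domain publishes no record: nothing to authenticate against
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term closed the record


def reputation(client_ip: str) -> str:
    """Look the connecting IP up in the constructed reputation feed."""
    ip = ipaddress.ip_address(client_ip)
    for cidr, verdict in IP_REPUTATION.items():
        if ip in ipaddress.ip_network(cidr):
            return verdict
    return "unknown"


def gateway_decision(mail_from_domain: str, client_ip: str) -> str:
    """Fail-closed policy: only authenticated mail from good hosts is accepted
    outright; a known zombie is rejected even when its SPF result is pass."""
    spf = spf_check(mail_from_domain, client_ip)
    rep = reputation(client_ip)
    if rep == "zombie" or spf in ("fail", "permerror"):
        return "reject"
    if spf == "pass" and rep == "good":
        return "accept"
    return "quarantine"  # unauthenticated or unknown: hold rather than trust


if __name__ == "__main__":
    for domain, ip in (("bank.example", "192.0.2.77"),
                       ("bank.example", "203.0.113.5"),
                       ("partner.example", "203.0.113.9"),
                       ("nobody.example", "198.51.100.200")):
        print(domain, ip, spf_check(domain, ip), reputation(ip),
              "->", gateway_decision(domain, ip))
```

The `partner.example` case shows why the two controls are complementary: the record authorizes the host, so authentication alone would pass the message, but the reputation feed knows the same host as a zombie and the gateway rejects it. Conversely, a domain with no record and an IP nobody has seen before is quarantined rather than accepted, which is the fail-closed posture the article argues for.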

The trends signified by authentication and reputation systems are promising. First, the industry is moving from relying simply on detection mechanisms to preventive and protective approaches. Second, the authentication movement marks a shift from a fail-open approach that focuses on detecting spam to a fail-closed approach that also identifies legitimate traffic and ensures its delivery. Whatever shape these trends take, the security world continues to build stronger levees, protecting networks from the ongoing storms of messaging threats.

-Paul Judge is CTO of Secure Computing.
