www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
28 July 2008  

Spam Menace

Eliminate Spam before it gets to your mail server

Perhaps no problem plagues the Internet as deeply as that of unsolicited junk e-mail, or spam. While it is quite annoying to end users, spam robs your company of productivity and of system resources, and it can be a nightmare for both network administrators and for those who own or manage a company.

By Renuka Vembu

"Current anti-spam solutions fall into four primary slabs — filters, reverse lookups, challenges, and cryptography. Each of these solutions offers some relief to the spam problem, but they also have significant limitations"

- Vikas Desai
Lead Technology Consultant, India and SAARC, RSA, The Security Division of EMC

"Deploying an anti-spam solution will prevent unsolicited e-mail but it requires expertise on anti-spam technology, proper configuration of the server and knowledge of the Mail eXchange record (MX) and DNS. It will increase the administrative control and resource utilization that is required to manage an anti-spam solution"

- Sekhar Dash
Manager, Offsite Delivery, SecureSynergy

"A business can either deploy an appliance or software within its network to weed out spam before it is delivered to the mail server or use Managed e-mail Security, wherein mail gets filtered at the domain level on the Internet"

- Prashant Mudbidri
Director, Logix Consultancy Group Pvt. Ltd.

"Parameters like number of employees in the organization using e-mail, number of messages per employee, average size of a message, the kind of business are some of the basic criteria that need to be considered while trying to map an application for any client"

- Kartik Shahani
Regional Director, McAfee India

"Spam clogs bandwidth, soaks up disk space, and slows servers, which often forces businesses to increase their storage capacity requirements. Smaller businesses working with minimal bandwidth are especially feeling the increasing strain that the spam is putting on their network"

- Prabhat Kumar Singh
Director, Symantec Response Lab

Today, both individuals and companies agree that spam is one of the biggest problems on the Internet. Mail servers, networks and user inboxes are being overwhelmed by the increasing incidence of spam, viruses, phishing frauds and other unwanted e-mail, which is estimated to account for 70-90% of all e-mail received. The Symantec Internet Security Threat Report XIII states that during H2 2007, spam made up 71% of all e-mail traffic monitored at the gateway, a 16% increase over the last six months of 2006. The report found that 80% of all spam detected during this period was composed in English, up from 60% in the previous reporting period. SecureSynergy reported that there was 100% growth of spam last year. Global spam levels are increasing all the time, hitting an all-time high of 95% of all e-mail sent during a peak in the third quarter of 2007, with a scaling trend expected in 2008 and 2009 as well. IDC estimated that the size of business e-mail volumes sent annually worldwide in 2007 was close to five exabytes, nearly doubling over the past two years.

This constant flood of spam not only clogs networks and adversely affects user inboxes, but also drains valuable resources such as bandwidth and storage capacity and interferes with the expedient delivery of legitimate e-mail, particularly in corporate set-ups. The administrative cost of dealing with this flood of spam and other unwanted e-mail is estimated to be as high as $800 per mailbox per year, resulting in a total cost of billions of dollars per year in lost productivity.

An evolving menace

The definition of spam has undergone a drastic change. Earlier, spam was defined as any mail that was unsolicited. This then moved to selling unacceptable stuff. Now spam has malicious content that causes a computer to crash, or contains links and attachments that gather confidential information without the user’s knowledge. Individual privacy as well as corporate security is easily compromised if spam floods the inbox. Threat patterns have evolved over time and are blended today. The evolving threats come in the form of viruses, malware, spam, phishing and pharming, and attack a network to steal information as well as reduce application and system performance.

Not all spam is malicious; there are even genuine messages that are blocked because they are unsolicited. Trying personally to figure out the possibility of a single relevant mail in a heap of spam is tedious and time-consuming. Venu Palakirti, Sales Director, India and SAARC Region/Director, F-Secure asserted, “The challenge for corporations is putting a policy and process around it rather than having to keep up with storage. The policy and process would include how long do you want to keep the spam for, how should you process a request to release an e-mail that ended up in the spam repository, how do you categorize spam. No internal mailing/distribution list should be allowed to receive e-mail from external parties and so on.”

However, spam has a dark side—it amounts to an increase in storage space, consumption of additional bandwidth, waste of time and loss of productivity. New age spam comes with heavy attachments in PDF format or JPEG files, thereby leading to increased bandwidth usage and additional storage space being consumed. Spammers have been designing new ways to evade spam filters. Even with a hit rate as low as 0.1%, spammers still have a substantial effect as they send tens of thousands of messages out into cyberspace. Spam can even enter through the medium of SMS, MMS, video clips on mobile phones, through downloads and game trials, etc.

Prabhat Kumar Singh, Director, Symantec Response Lab, opined, “Spammers have been working feverishly to devise new ways to evade spam filters. Today e-mail servers are now being flooded with image-based spam that looks like text-based spam, but consists of one or more images in order to defeat traditional spam filtering technology. This means that, more than ever, spam clogs bandwidth, soaks up disk-space, and slows servers, which often forces businesses to increase their storage capacity requirements.” Smaller businesses working with minimal bandwidth are especially feeling the increasing strain that spam is putting on their network, he added.

Different kinds of spam attacks

From mere marketing gimmicks advertising products, to endorsing unacceptable content, to virus infiltration, spam has evolved for the worse. According to Anand Iyer, President, Marketing, Gajshield, there are different types of spam, some of the key ones being:

  • Spam: Commercial and ideological spam is sent in large quantities; spammers are able to match the language to the country the spam is sent to. English spam is considered the most widely internationally distributed variant.
  • Phishing and Vishing (fraudulent messages): Messages generated by criminals who seek to make a quick buck by posing as banks, transaction-based Web sites (such as eBay and PayPal) and lottery authorities (winning notifications) fall under this category.
  • DoES: Denial of E-mail Service (DoES) attacks often originate from competition or protest. The purpose of the inflictor is to cause the mail server to overflow and cause it to reject further mail.
  • Mail-bombing: The intention of a mail-bombing initiator is to cause damage to an organization by filling the mail server’s hard drives, choking the organization’s bandwidth and slowing down the organization’s mail flow (causing an attack similar to DoES).
  • Trojan horses: They are generated from competition and commonly used to steal competitive information.
  • Open relay exploit: The SMTP protocol is old and buggy. Several exploits allow e-mail relay even when a server has not been configured as an open relay system. Spammers’ robots search for exploitable systems to use for spam distribution.
  • Non-Delivery Receipt (NDR): Recently, there is a growing phenomenon in which innocent recipients receive, on a daily basis, an alarming volume of NDR notifications, which are generated and sent from legitimate MTAs (Message Transfer Agents) that refuse to forward spam messages to targeted victims. These NDR notifications are sent back to the forged e-mail addresses in the ‘from’ address. While these NDR notifications are not spam messages, they are annoying just the same.

Security risk

Vikas Desai, Lead Technology Consultant, India and SAARC, RSA, The Security Division of EMC, categorized current anti-spam solutions into four primary slabs—filters, reverse lookups, challenges, and cryptography. Each of these solutions offers some relief to the problem, but each has its own significant limitations. Desai said that as spamming methods become more advanced, spam poses significant security risks, which include:

  • Identity theft: Phishing and other frauds are distributed as spam, directly leading to identity theft and fraud.
  • Viruses: New viruses, worms, Trojans and malware, such as Melissa, Love Bug, MyDoom, Black Widow, etc., used spam techniques to propagate after being triggered by the user.
  • Combining exploits and spam: The distinction between malicious hackers and spammers has become less obvious. Many spammers have incorporated malicious code that targets browser, HTML, and JavaScript vulnerabilities.
  • Combining viruses and spam: It is widely believed that some viruses are designed to assist spammers. For example, the SoBig worm installed open proxies that were used to relay spam. As spam becomes more prevalent, the use of malware and spyware to support spam is likely to increase.

Effect of spam on organizations
  • Buying larger recycle bins for junk mails
  • Loss of private and confidential data
  • Legal issues that might arise due to its content
  • Loss of bandwidth, storage space and resource wastage
  • Updating system requirements

Source: Microworld Technologies

Anti-spam deployments

To combat every threat, one needs sophisticated tools, which evolve with changing times. Vendors need to make solutions/design appliances that keep adapting themselves to the client requirements and meeting new challenges just as the threats get more serious. There is a need for end-to-end security.

Vendors suggest there are two different types of anti-spam deployments available to suit business requirements:

  • Desktop based anti-spam protection that integrates with an e-mail client and tags the spam messages and moves them to a designated spam folder. This is more suitable for home users and users having small networks without a dedicated e-mail server.
  • Server based anti-spam, which is installed on the e-mail server itself. It blocks incoming spam messages to all the mail-boxes at the server level. This protection is best suited for users having a large network and a dedicated e-mail server to send and receive e-mail. Here putting the anti-spam solution on the server is the most logical option.

Sekhar Dash, Manager, Offsite Delivery, SecureSynergy explained that deploying an anti-spam solution will prevent the delivery of unsolicited e-mail, but it requires expertise in anti-spam technology, proper configuration of the server and knowledge of Mail eXchange (MX) records and DNS. This will increase the administrative control and resource utilization required to manage an anti-spam solution. Sometimes genuine mail is quarantined or blocked due to poor configuration of an anti-spam solution. Organizations can choose either to install anti-spam software or hardware to protect the e-mail server or to outsource the task to a Managed Security Services (MSS) provider. In MSS, the spam and malicious content is blocked before it reaches an organization’s gateway or mail server. Outsourcing to a Managed Security Services provider not only reduces the organization’s resource utilization but also saves time and bandwidth utilization.


Source: Logix Consultancy Group Pvt. Ltd.

As per Prashant Mudbidri, Director, Logix Consultancy Group Pvt. Ltd., there are primarily two solution sets available to combat spam:

  • A premise or in-house solution, wherein you deploy the appliance or software within your network to weed out spam before it is delivered to the mail server.
  • The Outsourced Model, popularly known as Managed E-mail Security, wherein mail is filtered at the domain level on the Internet and what comes in is only clean mail; even the outbound route gets treated the same.

Iyer explained, “New virus distribution methods designed to thwart signature-based anti-virus technology are on the rise. These include ‘short span attacks’, serial variant attacks and attacks launched from botnets. Today’s viruses, worms, Trojans and malware target the primary weakness in anti-virus technology: the time it takes for new signatures or heuristics to be developed and distributed. The result is that customers are without protection for the critical initial period of 12-20 hours when the spread of the viruses or worms is the highest and are bound to get infected by viruses during this time frame.”

Key aspects while designing a product/ solution
  • Accuracy of spam filtering
  • Accuracy of virus and new virus outbreak filtering
  • False positive ratios (legitimate mails trapped as spam)
  • Quarantine management
  • End-user access and release functionality of false positive mails
  • Future proofing
  • Mail tracking
  • Redundancy
  • High availability, single point failure

Source: Logix Consultancy Group Pvt. Ltd.

Designing an anti-spam solution

There are several parameters to be followed while designing any product/solution, which can be application software or a network solution. Kartik Shahani, Regional Director, McAfee India, said that parameters such as the number of employees in the organization using e-mail, the number of messages per employee, the average size of a message and the kind of business it is engaged in would give a fix on network traffic, and this is required to map an application for any client. He said that malware extrapolated to phishing attacks, then to e-mail and voice.

Surendra Singh, Regional Director, SAARC and India, Websense Inc, opined that hosted e-mail, which is adopted on a wide basis internationally, would be the best answer to combat the growing threat of spam. The primary challenge in formulating and deploying any solution is that it should scale as per the requirement and handle the workload. A virus creator does not stop at releasing his creation into the wild. He comes up with variations of the same virus, and hence anti-virus solutions have to be updated constantly with the latest patches or signatures.

Palakirti stated that functionality, usability and security were the three key aspects that an anti-spam solution had to have. “The product must be able to function according to your expectations and it should be user friendly enough, and most importantly, it must be secure. Security should not be bolt on; it must be built in and thought of from the very beginning when you are designing the product,” he asserted.

Mahesh Gupta, Business Development Manager, Network Security, Cisco India and SAARC, added that intelligence needs to be at the end-point, with the network segmented into multiple domains and the monitoring and visibility aspect given due prominence.

Dash opined that a combination of old and new detection technologies would prevent spam. Spammers are using the lexical text analysis method to bypass an anti-spam solution, which examines the content of the e-mail and looks for strings of text that can be interpreted as spam, such as offers to purchase something, offers to use services, solicitations to visit a Web site, etc. It is based on lexical rules that include Boolean logic with operators like OR, AND, NOT, etc. However, using the following combination of techniques, spam can be reduced to the lowest possible minimum without blocking legitimate e-mail.

  • Real-time black lists (RBL)
  • Internal black lists
  • DNS lookup
  • Spoofed sender
  • Header analysis
  • Mail-bombing prevention
  • E-mail harvesting prevention
  • Subject analysis
  • Spam database
  • Lexical text analysis
  • Statistical text analysis
  • Heuristic analysis
  • Porn image detection
  • Web Beacon detection
  • Optical Character Recognition (OCR)
  • Text manipulation detection
  • URL classification
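
Lexical rules with Boolean operators, as described above, shown as an added example (not from the article or any vendor quoted in it). The rule set, the character-substitution table and the sample messages are constructed for illustration; the normalization pass stands in for the "text manipulation detection" item in the list, and the NOT clause shows how a rule can avoid blocking legitimate mail.

```python
import re

# Constructed table of common character swaps (an assumption, not from the article).
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s"})
# Single letters split by punctuation or spaces, e.g. "b.u.y" or "f r e e".
SPLIT_WORD = re.compile(r"\b(?:[a-z][\W_]){2,}[a-z]\b")


def normalize(text):
    """Undo simple text manipulation so lexical rules see the intended words."""
    text = text.lower().translate(SWAPS)
    text = SPLIT_WORD.sub(lambda m: re.sub(r"[\W_]", "", m.group()), text)
    return re.sub(r"\s+", " ", text).strip()


def matches(rule, text):
    """Evaluate a rule: a phrase, or a tuple ("AND" | "OR" | "NOT", operands...)."""
    if isinstance(rule, str):
        return re.search(r"\b" + re.escape(rule) + r"\b", text) is not None
    op, *operands = rule
    if op == "AND":
        return all(matches(r, text) for r in operands)
    if op == "OR":
        return any(matches(r, text) for r in operands)
    if op == "NOT":
        return not matches(operands[0], text)
    raise ValueError(f"unknown operator: {op}")


# Constructed rules: an offer to purchase, and a solicitation to visit a site.
RULES = {
    "purchase-offer": ("AND", ("OR", "buy now", "order today"),
                       ("OR", "discount", "free"),
                       ("NOT", "invoice number")),  # guard against false positives
    "visit-site": ("AND", "click here", ("OR", "limited offer", "winner")),
}


def classify(message, normalize_first=True):
    """Return the sorted names of the rules that fire on the message text."""
    if normalize_first:
        text = normalize(message)
    else:
        text = re.sub(r"\s+", " ", message.lower())
    return sorted(name for name, rule in RULES.items() if matches(rule, text))


# Constructed sample messages.
SPAM = "B.u.y n0w and get a FREE watch, limited offer, click here"
INVOICE = "Invoice number 4471: order today to keep your discount"

if __name__ == "__main__":
    for msg in (SPAM, INVOICE):
        print(classify(msg), "<-", msg)
```

Without the normalization pass the manipulated message trips only one of the two rules, and the invoice message trips none because of its NOT clause.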

Issues to be addressed

Ram Kumar Balina, Director, Global IT Operations and Information Security, Virtusa opined on the core issues that need to be dealt with:

  • Ensure that the product does not send unsolicited mail, which could potentially be considered as spam.
  • Ensure the products do not publish contact details of people that can be used for spreading spam.
  • The products do not communicate to any public SMTP servers that could exploit the systems and end up spreading spam.
  • The product should be modular, to fix any issues that could potentially be exploited for spreading spam.
  • Ensure that a team is available and that it addresses any complaints from the customer.

Capt. Raghu Raman, CEO, Mahindra Special Services Group (MSSG), explained that opportunity loss was one of the principal concerns, as legitimate e-mail sometimes is caught in the process.

Spam is a combination of unsolicited junk, harmful content like contraband, pornography, or anything with a shade of vulgarity, and malicious software. Capt. Raman firmly said that spam was a behavioral problem. He was also optimistic that the problem was a significant one affecting both government and industry alike, and that by 2010 there will be action initiated against spammers. He also stressed solutions such as strategic-level initiatives, collaborative initiatives, and an architecture enveloping several layers.

Going by the suggestions and expert views, it is recommended that more than products, organizations should plan proper policies to handle spam, analyze their mail patterns and conduct periodic reviews to reduce the menace of spam.

renuka.vembu@expressindia.com

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.