Saturday 9 December 2006

Spam Volumes: What's Really Going on Here?

The sky is falling! The sky is falling! Spam has doubled / spammers are winning / spam is 80% of all mail / 90% of mail / 110%, etc. etc. etc...

Yawn.

I'm getting bored with self-serving anti-spam vendors flinging dubious statistics around. Yes, spam volumes have increased recently, but doubled? Much of this seems to be counting from an artificially-small base during a quiet summer for spam.

Here's my take on what's happening. A bit stream-of-consciousness, so please excuse. Grateful for your thoughts.

The growth in spam is chiefly down to two factors:

  1. Demand-side -- stock kiting gangs wanting access to more and more sending capacity
  2. Supply side -- new, bigger botnets with more sophisticated command and control mechanisms, which are more resistant to being shut down and can send fewer messages per zombie (because they're bigger), so stay under the radar longer
This is compounded by bad statistics, which make the growth seem bigger than it actually is:
  1. New botnets spewing spam from PCs not on blacklists, so a smaller proportion of spam gets rejected (and thus never seen in quarantines)
  2. New botnets resistant to anti-spam techniques such as greylisting (because they have real, autonomous MTAs), so a smaller proportion of spam gets rejected (and thus never seen in quarantines)
  3. New botnets employing content morphing tricks that are fooling many vendors' content filters, so more spam reaches the inbox -- then naive commentators wrongly assume that a doubling of spam in the inbox equals a doubling of spam on the Internet
The image spam messages tend to be about 10x bigger than "normal" (say median 30K compared with 3K), so spam volumes are now much higher in terms of bits on the wire.

Some anti-spam vendors are coping quite adequately with the new techniques, but seem to have broken PR departments ;-)

I trust Commtouch's and MessageLabs's data more than most -- my reading is that spam volumes increased measurably about a month ago, but not to the extent that Chicken Licken would have us believe.

Thoughts?

Friday 8 December 2006

Ciao! Interesting Social Engineering Attack

Here's an interesting way of getting your victim to download a Trojan horse. Some users in Italy have been receiving messages "from" a lawyers' office that appear to be replies to a message that the victim never sent.

The messages warn the victim that the lawyer has received pornographic spam from them, threatening the victim with legal action if it happens again. It goes on to say that the victim probably has some sort of virus on their PC and suggests that they download a virus cleanser, to which there's a helpful link in the message.

Of course, the link downloads a Trojan.

Not only that, but the names used for the lawyers seem to be real organizations. I've heard reports that at least one legal firm has four phones permanently tied up with victims calling about these "threatening-yet-helpful" messages apparently sent by the lawyers.

Like this post? Please Digg it, so others can find it.

Hat tip: Symantec's Security Response team.
Also noted by Paolo Attivissimo and Luca Curatola of Neodigital2k.

Tuesday 5 December 2006

"Challenge/response filters have more Achilles' heels than they have feet"

I am such a media whore. That was your humble blogger, quoted in an InformationWeek article:

Spam Filtering Floods Innocent Inboxes
Do challenge/response spam filtering systems create more problems than they solve? One analyst argues against them.
By Thomas Claburn

Two weeks ago, Ferris Research messaging analyst Richi Jennings awoke to find his e-mail inbox filling with spam at a rate of about a message per second. Over the course of two days, a spammer using a bot net -- a collection of PCs that have been subverted through security exploits to send spam -- sent an estimated 10 million messages that purported to come from several of Jennings's e-mail addresses.

That resulted in more than 25,000 bounce messages, from ISPs that return spam to the supposed sender (rather than deleting it) and from challenge/response filters that reply to spam with a note asking the listed sender to answer a challenge question before the initial message gets delivered.
...
Despite the fact the Symantec's Brightmail service did "an impressively good job" in blocking most of the bounced e-mails, Jennings nonetheless had to deal with hundreds of unwanted messages.
...
"Over the last year or two, I've spoken to countless challenge/response filter vendors and they all have their own excuse about why their solution is completely different, and really, yes, they agree this is a problem with badly written challenge/response spam filters, but their spam filter would never do anything so stupid and broken," says Jennings. "And of course I'm looking at an example from just about every one of those vendors that I got two weeks ago."
...
Tal Golan, CTO, president, and founder of Sendio, maker of a challenge/response e-mail appliance used by more than 150 enterprise consumers, disagrees strongly with Jennings's assertion that challenge-based filtering has problems. "Without question, the benefit to the whole community at large drastically outweighs that FUD [fear, uncertainty, and doubt] that's out there in the marketplace that somehow challenge/response makes the problem worse," he says. "The real issue is that filters don't work. From our perspective, challenge/response is the only solution. This whole concept of backscatter is just not true. Very, very rarely do spammers forge the e-mail addresses of legitimate companies anymore."

[Read the full article]