Computer Crime Research Center


Controlling spam

Date: September 29, 2005

Today, almost all businesses rely on email for part of their communications needs. Yet a staggering proportion of email messages are destined not to communicate, but to do damage.

Industry estimates suggest that as much as 70 per cent of all email traffic is technically illegitimate: it is either wrongly addressed, contains malformed SMTP packets, or is part of a denial of service attack or and attempt to harvest corporate email addresses.

Conventional anti-spam technologies struggle to cope with this increasing volume of illegitimate messages, not least because they have to scan the content of each email to determine whether or not it is spam. Doing so - as well as storing and processing large volumes of unwanted messages - robs companies of valuable IT resources.

Dealing with illegitimate messages at the edge, based on information contained in the email’s “envelope”, is the only proven way to remove a large percentage of illegitimate messages before they even reach companies’ servers. This saves resources, and eases the work of content-based anti-spam systems and will cut the number of unwanted messages reaching the desktop.

The scale of the threat

Email is without a doubt vital to almost all businesses today. Unfortunately, the vast majority of emails now passing across the Internet consist not of essential business messages or even personal correspondence, but spam.

Surveys of businesses and other organisations that rely on the Internet for their communications show that around 70 per cent of inbound email traffic is either spam, or other types of illegitimate messages. Together these are known as “dark traffic”.

As well as straightforward spam, dark traffic comprises directory harvest attacks (DHA); email denial of service (DoS) attacks; malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages.

Most conventional spam, is purely commercial in its intent, setting out to encourage Internet users to buy goods or services. Others are so-called “blended threats”, messages that use social engineering techniques to persuade recipients to open the message and, typically, activate a Trojan, virus or other malware.

But a growing percentage of dark traffic aims to cause damage or disruption to a company or to its IT assets.

Denial of service attacks delivered over email, for example, could take down a company’s mail servers, rendering it unable to do business on line. More sinister still, cyber criminals can use a combination of hacking and spam techniques to “harvest” email addresses and user identities, opening the door to further attacks.

Email-based denial of service attacks could also be directed at network providers, with the knock-on effect of damaging the communications of dozens of businesses that outsource their email hosting.

The threat to corporate IT systems is by no means static. As the quantity of both malformed emails and outright spam grow, legitimate email traffic on the Internet is being drowned out by dark traffic. Industry estimates suggest that just 30 per cent of email traffic is technically valid. Of that valid traffic, two thirds consists of spam or other unsolicited mails. Just one in 10 emails are both legitimate and genuine.

The vast majority of email security systems in production today scan only for the content of the messages, relying on techniques such as keyword scanning. This means they will accept the vast majority of malformed messages as legitimate.

These messages move through a company’s perimeter defences unchecked and pass on intact to email systems and often, the desktop. This places an enormous and unnecessary burden on networks and server resources, as well as wasting staff time.

Dark traffic is forcing businesses to invest in additional bandwidth, storage space and CPU capacity just to collect, store and forward enormous quantities of unwanted email traffic. .

The very high ratio of illegitimate messages to legitimate mail forces companies to invest more and more resources in building spam detection and filtering systems. For some businesses, the need to scan the content of a vast amount of email, just to find the relatively small proportion of real messages, is creates serious bottlenecks within the IT infrastructure.

Unless they act, CIOs could find themselves caught in a spiral of ever-greater investment in order to accommodate a growing quantity of messages that are of little or no value to their businesses.

There are no authentication standards built in to the SMTP email protocol. And as there is no real cost involved in sending email, there are few economic incentives to prevent spammers from continuing to ply their trade. Legal restrictions on spammers have been increased, in particular in the USA. But these measures will do little to deter the authors of other dark traffic types. Their actions are already illegal in much of the world, but enforcement remains extremely difficult. The onus remains on businesses to protect themselves.

Dark traffic analysed

Some dark traffic is a by-product of conventional spam: emails generated automatically by a spammer’s software; obsolete addresses and addresses that users or IT departments have registered, in order to trace spam. Some email - although the amount is generally accepted to be small - is legitimate email accidentally misrouted by the sender.

But a much greater percentage of dark traffic is specifically targeting enterprises and other large organisations, with a view to either damaging their communications abilities, or to gather email addresses to use as the basis for further spam. These attacks are known as denial of service (DoS) and directory harvest attacks (DHA) respectively.

Denial of service attacks against web servers and other enterprise IT assets are well documented, but attacks specifically targeting email infrastructure are a more recent development.

As many as 60 per cent of companies that responded to a recent industry survey reported that they had been hit by an email denial of service attack (see research release attached with UK specific stats). Over half of these said that they had suffered multiple attacks. In the UK, 17 per cent of companies were hit by a denial of service attack late year. Among larger firms -- those with over 10,000 staff -- the percentage rises to one third of companies.

Some companies report that they are being targeted by multiple attacks; these attacks are also known as “mail bombing” or “flooding”.

Increasingly, cyber criminals are making use of remote computers -- or Zombies -- to launch distributed denial of service attacks against a range of systems, including email infrastructure. Distributed attacks have the advantage, from the hacker’s point of view, of causing more damage more quickly and being harder to trace to the point of origin. It might also be harder for information security professionals to guard against distributed attacks.

The growth of home PC ownership and broadband connections in particular has made it easier for cyber criminals to launch distributed denial of service attacks, particularly by exploiting vulnerabilities on unwitting users’ computers.

Administrators face the problem that, to most security systems, email-based denial of service attacks appear to be legitimate traffic. It is the sheer volume that aims to disable or disrupt systems.

By targeting email, hackers can cause widespread disruption. The targeted organisation’s mail server might drop connections or refuse legitimate email. Customers trying to reach the organisation will fail to do so, and the attack victim might never establish the value of the business lost as a result.

Directory harvest attacks (DHAs) are particularly worrying to IT managers because they aim to gather information that cyber criminals can use to further compromise IT systems.

The most common reason a cyber criminal would deploy a directory harvest attack over the Internet is order to identify a company’s genuine email addresses. These would then be used either directly by the spammer behind the DHA, or sold on.

The DHA works by a process of elimination. If the sending computer does not receive an invalid recipient reply, then it treats the address as verified and uses it for spam or other purposes.

Gathering email addresses in this way, to generate spam, is an obvious nuisance. But concern is growing among security professionals that cyber criminals are using DHAs in order to establish user names for directory management systems and software applications.

Armed with valid user IDs, the cyber-criminal can use dictionary attacks to establish passwords. Such an attack is likely to break one in 100 mailboxes. Only one valid log in is needed to compromise a corporate email system.

DHA attacks also have the effect of delaying or disrupting legitimate email traffic. Figures from the UK suggest that one in 10 companies overall, and a fifth of large companies, have experienced a directory harvest attack in the last year. Perhaps as worrying, 20 per cent of IT directors did not know whether their organisations had been attacked.

Protecting against dark traffic

By its nature, dark traffic cannot be prevented at an Internet-wide level. For its part, anti-spam legislation...
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo