Computer Crime Research Center


Controlling spam

Date: September 29, 2005

... Internet-wide level. For its part, anti-spam legislation only acts as a limited deterrent to those intent on dark traffic attacks. The very fact that dark traffic takes on the appearance of legitimate email means that it is not visible to many of the information security measures currently operated by Internet service providers and companies.

The only way to determine whether an email message is legitimate or dark traffic is to compare the addressee with entries in a company’s directory. If the addressee is listed, the email could still be spam, but the vast majority of illegitimate emails, including most of the traffic used for both denial of service and directory harvest attacks, would remain undelivered.

Businesses, however, will be understandably reluctant to hand over their directory details to third parties, even where doing so will improve their information security defences. But businesses can deploy solutions at the edge of their networks that will filter out malformed SMTP packets, denial of service attacks (based on the messages originating from one or a small number of IP addresses) and directory harvest attempts.

Such technology does not replace anti-spam systems based on content filtering, but works alongside them. Conventional spam filtering remains necessary to protect employees’ mailboxes from spam launched against pre-harvested addresses or those bought from a list, as well as for other purposes such as blocking messages with inappropriate content.

Building a layered approach to spam is both efficient and more effective. Two sets of filtering systems greatly cuts the chances of spam messages slipping through the net, but it should also reduce the number of “false rejects” by allowing finer tuning of content-based filters.

But the main argument for deploying scanners at the edge to pick up and block dark traffic is efficiency.

Given that only around 10 per cent of email is legitimate traffic, but that 70 per cent of all messages are believed to be denial of service attacks, directory harvest attacks or have invalid recipients, blocking this mail at an early a stage as possible vastly reduces the load on conventional, content-based filtering systems.

Edge-based systems work by examining the sender’s IP address and the “envelope” headers of an email message, in order to detect dark traffic. If the message is rejected, the content simply never reaches the content filtering systems, let alone the corporate email servers.

As an edge system only looks at envelop data, it will typically be five to six times as quick as a content filter with a similar configuration. In fact, combining a single content filter system with an edge-based filter should be as effective as six standalone content filters.

By blocking more illegitimate email, the combined filters will also save on storage and processing needs, further bolstering the return on investment. Moreover, only edge-based systems can pick up and block denial of service attacks. By the time the messages reach the content filters, it is already too late to stop a denial of service attack.

Case study

Case Study: A UK-based telecoms organisation experienced eight email-based denial of service attacks between March 2004 and March 2005. When the company audited its email traffic, it found that just five per cent of it was legitimate.

The business’ existing email filtering systems were able to block most of the illegitimate messages, but this came at a cost: emails to staff were delayed by 12 to 24 hours. The cost to email users’ productivity was put at 100 a day. A conservative estimate by the company put the cost of each DoS attack at just over 125,000.

Installing an edge filtering server brought immediate benefits in terms of both security and by reducing costs. The company moved from three servers handling content filtering to one edge server and one content filter server. The system is also future-proof: the company believes that the new set up should still be able to cope, even if email volumes double.


Businesses cannot afford to be complacent about the security threats and potential disruption contained in email.

Only a relatively small percentage of the email traffic currently reaching company IT systems is both valid and wanted. Just over two-thirds (67 per cent) of emails that are technically legitimate are, in fact, spam messages or other unsolicited emails.

Dealing with such emails wastes a large amount of employee time and places an unwanted burden on IT resources, both in terms of storing and processing messages and in running anti-spam services based around content filtering. Increasingly cyber criminals are also making use of email to carry out denial of service attacks, especially on large corporations.

Protecting against such attacks with conventional anti-spam systems is difficult, if not impossible. Nor can companies continue to invest ever-greater resources in anti-spam filters and more powerful mail servers.

However, it is possible to deal with much of today’s illegitimate email traffic by filtering it at the edge of the corporate network. Such edge filters block emails based on information contained in the message envelope, including the sender’s IP address.

As much as 70 per cent of todays email traffic is illegitimate from a technical standpoint, it can be blocked at the edge. This is both more effective and efficient than relying on content-based filtering alone. Filtering out dark traffic at the network edge is cost effective, removes bottlenecks and ultimately, improves corporate information security in a way that other anti-spam measures cannot achieve on their own.

The Solution

The costs of a denial of service or directory harvest attack on a company’s existing email infrastructure are real and tangible.

Only with a network defence operating at the perimeter of the organisation can IT departments can keep these new threats at bay. Providing this defence requires utilising your local 'directory' to prevent directory harvest attacks and using dynamic algorithms to identify denial of service attacks as they occur.

Forecasts suggest that these attacks will only increase year-on-year, but it is not all bad news. Investing in an edge defence such as Tumbleweed’s MailGate Edge will improve security and prolong the useful life of existing defences, leading to lower costs and greater productivity.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo