Technology White Paper. Increase E-mail Security and Maximize Spam Blocking




Aladdin.com/eSafe

Table of Contents

Today's Spam Challenges ... 2
The Evolution of New Spam Exploits ... 3
The Need for a Multi-tiered Approach ... 4
eSafe: Comprehensive e-mail Security ... 5
Spam Management ... 7
Summary ... 8

"At least 90% of e-mail reaching corporate servers is spam. Spam costs U.S. businesses $612 per employee per year." Nucleus Research, 2007

"There has been a 100% growth of spam in the last year. Global spam levels are increasing all the time, hitting an all-time high of 95% of all e-mails sent during a peak in the third quarter of 2007." Commtouch Labs

Today's Spam Challenges

Spam continues to be one of the most rapidly changing security exploits today, as spammers constantly improve and adjust their techniques and methods in order to evade detection by Antispam products. Spam also continues to increase its close association with computer crime, from Spambot-infected PCs unwittingly being used as major spam distributors, to malware-promoting spam e-mails, such as the STORM variants, which contain links to Web-borne malicious code. What started as a minor annoyance more than a decade ago has burgeoned into a major problem that impacts network performance and user productivity, and poses a threat to network security.

One of the major challenges in combating spam is that two different types of attack have emerged. The first type involves quick and short outbreaks, which are large in distribution but can last only a few minutes. The second type involves low-key, low-distribution targeted spam attacks. The first type is often associated with commercial spam, often scams, and quick worms. The latter can often be associated with phishing and more targeted computer crimes. The two very different natures of these attacks require completely different technologies for proper protection.

Another challenge in combating spam is the development of combination spam e-mails that include malicious content, and the creation of more sophisticated and inventive methods to circumvent Antispam solutions, such as the use of image spam, and PDF and Excel attachments.

However, one of the largest problems with spam today is that it is being sent almost exclusively by zombies and botnets. This not only allows spam to be distributed in large volumes, but also makes blocking spam more difficult since there is no single sending source. Traditional methods of blocking spam that rely solely on content inspection cannot single-handedly deal with these new sending methods and the relentless onslaught of spam. Although these methods are very effective in blocking a high percentage of spam, they are not effective in blocking the new blend of spam and e-mail threats, which are specifically designed to circumvent existing Antispam solutions. Today, a solution has to include the ability to evaluate the context of the e-mail, examine the contents, analyze how it is structured, and above all, assess the source. The challenge facing security products is the ability to provide dynamic solutions to a rapidly changing problem, while developing new strategies as the rules of the game change. Equally important is keeping the false-positive blocking rate as low as possible.

This document discusses the changing threats of spam, outlines the challenges and threats associated with spam e-mail, describes the technologies available to fight spam, and explains how eSafe can be used as a multi-layered solution to effectively block and manage spam.

The Evolution of New Spam Exploits

Today spam is a multi-faceted problem that can combine a number of threats. Spammers are employing a multitude of techniques in order to circumvent detection by Antispam products. These new exploits include the use of image spam, legitimate-looking attachments, and the use of foreign languages, to name a few.

Image spam

Image spam uses one or more images instead of text. These messages use innovative techniques to escape detection, including the use of different background colors. Although the message content is the same, randomization of pixels and the use of "snow" make each message appear unique and in this way trick spam filters. The use of uncommon and distorted fonts and the splitting of one image into multiple images are other methods being used to circumvent traditional products. Although the underlying aim and content of image spam is the same as its textual predecessor (e.g. stock pump-and-dump schemes, advertisements for weight loss products, pharmaceuticals, etc.), image spam has proven to be more appealing to recipients and there is a greater likelihood that recipients will open the message and take action. Image spam messages are typically much larger than traditional text spam messages and thus can also place a burden on network resources and consume more bandwidth. Traditional content-based Antispam solutions are unable to successfully block image spam.

Attachments

Another trend noted over the last year is the use of new types of attachments. Spammers now make widespread use of PDF and Excel attachments in their continuing attempts to make messages appear more legitimate, realistic and trustworthy. By packaging spam messages in legitimate-looking formats, spammers are able to bypass traditional Antispam products and still include their message in a standard format of text or images, also including URLs in the message.

Phishing

Phishing continues to pose a major threat to users, and is constantly evolving. The popularity of social networking Websites such as YouTube has provided a new platform for spammers to operate by using links to legitimate-looking sites that are in fact links to Websites that contain malicious content. In addition, there has been a noted trend towards sending targeted messages that appeal to recipients' emotions and in this way attempt to obtain personal information. Furthermore, the influence of organized crime groups is apparent as phishing scams become more sophisticated and professional, as evidenced by the rise in the number of attacks that are financially motivated.

Viruses

In recent months, a dangerous alliance has been forged between spammers and virus writers, driven by financial gain. Virus writers are employing spam methods to ensure maximum distribution and maximum damage. E-mail viruses and worms are used for fraudulent purposes, industrial espionage, or simply to steal private information that can be sold to spammers and other questionable buyers.

Directory Harvest Attacks (DHA)

"It is estimated that over 80% of spam today is generated by zombies." Herald Tribune, 2007

This form of attack harvests legitimate e-mail addresses from corporate mail servers by sending thousands of e-mails to a specific company (domain) using different permutations of common usernames. By keeping track of which addresses are rejected by the corporate mail server, spammers create lists of legitimate users for their own use, or for sale and distribution to other spammers. Other than the obvious inherent danger of allowing legitimate e-mail addresses to fall into the wrong hands, directory harvest attacks also consume large amounts of bandwidth, resulting in productivity and availability problems.

Common Characteristics of Spam Attacks

In addition to the sheer volume of the latest spam outbreaks, several underlying common characteristics that are used to avoid detection have been identified:

- Spam outbreaks involve large numbers of spam messages to achieve the highest possible response rate and ROI.
- Messages are released in a relatively short period of time for maximum impact, and before Antispam solutions can detect the outbreak.
- Messages are altered to hamper detection based on lexical analysis.
- It is difficult to identify the origin of messages in an outbreak.

These characteristics can be directly attributed to the widespread use of zombie machines and botnets: large networks of compromised computers that can be remotely controlled and used for malicious purposes without the owner's knowledge. The use of botnets allows the launching of spam outbreaks and malware attacks on a massive scale, carrying out DoS attacks, performing identity theft, and hosting malicious and illegal Websites. These attacks use multiple sources and dynamic IP addresses that impede the creation of blacklists of bad IP addresses and also result in a high percentage of false positives.
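The DHA described above leaves a recognizable trace on the receiving mail server: one client generating many distinct "user unknown" rejections in a short window. The following Python is an added example of detecting that trace from mail logs; it is not part of the white paper or of eSafe, and the log format, thresholds and sample lines are constructed for the illustration.

```python
"""Directory-harvest detection over constructed SMTP RCPT log events.
Added example (not from the white paper or eSafe); the log format is a
simplified, constructed "<epoch> <client_ip> <ACCEPT|REJECT> <rcpt>"."""
from collections import Counter, defaultdict

# Constructed sample log: a legitimate peer with one typo, and one harvester
# probing permutations of common usernames (REJECT = "user unknown").
SAMPLE_LOG = """\
1000 198.51.100.7 ACCEPT alice@example.com
1001 198.51.100.7 REJECT alcie@example.com
1002 203.0.113.9 REJECT john@example.com
1002 203.0.113.9 REJECT john.smith@example.com
1003 203.0.113.9 REJECT jsmith@example.com
1003 203.0.113.9 REJECT smithj@example.com
1004 203.0.113.9 ACCEPT bob@example.com
1004 203.0.113.9 REJECT bob.jones@example.com
1005 203.0.113.9 REJECT bjones@example.com
1005 203.0.113.9 REJECT jonesb@example.com
"""


def parse_log(text):
    """Parse the constructed format into (ts, client_ip, action, rcpt) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, action, rcpt = line.split()
            events.append((int(ts), ip, action.upper(), rcpt.lower()))
    return events


def detect_dha(events, window_s=300, min_rejects=5, min_reject_ratio=0.7):
    """Return {client_ip: stats} for clients whose RCPT pattern looks like a harvest.

    A sliding window of `window_s` seconds is kept per client; it is flagged when
    some window holds >= `min_rejects` *distinct* unknown-user rejections that make
    up >= `min_reject_ratio` of the RCPT attempts in it. The ratio guard keeps a
    busy legitimate relay with the occasional typo out of the result.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        unknown = Counter()  # distinct rejected recipients inside the window
        accepted = 0
        start = 0
        for ts, _, action, rcpt in evs:
            if action == "REJECT":
                unknown[rcpt] += 1
            else:
                accepted += 1
            while ts - evs[start][0] > window_s:  # expire the window's left edge
                _, _, old_action, old_rcpt = evs[start]
                if old_action == "REJECT":
                    unknown[old_rcpt] -= 1
                    if not unknown[old_rcpt]:
                        del unknown[old_rcpt]
                else:
                    accepted -= 1
                start += 1
            distinct = len(unknown)
            ratio = distinct / (distinct + accepted)
            if distinct >= min_rejects and ratio >= min_reject_ratio:
                prev = flagged.get(ip, {"distinct_unknown": 0})
                if distinct > prev["distinct_unknown"]:
                    flagged[ip] = {"distinct_unknown": distinct,
                                   "accepted": accepted,
                                   "window": (evs[start][0], ts)}
    return flagged


if __name__ == "__main__":
    # A defender would throttle or tempfail further RCPTs from flagged clients.
    print(detect_dha(parse_log(SAMPLE_LOG)))
```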
The Need for a Multi-Tiered Approach

Traditional Antispam products using blacklisting and content detection have been rendered ineffective by the combination of botnets and innovative spammer technology. The evolution and nature of today's spam as described above has given rise to a need for solutions that do not rely on message content only, but instead have the ability to identify spam outbreaks in real time, based on the context of the e-mail. Protection from today's spam can only be achieved by blocking e-mail from suspected spam sources based on the source IP address or domain, and by analyzing spam e-mail for distribution and structure patterns that can indicate spam outbreaks.

Furthermore, in order to assure productivity on behalf of the user and the IT staff, spam blocking must be as transparent as possible, while still minimizing false positives and providing the tools necessary for effective program management and reporting. Self-managed user quarantine repositories for spam can remove most of the burden from the administrator, while enabling users to create their own trusted senders list and retrieve blocked messages independently. Self-managing functionality and comprehensive reporting features in a spam solution can significantly reduce staff administration requirements and TCO, while also improving the end-user experience.

eSafe: Comprehensive e-mail Security

eSafe Advanced Antispam utilizes dual-engine functionality to detect and block spam by analyzing both the context and the content of e-mail messages for spam attributes and distribution patterns. eSafe's Antispam technology is based on the combination of real-time reputation and distribution pattern analysis PLUS advanced deep content analysis methods that inspect remaining messages for spam and malicious content. The unique combination of two layers of protection enables eSafe to block the majority of spam and worm e-mail at the perimeter before it can enter the network.

1. When an e-mail is received by eSafe, it is sent to the Real-time Distribution and Reputation (RDR) Engine (#1). Here, certain unique patterns are extracted (including e-mail header, body and attachments), effectively creating a unique and small digest e-mail identifier.
2. This digest is then transmitted to the Real Time Detection Center (RTDC), where it is checked against current known spam and worm outbreaks. If the result indicates that neither spam nor worm was found, the e-mail is sent to the Content Analysis (CA) Engine (#2).
3. In engine #2, content is checked for spam using various techniques that include heuristics, signatures, links to known spam Websites, etc. If the e-mail is not identified as spam, it is then checked for malicious and unwanted content, which includes, among other things, phishing, malware, viruses, unwanted files, etc. At each of these steps, e-mail found to contain malicious content and/or spam is quarantined, and a Quarantine Report is sent to the user.
4. Clean and safe e-mail is delivered to the user.

Analyzing Context: eSafe Real-time Reputation Analysis

Spammers employ various techniques and sending methods in order to disguise illegitimate e-mail. However, all messages in an outbreak share at least one common characteristic that can link them with the other messages in the outbreak. For example, in spam or phishing e-mail, users can be lured to a specific Web site, e-mails can contain the same malicious code, or PDF spam might contain a similar attachment. eSafe's Real-time Distribution and Reputation (RDR) Engine is based on global recurrent-pattern analysis in combination with a sender reputation and rating technology, which analyzes large volumes of in-transit e-mail from across the world in real time and identifies recurrent message patterns. These results are aggregated and saved in a centralized data center and are used to identify e-mail-borne attacks.

The RDR engine is content-agnostic and focuses on extracting and analyzing patterns that are in the message envelope during the SMTP session, and also in the message header, body, and attachments. Because of this, it is capable of recognizing an outbreak regardless of the payload, language, message format, and encoding type. In addition to identifying new threat patterns, RDR technology is also used to reconfirm and enhance the classification of already-identified message patterns. Besides distribution pattern data, the data center also includes a real-time reputation score of the e-mail sender. The score is dynamic in order to ensure that legitimate e-mail servers are not permanently blacklisted, which can happen if abuse of a mail server has occurred, or if a spammer is on the same subnet, a common scenario in some ISPs and in some regions.

By default eSafe places all messages found to contain spam in a Spam Quarantine, sending a daily report to users which lists all e-mail addressed to them that had been blocked as spam. Since what is considered spam by one user is not necessarily considered spam by another (for example, newsletters and mailing lists), the use of spam management tools allows false positives to be minimized.

Analyzing Content: eSafe Content Analysis Engine

The second layer of eSafe Advanced Antispam protection is the Content Analysis (CA) Engine. This protection layer uses various methods to deeply inspect and analyze the content of incoming e-mail, including the following:

- Smart signature matching: extracts hash signatures from incoming e-mail and compares them against a database of known spam e-mail messages. The signature database is updated throughout each day with information derived from real-time spam collectors.
- Text analysis: identifies spam based on statistics derived from analyzing large collections of spam messages in real time.
- Flow control: searches for identical e-mail messages over a specific time frame. E-mail messages which appear multiple times during this period but originate from different sources are noted, and if the number of occurrences exceeds a predefined threshold value, the e-mail is blocked as spam.
- Bayesian classification: uses statistics derived from the analysis of large collections of spam messages. The system can be trained to specifically identify spam with a high identification rate and low false-positive rate.
- Phishing: uses a combination of techniques to determine whether or not an e-mail is a potential phishing e-mail.
- Fuzzy fingerprint: a new analysis method designed to combat the latest spam techniques, such as spam e-mails that contain images with small modifications (e.g. random pixels, corruption, etc.).
- Meta-heuristics: identifies spam by searching for common spam characteristics such as the usage of mixed foreign character sets, image links that are server queries, use of a mixture of obscure and/or non-printable characters, different encoding methods, etc. In addition to identifying various spam characteristics, the heuristic system also cleans e-mail of junk characters and HTML tags so that hash signatures can be extracted and compared with the signature database. This method also allows for the identification of polymorphic spam.
- URL categories: searches for URL links in e-mail messages and checks which category the URL belongs to. Organizations are able to define which categories to block or allow.
- Known spam URLs: identifies links to Web sites known to belong to spammers.
- Structure analysis: these techniques analyze the HTML structure of the e-mail message to calculate unique signatures and check them against the spam database.
- Fingerprint: checks e-mail attachment fingerprints (MD5 hashes) against fingerprints stored in the database, to determine whether or not the e-mail contains known spam attachments or embedded images.
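The meta-heuristic cleaning, hash-signature matching and flow control entries above, like the RDR engine's recurrent-pattern digest described earlier, rest on one idea: normalize the message so polymorphic variants collapse, hash the result, and count how many unrelated sources deliver the same digest within a window. The following Python is an added illustration of that idea, not eSafe's code; the normalization rules, thresholds and sample messages are assumptions constructed for the example.

```python
"""Flow-control outbreak detection over normalized message digests.
Added example approximating the white paper's meta-heuristic cleaning,
hash-signature and flow-control descriptions; not eSafe's code, and the
normalization rules and thresholds are assumptions."""
import hashlib
import html
import re
import unicodedata
from collections import defaultdict, deque

TAG_RE = re.compile(r"<[^>]+>")
NOISE_RE = re.compile(r"[^\w\s@./:-]")  # punctuation/junk; URL characters kept
WS_RE = re.compile(r"\s+")


def normalize(body):
    """Clean a body so polymorphic variants collapse to one string: strip HTML
    tags and entities, fold Unicode compatibility forms, drop non-printable
    characters (zero-width spaces etc.) and punctuation noise, fold case."""
    text = html.unescape(TAG_RE.sub(" ", body))
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if ch.isprintable())
    return WS_RE.sub(" ", NOISE_RE.sub(" ", text)).strip().lower()


def digest(body):
    """Hash signature of the cleaned body."""
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


class FlowControl:
    """Flag a digest once seen from `min_sources` distinct sending IPs within
    `window_s` seconds: many copies from one server is a newsletter, the same
    body from many unrelated sources is an outbreak."""

    def __init__(self, window_s=600, min_sources=3):
        self.window_s = window_s
        self.min_sources = min_sources
        self.seen = defaultdict(deque)  # digest -> deque of (ts, src_ip)

    def observe(self, ts, src_ip, body):
        """Record one message; return (is_outbreak, digest, distinct_sources)."""
        d = digest(body)
        q = self.seen[d]
        q.append((ts, src_ip))
        while q and ts - q[0][0] > self.window_s:  # expire old sightings
            q.popleft()
        sources = {ip for _, ip in q}
        return len(sources) >= self.min_sources, d, len(sources)


# Constructed sample traffic: three polymorphic copies of one spam body from
# unrelated sources, and a newsletter repeated from a single server.
SPAM_VARIANTS = [
    (0, "203.0.113.5", "<html><body>Buy <b>ch3ap</b> meds now! "
                       "Visit http://example.com/x &amp; save</body></html>"),
    (60, "198.51.100.22", "Buy  ch3ap meds now!\u200b Visit http://example.com/x & save"),
    (120, "192.0.2.77", "<div>Buy ch3ap <i>meds</i> now! "
                        "Visit http://example.com/x &amp; save</div>~~"),
]
NEWSLETTER = [(t, "198.51.100.40", 'Weekly digest: <a href="http://example.com/n">read</a>')
              for t in range(0, 300, 60)]


def run_sample():
    """Feed the constructed traffic through one FlowControl; return verdicts."""
    fc = FlowControl()
    spam = [fc.observe(ts, ip, body)[0] for ts, ip, body in SPAM_VARIANTS]
    news = [fc.observe(ts, ip, body)[0] for ts, ip, body in NEWSLETTER]
    return spam, news
```

The third spam copy is the one that trips the threshold, while five copies of the newsletter never do because they share a single source.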

Spam Management

eSafe's innovative spam management controls and self-provisioning features help to increase user productivity and reduce both TCO and IT staff requirements. Users receive Spam Quarantine Reports and manage their own quarantined e-mail directly by receiving a list of all mail sent to them and blocked as spam. Viewing the report does not require logging in or using a username and password, and users can quickly browse the list of spam e-mails and, if necessary, select an action, including Release and Learn.

eSafe's self-learning capabilities assist in reducing the false-positive blocking rate by allowing users to release e-mail mistakenly blocked and create lists of non-spam senders (white lists) for future use. This method of self-provisioning also reduces the burden on IT managers and subsequently reduces TCO. There is no need for IT staff to constantly review and check e-mail to determine what is and is not spam. Further, with suspicious e-mails stored in quarantine and not sent through mail servers, eSafe eliminates the need for additional backup or storage requirements.

Summary

Spam continues to become more sophisticated and elusive, while spammers and cybercriminals employ innovative and devious methods to stay ahead. Antispam solutions must provide real-time solutions that can quickly adapt to evolving challenges while remaining attentive to user productivity, in order to keep the number of incorrectly blocked e-mails as low as possible. eSafe's Advanced Antispam solution provides a multi-layered e-mail defense that includes reputation analysis and deep content inspection for total protection against today's spam exploits. User-driven quarantine reports that enable self-provisioning help organizations improve productivity and lower staff management requirements.

For more contact information, visit: www.aladdin.com/contact

5/2008 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin and HASP are registered trademarks and HASP SRM is a trademark of Aladdin Knowledge Systems, Ltd. All other names are trademarks or registered trademarks of their respective owners.

North America: +1-800-562-2543, +1-847-818-3800
UK: +44-1753-622-266
Germany: +49-89-89-4221-0
France: +33-1-41-37-70-30
Benelux: +31-30-688-0800
Spain: +34-91-375-99-00
Italy: +39-022-4126712
Israel: +972-3-978-1111
China: +86-21-63847800
India: +919-82-1217402
Japan: +81-426-607-191
All other inquiries: +972-3-978-1111