Technology White Paper
Increase E-mail Security and Maximize Spam Blocking
Aladdin.com/eSafe
Table of Contents
Today's Spam Challenges
The Evolution of New Spam Exploits
The Need for a Multi-Tiered Approach
eSafe: Comprehensive E-mail Security
Spam Management
Summary
"At least 90% of e-mail reaching corporate servers is spam. Spam costs U.S. businesses $612 per employee per year."
Nucleus Research, 2007

"There has been a 100% growth of spam in the last year. Global spam levels are increasing all the time, hitting an all-time high of 95% of all e-mails sent during a peak in the third quarter of 2007."
Commtouch Labs

Today's Spam Challenges

Spam continues to be one of the most rapidly changing security exploits today, as spammers constantly improve and adjust their techniques and methods in order to evade detection by Antispam products. Spam is also increasingly tied to computer crime, from spambot-infected PCs unwittingly used as major spam distributors, to malware-promoting spam e-mails such as the STORM variants, which contain links to Web-borne malicious code. What started as a minor annoyance more than a decade ago has burgeoned into a major problem that impacts network performance and user productivity, and poses a threat to network security.

One of the major challenges in combating spam is that there are now two different types of attack. The first involves quick, short outbreaks that are large in distribution but may last only a few minutes. The second involves low-key, low-distribution, targeted spam attacks. The first type is often associated with commercial spam, scams and fast-spreading worms; the latter is often associated with phishing and more targeted computer crime. The very different natures of these two attacks require completely different technologies for proper protection.

Another challenge is the development of combination spam e-mails that include malicious content, and the creation of more sophisticated and inventive methods to circumvent Antispam solutions, such as image spam and PDF and Excel attachments.
However, one of the largest problems with spam today is that it is being sent almost exclusively by zombies and botnets. This not only allows spam to be distributed in large volumes, but also makes blocking spam more difficult, since there is no single sending source. Traditional methods of blocking spam that rely solely on content inspection cannot, on their own, deal with these new sending methods and the relentless onslaught of spam. Although these methods are very effective in blocking a high percentage of spam, they are not effective against the new blend of spam and e-mail threats, which are specifically designed to circumvent existing Antispam solutions. Today, a solution has to be able to evaluate the context of the e-mail, examine its contents, analyze how it is structured and, above all, assess its source.

The challenge facing security products is to provide dynamic solutions to a rapidly changing problem, while developing new strategies as the rules of the game change. Equally important is keeping the false-positive blocking rate as low as possible.

This document discusses the changing threats of spam, outlines the challenges and threats associated with spam e-mail, describes the technologies available to fight spam, and explains how eSafe can be used as a multi-layered solution to effectively block and manage spam.
The Evolution of New Spam Exploits

Today spam is a multi-faceted problem that can combine a number of threats. Spammers are employing a multitude of techniques in order to circumvent detection by Antispam products. These new exploits include the use of image spam, legitimate-looking attachments and foreign languages, to name a few.

Image spam

Image spam uses one or more images instead of text. These messages use innovative techniques to escape detection, including the use of different background colors. Although the message content is the same, randomization of pixels and the addition of "snow" make each message appear unique, and in this way trick spam filters. The use of uncommon and distorted fonts, and the splitting of one image into multiple images, are other methods being used to circumvent traditional products. Although the underlying aim and content of image spam is the same as its textual predecessor (e.g. stock pump-and-dump schemes, advertisements for weight-loss products, pharmaceuticals, etc.), image spam has proven to be more appealing to recipients, and there is a greater likelihood that recipients will open the message and take action. Image spam messages are typically much larger than traditional text spam messages and so also place a burden on network resources and consume more bandwidth. Traditional content-based Antispam solutions are unable to successfully block image spam.

Attachments

Another trend noted over the last year is the use of new types of attachments. Spammers now make widespread use of PDF and Excel attachments in their continuing attempts to make messages appear more legitimate, realistic and trustworthy. By packaging spam messages in legitimate-looking formats, spammers are able to bypass traditional Antispam products while still delivering their message in a standard format of text or images, including URLs in the message.

Phishing

Phishing continues to pose a major threat to users, and is constantly evolving.
The popularity of social Websites such as YouTube has provided a new platform for spammers to operate, using links that appear to lead to legitimate sites but in fact lead to Websites containing malicious content. In addition, there has been a noted trend towards sending targeted messages that appeal to recipients' emotions and in this way attempt to obtain personal information. Furthermore, the influence of organized crime groups is apparent as phishing scams become more sophisticated and professional, as evidenced by the rise in the number of attacks that are financially motivated.

Viruses

In recent months, a dangerous alliance has been forged between spammers and virus writers, driven by financial gain. Virus writers are employing spam methods to ensure maximum distribution and maximum damage. E-mail viruses and worms are used for fraudulent purposes, industrial espionage, or simply to steal private information that can be sold to spammers and other questionable buyers.
Directory Harvest Attacks (DHA)

"It is estimated that over 80% of spam today is generated by zombies."
Herald Tribune, 2007

This form of attack harvests legitimate e-mail addresses from corporate mail servers by sending thousands of e-mails to a specific company (domain) using different permutations of common usernames. By keeping track of which addresses are rejected by the corporate mail server, spammers create lists of legitimate users for their own use, or for sale and distribution to other spammers. Beyond the obvious danger of allowing legitimate e-mail addresses to fall into the wrong hands, directory harvest attacks also consume large amounts of bandwidth, resulting in productivity and availability problems.

Common Characteristics of Spam Attacks

In addition to the sheer volume of the latest spam outbreaks, several underlying characteristics used to avoid detection have been identified:

- Spam outbreaks involve large numbers of spam messages, to achieve the highest possible response rate and ROI.
- Messages are released in a relatively short period of time, for maximum impact and before Antispam solutions can detect the outbreak.
- Messages are altered to hamper detection based on lexical analysis.
- It is difficult to identify the origin of messages in an outbreak.

These characteristics can be directly attributed to the widespread use of zombie machines and botnets: large networks of compromised computers that can be remotely controlled and used for malicious purposes without the owner's knowledge. Botnets allow spam outbreaks and malware attacks to be launched on a massive scale, and are also used to carry out DoS attacks, perform identity theft, and host malicious and illegal Websites. These attacks use multiple sources and dynamic IP addresses, which impede the creation of blacklists of bad IP addresses and also result in a high percentage of false positives.
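The mail server's own rejection log is the natural place to detect a directory harvest attack: a harvester produces a burst of rejected RCPT commands for many different local parts from one client, while a legitimate correspondent produces mostly accepted recipients and the occasional typo. The following detector is an added example written for this page, not eSafe's implementation; the log line format, the thresholds and the IP addresses are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real MTA's format):
# "<ISO timestamp> <client ip> RCPT TO:<address> <smtp reply code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})"
)

# Constructed sample: 203.0.113.5 probes permutations of common usernames and is
# rejected every time; 198.51.100.20 is a normal correspondent with one typo.
SAMPLE_LOG = """\
2008-05-01T10:00:01 203.0.113.5 RCPT TO:<john@example.com> 550
2008-05-01T10:00:02 198.51.100.20 RCPT TO:<alice@example.com> 250
2008-05-01T10:00:03 203.0.113.5 RCPT TO:<jsmith@example.com> 550
2008-05-01T10:00:05 203.0.113.5 RCPT TO:<john.smith@example.com> 550
2008-05-01T10:00:09 198.51.100.20 RCPT TO:<bob@example.com> 250
2008-05-01T10:00:12 203.0.113.5 RCPT TO:<jsmith1@example.com> 550
2008-05-01T10:00:20 198.51.100.20 RCPT TO:<bobb@example.com> 550
2008-05-01T10:00:31 203.0.113.5 RCPT TO:<admin@example.com> 550
2008-05-01T10:00:44 203.0.113.5 RCPT TO:<sales@example.com> 550
""".splitlines()


def parse(line):
    """Return (timestamp, client_ip, recipient, rejected) or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rejected = m.group("code").startswith("5")
    return datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("rcpt"), rejected


class DhaDetector:
    """Sliding-window view of RCPT outcomes per client IP.

    A client is flagged when, inside `window`, it has been rejected for at least
    `reject_threshold` DISTINCT recipients and rejections make up at least
    `min_reject_ratio` of its RCPT commands. Counting distinct recipients means a
    client retrying one bad address does not look like a harvester, and the ratio
    guard keeps a busy legitimate relay with a few typos from being flagged.
    """

    def __init__(self, window=timedelta(minutes=5), reject_threshold=5, min_reject_ratio=0.8):
        self.window = window
        self.reject_threshold = reject_threshold
        self.min_reject_ratio = min_reject_ratio
        self.history = defaultdict(list)  # ip -> [(timestamp, rejected, recipient)]

    def observe(self, ts, ip, rcpt, rejected):
        # Drop events that fell out of the window, then record the new one.
        events = [e for e in self.history[ip] if ts - e[0] <= self.window]
        events.append((ts, rejected, rcpt))
        self.history[ip] = events
        rejected_rcpts = {r for _, flag, r in events if flag}
        reject_ratio = sum(1 for _, flag, _ in events if flag) / len(events)
        return len(rejected_rcpts) >= self.reject_threshold and reject_ratio >= self.min_reject_ratio

    def stats(self, ip):
        events = self.history[ip]
        return {"rcpt": len(events), "rejected": sum(1 for _, flag, _ in events if flag)}


def analyze(lines, detector=None):
    """Feed log lines to the detector and return the set of flagged client IPs."""
    detector = detector or DhaDetector()
    flagged = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if detector.observe(*rec):
            flagged.add(rec[1])
    return flagged


if __name__ == "__main__":
    print("directory harvest sources:", analyze(SAMPLE_LOG))
```

Once a client is flagged, the usual mitigation is to stop giving it the information it is after: answer its further RCPT commands with a temporary failure or a uniform reply, and rate-limit the connection, so the harvester can no longer tell valid addresses from invalid ones.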
The Need for a Multi-Tiered Approach

Traditional Antispam products using blacklisting and content detection have been rendered ineffective by the combination of botnets and innovative spammer technology. The evolution and nature of today's spam, as described above, has given rise to a need for solutions that do not rely on message content alone, but can identify spam outbreaks in real time based on the context of the e-mail. Protection from today's spam can only be achieved by blocking e-mail from suspected spam sources based on the source IP address or domain, and by analyzing e-mail for distribution and structure patterns that indicate spam outbreaks.

Furthermore, in order to preserve the productivity of both users and IT staff, spam blocking must be as transparent as possible, while still minimizing false positives and providing the tools necessary for effective program management and reporting. Self-managed user quarantine repositories for spam can remove most of the burden from the administrator, while enabling users to create their own trusted-senders list and retrieve blocked messages independently. Self-managing functionality and comprehensive reporting features in a spam solution can significantly reduce staff administration requirements and TCO, while also improving the end-user experience.
eSafe: Comprehensive E-mail Security

eSafe Advanced Antispam uses dual-engine functionality to detect and block spam by analyzing both the context and the content of e-mail messages for spam attributes and distribution patterns. eSafe's Antispam technology combines real-time reputation and distribution-pattern analysis with advanced deep content analysis methods that inspect the remaining messages for spam and malicious content. This combination of two layers of protection enables eSafe to block the majority of spam and worm e-mail at the perimeter, before it can enter the network.

1. When an e-mail is received by eSafe, it is sent to the Real-time Distribution and Reputation (RDR) Engine, engine #1. Here, certain unique patterns are extracted (from the e-mail header, body and attachments), effectively creating a small, unique digest that identifies the e-mail.
2. This digest is then transmitted to the Real Time Detection Center (RTDC), where it is checked against currently known spam and worm outbreaks. If neither spam nor a worm is found, the e-mail is sent to the Content Analysis (CA) Engine, engine #2.
3. In engine #2, the content is checked for spam using various techniques, including heuristics, signatures, links to known spam Websites, etc. If the e-mail is not identified as spam, it is then checked for malicious and unwanted content, including, among other things, phishing, malware, viruses and unwanted files. At each of these steps, e-mail found to contain malicious content and/or spam is quarantined, and a Quarantine Report is sent to the user.
4. Clean and safe e-mail is delivered to the user.

Analyzing Context: eSafe Real-time Reputation Analysis

Spammers employ various techniques and sending methods in order to disguise illegitimate e-mail. However, all messages in an outbreak share at least one common characteristic that links them with the other messages in the outbreak.
For example, in spam or phishing e-mail, users may be lured to a specific Web site, messages may contain the same malicious code, or PDF spam may carry a similar attachment. eSafe's Real-time Distribution and Reputation (RDR) Engine is based on global recurrent-pattern analysis combined with sender reputation and rating technology, which analyzes large volumes of in-transit e-mail from across the world in real time and identifies recurrent message patterns. These results are aggregated and saved in a centralized data center and are used to identify e-mail-borne attacks.
The RDR engine is content-agnostic and focuses on extracting and analyzing patterns in the message envelope during the SMTP session, as well as in the message header, body and attachments. Because of this, it can recognize an outbreak regardless of payload, language, message format or encoding type. In addition to identifying new threat patterns, RDR technology is also used to reconfirm and refine the classification of already-identified message patterns.

Besides distribution-pattern data, the data center also holds a real-time reputation score for each e-mail sender. The score is dynamic, so that legitimate e-mail servers are not permanently blacklisted, as can happen if a mail server has been abused or if a spammer is on the same subnet, a common scenario at some ISPs and in some regions.

By default, eSafe places all messages found to contain spam in a Spam Quarantine and sends users a daily report listing all e-mail addressed to them that was blocked as spam. Since what one user considers spam is not necessarily spam to another (for example, newsletters and mailing lists), these spam management tools allow false positives to be minimized.

Analyzing Content: eSafe Content Analysis Engine

The second layer of eSafe Advanced Antispam protection is the Content Analysis (CA) Engine. This layer uses various methods to deeply inspect and analyze the content of incoming e-mail, including the following:

- Smart signature matching: extracts hash signatures from incoming e-mail and compares them against a database of known spam messages. The signature database is updated throughout the day with information derived from real-time spam collectors.
- Text analysis: identifies spam based on statistics derived from analyzing large collections of spam messages in real time.
- Flow control: searches for identical e-mail messages over a specific time frame.
  E-mail messages that appear multiple times during this period but originate from different sources are noted, and if the number of occurrences exceeds a predefined threshold, the e-mail is blocked as spam.
- Bayesian classification: uses statistics derived from the analysis of large collections of spam messages. The system can be trained to identify spam with a high identification rate and a low false-positive rate.
- Phishing: uses a combination of techniques to determine whether or not an e-mail is a potential phishing e-mail.
- Fuzzy fingerprint: a new analysis method designed to combat the latest spam techniques, such as spam e-mails containing images with small modifications (e.g. random pixels, corruption, etc.).
- Meta-heuristics: identifies spam by searching for common spam characteristics, such as mixed foreign character sets, image links that are server queries, a mixture of obscure and/or non-printable characters, different encoding methods, etc. In addition to identifying these spam characteristics, the heuristic system also strips junk characters and HTML tags from e-mail so that hash signatures can be extracted and compared with the signature database. This also allows polymorphic spam to be identified.
- URL categories: searches for URL links in e-mail messages and checks which category each URL belongs to. Organizations can define which categories to block or allow.
- Known spam URLs: identifies links to Web sites known to belong to spammers.
- Structure analysis: analyzes the HTML structure of the e-mail message to calculate unique signatures and checks them against the spam database.
- Fingerprint: checks e-mail attachment fingerprints (MD5 hashes) against fingerprints stored in the database, to determine whether the e-mail contains known spam attachments or embedded images.
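Three of the methods listed above (meta-heuristic cleaning feeding smart signature matching, flow control, and attachment fingerprinting) fit together naturally, and the following is an added example of how they work as a chain. It is example code written for this page, not eSafe's engine: the normalization rules, the hash choices, the time window, the threshold and the sample messages and IP addresses are all constructed for the illustration, and the "database" of known spam attachment hashes is a one-entry set built from a constructed byte string.

```python
import hashlib
import html
import re
from collections import defaultdict

# --- Meta-heuristic cleaning + smart signature --------------------------------

def normalize(body):
    """Strip HTML tags, entities, non-printable and obscure characters so that
    cosmetic variants of one spam body collapse to the same text."""
    text = re.sub(r"<[^>]+>", " ", body)          # drop tags (and the URLs inside them)
    text = html.unescape(text)                      # &nbsp;, &#8203; ... -> real characters
    # Keep printable characters, turn whitespace-class characters (e.g. U+00A0)
    # into plain spaces, and silently delete zero-width / control junk.
    text = "".join(ch if ch.isprintable() else " " if ch.isspace() else "" for ch in text)
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())  # obscure punctuation/symbols -> space
    return " ".join(text.split())                   # collapse runs of whitespace


def signature(body):
    """Hash of the cleaned text; polymorphic copies share one signature."""
    return hashlib.sha256(normalize(body).encode()).hexdigest()


# --- Flow control -------------------------------------------------------------

class FlowControl:
    """Blocks a message once its signature has been seen from at least
    `source_threshold` distinct sending IPs inside `window_seconds`."""

    def __init__(self, window_seconds=600, source_threshold=3):
        self.window = window_seconds
        self.threshold = source_threshold
        self.seen = defaultdict(list)  # signature -> [(timestamp, source_ip)]

    def observe(self, sig, source_ip, ts):
        recent = [(t, s) for t, s in self.seen[sig] if ts - t <= self.window]
        recent.append((ts, source_ip))
        self.seen[sig] = recent
        distinct_sources = {s for _, s in recent}
        return len(distinct_sources) >= self.threshold  # True = block as spam


# --- Attachment fingerprint ---------------------------------------------------

# Constructed stand-in for the fingerprint database (the page specifies MD5).
KNOWN_SPAM_ATTACHMENT_MD5 = {hashlib.md5(b"%PDF-1.4 constructed stock-tip flyer").hexdigest()}


def attachment_is_known_spam(data):
    return hashlib.md5(data).hexdigest() in KNOWN_SPAM_ATTACHMENT_MD5


# --- Constructed traffic: one spam body in three polymorphic disguises --------

SPAM_A = "<html><body><b>Buy</b> st0ck NOW!!! <a href='http://example.invalid/a'>click</a></body></html>"
SPAM_B = '<div>Buy&nbsp;st0ck   NOW!!!</div><a href="http://example.invalid/b">click</a>'
SPAM_C = "<span>Buy</span> st0\u200bck NOW!!! <span>click</span>"  # zero-width space inside a word
HAM = "<p>Hi Bob, the Q3 report is attached. Thanks, Alice</p>"

# (timestamp in seconds, sending IP, body)
STREAM = [
    (0, "203.0.113.10", SPAM_A),
    (30, "198.51.100.7", SPAM_B),
    (45, "198.51.100.7", SPAM_A),      # repeat from a source already counted
    (60, "192.0.2.99", SPAM_C),        # third distinct source -> threshold reached
    (90, "203.0.113.10", HAM),         # unrelated message, separate signature
    (2000, "203.0.113.10", SPAM_A),    # window expired, counting starts over
]


def run(stream, fc=None):
    """Return the flow-control verdict (True = blocked) for each message."""
    fc = fc or FlowControl()
    return [fc.observe(signature(body), ip, ts) for ts, ip, body in stream]


if __name__ == "__main__":
    for (ts, ip, body), blocked in zip(STREAM, run(STREAM)):
        print(f"t={ts:>5} {ip:<14} sig={signature(body)[:12]} blocked={blocked}")
```

The point of the normalization step is that the three spam variants differ in tags, entities, whitespace and an invisible character, yet yield one signature, so the flow-control counter sees them as the same message. Note also that the fourth message is blocked only because it arrives from a third distinct source; the repeat from 198.51.100.7 does not advance the count, which is what keeps a legitimate mailing list sent from one server from tripping the threshold.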
Spam Management

eSafe's spam management controls and self-provisioning features help to increase user productivity and reduce both TCO and IT staff requirements. Users receive Spam Quarantine Reports listing all mail sent to them that was blocked as spam, and manage their own quarantined e-mail directly from the report. Viewing the report does not require logging in with a username and password; users can quickly browse the list of spam e-mails and, if necessary, select an action such as Release or Learn.

eSafe's self-learning capabilities help reduce the false-positive blocking rate by allowing users to release e-mail that was mistakenly blocked and to build lists of non-spam senders (white lists) for future use. This self-provisioning also reduces the burden on IT managers and so reduces TCO: there is no need for IT staff to constantly review e-mail to determine what is and is not spam. Further, because suspicious e-mails are held in quarantine rather than passed through the mail servers, eSafe eliminates the need for additional backup or storage capacity.
Summary

Spam continues to become more sophisticated and elusive, as spammers and cybercriminals employ innovative and devious methods to stay ahead. Antispam solutions must provide real-time protection that adapts quickly to evolving challenges while remaining attentive to user productivity, keeping the number of incorrectly blocked e-mails as low as possible. eSafe's Advanced Antispam solution provides a multi-layered e-mail defense that combines reputation analysis and deep content inspection for protection against today's spam exploits. User-driven quarantine reports that enable self-provisioning help organizations improve productivity and lower staff management requirements.
For more contact information, visit: www.aladdin.com/contact

5/2008 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin and HASP are registered trademarks and HASP SRM is a trademark of Aladdin Knowledge Systems, Ltd. All other names are trademarks or registered trademarks of their respective owners.