Who will win the battle - Spammers or Service Providers?



Pranaya Krishna. E*
Spam Analyst and Digital Evidence Analyst, TATA Consultancy Services Ltd. (pranaya.enugulapally@tcs.com)

Abstract

Spam is the abuse of electronic messaging systems to send unsolicited or unwanted messages in bulk. Spam has a negative impact on consumers, businesses, service providers, legitimate e-mail marketers and virtually anyone else who uses e-mail for any reason. To contain spam and for maximum effectiveness, service providers are implementing multi-layer spam detection and prevention architectures and filters. Connection-level analysis; context, lexical and image-based analysis; bi-directional spam filtering; and bounce management are the most common techniques adopted by service providers for spam detection and filtering. Spammers are coming out with new techniques and methods, such as deliverability testing, resulting every day in a large difference between the amount of spam sent out and the amount blocked by spam filters. The reason for this is the lack of an incident response team (IRT) at e-mail service providers (ESPs). The need of the hour is that every ESP should have an IRT with digital forensic skills to identify the spammer account, the reasons for the spam filter's failure to detect the spam, and the root cause.

Keywords: Spam, Phishing, Spammer, Scam, Spam Architecture, Filtering, Deliverability Testing, Incident Response, Honey Trap, Data Points, Root Cause, Header Analysis, Digital Evidence Analysts.

*The author to whom correspondence should be addressed: Pranaya Krishna. E

1. Introduction

Spam is the abuse of electronic messaging systems to send unsolicited or unwanted messages in bulk. Along with the growth of the internet and e-mail, there has been dramatic growth in spam in recent years. The history of spam dates back to 1978, when a sales representative of Digital Equipment Corporation advertised a computer equipment demonstration to Arpanet users. Probably the first automated large-scale commercial use of spam happened in 1994, when the Phoenix law firm Canter and Siegel advertised their services by posting a message to several thousand newsgroups. E-mail spam has grown steadily since the early 1990s. According to many industry reports, approximately 70% of e-mail traffic was spam, and around 75% of the spam e-mails sent were smaller than 1 KB in size. Surprisingly, USA-based ISPs generate 17% of global spam, whereas Russia occupies second position, accounting for 6%. Botnets, networks of virus-infected computers, are used to send about 90% of spam these days.

Today, spam is mostly used for advertising products such as pharmacy, casinos and weight loss, and for sending phishing mails. Spam is also used for secret communication by money launderers and drug sellers, and for carrying out frauds such as advance-fee fraud (the Nigerian "419"), Ponzi and pyramid schemes, and stock fraud (the pump-and-dump scam). By clicking on hyperlinks in spam e-mail, users may be sent to phishing web sites or to sites hosting malware. Spam e-mail may also include malware such as scripts or other executable file attachments. Spam has negative impacts for consumers, businesses, service providers, legitimate e-mail marketers and virtually anyone else who uses e-mail for any reason. Spam is annoying and severely damages an internet company's reputation.

2. Spam Detection Architecture & Detection Methods

All mail service providers have an acceptable use policy, and sending spam is a violation of it. The USA, the UK, the European Union and Canada have passed laws to control spam. According to section 66(A) of the Indian Information Technology Act amendment 2008, sending spam is an offence punishable with imprisonment of up to three years and with a fine. The section covers sending any message which is grossly offensive or has a menacing character; false information for the purpose of causing annoyance, inconvenience, danger, insult, criminal intimidation, enmity, hatred or ill-will; or any electronic e-mail for the purpose of causing annoyance or inconvenience, or to deceive the addressee about the origin of such messages. The biggest advantage of the Indian amendment is that it regulates the sending of electronic messages, including electronic mail, on all kinds of communication devices rather than just computer systems, which conforms to the all-encompassing laws of Australia and the EU rather than the narrow law of the US that deals only with e-mail spamming.

To contain spam and for maximum effectiveness, service providers are implementing multi-layer spam detection and prevention architectures and filters. Connection-level analysis; context, lexical and image-based analysis; bi-directional spam filtering; and bounce management are the most common techniques adopted by service providers for spam detection and filtering. Figure 1 gives the spam detection architecture.

Figure 1: Spam Detection Architecture

Whitelists and blacklists are a straightforward method of blocking spam: lists of e-mail addresses, IP addresses and/or domains that are considered safe (whitelists) or unsafe (blacklists) determine whether to accept or block messages from a sender. There are several public blacklists that are used by e-mail security vendors today, such as Spamhaus, SORBS and DSBL. To protect the interests of their customers, mail filters were added to the mail architecture, and their definitions are updated regularly. List-based/rule-based, content-based and Bayesian filters are the most common spam filtering techniques. Figure 2 shows the layered approach to the detection of spam. Content filters were able to easily detect spam keywords in the bodies of messages. This technique, however, was susceptible to false positives, because many of the spam keywords also had legitimate uses. Gray messages, which are not clearly spam or good mail, present significant obstacles to training and evaluating global spam filters.
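The layered approach described above, as an added Python example that is not from the paper: a list layer that accepts whitelisted senders and rejects blacklisted IPs or domains, followed by a keyword content layer whose score lands in a spam, ham or gray band. All list entries, keyword weights, thresholds and messages are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed sample lists for the demo. A real provider would load its own
# whitelist and a public blacklist such as Spamhaus, SORBS or DSBL.
WHITELIST = {"alerts@mybank.example"}
BLACKLIST_IPS = {"198.51.100.7"}
BLACKLIST_DOMAINS = {"cheap-pills.example"}

# Content layer: keyword weights. Every one of these words also has
# legitimate uses, which is where the false positives come from.
KEYWORDS = {"viagra": 3.0, "casino": 2.5, "weight loss": 2.0,
            "verify your account": 3.0, "free": 0.5}
SPAM_THRESHOLD = 3.0   # score at or above this is spam
HAM_THRESHOLD = 1.0    # score below this is ham; in between is "gray"

@dataclass
class Message:
    sender: str
    sender_ip: str
    subject: str
    body: str

def list_layer(msg):
    """Connection/list layer: whitelist accepts, blacklist rejects, else undecided."""
    if msg.sender.lower() in WHITELIST:
        return "ham"
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if msg.sender_ip in BLACKLIST_IPS or domain in BLACKLIST_DOMAINS:
        return "spam"
    return None

def content_score(msg):
    """Content layer: sum of the weights of the keywords found in subject and body."""
    text = f"{msg.subject} {msg.body}".lower()
    return sum(weight for kw, weight in KEYWORDS.items() if kw in text)

def classify(msg):
    """Layered verdict: the list layer decides first; otherwise the content score does.
    Returns (verdict, score) where verdict is 'spam', 'ham' or 'gray'."""
    verdict = list_layer(msg)
    if verdict is not None:
        return verdict, 0.0
    score = content_score(msg)
    if score >= SPAM_THRESHOLD:
        return "spam", score
    if score < HAM_THRESHOLD:
        return "ham", score
    return "gray", score          # not clearly spam or good mail: needs review
```

The "Casino night" invitation below the threshold is the gray case, and the same invitation with one more weighted word tips into a false positive, which is the weakness the text describes.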

Figure 2: Layered approach for detection of spam

Even then, the spam count has not gone down as expected; instead it is growing. The difference between the amount of spam sent out and the amount of spam blocked by the spam filters is increasing day by day. This is not because of the failure of spam filters, but because of the success of spammers. Yes, spammers have grown smart. They have found ways to bypass the spam filters. To bypass a mail filter, one need not be an expert in the technology, but one should have an idea of the way it works.

3. Deliverability Testing

Content-based scanning is an effective way to block phishing. Based on the content and headers of the mail, it is scored as either spam or ham. This was one method which troubled the spammer, as he/she had no idea whether the phishing mail sent had been scored as spam or not. In other words, the spammer would not know whether the phishing mail reached the target's inbox or junk folder. To overcome this, spammers came up with a new method of checking the deliverability of their mails, called deliverability testing. In this method the phisher targets the users of an e-mail service provider (ESP), e.g. mydomain.com. Before sending the mail, the spammer creates an account for himself at @mydomain.com (e.g. qwerty@mydomain.com) and sends the spam to 10 people along with qwerty@mydomain.com. So the phisher sends out mails to 11 people, one of which is his own account. The phisher can check the deliverability of his phishing mails just by checking his own account, i.e. qwerty@mydomain.com. If the spam filter used by mydomain.com identifies it as spam, it will send the mail to the junk folders of all the users, including qwerty@mydomain.com; otherwise it will push it to the inbox. Either way the spammer learns whether his mail was identified by the filter or not. If the phishing mail is identified by the filter, the phisher immediately changes the content and sends another mail to all the users. This goes on until the mail reaches the inbox of the users. When the spammer follows this method to check deliverability, the filters are not really guarding the user mailbox. Now the question is: how to identify the spammer? What action has to be taken against the spammer?

4. Incident Response Team

In the scenario of successful deliverability testing, every ESP should have an incident response team (IRT) to monitor mail traffic and customer complaints. Whenever a customer reports a phishing mail as spam or moves it to the spam folder, it should be forwarded to the IRT to update the mail filter definitions and to identify and block the spammer. The question may arise: once the definitions are updated, what is the need to identify the spammer? Root cause analysis is always the best practice and helps in proactively identifying the spam or phishing campaign. In this scenario, the end point of root cause analysis is identifying the deliverability testing account and the respective owner of that account.

The best and most efficient way to find the deliverability account is by finding patterns in the spammer's activity. Usually every ESP restricts its users to sending a fixed number of mails per day. For example, mydomain.com restricts an account to sending 1000 mails per day. Assume a scenario where the phisher has a kit with a huge number of phishing pages (e.g. phishing pages of various banks, Gmail, Yahoo mail, PayPal, etc.). In the first go, the phisher sends out mails asking for credentials to 1000 Gmail users. Among them, one account is the phisher-owned account, i.e. qwerty@mydomain.com. In the second attempt he sends mails asking for credentials to another new set of 1000 users, from another compromised account or by creating an alias account, and again one of the recipients is qwerty@mydomain.com. In the same manner, the spammer sends to various bank users, PayPal account holders, etc. Let us consider that the mail filter failed to block the spam and the mails all entered the inboxes of the respective users. Among 1000 users, there will usually be a few smart users who identify the phishing mail and move it to the junk folder. When this is done, it alerts the IRT, and their action starts with updating the mail filter definitions. The next job of the IRT is to check why the mail filter failed to block it and to study the root cause. The IRT's course of action should be as follows:

1. If the phisher is sending a phishing link in the mail, the IRT should search all the mail stores based on the URL and identify the users who received the same URL, using the monitoring tools currently available with all ESPs. When the IRT figures out the accounts, they should be able to identify 1000 users.
2. When the second campaign happens, the IRT has to run the same process again and identify the next 1000 accounts. This process is repeated to identify the 5000 accounts which received the phishing link.
3. The IRT should now concentrate on pattern analysis, by checking how many mails each account received with the same URL.
4. Since the phisher sent only one phishing mail to everyone, ideally the IRT should see only one mail per account. But in every batch of 1000 accounts, qwerty@mydomain.com is included. So the IRT will see qwerty@mydomain.com receiving 5 mails with the same URL, whereas the remaining 4995 accounts receive only 1 mail each.

Now the IRT has to check the information on qwerty@mydomain.com. This information is gathered during account creation and is provided by the support team of any ESP. The information captured during the creation of the account is the e-mail ID, date of creation, IP address, location of the IP, and the address given by the spammer while creating the account. From these details the IRT should be able to confirm that this account is a phisher-owned account.

Root Cause Identification

1. The IRT can do this by checking the e-mail address. The e-mail address used for sending the phishing mails will be made to match a legitimate e-mail ID. For example, let us assume the legitimate support e-mail ID for mydomain.com is support@mydomain.com; the phisher account would be ssupport@mydomain.com. If the e-mail address of the suspicious account resembles the above example, the IRT has its first data point.
2. Now the IRT can check the creation time of the suspicious account. Usually the phisher starts sending out phishing mails at the earliest possible time, so the time difference between the account creation and the first mail sent is minimal. This is the second data point.
3. Then the IRT has to check the IP address from which the mail was sent. For obvious reasons, the user would give a fake address at registration time. Therefore, if the address given by the phisher during account creation and the location of the IP address don't match, that becomes the third data point.

Ideally these 3 data points should give the IRT confirmation on the account. This happens in 9 out of 10 cases. But if these 3 data points do not help in taking a decision, then the IRT has to fetch the phishing mail and have header analysis performed by professional digital evidence analysts. For an IRT, these 3 data points should give sufficient information about the account.

Considering the IRT has identified the suspicious account, what action has to be taken against it? Should the account be deactivated immediately? No. No action needs to be taken. When the IRT deactivates the account, the phisher creates another account and sends phishing mails again. In such cases, the IRT has to identify that account by spending time following the entire procedure discussed above. Therefore the IRT should not take any action against the account. Instead, the IRT has to move the account to a state where the mails received or sent from the phisher's e-mail ID are sent to the filter for analysis, with one copy still delivered to the phisher's own ID, i.e. qwerty@mydomain.com. By doing so, the phisher will not know that his account has been identified and is being monitored. This can be called a honey trap.
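The IRT pattern analysis (steps 1-4) and the three data points described above, as an added Python example that is not from the paper, run over the deliverability-testing scenario of section 3. The URL, account names, batch sizes and registration record are constructed for the demo; in practice the lookups go against the ESP's mail stores and the support team's account records.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the paper): one phishing URL, five
# campaigns of 20 recipients each, and the phisher's own test account
# included in every batch, as section 3 describes.
PHISH_URL = "http://login-check.invalid/verify"   # placeholder, not a real site
TEST_ACCOUNT = "ssupport@mydomain.com"
LEGIT_IDS = ["support@mydomain.com"]

def build_records(campaigns=5, batch=20):
    """Return (campaign, recipient, url) rows as a mail-store search would."""
    rows = []
    for c in range(1, campaigns + 1):
        rows += [(c, f"user{c}_{i}@mydomain.com", PHISH_URL) for i in range(batch - 1)]
        rows.append((c, TEST_ACCOUNT, PHISH_URL))
    return rows

def url_counts(rows, url):
    """Steps 1-3: how many mails carrying this URL each account received."""
    return Counter(rcpt for _, rcpt, u in rows if u == url)

def suspects(counts):
    """Step 4: real targets get one copy; an account in every batch stands out."""
    return {acct: n for acct, n in counts.items() if n > 1}

def edit_distance(a, b):
    """Levenshtein distance, to spot lookalike IDs such as ssupport vs support."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def data_points(account, info):
    """The three data points, from the registration record the support team supplies."""
    found = []
    local = account.split("@")[0]
    if any(edit_distance(local, legit.split("@")[0]) <= 1 for legit in LEGIT_IDS):
        found.append("lookalike_id")
    if info and info["first_send"] - info["created"] <= timedelta(hours=1):
        found.append("sent_right_after_creation")
    if info and info["reg_country"] != info["ip_country"]:
        found.append("address_ip_mismatch")
    return found

# Constructed registration record: created at 09:00, first mail at 09:12,
# registered with a US address but sending from an IP geolocated elsewhere.
ACCOUNT_INFO = {TEST_ACCOUNT: {"created": datetime(2015, 3, 1, 9, 0),
                               "first_send": datetime(2015, 3, 1, 9, 12),
                               "reg_country": "US", "ip_country": "NG"}}

def investigate(rows=None):
    """Run the whole IRT procedure; returns {suspect account: data points found}."""
    rows = rows if rows is not None else build_records()
    return {acct: data_points(acct, ACCOUNT_INFO.get(acct))
            for acct in suspects(url_counts(rows, PHISH_URL))}
```

With these inputs the only account seen more than once is the test account, which then collects all three data points; an account that trips fewer than three is the case the text sends on to header analysis.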
All the incoming and outgoing mails of qwerty@mydomain.com should be analysed by the IRT for heat maps, to proactively catch the phisher.

5. Conclusion

Spam is an ever-increasing problem. The techniques currently used by most anti-spam software are fairly easy to evade by tweaking the message a little. To effectively combat spam, every ESP should have an IRT as its first level of defence. The IRT should be equipped with digital forensics skills, analytical and pattern analysis capabilities, and in-depth knowledge of the organisation's mail architecture. The team should find the patterns in the data points and proactively block the phisher. There should be a common repository of spammers and hackers, which every organisation can use for building their spam filters and analysing their patterns. ESPs should therefore come forward to feed the repositories, which will help in the proactive blocking of spammers.