
How Spammers Fool Spam Filters   by CipherTrust

And How to Stop Them


Effectively stopping spam over the long-term requires much more than blocking individual IP addresses and creating rules based on keywords that spammers typically use. The increasing sophistication of tools spammers use coupled with the increasing number of spammers in the wild has created a hyper-evolution in the variety and volume of spam. The old ways of blocking the bad guys just don’t work anymore.

Examining spam and spam-blocking technology can illuminate how this evolution is taking place and what can be done to combat spam and reclaim e-mail as the efficient, effective communication tool it was intended to be.

There are several widely-used methods for filtering spam, each of which can be defeated by spammers to some degree. Understanding the strengths and weaknesses of each approach and the methods spammers use to defeat them is the basis of an effective, comprehensive anti-spam strategy.

Signature-based Filters


Signature-based filters examine the contents of known spam, usually derived from honey pots, or dummy e-mail addresses set up specifically to collect spam. Once a honey pot receives a spam message, the content is examined and given a unique identifier. The unique identifier is obtained by assigning a value to each character in the e-mail. Once all characters have been assigned a value, the values are totaled, creating the spam’s signature. The signature is added to a signature database and sent as a regular update to the e-mail service’s subscribers. The signature is compared to every e-mail coming in to the network and all matching messages are discarded as spam.

The benefit of signature-based filters is that they rarely produce false-positives, or legitimate e-mail incorrectly identified as spam.

The drawback of signature-based filters is that they are very easy to defeat. Because they are backward-looking, they only deal with spam that has already been sent. By the time the honey pot receives a spam message, the system assigns a signature, and the update is sent and installed on the subscribers’ network, the spammer has already sent millions of e-mails. A slight modification of the e-mail message will render the existing signature useless.

Furthermore, spammers can easily evade signature-based filters by using special e-mail software that adds random strings of content to the subject line and body of the e-mail. Because the variable content alters the signature of each e-mail sent by the spammer, signature-based spam filters are unable to match the e-mail to known pieces of spam.

Developers of signature-based spam filters have learned to identify the tell-tale signs of automated random character generation. But as is often the case, spammers remain a step ahead and have developed more sophisticated methods for inserting random content. As a result, most spam continues to fool signature-based filters.
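The signature scheme described in this section can be modelled in a few lines. The following is an added example, not code from the original article or from any vendor; using the Unicode code point as each character's value, the SHA-256 comparison, and all sample messages are assumptions constructed for illustration. It shows an exact copy matching, a slightly modified copy missing, and the character-total signature colliding on reordered text.

```python
import hashlib


def char_sum_signature(message):
    """Signature as the article describes it: assign each character a value
    (assumed here: its Unicode code point) and total the values."""
    return sum(ord(ch) for ch in message)


def digest_signature(message):
    """Cryptographic digest (SHA-256), added for comparison (assumption)."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


class SignatureFilter:
    """Holds signatures of honey pot spam and checks incoming mail."""

    def __init__(self, signature_fn):
        self.signature_fn = signature_fn
        self.known = set()

    def learn(self, honeypot_message):
        self.known.add(self.signature_fn(honeypot_message))

    def is_spam(self, incoming):
        return self.signature_fn(incoming) in self.known


# Constructed sample messages (not real spam).
HONEYPOT_SPAM = "Buy cheap watches now, limited offer"
EXACT_COPY = "Buy cheap watches now, limited offer"
MODIFIED_COPY = HONEYPOT_SPAM + " qz7xk"          # variable content appended
REORDERED = ", ".join(reversed(HONEYPOT_SPAM.split(", ")))  # same characters


def evaluate():
    """Run each sample through both signature types."""
    results = {}
    for name, fn in (("char_sum", char_sum_signature),
                     ("sha256", digest_signature)):
        flt = SignatureFilter(fn)
        flt.learn(HONEYPOT_SPAM)
        results[name] = {
            "exact": flt.is_spam(EXACT_COPY),
            "modified": flt.is_spam(MODIFIED_COPY),
            "reordered": flt.is_spam(REORDERED),
        }
    return results


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(name, outcome)
```

Both signature types miss the modified copy, which is the weakness the section describes; the plain character total additionally matches any text with the same characters in a different order.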

Rule-based (Heuristic) Filtering


Rule-based filters scan e-mail content for predetermined words or phrases that may indicate a message is spam. For example, if an e-mail administrator includes the word “sex” on a company’s rule-based list, any e-mail containing this word will be filtered.

The major drawback of this approach is the difficulty in identifying keywords that are consistently indicative of spam. While spammers may frequently use the words “sex” and “Viagra” in spam e-mails, these words are also used in legitimate business correspondence, particularly in the healthcare industry. Additionally, spammers have learned to obfuscate suspect words by using spellings such as “S*E*X”, or “VI a a GRR A”.

It is impossible to develop dictionaries that identify every possible misspelling of “spammy” keywords. Additionally, because filtering for certain keywords produces large numbers of false positives, many organizations have found they cannot afford to rely solely on rule-based filters to identify spam.
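The trade-off described above can be measured on a handful of messages. This is an added example, not part of the original article: the keyword list and the two obfuscated spellings come from the text, while the normalization step (deleting every non-letter before matching) and the sample messages are assumptions constructed for illustration.

```python
import re

KEYWORDS = ("sex", "viagra")  # the article's example rule list


def keyword_hits(text, keywords=KEYWORDS):
    """Plain rule: case-insensitive substring match on the raw text."""
    lowered = text.lower()
    return [k for k in keywords if k in lowered]


def normalized_hits(text, keywords=KEYWORDS):
    """Same rule after deleting every non-letter, so separators placed
    between letters no longer hide a keyword (assumed countermeasure)."""
    squeezed = re.sub(r"[^a-z]", "", text.lower())
    return [k for k in keywords if k in squeezed]


# Constructed sample messages: (label, text)
SAMPLES = [
    ("spam, separators", "Hot S*E*X pics inside"),
    ("spam, respelled", "Cheap VI a a GRR A here"),
    ("legit, healthcare",
     "Formulary update: Viagra dosage guidance for cardiology patients"),
    ("legit, business", "Q3 sales exceeded forecast"),
]


def compare():
    """Return {label: (plain_hits, normalized_hits)} for every sample."""
    return {label: (keyword_hits(text), normalized_hits(text))
            for label, text in SAMPLES}


if __name__ == "__main__":
    for label, (plain, normalized) in compare().items():
        print(f"{label:20} plain={plain} normalized={normalized}")
```

Normalization recovers the separator-obfuscated keyword but still misses the respelled one, and it introduces a new false positive where "sales exceeded" collapses into a string containing the keyword. The healthcare message is flagged either way.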

Blacklists


The goal of blacklisting is to force Internet Service Providers (ISPs) to crack down on customers who send spam. A blacklisted ISP is blocked from sending e-mail to organizations. When an ISP is blacklisted, they are provided with a list of actions they must take in order to be removed from the blacklist. This controversial method blocks not just the spammers, but all of the ISP’s customers. Blacklisting is generally considered an unfriendly approach to stopping spam because the users most affected by the blacklist are e-mail users who do not send spam. Many argue blacklisting actually damages the utility of e-mail more than it helps stop spam since the potential for blocking legitimate e-mail is so high.

In addition to the ethical considerations, there are other problems with blacklists. Many blacklists are not updated frequently enough to maintain effectiveness. Some blacklist administrators are irresponsible in that they immediately block suspect servers without thoroughly investigating complaints or giving the ISP time to respond. Another downside is that blacklists are not accurate enough to catch all spam. Only about half of servers used by spammers, regardless of how diligent the blacklist administrator may be, are ever cataloged in a given blacklist.

Blacklists are used because they can be partially effective against spammers who repeatedly use the same ISP or e-mail account to send spam. However, because spammers often change ISPs, re-route e-mail and hijack legitimate servers, the spammer is a moving target. Blacklist administrators are forced to constantly revise lists, and the lag-time between when a spammer begins using a given server and when the blacklist administrator is able to identify the new spam source and add it to the blacklist allows spammers to send hundreds of millions of e-mails. Spammers consider this constant state of flux a part of doing business and are constantly looking for new servers to send spam messages.

Blacklists, therefore, have some utility in stopping known spammers. Because of their limitations, however, this data should only be used in conjunction with other sources to determine if a given message is spam.

Whitelists


Whitelists are databases of trusted e-mail sources. The list may contain specific e-mail addresses, IP addresses or trusted domains. E-mails received from a whitelisted source are allowed to pass through the system to the user’s email box. The list is built when users and e-mail administrators manually add trusted sources to the whitelist. Once built, the catch-rate for spam can be close to 100%; however, whitelists produce an inordinate number of false positives.

It is virtually impossible to produce an exhaustive list of all possible legitimate e-mail senders because legitimate e-mail can come from any number of sources. To get around this difficulty, some organizations have instituted a challenge-response methodology. When an unknown sender sends an e-mail to a user’s account, the system automatically sends a challenge back to the sender. Some challenge-response systems require the sender to read and decipher an image containing letters and numbers. The image is designed to be unreadable by a machine, but easily recognizable by a human. Spammers would not spend the time required to go through a large number of challenge-response e-mails, so they drop the address and move on to those users who don’t use such a system.

Whitelists are only partially successful and impractical for many users. For example, problems can arise when users register for online newsletters, order products online or register for online services. If the user does not remember to add the new e-mail source to their whitelist, or if the domain or source is entered incorrectly, the communication will fail. Additionally, whitelists impose barriers to legitimate e-mail communication and are viewed by some as just plain rude.

Whitelists are not widely used by e-mail users and administrators as a primary tool to fight spam because of the high number of false positives, and the difficulties in creating a comprehensive list of e-mail sources. Because whitelists are not widely used, spammers typically do not develop countermeasures. As with other spam fighting techniques, whitelists are most effective when used in conjunction with other anti-spam tools.

Bayesian Filters


Named after Thomas Bayes, an English mathematician, Bayesian Logic is used in decision making and inferential statistics. Bayesian filters maintain a database of known spam and ham, or legitimate e-mail. Once the database is large enough, the system ranks the words according to the probability they will appear in a spam message.

Words more likely to appear in spam are given a high score (between 51 and 100), and words likely to appear in legitimate e-mail are given a low score (between 1 and 50). For example, the words “free” and “sex” generally have values between 95 and 98, whereas the words “emphasis” or “disadvantage” may have a score between 1 and 4.

Commonly used words such as “the” and “that”, and words new to the Bayesian filters are given a neutral score between 40 and 50 and would not be used in the system’s algorithm.

When the system receives an e-mail, it breaks the message down into tokens, or words with values assigned to them. The system utilizes the tokens with scores on the high and low end of the range and develops a score for the e-mail as a whole. If the e-mail has more spam tokens than ham tokens, the e-mail will have a high spam score. The e-mail administrator determines a threshold score the system uses to allow e-mail to pass through to users.

Bayesian filters are effective at filtering spam and minimizing false positives. Because they adapt and learn based on user feedback, Bayesian filters produce better results as they are used within an organization over time.

Bayesian filters are not, however, foolproof. Spammers have learned which words Bayesian filters consider spammy and have developed ways to insert non-spammy words into e-mails to lower the message’s overall spam score. By adding in paragraphs of text from novels or news stories, spammers can dilute the effects of high-ranking words. Text insertion has also caused normally legitimate words that are found in novels or news stories to have an inflated spam score. This may potentially render Bayesian filters less effective over time.

Another approach spammers use to fool Bayesian filters is to create less spammy e-mails. For example, a spammer may send an e-mail containing only the phrase, “Here’s the link…”. This approach can neutralize the spam score and entice users to click on a link to a Web site containing the spammer’s message. To block this type of spam, the filter would have to be designed to follow the link and scan the content of the Web site users are asked to visit. This type of filtering is not currently employed by Bayesian filters because it would be prohibitively expensive in terms of server resources and could potentially be used as a method of launching denial of service attacks against commercial servers.
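The token scoring, the neutral band, and the two failure modes described in this section (dilution with legitimate text, and a message with almost no scorable words) can be seen in a small working filter. This is an added example, not code from the original article or from any product: the training corpora and test messages are constructed, and the way per-word scores are combined into a message score (a naive-Bayes product), the score given to unknown words, and the threshold are assumptions, since the article does not specify them.

```python
import math
import re
from collections import Counter

NEUTRAL_BAND = (40, 50)  # article: scores in this band are not used
UNKNOWN_SCORE = 45       # assumption: words new to the filter sit mid-band
THRESHOLD = 90           # assumption: administrator's cut-off


def tokenize(text):
    """Unique lower-case words of a message."""
    return set(re.findall(r"[a-z']+", text.lower()))


def train(spam_msgs, ham_msgs):
    """Score each word by how often it appears in spam versus ham.
    Clamped to 1..99 so no single word forces a product to zero."""
    spam_df = Counter(w for m in spam_msgs for w in tokenize(m))
    ham_df = Counter(w for m in ham_msgs for w in tokenize(m))
    scores = {}
    for word in set(spam_df) | set(ham_df):
        s = spam_df[word] / len(spam_msgs)
        h = ham_df[word] / len(ham_msgs)
        scores[word] = min(99, max(1, round(100 * s / (s + h))))
    return scores


def message_score(text, scores):
    """Combine the non-neutral token scores into a 0..100 message score."""
    used = [scores.get(w, UNKNOWN_SCORE) for w in tokenize(text)]
    used = [p / 100 for p in used
            if not NEUTRAL_BAND[0] <= p <= NEUTRAL_BAND[1]]
    if not used:                      # nothing but neutral/unknown words
        return UNKNOWN_SCORE
    spam_like = math.prod(used)
    ham_like = math.prod(1 - p for p in used)
    return round(100 * spam_like / (spam_like + ham_like))


# Constructed training corpora (not real mail).
SPAM = ["free pills free offer click now",
        "win the free money click here now",
        "claim the cheap pills offer now"]
HAM = ["agenda for the quarterly budget meeting",
       "please review the attached project schedule",
       "the budget meeting moved to monday"]
SCORES = train(SPAM, HAM)

# Constructed test messages.
SPAM_MSG = "free pills offer click now"
HAM_MSG = "please review the budget schedule"
DILUTED = SPAM_MSG + " " + HAM[0] + " " + HAM[1]  # spam plus pasted ham text
LINK_ONLY = "here's the link"                     # only unknown/neutral words

if __name__ == "__main__":
    for name in ("SPAM_MSG", "HAM_MSG", "DILUTED", "LINK_ONLY"):
        score = message_score(globals()[name], SCORES)
        print(f"{name:10} score={score:3} blocked={score >= THRESHOLD}")
```

With this constructed data the undiluted message scores far above the threshold, while the diluted and link-only messages fall below it, which is why the article recommends combining Bayesian scoring with other detection methods.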

As with all single-method spam filtering methodologies, Bayesian filters are effective against certain techniques spammers use to fool spam filters, but are not a magic bullet to solving the spam problem. Bayesian filters are most effective when combined with other methods of spam detection.

The Solution


When used alone, each anti-spam technique has been systematically overcome by spammers. Grandiose plans to rid the world of spam, such as charging a penny for each e-mail received or forcing servers to solve mathematical problems before delivering e-mail, have been proposed with few results. These schemes are not realistic and would require a large percentage of the population to adopt the same spam eradication method in order to be effective.

Working alone, each individual spam-blocking technique works with varying degrees of effectiveness and is susceptible to a certain number of false positives. Fortunately, the solution is already at hand. IronMail®, the secure e-mail gateway appliance from CipherTrust®, provides a highly accurate solution by correlating the results of single-detection techniques with its industry-leading correlation engine, the Spam Profiler™.

Learn more about stopping spam by requesting CipherTrust’s free whitepaper, “Controlling Spam: The IronMail Way”.

The core of IronMail’s spam capabilities, the Spam Profiler analyzes, inspects and scores e-mail on over one thousand different message characteristics. Each method is weighed based on historical accuracy rates and analysis by CipherTrust’s experienced research team.

Optimizing the Spam Profiler requires precise calibration and testing thousands of combinations of values associated with various message characteristics. To automate this process, CipherTrust developed Genetic Optimization™, an advanced analysis technique that replicates cutting-edge DNA matching models. Genetic Optimization identifies the best possible combination of values for all characteristics examined by the Spam Profiler and automatically tunes the IronMail appliance, reducing administrator intervention and assuring optimum protection against spam and spam-borne threats.

Take The Next Step


Learn more about how IronMail can secure enterprise e-mail systems by visiting www.ciphertrust.com or requesting CipherTrust’s free whitepaper, “Controlling Spam: The IronMail Way”. This resource will provide the information you need to make an informed decision about eliminating spam and securing your e-mail systems.




Article Source: http://www.BharatBhasha.com
Article Url: http://www.bharatbhasha.com/email.php/18037

About Author CipherTrust:

CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “Controlling Spam: The IronMail Way” or by visiting www.ciphertrust.com.
