Spam: Bigger, Faster, and More Dangerous
Recent statistics on the growth and cost of spam are sobering. According to threat data from MX Logic, the United States receives 33.5 percent of all spam—more than any other country. While it is true that anti-spam technology has come a long way toward blocking unwanted email, the technical aptitude and wherewithal of spammers is on par with, and at times much greater than, that of those who design preventative solutions.
Regardless of vendor-proclaimed prowess, spam continues to leak through email gateways at an alarming rate. “According to analyst firm Radicati, spam accounts for nearly 75 percent of messaging traffic and is set to grow to 82 percent by 2011,” notes Chris Bradley, VP of marketing and business development at MessageGate. Not only is spam growing, but the objectives behind it, as well as the methods employed, have significantly raised the stakes. What used to be nothing more than an annoyance is now a serious threat—increasingly used as an attack vector for the proliferation of viruses, phishing, and worms. The explosive growth of spam also puts considerable financial strain on the enterprise. Ferris Research predicts that spam will cost companies $140 billion USD worldwide in 2008—$42 billion in the U.S. alone.
Spammer Ingenuity
Abaca Technology Corporation attributes the rising cost of spam to its increasing volume coupled with the growing sophistication of the spammers. Steve Kirsch, founder and chairman of the board for Abaca, points out that spammers are getting more adept at cracking CAPTCHAs (Completely Automated Public Turing Test to tell Computers and Humans Apart), so that they can launch their attacks directly from Internet Service Providers (ISPs), such as Hotmail and Google.
CAPTCHAs—which ask a user to type a random series of letters and numbers into a box before allowing a message to be sent—were designed to help identify approved senders, while weeding out autobots. Spammers, on the other hand, have developed unique algorithms and applications able to defeat the CAPTCHA, making their brand of spam especially difficult to detect. “Some spammers are using techniques to mask spam, such as integrating personal information to make messages more believable,” Bradley adds, “thus [they are] more likely to be successful.”
“Much more malicious and dangerous spam is being circulated today,” believes Sam Masiello, director of Threat Management for MX Logic. “Many attribute the shift to a change in mindset amongst spammers. Until a few years ago, cyber criminals were primarily motivated by notoriety—to see if they could outsmart the filters and to achieve bragging rights in the underground community. Today, more and more spammers are motivated by economics, largely driven by the underground black-market for personal information such as credit card numbers, Social Security numbers and so on.”
When Size Matters
MessageGate predicts that the ongoing daily problems with email will only continue to get worse, noting that a company with 5,000 active email users should expect 900 or more unauthorized releases of private information and around 150 unwanted, questionable emails daily. When the experts say that spam is getting worse, not only are they referring to the types of emails coming through the filters, but also the volume. Bandwidth consumption is commonly listed among the dangers of spam. Why? “Spammers can hijack 90 percent or more of a network’s bandwidth,” explains Kirsch. “A good spam filter can protect this resource by filtering messages before they reach the network or mail server. Additional memory does not solve the problem, especially with the growing volume of spam hitting these networks. As the volume of spam increases, it becomes increasingly necessary to accurately identify which traffic should be blocked.”
Masiello adds that spam volume affects large companies and ISPs the most, often having little impact on the average employee. “The increasing volume means that companies, IT managers, and ISPs have to continue increasing their filtering capabilities. Of course this requires them to spend more money and use more resources. In addition, the more spam pollution on the Internet highway, the less reliable and efficient email becomes for us all.”
“Think of your local freeway or highway,” explains Masiello. “The more people driving the highways, the slower and less reliable the highway transportation system is.” One solution is to build more highways, but that approach has limits, warns Masiello. Similarly, the Internet highway has limits. “What’s changed in the last two years is the dramatic increase in spam traffic. In early 2004 spam levels hovered around 66 percent of all email traffic. By mid 2006 this percentage rose to about 73 percent. Fast forward to today—spam now accounts for as much as 95 percent of all email traffic crossing the Internet.”
Merely adding more hardware and upgrading existing infrastructure is not a solution. Masiello points out that servers are only upgradeable to a point before it’s necessary to buy entirely new systems. “Organizations are only willing to spend so much to horizontally scale out their mail systems to stop traffic that will never end up in their users’ inboxes. A primary question for service providers and organizations alike is, ‘how will you identify malicious traffic faster, and drop the connection so that a minimum amount of systems resources on their servers are utilized?’”
“Once Burned” Need Not Apply
User education remains at the top of the list for business best practices. Why, then, after endless coverage of terrible email viruses, would seemingly intelligent individuals open the “Hi, it’s me!” attachment?
“While it may seem difficult to imagine anyone falling for [phishing attacks], keep in mind that these messages are sent to tens or even hundreds of millions of people. Even if .0001 percent out of 100 million people opens the email, that’s 100 people. It generally doesn’t cost the spammer any more to send one message versus one billion messages. It’s simply a numbers game. In the end, deliverability equals profitability for the spammer,” said Masiello.
Many of today’s spam or phishing attacks are designed around social engineering. Meant to pique the recipients’ interest, spammers choose topics they believe will catch people’s attention. As Kirsch explains it, effective social engineering is the single most important factor to any cyber crime campaign. “If the tactic used doesn’t grab someone’s attention and make them want to click the link or open the attachment in the email, then the ROI to the spammer will be significantly reduced.”
Kirsch adds that user education only goes so far: “Phishing attacks are cleverly designed to elicit a response. Clearly, we need both better techniques to detect them and also better user education.” Eradicating spam may not be possible in our lifetime. As long as there is human curiosity, opened attachments will open doors in the enterprise network.
Expert Recommendations and Advice
Organizations need to be protected, believes Sam Masiello, director of Threat Management for MX Logic. He suggests the following steps:
- Invest in a top-notch email and virus filtering solution. Consider a managed service with the benefit that it does not need to be installed, monitored or upgraded by the company. It’s all done automatically.
- Educate employees. Do not limit training to email security. Threats can be accessed and delivered via the Web, IM, and even cell phones.
- Establish clear guidelines. The majority of security breaches and data loss incidents are the result of human error.
Steve Kirsch, founder and chairman of the board for Abaca Technology, recommends that organizations:
- Select a spam filter that does not rely on content filtering or heuristics, both of which are easily defeated by spammers.
- Reduce the volume of spam that consumes the company network. Choose a solution that does not rely on content to rate the message.
- Increase overall security. Make sure to have some sort of phishing protection in the browser selected.