All posts tagged spam

Spam volumes on the Internet are down on this time last year. Great news: we can all relax and stop worrying about our Junk or Quarantine folders, or that missing million-dollar order that might be hiding therein.

Brian Krebs wrote a great piece on the takedown of the most prolific botnets, which is thought to be the main cause of the drought in spam. It’s certainly true to say that since the likes of Spamit, Rustock, Coreflood, Pushdo and Bredolab have been knobbled, the output of spam has been noticeably lower.

Less spam is great news, but I’m worried. I suspect this eerie quiet in our spam and junk folders is a false sense of security, and one that is waiting to draw us into a more evil and harmful place.

Think about it this way. You’re a spammer…

Imagine you’ve been spamming people since 1997, persuading them to buy penny stocks, herbal enhancements and, more recently, fake AV products. You’ve been getting frustrated at the shrinking rate of return on your efforts: for the billions of spam messages you send, you’re only seeing a 0.002% return or even less; mind you, at $30 for a bottle of those fake little blue pills that’s still a few million dollars.

Why the decline? Well, because we, the vendors, are doing a better job of detecting and dealing with spam. Giving customers a 98% anti-spam SLA means we’re confident we can keep that junk and rubbish out of their inboxes. The same is true for personal or webmail accounts; providers are simply getting better at protecting users.

Then, just when you thought things couldn’t get much worse, someone shuts down your botnet, or the FBI takes away your hosting provider. Bad day at the office?

This is why I am worried…

Given the business challenges the spammers face today, it’s no surprise we’re seeing a decline in the volume of spam. But are we? The figures we’re looking at here relate to spam volumes delivered over SMTP-based email, and those have been on the wane for some time. The recent precipitous drop makes me feel uneasy about the spammers’ new business models. You might be surprised I’m using the word ‘business’ in relation to spammers – don’t be; this is their business, and they have offices, employees, health-care plans, support lines and staff retreats just like everyone else.

These business models embrace all the latest social media trends. Spammers are simply jumping on the new mechanisms we’re using to communicate; social media gives them everything they need and, in many cases, an even more targeted audience who are trained to ‘like’ the same things their peers do.

The deeper impact of this switch to less well-evolved communication channels is that the classic AV and AS protections deployed at the corporate gateway are fast being made redundant: their rules unenforced, their quarantines empty. The threats they protect against are getting onto the network via other means that in many cases are far less well protected. The point is that the spam isn’t going away; it’s just changing and adapting to the marketplace. Users might be breathing a sigh of relief when they look at their inboxes, but I can guarantee you they’re not doing the same elsewhere – try tweeting the word mortgage or loan and see what happens.

The old money was SMTP email-based spam, but just like everything else in corporate IT, consumerization is taking over; spammers & scammers are simply keeping up with the trends.

Standards work is generally conducted in what feels like slow-motion. More than a few highly-detailed conversations last for months or years. To those of us who’ve spent time in such conversations, it can be big news to learn that big news may be only a few months away. But for maximal, heart-stopping excitement, it should hint at the possibility of some day making real progress against spam.

That’s exactly what seems to be happening in the case of DKIM (DomainKeys Identified Mail), an emerging standard for cryptographically linking each message with the sending domain. In conjunction with some future developments, it could take a big bite out of “phishing” — unsolicited email pretending to come from a trusted institution.

Just a couple of weeks ago — hot off the presses, in standards time — the chair of the IETF DKIM working group made the dramatic announcement (in the first paragraph) that things are going well. This means it could be as little as a few months before DKIM becomes a Draft Standard — a misleading term that describes the highest level that successful IETF standards generally attain. (MIME, for example, is a Draft Standard.) I think DKIM will be the first spam-focused standard to complete the standards process.
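To make "cryptographically linking each message with the sending domain" concrete, here is the body-hash half of a DKIM check, written as an added example for this page (not code from the original post, the IETF working group, or any DKIM library). The sample message, the example.com domain and the sel1 selector are constructed; the b= signature over the headers, which needs the domain's RSA key published in DNS, is deliberately left empty so the block runs offline.

```python
import base64
import hashlib
import re

# Constructed sample message (not from the original post). Lines end in CRLF
# as they would on the wire; note the trailing spaces and extra blank lines.
SAMPLE_HEADERS = (
    "From: alice@example.com\r\n"
    "To: bob@example.org\r\n"
    "Subject: Hello\r\n"
)
SAMPLE_BODY = "Hi Bob,   \r\n\r\nSee you  tomorrow.\r\n\r\n\r\n"


def relaxed_body_canon(body: str) -> str:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace
    to one space, strip trailing whitespace on each line, drop empty lines at
    the end, and end a non-empty body with exactly one CRLF. This is what lets
    a relay add a trailing blank line in transit without breaking bh=."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    canon = "\r\n".join(lines)
    while canon.endswith("\r\n"):
        canon = canon[:-2]
    return canon + "\r\n" if canon else ""


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canon(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_dkim_signature_header(domain: str, selector: str, body: str) -> str:
    """Header the signing domain adds. bh= is computed here; b= (the RSA
    signature over the h= headers, made with the key published at
    <selector>._domainkey.<domain>) is left empty because producing and
    checking it needs the private key and a DNS lookup, out of scope here."""
    return (
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; "
        f"s={selector}; h=from:to:subject; bh={body_hash(body)}; b=\r\n"
    )


def build_signed_message(headers: str, body: str, domain: str, selector: str) -> str:
    return headers + make_dkim_signature_header(domain, selector, body) + "\r\n" + body


def parse_dkim_tags(header_value: str) -> dict:
    """Turn 'k=v; k=v' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(message: str) -> bool:
    """Receiver side: recompute bh= over the body as received and compare with
    the signer's value. A mismatch means the body changed after signing (or the
    header is forged), so the message must not be credited to the d= domain.
    Assumes an unfolded, single-line DKIM-Signature header."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        return False
    for line in head.split("\r\n"):
        if line.lower().startswith("dkim-signature:"):
            tags = parse_dkim_tags(line.split(":", 1)[1])
            canon = tags.get("c", "simple/simple")
            body_canon = canon.split("/")[1] if "/" in canon else "simple"
            if body_canon != "relaxed":
                return False  # only relaxed body canonicalization is implemented
            return tags.get("bh") == body_hash(body)
    return False
```

Even a fully verified signature only proves that the d= domain signed the message; a spammer can sign mail from a domain it controls, which is why the post says DKIM by itself stops nothing.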

Exciting, huh?

If you’re not accustomed to emptying the ocean with a cup, you can be forgiven if you’re breathing normally. But there are dozens of possible antispam measures not yet in use, and they will only work together effectively in the context of a very formal framework — a set of interlocking standards.

To oversimplify a bit: time favors the spammers because it takes far more computer power to examine a message than to send it. This advantage will probably last as long as Moore’s Law does. Eventually, inevitably, we will need to develop a more systematic approach integrating multiple interlocking technologies.

DKIM is, at long last, the first of those pieces. By itself, as its opponents are quick to tell us, DKIM will do NOTHING to stem the tide. But then, while a single rock can’t hold off a flood, a wall of them can.

So, it’s time to celebrate the near-completion of a decade’s work by some very good people. Even though it does almost nothing useful today. With all the energy I can muster, let’s hear it for DKIM: Hip-

[Full disclosure: Eight years ago I helped broker the peace treaty that merged DK and IIM into DKIM. And Barry Leiba is my friend.]

Chief Scientist
Mimecast


I’m currently reading a fascinating book, Evolving God, by Barbara King.  Professor King uses her years of experience studying apes as a starting point to explore how humanity evolved religion and ethics.  It turns out that we share certain aspects of morality with apes, a sign that some of our basic morality evolved over eons, going back perhaps seventy million years.

It is because of this evolutionary history that our society doesn’t struggle to manage a “Right to Eat Babies” movement, because nearly all of us have inherited a nearly instinctual morality that characterizes baby-eaters as sick, evil, or both.   Our moral battles instead focus on issues that have arisen relatively recently, in evolutionary terms.  Abortion, for example, didn’t become a battleground issue until it became a safe medical procedure in the previous century.

Email technology is younger than I am, and I don’t seem to have evolved one bit.  Our evolutionary heritage offers no guidance for many of the thorny ethical dilemmas email has created.  Our inability to agree on the definitions of right and wrong surely complicates email immensely.

Take spam: everyone, save a few sociopaths, loathes it. But I’ll go way out on a limb here and reveal that I don’t consider spam immoral. It’s a bad idea that mucks up communication and creates incredible amounts of unnecessary work and expense. In many ways, it’s more a question of judgement and etiquette than of morality. If you leave a big box of candy with a child and he eats it all, he’s shown bad judgement and perhaps greediness, but I wouldn’t call it immorality.

Now, I’m not trying to start a defense of spam.  I’m as happy as anyone to see spammers shut down, and the worst ones even jailed.  But I see spam as being in large part the fault of a communication system that has eliminated all possibility of regulating behavior through pricing.  Email is, in this sense, what the law calls an attractive nuisance.  A technology deserves some blame for the antisocial uses it facilitates.  Someone who is driving safely but over the speed limit deserves to get a ticket, but hasn’t acted immorally in my book.

This may seem like splitting hairs, but a difference of opinion over morality can easily grow into larger disagreements about laws and punishments. A thousand years ago, when abortion was a last resort because it usually killed the mother, discussions over its morality were largely academic, but they certainly aren’t today. I have heard — though I still can’t believe it — people advocate the death penalty for spammers. If that ever became a serious movement, the question of the morality of spam would take center stage for sure.

Because I believe that spam is caused by greedy, impolite people, I support filtering, voluntary authentication, moderate legal sanctions, and other countermeasures.  Someone who believes spammers violate the laws of God would likely support harsher measures.  Our evolutionary and cultural heritage gives us no guidance; there were no spammers in the savanna.

Each new technology gives us new ethical gray areas, further complicating our lives.  Email has brought us several more ethical complexities, most more subtle than the morality of spam, which I’ll discuss here in the future.  For now, though, I’ve got to go — there’s a chimpanzee who wants my help getting thousands of bananas out of Nigeria, and it seems like too good an opportunity to pass up.


Chief Scientist
Mimecast


Recently, Facebook announced a 95% reduction in certain kinds of spam.  Taken at face(book) value, that sounds like a tremendous breakthrough, but there’s less here than meets the eye, because the “certain kinds” are basically only those that are internal to Facebook, and the solutions are hard to generalize to the broader spam problem.

What Facebook has done is essentially allow users to provide feedback about which messages from Facebook applications are unwanted.  By consolidating such feedback, Facebook can block further unwanted messages to most other users, and even sometimes completely block an antisocial application.   If Facebook can be clever enough to learn like that, why can’t your email reader?

The answer is that it could, if only email weren’t so darned complicated.  In the Facebook situation, all the offending messages are being both generated and read from within Facebook.  The good folks at Facebook have complete control of the entire lifespan of such messages.  They know exactly who sent the message, how many such messages were sent, and so on.  None of this is true for your email reader.

The idea of letting users vote about spam is a good one, and not a new one; researchers at IBM and elsewhere have demonstrated the value of letting users vote about which messages are spam, and using those votes to decide which similar messages to block in the future.  But those experiments have also highlighted the difficulties.

The world of email is one of many independent actors, interacting according to well-specified standard protocols, all of which are often ignored or misunderstood.  If your mail reader gives you a button to click on when you think a message is spam, what should happen when you do so?  Obviously your mail reader needs to send your vote (which may itself be wrong or accidental) to some server that collects it, consolidates it, and feeds the result into your spam filter.

But all of the actors in this scenario are heterogeneous.  Your organization may have any number of mail reading interfaces, each of which needs to provide a button and behave similarly when it is pressed.  You might be using any of a number of spam filters, which may or may not be prepared to accept voting data, for which there is no standard representation.  Worst of all, the server that collects the spam votes can’t necessarily trust all the information it gets; your machine may be compromised by a virus, for example, that deliberately corrupts the antispam voting database by labeling good messages as spam or spam messages as good.

Facebook doesn’t have any of these problems when it deals with mail from Facebook applications to Facebook users.  It can watch exactly what users do with messages, and map that back directly to the applications that send them.  For similar reasons, spam wasn’t a big problem back in the day when email was often a closed garden, and AOL users could only send to other AOL users.  A single authority in charge of everything makes it easier to enforce rules and policies.  But who wants a single authority in charge of the whole Internet?  The cure would be worse than the disease.

The lack of a central authority is one of the defining features of the Internet, and reflects its origins in the effort to build a network that could survive nuclear war.  The result is a net that is remarkably decentralized, democratic, and chaotic.  The only way to end the chaos would be to regiment the net to an unprecedented degree, essentially to guarantee strong authentication for everyone who sends an email or does anything else on the net.  This would be nice for anyone who hates spam, but more importantly, a boon for any government that wants to crush dissent, or any corrupt organization that wants to halt all leaks and criticism.  That’s a terrible tradeoff, but I’m not terribly worried about it ever happening.  The net’s design favors the most powerful force in the universe:  chaos.  I wouldn’t bet against it.


Chief Scientist
Mimecast


Recently I wrote about the big kerfuffle where SORBS put MessageLabs on a blacklist, and MessageLabs’ customers’ emails stopped going through to SORBS’ users. I suggested that customers shouldn’t be quite so quick to point fingers, because email is a complicated business and accidents can happen to anyone.

But there’s another lesson to be learned as well. Our customers — and I’m sure some of our savvier competitors’ customers — were scarcely affected. The recipients most badly affected, almost by definition, were the ones that were overly relying on a single source of information about what is and isn’t spam. Even the most well-run, well-intentioned service will occasionally make a mistake, but it’s less likely that two will make the same mistake simultaneously. If you only absolutely block mail when two independent sources say to block it, you’re much less likely to be causing the kind of critical situations we saw last week.

At first blush, this would seem to suggest that the promise of cloud providers and appliance vendors — to take these worries out of your hands — is a false one. But in reality that depends on the way those third party providers are conceptualizing their own roles. If they are themselves making sure that a wide variety of factors are considered, you’ll probably get better results than if you did it yourself.

It’s easy, simple, and probably a mistake to give a single blacklisting agency total veto power over mail entering your site. But it’s reasonable to expect that your service provider is in fact basing such decisions on multiple sources of information. Any antispam company can, if it so chooses, base its decisions on multiple factors; the only incentive in the other direction is the potential cost of that information. When cost leads to shortcuts, decisions may sometimes be made based on isolated bad information.

At Mimecast, we subscribe and give weight to several independent blacklists, but we don’t give any of them absolute veto power over mail to our customers. Among other things, we automatically whitelist the email addresses with which our customers have communicated in the past. This means that if an email sender’s site had been blacklisted, we would be more likely to block most mail coming from that site, but would still allow mail from known correspondents.

In the current state of the art, whitelisting past correspondents simply trumps broader blacklists. No anti-spam technique is perfect; issues of identity spoofing are always present, and future countermeasures by the spammers may make this technique less valuable some day. Fighting spam well means you’re running hard just to stay in place; last week’s events give me even more confidence that we’re running in the right direction.
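The two-independent-sources rule and the past-correspondent whitelist described in the last few paragraphs, as an added example in Python (this is illustrative code written for this page, not Mimecast's; the blacklist names, host names and addresses are constructed):

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    QUARANTINE = "quarantine"  # one source objected: hold for review rather than lose the mail
    REJECT = "reject"          # reject_threshold independent sources agreed


@dataclass
class Policy:
    # name -> predicate telling whether a sending host is listed. In production each
    # predicate would be a DNSBL query; here they are constructed stand-ins.
    blacklists: dict
    # Addresses our users have already exchanged mail with (the auto-whitelist).
    known_correspondents: set = field(default_factory=set)
    reject_threshold: int = 2

    def record_correspondent(self, address: str) -> None:
        """Called when a user sends outbound mail, so the reply is never blocked."""
        self.known_correspondents.add(address.lower())

    def listed_by(self, sending_host: str) -> list:
        return [name for name, listed in self.blacklists.items() if listed(sending_host)]

    def decide(self, sender: str, sending_host: str) -> tuple:
        """Returns (verdict, names of blacklists that matched) so the reason can be logged."""
        hits = self.listed_by(sending_host)
        # A known correspondent trumps the blacklists, as the post describes. The
        # sender address is forgeable, so in a real deployment it should be
        # authenticated (e.g. DKIM-verified) before this shortcut is trusted.
        if sender.lower() in self.known_correspondents:
            return Verdict.ACCEPT, hits
        if len(hits) >= self.reject_threshold:
            return Verdict.REJECT, hits
        if hits:
            return Verdict.QUARANTINE, hits
        return Verdict.ACCEPT, hits


# Constructed data: "relay.outsourced-mail.example" stands for a large, legitimate
# outsourced relay that one list has wrongly swept up; "bulk.spamhost.example"
# is listed by both independent sources.
LISTED_BY_A = {"relay.outsourced-mail.example", "bulk.spamhost.example"}
LISTED_BY_B = {"bulk.spamhost.example"}

SAMPLE_POLICY = Policy(
    blacklists={
        "bl-a.example": lambda host: host in LISTED_BY_A,
        "bl-b.example": lambda host: host in LISTED_BY_B,
    },
    known_correspondents={"partner@customer.example"},
)
```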

As I’ve said many times, email is a very, very complicated business. That’s a good reason to outsource it, to be sure, but only to a provider with a healthy respect for the complexity of email today, and a commitment to evolve along with it into an even more complex future.


Chief Scientist
Mimecast


This week has brought us news of a battle, almost certainly unintentional, between two major antispam services.  It seems that SORBS has put MessageLabs on a blacklist that is blocking outbound email from MessageLabs customers.

Now, you might think that, since I’m Chief Scientist for a third email security company, Mimecast, I would just be sitting back and enjoying this development. But while I can’t deny that there’s a certain pleasure to be obtained from watching your competitors hit each other over the head with sticks, I think that both companies are being somewhat unfairly vilified in the popular portrayal of this little spat.

View from the sideline

To explain why I would want to defend both MessageLabs and SORBS while they’re happily beating each other up, it’s necessary to say a little about the structure and complexity of the Internet in general and antispam technology in particular. The enormous success of the Internet has come, almost entirely, from the development of clearly-specified protocols that are used by otherwise competitive parties.

Mail flows between Lotus Notes, Microsoft Exchange, Gmail, and other tools because the implementers are all doing their best — for the most part — to comply with a set of vendor-neutral standards from the IETF, such as SMTP and MIME.

This kind of “coopetition” is hard to do in any case, but it gets much harder in any security-related area, because you are fighting an active opponent. It’s hard enough to get multiple vendors to converge on a single standard and its interpretation; things get really complicated when they have to cooperate in thwarting a clever, active opponent such as a spammer. The bad guys are actively trying to find holes or ambiguities in the protocols, and to exploit them for anti-social ends.

In other words, spam control is hard, and there’s no rule book for doing it well.  Like local police who rush in to arrest a crime ring that turns out to be FBI agents on a sting operation, the good guys can easily end up shooting at each other with the best of intentions.

Of course, police work can be good or sloppy.  Maybe the FBI didn’t keep local police informed about the sting, or maybe the local police didn’t tell the FBI what they were up to.  The mere fact that they’re shooting at each other doesn’t begin to tell you who’s at fault.  I could easily believe that either SORBS, MessageLabs, both, or neither were at fault here, so I hate seeing a rush to judgement.  With most of the mechanisms fully automated, this kind of blacklisting could probably happen to any of us.

While I don’t know who to blame in this case, I am pretty sure that MessageLabs doesn’t deserve to have customers abandon it simply because of this incident, as a few have indicated they will do.  Every anti-spam company has to walk the line between aggression in fighting spam and defence against its customers being inadvertently labelled spammers.  (And note the word inadvertent:  Mimecast, for example, vets and trains its potential customers to try to ensure that they aren’t spammers, intentional or not.)

My colleagues and I are happy to offer dozens of good reasons for users of MessageLabs, SORBS, or other email security services to switch to Mimecast.   But this incident isn’t one of them.  MessageLabs was the victim of an unhappy accident, and while it may or may not share some blame with SORBS, such accidents can, in the end, happen to anyone.   Perfection is an admirable goal, but an unreasonable expectation.


Chief Scientist
Mimecast


Email vs Post in the USA

Email stats to tweet:

  • 14.4 trillion emails sent in the US vs 177bn via snail mail
  • (At least) 81% of email is spam vs only 47% of post is junk
  • For every item of post sent in the US, 81 emails are sent


Cloud Strategist
Mimecast


Not since Nimda and Code Red has there been so much excitement over a virus propagated around the Internet; the news channels are rolling out all sorts of experts for their doom and gloom opinions, and the dollar amount of lost business is already being totted up by those affected. The list of companies hit so far includes some household names like Comcast, Coca-Cola, ABC and NASA.

The similarities of the ‘Here you have’ worm and the likes of the ILOVEYOU and AnnaKournikova worms have not gone unnoticed – for example HYH uses the same subject line as AnnaKournikova!

Today I expect many of those affected by the HYH worm will be asking how it managed to propagate so well using mechanisms that have been in such wide use for the past 15 years. You have to give it to the writers of HYH: that’s a real retro-worm right there.

HYH has done alarmingly well since it was first spotted in the wild. Its worm-like characteristic of using email as a distribution mechanism is not new, but the fact that HYH dodged so many security systems is a big surprise. Could this be because too many organizations have not yet protected their users from web-borne threats by implementing URL scanning technology in both email and web browsing sessions? The Trojan-like qualities of its socially engineered download link have duped many into clicking on the malicious link; surely we should know better? HYH will also email itself to your Outlook contacts as well as copy itself through network shares and drives. All in all, HYH is a multifaceted nightmare that on the face of it looked like many of the other worms out there today – yet HYH has been hugely successful. This is perhaps a factor of distribution via email and infection via URL, where simply not enough zero-day exploit protection was afforded to users.

All of this has left many administrators with only one option, and this isn’t something they have considered for a long time – unplug the network and take everything offline until you can get on top of the problem. A sysadmin’s or network admin’s nightmare. Of those affected, some may be able to rely on external continuity systems that offer both security and continuity, but the unlucky ones are probably looking at a long weekend of cleaning and patching.

So whilst others pick apart HYH and its impact on networks and the Internet, I can’t help but notice that this whole saga forces us to once more worry about issues we thought were dealt with. The spam and virus threat isn’t something that’s going to go away, and if anything HYH shows us that it is still possible for chaos to erupt at a moment’s notice. Chaos that can clearly come from the most unexpected direction.

Now is the time to review your setup: email security isn’t a done deal, it’s a dynamic system that needs attention. If you haven’t already, consider the HYH chaos as a source of downtime and add that scenario to your continuity plan. And, last but not least, go back to the users and re-educate them on the threats that are clearly still out there.

Our friends at MessageLabs released their monthly Intelligence Report this week. A number of other outlets and blogs have already reported on the prevalence of the Rustock botnet, accounting for up to 41% of spam. The MessageLabs report also goes on to highlight the current spam rate at an alarmingly high 92.2%, up from 88% in July.

How did we get here? How have we managed to put up with this nonsense for so long? The rise of botnets like Rustock, Grum, Lethic and Storm has made the problem more significant, and things are only going to get worse. We seem no closer to a solution to the spam problem than ever.

There has been much lambasting of Bill Gates since 2004 when he famously said that by 2006 “… spam will soon be a thing of the past.” Gates predicted that spam would be killed through the electronic equivalent of a stamp, and at the time various vendors were dabbling in similar standards-driven methods for authenticating genuine email and its sender. If only we understood then how important the botnet would become in the global spam problem.

The FUSSP

There is a concept in the anti-spam world called the FUSSP, an acronym for the Final Ultimate Solution to the Spam Problem; when you think you have the FUSSP you may submit it to fussp.org and the IETF, but there is a long list of criteria your FUSSP must fulfil – for example, if your idea requires all SMTP gateways in the world to be the same, or a replacement for SMTP, you have already failed.

Asking the world for the FUSSP is a great demonstration of crowd-sourcing a solution to a problem – but I can’t help but think that we’re missing an opportunity here.

A Coalition?

What if we, the collective email security vendors of the world, united to form an alliance against spam, viruses and phishing? We already have the knowledge, research and technology to do this, but we choose to use it competitively rather than collaboratively. In a sense we would collectively BE the FUSSP.

This is a big problem that requires a big-thinking solution, bigger than each of us can imagine individually – if we could form this coalition we might be able to win this battle once and for all.

Then again, would a coalition be as agile as the dark forces driving the dark SMTP traffic business?
Or would it simply get so bogged down by bureaucratic red tape that it never managed to realise its goals?

As per usual the greater good comes in second place and the users of email systems suffer…

Please comment and let’s see what you think; I would like to see if anyone thinks this could work!

There is a race being run right now, a race that never ends, where the participants can’t stop for a breather, one of those races you keenly enter, but halfway through ask yourself why am I doing this again?

It’s the sort of race that appears to chase a point that is constantly moving with the horizon.

Running into the sunset

Enough of the race & horizon metaphor…

What I’m talking about is the constant cat-and-mouse game that we all play with the spammers, phishers, virus writers and general internet nasties. Almost every user who is exposed to the Internet understands the sort of problems that exist. Email administrators in particular have the tricky job of protecting their users and are best placed to understand the problem. But keeping up with the ever-changing threat landscape is a constant balance and battle, and takes dedication if you’re prepared to fight that fight yourself.

Research tells us that senders of malicious email, (by which I mean spam, virus, phishing and all the other junk out there) are trying to get each individual piece of malicious email into your inbox within 11 minutes of the time they release it to the wild. If it takes longer, they move on. Why is this? Because within those 11 minutes the security vendors of the world have detected the new threat and have started to issue updates to protect their client base against it.

As with most things the early bird does indeed get the worm, or in this case your inbox gets the worm (or spam, or phishing attack).

Many on-site security appliances and software solutions have these updates pushed down to them by their respective vendors, which is a great idea but strikes me as a little too slow. If this is all about speed, we really need to be thinking about the fastest and most efficient way of keeping up.

If I were a spammer…

…or virus writer, I would be depending on, and even taking advantage of, the slow reaction of you or your security vendor; I would be hoping that someone somewhere isn’t as alert as perhaps they should be.

Of course, in my new dark world of spamming, phishing and viruses, the nature of my business is speed and money. The faster I am, the more money I make. I will be preying on people who don’t think like this, people who are slower than I am.