In the beginning
Spam (unsolicited bulk advertising via email) made its first appearance in the mid 1990s, i.e. as soon as enough people were using email to make this a cost-effective form of advertising. By 1997, spam was regarded as being a problem, and the first Real-Time Black List (RBL) appeared in the same year.
Spammer techniques have evolved in response to the appearance of more and better filters. As soon as security firms develop effective filters, spammers change their tactics to avoid the new spam blockers. And this leads to a vicious circle, with spammers re-investing profits into developing new techniques to evade new spam filters. The situation is spiralling out of control.
The development of spammer techniques
Direct mailing
Initially, spam was sent directly to users. In fact, spammers didn't even need to disguise the sender information. This early spam was easy enough to block: if you black listed specific sender or IP addresses, you were safe. In response, spammers began spoofing sender addresses and forging other technical information.
Open Relay
In the mid-1990s all email servers were open relay - any sender could send an email to any recipient. Spam and other security issues led administrators to start reconfiguring mail servers worldwide. However, the process was relatively slow, and not all mail server owners and administrators were willing to cooperate. Once the process was well underway, security analysts began scanning for the remaining open relay mail servers. These DNS RBLs were made available, making it possible for,security conscious administrators to block incoming mail from listed servers. However, open relay servers are still used for mass mailing.
Modem Pool
As soon as sending spam via open relay became less efficient, spammers began to use dial up connections. They exploited the way in which ISP providers structured dial up services and utilized weaknesses in the system:
* As a rule, ISP mail servers forward incoming mail from clients.
* Dial-up connections are supported by dynamic IP addresses. Spammers can therefore use a new IP address for every mailing session.
In answer to spammer exploitation, ISP providers began to limit the number of emails a user could send in any one session. Lists of suspect dial-up addresses and filters which blocked mail from these addresses appeared on the Internet.
Proxy servers
The new century saw spammers switching to high-speed Internet connections and exploiting hardware vulnerabilities. Cable and ADSL connections allowed spammers to send mass mailing cheaply and quickly. In addition, spammers rapidly discovered that many ADSL modems had built-in socks servers or http proxy servers. Both are simply utilites that divide an Internet channel between multiple computers. The important feature was that anybody from anywhere in the world could access these servers since they had no protection at all. In other words, malicious users could use other people's ADSL connections to do whatever they pleased, including, naturally, sending spam. Moreover, the spam would look as if it had been sent from the victim's IP address. Since millions of people worldwide had these connections, spammers had a field day until hardware manufacturers began securing their equipment.
Zombie or bot networks
In 2003 and 2004 spammers sent the majority of mailing from machines belonging to unsuspecting users. Spammers use malware to install Trojans on users' machines, leaving them open to remote use. Methods used to penetrate victim machines include:
* Trojan droppers and downloaders injected into pirate software which is distributed via file sharing P2P networks (Kazaa, eDonkey etc.).
* Exploiting vulnerabilities in MS Windows and popular applications such as IE & Outlook.
* Email worms
Anyone who has the client part of a program which controls the Trojan that has infected a victim machine controls the machine or network of victim machines. The resulting networks are called bot networks, and are sold and traded among spammers.
Analysts estimate that Trojans are installed on millions of machines worldwide. Modern Trojans are sophisticated enough to download new versions of themselves, download and execute commands from specified websites or IRC channels, send out spam, conduct DDoS attack and much more.
The development of spam content
Content Analysis
Many spam filters work by analysing the content of a message: the message subject, body, and attachments. Spammers today expend significant resources on developing content which will evade content filters.
Simple text and HTML
Originally, spam was simple: identical messages were sent to everyone on a mailing list. These emails were laughably easy to filter out due to the quantity of identical texts.
Personalised mail
Spammers then began to include a greeting based on the recipient's address. Since every message now contained a personalised greeting, filters which blocked identical messages did not detect this type of spam. Security experts developed filters that identified unchanging lines, which would then be added to filtration rules. They also developed fuzzy signature matching, which would detect text which only had minor changes, and statistic based self-modifying filtration technologies such as Bayesian filters.
Random text strings and invisible text
Spammers now often place either text strings from legitimate business emails, or random text strings at the beginning or end of emails in order to evade content filters. Another method used to evade filters is to include invisible text in HTML-format emails: the text is either too tiny to see or the font color matches the background.
Both methods are fairly successful against content and statistical filters. Analysts responded by developing search engines that scanned emails for such typical texts, which also conducted detailed HTML analysis and sophisticated content analysis. Many antispam solutions were able to detect such tricks without even analysing the content of individual emails in detail.
Graphics
Sending spam in graphics format makes it very hard to detect. Analysts are developing methods for extracting and analyzing text contained in graphics files.
Paraphrasing texts
A single advertisement can be endlessly rephrased, making each individual message appear to be a legitimate email. As a result, antispam filters have to be configured using a large number of samples before such messages can be detected as spam.
No comments:
Post a Comment