Viruses, trojans, spyware and phishing may sound more sinister, but spam remains the biggest email-borne threat to businesses. Incredibly, unsolicited emails now account for almost three-quarters of all electronic traffic heading for corporate gateways around the world. Spam’s relatively innocuous name should never blind businesses to the serious harm it can cause. Quite simply, unless adequate defenses are in place, electronic junk mail will inevitably lead to overburdened inboxes, creaking networks and wasted bandwidth. An organization’s efficiency, productivity and profitability will all be prominent, immediate casualties wherever anti-spam protection is not up to the job.

Of course, spam has a very long pedigree and, over the years, email security vendors have responded by strengthening the detection and filtering techniques they offer their clients. But this is a war which escalates remorselessly. Spammers continually devise new, cunning and increasingly sophisticated ways of evading spam defenses and achieving their objectives. In autumn 2007, MessageLabs detected the emergence of a new "smart" weapon in the spammers’ arsenal — so-called "redirector" or "search engine" spam. By early 2008, this had grown into a significant threat — one that businesses need to be aware of and take effective measures to combat.

This MessageLabs whitepaper puts redirector/search engine spam under the spotlight. It explains why the phenomenon evolved and how it works. But it also pinpoints a proven, cost-effective solution to this latest manifestation of spammers’ never-ending ingenuity. The information presented here is based on MessageLabs hands-on experience of providing proven messaging and web security management services for over 17,000 clients worldwide, with around 2.5 billion attempted Simple Mail Transfer Protocol (SMTP) connections processed every day on their behalf.
URLs — A Key Battleground

Almost without exception, a spam email will target the recipient with some sort of call to action. In most cases, this will consist of a URL (Universal Resource Locator — an Internet address) accompanied by text saying "visit our online store!" or something similar. In other cases, the call to action might revolve around a phone number or a stock ticker symbol (a series of characters representing a particular listed or publicly traded stock). But including a URL is by far the technique spammers prefer.

It’s easy to see why. URLs are quick and simple to insert into emails. If clicked on, they will take the recipient of the email directly to the spammer’s website. Unlike the spam email itself — which has to be designed in a way which maximizes its chances of evading anti-spam filters — spammers are not restricted in what they can include on their websites.

Little wonder, then, that analysis of URLs contained in emails now plays a key role in efforts to identify spam and stop it from reaching its destination. For example, many security vendors now use "honeypot" systems designed with the specific intention of attracting spam. The messages captured by these honeypots can be analyzed and all "bad" or suspicious URLs extracted. (Often, this is achieved by identifying instances where the same URL appears in thousands or even hundreds of thousands of emails — a telltale sign that those emails constitute a spam run.) Any email subsequently identified as containing such a URL can then be blocked and prevented from reaching its target. This anti-spam technique is now well-tested and has proved both efficient and reliable.

To counter URL blocking, spammers have tried a number of different tactics:

- One approach is to add random hostnames and gibberish to a URL. Take the URL http://lhlgca.globren.info/?83217971&men, for example. "lhlgca" and "/?83217971&men" are not part of the core URL. But by changing them slightly in every message sent out, the spammer aims to make the messages more difficult to block. However, security vendors can counter this tactic by focusing on the actual domain part of the URL ("globren.info" in this instance).
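The following sketch is an added example, not MessageLabs code: it shows how counting by the domain part of a URL, as described above, defeats per-message random hostnames and query strings in a honeypot feed. The function names, the threshold, the small suffix set (a stand-in for the full Public Suffix List) and the sample messages are assumptions constructed for illustration; only the first sample URL comes from the page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; load the full list in production.
PUBLIC_SUFFIXES = {"info", "com", "net", "org", "co.uk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registered_domain(url):
    """Return the registrable domain (one label + public suffix), or None."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest so "co.uk" beats "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # IP literals and unknown suffixes are not keyed by domain

def flag_spam_domains(messages, threshold):
    """Map each domain seen in >= threshold distinct messages to its message count."""
    seen = defaultdict(set)
    for msg_id, body in enumerate(messages):
        for url in URL_RE.findall(body):
            domain = registered_domain(url.rstrip(".,)"))  # drop sentence punctuation
            if domain:
                seen[domain].add(msg_id)  # a set, so repeats in one message count once
    return {d: len(ids) for d, ids in seen.items() if len(ids) >= threshold}

# Constructed honeypot sample: every spam URL is unique, yet the domain repeats.
HONEYPOT = [
    "Visit our online store! http://lhlgca.globren.info/?83217971&men",
    "Visit our online store! http://qpzxrt.globren.info/?55120394&men",
    "Visit our online store! http://mmvbke.globren.info/?10774812&men",
    "Minutes from Tuesday are at http://intranet.example.org/minutes.",
]

if __name__ == "__main__":
    print(flag_spam_domains(HONEYPOT, threshold=3))
```

Counting the raw URLs in this sample would never reach the threshold, because each one appears exactly once; only the normalized domain exposes the spam run.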