Let’s start with the good news: According to Kaspersky, in 2013, the proportion of spam in email flows was 70%, which is 2.5 percentage points lower than in 2012. The bad news is that spam that does get through is far more dangerous. According to John Levine, chairman of the Internet Research Task Force's Anti-Spam Research Group (ASRG) and president of the Coalition Against Unsolicited Commercial E-mail, "The ongoing threat is that spam is now essentially 100% criminal, and it's as likely to try to plant bank-account-stealing malware either directly or via links to compromised websites as to sell you something." Ow!
Levine's not the only one who sees spam in 2014 as darker than ever. Michael Osterman, head of Osterman Research, a messaging research firm, completely agrees with Levine. “The fundamental shift in spam has been from a 'legitimate' commerce perspective toward one that is much more focused on malware distribution and other criminally-focused activities,” Osterman says. “I wouldn't go so far as to say that spam is near 100% criminal in intent quite yet, but it certainly is approaching that."
Lest you think e-mail is becoming less important in these days of social networks, instant-messaging, and texting, contemplate this statistic from The Radicati Group, which specializes in studying e-mail: "Email remains the go-to form of communication in the Business world. In 2013, business email accounts total 929 million mailboxes. This figure is expected to grow at an average annual growth rate of about 5% over the next four years, and reach over 1.1 billion by the end of 2017." In short, your clients are going to need spam protection for years to come.
New Developments in Email Spam
Spam is evolving superficially, but at its core, its goal remains the same: Get someone to give you something they otherwise wouldn't, observes Dexter Davies, Spam Operations Center Supervisor for EdgeWave, a cloud-based security company. “Ultimately, a spammer is trying to con someone out of money, information, or access,” he says. “There's always some back-and-forth on the technological front, but spam is really about targeting a human element, and as such always falls back on social engineering."
The technology of spam – the manner in which it’s delivered – changes slowly. A spokesperson for Bitdefender, best known as an anti-virus company, says, "Spam is one of the cyber-crime areas that has changed the least in its existence though it is re-inventing itself successfully year after year." Spam's packaging, for example, keeps getting more sophisticated.
The Bitdefender spokesperson continues, "Presentation-wise, spammers are extremely inventive and find new techniques to deliver their message through spam filters and blacklists. First off, spammers read the news. This keeps them up to date with whatever is of interest to people worldwide at a given point and helps them generate credible lures for the intended victims. If, for instance, a political conflict is making the headlines, the next spam campaign will be an adapted Nigerian scam along with dating and employment cons. If a Hollywood celebrity is getting divorced, the campaign will include spam e-mails with bogus links towards naked pictures or exclusive videos."
EdgeWave’s Davies points out, too, that phishing has gotten more sophisticated. “Old phish would only go so far as to have the logo of the entity they claimed to be from; modern stuff is more likely to completely replicate an entire legitimate message from that entity and slightly alter it to either have links point to a malicious website which will look identical to that entity's actual site, or have a log-in dialogue on the box that sends your information some place attackers can collect it."
The content of spam is evolving to become more dangerous in new ways. For instance, Nick Gonzalez, a spokesperson for the security company Barracuda Labs, observes, “One new way we’ve seen are campaigns that use embedded Excel spreadsheets. The spammers break the words into individual cells to bypass the anti-spam tools. When viewed in an email it looks like a typical HTML attachment but it’s much more difficult to analyze."
Another new technique Gonzalez notes is that spammers are changing how they code their message templates. “Spammers send messages containing forms filled with their spammy message in order to avoid shallow scans. After all, a spam engine would likely not scan areas of the messages that are supposed to be filled in by the very user,” he says.
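Both evasion techniques Gonzalez describes, text split across cells and text placed in pre-filled form fields, can be countered by normalizing the message before matching. The Python code below is an added example, not code from Barracuda Labs or any vendor quoted here; the keyword list and sample message are constructed for the demo, and HTML table cells stand in for the spreadsheet cells.

```python
import re
from html.parser import HTMLParser

# Constructed watch-list and message for the demo, not taken from real mail.
KEYWORDS = ("verify your account", "wire transfer")
SAMPLE = """<p>Quarterly figures attached.</p>
<table><tr><td>wi</td><td>re</td><td>tra</td><td>ns</td><td>fer</td></tr></table>
<form action="#"><input name="note" value="Please verify your account today"></form>"""

class Extractor(HTMLParser):
    """Sorts message text into body text, table-cell text and pre-filled form values."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.body, self.cells, self.fields = [], [], []
        self.in_cell = self.in_area = False

    def handle_starttag(self, tag, attrs):
        self.in_cell = self.in_cell or tag in ("td", "th")
        self.in_area = self.in_area or tag == "textarea"
        if tag == "input" and dict(attrs).get("value"):
            self.fields.append(dict(attrs)["value"])

    def handle_endtag(self, tag):
        self.in_cell = self.in_cell and tag not in ("td", "th", "tr", "table")
        self.in_area = self.in_area and tag != "textarea"

    def handle_data(self, data):
        target = self.fields if self.in_area else self.cells if self.in_cell else self.body
        target.append(data)

def hits(text, collapse=False):
    """Keywords found in text; collapse=True drops all whitespace on both sides first."""
    squash = lambda s: re.sub(r"\s+", "" if collapse else " ", s.lower())
    hay = squash(text)
    return sorted(k for k in KEYWORDS if squash(k) in hay)

def shallow_scan(html):
    """Baseline: strip tags (and with them attribute values), then match keywords."""
    return hits(re.sub(r"<[^>]+>", " ", html))

def deep_scan(html):
    """Scan body text, cell fragments glued back together, and form-field values."""
    p = Extractor()
    p.feed(html)
    p.close()
    views = [("body", " ".join(p.body), False), ("cells-joined", "".join(p.cells), True),
             ("form-fields", " ".join(p.fields), False)]
    return {name: h for name, text, collapse in views if (h := hits(text, collapse))}
```

Gluing cell fragments together with all whitespace removed can also match across legitimate word boundaries, so a `cells-joined` hit is better treated as one signal to weigh than as a verdict.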
What to Do About Email Spam
So what can you do to protect your clients from spam? Levine suggests that you look for spam-filtering services that use big data programs. "On the filtering side, the news is big data,” he says. “Gmail is state of the art, and their filters are different for every recipient, adaptively filtered based on what they've gotten, what they've complained about or moved among folders, and doubtless other secret stuff."
Google isn't the only group targeting spam with big data filtering techniques. Yahoo has been working on Samoa, an open-source, big data spam-filtering program. Its premise is that old models for mail spam detection get outdated with time; but since a big data-based model can be constantly updated with new data (i.e., spam reports), your filters can stop new spam far faster. Yahoo's not the only one working on this technique. Developers are also using Storm and S4 for possible anti-spam work.
These are largely works in progress.
For solving today’s spam problem, Jonas Falck, CEO of Halon Security, is an advocate of the open-source protocol Domain-based Message Authentication, Reporting & Conformance (DMARC). Many of today’s top online payment processors, such as eBay, PayPal, and Google, already use DMARC to verify their email distributions.
Falck believes that it is time that DMARC became standardized for enterprises, hosting companies, and email providers to get rid of phishing emails for good. While Halon Security was the first commercial vendor to integrate DMARC with an on-premise security solution, he says, PayPal introduced DMARC in 2007 with Yahoo. “Now other enterprises, financial institutions, brands, etc. are beginning to adopt DMARC. However, the rate of adoption is still not fast enough," Falck says. He is okay with the idea of other companies adopting DMARC even if they don't use his company's implementation.
Traditional server-based spam protection programs, such as the newly-renovated SpamAssassin, still have their place. Other spam killers, such as those offered by Bitdefender, come with software development kits as well as help in customizing their programs for your customers.
At day's end, there's no perfect solution. Looking over the anti-spam field, Osterman says, "From what I have seen, the techniques are mostly evolutionary; nothing really new or innovative that has had a marked impact on the effectiveness of anti-spam filtering. The fundamental problems with spam filtering are a) that much of it is 'graymail,' or content that users have opted to receive but might not want on a particular day; and b) the resistance to false positives. The traditional approaches like Bayesian filtering, keyword filtering, blacklists, etc. work reasonably well, although newer techniques like link analysis are better at catching blended threats."
I wish I could recommend a best program or service for you to deploy for your customers, but I can't. As Osterman says, "In terms of vendor effectiveness, I have not seen a good spam bake-off in a long time. Vendors are understandably reluctant to participate, and agreement on the appropriate corpus of spam is always a sticking point."
So, the best you can do is to look at what's currently available in the market to fight spam; test it for yourself and for your clients. Then, when you've found a good one, you can deploy it to your customers.
By Gretchen Hoffman