How Spammers Fool Spam Filters

Written by CipherTrust

And How to Stop Them

Effectively stopping spam over the long term requires much more than blocking individual IP addresses and creating rules based on keywords that spammers typically use. The increasing sophistication of tools spammers use, coupled with the increasing number of spammers in the wild, has created a hyper-evolution in the variety and volume of spam. The old ways of blocking the bad guys just don’t work anymore.

Examining spam and spam-blocking technology can illuminate how this evolution is taking place and what can be done to combat spam and reclaim e-mail as the efficient, effective communication tool it was intended to be.

There are several widely-used methods for filtering spam, each of which can be defeated by spammers to some degree. Understanding the strengths and weaknesses of each approach and the methods spammers use to defeat them is the basis of an effective, comprehensive anti-spam strategy.

Signature-based Filters

Signature-based filters examine the contents of known spam, usually derived from honey pots, or dummy e-mail addresses set up specifically to collect spam. Once a honey pot receives a spam message, the content is examined and given a unique identifier. The unique identifier is obtained by assigning a value to each character in the e-mail. Once all characters have been assigned a value, the values are totaled, creating the spam’s signature. The signature is added to a signature database and sent as a regular update to the e-mail service’s subscribers. The signature is compared to every e-mail coming in to the network and all matching messages are discarded as spam.

The benefit of signature-based filters is that they rarely produce false-positives, or legitimate e-mail incorrectly identified as spam.

The drawback of signature-based filters is that they are very easy to defeat. Because they are backward-looking, they only deal with spam that has already been sent. By the time the honey pot receives a spam message, the system assigns a signature, and the update is sent and installed on the subscribers’ network, the spammer has already sent millions of e-mails. A slight modification of the e-mail message will render the existing signature useless.

Furthermore, spammers can easily evade signature-based filters by using special e-mail software that adds random strings of content to the subject line and body of the e-mail. Because the variable content alters the signature of each e-mail sent by the spammer, signature-based spam filters are unable to match the e-mail to known pieces of spam.

Developers of signature-based spam filters have learned to identify the tell-tale signs of automated random character generation. But as is often the case, spammers remain a step ahead and have developed more sophisticated methods for inserting random content. As a result, most spam continues to fool signature-based filters.
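The signature scheme described in this section, worked through in Python as an added example (this is not CipherTrust's code). It implements the sum-of-character-values signature, shows that a single appended padding string breaks the exact match, and adds one illustrative heuristic for the "tell-tale signs" of machine-generated padding (long tokens mixing digits or letter case, high character entropy, almost no vowels). The sample message, the padding token and the thresholds are all constructed for the example.

```python
import math
import re
from collections import Counter


def char_sum_signature(text: str) -> int:
    """The signature as the article describes it: give every character a
    value (here its Unicode code point) and total the values."""
    return sum(ord(ch) for ch in text)


def matches_known_spam(text: str, signature_db: set) -> bool:
    """Exact-match lookup against the distributed signature database."""
    return char_sum_signature(text) in signature_db


def token_entropy(token: str) -> float:
    """Shannon entropy (bits per character) of a token."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_padding_tokens(text: str, min_len: int = 8,
                          entropy_floor: float = 3.0,
                          vowel_ceiling: float = 0.25) -> list:
    """Heuristic for machine-generated padding: long tokens that mix digits
    or letter case, have high character entropy and almost no vowels.
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = []
    for tok in re.findall(r"\w+", text):
        if len(tok) < min_len:
            continue
        has_digit = any(ch.isdigit() for ch in tok)
        mixed_case = not (tok.islower() or tok.isupper() or tok.istitle())
        vowel_ratio = sum(ch in "aeiouAEIOU" for ch in tok) / len(tok)
        if ((has_digit or mixed_case)
                and token_entropy(tok) >= entropy_floor
                and vowel_ratio < vowel_ceiling):
            flagged.append(tok)
    return flagged


# Constructed sample: a "known" spam message as a honey pot might collect it.
KNOWN_SPAM = "Buy cheap meds now! Visit our site for great deals."
SIGNATURE_DB = {char_sum_signature(KNOWN_SPAM)}

if __name__ == "__main__":
    padded = KNOWN_SPAM + " qZ7kL9vX2m"  # same spam plus a constructed random token
    print(matches_known_spam(KNOWN_SPAM, SIGNATURE_DB))  # True
    print(matches_known_spam(padded, SIGNATURE_DB))      # False: sum no longer matches
    print(random_padding_tokens(padded))                 # ['qZ7kL9vX2m']
```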

Rule-based (Heuristic) Filtering

Rule-based filters scan e-mail content for predetermined words or phrases that may indicate a message is spam. For example, if an e-mail administrator includes the word “sex” on a company’s rule-based list, any e-mail containing this word will be filtered.

The major drawback of this approach is the difficulty in identifying keywords that are consistently indicative of spam. While spammers may frequently use the words “sex” and “Viagra” in spam e-mails, these words are also used in legitimate business correspondence, particularly in the healthcare industry. Additionally, spammers have learned to obfuscate suspect words by using spellings such as “S*E*X” or “VI a a GRR A”.

It is impossible to develop dictionaries that identify every possible misspelling of “spammy” keywords. Additionally, because filtering for certain keywords produces large numbers of false positives, many organizations have found they cannot afford to rely solely on rule-based filters to identify spam.
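The obfuscation and false-positive problem described above, worked through in Python as an added example (not CipherTrust's code). A normalizer strips separators and collapses repeated letters so that “S*E*X” and “VI a a GRR A” fold back to the listed keywords; an aggressive substring variant catches the spacing trick but also fires on an innocent place name, while a conservative whole-token variant avoids that misfire and lets the spacing trick through. The keyword list and sample messages are constructed for the example.

```python
import re

# Constructed keyword list for illustration; a real list is tuned per organization.
KEYWORDS = {"sex", "viagra"}


def squash(text: str) -> str:
    """Keep only letters, lower-case them and collapse repeated letters,
    so "S*E*X" -> "sex" and "VI a a GRR A" -> "viagra"."""
    letters = re.sub(r"[^a-z]", "", text.lower())
    return re.sub(r"(.)\1+", r"\1", letters)


def loose_hits(text: str, keywords=KEYWORDS) -> list:
    """Aggressive matching: squash the whole message and look for each
    keyword as a substring. Catches cross-token obfuscation, but also
    fires on words that merely contain a keyword (e.g. "Middlesex")."""
    body = squash(text)
    return sorted(k for k in keywords if squash(k) in body)


def strict_hits(text: str, keywords=KEYWORDS) -> list:
    """Conservative matching: squash each whitespace-delimited token and
    require a whole-token match. Fewer false positives, but the spacing
    trick ("VI a a GRR A") slips through."""
    wanted = {squash(k): k for k in keywords}
    found = {wanted[t] for t in (squash(tok) for tok in text.split()) if t in wanted}
    return sorted(found)


if __name__ == "__main__":
    legit = "Our Middlesex clinic reviewed the Viagra trial"   # constructed legitimate mail
    spammy = "Buy VI a a GRR A today"                          # constructed obfuscated spam
    print(loose_hits(spammy))   # ['viagra']
    print(strict_hits(spammy))  # []
    print(loose_hits(legit))    # ['sex', 'viagra']  <- "Middlesex" is a false positive
    print(strict_hits(legit))   # ['viagra']
```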


Blacklists

The goal of blacklisting is to force Internet Service Providers (ISPs) to crack down on customers who send spam. A blacklisted ISP is blocked from sending e-mail to organizations. When an ISP is blacklisted, it is provided with a list of actions it must take in order to be removed from the blacklist. This controversial method blocks not just the spammers, but all of the ISP’s customers. Blacklisting is generally considered an unfriendly approach to stopping spam because the users most affected by the blacklist are e-mail users who do not send spam. Many argue blacklisting actually damages the utility of e-mail more than it helps stop spam since the potential for blocking legitimate e-mail is so high.

In addition to the ethical considerations, there are other problems with blacklists. Many blacklists are not updated frequently enough to maintain effectiveness. Some blacklist administrators are irresponsible in that they immediately block suspect servers without thoroughly investigating complaints or giving the ISP time to respond. Another downside is that blacklists are not accurate enough to catch all spam. Only about half of the servers used by spammers, regardless of how diligent the blacklist administrator may be, are ever cataloged in a given blacklist.

Blacklists are used because they can be partially effective against spammers who repeatedly use the same ISP or e-mail account to send spam. However, because spammers often change ISPs, re-route e-mail and hijack legitimate servers, the spammer is a moving target. Blacklist administrators are forced to constantly revise lists, and the lag time between when a spammer begins using a given server and when the blacklist administrator is able to identify the new spam source and add it to the blacklist allows spammers to send hundreds of millions of e-mails. Spammers consider this constant state of flux a part of doing business and are constantly looking for new servers from which to send spam messages.

Blacklists, therefore, have some utility in stopping known spammers. Because of their limitations, however, this data should only be used in conjunction with other sources to determine if a given message is spam.


Whitelists

Whitelists are databases of trusted e-mail sources. The list may contain specific e-mail addresses, IP addresses or trusted domains. E-mails received from a whitelisted source are allowed to pass through the system to the user’s e-mail box. The list is built when users and e-mail administrators manually add trusted sources to the whitelist. Once built, the catch rate for spam can be close to 100%; however, whitelists produce an inordinate number of false positives.

It is virtually impossible to produce an exhaustive list of all possible legitimate e-mail senders because legitimate e-mail can come from any number of sources. To get around this difficulty, some organizations have instituted a challenge-response methodology. When an unknown sender sends an e-mail to a user’s account, the system automatically sends a challenge back to the sender. Some challenge-response systems require the sender to read and decipher an image containing letters and numbers. The image is designed to be unreadable by a machine, but easily recognizable by a human. Spammers would not spend the time required to go through a large number of challenge-response e-mails, so they drop the address and move on to those users who don’t use such a system.

Whitelists are only partially successful and impractical for many users. For example, problems can arise when users register for online newsletters, order products online or register for online services. If the user does not remember to add the new e-mail source to their whitelist, or if the domain or source is entered incorrectly, the communication will fail. Additionally, whitelists impose barriers to legitimate e-mail communication and are viewed by some as just plain rude.

Whitelists are not widely used by e-mail users and administrators as a primary tool to fight spam because of the high number of false positives and the difficulties in creating a comprehensive list of e-mail sources. Because whitelists are not widely used, spammers typically do not develop countermeasures. As with other spam fighting techniques, whitelists are most effective when used in conjunction with other anti-spam tools.

Detecting and Eliminating Computer Viruses at the Gateway

Written by CipherTrust

Traditional anti-virus software only stops known computer viruses – stopping undefined computer viruses requires a different approach.

In the past, network administrators scrambled to apply new virus signatures whenever new computer viruses were discovered. While these signatures will stop a known threat, it takes time for anti-virus vendors to develop them. Unfortunately, the newest and most damaging viruses are able to spread so quickly that the damage is done before a signature can be developed and distributed.

In fact, the independent testing laboratory found the response times for major anti-virus software publishers to range from just under 7 hours to almost 30 hours, with the four leading vendors (Sophos, McAfee, Symantec and Trend Micro) clocking in at no less than 12 hours.

In January 2004, the computer virus known as “MyDoom” created mass disruption to corporate resources and reputations as it quickly spread through e-mail networks worldwide. At its peak, MyDoom infected one in every five e-mails transmitted over the Internet. The worm broke records set by previous malware, such as Sobig.F, to become the fastest-spreading virus ever. This incredible propagation speed left many networks vulnerable - despite the presence of anti-virus software - because of the lag time between when the virus outbreak began and when a virus definition became available.

As a result of recent malware threats, corporations and organizations have learned a painful but important lesson: simply deploying a signature-based solution is no longer enough. Detecting and eliminating computer viruses requires a multi-faceted, rapid-response approach that traditional anti-virus protection cannot provide. Even a single unprotected computer on an enterprise network can bring down the entire system in just minutes, rendering even the most expensive and up-to-date software useless.

Why E-Mail is Particularly Susceptible

In many organizations, e-mail has replaced the telephone as the most useful business tool available. Unfortunately, e-mail has also been a victim of its own success and presents a unique threat to the enterprise network as a whole.

Detecting and eliminating threats has traditionally been the combined responsibility of firewalls, virus scanners, and intrusion detection systems (IDS) set up by enterprises to defend against attacks. Firewalls prevent unauthorized programs from accessing the network, virus scanners scan each PC in the network for malicious code, and gateway servers lock down extraneous ports to protect against unauthorized access.

But key Internet-facing applications, including e-mail, are unguarded by firewalls. In order to function, e-mail must expose firewall ports, including port 25, the port used by SMTP (Simple Mail Transfer Protocol), and port 110, the port used by POP (Post Office Protocol).

When a firewall receives a connection on port 25, it generally assumes that the transmission is e-mail and allows it to flow through to the e-mail server. The transmission may very well be a valid e-mail; however, it could also be a virus, spam or something much worse. Firewalls are not able to distinguish between “good” mail and “bad” mail and therefore they are unable to protect the e-mail application.

Stop E-Mail Threats at the Gateway

Therefore, some sort of protection is needed specifically for e-mail and, since the best place to stop a threat is before it gets inside the network, the protection should be at the e-mail gateway. Protecting the e-mail gateway requires a coordinated effort to combat a host of issues, including spam, viruses, corporate policy infringements, directory harvest attacks, denial of service attacks, phishing, spoofing, and snooping. As e-mail threats evolve, the distinction between each of these types of threats becomes blurred.

Furthermore, accuracy in identifying “bad” e-mails is crucial. Extreme care must be taken to avoid filtering out legitimate e-mails (false positives), which could contain important information from customers or partners.

Historically, enterprises have turned to multiple vendors to solve their e-mail security issues. They have relied on anti-virus vendors to protect them from viruses. They use a separate anti-spam vendor to help cut back on the spam. Then, there are the issues of content filtering, policy enforcement, encryption, and network security. Unfortunately, attackers are now highly adept at exploiting these non-integrated solutions. This “Swiss cheese” defense has not only been costly, but increasingly ineffective at protecting corporate e-mail systems.

© 2005