Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week John Cheney, chief executive officer of email security company BlackSpider Technologies, outlines some of the increasingly sophisticated techniques that spammers use to fool spam filters.
Are you in the market for Viagra? Or an enlargement? Getting spam through email filters has become an art in word distortion, hidden codes and tagging. Over 60 per cent of all our email is spam and, with the cost of sending it as little as a few pounds for tens of millions of email addresses, the returns for spammers are potentially high.
The simplest and most enduring method of fooling filters is to use 'digit words' or word obfuscation, such as numbers or symbols replacing letters in the middle of the word, designed to fool lexical analysis tools that scan the word content of an email.
As the most common digit words (such as Vi@gra) are now recognised by most lexical filters, foreign characters and accented letters are starting to appear in their place. These are nevertheless the easiest emails for filters to spot, so those that get through tend to be so distorted that they are almost unreadable.
More mature, but still quite common, techniques include HTML obfuscation: placing HTML tags, which are invisible to the reader, in the middle of words. For example, if a spam filter is set up to recognise the word 'enlargement', or other digit words like it, a spammer might try to fool this by replacing 'enlargement' with 'enlar*obfu*gement'.
Once the email appears on the recipient's screen, the *obfu* becomes invisible, so the reader will simply see the word 'enlargement'.
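The filter-side counter to digit words, accented letters and in-word HTML tags is to normalise the message to what the reader actually sees before any lexical matching. The sketch below is an added example, not code from the article or from BlackSpider; the substitution table, the watch list, the sample message and the `<obfu>` tag spelling of the article's 'obfu' marker are all constructed assumptions.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Constructed substitution table for common "digit word" swaps (assumption).
LEET = str.maketrans({"@": "a", "4": "a", "1": "i", "!": "i", "0": "o",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
# Constructed watch list; a real filter would load its own lexicon.
WATCHLIST = {"viagra", "enlargement"}
# Constructed sample body combining the three tricks described above.
SAMPLE = "<p>Cheap V1@gr\u00e1! Try our enlar<obfu>gement offers</p>"


class _TextOnly(HTMLParser):
    """Keep only rendered text. Tags are dropped without adding
    whitespace, so a word split by a tag is rejoined."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(html_body: str) -> str:
    parser = _TextOnly()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.parts)


def fold(word: str) -> str:
    # NFKD splits an accented letter into base letter + combining mark;
    # dropping the marks maps accented look-alikes back to ASCII.
    decomposed = unicodedata.normalize("NFKD", word)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.lower().translate(LEET)


def flagged_terms(html_body: str) -> set:
    hits = set()
    for tok in re.findall(r"\S+", visible_text(html_body)):
        # Strip sentence punctuation first so a trailing '!' is not
        # mistaken for an 'i' substitution.
        folded = re.sub(r"[^a-z]", "", fold(tok.strip(".,;:!?\"'()")))
        if folded in WATCHLIST:
            hits.add(folded)
    return hits
```

A token whose folded form differs from its raw form is itself a useful signal, since legitimate mail rarely needs a symbol or a tag in the middle of a word.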
One technique that has grown in popularity over recent months is 'hash busting' - including text in emails that is not relevant to the email itself.
Hash busting is designed to confuse Bayesian filters, which use statistical probability analysis to identify spam trends. Random groups of words, or freely available text such as chapters from Kipling's Alice in Wonderland are added to the bottom of emails so that Bayesian filters struggle to identify spam patterns. In some cases, this text is invisible - written in tiny one point size, for example.
Varying servers and domain names to host spam image content is also becoming much more commonplace. The website URLs contained in spam emails are relocated every couple of days to a new server which has a number of different domain names directed at it.
This gets round filters that blacklist URLs known to be used by spammers to host content, and it works if the blacklists are not constantly updated.
Similarly, today's spammers are starting to use automatic redirects, so that if you click on a URL link you may find that you are redirected several times before finally reaching the destination website.
Techniques change all the time, since the key to fooling filters is to change behaviour constantly. As soon as a pattern is established, it can be tracked and blocked - but it requires nimble filtering to keep up with new trends.
Next, the spammer has to persuade you to open the email. This is mostly done by appealing to natural curiosity, greed or insecurity: maybe, just maybe, this really is the once-in-a-lifetime chance of winning £10 million, or shedding those extra few pounds of weight, or overcoming impotence.
Some persuasion techniques are more sinister. A recent scam involved 19,000 emails a day sent to innocent internet users, threatening to inform police that their computer had child pornography on it, installed by the spammer, unless a payment of around £50 was made.
Most email users fail to realise how common the use of web bugs is to confirm a recipient's email address, sometimes before the mail is opened; displaying an email in the preview pane is enough to send a message back to the spammer. Of course, once you're on a spammer's list, the emails won't stop coming.
There's no such thing as a silver bullet for spam. No filtering technique used in isolation will prove effective in the long run. But what you can do is use a combination of all the detection technology available, updated continually to protect against evolving spam techniques.

