1. Field of the Invention
The present invention generally relates to threat protection. More specifically, the present invention relates to reputation-based threat protection.
2. Description of the Related Art
Inbound spam volume continues to increase significantly, with no signs of abating. For example, in 2005, an average of 30 billion spam e-mail messages were sent daily. By 2007, that average had quadrupled to 120 billion daily spam messages. Assuming the effectiveness of a company's spam filter had remained the same that equates to a four-fold increase in spam reaching inboxes over a two-year period.
The incentive driving this global spam industry is profit. Despite the catastrophic impact on business productivity and network performance, and an increase in high-profile prosecutions of spammers, spam still works. Most spammers are salespeople who use unsolicited e-mail as an avenue to sell their products or services. Sending e-mail is inexpensive, and despite the general annoyance of spam messaging, some people do respond to spam advertisements. It this takes only a few responses for a spam ad to become profitable for the spammer. In one reported case, a spammer received only a 0.00036% response rate, but was still able to maintain a six-figure income by delivering tens of millions of e-mails a day. In another case, a one-month spam campaign for an herbal supplement took in over half a million dollars in sales. As such, the idea behind spam is to reach as many people as possible to increase the odds of finding even a few respondents. Spamming likewise works in the context of “pump and dump” stock schemes wherein spammers buy stock, generate spam-bot mailing drives to pump up share volumes (and the corresponding price of the stock), and then dump the stock at a profit.
Coordinated industry efforts to stem this ever-growing tide of spam have seen relatively fleeting victories. In 2008, for instance, industry pressure led to the upstream disconnection of the Internet Service Provider (ISP) McColo, causing an instant worldwide drop in spam by as much as 75%. Spam operations merely relocated to other ISPs, however, and spam volumes quickly recovered to their earlier levels. Spammers are constantly working to improve their effectiveness at getting past spam filters. Spam is constantly getting more sophisticated because spammers are typically technically savvy and early adopters of innovative technology.
Examples of innovative technologies include the use botnets, which is a collection of compromised computer systems that are under a common control structure. The compromised systems, called “zombies,” can be directed to send out spam, phishing messages, viruses, and other malware. A computer can become a zombie through downloading a virus or Trojan in the form of executable attachments to e-mails and downloads on Web. A spam attack of millions of spam messages can be sent using a botnet. Each zombie may only send out 1,000 messages for a given attack, but with 10,000 zombies in a botnet, that is 10 million messages.
E-mails sent from zombie machines can appear to originate from the victim's computer and will steal computer resources to send the e-mails, which are often sent out en masse. These zombie machines can not only slow down network effectiveness, but also damage a company's reputation and require costly resources to purge the malicious code. Infected companies, too, face being blacklisted by their ISPs and subsequently are unable to send e-mail. There are an estimated 70 Million to 150 Million zombies active around the world. As many as 25% of computers on the Internet are estimated to be infected with botnets or zombies.
Moreover, when a zombie sends out a spam e-mail, it does so from an assigned Internet address: the sender IP address. Many spam filters rely on the reputation associated with a legitimate sender IP to block spam. To lessen the effectiveness of systems which rely on sender IP reputation, spammers may “borrow” IP addresses with good, or at least neutral, reputation. By limiting the number of spam messages a zombie sends, the spammer may be able to keep the IP address from getting a “bad” reputation.
Spammers may also buy access to a hacked e-mail server. The spammer may then quickly generate a high number of spam messages using the reputation of the company whose server has been hacked. As with the zombie situation, a system on a particular company network may be potentially compromising its sender IP reputation.
E-mail authentication tests the domain an e-mail says it is “from” to determine if the message is really from the IP address of the sending e-mail server. To work, it requires an organization to publish an SPF record, which tells e-mail receivers that a given IP address is allowed to send e-mail for a given domain. Strict set-up of an SPF record, however, means that third party services (e.g., an e-mail marketing company) typically cannot send e-mail on a company's behalf. As a consequence, many companies set up authentication, but leave open the option for other IP addresses to send e-mail (e.g., a third party marketing company). Opening other IP addresses also opens the door for spammers. Moreover, spammers can register domain names and set them up to authenticate properly and then send e-mail from them.
Another spamming technique involves the use of “word salad,” which is when spammers add what appears to be random words to an e-mail message. The extra words to the e-mail are added to be read and evaluated by the recipients' spam filter. Generally, the extra words are considered “good” words (i.e., not typically found in a spam e-mail) according to most spam filters. As such, when the message is evaluated, there are now more “good” words than “bad” words (e.g., “enhance” and “love life”). If there are more good words than bad words, the spam filter may decide the message is good. Similarly, some e-mail spam messages contain more than extra words; they have entire sentences and paragraphs added to the message. The idea is to add in “good” words and phrases to the evaluation and the use of complete sentences attempts to make it harder to exclude these “good” words from the evaluation of the message content.
Generally, spam filters read e-mail looking for words and phrases it considers “bad” (i.e., indicative of spam) and if there is enough “bad” content, a message can be considered spam. A spammer may try to disguise the bad words and phrases from the filter but still make them readable to the recipient, on the hope that the recipient will want what the spammer is selling. The spammer therefore changes the size of fonts, making extraneous letters “disappear” (e.g., too small to be legible to the human eye) so that the recipient can easily read the message, while the spam filter sees only a line of gibberish.
Another strategy used by spammer is to use misspelled words in the hopes that the spam filter will not be able to understand the words. Many legitimate e-mails, however, may not necessarily use formal or correct spelling. Many people use slang, jargon, acronyms, abbreviations, and even IM and text messaging terms.
Optical illusions are also common using tricks to disguise “bad” words. In this case, the spammer uses symbols, special characters, and even alternate character sets to create the different variations. Using this method, it is estimated that there are over 600 quadrillion ways to spell “Viagra.” Writing separate rules for each variation would be an extremely difficult and time-consuming task. Alternatively, a spammer may use spam images rather than text. Even where spam filters can recognize an image as being indicative of spam, the image may be altered so that it may look the same to a reader, but are not actually the same image. Small changes make the images different.
More recently, spammers have focused their attention on IP address reputation systems. As these types of systems have grown in popularity, spammers and hackers have increasingly focused their attacks on compromising legitimate mail severs at companies with good reputations, and cracking Web mail accounts at ISPs, such as Yahoo or Gmail. This allows spammers to avoid traditional IP reputation systems by sending bad mail from the servers of good businesses that have been compromised. Such tricks may cause spam to look and sound legitimate so the spam can get past the spam filter and into the recipient inbox. Because the sender is an actual person whose friends have likely whitelisted that sender e-mail account, spam sent using that e-mail account is likely to get past a spam filter. In a related trick, spammers may use the latest headlines as the e-mail subject. The headlines may not only add legitimacy to the e-mail, but also often raises the recipient's interest in opening the e-mail.
Phishing scams pose another significant threat. Distinct from other spam, phishing e-mails are specifically created to imitate legitimate e-mails, often copying actual corporate communication. Such phishing e-mails appear to be from a bank or other trusted source. The intent is to obtain account information related to financial accounts or other identity information. Billions of phishing e-mails are sent out every month, and these can lead to identity theft, security breaches, and financial loss and liability. Leveraging social engineering techniques to evade corporate security systems, criminals gain network access and steal confidential corporate data and financial assets. With the unwitting cooperation of an employee, network defenses such as firewalls, Intrusion Detection and Prevention systems and secure identification cards can become ineffective. Because phishing e-mails are designed to look like legitimate business correspondence, they consistently elude standard spam filters, and e-mail policies alone are an insufficient defense. Phishing defense requires specific analysis, identification and handling.
Some attacks rely on misrepresenting the content of the message. In some instances, spammers may attach real PDF or similar files to a message that contains the spam message. The actual e-mail body may say little, except perhaps something innocuous: “Joe, check this out” or “Q3 revenue forecast.” Similarly, backscatter or NDR (non-deliverable-return) spam are messages that look like returned e-mails that could not be delivered to their intended sender. Spammers spoof such messages, attempting to bypass the e-mail security system.
Directory Harvest Attacks (DHAs) are exhaustive “brute force” attacks. DHAs bombard mail servers with e-mails sent to variations of possible e-mail addresses to check which ones bounce and which are legitimate. The extensive volume of a DHA strains e-mail infrastructures. In addition, DHAs acquire information on e-mail addresses for the company to be used later in follow-up, targeted spam, virus and phishing attacks. Similarly, Denial of Service (DoS) attacks are malicious attempts to bring down e-mail infrastructures. By sending an enormous volume of e-mail traffic into an organization at a coordinated time, attackers attempt to overwhelm the network and e-mail infrastructure, bringing e-mail to a complete stop.
Spammers will continually attempt to plague e-mail inboxes until it is no longer profitable for the spammer or there is a hack-proof prevention method that everyone uses. There is no singular technology that can stop all spam, and history has shown that when a given technology begins to work well, spammers attack it with a vengeance. Meanwhile, IT departments are left with having to allocate more resources to clean out swamped mailboxes, maintain key business communications and undo the damage done by newly emerging e-mail-borne threats.
Outbound threats are also becoming a top priority for IT administrators and CEOs, based upon fears of regulatory non-compliance and the leakage of sensitive intellectual property or confidential information. All organizations are faced with the challenge of meeting e-mail compliance requirements, whether regulatory compliance from government legislation, such as HIPAA, GLBA, or SOX; industry standards; or corporate compliance, such as preventing offensive e-mails or protecting intellectual property. Data leaks are not limited to malicious acts; most confidential data leaks are likely due to employee carelessness. With these various compliance requirements, encryption and archiving options alone are not enough. Organizations must have robust policy management and enforcement options to meet the range of compliance needs.
One recently adopted industry approach to anti-spam is Sender Identification (Sender ID). This technique authenticates the IP address of an external e-mail server that is making an inbound connection to the network to see if it matches the domain name of the e-mail sender. This assumes the sender has published a Sender Policy Framework (SPF) record and that the record is correctly set-up. There are two primary issues with this technique. First, spammers can create valid SPF records. Second, most companies do not like the restrictions Sender ID places their ability to have e-mail sent on their behalf. For example, using a third-party vendor to send e-mail messages to customers could cause an SPF failure.
Another inbound technique often attacked by spammers is Bayesian content analysis, which infers the probability of an e-mail being spam based upon combinations of specific individual words. Bayesian analysis can be a very powerful, but in practice, there is no universal definition for spam content, as each person has a different degree of tolerance and curiosity. Some companies try to train a Bayesian filter based on an organization's e-mail. This opens the door to Bayesian poisoning attack by spammers who place “good” content in spam messages in an attempt to skew the Bayesian scoring system. So while Bayesian content analysis is an excellent technique, by itself, it may not be able to meet the challenge of defending against today's pervasive spammers.
It is just as important to monitor and control outbound e-mail as inbound e-mail. Unfortunately, many small and midsize businesses choose to forego deploying outbound e-mail protection. This carries with it the highest risk of compromise of private or proprietary information. To lower that risk, many organizations have established and communicated written e-mail usage policies. While these written policies are a step in the right direction, best practice is to automatically analyze and enforce outbound e-mail polices in order to ensure compliance with internal and external regulations.
Over the years, spam has evolved from an annoyance to a serious threat to productivity and security. Inbound and outbound e-mail threats continue to proliferate at exponential rates. Simultaneously, e-mail-borne threats are also becoming more advanced. Increasingly, these more advanced threats blend spam, phishing, spyware, viruses, Trojans and other malware, into sophisticated blended attacks. As spam has evolved, traditional anti-spam systems have correspondingly evolved into more powerful and comprehensive e-mail security solutions.
The nature of spam is changing, incorporating a wide spectrum of e-mail-borne attacks that can stifle productivity, infect corporate networks and undermine corporate reputation and regularity compliance. In response, the nature of anti-spam defense is changing as well. Presently available single-point (single-technology) analytic solutions may not be sufficient to counter the constantly morphing forms of spam. Even multiple techniques, if they are not updated regularly, are not enough to keep spam at bay for long. Moreover, rigid scoring often ends up blocking e-mail that users actually want to receive. E-mail security solutions now require a sophisticated blend of technologies focused on both inbound and outbound protection.
There is, therefore, a need for improved systems and methods for threat protection from spam.