
Thinking ahead of the spammers

Speaker's Corner Scott Chasin, MXLogic
Wednesday, 20 December 2006, 13:21
WHENEVER YOU THINK spam can't possibly get worse, it does.

"Our side is 100 percent reactive," says Scott Chasin, "and that's the difficult part." Chasin is Chief Technology Officer for security specialist MX Logic, and he tries but can never quite think ahead of the spammers.

Chasin's background is in computer security; he was also founder, in 1995, of usa.net, the first Web-based email provider. He has spent 11 years watching the spam battles. This last round, the spammers have clearly won. Spam volume always takes a leap upward in late autumn, but this year seems particularly bad.

"There's been a double or quadruple leap since the beginning of October industry-wide," says Chasin. This year's big innovation: "pump-and-dump image stock spam". You've seen them: inline GIFs above a lot of useless text. The real spam message is the words in the GIF, which advise you to buy some stock or other. They are exceptional inbox invaders - the junk text fools Bayesian filters, and the images, like snowflakes, are all unique, generated and supplied by template servers and deployed by botnets whose command and control have been decentralised using peer-to-peer techniques. There is no one signature to detect, and the images defeat optical character recognition.

"In some cases," says Chasin, "each letter in the spam is actually different." He calls these "ransom spam", after old-style ransom notes in which each letter was cut out of a different magazine. "They're a bunch of images put together to form a new letter."
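The two evasion tricks Chasin describes, filler text that keeps word-based Bayesian filters quiet and per-copy image variation that defeats exact-match signatures, can be shown side by side with a defender's structural check that needs neither OCR nor a signature. The block below is an added illustration, not code from the article or from MX Logic; the word probabilities, the two sample messages, the fake GIF bytes and the thresholds are all constructed.

```python
"""Why 2006-era image spam slipped past word-based Bayesian filters and
hash signatures, and one structural check that still catches it.
Added illustration only: not code from the article or from MX Logic.
Word probabilities, messages and thresholds are all constructed."""
import hashlib
import math
import re

# Constructed per-word P(spam | word) values standing in for a trained model.
WORD_SPAM_PROB = {
    "stock": 0.95, "buy": 0.90, "alert": 0.85, "profit": 0.92, "shares": 0.88,
    "meeting": 0.10, "weather": 0.05, "garden": 0.05, "novel": 0.08, "river": 0.05,
}
UNKNOWN_WORD_PROB = 0.4   # Graham-style neutral-to-hammy prior for unseen words


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


def bayes_score(text):
    """Naive-Bayes combination of per-word probabilities, in log space.
    Returns P(spam) in [0, 1]; 0.5 when there is no text to judge."""
    tokens = tokenize(text)
    if not tokens:
        return 0.5
    log_spam = sum(math.log(WORD_SPAM_PROB.get(t, UNKNOWN_WORD_PROB)) for t in tokens)
    log_ham = sum(math.log(1 - WORD_SPAM_PROB.get(t, UNKNOWN_WORD_PROB)) for t in tokens)
    diff = log_ham - log_spam
    if diff > 700:           # avoid overflow on very long, very hammy text
        return 0.0
    return 1 / (1 + math.exp(diff))


def image_signature(image_bytes):
    """Exact-match signature of the kind used by simple attachment blocklists."""
    return hashlib.sha256(image_bytes).hexdigest()


def structural_flags(msg, min_words=40, max_unknown_frac=0.5):
    """Cheap checks on message shape that need neither OCR nor a signature."""
    flags = []
    words = tokenize(msg["text"])
    # An inline image carrying the pitch, wrapped in almost no real text.
    if msg["images"] and len(words) < min_words:
        flags.append("inline-image-with-little-text")
    # Filler made of words the model has never seen reads as random padding.
    if words:
        unknown = sum(1 for w in words if w not in WORD_SPAM_PROB) / len(words)
        if unknown > max_unknown_frac:
            flags.append("mostly-unknown-vocabulary")
    return flags


def classify(msg, known_bad_signatures):
    """Three views of the same message, so the gaps in each are visible."""
    return {
        "bayes": bayes_score(msg["text"]),
        "signature_hit": any(image_signature(i) in known_bad_signatures
                             for i in msg["images"]),
        "flags": structural_flags(msg),
    }


# Constructed sample messages (fake GIF payloads, not real spam).
TEXT_PITCH = {"text": "stock alert buy shares now profit profit", "images": []}
ORIGINAL_GIF = b"GIF89a" + b"<pixels spelling out: BUY TICKER XYZ>"
IMAGE_SPAM = {
    # Filler prose carries no spammy words; the pitch lives in the image.
    "text": "quixotic marzipan lantern pebble weather garden",
    "images": [ORIGINAL_GIF + b"\x01"],   # template server varies every copy
}
KNOWN_BAD = {image_signature(ORIGINAL_GIF)}  # signature of one earlier sample

if __name__ == "__main__":
    for name, msg in (("text pitch", TEXT_PITCH), ("image spam", IMAGE_SPAM)):
        print(name, classify(msg, KNOWN_BAD))
```

Run stand-alone, the plain text pitch scores close to 1.0 on the Bayesian side, while the image-spam copy scores near zero, misses the signature blocklist because one byte differs from the sample that was listed, and is caught only by the two structural flags. The point for a defender is that no single layer carries the load; the shape checks here are deliberately coarse, and in production they would feed a weighted score rather than a verdict on their own.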

Some 80 percent of spam originates from botnets - megagangs of virus-infected PCs controlled remotely. "This is probably the biggest threat to the Internet since it was created and commercialised. I say this because the botnets have multipurpose payloads. They're polymorphic. We're seeing queen bots, where they can essentially infect a PC and then monitor the anti-virus signature engines and time their propagation." These viruses send spam, and also scour infected PCs for passwords, email addresses, and financial data. Chasin says some even download anti-virus software to ensure no competing viruses are present.

In fact, says Chasin, the challenge now for the spammers is "They have so much data (passwords, user names, PINs) that they have a real datamining issue." Spam has become better funded and, he says, the tool of organised crime. "We're starting to see this underground criminal culture where the organised criminal units can send out a young teen to surf eBay and commit fraud using someone's username and password keylogged from a bot to purchase goods and services and remail them back to, for example, Europe, where they can be sold on the black market. There is a lot of motivation for these guys. They're coming off the street and onto the Internet."

Chasin's predictions for the future aren't a lot cheerier. VoIP's ability to spoof caller ID enables "vishing" for passwords and PINs that appears to come from your bank's phone number. "Once VoIP is mainstream, there'll be attacks around call hijacking, voice spam insertion, redirection to spam voicemail systems, and a lot of hijacking of 'click to call' functionality. In addition, other common protocols, such as DNS (PPT), will be hijacked to defraud customers."

Chasin calls today's filtering "a band-aid, not a cure." Providers keep spending on bigger pipes; the economics are forcing them to work harder to stop spam from exiting their networks: managing (or blocking) port 25, or putting customers in "walled gardens" until their infected computers are cleaned. Increasing cooperation among security vendors is also important; until recently there wasn't even a common naming structure for viruses, Trojans, and bots.

So: is email irretrievably broken? "Technology can only give so much," he says. "There's an opportunity in future - something like Biomark, proves I'm a human and a button in email clients, 'show me all from humans'." But, he adds, "Email has a legacy, and that openness is going to be difficult to close down." For now, the best option is public and private inboxes, better filtering, and more reliance on known senders.

Pelicancrossing.net
