Everybodys seen it by now. Spam is up like gangbusters in the last few months. And not just in volume; a lot more of it is getting through filtering mechanisms that had previously been pretty reliable. Its an aggravating and depressing situation.
A number of factors have contributed to the situation, and what they all have in common, unfortunately, is that spammers are getting much more sophisticated.
Botnets have gotten so sophisticated that theyre almost impossible to shut down. This surge of spam is, perhaps, a show of strength, as well as the botmasters exercising the fruits of their efforts developing an underground network.
How big is the surge? Postini, the largest hosted secure e-mail provider out there, handling over 1 billion messages a day, ought to know, and know in real time. The company says spam volume is up 120 percent over the last year, but 59 percent in the last two months. Thats in line with numbers Ive heard bandied about elsewhere, and its a huge rate of increase.
Another factor is what security vendor Borderware calls “anti-anti-spam spam,” meaning spam that attempts to defeat anti-spam measures. Spammers have learned all sorts of tricks.
For instance, if a recipient rejects the message, they are attempting to resend the message like a real mail server will. Spammers historically have had naive mail transfer programs that send a message and then move on, ignoring any errors.
Many anti-spam systems rely on this characteristic to employ a technique called graylisting. They reject the message once from any sender they do not recognize and accept it on resubmission, whitelisting the sender at the same time. This all assumes that a spammer wont retransmit. Graylisting seems headed for the ash heap of anti-spam history.
But the most interesting factor, also from the “anti-anti-spam spam” department, is advances in image spam. Weve seen image spam for years, but its gotten much fancier. Incidentally, Borderware is expected to announce new technology next week related to fighting image spam.
You cant just block images in e-mail. (Well, technically you can, but people wouldnt stand for it.) So you have to figure out, somehow, which are the bad guys. There have been two basic methods employed: fingerprinting and OCR.
With fingerprinting you try to identify a specific graphic through some set of characteristics, perhaps as simple as a CRC of its contents, perhaps some more complicated pattern recognition. You can determine, even offline by human examination, if the graphic is spam, and then when another graphic with the same fingerprint shows up you block it.
The counter to this technique is actually pretty obvious: By modifying relatively few pixels in the graphic, say by changing the color slightly in every 10th pixel, you distort the fingerprint. Now introduce some randomization into that, by randomizing the pattern of changed pixels and the color shift, and fingerprinting becomes far more difficult. There are vendors working on solutions though, as well hear in the near future.
OCR works by attempting to “read” the characters out of the graphics. Its an old idea; a friend of mine got an OCR patent back in the mid-80s thats already expired. OCR works pretty well under stable, simple circumstances, like black block characters on white paper, but its not hard to make life difficult for an OCR algorithm.
Random dark clumps of pixels on the image create the analog of dirt on the paper. Or how about “speckling,” in which patterns and color changes are inserted into the character drawing in the graphic?
Its not unlike a “captcha,” one of those Turing tests you have to pass in order to sign up for a Yahoo Mail account or similar things. They take a dirty graphic and draw characters on it, often wavy and distorted characters. You can read them, but they are hard for a program to read.
But wait, it gets worse. Spammers are taking advantage of GIF file features to make things even harder for anti-spam tools. The first technique is to use an animated GIF and to put the spam message on a second or subsequent and last image. Theres a good chance that anti-spam software will only examine the first image. There are also layered GIFs that allow you to place different characters of a message in layers and appear to the user to be a single flat image. But software that examines the image will not easily see the picture the user sees.
Its interesting that this latest flare-up in the spam war is costing both spammers and anti-spammers dearly. Its probably less of an issue for spammers because their costs are largely fixed and they offload much of the bandwidth and processing costs on to unsuspecting infected bot users. But anti-spammers are incurring much greater costs in processing and bandwidth.
Ive always been a fan of outsourced services like Postini for mail security, and its times like this that they really save your butt. Are your network and your mail security infrastructure ready for a 60 percent increase in spam? I suspect a lot of companies with underpowered appliances are losing mail from overloaded hardware these days. But Postini can handle it, and to the extent that it is effective in blocking the spam, you dont even see the increase in bandwidth, let alone the spam.
Of course, Postini is not perfect in blocking spam; nobody is, which means that it has to be going up for everyone. If your anti-spam system blocks 97 percent of spam and you get 1,000 spam messages a day, a 60 percent increase means 18 more spam messages getting through than before.
Some time ago I asked in a column, rhetorically, whether people would put up with spam as it approached 100 percent of the corpus of e-mail. According to Postini were at 91 percent and rising, and I have to ask again: How bad does it have to get? The truth is that it can get a lot worse than it is now before enough people contemplate really serious measures.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer