The Spam Scramble
A Trend Micro White Paper
Ever-Growing Spam Volumes Demand a New Approach to Email Security
August 2010
Learn about new antispam best practices and the hybrid solution with the power of two
THE SPAM SCRAMBLE
EVER-GROWING SPAM VOLUMES DEMAND A NEW APPROACH TO EMAIL SECURITY
I. INTRODUCTION
Spam continues to plague enterprises. Rising volumes and more targeted phishing attacks threaten enterprise security, especially at organizations with antiquated antispam and anti-malware solutions. The changing nature of spam and Internet-borne malware, coupled with the increasing volumes, has created an urgent need for a new set of best practices and next-generation security solutions that go beyond the scope of traditional email security.
The rise in spam volume is costly not only in network resources such as bandwidth, CPU processing, and IT help desk time; the drain on end-user productivity in organizations is also staggering. In fact, Ferris Research estimated that in 2009, spam cost enterprises $110 billion in reduced productivity worldwide.
In addition to the growing volume and nuisance of unwanted mail, spam has become more dangerous.
Enterprises are becoming targets of spear phishing and other targeted attacks. Plus the majority of spam
email now contains links to malicious websites where malware is waiting to infect unsuspecting users. And
since email with bad links doesn't necessarily contain the malicious code itself, these threats can slip past
conventional signature-based email security.
According to TrendLabs, in 2010, 90-97% of all email traffic directed towards enterprises is spam. In addition, Trend Micro has seen the volume of spam more than double in the past year—with about 200 billion spam emails sent per day.
SPAMMERS—WHO ARE THEY AND WHY DO THEY PERSIST?
The senders of the spam are often part of a criminal gang that uses email to lure victims and ultimately steal enterprise or customer data—credit cards, bank account numbers, or confidential information they can either use themselves or sell on the black market for illegal profit. These gangs treat cybercrime as a serious and lucrative business venture and work diligently to expand their criminal networks—with little risk of capture.
Organizations such as the Russian Mafia, the Chinese Triads and other criminal organizations have quickly adapted to the "digital underground," where it's very difficult to trace the true sources of spam messages. Messages can be sent from nearly anywhere in the world with no physical presence required.
In addition, spam is actually not illegal in all countries. In some regions, spam is viewed as a legal form of advertisement. This presents a significant problem for law enforcement agencies—since emails cross multiple borders, each with different enforcement agencies and incongruent policies on cybercrime, making prosecution nearly impossible.
Often these criminal organizations use stolen credit card credentials to pay for web hosting. For example, they will pay for a month of web hosting with stolen credit card numbers or take out a free trial, using stolen credit card numbers as deposit. These websites are used as fraudulent storefronts, and of course victims are lured to these sites by deceptive
A sample of spam industry "goods for sale" by Russian Underground (source: TrendLabs, 2010):
Post 1: 1 million custom emails of your choice for $100
Post 2: $20 per day to rent spam
Post 3: 1000 valid emails for $7. Has $50K validated Yahoo emails available.
Post 4: $50 per day, 100 emails per
Post 5: Bundle of 100 bots, total of 1012 mails/min. Max of 8k bots for hire. $650 dollars to rent for a week, customer can try for free.
1 White Paper The Spam Scramble
Industry estimates on the global revenue from organized cybercrime vary, with criminal organizations
earning millions of dollars annually. Legitimate enterprises that become victims of cybercrime pay the
highest price. Ponemon Institute, "… found that the median annualized cost of cybercrime of the 45
organizations in our study is $3.8 million per year, but can range from $1 million to $52 million per year per
SPAMMING TECHNIQUES
Spammers today utilize a myriad of methods to propagate their spam messages in an effort to generate
- Botnets: networks of "zombie" malware-infected PCs send email on behalf of the spammer, without the knowledge of their legitimate owners. Botnets are controlled by a botmaster, who sells a spamming service to those who wish to send spam.
- Free email services: public Webmail (for example, Yahoo! Mail) is misused to send spam.
- Open proxies: compromised or misconfigured servers can be used to redirect spam. Known in spammer slang as "peas," open proxies are also sold as a service to spammers in a similar way as botnets.
- Stolen netblocks: Spammers set up in business as an ISP, typically by taking over portions of Internet address space
Mega-D is the name of one of the most widespread spam botnets today, though not as prolific as it once was. A single Mega-D spam bot was able to generate around 2,553,940 spam messages in a span of 24 hours, an average of 1,764 spam messages per minute.
MORE ABOUT THE BOTNET THREAT
Spammers are increasingly using "bots", or host computers, which have been compromised through
malware to send spam without the knowledge of their owners.
Often these spam bots will be part of a larger "botnet," which may consist of many millions of compromised
machines controlled by a "bot herder".
TrendLabs has noticed large outbreaks of spam originating from botnets within legitimate MTAs of major Internet Service Providers. A compromised machine within an Internet Service Provider (ISP) can send spam directly, or the bot can initiate a session with the ISP's legitimate mail server. Trend Micro continues to work with ISPs to trace and clean the offending IP addresses from their networks.
Figure 1 shows the size of a particular botnet between March 2010 and the end of July 2010. As shown, the botnet's size has fluctuated over time; it currently comprises around 150,000 bots. This is not a huge botnet, but it still generates millions of dollars in annual revenue.
Often the services of the botnet are rented out to third parties for illegal activities such as performing a Distributed Denial of Service (DDoS) attack, where the target system is flooded with data in order to slow it down or stop it from responding entirely. DDoS services are for sale for about $70 per day, a small price to cripple a
INCREASED SPAM = RISING COST OF SECURITY
The increased volume of bot-generated spam has required enterprises to provide additional resources to process mail, additional bandwidth to receive the emails, additional storage at their final destination, and to investigate new strategies for removing the bad mail from their valid business mail.
While antispam technologies are continually improved to tackle the problem, the spammers understand that they too need to evolve their spam. Most commercial spam filters are updated frequently to allow them to detect the latest spam methods, and therefore do a good job detecting spam on a daily basis. In general, an up-to-date antispam engine will typically catch most spam, but its effectiveness will drop in a matter of hours or days if not
Best practice tip: Set antispam and antivirus filtering policies for outbound email in addition to inbound email. This way, a spam-generating computer will be quickly identified within your corporate network.
While email administrators strive to preserve the usefulness of their email systems by reducing spam, at the
same time, they also need to ensure that legitimate email continues to flow and does not get blocked
mistakenly as spam. These "false positives" are possibly more critical to the continuity of a business than
allowing a small amount of spam to pass through. More importantly, antispam vendors need to keep refining
their detection techniques to take into account the latest spam threats. At the same time, security vendors
need to continually work to minimize false detections to ensure that the spam/not spam balance remains
acceptable to the user.
SPAM CONTROL - SECURITY FEATURES AND BEST PRACTICES
Now that we've discussed the challenges of today's threat landscape, let's take a closer look at the
technologies used by modern antispam solutions.
EMAIL AND WEB REPUTATION SERVICES
Central to the fight against the high volume of spam are reputation services. An email reputation service analyzes the history of an email server in order to assign a reputation rating. Typically email reputation is available as a centralized cloud service, queried on demand, allowing an email administrator to create policies to block or delay messages based on the reputation rating of the sender—usually a known or suspected spammer. Email reputation services can save a considerable amount of resources by rejecting up to 85 percent of all incoming email.
Best practice tip: Enterprises should use a high-quality email reputation service as a first line of defense. This will reduce the number of email servers required to further process the remaining email traffic.
In addition, advanced antispam engines will employ web reputation by extracting embedded URLs in emails and comparing them to an in-the-cloud list of known websites that have a poor reputation, as they are known to harbor malware or be used by known spammers. This approach is especially effective against phishing mails where the URL in the message will take the user to an infected site, in some cases a clone of a valid site, with the intent to steal the victim's login or financial details.
Best practice tip: Web reputation is a very powerful tool within an antispam engine, providing excellent defenses against both phishing emails and links to malware-infected sites. When choosing an antispam technology this should be one of the key criteria.
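A minimal version of the two checks just described, as an added example that is not Trend Micro's code: sender-IP reputation is consulted first, then web reputation on the URLs extracted from the message body. The reputation tables, host names and sample messages are constructed for the example; a real gateway would query the cloud reputation service on demand instead of these dictionaries.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed reputation data for this example. A real gateway queries a cloud
# reputation service on demand; these tables stand in for its answers.
SENDER_REPUTATION = {
    "203.0.113.7": "known_spammer",   # TEST-NET-3 address, constructed
    "198.51.100.20": "suspected",     # TEST-NET-2 address, constructed
}
BAD_URL_HOSTS = {"malware-example.invalid", "bank-login-clone.invalid"}

URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""", re.IGNORECASE)


def extract_hosts(raw: bytes) -> set:
    """Pull every http(s) URL out of the text parts of a message and return the
    normalized host names (lower-case, port stripped, no trailing dot)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.rstrip(".").lower())
    return hosts


def host_has_poor_reputation(host: str) -> bool:
    """Check the host and each parent domain, so www.bad.invalid is caught when
    bad.invalid is the listed name (the top-level label alone is never checked)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BAD_URL_HOSTS for i in range(len(labels) - 1))


def gateway_decision(sender_ip: str, raw: bytes):
    """Email reputation first (cheapest, decided per connection), then web
    reputation on the links inside the message. Returns (action, reason)."""
    verdict = SENDER_REPUTATION.get(sender_ip)
    if verdict == "known_spammer":
        return "reject", f"sender {sender_ip} is a known spammer"
    if verdict == "suspected":
        return "delay", f"sender {sender_ip} is a suspected spammer; throttle delivery"
    bad = sorted(h for h in extract_hosts(raw) if host_has_poor_reputation(h))
    if bad:
        return "quarantine", "links to poor-reputation site(s): " + ", ".join(bad)
    return "deliver", "no reputation hit"


def build_message(text_body: str, html_body: str = "") -> bytes:
    """Constructed sample message, not a real capture."""
    msg = EmailMessage()
    msg["From"] = "notices@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Account notice"
    msg.set_content(text_body)
    if html_body:
        msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


# Constructed samples: a phishing lure with a cloned-login link, and a clean internal mail.
PHISH = build_message("Please verify your account.",
                      '<p>Click <a href="http://www.Bank-Login-Clone.invalid:8080/verify">here</a></p>')
CLEAN = build_message("Meeting notes are at https://intranet.example.invalid/notes")
```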
VALID RECIPIENT CHECKING, RATE LIMITING, AND DIRECTORY HARVESTING
The lists of email addresses that spammers use to peddle their wares are typically compilations of addresses bought and sold on the underground market. These lists are compiled from many sources—taken from compromised systems, such as poorly protected (or unethical) ecommerce stores and web servers requiring registration, or directly from the address books of end users that have been infected with a bot.
Another method of obtaining recipient email address lists is through brute force. Leveraging the immense processing power of the botnets within their command, the spammers will simply guess at common email addresses, using large dictionaries of common forenames, surnames and address syntaxes, e.g.:
[email protected]
[email protected]
[email protected]
[email protected]
Once an organization is under attack, the corporate email server will reject messages for unknown recipients. Each of these rejections is logged as an invalid email address and the next combination is attempted. This technique is known as a directory harvest attack, as the spammer will attempt to guess every email address within the corporate address book. Once harvested, the directory information will be used to build new spam lists, or if the company is well known, resold on the black market to allow targeted attacks to be carried out against that organization.
The main defense against this kind of attack is a valid recipient list combined with intelligence about the connections into the email security software. Great care needs to be taken to ensure that by rejecting messages to unknown recipients, you don't expose the valid addresses during a directory harvest attack. This is done either by accepting and silently dropping messages to invalid recipients, or by monitoring the mail flow into each domain and then applying intelligent rate limiting.
Best practice tip: Many email content security solutions have options to automatically update the list of valid recipients by integrating with corporate LDAP. Enabling this functionality means that the list of valid recipients will be automatically updated in a timely fashion without additional steps for the administrator.
Best practice tip: If your email security solution has options to enable directory harvest protection and rate limiting, you should enable these. However, you should monitor the email flows carefully, as in some cases this may cause valid emails to be delayed. Your security vendor should be able to provide details on how to test and configure these features if necessary.
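The valid-recipient check with the two defensive options just described (silently accepting unknown recipients, or honest rejection backed by per-client rate limiting), as an added example that is not from the page or from any product. The recipient list, client addresses and harvest sequence are constructed; the replies are standard SMTP response codes. The replay of the constructed harvest shows the trade-off the tip warns about: once the harvester is throttled, its RCPT for a valid mailbox is delayed too.

```python
from collections import defaultdict, deque

# Constructed valid-recipient list. In production this is synchronized from the
# corporate LDAP directory so new and removed mailboxes are reflected automatically.
VALID_RECIPIENTS = {"alice@example.invalid", "bob@example.invalid"}


class DirectoryHarvestGuard:
    """Decides the SMTP reply for each RCPT TO, per connecting client.

    mode="silent_drop": unknown recipients are accepted (250) and the message is
        discarded after DATA, so a harvester cannot tell valid from invalid names.
    mode="rate_limit": unknown recipients get 550, but a client that exceeds
        max_invalid unknown recipients within window_s seconds is tempfailed (450)
        for penalty_s seconds, valid recipients included. That delay is why the
        mail flow must be watched after enabling this protection.
    """

    def __init__(self, valid, mode="rate_limit", max_invalid=5, window_s=60, penalty_s=300):
        self.valid = {a.lower() for a in valid}
        self.mode = mode
        self.max_invalid = max_invalid
        self.window_s = window_s
        self.penalty_s = penalty_s
        self.invalid_times = defaultdict(deque)  # client_ip -> times of unknown-recipient RCPTs
        self.penalized_until = {}                # client_ip -> time the tempfail period ends

    def rcpt(self, now: float, client_ip: str, recipient: str) -> str:
        """Return the SMTP reply for this RCPT TO command."""
        recipient = recipient.lower()
        if self.penalized_until.get(client_ip, 0) > now:
            return "450 4.7.1 Too many unknown recipients, try again later"
        if recipient in self.valid:
            return "250 2.1.5 OK"
        if self.mode == "silent_drop":
            return "250 2.1.5 OK"  # accepted, but the message is dropped after DATA
        times = self.invalid_times[client_ip]
        times.append(now)
        while times and now - times[0] > self.window_s:
            times.popleft()  # forget rejections older than the sliding window
        if len(times) > self.max_invalid:
            self.penalized_until[client_ip] = now + self.penalty_s
            times.clear()
            return "450 4.7.1 Too many unknown recipients, try again later"
        return "550 5.1.1 User unknown"


def replay(guard: DirectoryHarvestGuard, events) -> list:
    """Replay (time, client_ip, recipient) events; return the three-digit reply codes."""
    return [guard.rcpt(t, ip, r)[:3] for t, ip, r in events]


# Constructed harvest: one client walks a forename dictionary at one guess per second.
HARVEST = [(float(i), "203.0.113.9", f"{name}@example.invalid") for i, name in
           enumerate(["john", "mary", "james", "alice", "david", "sarah", "mike", "bob"])]
```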
HEURISTIC ANTI SPAM ANALYSIS
Another weapon in the battle against spam is the heuristic-based antispam engine. During heuristic analysis, the spam message is processed by a series of many hundreds or thousands of rules, dependent on the complexity of the antispam engine in use. These rules look for the occurrences of key words, patterns, and characteristics within the message that would be indicative of spam. Such rules may look for key words often used in spam, such as Viagra; the proximity of words in relation to other words, such as looking for "discount" close to "medication"; and attempts to obfuscate or hide words—instead of using "Viagra," character replacement would be used to create a word that looks similar to the human eye, such as "v1ágrá." Other common rules search for items such as whitespace or lightly colored text in between characters, such as "vabicdaefghirjka". Another key rule is the analysis of any URLs located within the message.
For each of these rules executed against the message, a score is given, with a total score provided after processing all of the rules. If the total score for the message exceeds the thresholds set, then the message is considered spam and treated accordingly. The setting of the thresholds for heuristic antispam engines is one of the most problematic areas of email security—if the heuristic engine is too "aggressive," then the spam catch rate will be very high, but so will the false positive rate. If it's too low, then there will be minimal false positives, but a high volume of undetected spam. A "one size fits all" approach to spam sensitivity rarely fits all customers due to the wildly different types of legitimate email traffic—nearly all heuristic engines require a degree of tuning to their environment to be most effective.
Best practice tip: The heuristic antispam engine should be set at the default level, and set to tag spam messages rather than delete them. The sensitivity can gradually be raised over a period of time to balance the catch rate versus the false positive rate. More advanced solutions offer the option to take different actions based on the probability of spam. For example, the email administrator could create a rule to delete messages that are highly likely to be spam, and quarantine or tag messages that are less certain.
Best practice tip: For any antispam solution to be effective, it should be granular enough to allow different policies and sensitivities to be applied to different domains or groups of domains, as they are likely to have differing requirements.
ADAPTIVE TECHNOLOGIES
Best practice tip: A gateway email security solution should leverage machine learning for phishing and spam outbreak prevention. Gateway email security should be part of a larger threat intelligence community, so that there is global threat intelligence
Another layer of protection essential to today's threat landscape is responsive and adaptive technologies, both locally and through community
Statistical analysis, machine learning, and adaptive technologies can be
used at an organization's gateway by tracking traffic patterns, hashing email
messages, pulling out information in embedded URL links, looking for content typical of spam and other
behaviors which would indicate a spam attack. These patterns and signatures can be used to stop a
targeted spam or phishing attack in its tracks—right at the targeted enterprise gateway. The pattern files
can then be shared with all enterprises through a cloud-based repository of information. And with a global
system of correlated threat data, all customers are better protected from spam outbreaks compared to an
email security appliance sitting alone at the network edge. In particular, enterprises benefit from much-needed zero-day protection against emerging threats.
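The heuristic scoring described in the previous section (key words, word proximity, obfuscated and gapped spellings, URL presence, tiered actions by score) together with the message-hashing outbreak rule mentioned above, as an added example written for this page rather than taken from any antispam product. The rules, weights, thresholds and sample messages are constructed; a production engine carries hundreds of rules and tunes the weights per environment, which is why the gapped-spelling rule is weighted to tag rather than delete.

```python
import hashlib
import re
import unicodedata
from collections import Counter

# Substitutions spammers use to hide key words from naive matchers.
LEET = str.maketrans({"1": "i", "!": "i", "0": "o", "3": "e", "@": "a", "$": "s", "4": "a"})
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Up to two filler characters between letters: the shape "vabicdaefghirjka" takes
# once hidden (white or tiny) text is rendered together with the visible letters.
GAPPED_DRUG = re.compile(r"(?<![a-z])" + r".{0,2}".join("viagra") + r"(?![a-z])")


def normalize(text: str) -> str:
    """Fold accents and digit/symbol substitutions so "v1ágrá" reads as "viagra"."""
    folded = unicodedata.normalize("NFKD", text)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.lower().translate(LEET)


def near(n: str, a: str, b: str, window: int = 5) -> bool:
    """True when word a occurs within `window` words of word b."""
    words = re.findall(r"[a-z]+", n)
    pos_a = [i for i, w in enumerate(words) if w == a]
    pos_b = [i for i, w in enumerate(words) if w == b]
    return any(abs(i - j) <= window for i in pos_a for j in pos_b)


def plain_drug(n: str) -> bool:
    return re.search(r"\bviagra\b", n) is not None


# (rule name, score, predicate over (raw lower-cased text, normalized text)).
# A constructed handful of the hundreds of rules a commercial engine carries.
RULES = [
    ("drug_keyword", 2.0, lambda raw, n: plain_drug(n)),
    ("obfuscated_drug", 2.5, lambda raw, n: plain_drug(n) and "viagra" not in raw),
    ("hidden_gap_drug", 3.0, lambda raw, n: not plain_drug(n) and GAPPED_DRUG.search(n) is not None),
    ("discount_near_medication", 1.5, lambda raw, n: near(n, "discount", "medication")),
    ("url_present", 1.0, lambda raw, n: URL_RE.search(raw) is not None),
]
THRESHOLDS = [(8.0, "delete"), (5.0, "quarantine"), (3.0, "tag")]  # tiered actions by certainty


class BulkTracker:
    """Adaptive rule: hash each body with digits and whitespace collapsed and count
    repeats; a run of near-identical bodies is the signature of a spam outbreak."""

    def __init__(self):
        self.counts = Counter()

    def observe(self, raw: str) -> int:
        digest = hashlib.sha256(re.sub(r"\d+|\s+", " ", raw).encode()).hexdigest()
        self.counts[digest] += 1
        return self.counts[digest]


def score(text: str, tracker: BulkTracker, bulk_after: int = 3):
    """Run every rule, add the outbreak rule, and map the total to an action."""
    raw, n = text.lower(), normalize(text)
    hits = [(name, pts) for name, pts, pred in RULES if pred(raw, n)]
    if tracker.observe(raw) >= bulk_after:
        hits.append(("bulk_outbreak", 2.0))
    total = sum(pts for _, pts in hits)
    action = next((a for t, a in THRESHOLDS if total >= t), "deliver")
    return total, [name for name, _ in hits], action
```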
CLOUD SERVICE FOR ANTISPAM
To counter the need for dedicated on-premise hardware and support, many customers are looking to cloud-based antispam solutions to avoid these resource costs, routing their email messages through a third party for scanning before they are delivered into their infrastructure. Cloud-based services are designed to be on-demand and elastic in order to provide flexibility in both cost and scalability, as well as having a centralized team of mail security experts to ensure that the solution employs the latest antispam techniques to maximize detection rates. Enterprises can, and should, leverage the cloud to provide a first line of defense for spam filtering.
Best practice tip: Using a cloud service to block a high proportion of emails before they reach the customer's network drastically reduces resource utilization in both the customer's email servers and internet connection. This service should be backed by an aggressive Service Level Agreement (SLA).
THE INDUSTRY'S FIRST HYBRID EMAIL SECURITY: INTERSCAN MESSAGING SECURITY VIRTUAL APPLIANCE
Trend Micro has developed the industry's first integrated hybrid SaaS email security solution designed to
provide the benefits of both a cloud-based solution (to remove a high percentage of messages within the
cloud), and an on-premise VMware Ready virtual appliance (to give an enterprise the fine level of policy
enforcement that they require and the privacy they prefer). With this hybrid solution, enterprises can
minimize outlay on expensive dedicated appliances and also leverage the latest virtualization technologies.
LAYERED SECURITY MANAGED FROM A SINGLE CONSOLE
These components are linked transparently, one in the cloud to remove a large percentage of unwanted
inbound emails, and another on the enterprise premises, for more granular policies and policy/privacy
enforcement of outbound email. This greatly simplifies the configuration process for the enterprise since
both cloud and on-premises components are managed from a single console. In addition, the solution queries its local message tracking logs and searches the cloud component of the solution for the equivalent logs. A single set of results is shown, combining both local and cloud results into a single log.
FIRST LINE OF DEFENSE: EMAIL REPUTATION AND WEB REPUTATION
InterScan Messaging Security Virtual Appliance employs email reputation, web reputation, traffic shaping,
and heuristics—to weed out unwanted content before it hits the network edge. These technologies leverage
unique cloud-client architecture, powered by the Trend Micro™ Smart Protection Network™, a global
network of threat intelligence sensors. Email reputation policies stop mail sent by known spammers—
blocking up to 85 percent of all email. Meanwhile, web reputation blocks emails with links to infected or
malicious websites. Email, web, and file reputation threat data is correlated by the Smart Protection Network
in the cloud to stop threats as soon as they emerge. As the volume of threats increases to thousands per
hour, the need for comprehensive, immediate and correlated threat intelligence is critical to protecting your
PRIVACY AND CONTROL WITH ON-PREMISE SECURITY
Emails flagged for further inspection are quarantined on premise; no email is stored in the cloud—none.
Inbound email security layers including DHA protection, machine learning, and granular content filtering
controls are also available on premise. In addition, outbound content inspection, spam and virus filtering,
and encryption secure outbound content and provide early detection of bot activity.
THE HYBRID SOLUTION ALIGNED WITH ALL OF TODAY'S ANTISPAM BEST PRACTICES
The hybrid email security approach within InterScan Messaging Security Virtual Appliance removes many of
the obstacles for enterprises that desire the benefits of both an in-the-cloud solution and an on-premise
solution. And the benefits are significant, including lower management overhead and better alignment with
antispam best practices as discussed within this document. The results set a new standard in terms of
greatly reducing the volumes of spam received by the enterprise—without interfering with business critical
2010 Trend Micro, Incorporated. All rights reserved. Trend Micro, InterScan, Trend Micro Smart Protection Network, and the t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. WP03_Spam_100824US
Source: http://www.trendmicro.dk/media/wp/spam-whitepaper-en.pdf