Learning spammers' tricks doesn't mean less junk

The industry is learning more and more about tricks used by spammers to get their unwanted messages across, as evidenced by a handful of research studies made public this month from university and vendor labs. But even as their tricks are revealed, spammers continue to stay a step ahead of the filters, techniques and services designed to catch them.

Findings about how spammers take advantage of Internet protocols to hide their tracks, mine free Web hosting sites to make extra money, and pump up stock prices to then dump shares at a profit are just some of the research reports that have surfaced. While some of these reports promise to feed their findings into future product developments or to help strengthen Internet protocols against misuse, by the time the information is implemented spammers will no doubt have found a new set of tricks.

Meanwhile, IT managers see no relief in sight. In a recent report, IDC says spam has climbed back up the priority list of IT managers and holds the No. 3 spot among the greatest threats to enterprise security.

Yet when fighting this sort of arms race with spammers who have financial incentives to jump through myriad technical and social-engineering hoops to get their message through, security (http://www.networkworld.com/topics/security.html) vendors are bound to be playing catch-up, says one IT manager.

"It's the nature of the beast," says April Robinson, network administrator with engineering firm Bernardin, Lochmueller & Associates in Evansville, Ind. "Trying to keep up with 'what in the world will they think of next?' means there will always be that gap" between spammers' tricks and technology that attempts to foil them, she says.

Among the findings made public of late is a study by researchers at the Georgia Institute of Technology's College of Computing that revealed some of the lengths to which spammers will go to hide their tracks.

In an 18-month study of more than 10 million spam messages sent to a single domain, researchers discovered a small group of spammers are using a technique called route hijacking to mask the IP addresses from which spam is sent, which means they can't be caught. Spammers exploit weaknesses in Internet routing protocols essentially to hijack an address space and assume an IP address, then withdraw their route once they've blasted out their spam, according to researchers.

Improving the security of these routing protocols would cut down on the amount of spam on the Internet, says Nick Feamster, a Georgia Tech assistant professor of computing involved in the project. He also plans to use these and future findings to help improve spam-blocking products.

"Because we are researching ways to detect spam based on where in the network it is coming from, rather than simply the contents of the e-mail itself, we are raising the bar considerably higher for spammers, whereas with existing filtering techniques spammers can easily develop new tricks," Feamster says.

Purdue University's Krannert School of Management earlier this month released results of a study on stock-touting schemes, in which spammers buy penny stocks, tout them in blasted e-mail campaigns and dump the stock at a profit.

The study showed that 15 percent of spam messages sent are stock-touting schemes, in which usually only the spammer profits because most recipients who acted on the supposed stock tip lose money and the companies whose stock spammers chose to tout suffer as scorned investors blame them for the bad tip, says Laura Frieder, assistant professor of finance and co-author of the study. The study suggests senders of stock tips should be forced by law to disclose their holdings in any stock they promote.

In another example, security vendor McAfee's Avert Labs recently described a way that spammers have found to make even more money. Online scammers have long used free hosting services such as Yahoo Geocities or Tripod as a way to get around e-mail filters that might otherwise recognize their spam Web sites. Now some enterprising spammers have begun selling each other these free Web pages, McAfee says.

For US$25 per week, a spammer will sell 50 Web-hosting accounts that can be used to redirect Web traffic to sites that normally would be flagged. "These link providers create and maintain thousands of free hosting accounts on behalf of the spammers," wrote McAfee's Nick Kelly in a recent posting to McAfee's Avert Labs blog.

At least one research effort will soon result in a product. A professor and two students at Carnegie Mellon University's CyLab have come up with the Phoolproof Phishing Prevention system, which provides strong authentication between a user's browser and a Web site by a third party - namely, a cell phone or PDA - acting as authenticator.

Researchers have a prototype version of the system working and hope to release a more finished version soon.

Despite spammers' constant developments, some watchers believe the spam-fighting industry is holding its own.

"Most of the [spam] filter authors I know are getting filtering accuracy in the 99.9 percent or better range now . . . and most new mail clients are getting good filters built right in," says Bill Yerazunis, senior research scientist with Mitsubishi Electric Research Laboratories and chairman of the annual MIT Spam Conference. "For the short term we'll see more and more spam, but we'll also see every mail client and service come with built-in spam filtering."

Additional reporting by Robert McMillan, IDG News Service.

Join the newsletter!

Error: Please check your email address.

More about AvertCarnegie Mellon University AustraliaGeoCitiesGeorgia Institute of TechnologyIDC AustraliaMcAfee AustraliaMellonMITMitsubishi AustraliaMitsubishi Electric AustraliaPromiseYahoo

Show Comments

Market Place