In the beginning

Spam (unsolicited bulk advertising via email) made its first appearance in the mid 1990s, i.e. as soon as enough people were using email to make this a cost-effective form of advertising. By 1997, spam was regarded as being a problem, and the first Real-Time Black List (RBL) appeared in the same year.

Spammer techniques have evolved in response to the appearance of more and better filters. As soon as security firms develop effective filters, spammers change their tactics to avoid the new spam blockers. This leads to a vicious circle, with spammers re-investing profits into developing new techniques to evade new spam filters. The situation is spiralling out of control.

The development of spammer techniques

Direct mailing

Initially, spam was sent directly to users. In fact, spammers didn't even need to disguise the sender information. This early spam was easy enough to block: if you blacklisted specific sender or IP addresses, you were safe. In response, spammers began spoofing sender addresses and forging other technical information.

Open Relay

In the mid-1990s all email servers were open relays: any sender could send an email to any recipient. Spam and other security issues led administrators to start reconfiguring mail servers worldwide. However, the process was relatively slow, and not all mail server owners and administrators were willing to cooperate. Once the process was well underway, security analysts began scanning for the remaining open relay mail servers. Lists of these servers were made available as DNS RBLs, making it possible for security-conscious administrators to block incoming mail from listed servers. However, open relay servers are still used for mass mailing.

Modem Pool

As soon as sending spam via open relay became less efficient, spammers began to use dial-up connections. They exploited the way in which ISPs structured dial-up services and utilized weaknesses in the system:

- As a rule, ISP mail servers forward incoming mail from clients.
- Dial-up connections are supported by dynamic IP addresses, so spammers can use a new IP address for every mailing session.

In answer to spammer exploitation, ISPs began to limit the number of emails a user could send in any one session. Lists of suspect dial-up addresses, and filters which blocked mail from these addresses, appeared on the Internet.

Proxy servers

The new century saw spammers switching to high-speed Internet connections and exploiting hardware vulnerabilities. Cable and ADSL connections allowed spammers to send mass mailings cheaply and quickly. In addition, spammers rapidly discovered that many ADSL modems had built-in SOCKS servers or HTTP proxy servers. Both are simply utilities that share an Internet channel between multiple computers. The important feature was that anybody from anywhere in the world could access these servers, since they had no protection at all. In other words, malicious users could use other people's ADSL connections to do whatever they pleased, including, naturally, sending spam. Moreover, the spam would look as if it had been sent from the victim's IP address. Since millions of people worldwide had these connections, spammers had a field day until hardware manufacturers began securing their equipment.

Zombie or bot networks

In 2003 and 2004 spammers sent the majority of mailings from machines belonging to unsuspecting users. Spammers use malware to install Trojans on users' machines, leaving them open to remote use. Methods used to penetrate victim machines include:

- Trojan droppers and downloaders injected into pirate software which is distributed via P2P file-sharing networks (Kazaa, eDonkey etc.).
- Exploiting vulnerabilities in MS Windows and popular applications such as IE and Outlook.
- Email worms.

Anyone who has the client part of the program which controls the Trojan that has infected a victim machine controls the machine or network of victim machines. The resulting networks are called bot networks, and are sold and traded among spammers. Analysts estimate that Trojans are installed on millions of machines worldwide. Modern Trojans are sophisticated enough to download new versions of themselves, download and execute commands from specified websites or IRC channels, send out spam, conduct DDoS attacks and much more.

The development of spam content

Content Analysis

Many spam filters work by analysing the content of a message: the message subject, body, and attachments. Spammers today expend significant resources on developing content which will evade content filters.

Simple text and HTML

Originally, spam was simple: identical messages were sent to everyone on a mailing list. These emails were laughably easy to filter out due to the quantity of identical texts.

Personalised mail

Spammers then began to include a greeting based on the recipient's address. Since every message now contained a personalised greeting, filters which blocked identical messages did not detect this type of spam. Security experts developed filters that identified unchanging lines, which would then be added to filtration rules. They also developed fuzzy signature matching, which would detect text with only minor changes, and statistics-based self-modifying filtration technologies such as Bayesian filters.

Random text strings and invisible text

Spammers now often place either text strings from legitimate business emails or random text strings at the beginning or end of emails in order to evade content filters. Another method used to evade filters is to include invisible text in HTML-format emails: the text is either too tiny to see or the font color matches the background. Both methods are fairly successful against content and statistical filters. Analysts responded by developing search engines that scanned emails for such typical texts, which also conducted detailed HTML analysis and sophisticated content analysis. Many antispam solutions were able to detect such tricks without even analysing the content of individual emails in detail.

Graphics

Sending spam in graphics format makes it very hard to detect. Analysts are developing methods for extracting and analysing text contained in graphics files.

Paraphrasing texts

A single advertisement can be endlessly rephrased, making each individual message appear to be a legitimate email. As a result, antispam filters have to be configured using a large number of samples before such messages can be detected as spam.

Summary

Currently, spammers usually use the last three methods in a variety of combinations. Many antispam solutions are incapable of detecting all three. As long as spamming remains profitable, users with poor-quality antispam software will continue to find their mailboxes clogged with advertising.
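As an added worked example (not from the original article) of the two filter techniques described under Personalised mail and Random text strings and invisible text: it strips text hidden by a background-matching font colour or a tiny font from a constructed HTML mail, then compares what remains against a known spam sample with a fuzzy word-shingle signature that tolerates a changed greeting. The sample messages, the 0.5 threshold and all function names are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the article): an advertisement padded with a line
# whose font colour matches the page background and a tiny-font line.
SAMPLE_HTML = """<html><body bgcolor="#FFFFFF">
<font color="#ffffff">quarterly report attached please review the figures</font>
<p>Dear john, buy our AMAZING product today at a huge discount!!!</p>
<font size="1">random padding lorem ipsum dolor sit amet</font>
</body></html>"""
# A previously seen copy of the same advertisement with a different greeting.
KNOWN_SPAM = "Dear mary, buy our amazing product today at a huge discount!"

class InvisibleTextParser(HTMLParser):
    """Collects (text, hidden) pairs in document order. Text counts as hidden when an
    enclosing <font> has the body's background colour or size 0/1 (CSS is not handled)."""
    def __init__(self):
        super().__init__()
        self.bg, self.font_stack, self.parts = "#ffffff", [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.bg = a["bgcolor"].lower()
        elif tag == "font":
            hidden = (a.get("color") or "").lower() == self.bg or a.get("size") in ("0", "1")
            self.font_stack.append(hidden)
    def handle_endtag(self, tag):
        if tag == "font" and self.font_stack:
            self.font_stack.pop()
    def handle_data(self, data):
        if data.strip():
            self.parts.append((data.strip(), any(self.font_stack)))

def extract_text(html, drop_hidden=True):
    # Return the mail text, leaving out invisible runs unless asked to keep them.
    p = InvisibleTextParser()
    p.feed(html)
    return " ".join(t for t, hidden in p.parts if not (hidden and drop_hidden))

def shingles(text, k=3):
    # Fuzzy signature: the set of k-word windows over normalised words, so a changed
    # greeting or different punctuation alters only a few entries.
    words = re.findall(r"[a-z]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(a, b):
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if sa or sb else 0.0

def is_known_spam(html, sample=KNOWN_SPAM, threshold=0.5, drop_hidden=True):
    return similarity(extract_text(html, drop_hidden), sample) >= threshold
```

With the hidden runs left in, the padding dilutes the signature and the sample falls below the threshold, which is why HTML analysis has to precede content matching.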