How Spammers Fool Rule-based and Signature-Based Spam Filters
by: Paul Judge, CTO, CipherTrust, Inc.
Effectively stopping spam over the long-term requires much more than blocking individual IP addresses and creating rules based on keywords that spammers typically use. The increasing sophistication of spam tools coupled with the increasing number of spammers in the wild has created a hyper-evolution in the variety and volume of spam. The old ways of blocking the bad guys just don’t work anymore.

Examining spam and spam-blocking technology can illuminate how this evolution is taking place and what can be done to combat spam and reclaim e-mail as the efficient, effective communication tool it was intended to be.

Heuristics (Rule-based Filtering)
One method used to combat spam is Rule-based, or Heuristic Filtering. Rule-based filters scan email content for predetermined words or phrases that may indicate a message is spam. For example, if an email administrator includes the word "sex" on a company’s rule-based list, any email containing this word will be filtered.

The major drawback of this approach is the difficulty in identifying keywords that are consistently indicative of spam. While spammers may frequently use the words “sex” and “Viagra” in spam emails, these words are also used in legitimate business correspondence, particularly in the healthcare industry. Additionally, spammers have learned to obfuscate suspect words by using spellings such as "S*E*X", or "VIa GRR A".

It is impossible to develop dictionaries that identify every possible misspelling of "spammy" keywords. Additionally, because filtering for certain keywords produces large numbers of false positives, many organizations have found they cannot afford to rely solely on rule-based filters to identify spam.

Signature-Based Spam Filters
Another method used to combat spam is Signature-based Filtering. Signature-based filters examine the contents of known spam, usually derived from honey pots, or dummy email addresses set up specifically to collect spam. Once a honey pot receives a spam message, the content is examined and given a unique identifier. The unique identifier is obtained by assigning a value to each character in the email. Once all characters have been assigned a value, the values are totaled, creating the spam’s signature. The signature is added to a signature database and sent as a regular update to the email service’s subscribers. The signature is compared to every email coming in to the network and all matching messages are discarded as spam.

The benefit of signature-based filters is that they rarely produce false-positives, or legitimate email incorrectly identified as spam. The drawback of signature-based filters is that they are very easy to defeat. Because they are backward-looking, they only deal with spam that has already been sent. By the time the honey pot receives a spam message, the system assigns a signature, and the update is sent and installed on the subscribers’ network, the spammer has already sent millions of emails. A slight modification of the email message will render the existing signature useless.

Furthermore, spammers can easily evade signature-based filters by using special email software that adds random strings of content to the subject line and body of the email. Because the variable content alters the signature of each email sent by the spammer, signature-based spam filters are unable to match the email to known pieces of spam.

Developers of signature-based spam filters have learned to identify the tell-tale signs of automated random character generation. But as is often the case, spammers remain a step ahead and have developed more sophisticated methods for inserting random content. As a result, most spam continues to fool signature-based filters.
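
The failure modes described in the two sections above can be reproduced with toy versions of both filters. This is an added example, not code from the article or from CipherTrust; the messages, the keyword list, the function names and the choice of the Unicode code point as each character's value are assumptions made for illustration.

```python
# Added illustration, not CipherTrust code. Messages, keyword list and
# function names are constructed for this example.
KEYWORDS = {"sex", "viagra"}  # the two words the article uses as examples


def rule_based_is_spam(text):
    """Flag the message if any word is on the keyword list."""
    words = (w.strip('.,:!?"').lower() for w in text.split())
    return any(w in KEYWORDS for w in words)


def signature(text):
    """Per the article: give every character a value and total the values.
    Using the Unicode code point as the value is an assumption."""
    return sum(ord(ch) for ch in text)


HONEYPOT_SPAM = "Buy Viagra now, lowest prices!"
SIGNATURE_DB = {signature(HONEYPOT_SPAM)}  # what subscribers would receive

SAMPLES = {
    "exact_copy": "Buy Viagra now, lowest prices!",
    "obfuscated": "Buy VIa GRR A now, lowest prices!",     # article's spelling
    "randomised": "Buy Viagra now, lowest prices! qzx81",  # random suffix
    "legit_health": "Formulary update: Viagra coverage changes in March.",
}


def evaluate():
    """Return {sample: (rule_verdict, signature_verdict)}."""
    return {
        name: (rule_based_is_spam(msg), signature(msg) in SIGNATURE_DB)
        for name, msg in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (rule, sig) in evaluate().items():
        print(f"{name:13} rule={rule!s:5} signature={sig}")
```

The `legit_health` row is the rule-based false positive, and the `obfuscated` and `randomised` rows are the misses: only the exact copy of the honey pot message matches the stored signature.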

The Solution
When used individually, each anti-spam technique has been systematically overcome by spammers. Grandiose plans to rid the world of spam, such as charging a penny for each e-mail received or forcing servers to solve mathematical problems before delivering e-mail, have been proposed with few results. These schemes are not realistic and would require a large percentage of the population to adopt the same anti-spam method in order to be effective. You can learn more about the fight against spam by visiting our website at www.ciphertrust.com and downloading our whitepapers.

About the author:

Dr. Paul Judge is a noted scholar and entrepreneur. He is Chief Technology Officer at CipherTrust, the industry's largest provider of enterprise email security. The company’s flagship product, IronMail, provides the best of breed enterprise anti spam solution designed to stop spam, phishing attacks and other email-based threats. Learn more by visiting www.ciphertrust.com/products/spam_and_fraud_protection today.

Circulated by Article Emporium

 



©twozerozerofive - All Rights Reserved