Controlling spam

Today, almost all businesses rely on email for part of their communications needs. Yet a staggering proportion of email messages are destined not to communicate, but to do damage.

Industry estimates suggest that as much as 70 per cent of all email traffic is technically illegitimate: it is wrongly addressed, contains malformed SMTP packets, or is part of a denial of service attack or an attempt to harvest corporate email addresses.

Conventional anti-spam technologies struggle to cope with this increasing volume of illegitimate messages, not least because they have to scan the content of each email to determine whether or not it is spam. Doing so - as well as storing and processing large volumes of unwanted messages - robs companies of valuable IT resources.

Dealing with illegitimate messages at the edge, based on information contained in the email’s “envelope”, is the only proven way to remove a large percentage of illegitimate messages before they even reach companies’ servers. This saves resources, eases the work of content-based anti-spam systems and cuts the number of unwanted messages reaching the desktop.

The scale of the threat

Email is without a doubt vital to almost all businesses today. Unfortunately, the vast majority of emails now passing across the Internet consist not of essential business messages or even personal correspondence, but spam.

Surveys of businesses and other organisations that rely on the Internet for their communications show that around 70 per cent of inbound email traffic is either spam, or other types of illegitimate messages. Together these are known as “dark traffic”.

As well as straightforward spam, dark traffic comprises directory harvest attacks (DHA); email denial of service (DoS) attacks; malformed SMTP packets; invalid recipient addresses; and other requests and communications unrelated to the delivery of valid email messages.

Most conventional spam is purely commercial in its intent, setting out to encourage Internet users to buy goods or services. Other messages are so-called “blended threats”, which use social engineering techniques to persuade recipients to open the message and, typically, activate a Trojan, virus or other malware.

But a growing percentage of dark traffic aims to cause damage or disruption to a company or to its IT assets.

Denial of service attacks delivered over email, for example, could take down a company’s mail servers, rendering it unable to do business online. More sinister still, cyber criminals can use a combination of hacking and spam techniques to “harvest” email addresses and user identities, opening the door to further attacks.

Email-based denial of service attacks could also be directed at network providers, with the knock-on effect of damaging the communications of dozens of businesses that outsource their email hosting.

The threat to corporate IT systems is by no means static. As the quantity of both malformed emails and outright spam grows, legitimate email traffic on the Internet is being drowned out by dark traffic. Industry estimates suggest that just 30 per cent of email traffic is technically valid. Of that valid traffic, two thirds consists of spam or other unsolicited mails. Just one in 10 emails is both legitimate and genuine.

The vast majority of email security systems in production today scan only for the content of the messages, relying on techniques such as keyword scanning. This means they will accept the vast majority of malformed messages as legitimate.

These messages move through a company’s perimeter defences unchecked and pass on intact to email systems and, often, the desktop. This places an enormous and unnecessary burden on networks and server resources, as well as wasting staff time.

Dark traffic is forcing businesses to invest in additional bandwidth, storage space and CPU capacity just to collect, store and forward enormous quantities of unwanted email traffic.

The very high ratio of illegitimate messages to legitimate mail forces companies to invest more and more resources in building spam detection and filtering systems. For some businesses, the need to scan the content of a vast amount of email, just to find the relatively small proportion of real messages, creates serious bottlenecks within the IT infrastructure.

Unless they act, CIOs could find themselves caught in a spiral of ever-greater investment in order to accommodate a growing quantity of messages that are of little or no value to their businesses.

There are no authentication standards built into the SMTP email protocol. And as there is no real cost involved in sending email, there are few economic incentives to prevent spammers from continuing to ply their trade. Legal restrictions on spammers have been increased, in particular in the USA. But these measures will do little to deter the authors of other dark traffic types. Their actions are already illegal in much of the world, but enforcement remains extremely difficult. The onus remains on businesses to protect themselves.

Dark traffic analysed

Some dark traffic is a by-product of conventional spam: emails generated automatically by a spammer’s software; obsolete addresses and addresses that users or IT departments have registered, in order to trace spam. Some email - although the amount is generally accepted to be small - is legitimate email accidentally misrouted by the sender.

But a much greater percentage of dark traffic specifically targets enterprises and other large organisations, with a view either to damaging their communications abilities or to gathering email addresses to use as the basis for further spam. These attacks are known as denial of service (DoS) and directory harvest attacks (DHA) respectively.

Denial of service attacks against web servers and other enterprise IT assets are well documented, but attacks specifically targeting email infrastructure are a more recent development.

As many as 60 per cent of companies that responded to a recent industry survey reported that they had been hit by an email denial of service attack (see research release attached with UK specific stats). Over half of these said that they had suffered multiple attacks. In the UK, 17 per cent of companies were hit by a denial of service attack last year. Among larger firms, those with over 10,000 staff, the percentage rises to one third of companies.

Some companies report that they are being targeted by multiple attacks; these attacks are also known as “mail bombing” or “flooding”.

Increasingly, cyber criminals are making use of remote computers — or Zombies — to launch distributed denial of service attacks against a range of systems, including email infrastructure. Distributed attacks have the advantage, from the hacker’s point of view, of causing more damage more quickly and being harder to trace to the point of origin. It might also be harder for information security professionals to guard against distributed attacks.

The growth of home PC ownership and broadband connections in particular has made it easier for cyber criminals to launch distributed denial of service attacks, particularly by exploiting vulnerabilities on unwitting users’ computers.

Administrators face the problem that, to most security systems, email-based denial of service attacks appear to be legitimate traffic. It is the sheer volume that aims to disable or disrupt systems.

By targeting email, hackers can cause widespread disruption. The targeted organisation’s mail server might drop connections or refuse legitimate email. Customers trying to reach the organisation will fail to do so, and the attack victim might never establish the value of the business lost as a result.

Directory harvest attacks (DHAs) are particularly worrying to IT managers because they aim to gather information that cyber criminals can use to further compromise IT systems.

The most common reason a cyber criminal would deploy a directory harvest attack over the Internet is to identify a company’s genuine email addresses. These would then be used either directly by the spammer behind the DHA, or sold on.

The DHA works by a process of elimination. If the sending computer does not receive an invalid recipient reply, then it treats the address as verified and uses it for spam or other purposes.

Gathering email addresses in this way, to generate spam, is an obvious nuisance. But concern is growing among security professionals that cyber criminals are using DHAs in order to establish user names for directory management systems and software applications.

Armed with valid user IDs, the cyber criminal can use dictionary attacks to establish passwords. Such an attack is likely to break one in 100 mailboxes. Only one valid login is needed to compromise a corporate email system.

DHA attacks also have the effect of delaying or disrupting legitimate email traffic. Figures from the UK suggest that one in 10 companies overall, and a fifth of large companies, have experienced a directory harvest attack in the last year. Perhaps as worrying, 20 per cent of IT directors did not know whether their organisations had been attacked.

Protecting against dark traffic

By its nature, dark traffic cannot be prevented at an Internet-wide level. For its part, anti-spam legislation only acts as a limited deterrent to those intent on dark traffic attacks. The very fact that dark traffic takes on the appearance of legitimate email means that it is not visible to many of the information security measures currently operated by Internet service providers and companies.

The only way to determine whether an email message is legitimate or dark traffic is to compare the addressee with entries in a company’s directory. If the addressee is listed, the email could still be spam, but the vast majority of illegitimate emails, including most of the traffic used for both denial of service and directory harvest attacks, would remain undelivered.

Businesses, however, will be understandably reluctant to hand over their directory details to third parties, even where doing so will improve their information security defences. But businesses can deploy solutions at the edge of their networks that will filter out malformed SMTP packets, denial of service attacks (based on the messages originating from one or a small number of IP addresses) and directory harvest attempts.

Such technology does not replace anti-spam systems based on content filtering, but works alongside them. Conventional spam filtering remains necessary to protect employees’ mailboxes from spam launched against pre-harvested addresses or those bought from a list, as well as for other purposes such as blocking messages with inappropriate content.

Building a layered approach to spam is both more efficient and more effective. Two sets of filtering systems greatly cut the chances of spam messages slipping through the net, and should also reduce the number of “false rejects” by allowing finer tuning of content-based filters.

But the main argument for deploying scanners at the edge to pick up and block dark traffic is efficiency.

Given that only around 10 per cent of email is legitimate traffic, but that 70 per cent of all messages are believed to be denial of service attacks, directory harvest attacks or messages with invalid recipients, blocking this mail at as early a stage as possible vastly reduces the load on conventional, content-based filtering systems.

Edge-based systems work by examining the sender’s IP address and the “envelope” headers of an email message, in order to detect dark traffic. If the message is rejected, the content simply never reaches the content filtering systems, let alone the corporate email servers.
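
The following Python example is added here for illustration and is not taken from the original article or from any vendor product. It shows an edge filter deciding on envelope data alone: a directory lookup at RCPT TO with a per-IP invalid-recipient ratio to catch directory harvesting, and a per-IP connection window to catch flooding. The directory, thresholds, choice of reply codes and IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed directory and thresholds: assumptions for illustration only.
DIRECTORY = {"alice@example.com", "bob@example.com"}
DHA_MIN_RCPTS, DHA_INVALID_RATIO = 5, 0.8   # judge an IP after 5 RCPTs, 80% unknown
DOS_MAX_CONNS, DOS_WINDOW_SECS = 4, 10      # connections allowed per IP per window

class EdgeFilter:
    """Decides on envelope data only (source IP, RCPT TO); never reads a body."""
    def __init__(self, directory):
        self.directory = {a.lower() for a in directory}
        self.rcpts = defaultdict(lambda: [0, 0])   # ip -> [total, invalid]
        self.conns = defaultdict(deque)            # ip -> recent connect times
        self.blocked = {}                          # ip -> "dos" | "dha"

    def on_connect(self, ip, ts):
        """Sliding-window rate check. Returns False when the connection is refused."""
        if ip in self.blocked:
            return False
        window = self.conns[ip]
        window.append(ts)
        while ts - window[0] > DOS_WINDOW_SECS:
            window.popleft()
        if len(window) > DOS_MAX_CONNS:
            self.blocked[ip] = "dos"
            return False
        return True

    def on_rcpt(self, ip, rcpt):
        """Directory lookup at RCPT TO. Returns an SMTP reply code."""
        if ip in self.blocked:
            return 554   # same answer for every address: nothing left to enumerate
        counts = self.rcpts[ip]
        valid = rcpt.lower() in self.directory
        counts[0] += 1
        counts[1] += 0 if valid else 1
        if counts[0] >= DHA_MIN_RCPTS and counts[1] / counts[0] >= DHA_INVALID_RATIO:
            self.blocked[ip] = "dha"
            return 554
        return 250 if valid else 550

def run_sample():
    """Replay constructed envelope events from three documentation-range IPs."""
    f = EdgeFilter(DIRECTORY)
    names = ["aaron", "abby", "adam", "alice", "alan", "albert", "bob"]
    dha = [f.on_rcpt("203.0.113.9", n + "@example.com") for n in names]
    flood = [f.on_connect("198.51.100.7", t) for t in range(6)]
    normal = (f.on_connect("192.0.2.10", 0), f.on_rcpt("192.0.2.10", "bob@example.com"))
    return dha, flood, normal, f.blocked
```

Once a source is flagged, valid and invalid recipients receive the same rejection, so the process of elimination a DHA depends on stops yielding information, and no message body from that source is ever accepted for content scanning.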

As an edge system only looks at envelope data, it will typically be five to six times as quick as a content filter with a similar configuration. In fact, combining a single content filter system with an edge-based filter should be as effective as six standalone content filters.

By blocking more illegitimate email, the combined filters will also save on storage and processing needs, further bolstering the return on investment. Moreover, only edge-based systems can pick up and block denial of service attacks. By the time the messages reach the content filters, it is already too late to stop a denial of service attack.

Case study

A UK-based telecoms organisation experienced eight email-based denial of service attacks between March 2004 and March 2005. When the company audited its email traffic, it found that just five per cent of it was legitimate.

The business’ existing email filtering systems were able to block most of the illegitimate messages, but this came at a cost: emails to staff were delayed by 12 to 24 hours. The cost to email users’ productivity was put at £100 a day. A conservative estimate by the company put the cost of each DoS attack at just over £125,000.

Installing an edge filtering server brought immediate benefits in terms of both security and reduced costs. The company moved from three servers handling content filtering to one edge server and one content filter server. The system is also future-proof: the company believes that the new set-up should still be able to cope, even if email volumes double.

Conclusions

Businesses cannot afford to be complacent about the security threats and potential disruption contained in email.

Only a relatively small percentage of the email traffic currently reaching company IT systems is both valid and wanted. Just over two-thirds (67 per cent) of emails that are technically legitimate are, in fact, spam messages or other unsolicited emails.

Dealing with such emails wastes a large amount of employee time and places an unwanted burden on IT resources, both in terms of storing and processing messages and in running anti-spam services based around content filtering. Increasingly, cyber criminals are also making use of email to carry out denial of service attacks, especially on large corporations.

Protecting against such attacks with conventional anti-spam systems is difficult, if not impossible. Nor can companies continue to invest ever-greater resources in anti-spam filters and more powerful mail servers.

However, it is possible to deal with much of today’s illegitimate email traffic by filtering it at the edge of the corporate network. Such edge filters block emails based on information contained in the message envelope, including the sender’s IP address.

Because as much as 70 per cent of today’s email traffic is illegitimate from a technical standpoint, it can be blocked at the edge. This is both more effective and more efficient than relying on content-based filtering alone. Filtering out dark traffic at the network edge is cost effective, removes bottlenecks and, ultimately, improves corporate information security in a way that other anti-spam measures cannot achieve on their own.

The Solution

The costs of a denial of service or directory harvest attack on a company’s existing email infrastructure are real and tangible.

Only with a network defence operating at the perimeter of the organisation can IT departments keep these new threats at bay. Providing this defence requires utilising your local ‘directory’ to prevent directory harvest attacks and using dynamic algorithms to identify denial of service attacks as they occur.

Forecasts suggest that these attacks will only increase year-on-year, but it is not all bad news. Investing in an edge defence such as Tumbleweed’s MailGate Edge will improve security and prolong the useful life of existing defences, leading to lower costs and greater productivity.
