Cover

Combating spam

Spam is proliferating at an alarming rate in terms of sophistication and technology, so much so that it is putting the brakes on smooth business communication, writes Nivedan Prakash

The spam menace has been a cause for concern for most organizations. More than half of the world’s e-mails consist of spam, ranging from possibly useful information, through unwanted information to downright offensive or malicious material. These spam mails may include sexually explicit content and can even trigger phishing.

The rise in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. From spam to malware, high-tech opportunists use a multitude of techniques to make a quick buck off the steadily booming number of people surfing the Internet, and the spam menace is growing year on year.

In today’s corporate network, when spam enters a corporate server, it translates into a high cost for the organization. This cost is not just in terms of wastage of storage and bandwidth, but also in terms of the time of resources that employees waste weeding out these unwanted messages, apart from the risk of phishing. Today, spam represents about 90% of all e-mail and according to Websense Security Labs (WSL), 3 in 50 messages led to phishing sites in the month of October 2008, an increase of 240% over the previous month.

According to other industry sources, spam costs businesses around $20.5 billion annually in decreased productivity as well as in technical expenses. The average loss per employee annually because of spam is approximately $1,934.

On a global scale, the estimated cost of spam to the economy is approximately $25 billion per year causing financial costs and losses in productivity for service providers, businesses and end-users alike. To add to it, the format of such spam attacks keeps evolving as spammers keep using newer and more sophisticated techniques and evade existing spam detection applications.  

Here we could just say that as the use of e-mail is growing in organizations, so is the spam problem. Spam is significantly reducing the efficiency of e-mail usage as time and money are wasted through the daily routine of ‘check email-detect spam-delete’ actions.

Spam trends

Spam has rapidly evolved to using sophisticated techniques for evading detection since the initial text or html-based e-mails. Image-based spam started spreading in 2006-2007 and PDF and Excel spam for stock pump-and-dump scams followed. Spammers have used these formats with the objective of avoiding detection in face of the growing sophistication of anti-spam solutions.

Bala Girisaballa, VP-Head of Product Management & Marketing, iViZ, commented, “There is a fundamental shift in the way attackers think. Today, the attackers have become tactical and they are commercially motivated. They no longer break into a system to prove their capability or technological expertise. In the new age philosophy, they are now choosing soft targets. Their goal is to create as much damage as possible. They look at the easiest path to attack e.g. phishing and e-mail spamming. The second is the most preferred route for them, as it is much easier and cheaper to launch an attack. The result of this entire change of trend is that e-mail spamming is seeing almost 100% growth year-on-year. In some cases, it is actually much more.”

The latest technique employed by spammers to evade detection is that of hiding their bad reputation by using valid or reputed mail servers, mainly Web mail accounts. The latest trend is to steal legitimate e-mail senders’ credentials, compromising e-mail account enrollment processes and automatically registering thousands of free e-mail accounts. In addition, malware hidden in legitimate sites is on the rise. Spammers continue to use attractive content like celebrities and doomsday announcements for greater effectiveness. 

The main motivation for spammers is money. Says Digvijaysinh Chudasama, VP- Sales, Cyberoam (India), “Though spammers pay as little as 0.025 cents to send an e-mail message with billions of spam messages sent each day, all these fractions of cents start to add up to real money. This is not how much it cost to spam, but rather how much the spammer is getting for sending it.”

The spamming community has evolved into a sophisticated and structured underground economy where motivation has moved from simple malicious intent to financial fraud that pays huge rewards and cuts deep into a business’ bottom line. Incentives are provided to spammers for getting control of as many PCs as possible anywhere on the globe through the distribution of malware.

Shubhomoy Biswas, Country Director, India, SonicWALL, asserted, “Spit or spam over Internet telephony is a growing spam threat that organizations today come across. In recent times, the scourge of spam has spread to mobile phones. Mobile spam is growing, and seems to be a more open market than traditional e-mail spam. Junk mail sent to mobile handsets is set to explode as hackers target new Web-enabled smartphones.”

In the month of October 2008, 90.5% of spam detected by WSL included a URL. WSL detected 5 million instances of 413 unique zero-day viruses found before patches for the same were issued. The longest window of exposure to zero-day viruses before an AV signature was made available was one week. This means that the threat landscape is dangerous and it is growing more sophisticated and blended.

Govind Rammurthy, CEO and MD, MicroWorld, stated, “The spam market is growing at the rate of more than 50% annually. The market is expected to grow to more than $850 million by the end of this year. Anti-spam solutions are deployed in multiple layers by both corporate and ISPs. This trend is going to continue in the near future too as businesses have understood the impact of spam.”

Effect on business

Spam has branched out into various forms by using constant variations and can range from a simple nuisance e-mail to ones that are harmful and malicious. The ones affecting businesses are the Viagra kind of spam, which is more on the nuisance side.

Organizations are incurring huge expenses battling spam against excess bandwidth usage. Spam dissipates employee time, burdens mail servers with a heavy processing load, eats up disk space on both servers and client machines, and reduces overall network performance. With the help of spam, threats like spyware, adware and Trojan horses can infiltrate networks. The biggest threat however are phishing attacks, which looks like a legitimate e-mail that can fool employees at large. Moreover, this area is becoming complex. Even the most Internet savvy users can fall prey to this kind of attacks.

“The inclusion of malware converts spam-related threats into blended ones. There are different threats with the prominent ones being spam messages having links to infected or compromised Web sites that infect a PC. Re-direction or search engine spam has also grown rapidly over last couple of years,” asserted Sanjay Katkar, CTO, Quick Heal Technologies.

Manish Bansal, Marketing Manager, Websense Software Services India, said, “Unlike earlier days, today most spam messages contain URLs embedded into the mail itself.  The other menace is Zero-day attacks. These attacks are difficult to detect and result in significant financial and productivity losses to organizations.”

Companies also fear attachment spam that was a trend in the past years. These spam messages require added storage space for their partner. These spam mails affect an organization’s business in several ways including the loss of private and confidential data, legal issues that might arise due to its content, loss of bandwidth, storage space and resource wastage, and updating system requirements.

Biswas explained, “Because spammers are hijacking personal computers and stealing bandwidth to send an unlimited number of spam messages at virtually no cost, businesses can face an escalating series of expenses to ensure their e-mails remain a viable and productive tool.”

“Today an organization faces spam threats that are furtive and concealed; while being bigger, smarter, more wicked and destructive. The threats are in the form of multi-vector attacks, which operate across e-mail and the Internet to get past traditional security tools. Email and Web-based attacks like phishing and spyware are costing businesses and consumers’ loss in productivity, financial losses, as well as brand damage,” added Rajiv Chadha, Vice President-Sales, VeriSign Services India.

Dealing with the menace

Organizations can deal with the spam menace by choosing either to install the anti-spam software or hardware to protect e-mail servers or outsource the task to a Managed Security Services (MSS) provider. In MSS, the spam and the malicious content is blocked before it reaches an organization’s gateway or mail server. Outsourcing to a MSS provider not only reduces the organization’s resource utilization but also saves the time and bandwidth utilization.

Migrating to a hosted e-mail security solution would be another best answer to combat the growing threat of spam. According to Osterman Research survey report, most decision makers do believe that hosted messaging security offerings can provide a number of advantages, including reducing cost for IT labor and upgrades, improvements in the capture rates for spam, viruses and other threats, and greater organizational flexibility.

Alex Ongena, Director UTM, Appliance and Authentication Service Division, Vasco Data Security, pointed out, “The most effective way is to limit the number of e-mail entrances (gateways) in the organization and to deploy an anti-spam solution on every gateway. The investment is rather small, ranging from about $20 per user per year in small organizations to $5-10 per user per year in larger organizations.”

Meanwhile, the most important criterion in fighting spam is the ability of a solution to adapt quickly enough to the rapid change of distribution and infiltration techniques invented by spammers and virus authors. To combat such e-mail-borne threats effectively a successful solution must address a growing number of challenges. It has to have a proactive detection technology that continues to outwit the spammers who invent new methods to propagate e-mail-borne threats.

Where the future lies

On the outset, the future of large-scale spam looks a dim one. Public outrage and the drain on bandwidth and Internet resources as a whole have forged a bond of common anger between common computer users and big businesses worldwide leading to many countries adopting stringent laws to counter spam. However, spam can never be completely stopped as long as it continues to be profitable.

Biswas asserted, “Statistics show that the problem is set to grow. Better spam filtering software is the ideal. However, it is difficult to provide a catchall solution, particularly as image spam and other interesting methods of spam mailings continue to grow. Indeed, one thing that’s guaranteed in the future of spam is that spamming techniques will grow more and more advanced—and more and more devious, too.”

As far as the future is concerned, advent of new technologies will result in new ways to send spam as long as there is money in it for the spammers. Future spam will also evolve into blended threats. Spammers have started analyzing the results of their activities and are now targeting spam and phishing for different segments of the e-mail databases that they have procured.

nivedan.prakash@expressindia.com