Source-based filtering is overtaking content-based filtering as the main way to block spam. The trend is only likely to continue as companies adopt sender authentication technologies and participate in reputation services.
Postini Inc.’s worldwide director of products, Andrew Lochart, said that spammers are always figuring out new ways to get around content filters, but hiding their source IP and its behavior is a lot harder for them to do.
“Spammers are just taking the content out of the messages,” said Lochart. “There’s so little data in them that a content analysis filter might say it’s spam with 60% certainty rather than 90% certainty. There’s just not enough data to work with.”
Increasingly popular tricks include removing all the plaintext and HTML in favor of a GIF or JPEG image. When there is text, it looks more and more like legitimate email. URLs are in some cases being replaced by phone numbers, Lochart said.
The alternative to content filtering is to calculate the likelihood that a message is spam from where it comes from: the sending domain, the URLs it contains or the source IP address of the connection. Symantec’s Brightmail, for example, says it catches 70% of spam just by looking at the URLs in the message body.
Meanwhile, Microsoft Corp. and others are pushing the new Sender ID specification as a way for receiving mail servers to verify that the IP address of the server that last forwarded a message is one that the domain the message claims to come from has published in DNS as authorized to send its mail.
“The problem is that Microsoft and others are talking about it like it’s some kind of panacea,” Lochart said. Sender ID does have several limitations, the most obvious of which is the restriction it places on mobile users, who often send mail through whatever SMTP server the local network provides rather than through their own domain’s authorized servers, and whose legitimate mail therefore fails the check just as a spoofer’s would.
Sender ID may be a good way to stop domain spoofing. Postini will support it this year, but says IP addresses are a more solid way to identify senders. Unlike the domain names in a message’s headers and envelope, the source IP address of an SMTP connection cannot be spoofed: SMTP runs over TCP, so the sending host has to complete the handshake and receive the server’s replies at that address.
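How a check in the Sender ID/SPF family works in practice, as an added example that is not code from the article, Postini or Microsoft: a simplified evaluator that tests the connecting IP address against the policy the claimed domain has published in DNS. The `DNS_TXT` table is a constructed stand-in for real DNS TXT lookups, the domains are reserved example names, the policies are assumptions, and only the `ip4`, `include` and `all` mechanisms are implemented; Sender ID’s selection of the purported responsible address from the message headers is not shown. The `10.20.30.40` case is the mobile-user limitation from above: a legitimate user sending from a hotel network address the domain never listed gets the same `fail` as a spoofer.

```python
import ipaddress

# Constructed stand-in for the DNS TXT records a real evaluator would fetch.
# Domains are reserved example names; the policies are assumptions for this example.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/28 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # misconfigured: includes itself
}

MAX_LOOKUPS = 10  # cap on DNS-querying mechanisms, as in the SPF/Sender ID specs

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_policy(domain):
    """Return the published policy text for a domain, or None if it has none."""
    return DNS_TXT.get(domain.lower())


def check_sender(client_ip, domain, _counter=None):
    """Evaluate the connecting IP against the policy published by `domain`.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Simplified: only the ip4, include and all mechanisms are implemented.
    """
    counter = _counter if _counter is not None else {"lookups": 0}
    policy = lookup_policy(domain)
    if policy is None:
        return "none"  # domain publishes no policy; the receiver learns nothing
    terms = policy.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]  # catch-all decides the result
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            counter["lookups"] += 1
            if counter["lookups"] > MAX_LOOKUPS:
                return "permerror"  # lookup limit defends against loops and amplification
            inner = check_sender(client_ip, arg, counter)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not supported by this simplified evaluator
    return "neutral"  # policy exhausted without a match and without an 'all' term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "example.com"),      # listed directly
                       ("198.51.100.11", "example.com"),   # listed via include
                       ("203.0.113.77", "example.com"),    # spoofer
                       ("10.20.30.40", "example.com"),     # roaming user on a hotel network
                       ("203.0.113.200", "softfail.example"),
                       ("192.0.2.1", "loop.example")]:
        print(f"{ip:>15} claiming {domain:<18} -> {check_sender(ip, domain)}")
```

The loop domain shows why the lookup cap matters: without it, a self-including record would recurse until the evaluator ran out of stack, and a receiver that resolves records on every connection would be doing an attacker’s DNS amplification for free.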
Postini says it receives 401 million SMTP connection attempts per day, and that it blocks 53% of them at the connection stage, before any message is transmitted, based on the source. Of the connections it allows, content filters identify 38% of the messages as spam.
The company also says this data shows that spammers are using botnets of compromised PCs not only to send spam, but also to conduct the directory harvest attacks (DHAs) they use to populate their mailing lists.
A DHA is a way of finding out which addresses at a domain are valid by asking the target’s own mail server. No messages need to be sent: the attacker opens an SMTP session and issues RCPT TO (or VRFY) commands for guessed addresses, and the server’s reply, acceptance for a real mailbox and a “user unknown” rejection for a non-existent one, tells the spammer whether each address exists.
According to Postini, its customers in April were hit by an average of 189 DHAs a day, up from 103 a day six months earlier. But the number of individual lookups per attack declined from 286 to 213 over the same period.
Lochart said this shows that spammers are trying to stay under the radar by reducing the impact of their attacks. At the same time, a single attack will originate from hundreds of IP addresses simultaneously, indicating a botnet is in play.
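The lookup-based harvest and the botnet signature described above, as an added example that is not Postini’s code: a detector that reads SMTP transaction logs, profiles each connecting IP by how many recipients it probed and how often it was told “user unknown”, and then looks for target domains probed by several such IPs at once. The log format and the sample lines are constructed for this example, and in them a 550 reply always means the recipient does not exist; a real server needs the reply text or a dedicated log field to make that distinction. The thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMTP transaction log (not real server output). Assumed format:
#   <ISO time> <client ip> RCPT <recipient> <reply code>
# In this sample a 550 reply always means "user unknown".
SAMPLE_LOG = """\
2005-05-10T09:00:00 203.0.113.5 RCPT alice@example.com 250
2005-05-10T09:00:01 203.0.113.5 RCPT bob@example.com 250
2005-05-10T09:00:02 203.0.113.5 RCPT carol@example.com 250
2005-05-10T09:00:03 203.0.113.5 RCPT dvae@example.com 550
2005-05-10T09:00:04 203.0.113.5 RCPT dave@example.com 250
2005-05-10T09:00:05 198.51.100.20 RCPT aaron@example.com 550
2005-05-10T09:00:05 198.51.100.20 RCPT abby@example.com 550
2005-05-10T09:00:06 198.51.100.20 RCPT adam@example.com 550
2005-05-10T09:00:06 198.51.100.20 RCPT alice@example.com 250
2005-05-10T09:00:07 198.51.100.20 RCPT amy@example.com 550
2005-05-10T09:00:05 198.51.100.21 RCPT barb@example.com 550
2005-05-10T09:00:05 198.51.100.21 RCPT ben@example.com 550
2005-05-10T09:00:06 198.51.100.21 RCPT bob@example.com 250
2005-05-10T09:00:06 198.51.100.21 RCPT brad@example.com 550
2005-05-10T09:00:07 198.51.100.21 RCPT bruce@example.com 550
2005-05-10T09:00:05 198.51.100.22 RCPT cal@example.com 550
2005-05-10T09:00:05 198.51.100.22 RCPT carl@example.com 550
2005-05-10T09:00:06 198.51.100.22 RCPT carol@example.com 250
2005-05-10T09:00:06 198.51.100.22 RCPT chad@example.com 550
2005-05-10T09:00:07 198.51.100.22 RCPT chris@example.com 550
2005-05-10T09:00:20 192.0.2.9 RCPT aaron@example.org 550
2005-05-10T09:00:21 192.0.2.9 RCPT abby@example.org 550
2005-05-10T09:00:22 192.0.2.9 RCPT adam@example.org 550
2005-05-10T09:00:23 192.0.2.9 RCPT alice@example.org 550
2005-05-10T09:00:24 192.0.2.9 RCPT amy@example.org 550
"""

UNKNOWN_USER = 550


def parse_log(text):
    """Parse log lines into (time, client_ip, recipient_domain, reply_code) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _verb, rcpt, code = line.split()
        domain = rcpt.rpartition("@")[2].lower()
        events.append((datetime.fromisoformat(ts), ip, domain, int(code)))
    return events


def source_profiles(events, window=timedelta(minutes=5)):
    """Busiest sliding window per client IP: {ip: (lookups, unknown_user_rejections)}."""
    by_src = defaultdict(list)
    for ts, ip, _domain, code in events:
        by_src[ip].append((ts, code))
    profiles = {}
    for ip, evs in by_src.items():
        evs.sort()
        best, start, unknown = (0, 0), 0, 0
        for end, (ts, code) in enumerate(evs):
            if code == UNKNOWN_USER:
                unknown += 1
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                if evs[start][1] == UNKNOWN_USER:
                    unknown -= 1
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, unknown)
        profiles[ip] = best
    return profiles


def flag_harvesters(profiles, min_lookups=5, min_unknown_ratio=0.8):
    """IPs that probed many recipients and were mostly told 'user unknown'."""
    return {ip for ip, (n, u) in profiles.items()
            if n >= min_lookups and u / n >= min_unknown_ratio}


def distributed_attacks(events, harvesters, min_sources=3):
    """Target domains probed by several harvesting IPs in the log span: the botnet signature.

    Returns {domain: (distinct_sources, total_lookups)} for domains over the threshold.
    """
    sources, lookups = defaultdict(set), defaultdict(int)
    for _ts, ip, domain, _code in events:
        if ip in harvesters:
            sources[domain].add(ip)
            lookups[domain] += 1
    return {d: (len(s), lookups[d]) for d, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bots = flag_harvesters(source_profiles(evs))
    print("harvesting sources:", sorted(bots))
    print("distributed attacks:", distributed_attacks(evs, bots))
```

The legitimate relay (`203.0.113.5`) sends one typo to a bad address and is left alone, while each bot keeps its own lookups small, as the declining per-attack counts above suggest, and only the per-domain grouping reveals that three sources are working through the same alphabetised list. The single probe of `example.org` stays below `min_sources` and is reported only as an individual harvester, which is the tuning trade-off: lower the per-source threshold and quiet bots are caught sooner, but mistyped addresses from real correspondents start to look like attacks.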