Nov 15 2007

New Spike in Spam

Keep PDFs and eCards from flooding your e-mail inboxes.

Spam has continued to flow through e-mail servers across the Internet and around the world. It hasn’t gone away. However, spam filtering and blocking tools are so effective the vast majority of spam never makes it to an inbox. The purveyors of spam must have been on an extended vacation, because they seemed to do little to innovate new techniques or circumvent the spam filters — until recently.

Lately there has been a resurgence of spam. Spam may not make up any more or less of the overall volume of e-mail traffic, but much more of the new type of spam is getting past blocking tools and into users’ inboxes. Recent innovations in spam delivery are outsmarting the existing spam filter technologies.

Outsmarting the Spam Blockers

Spam filters rely primarily on analyzing the text and using custom algorithms and keywords to determine whether the message is likely to be spam. But what if the spam is not text? The beginning of the new wave was image-based spam.

With image-based spam, the spam content is converted to an image that is embedded in the e-mail. The spam filters can’t analyze the text, because technically there is none, but users can still read the text in the image.

The flood of image-based spam sparked new filtering and blocking techniques by the antispam manufacturers, attempting to determine whether an e-mail with an embedded image is spam. The spammers did not sit idly by, though. There are two relatively new spam techniques that are getting past blocking utilities and plaguing users: e-card spam and PDF spam.

Greeted by Spam

E-card spam preys on the growing popularity of electronic greeting cards. The e-card spam arrives as an e-mail claiming that you’ve received an electronic greeting. The first clue that it is spam, or a fake, is that the message tends to state that it is from a specific person. Obviously, if you do not know anyone by the name alleged to have sent the e-mail, you can delete it and move on.

But many users will click the link out of sheer curiosity. What they find on the other end of the link is not the electronic greeting they had hoped for, but usually some form of malware installation. The Storm Worm has had tremendous success, due in part to the gullibility of users clicking on e-card spam.

Pump-and-Dump PDF

The other current incarnation of spam uses PDF file attachments. Even organizations that have banned most types of file attachments to guard against malware still allow PDF files because they are not executable. They may not be able to run and install malware, but they can still be more than a simple nuisance.

A lot of the PDF spam is aimed at pump-and-dump stock market schemes. Often, the PDF appears to be an analyst or market report suggesting that a company is a solid investment. According to research from antivirus vendor Sophos, the PDF may even appear to be several pages long, but reading past the first few pages will reveal meaningless gibberish.

When naïve users follow through on the “stock report” and purchase the stock, the value of the company and the stock share price go up. The spammer, who owns thousands of shares of the company, can then sell his or her stock at the artificially inflated price and turn a significant profit.

Common Sense Is King

The antispam vendors will continue to develop new methods of detecting and filtering these messages, but as quickly as they do, the spammers will most likely come up with new techniques to circumvent the filters. Ultimately, common sense is the best weapon against spam.

Users need to be educated and they need to exercise some discretion when opening file attachments or clicking links in e-mail. There is no dead West African politician who wants to share $42 million with you. Microsoft is not conducting any sweepstakes in which you have won millions, nor is it operating an e-mail test in conjunction with Disney. Somebody named Roger whom you have never met did not send you an electronic greeting card. That company you mysteriously received an errant analyst report on is not the next big thing and will not make you rich.

With just a little common sense, users can protect themselves from the vast majority of these threats. A little less curiosity and a lot more use of the delete key will go a long way toward eliminating spam as a profitable endeavor.

Fighting the Spam Epidemic

There are a few steps administrators can take to protect their networks and their users from these types of spam. First, communicate and educate users. Make sure your users are aware these messages are a threat and, more importantly, educate them not to open or execute any e-mail from unknown sources.

In addition, administrators should have some type of antispam protection in place. It may be network-based, such as a standalone appliance or an application running on the e-mail gateway, or you can deploy antispam software on individual desktops, or both. It is also important to make sure antispam tools are kept up to date so they protect against the latest emerging spam techniques.

Antispam solutions are generally only as good as the latest update, though, and may not be effective against new threats. To minimize the potential for malicious attachments to slip through spam defenses, some organizations restrict the types of files that are allowed in. It was once considered safe to accept ZIP and PDF files, but spammers have exploited that safety.

Some organizations define custom file extensions that are allowed in. For example, you can block PDF files but allow PDX files. Doing so requires the sender to rename the file with the PDX extension and the recipient to rename it back to its original extension before the file will function. Using an additional extension, such as 123.ZIP, would still require the sender to rename the file in order to get past a file extension filter, but the recipient would not need to rename it in order to use it.
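As an added illustration of the extension policy described above (example code, not from the article or any product), the following Python gateway-side check blocks .pdf and .zip attachments but passes the assumed custom suffixes .pdx and .123.zip; the message it parses is constructed inline, and the filter looks only at attachment names, so a passed .pdx file is still a PDF once the recipient renames it.

```python
# Added example, not code from the article: an attachment-name policy of the
# kind described above. Assumed policy: block .pdf and .zip, but allow the
# custom ".pdx" suffix (the recipient renames it back to .pdf) and the compound
# ".123.zip" suffix (the OS still treats it as a ZIP, so no renaming needed).
import email
from email import policy
from email.message import EmailMessage

BLOCKED = (".pdf", ".zip")
CUSTOM_ALLOW = {".pdx": "rename to .pdf before use", ".123.zip": "usable as-is"}

def attachment_verdict(filename):
    """Classify one attachment name: ('allow'|'allow-custom'|'block', reason)."""
    name = (filename or "").strip().lower()        # filters must ignore case
    # Custom suffixes go first: ".123.zip" also ends in the blocked ".zip".
    for suffix, note in CUSTOM_ALLOW.items():
        if name.endswith(suffix):
            return "allow-custom", note
    if name.endswith(BLOCKED):
        return "block", "extension on block list"
    if "." not in name:
        return "block", "missing or unnamed attachment"   # conservative default
    return "allow", "extension not on block list"

def filter_message(raw_bytes):
    """Parse a raw message and return [(filename, verdict, reason), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename(),) + attachment_verdict(p.get_filename())
            for p in msg.iter_attachments()]

def build_sample():
    """Constructed test message: one text body and four stub attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Analyst report"
    msg.set_content("See attached.")
    for name in ("report.pdf", "report.pdx", "Files.123.ZIP", "files.zip"):
        msg.add_attachment(b"stub", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for row in filter_message(build_sample()):
        print(row)
```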

Using these techniques can minimize your exposure to spam and help you stay one step ahead of the spammers.

Tony Bradley, a Microsoft MVP (Most Valuable Professional) in Windows security, is a computer security consultant with BT INS in Houston and is the author of Essential Computer Security.