Dec 07 2011

Anatomy of a Spam Attack

Avoid these scams by exploring the sender’s motivation and technique.

“High-quality pharmaceuticals direct to you from our Canadian pharmacy. No prescription required, discreet and confidential. Viagra, Levitra, and more direct to your home.”

“Greetings. I represent the recently exiled Prince Matubi of Nigeria. The prince wishes to transfer a large sum of money to relatives in the United States.”

We’ve all received these messages and think the same thing when we receive them: Nobody falls for these things, right? Unfortunately, that wishful thinking is incorrect — people fall for these scams every day. The simple fact is that if the economics of sending unsolicited commercial e-mail, or spam, didn’t work out, the spammers would simply cease to exist.

The spam messages that appear in your inbox are merely the tip of a large iceberg that makes up the underground economy and shadow Internet of spam senders and the merchants who rely upon them. But you can protect yourself and your company against spam if you know how spam attacks work behind the scenes.

The Origins of Spam

The obvious question to start an exploration of the world of unsolicited commercial e-mail is “Where does spam come from?” The very simple answer to that question is “from an e-mail server.” Every spam message begins its life in the same manner as the legitimate e-mail that you receive every day — as a text message on an e-mail server connected to the Internet. That server then forwards the message, perhaps through a series of intermediary servers, to the e-mail provider that hosts your account and places it in your inbox.

Of course, legitimate e-mail providers don’t want anything to do with spam for two main reasons. First, they are the victims of spam in the first place. The more spam that crosses the Internet, the more spam they need to filter out of their inbound mail stream. Second, a provider that gains a reputation for sending spam messages will quickly find its e-mail server on a blacklist, unable to send mail to any legitimate servers.

In the early days of spam, marketers seeking to send unsolicited messages exploited legitimate e-mail servers that were inadvertently misconfigured to pass along any message they received, without verifying that the sender or receiver had an account on the system. These systems, known as “open relays,” became pretty much a thing of the past, as security professionals moved to close the holes in their e-mail servers and the antispam industry developed blacklists to block messages from known open relays.

Today, spammers have shifted to a new attack method: the use of armies of virus-infected computers known as botnets. These computers, sitting on desks and kitchen counters around the country, become infected by malicious software when users browse to infected sites or unintentionally install dangerous software on them. Once infected, they become part of a large botnet consisting of thousands of computers around the world. These botnets are rented out to spammers, hackers and other miscreants who use them to engage in illegal or unethical activities that are shunned on the mainstream Internet. The most prevalent use of botnets is the sending of spam e-mail messages through the legitimate e-mail accounts configured on the computers by their owners.

Infrastructure Behind a Click

Once a spam message arrives in the target’s inbox, the work of the spammer has just begun. The spammer now has to provide the infrastructure needed to offer the user a web page, take their order and collect payment.

First, the web link in the message must be valid. This requires the Domain Name System (DNS) to convert the domain name in the URL to the IP address of the web server hosting the content. While legitimate DNS providers normally reject applications from sites known to support spam, there is an entire industry offering so-called “bulletproof DNS” that is designed to support spam campaigns.

Once the domain name is resolved, the resulting IP address must be that of a web server offering up the spammer’s pitch. Again, legitimate web hosts normally refuse to host spam-advertised websites, but there is a shadow industry of unsavory providers who have no such qualms.

If a victim actually places an order for a product, he or she provides a credit card number that must make its way onto the legitimate financial network so that the spammer can collect the funds. While mainstream banks take care to verify the legitimacy of merchants requesting new accounts, it only takes a few bad actors to fund the underground economy. Kirill Levchenko of the University of California, San Diego, along with several colleagues, conducted research that suggested a single acquiring bank, Azerigazbank, might be responsible for payment fulfillment for up to 60 percent of the spam sent.

How Often Is Spam Successful?

In a study of one spam attack, Chris Kanich of the University of California, San Diego and his colleagues at the University of California, Berkeley estimated that of the 347 million messages sent, 82 million were successfully delivered. Only a tiny fraction of those messages (10,522) resulted in the user clicking on a website, and ultimately there were 28 products sold. That success rate of 0.000008% is incredibly low — literally less than one in a million — but the economics of spam are such that it still might have been profitable.

Preventing Spam Attacks

The most important tool you can employ to protect your users from becoming victims of spam attacks is education. Despite the fact that spam attacks succeed very infrequently, it takes only a few gullible victims to fund the millions of unsolicited messages that plague us every day. Make sure your users are informed enough not to click on the links found in suspicious messages.

You also should make use of modern spam filtering technology to protect your organization. In addition to blocking messages from known spam senders and filtering inbound e-mail for content that resembles known spam attacks, you might also wish to use web content filters to prevent users from accidentally browsing to the web servers used by spam marketers. Waging the war against spam requires patience, but the tools are readily available.
