Spam Control: Key Trends
A Ferris Research Webinar
September 7, 2005: 8:30am Pacific, 11:30am Eastern, 4:30pm UK, 5:30pm Central European
Slide Presentation
Follow along with us online: www.infiniteconferencing.com/join
Under "Join Conference" simply type in your Participant Code, Name, Organization, and Email address, and click the [Log In] button
Agenda
Moderator: Richi Jennings
Speakers:
- Andrew Klein, MailFrontier
- Rami Habal, Proofpoint
- Jordan Ritter, Cloudmark
Audience Q&A: hit “1” to ask questions, or send email to q@ferris.com
9:30am Pacific: wrap-up
Ferris Research
Market & technology research in messaging and collaboration
Clients:
- IT departments of organizations, e.g. Deutsche Bank, FAA, Hoffman LaRoche, HP
- Software vendors, e.g. Lotus, Microsoft, Oracle, Sun Microsystems
- Service providers, e.g. AOL, British Telecom, MSN, Yahoo
- Other: start-up vendors, tech-consultant groups, investors
Coverage
- Email: spam, archiving, viruses, privacy/encryption, boundary services, migrations and upgrades, regulations compliance
- Instant messaging: connectivity, archiving, encryption, regulations compliance
- Team workspaces and Web conferencing
- Mobile messaging
- TCO analysis and surveys
- Other: identity management, calendaring and scheduling, discussion boards, content management systems
Offerings
- Analyzer Information Service: reports, daily news, monthly webinars, Web library, call-in consulting
- White papers and short reports for vendors
- Selected reports sold individually
- Short consulting projects
- Speaking: conferences, webinars, press conferences
- New and free: daily newsletter and analyst blog
Visit http://www.ferris.com for info and signup
Webinar Logistics
- During the Q&A session, press “1” on your phone pad to be connected
- You can also email questions to q@ferris.com
- Give your first name, then concisely state your question/comment
Richi Jennings
Email Security Practice lead
richi.jennings@ferris.com
Spam spam spam spam spam
- Costs $17bn in US, $50bn worldwide
- Volume not abating
- Arms race: spammers vs. technologists
- Legislation begins to be effective
- International cooperation: the London Action Plan (19 agencies from 15 countries; recently joined by China)
- Spammers will move to other media
Anti-spam market
- Anti-spam is a major part of a $3.5bn email security industry
- Approaching saturation in initial geographies
- Substantially a replacement business
- Single-vendor email security solutions sought; contrast with the “best-of-breed” approach prevalent 12 to 24 months ago
Andrew Klein
Threat Center Manager, MailFrontier
aklein@mailfrontier.com
Email security challenges
- Dynamic threat environment: viruses, spam, zombies, phishing, DHA/DoS, blended threats, internal threats
- Stretching IT resources: point product proliferation, increased responsibilities, limited time to manage
- Budgets are tight: cost savings are key; TCO is the critical metric

Key points:
- Dynamic threat environments
- Variety of attacks
- Sophisticated attacks are combining threats
- IT resources are stretched
- Budgets are tight

Script:
Let’s talk a bit about the challenges companies are facing. The first is that they face a dynamic threat environment with a multitude of threats, including viruses, spam, phishing, DHA/DoS attacks and internal threats such as zombies and misuse of confidential or sensitive information. In addition, we are seeing new attacks that combine techniques from a variety of threats. IT is also stretched, with not enough time or resources to manage all the point products. And budgets are tight, so IT is looking at value and cost of ownership when they evaluate products.
Lifecycle of a spam email
- Thousands of email servers
- Millions of emails sent
- Hundreds of web sites
Some tricks of the trade
- Senders: Open Proxies, RBL Poisoning, Zombies, Domain Authentication
- Content: Image Only, Word Salad, Random Sentences, Optical Illusions, HTML Tricks, White on White Text, Scrabble Spam, Tiny Text, Table Spam, Friendly Words
- Links/Sites: URL Masking, Open Redirects, Domain Rotation, Good Domain Deflection
The Content Problem
- There are 1,300,925,111,156,286,160,896 ways to spell \/¡ạģŗǻ (per www.cockeyed.com)
- Spammers are constantly mutating their attacks
- You can’t write enough rules quickly enough to keep up with the problem
- Prior knowledge can’t defend against new attacks
- You need a system that goes beyond rules and scoring methods
The optical illusion effect
What you think you see vs. what’s actually there:
- VIAGRA is actually \/!ÄGRÂ
- PROZAC is actually PRÓZÄÇ
- CIALIS is actually Ç!ÄLÌŠ
A simple HTML trick
What you see: Take control of your troubles
What the spam filter sees: <B>Ta<!V>k<!O>e<!U>Cont<!V>r<!K>ol of<!Z>Y<!T>ou<!R>r t<!F>r<!Z>oub<!F>les!</B>

Script:
Here’s what this spam e-mail looks like under the hood, if you actually look at the HTML code. Spammers have all sorts of tricks. This is a very common one: inserting comments between valid letters. The comments don’t display on the screen, but they throw off the spam filter because it doesn’t recognize the bad words. There are 218,000 spam patterns that we have identified. This is just one of them. We look for patterns.
Scrabble spam
- Scramble the middle letters
- Make the first and last letters correct
- Reader still recognizes the words
Examples: Crteae = Create, mroe = more, fuutre = future, domlipa = diploma, ppsorerous = prosperous, tesetd = tested
Word salad
The use of “good” words to trick the filter into thinking the message is legitimate
Tiny text
- Tiny text between the words
- Easy for a person to read the “real” message
- Hard for the filter to decipher
Person sees: GainsapllgbInchesazjjnjbfsPatchuoodgsd
Filter sees: GainSAPLLGBInchesAZJJNJBFSPatchUOQDGSDN
Tiny text II
- Tiny text at the end of the message
- Word salad or random sentences of tiny text
- Hard for the filter to decipher
Person sees: Tom Sawyer and Huckleberry the war or 1812 every Friday is payday in the book christine was a shy women or 35 easter is in april this year
Filter sees: Tom Sawyer and Huckleberry the war of 1812 every Friday is payday in the book Christine was a shy women of 35 easter is in April this year
White on White text
- Text that is the same color as the background
- Adds good words and sentences to the email
- These words are not usually visible to the person
(Click and drag in the text of the message to see the hidden text.)
Person sees: Looking for a new mortgage? How about 2.5% fixed for 30 years. Unbelievable? Click here to find out more.
Filter sees: Jim and his dog went to town there off in the distance was Looking for a new mortgage? How about 2.5% fixed for 30 years. Unbelievable? Click here to find out more. May is the best time to be in Washington
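The HTML-comment, tiny-text and white-on-white slides above all rely on the filter and the reader seeing different text. The added example below (not MailFrontier code) normalizes a constructed message modelled on those slides into the view the reader perceives, so trigger words can be matched on the rendered text and the amount of hidden padding can be used as an obfuscation signal; the sample markup, regexes and trigger list are assumptions.

```python
import re

# Constructed sample (assumed markup, modelled on the slides): comment-split words,
# a white-on-white sentence of "good" words, and tiny text jammed between real words.
SAMPLE_HTML = (
    '<B>Ta<!V>ke Con<!K>trol of<!Z> Y<!T>our trou<!F>bles!</B> '
    '<span style="color:#FFFFFF">Jim and his dog went to town</span> '
    'Gain<font size="1">sapllgb</font>Inches'
)

# Real comments and the "bogus" <!V> form, which browsers also treat as comments.
COMMENT_RE = re.compile(r'<!(?:--.*?--|[^>]*)>', re.S)
# Elements a reader will not perceive: white text or a near-zero font size.
HIDDEN_RE = re.compile(
    r'<(\w+)[^>]*\b(?:color\s*:\s*(?:#f{3,6}|white)|font-size\s*:\s*[0-2]px)[^>]*>.*?</\1>',
    re.I | re.S)
TINY_FONT_RE = re.compile(r'<font[^>]*\bsize\s*=\s*"?1"?(?=[\s>/])[^>]*>.*?</font>', re.I | re.S)
TAG_RE = re.compile(r'<[^>]+>')

def raw_tokens(html):
    """What a filter that tokenizes the raw bytes sees: 'troubles' never appears."""
    return re.findall(r'[A-Za-z]+', html)

def hidden_text(html):
    """Padding the reader never sees but a naive filter is fed (word salad, tiny text)."""
    pieces = [m.group(0) for m in HIDDEN_RE.finditer(html)]
    pieces += [m.group(0) for m in TINY_FONT_RE.finditer(html)]
    return ' '.join(' '.join(TAG_RE.sub(' ', p).split()) for p in pieces)

def rendered_text(html):
    """Approximate what the reader perceives: drop comments, hidden and tiny text, then tags."""
    text = COMMENT_RE.sub('', html)
    text = HIDDEN_RE.sub(' ', text)
    text = TINY_FONT_RE.sub(' ', text)
    text = TAG_RE.sub(' ', text)
    return ' '.join(text.split())

def score(html, triggers=('troubles', 'inches')):
    """Match trigger words on the rendered view and report how much padding was hidden."""
    rendered = rendered_text(html)
    hits = [w for w in triggers if re.search(r'\b%s\b' % w, rendered, re.I)]
    return {'rendered': rendered, 'trigger_hits': hits, 'hidden_chars': len(hidden_text(html))}
```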
Email threat blocking
- Senders: Authentication, Reputation, RBLs, Filtering
- Content: Bayesian Filtering, Lexicographical Distancing, Divergence Detection
- Links/Sites: Contact Points, URL Tricks, Link RBLs
Underpinned by World-Wide Community Input, Constant Monitoring and Research
Rami Habal
Senior Product Manager, Proofpoint
rhabal@proofpoint.com
Key spam trends
- Spam evolution: spammers follow anti-spam development; the best techniques survive, weak ones die
- Stealth attacks: spam comes from different source IP addresses
- Threat convergence: combinations of different attack vectors
Spammer objective: evade signatures, keyword filters and RBLs/reputation services in order to make money through identity theft and other means
Recent spam techniques to avoid detection
- Hashbusting text: confuses the filter
- Image spam: no words; OCR is hard
- ASCII art: no trigger words
- Probe emails: blank emails
- Roundabout language: no trigger words
- Clever rendering: no trigger words
- Phish/pharm messages: look legitimate
Brand + Image + Tracking URL + Hashbusting
- All the text is put in an image, with tracking info in the URL
- The only “real” text is hashbusting text at the bottom of the email, used to trick filters
“Spam-Spam”
Example of spam selling spamming services: “Spamming servers available. Hijacked IPs allow you to stay ahead of DNS Block Lists. Yours for $600/month. We are spammers.”
Some phish attacks explicitly ask for money
Mercy Corps phish:
- Rode the coat tails of the 2004 tsunami tragedy
- 800,000 emails sent
- Victimized a known charity’s brand
- Linked to a PayPal account
- Valid logo; the call to action …takes you to PayPal
Caught!
- Unemployed painter from Pittsburgh looking to pay for debt and car repairs
- PayPal account collected $150 in “donations”
- Charged with fraud on $25K bail
Consumer brands and public consciousness: not just banks & eBay
Spam technology evolution (sophistication increasing over time)
- 1st generation technologies: signatures; RBLs. Result: low FPs, low effectiveness
- 2nd generation technologies: heuristics; Bayesian; cocktail of 1st and 2nd generation. Result: high FPs, high administration
- 3rd generation technologies: machine learning, logistic regression, support vector machines; predictive. Result: high effectiveness, low FPs, low administration
Technology requirements
- Gateway-based solution: saves cost by reducing bandwidth and mail server load
- Predictive power: no need to see the email, sender or specific words beforehand
- As sophisticated as the attacks: examines a high volume of attributes, in combination
Technology requirements (continued)
- Comprehensive security model: stops blended threats along various vectors
- Automated protection and updates: no need for the administrator to be a spam expert, even as techniques evolve
- Confident scoring: no need for manual review of results because of false positives/negatives
The spam road ahead
- Threat sophistication and emerging attacks: personalized phish attacks leveraging all brands, including your IT department; targeting blacklists; blending new attacks
- Collaboration: more organization among spammers and fraudsters
Jordan Ritter
Founder and CTO, Cloudmark
jordan@cloudmark.com
The phishing problem
Phishing is different from spam. Characteristics of phishing: targeted, transient, dynamic, sophisticated, costly.
Phishing vs. spam:
- Criminals vs. marketers
- Exploit trust relationships vs. increase product awareness
- Difficult vs. easy to identify
- Theft vs. annoyance
- Lost money vs. lost time
- Old industry vs. relatively new
The only similarity is the use of email.

Script:
- Targeted: attack small, specific groups based on harvested data
- Transient: attacks are time-sensitive and short-lived (a few hours to a few days)
- Dynamic: phishing sites move across many compromised hosts
- Sophisticated: coordinated and organized; an increasingly sophisticated micro-economy has emerged
- Costly: Ferris Research stat to be used
Scamming the scammers
Covert channels: all data collected by Cloudmark research staff, led by Chris Abad, as featured in the Wall Street Journal. Data originates from detailed analysis of email messages seen by Cloudmark systems, as well as analysis of Internet Relay Chat (IRC) channel communication and browsing behavior.
- Higher volumes
- More channels
- Education channels
- Links to other fraud types
Phishing trends
6 months ago:
- Reusable content
- Zombies & botnets employed for attack dispersal & harvesting
- URL spoofing prevalent
- Ecommerce vendors; existing online trust relationships; limited checks in place
- “Cashing” via forged, unencrypted ATM cards
Today:
- More sophisticated and targeted communication, exploiting basic trust
- Subvert networks, computers, phones; evolving towards true hacking/cracking
- Problem shifting: attackers regroup as systems harden; external to internal
- Multi-level value extraction & indirect attacks: investments (penny stock spoofing), SVA accounts
- Direct cyclical attacks; reusable templates
- Current targets: smaller banks, ISPs, credit cards and security programs; more common, typical trust relationships
Future:
- New attacks
- Pharming
- Electronic identity theft is only beginning
Effective solutions
- Reputation-based: modeled as a social solution to a social problem; real global, consensus-based reputation vs. vendor-specific
- Fully automated: phishers are sophisticated; manual intervention will ultimately fail to keep up with phishers
- Self-organizing: dynamically respond to a rapidly evolving model of good/bad
- Self-correcting: technology must be capable of adjusting for mistakes automatically
- True real-time: like AV, minimizing response time from attack to block is key
In short: end-to-end automated, true real-time, objective, dynamic, self-correcting
Alternative approach
Traditional approach: new spam/phishing attack?? Analysis of the new threat, write new rules, deploy new rules/lists (honeypots)
- Partly automated / manual
- Hours/days delay before protection
- Outdated data
Alternative approach: new spam/phishing is blocked using user reputation, content reputation and URL reputation, with feedback from users
- End-to-end automation
- Near-zero-hour response
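An added illustration (not Cloudmark’s implementation) of the reputation loop the slide describes: user reports on a message’s contact-point URLs are weighted by each reporter’s own reputation, a consensus threshold blocks the attack, and later verdicts feed back into reporter trust so the system self-corrects. The class, method names, threshold and trust adjustments are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)

def contact_points(body):
    """Hosts the reader is asked to visit: the part of a message hashbusting cannot disguise."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    return sorted(h for h in hosts if h)

class ReputationFilter:
    """Consensus of user reports on URL hosts, weighted by each reporter's own reputation."""

    def __init__(self, block_threshold=2.0):     # threshold is an assumed tuning value
        self.trust = defaultdict(lambda: 1.0)   # user reputation; everyone starts neutral
        self.votes = defaultdict(dict)          # host -> {user: +1 "spam" / -1 "legitimate"}
        self.threshold = block_threshold

    def report(self, user, body, is_spam=True):
        """Feedback from users: one vote per user per host (a re-report just overwrites)."""
        for host in contact_points(body):
            self.votes[host][user] = 1 if is_spam else -1

    def reputation(self, host):
        """Trust-weighted consensus; positive means the community calls it spam."""
        return sum(self.trust[u] * v for u, v in self.votes[host].items())

    def is_blocked(self, body):
        """Block as soon as any host in the message crosses the consensus threshold."""
        return any(self.reputation(h) >= self.threshold for h in contact_points(body))

    def correct(self, host, truly_spam):
        """Self-correction: users whose vote matched the final verdict gain trust, others lose it."""
        wanted = 1 if truly_spam else -1
        for user, vote in self.votes[host].items():
            if vote == wanted:
                self.trust[user] = min(5.0, self.trust[user] * 1.5)
            else:
                self.trust[user] = max(0.1, self.trust[user] * 0.5)
```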
Q&A
- Hit “1” on your phone pad to ask a question or make a comment
- Or email your question/comment to q@ferris.com
- Give your first name, then concisely state your question/comment
Wrap-Up
- Evaluations
- Next webinar: September 14, 8:30am PST, “Mobile Messaging Devices: Key Trends”
- Register at www.ferris.com
Speaker Biography
Andrew Klein manages the MailFrontier Threat Center, where he wades through the daily deluge of spam, virus, and phishing emails to discover, categorize, and stop the latest malicious tricks and trends. His 20-plus years of software development and product management experience with Baan, PeopleSoft, the US Government, and others are aimed squarely at eradicating the scourge of junk email from corporate inboxes everywhere. Klein is a regular industry speaker on trends in spam and phishing, having presented at RSA, the MIT Spam Conference, and the Commonwealth Club as well as other venues. Klein holds a BS in Information Systems Management from the University of Maryland, and an MBA from San Jose State University.
Speaker Biography
Rami Habal is Senior Product Manager at Proofpoint, where he is responsible for Proofpoint’s flagship messaging security solution, the Proofpoint Protection Server, and works closely with the Proofpoint Anti-Spam Research Lab. Prior to Proofpoint, Rami worked at Mohr Davidow Ventures, Cisco, Hughes Electronics, and several startups. He holds a BSEE from UVa. He also holds master’s degrees in Business and Public Administration from MIT and Harvard, respectively.
Speaker Biography
Jordan Ritter’s expertise within a diverse range of disciplines and architectures has helped create some of the Internet’s most popular software. Previously Jordan co-founded Napster, Inc., developing their ground-breaking P2P technologies alongside Shawn Fanning before the company was funded in August 1999. As Chief Server Architect, he led the development and management of the server back-end software and infrastructure to support 50 million users worldwide in less than a year. Jordan is a frequent contributor to the Open-Source Community, having authored free software commonly included in modern Linux distributions as well as Windows software currently licensed by Microsoft.