Few people in the IT security world know more about
identifying and stopping spam and other unwanted email than Paul
Judge. Now the chief technology officer at Secure Computing, Judge
spent years at CipherTrust studying spammers, their motives and
tactics and thinking of ways to stay a step ahead of them. Judge
sat down with Executive Editor Dennis Fisher recently to discuss
the progress of the battle against spam and whether security
technology has reached the limits of its ability to help in the
fight.
How much of an effect are things like the Sender ID Framework and
DKIM (Domain Keys Identified Mail) having on the overall spam
problem?
Paul Judge: They're having somewhat of a positive effect I think. A
lot of the technology that we've seen up till now has been designed
to pick out the bad mails. That made sense when spam was 15% of all
mail, but now that it's 85%, it doesn't make a lot of sense to be
picking out nine out of 10 mails. Now, we can authenticate good
messages and pull them out of the mail stream and move them to
higher ground. Things like reputation systems and DKIM give us a
record of good senders so we know who sends good mail and who
doesn't. Some of the ISPs have been doing outbound authentication
for a while and it's working. Some of the bigger legitimate
companies that are using DKIM or Sender ID are saying, if you get
anything from me that fails Sender ID, please drop it. They'd
rather have messages with broken signatures dropped than have them
hurt their reputations.
But we're still seeing a lot of spoofing and phishing going
on.
Judge: Yeah, the odd thing about some of these authentication
methods, especially at the beginning, is that the spammers were
deploying authentication faster than legitimate companies were.
Some naïve implementations gave them points for that. So they were
actually able to build up good reputations for a little while. So I
think in order to continue to make a dent in the problem, we have
to change the approach. Right now, we live in a world where a lot
of companies don't take this 'fail-closed' approach that prevents
anything but approved mails from getting through. That needs to be
the focus. The spammers right now are still focused on the
technology of getting around traditional spam filters. We're seeing
a lot of image spam and even PDF spam now. We're seeing 400,000 to
450,000 new IP addresses sending out spam every day. These are
machines that were not spamming the previous day. Six months ago,
that number was 175,000. So they're clearly not having trouble
finding new recruits for their botnets. Their problem now is how to
hide the content and how to monetize it. The system isn't that
efficient right now.
Is there a way for you to raise the cost of doing business
for the spammers?
Judge: I spend a lot of time thinking about the problem from that point of
view, from the financial side of the equation. How do we make it
unprofitable for the spammers? The challenge is that for them, any
positive response rate is a profit. The cost of doing business is
so low, if they send out a million emails and get a response rate
of half a percent, that's all profit. It's not clear that there's a
direct way to introduce more cost into the equation.
What's the next step in the process then? If spam is still
making these guys a lot of money, what will slow them
down?
Judge: Prosecution does seem to have some deterrent effect. We have
some number of sort of good-guy spammers, grey spammers, who are
walking away. I got a call from a guy who is on the Spamhaus top 10
list of spammers who was looking for a job. He was getting out of
the game. And this is a guy who said he was regularly making one or
two million dollars a month. But he's seeing his friends being
arrested or sued. So the kind of spammer we're facing now is
different. This is a type of adversary who never targeted end users
before. They'd go after big financial institutions or retailers.
Now they're working with financial backers and their goal isn't
necessarily to get you to respond to a spam, it's to plant a Trojan
on your PC. So instead of setting up a phishing site and spamming
out mails to entice users to visit it, they plant a Trojan on your
machine that can do active code injection. When you go visit your
online banking site, it's still the legitimate site, but instead of
just asking for username and password, it also asks for your ATM
PIN. These are people who we haven't seen before.
One of the things that always seems to be a challenge is the
international nature of this problem. Has the cooperation among law
enforcement agencies in various countries improved at
all?
Judge: It has gotten better. There's a substantial amount more than
we saw before. The question we've all been focusing on is, what do
we do that's different than we've done before? We've been focused
on large, centralized attackers in the past. Now we have very
decentralized attackers. We're beginning to question the technology
and processes we're deploying.
Along that same line, do you think we're reaching the limits
of what technology can do to address the spam problem?
Judge: I believe there's still more we can do, technologically
speaking. We need it to do more. We're getting to the limits of
traditional filtering. But more people are protected now and the
protection is better. There are a number of these
challenge-response systems, but how do we scale that for an
enterprise or service provider? There's still a fair amount of work
left ahead of us. We're at the point where we can block 89% of spam
just with a reputation system. But we need something that can react
to the three to four new spam machines we're seeing every second.
There's a large amount of catch-up work to be done there.