Few people in the IT security world know more about identifying and stopping spam and other unwanted email than Paul Judge. Now the chief technology officer at Secure Computing, Judge spent years at CipherTrust studying spammers, their motives and tactics and thinking of ways to stay a step ahead of them. Judge sat down with Executive Editor Dennis Fisher recently to discuss the progress of the battle against spam and whether security technology has reached the limits of its ability to help in the fight.
Paul Judge: They're having somewhat of a positive effect I think. A lot of the technology that we've seen up till now has been designed to pick out the bad mails. That made sense when spam was 15% of all mail, but now that it's 85%, it doesn't make a lot of sense to be picking out nine out of 10 mails. Now, we can authenticate good messages and pull them out of the mail stream and move them to higher ground. Things like reputation systems and DKIM give us a record of good senders so we know who sends good mail and who doesn't. Some of the ISPs have been doing outbound authentication for a while and it's working. Some of the bigger legitimate companies that are using DKIM or Sender ID are saying, if you get anything from me that fails Sender ID, please drop it. They'd rather have messages with broken signatures dropped than have them hurt their reputations.
But we're still seeing a lot of spoofing and phishing going on.
Judge: Yeah, the odd thing about some of these authentication methods, especially at the beginning, is that the spammers were deploying authentication faster than legitimate companies were. Some naïve implementations gave them points for that. So they were actually able to build up good reputations for a little while. So I think in order to continue to make a dent in the problem, we have to change the approach. Right now, we live in a world where a lot of companies don't take this 'fail-closed' approach that prevents anything but approved mails from getting through. That needs to be the focus. The spammers right now are still focused on the technology of getting around traditional spam filters. We're seeing a lot of image spam and even PDF spam now. We're seeing 400,000 to 450,000 new IP addresses sending out spam every day. These are machines that were not spamming the previous day. Six months ago, that number was 175,000. So they're clearly not having trouble finding new recruits for their botnets. Their problem now is how to hide the content and how to monetize it. The system isn't that efficient right now.
Is there a way for you to raise the cost of doing business for the spammers?
What's the next step in the process then? If spam is still making these guys a lot of money, what will slow them down?
Judge: Prosecution does seem to have some deterrent effect. We have some number of sort of good-guy spammers, grey spammers, who are walking away. I got a call from a guy who is on the Spamhaus top 10 list of spammers who was looking for a job. He was getting out of the game. And this is a guy who said he was regularly making one or two million dollars a month. But he's seeing his friends being arrested or sued. So the kind of spammer we're facing now is different. This is a type of adversary who never targeted end users before. They'd go after big financial institutions or retailers. Now they're working with financial backers and their goal isn't necessarily to get you to respond to a spam, it's to plant a Trojan on your PC. So instead of setting up a phishing site and spamming out mails to entice users to visit it, they plant a Trojan on your machine that can do active code injection. When you go visit your online banking site, it's still the legitimate site, but instead of just asking for username and password, it also asks for your ATM PIN. These are people who we haven't seen before.
One of the things that always seems to be a challenge is the international nature of this problem. Has the cooperation among law enforcement agencies in various countries improved at all?
Judge: It has gotten better. There's substantially more than we saw before. The question we've all been focusing on is, what do we do that's different than we've done before? We've been focused on large, centralized attackers in the past. Now we have very decentralized attackers. We're beginning to question the technology and processes we're deploying.
Along that same line, do you think we're reaching the limits of what technology can do to address the spam problem?
Judge: I believe there's still more we can do, technologically speaking. We need it to do more. We're getting to the limits of traditional filtering. But more people are protected now and the protection is better. There are a number of these challenge-response systems, but how do we scale that for an enterprise or service provider? There's still a fair amount of work left ahead of us. We're at the point where we can block 89% of spam just with a reputation system. But we need something that can react to the three to four new spam machines we're seeing every second. There's a large amount of catch-up work to be done there.
This was first published in May 2007