• No results found

INSIDE. Filtering Technologies in Symantec Brightmail AntiSpam 6.0

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "INSIDE. Filtering Technologies in Symantec Brightmail AntiSpam 6.0"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

Filtering Technologies in

Symantec Brightmail AntiSpam™ 6.0

INSIDE

INSIDE

Executive summary

The state of spam

Evaluation criteria for an

antispam solution

The Symantec solution

Conclusion

(2)

Table of Contents

Executive summary . . . .1

The state of spam . . . .2

Definition of spam . . . .2

The lifecycle and evolution of spam . . . .3

Spammers’ tactics: spam creation and dissemination . . . .4

Evaluation criteria for an antispam solution . . . .7

Effectiveness . . . .7

Accuracy: avoiding false positives at all costs . . . .8

Proactivity and responsiveness . . . .8

Minimal administration . . . .9

The Symantec solution . . . .10

The BLOC™: spam analysis and operations . . . .10

Multilayered filtering technology . . . .11

Filter delivery and engine updates . . . .16

(3)

Executive summary

Aside from making money, a spammer’s chief obsession is evading antispam filters. The cat-and-mouse game between spammers and antispam vendors has continued for over a decade. The first generations of spam were ASCII-based and somewhat random—easily handled by homegrown approaches and static keyword filters. But that game has evolved. The latest generation of spam incorporates sophisticated tactics such as extreme randomisation, origin concealment, and filter evasion using HTML. Spammers continue to raise the stakes by devising ways to escape filtering and new ways to profit from their actions. This technology brief describes how Symantec’s research and development groups continually adapt filtering techniques to challenge spammers and screen out their spam attacks.

Symantec’s highly adaptive antispam arsenal includes a collection of powerful proactive and responsive filtering technologies backed by a comprehensive spam analysis infrastructure. Together, these elements fortify your organisation with robust antispam protection while providing the industry’s best available accuracy rate (99.9999%).1

This paper covers the following:

• The state of spam. A quick look at the preferred weapons of spammers, including filter evasion and dissemination tactics.

• Essential features of an antispam solution. An overview of the guidelines to consider when evaluating enterprise-calibre antispam products.

• The Symantec solution. A summary of the antispam filtering technologies, infrastructure, and resources Symantec utilises. The topics include Symantec’s comprehensive proactive and responsive filter technologies, its unique spam analysis features, and its 24x7 operations centres.

Symantec Brightmail AntiSpam 6.0™ is the antispam offering using technology from Brightmail, which has focused exclusively on the antispam market for over six years. Symantec Brightmail AntiSpam soft-ware protects over 2,500 of the world’s leading enterprises, including Avaya, eBay, Bechtel, Booz Allen Hamilton, Cypress Semiconductor, Deutsche Bank, Lucent Technologies, and Terra Lycos. As the most-deployed commercial antispam solution, Symantec Brightmail AntiSpam now protects more than 300 million mailboxes worldwide, including over 5 million enterprise seats. These customers count on Symantec for its expertise in spam filtering, its logical and flexible approach to fighting spam at the customer site, and its ongoing commitment to countering spammers’ tactics.

WHAT’S NEW IN VERSION 6.0

Symantec has augmented the award-winning work in previous releases of Brightmail AntiSpam. Here are some of the filtering engine features that have been added or enhanced in this version:

• Integrated Brightmail Reputation Service™. The Brightmail Reputation Service measures an email sender’s reputation for sending legitimate email versus spam.

• Advanced technologies to combat non–English language spam. With new language identification abilities and user tools, Symantec has fortified its defenses against non-English spam.

• Next-generation URL and signature technologies. Symantec’s unique URL filters have been updated to keep pace with new attempts to evade filtering. Among other enhancements, URL filters now examine embedded email links. Attachment signatures are Symantec’s answer to objectionable or dangerous MIME attachments.

1“Anti-Spam Services for SMBs and Middle-Market End-Users,” February 25, 2003 Research Note by J.P. Gownder of the Yankee Group

(4)

The state of spam

This section covers the following: • Definition of spam

• The lifecycle and evolution of spam • Spammers’ tactics

Definition of spam

The average person, when asked to define spam, might respond by citing specific types of offensive or fraudulent email solicitations—the relentless stream of Viagra ads or the creatively punctuated Nigerian scam emails. Others might include chain letters or newsletters in which they have long since lost interest. Still others consider any sort of advertisement from any source, legitimate or not, to be spam. Indeed, for such a subjective mode of communication, an authoritative per-recipient definition can be elusive. However, it remains imperative to distinguish spam sent by malicious spammers from legitimate mail.

Symantec uses the guidelines outlined in Figure 1 to distinguish spam from legitimate email communication.

Determining Whether Messages Are Spam

Unsolicited bulk or commercial email messages sent by automated methods to many people

Message sender has no discernible relationship with all or some of the message recipients

Mailing lists sent to multiple users that have no prior relationship to the mailing list

Message headers have been forged or Messages that Symantec

identifies as spam

Messages that:

• Administrators handle with global allowed and blocked sender lists

• End users handle with personal allowed and blocked sender lists, foreign language preferences, and other tools

Unwanted account statements, confirmation messages, service updates, bills, etc.

Unwanted emails where address was given to sender by recipient, friend, or colleague (résumé, jokes, non-bulk direct sales, chain letters, etc.) Emails mistakenly sent to the recipient Unwanted newsletters to which the recipient did not explicitly subscribe,

(5)

Spam messages waste corporate resources. Random, untargeted email sent by automated methods has a measurable impact on enterprises. Such spam directly consumes IT administrators’ time, along with company mail server and storage resources. And, because large companies estimate that their employees spend as much as 15 minutes of their day reading, deleting, and responding to these messages, spam is robbing employees of precious time and costly productivity.2

The lifecycle and evolution of spam

Spam has been a side effect of the Internet for over a decade. In that time, it has matured to follow a predictable lifecycle with three key constituencies (see Figure 2).

The ongoing lifecycle is driving the evolution of spam, both in its form and its implications. As a result of increased antispam filtering, along with the advent of new technologies and opportunities at the spammers’ disposal, spam is rapidly morphing into an even more dangerous phenomenon.

The constant increase of spam is only one part of the equation; just as troubling is the form that many spam attacks are taking (see Figure 3). Gone are the days when spammers would simply send their unsophisticated sales pitches from their own ISP accounts. Filter-resistant spam from concealed senders is quickly becoming the dissemination mechanism of choice for costly virus attacks or email fraud attempts.

The Lifecycle of Spam

Key Challenges for Recipients • Sending messages that

recipients will open • Evading filters • Concealing identity Key Challenges for Spammers

• Dealing with influx of spam

• Ensuring that legitimate mail is received Email Recipient... Antispam Product... Cycle Restarts Spammer... 1. Obtains addresses 2. Creates message 3. Disseminates messages 4. Examines last-known IP and message content

5. Applies antispam filters

6. Views messages 7. Responds or reacts

Figure 2. The lifecycle of spam

(6)

The next section covers the key aspects of the lifecycle from the perspective of the spammer.

Spammers’ tactics: spam creation and dissemination

According to the magazine Business 2.0, for some spammers to bring in $1 million a month, all that is required is a $20 purchase from one out of every 2,000 spammees—a 0.05% response rate. The economics of spam are hard to beat: For next to nothing, spammers can obtain lists of millions of harvested email addresses. The barrier to these riches is antispam filters. This section summarises a few of the tactics used by spammers to evade filtering.

EVADING FILTERS WITH HTML-BASED CONTENT MODIFICATIONS

Large-scale spammers are increasingly adaptable and sophisticated. These people or organisations can cycle through fake domain names and alter subject lines so precisely and efficiently that by the time old-line antispam tactics can discern a pattern, the damage is done and a new attack with different characteristics has already been launched. Mass mail software even allows spammers to run mail through preprogrammed checklists, evaluating whether mail will likely be blocked by spam filters.

The State of Spam

Percentage of Total Internet Email Identified as Spam

Spam Continues to Grow in Volume...

65% Spam in June 2004 70% 60% 50% 40%

...and Continues to Evolve

ASCII Simple text Mutations and Randomization HTML Vary message while maintaining the same look Converging Threats Viruses and worms URL Short messages with links to spam Web pages Phishing More damaging 2001 2004

MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN

(7)

Content modification using HTML is the effective spammer’s latest and most powerful antifiltering technique.

There are many reasons why spammers choose HTML:

• Attracts attention. Using rich media, spammers can add flashy and provocative messages without significantly adding to their costs or file sizes.

• Enables tracking. With embedded beacons and tracking devices that activate as soon as images are downloaded, spammers can verify whether the targeted email address is a live, or valid, address. • Enables randomised or polymorphic spam. Because the underlying text of the messages is unique,

this type of spam is very difficult to filter. Inserting white text on a white background, bogus HTML tags , or HTML tables are just a few of the HTML-based antifiltering tricks.

Due to infinite variations and randomisations, formatting spam in HTML provides spammers with a pow-erful way to circumvent filtering.

EVADING FILTERS WITH URL OBFUSCATION

Spammers frequently use URL-based antifiltering techniques, soliciting recipients to perform a further action beyond just reading the message. In most cases, the spammer wants the recipient to purchase a product or register for a service. To further the transaction, spammers often include a URL that points to a Web site. Spam that encourages recipients to click on a URL is often problematic for antispam filters. First, spammers can introduce an excessive amount of personalisation, sprinkling innocuous and seemingly legitimate text around the intended link. Not only can such text make the email look legitimate, but it also allows spammers to create many substantially different messages where only the underlying URL is the same. There is also a plethora of obfuscation and URL-relaying tactics that spammers can employ to conceal the target URL.

Figure 4. HTML spam: visual and actual

HTML Spam: Visual and Actual

Actual #2

Generic Viagra

For the first time ever, a generic version of Viagra is available to you. GSC-100, the generic equivalent of Viagra, gives you the exact performance and power as Viagra, for HALF THE COST.

Visually

Actual #1

Generic Vi<BAD HTML TAG>agra For the first time ever, a generic version of Viagra is available to you. GSC-100, the generic equivalent of Vi<!HTML Comment>agra, gives you the exact performance and power as Viagra, for HALF THE COST.

Ge<BAD HTML TAG>neric Viagra For the <!HTML Comment> first time ever, a generic version of Viagra is available to you. GSC-100, the generic equivalent of Viagra, gives you the exact performance and power as Viagra, for HALF THE CO<!HTML Comment>ST.

(8)

Mail server that processes mail where neither the sender nor the recipient is a local user.

Connects to the mail server with the open relay, and pushes spam mail through. The origin of the spam appears to be the intermediate server.

Low. Does not hide the source of spam, because most mail transfer agents (MTAs) add a Received: header before relaying the mail. Occasionally. Sometimes administrators use open relays to route around a problem server. Other times, they may forget to turn off open mail relays. Dwindling. Most administrators lock down their relays to stay off blacklists.

Insecure host computer that accepts requests from any random computer to share the Internet connection. Also refers to misconfigured legitimate software or malicious Trojan horse viruses that allow the computer to be used in such a manner.

Connects to port 25 of the mail server as an HTTP service through the open proxy, sends a POST request, and hides the SMTP content in the body of the posted data. The mail server ignores the HTTP headers and accepts the SMTP commands in the body of the email. High. Proxies forward raw TCP/IP connections, leaving no headers. Because proxy servers allow one computer to masquerade as another, it is impossible to identify the actual originating IP address.

No. There are no valid reasons for sending mail through a proxy server.

Method of choice. Most spam is not sent through the conventional mail port; it is almost always relayed using proxies. Thanks to misconfigured software and Trojan horses, vulnerable proxy servers abound. Description

How spammers use them

Identity concealment

Used for sending legitimate mail?

Popularity as source of spam

Open SMTP Relay Open Proxy

Spammers have also proven adept at disguising the external appearance of URLs so that recipients are fooled into believing that the URLs belong to a legitimate organisation. The recent success of email “brand spoofing” attacks are testimony to the power of this tactic. In such attacks, spammers create fraudulent emails and disguise URLs, purporting to originate from legitimate organisations, enticing recipients to provide private and financial information.

DISSEMINATION USING IDENTITY-MASKING RELAYS

Physically sending out bulk email is a trivial matter. Special-purpose email server appliances can send out as many as 1 million email messages per hour. However, to avoid legal repercussions or source blocking via IP address, spammers need a mechanism to conceal their identities.

A common way spammers deal with the concealment issue is by using identity-masking relays. One application of such a technique is the misuse of open proxy servers. Open proxy servers are misconfigured or virus-infected computers that allow traffic for virtually any network service to be channelled through a host computer. The following table shows how open proxy servers used in this way differ from open SMTP relays, which are not actually used to mask identities.

(9)

Spammers routinely identify and hijack insecure proxy servers. Unbeknownst to the owners of the misappropriated computers, spammers then use the computers as vehicles to send huge volumes of unsolicited mail. By some accounts, two-thirds of all spam emanates from these insecure servers. Figure 5 shows how open proxy servers are an ideal way to hide the sender’s identity.

Once spammers discover an open proxy, they will continue to send spam through it, until the open proxy is closed. Spammers are also coming up with new ways to hijack computers to send spam, as evidenced by the recent mass-mailing computer worms, such as Sasser, Netsky, and SoBig. Initial analysis suggests that, while it didn’t have an especially malicious payload, the virus did install a mail program on victims’ computers, setting the stage for an immense network of identity-masking conduits through which spam could be relayed.

For more information about open proxies and other filter evasion tactics, see the following resources: • www.infosecwriters.com/texts.php?op=display&id=54

• www.nanae.org/links.html • www.spam.abuse.net • www.mail-abuse.com

Evaluation criteria for an antispam solution

This section summarises the most important criteria for evaluating an antispam solution. The key metrics are effectiveness, accuracy, and ease of administration. Leading solutions provide a combination of technologies and relieve the administrator of deployment and ongoing maintenance chores.

Effectiveness

While there are many ways to measure the utility of an antispam solution, the bottom line is high spam-blocking effectiveness. Effectiveness is the percentage of spam messages correctly filtered as spam. The terms capture or catch rate are also used to describe this metric.

Using Open Proxies for Identity Masking

Recipient receives spam from an untraceable sender Recipient’s Email Server Misconfigured proxy

server accepts and relays mail, acting as a blind intermediary to virtually any other network address Open Proxy Server

Spammer locates open proxy server and connects to the unsecured port

Spammer’s Server

(10)

Maintaining high effectiveness is challenging for a many reasons. First, the “spam” that constitutes the final few percentage points can often be quite subjective, difficult to address on a global, server-wide basis. Client-side filters may be an option in such cases. Next, an over-aggressive drive toward effectiveness increases the chances of legitimate mail being blocked. Finally, as spam-blocking percentages increase, spammers have an incentive to increase their overall volume to maintain the status quo. And given the adaptability of spammers, today’s defences can quickly become obsolete as spammers find workarounds. As such, vendors must continually monitor and tune their filters. When evaluating current effectiveness claims, it is important to ensure that the vendors demonstrate a commitment and infrastructure necessary to keep pace with spammers.

Accuracy: avoiding false positives at all costs

Antispam solutions must have the highest possible accuracy—the ability of the antispam software to distinguish legitimate messages from spam. More than one or two false positives—legitimate emails that poorly designed antispam filters mistakenly classify as spam—can represent the failure of a product for a user. When users cannot rely on antispam filtering accuracy, they are forced to manually wade through their quarantines and delete spam, a risky and frustrating exercise.

For these and other reasons, Ferris Research3

pegged the overall business cost for false positives at $3.5 billion annually in the United States. Vendors that focused first on eliminating false positives—the collateral damage of over-aggressive filters—and only then incrementally improving spam-blocking

effectiveness made the right choice. Many vendors chose an initially aggressive route, touting solutions with very high spam-blocking. As the business implications of false positives have become apparent, these vendors have been forced to scale back, managing a side effect. Their customers began to question the value of a tool that would routinely sideline mission-critical business communication.

Proactivity and responsiveness

Ideally, an antispam solution would be 100% accurate and 100% effective. Many vendors are forced to manage a trade-off. To block enough spam, the solution must be aggressive. If the solution is too aggressive, it is likely to cause false positives.

High accuracy and effectiveness in antispam filters are driven by two general approaches: responsive and proactive. Calculating Effectiveness Competitive 85% Best in class >95% x 100% (Number of spam messages caught) (Number of spam messages caught) (Number of spam messages missed) + Calculating Accuracy Competitive 99.999% Best in Class 99.9999% x 100% (Total messages filtered) (Total messages filtered) (Number of legitimate messages identified as spam) –

1 false positive in 100,000 messages 1 false positive in 1 million messages

Approach Description Examples Notes

Filters leverage research on actual spam. Very accurate, and legitimate mail is rarely blocked.

Responsive • Signature-based filters

• Attack-driven filters

Extensive and well-managed spam analysis infrastructure is required for effectiveness

(11)

Given the danger of overblocking inherent to more proactive approaches, antispam solutions should carefully combine proactive and responsive filtering techniques. Responsive filters provide an important bulwark against false positives, complementing the effectiveness of proactive filters.

Minimal administration

Although many antispam solutions purport to work out of the box, they actually offload much of the spam-fighting burden on the administrator and end users. For example, many proactive filters require substantial training by administrators for initial and ongoing antispam effectiveness. Some solutions also deal with false positives by recommending that administrators maintain whitelists. Still other solutions, under the guise of “individual spam management,” make the end user do the work.

As an administrator evaluating an antispam product, the question to ask is: How much time do I want to spend fighting and managing spam? Figure 6 demonstrates how complex the process of ongoing filter training can become.

Filter Training and Whitelist Management How Much Time Should Administrators Spend Managing Spam?

Best Results • Supervised learning

• Diligently separate messages into spam and legit folders • Periodically retrain Average Results • Unsupervised training • Feed results from spam back into its training

• Monitor and retrain based on errors

Costs

• Disk space and memory to maintain database

• System performance for message processing and training • Administrator time to track down

false positives and to maintain integration with third-party filters Ensure that systems and filters are up-to-date as spam evolves Message Processing Ongoing Maintenance Create Message Databases Missed Spams

• Manually classify message as spam • Examine where the machine

learning went awry • Create rule for message • Retrain engine/adjust sensitivity settings

Training Procedures 1. Tokenize and analyze corpus 2. Ensure validity of spam and legit corpus

3. Sort mail manually to improve accuracy

4. Remove messages that may skew probabilities (forwarded spam, discussions of spam) 5. Train the filters using the refined

spam corpus and the legit mail corpus

False Positives

• Manually classify message as legit • Retrain engine or adjust sensitivity settings training

• Create a whitelist entry for sender address

Create Message

Databases Train Analysis Corpus Requirements

• One for spam, one for legitimate mail

• Must be large (thousands of messages each)

• Must be generated from one's own mail server to reflect organization’s mail patterns (publicly available corpus not statistically useful)

Engine Retraining Engine Retraining

(12)

The Symantec solution

The BLOC: spam analysis and operations

The high effectiveness and accuracy of Symantec’s filters are made possible by the BLOC (Brightmail Logistics and Operations Centre). The BLOC consists of several centres working cooperatively on three continents, comprising a round-the-clock protection network that spans the globe. These antispam opera-tions centres are responsible for all of the real-time tuning and adjustments that underlie Symantec’s filters. Sophisticated automatic tools, assisted and monitored by BLOC technicians, evaluate mail for new variations of spam, then issue filters to identify and capture similar messages. The BLOC continuously provides updated filters to filtering software running at customer sites. BLOC technicians play an important role in confirming the identification of possible spam. This combination of automation and human intervention allows Symantec Brightmail AntiSpam to adapt in real time to ever-changing spamming techniques, giving it unparalleled flexibility and accuracy as a spam filter.

Spam Protection Backed by the BLOC

Core Services at the BLOC

• Messaging grouping • Filter validation • Filter generation • Filter distribution

Automated Filter Production

Technicians process spam that cannot be handled by automated methods. Human component enables quality assurance and prevention against false positives.

Verification and Research

Technicians and automated tools constantly monitor spam attacks and filter performance at customer sites, making adjustments as necessary.

24x7 Operations

Active management and optimization of the largest trap for spam and email threats.

Probe Network Management

Internet

Some Facts About the BLOC Spam defence coverage: 24x7

Languages spoken: 12

Decoy accounts

Over 2 million monitored:

Decoy (honeypot)

spam processed Tens of millions per day:

Countries

represented by the Over 20 Probe Network™:

Operations center San Francisco locations: Dublin Sydney Taipei

(13)

Spam analysis at the BLOC begins with the patented Probe Network, an extensive array of over 2 million decoy email addresses and domains, also known as spamtraps or honeypots. When extended with junk mail submissions from customers, the Probe Network is statistically representative of over 300 million email inboxes. This global network of email accounts attracts and collects large quantities of spam—tens of millions of spam messages pass through the Probe Network every month. As messages come into the BLOC, automated processes and expert technicians go into action, analysing incoming spam and developing effective countermeasures.

This spam-catching infrastructure gives Symantec knowledge about spam attacks as soon as they happen, making it possible for Symantec to automatically protect its customers against real attacks while tracking the distribution and content of spam attacks worldwide. Unlike other approaches where the filters need to be trained for three to six months before they are effective, Symantec’s Probe Network is real time. It also leverages over six years of history tracking spam and writing antispam filters.

The real-time spam traffic that flows through the Probe Network drives Symantec’s responsive and accurate filters, such as BrightSig2™. Probe Network also provides valuable source and spam URL information for the Brightmail Reputation Service and URL filters, respectively.

The other essential component of Symantec’s spam analysis process is the Business Intelligence team. The mission of the Business Intelligence group is to keep Symantec at the forefront in the war against spam. Among their activities are:

• Constantly analysing spam traffic for new threats and new defenses • Analysing spammers’ frequently used Web sites and mass-mailing software • Monitoring forums and chat rooms frequented by spammers

• Staying abreast of evolving spammer techniques so that defenses can be incorporated in future releases

Multilayered filtering technology

There is no silver bullet against spam. Symantec takes a comprehensive and multilayered approach to spam filtering, employing a variety of filtering techniques to keep spammers at bay. Some of the filters examine the source of the email, while others sift through the message content, leveraging both real-time spam data as well as proactive techniques such as heuristic filtering.

Symantec Brightmail AntiSpam Technologies and Architecture

Heuristics URL Filters • Trojan sources • High-volume spam sources • Safe sources Reputation Filtering Customer-Defined Filters AntiSpam Architecture Signatures • Fraud URLs • Mail URLs • HTTP URLs • Adult URLs • Header analysis • Foreign language • Content analysis • Structural analysis • Body hash

• Body fuzzy signatures • Attachment signatures

• Probe Network • BLOC technicians • Redundant architecture • Real-time filter delivery • Fraud detection • Automated QA

• Personal allow list • Personal block list • Personal language filters • Content filters

• Allowed senders list • Blocked senders list

(14)

Symantec Brightmail AntiSpam incorporates 17 different antispam filtering technologies. Symantec continuously evaluates new filtering techniques and adds new technologies to its arsenal. Each new approach is evaluated to ensure that it does not compromise Symantec’s rigorous accuracy rate—which currently stands at 1 false positive in 1 million messages, an accuracy rate of 99.9999%.

BRIGHTMAIL REPUTATION SERVICE

Reputation-based blocking is a powerful filtering technique that examines the quality or reputation of the sending source or mail server. To this end, Symantec monitors hundreds of thousands of email sources to determine how much email sent from these addresses is legitimate and how much is spam. This data is incorporated into the Brightmail Reputation Service. By tracking data such as mailing patterns, the presence of open proxy or unsecured mail servers, volume of messages sent, and complaints, the Brightmail Reputation Service can determine a reputation value for a given email sender or IP address. In some cases, this value is used to allow or block senders; in other cases it is used in conjunction with other filters.

The Brightmail Reputation Service currently includes the following lists of IP addresses, which are continuously compiled and updated:

• Open Proxy List. IP addresses that are open proxies used by spammers. • Safe List. IP addresses from which virtually no outgoing email is spam.

• Suspect List. IP addresses from which virtually all of the outgoing email is spam. Unlike other collections of source lists, the Brightmail Reputation Service is: • Large in scope. Given that Symantec filters over 15% of the

world’s Internet email (more than 100 billion messages per month) and protects over 300 million end users’ inboxes, Symantec is in a unique position to assess the reputation of email sources. With access to this data, the Brightmail Reputation Service represents a substantial swath of mail server activity.

• Automated and data-driven. Inclusion and removal from the lists is based entirely on traffic patterns of the mail servers. Organisations or individuals cannot request or pay to be added or removed from any lists in the Brightmail Reputation Service.

• Proactive and accurate. Other lists are poorly staffed and simply aggregate information, resulting in sites being

inappropriately blacklisted. The Brightmail Reputation Service, on the other hand, regularly generates its database by proactively seeking out insecure servers and high-volume senders, enabling rapid, automatic updates to the list. For example, in the case of the open proxy list, once an open proxy server identified by the Brightmail Reputation Service is secured by the owner, the server’s IP address will be Reputation Filters

Tactic: Leverages reach of the Probe Network and analytical capabilities of the BLOC to create a reputation profile of email sources

Effective against: Large-scale spammers who use large networks with many domains and IP addresses

Available filters: Dynamically updated IP address lists of open proxy servers, safe servers, and suspect servers

(15)

HEURISTIC FILTERS

Heuristic technology provides a very proactive framework for fighting spam. Heuristic filters analyse the header, body, and envelope information for incoming messages, checking for the presence of distinct spam characteris-tics. For example, excessive exclamation marks or capital letters would increase the spam score for a message. Each message is assigned an overall score, which is then compared to a threshold that determines whether the message is spam or not. Heuristic filters, once they are trained to determine what spam and legitimate mail looks like, can be very effective at identifying new spam.

The downfall of many heuristic filters is that they can create a substantial administrative burden. Worse, if not properly trained and weighted for accuracy, they can produce significant numbers of false positives.

In Symantec Brightmail AntiSpam, heuristic analysis tests are used to determine the likelihood that a message is spam. Each test is weighted to reduce false positives. The total probability that a message spam is examined to determine an overall score.

Symantec’s heuristics are tuned and updated to deliver the standard 99.9999% accuracy4

of Symantec Brightmail AntiSpam. Unlike other solutions, heuristic filtering is not the only tool used by Symantec against all spam attacks. Also, before the filters are deployed at the customer site, Symantec optimises the filters, weighting each heuristic based on how strongly it represents a spam characteristic. Lower-weight heuristic filters—for example, incorrect punctuation—safeguard against false positives. Higher-weight filters, such as those matching a known IP address range of a spammer, are very effective at differentiating spam from legitimate messages.

Symantec’s heuristic filters do not impact administrator resources. No customer tuning or training is required, as Symantec is constantly pruning ineffective or over aggressive filters before automatically deploying filters to the customer site. The filters also do not rely on an interpreted language, such as Perl, which can be resource-intensive, choking server performance as the messages are parsed.

HEADER FILTERS

Symantec’s header filters are a combination of proactive and responsive approaches. To proactively identify first-time spam, header filters consist of regular expression-based filtering rules that exploit commonalities or trends that are present in spam messages. Examples of telltale spam characteristics that a header filter would address include:

• Watermarks of spammer tools. Traces of information left in messages by some spammer tools, for example, the name of the program used to send the message.

• Modified time zones. For example, if the time zone is off by more than 12 hours.

• Spoofed received lines. For example, if the message purports to be coming from an MTA at an organisation that the BLOC knows.

Header filters also target specific spam messages that have passed through Symantec’s vast spam analysis system. These attack-specific filters are very effective, leveraging the Symantec Probe Network and filter delivery system.

4“Anti-Spam Services for SMBs and Middle-Market End-Users,” February 25, 2003 Research Note by J.P. Gownder of the Yankee Group

Heuristic Filters

Tactic: Proactively looks for common spam characteristics in all parts of the message and computes score; if score exceeds threshold, message is spam

Effective against: New spam

Symantec heuristics are tuned for accuracy and performance

Header Filters

Tactic: Traps spam with targeted header-based filters

Effective against: Messages with telltale spam characteristics in the headers

(16)

BRIGHTSIG2 FILTERS

Symantec’s signature technology is the catalyst for Symantec’s industry-leading accuracy rate. In general, spam signatures work by distilling a specific spam attack down to a unique string of bits, or a signature. This essential fingerprint of a spam attack can be used to identify variants of the attack. Accuracy is preserved because signatures are based on actual spam.

Spammers responded to first-generation signature technology by introducing large amounts of personalisation and HTML obfuscation. Symantec, in turn, responded with its patented BrightSig2 technology. BrightSig2 technology is the cornerstone of Symantec’s signature technology. The technology characterises spam attacks using proprietary algorithms, which are added to a

database of known spam. BrightSig2 matches seemingly random messages that originate from a single attack, which expedites and streamlines filter creation and deployment. This process enables Symantec to create tight targeted filters without having to write numerous such filters against a single attack. By distilling a complex and evolving attack to its DNA, more spam can be deflected with a single filter. BrightSig2 now has specific defenses against HTML spam, specifically combating randomisation and HTML noise (comments, constants, bad tags) that spammers insert to evade filters.

ATTACHMENT SIGNATURES

Message attachments have long been a favourite tool of spammers. By attach-ing a deceptively named file or image to an email, spammers tempt recipients to click through and open the file. Often, the result is annoyance: The recipient must contend with an an explicitly offensive image. Other times, the attachment might be malicious content, such as a Trojan horse, worm, or an executable that wreaks havoc on the recipient’s computer. In response, many organisations are now simply deleting all attachment types of a certain kind (e.g., exe or zip) that have caused problems, even if a particular incoming attachment is legitimate business communication.

Attachment signatures, which target specific MIME attachments, are the latest example of Symantec’s signature technology. With fuzzy algorithms similar to BrightSig2, attachment signatures enable Symantec to create filters based on

a particular MIME attachment (for example, a specific pornographic image used in a real-time spam attack) and stop that attachment from reaching customers. Attachment signatures make it unnecessary to block entire categories of certain attachments.

BrightSig2 Filters

Tactic: Strips random HTML from spam and uses fuzzy logic to group messages Effective against: Highly randomized, HTML-based spam attacks

Unique to Symantec

Attachment Signatures Tactic: Extracts a precise signature of

objectionable or malicious attachments in spam messages (e.g., pornographic image or worm) Effective against: Embedded images, executables, zip files, etc.

(17)

URL FILTERS

This version of Symantec Brightmail AntiSpam continues innovation in URL-based filtering technologies. URL filters now address mailto URL links, preventing end users from replying to spammers via email. This next generation of URL filters also improves Symantec’s ability to reverse new methods of URL masking and obfuscation techniques developed by spammers in recent months. This patent-pending URL filter technology leverages infrastructure elements that are unique to Symantec. Using real-time spam data, Symantec builds a list of spammers’ Web sites. At the customer site, URL filters compare embedded links in messages to the list of spam URLs maintained at Symantec. This list is created by using a combination of offline and real-time processes, incorporating URLs from the following sources:

• Probe Network data. The majority of the spam URLs are extracted from incoming spam and historical data from the Probe Network.

• Trusted third-party lists. URL lists maintained by third-party vendors and partners are also carefully verified, cross-checked, and incorporated into Symantec’s spam URL list.

URL filters are especially effective against:

• Disguised URLs. URL filters reverse spammers’ attempts to encode URLs with extraneous characters. This newest version of URL filters features expanded defenses against URL obfuscation and filter evasion tactics.

• Extreme randomisation. URL filters can identify a message as spam even if spammers place so much randomisation into a message that other filters are ineffective.

• Very short messages. If a message consists of innocuous HTML text or simply a URL link to a spam Web page, URL filters would identify and block the message.

FOREIGN LANGUAGE ANTISPAM TECHNOLOGY

Symantec estimates that between 10 and 20% of all global spam is written in languages other than English, making non-English spam a critical issue for any company doing business outside the United States. As multilingual spam becomes a larger problem for organisations, antispam solutions must take into account the language in which messages are written. With new antispam operations centres in Taipei and Sydney, Symantec increased its global presence and multilingual base to help prevent spam sent from foreign countries from evading detection.

Symantec Brightmail AntiSpam 6.0 features language identification abilities and a new series of heuristics that apply only to that language. By identifying the language of a message if it’s written in one of a variety (11) languages, Symantec Brightmail AntiSpam can run only the filters that apply to the message’s language, resulting in better performance. In addition, using the Brightmail Plug-In for Outlook, end users can now define the languages in which they want to receive messages.

Although the Language Identification features are always deployed in Symantec’s Heuristics filters, the per-language actions are currently supported only when the plug-in is deployed on desktops. The plug-in is a toolbar that lets users customise aspects of Symantec filtering.

URL Filters

Tactic: Identifies spam URLs in messages. Removes characters that conceal a Web site address in a message

Effective against: Call-to-action spam attacks; spam attacks with common URLs and radically different bodies

Unique to Symantec

Defenses Against Non-English Spam Tactic: Address pervasive non-English language spam with a combination of technology and infrastructure

✓ Language-agnostic filtering technology ✓ Language identification

✓ Language-specific heuristics ✓ Fluent/multilingual BLOC technicians ✓ Per-user language preferences

(18)

CONTENT FILTERING AND OTHER ADMINISTRATOR TOOLS

Although Symantec Brightmail AntiSpam administrators need never create custom filters, the software provides graphical customisation tools to allow administrators to be more aggressive in targeting unwanted mail.

Using the Custom Filters Editor, part of the Control Centre interface, administrators can create content filters to proactively block or handle mail that does not meet the criteria of spam.

With this graphical interface, administrators can:

• Filter email from marketing lists that generate user complaints or use excessive bandwidth • Control message volume and protect bandwidth by filtering out oversized messages • Block specific types of adult content

• Block chain letters

• Block a particular email-borne virus

Symantec also provides administrators with a host of other methods to customise filtering, for example, using lists of allowed and blocked senders, spam thresholds, and so on.

Filter delivery and engine updates

Every minute, Symantec software deployed at customer sites initiates a secure HTTPS connection with the BLOC. Using this pull-based connection, filter updates flow from the BLOC to the customer site. Using a similar mechanism, spam-filtering statistics from customer sites are transmitted to the BLOC, allowing the BLOC to gauge the performance and effectiveness of deployed filters.

This global spam filter update process has many advantages:

• Easy administration. Rules and filters are automatically and securely downloaded and installed. Heuristic filters are auto-updated every few weeks. New spam signatures and filters are pulled down from Symantec automatically, in real time, whenever there is a new spam outbreak. Unless they choose to augment filters using the Custom Filters Editor, administrators need never manually write, train, or update existing rules or filters.

• Antispam protection. The Symantec software at the customer site always has the most current antispam filters, and the BLOC has constant visibility into how effectively those filters are performing. • Security and privacy. Two-way validation guarantees that filtering rules are coming from Symantec

and cannot be spoofed by any other entity. Also, no confidential customer information is transmitted to Symantec during the collection of the package of aggregate rule statistics.

• Availability. The filtering software is never stopped during the update process. This capability prevents messages from getting through during the update process, which would leave the mail server unprotected.

(19)

Conclusion

The lifecycle of spam continues to evolve. Spammers are escalating the battle with new filter evasion and dissemination techniques.

In response, Symantec has fortified its filtering engine and its approach to the spam problem. Patented or proprietary technologies such as BrightSig2 and the Brightmail Reputation Service have been updated to address the most complex and egregious spam: randomised spam and spam relayed through unsuspecting open proxy servers. Other filters, such as heuristic filters, proactively assess the probability of a message being spam. The updated URL filters tackle spam with URLs, a new and growing category of spam.

These and other antispam filters used by Symantec Brightmail AntiSpam are backed by the largest and most comprehensive spam-fighting resources. The patented Probe Network and Symantec’s globally distributed BLOC infrastructure are further layers of defence, rounding out an accurate, effective, and unique answer to the spam problem.

For more information about Symantec products and services, visit www.symantec.com.

(20)

References

Download now ( PDF - 20 Page - 145.83 KB )

Related documents

Veranderende bedreigingen Security in het virtuele datacenter

Antispam Web Filtering Antivirus Intrusion Prevention App Control IP Reputation Spam Malicious Link Exploit Malware Bot Commands &amp; Stolen Data Spam Malicious Link Exploit

A Closer Look At Physician Assisted Suicide. Vermont Voices. A Closer Look At

We want the Vermont State Legislature to fi nd the wisdom and compassion to provide quality healthcare for ALL before spending more time legalizing a pill to help

PDSA Special Report. How to Hire and Terminate Developers

Some important things to consider before asking that person to come in for an interview is; do you like the way they talk, do you think they would fit into your culture, what

EFFECTIVENESS, EFFICIENCY AND PROMPTNESS OF CLAIMS HANDLING PROCESS IN THE NIGERIAN INSURANCE INDUSTRY

More so, regulators and other stakeholders within the industry should at regular interval intensify effort to ascertaining the claims handling procedural methods in use by

MEDICAL MALPRACTICE INSURANCE REPORT: A STUDY OF MARKET CONDITIONS AND POTENTIAL SOLUTIONS TO THE RECENT CRISIS

The data shows a moderately strong negative correlation (-0.5876) between the number of insurers reporting medical liability insurance premium and the median insurer incurred

Software-As-A-Service Development: Driving Forces Of Process Change

The experts in the conducted case studies of vendors that offer traditional on-premises software as well as Software-as-a-Service perceive the concept to impact

Insurance. Glossary of Policy Types

Vehicles titled in a company name must be covered under a business auto policy. Commercial autos are rated on the basis of their use and range of operation. Many policies do not

LEGISLATIVE ASSEMBLY OF NEW BRUNSWICK Fourth Session, 57 th Legislative Assembly ROUTINE PROCEEDINGS

THAT an address be presented to His Honour the Lieutenant-Governor, praying that he cause to be laid upon the table of the House all documentation including correspondence,