Delete Spam

How the Dark Side is Creating the “Notwork”

Despite the massive strides being made in the bandwidth available to users through improved consumer and business connectivity, the internet often just doesn't seem responsive enough. Sure, poorly crafted web sites with poor code can be part of the problem, but they are just a small part of a larger overall problem.

According to Kaspersky Labs, averaged across 2012, spam accounted for 72.1% of all emails, of which around 5% contained a malicious attachment. Depending on which source you trust, you will be told that between 150 and 300 billion emails are sent every day, or up to 110 trillion emails per year, of which 80 trillion will be essentially just taking up bandwidth (and people's time, if the messages get through to them). Although overall spam volumes are falling, as mainstream advertising emailers find email less worth their while for these activities, the organized, more malicious spammers are now taking over, with more worrying possible outcomes.

For the organized blackhat using phishing (the sending of what looks like a valid email with a targeted message and links to external code or other means of getting a user “hooked”) or using emails as a means of introducing a Trojan or other payload, email is still a tool of choice. These messages are often harder to pick up as spam, as they are more targeted, but tools are there to try and identify them based on behavior modelling and pattern matching.  With the rise of emails introducing ransomware code such as CryptoLocker, more people and organizations are finding that spam is not just time consuming, but that it can also be very expensive to deal with.

The network hit of a single email is relatively low; however, unless the masses of spam and malicious emails are stopped at source, millions of such messages will take up a horrendous amount of overall bandwidth. With the growth in image and even video based spam, the average email size is increasing — and slowing down the internet to a point where a large email botnet spewing out billions of emails per day can make certain areas of the internet a “notwork” — just too slow for any real work — particularly in emerging economies.

There are benefits for service providers, telecoms companies and end-users alike in moving from the mindset of “it's a packet of data and we'll shift it” to “it's a packet of useless data and we'll dump it”.

The main one is freeing up the internet from a large chunk of the data volume that is slowing it down. Removing 80 trillion useless messages from the global internet would help to speed up slow areas, and make the management of more real-time traffic, such as voice and video, easier. It would also help prevent malicious spam with links to external code, and phishing messages, from being acted upon by less-aware users.

Also, with the internet of things (IoT) becoming an increasing blip on the radar, the freed-up bandwidth allows the chattiness of IoT traffic to be embraced more easily without massive new investments in yet more bandwidth.

Although proactive filtering and blocking of spam as close to the wire as possible seems to make sense to everyone except the blackhat, there seems little appetite for a concerted approach to trying to stop spam. It all seems piecemeal, and this still allows the blackhats to carry on, with the impact that has on networks, individuals, and organizations.

If service providers and telecoms operators worked together, rather than in an uncoordinated manner, to stop spam as close to the source as possible, the tables would start to turn. Active filtering of email streams by all the major players would drop spam volumes immediately. Increased blacklisting of service providers who allow spamming, as well as better policing of IP address blocks being used for spamming from private servers, would help to stamp out the volumes at source.

Access device-based anti-spam tools, such as Kaspersky, Norton, and McAfee will do little to ameliorate the impact on the overall network, as they are only working against traffic that has already traversed the network.  What is required is something that is closer to the wire.  This was put forward by Trend Micro many years ago, but at the time the capability and cost to deal with line-speed treatment of information streams was not quite up to the task.  Symantec and Dell, amongst others, have brought out appliances that enterprises and service providers can use.  Symantec, GFI, and Wedge Networks have cloud-based systems that can act as filters to remove spam for organizations with their own high-volume email servers and service providers offering hosted email. Using such systems across a geography such as the UK or, better still, across Europe would start to really hurt the spam merchants.
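To make the “close to the wire” argument of the last two paragraphs concrete, here is an added illustration (not code from the article or from any of the vendors named) of an edge policy that decides at SMTP connection and envelope time, before the message body is read, using a blocklist of source IP ranges and a per-source volume limit; the blocklist ranges, the window limit and the sample sessions are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample blocklist of source IP ranges (documentation-only addresses, not real data).
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]
MAX_RCPTS_PER_WINDOW = 100  # assumed per-source recipient budget for one rate window


class EdgePolicy:
    """Decides, before DATA is accepted, whether a sending host may deliver at all."""

    def __init__(self, blocked=BLOCKED_RANGES, max_per_window=MAX_RCPTS_PER_WINDOW):
        self.blocked = blocked
        self.max_per_window = max_per_window
        self.rcpt_counts = defaultdict(int)  # recipients seen per source IP in this window

    def check_connection(self, src_ip):
        """Blocklisted ranges are refused at connect time, so no body bytes cross the wire."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.blocked):
            return "reject:blocklisted"  # would map to a 5xx at the SMTP banner
        return "accept"

    def check_envelope(self, src_ip, rcpt_count):
        """Simple behaviour check: a source that bursts past its recipient budget is deferred."""
        self.rcpt_counts[src_ip] += rcpt_count
        if self.rcpt_counts[src_ip] > self.max_per_window:
            return "defer:rate"  # would map to a 4xx temp-fail before DATA
        return "accept"


def run_sessions(policy, sessions):
    """Apply the policy to (source IP, recipient count, body size) tuples.
    Returns (bytes accepted, bytes never transferred, verdict per session)."""
    accepted = rejected = 0
    verdicts = []
    for src, rcpts, size in sessions:
        verdict = policy.check_connection(src)
        if verdict == "accept":
            verdict = policy.check_envelope(src, rcpts)
        if verdict == "accept":
            accepted += size
        else:
            rejected += size  # body was never sent, so this bandwidth is saved
        verdicts.append(verdict)
    return accepted, rejected, verdicts


SAMPLE_SESSIONS = [  # constructed: (source IP, recipients, message size in bytes)
    ("192.0.2.10", 1, 4_000),
    ("198.51.100.7", 50, 120_000),  # inside a blocklisted range
    ("192.0.2.20", 80, 90_000),
    ("192.0.2.20", 30, 90_000),     # pushes this source over its recipient budget
]
```

Running `run_sessions(EdgePolicy(), SAMPLE_SESSIONS)` shows that two of the four bodies (210,000 of 304,000 bytes) are never transferred, which is the whole point of filtering at the edge rather than on the recipient's device.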

The blackhats would start to see that any mass mailing approach would be less effective and would either have to give in or move to using a different approach.  They could use different vectors, such as trying to depend more on e.g. port 80 data transfers and hooking people via malicious code on web sites, but it becomes harder to lure people there if your emails can’t get through to them.  They could go for extreme targeting (spear phishing) — moving from a numbers game of depending on one being born every minute to trying to identify the high-worth targets and concentrating on them with single emails with no content or behavioral pattern.

As the IoT grows and its traffic increases, dealing with spam should be more of a focus for service providers and telecoms companies.  Unless steps are taken, more areas of the internet will become “notworks” — time to fight the blackhats and recover the internet.

About the author
Clive Longbottom