Spammers use anti-spam protocols to bypass filters

update Spammers have discovered ways of working round protocols that were originally designed to kill spam by allowing e-mail gateways to authenticate the origin of any e-mail. This abuse effectively renders the technologies useless, according to security experts.

The SenderID and SPF (Sender Permitted From) protocols have been used by ISPs and e-mail gateways for almost a year in an effort to recognise spam sent using a spoofed address.

However, e-mail security specialist MX Logic reported on Tuesday that it filtered a sample of nearly 18 million unique e-mail messages from June 19 to June 25, and found that 9 percent were from domains with an SPF record and only 0.14 percent contained a SenderID record. Of these supposedly 'legitimate' messages, around 84 percent were spam.

Scott Chasin, chief technology officer at MX Logic, said the anti-spam protocols are being used by spammers to make their messages seem legitimate.

"Spammers continue to leverage SPF and Sender ID with the intention of making their messages appear more legitimate... The strength of these protocols is further compromised by the fact that many legitimate senders have yet to adopt either Sender ID or SPF," said Chasin.

Chasin welcomed efforts by the industry to control spam but didn't believe either technology would solve the problem.

"While we applaud industry efforts to develop e-mail authentication protocols, no domain authentication protocol can guarantee that a message you receive really does come from who you think it comes from," said Chasin.

Andy Lake, director of partners at e-mail security firm Messagelabs Asia Pacific, agreed with Chasin.

"SPF and Sender ID are not making a lot of difference at the moment. They are still immature and have not been proven -- not many people are adopting those policies and we are seeing them being violated already," said Lake.

According to Lake, Internet criminals are registering SPF compliant domains in order to legitimise their messages.

"They have registered domains that are SPF compliant -- some phishing e-mails have also been SPF compliant. People who are using single techniques -- such as a blacklist or signature technique -- are in real trouble," said Lake.
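The gap Chasin and Lake describe can be shown with a simplified SPF evaluator. This is an added example, not code from the article, MX Logic or Messagelabs; the domains, addresses and the `TRUSTED_DOMAINS` reputation set are constructed assumptions, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records using documentation address ranges; not real DNS data.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # Domain registered by the bulk sender itself, with a valid record.
    "cheap-pills.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
# Hypothetical reputation feed: domains this receiver has reason to trust.
TRUSTED_DOMAINS = {"bank.example"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Return the SPF result for client_ip sending as domain."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        result = qualifier or "pass"  # a missing qualifier means "+"
        if mech == "all":
            return result
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return result
    return "neutral"  # no mechanism matched


def verdict(domain, client_ip):
    """Treat SPF as one signal: it authenticates the domain, not its intent."""
    spf = spf_check(domain, client_ip)
    if spf == "fail":
        return "reject"  # spoofed: host is not authorised for this domain
    if spf == "pass" and domain in TRUSTED_DOMAINS:
        return "accept"
    return "content-scan"  # a pass from an unknown domain proves nothing about spam


if __name__ == "__main__":
    for dom, ip in [("bank.example", "192.0.2.10"),
                    ("bank.example", "198.51.100.7"),
                    ("cheap-pills.example", "203.0.113.5")]:
        print(dom, ip, spf_check(dom, ip), verdict(dom, ip))
```

The spoofed `bank.example` message fails SPF, while the message from the sender's own SPF-compliant domain passes and is only caught if the filter keeps scanning content and reputation.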

Blame the zombies
According to both MX Logic and Messagelabs, between 60 and 70 percent of all spam is being sent from compromised or zombie PCs that have been hijacked by malware.

MX Logic said that during June, 62 percent of all spam came from zombie systems while Messagelabs claimed the figure is closer to 70 percent. Both companies said the problem is worsening, with MX Logic reporting that spam from zombie systems accounted for 55 percent of spam in May and 44 percent of spam in April.

"The continued proliferation of zombie PCs has levied a heavy cost on ISPs and e-mail end users. Compromised PCs have resulted in millions of e-mail users being unknowingly blacklisted, often through no fault of their own," said Chasin.
