The long view of security strategies for your network.
[Note from M. E. Kabay: My good friend and colleague Stephen Cobb sent me this good news about progress in the fight against spam. Introducing delays into network responses is a well-established approach to interfering with automated attacks; for example, automated dictionary attacks on passwords via logon interactions can be stymied by a two- or three-minute delay every few wrong guesses. I’m glad to see someone implementing this technique to deal with the wretched people who are abusing the ‘Net with their floods of junk.
As a matter of full disclosure, I have no commercial relation whatsoever with the vendor named in the following article. Please communicate directly with Stephen Cobb for all commentary about this article.]
Networks can use time to stop spam - and I mean this quite literally. People may argue about the definition of unsolicited bulk e-mail or spam, but nobody disputes the fact that it continues to grow in volume, month after month, despite lawsuits and legislation (spam is already illegal in 30 states and, since most spam is commercially deceptive, much of it is a violation of the Federal Trade Commission Act).
Nobody disputes the fact that spam places network administrators between a rock and a hard place, where the rock is user complaints and the hard place is mail servers that are groaning and, all too often, collapsing under the weight of expanding spam traffic. Security officers are being challenged as well, by spam’s threat to uptime and availability and by its growing popularity as a distribution mechanism for malicious code and fraudulent scams.
Unfortunately, but perhaps understandably, the most common choice for antispam defense is filtering. This assumes spam is akin to malicious code, something you can readily identify and quarantine. But spam is the Achilles of e-mail threats, at once more powerful and yet more vulnerable. If you doubt the power of spam, talk to your local ISP. When a spammer targets your domain you can be staring down the barrel of a spam cannon firing 6 million messages an hour.
Some spam will always beat filters. This is because spam shares so much digital DNA with legitimate high-volume e-mail - like this newsletter or my Discover card payment reminder - as to be practically indistinguishable. Ratchet up the filters and you lose wanted e-mail. As for blacklisting as a spam defense, that is now fraught with problems too numerous to mention.
Spammers have a strong incentive to beat filters and blacklists: economics. Unlike virus writers, spammers are in it for the money, which turns out to be good news, because that is also their Achilles’ heel.
Consider what happens to a spam cannon when the target network is so slow most of the messages don’t even leave the barrel: It moves on to the next target. In other words, if you can’t get a network to accept a high rate of messages per minute, there is clearly no money to be made there, and you move on.
I know this because my colleagues in ePrivacy Group’s antispam laboratory figured out how to make a large network appear - to spammers - as though it is very slow. When they tried this trick at an ISP whose servers had been collapsing under relentless spam attacks, the effect was immediate and quite astonishing. Spam attacks were either repelled or displaced. The good e-mail came through faster, without false positives, and server loads returned to manageable levels while user complaints plummeted.
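As an added illustration (not code from the article, from ePrivacy Group or from any vendor), here is one way to express the idea behind both the editor's note and the spam-cannon argument: a per-source adaptive delay in which low-rate senders are never held up, while a source pushing far above normal volume sees every response stall until its effective throughput collapses. The window, free-message threshold, step and cap are assumed values, not anyone's shipping defaults.

```python
from collections import defaultdict, deque


class TimeTarpit:
    """Per-source adaptive response delay ("use time to stop spam").

    Every connection attempt or message from a source is timestamped. If the
    source stays within `free_per_window` events per `window` seconds it is
    answered immediately; each event beyond that adds `step` seconds of delay,
    up to `max_delay`. All four parameters are assumptions for this example.
    """

    def __init__(self, window=60.0, free_per_window=30, step=2.0, max_delay=120.0):
        self.window = window
        self.free = free_per_window
        self.step = step
        self.max_delay = max_delay
        self.history = defaultdict(deque)  # source -> recent event timestamps

    def delay_for(self, source, now):
        """Record one event from `source` at time `now`; return the delay (s)
        the server should hold its response for."""
        q = self.history[source]
        q.append(now)
        while q and now - q[0] > self.window:  # drop events outside the window
            q.popleft()
        excess = len(q) - self.free
        if excess <= 0:
            return 0.0
        return min(self.max_delay, self.step * excess)


def accepted_per_minute(rate_per_minute, tarpit, source="sender", minutes=5):
    """Simulate a sender that submits messages one at a time at its own
    pace and must wait for each response; return messages accepted per
    minute. A spam cannon aimed at a slow target simply never reaches its
    firing rate, which is the point of the technique."""
    horizon = minutes * 60.0
    gap = 60.0 / rate_per_minute  # sender's own spacing between messages
    now, sent = 0.0, 0
    while now < horizon:
        now += gap + tarpit.delay_for(source, now)
        sent += 1
    return sent / minutes


if __name__ == "__main__":
    print("newsletter at 10/min :", accepted_per_minute(10, TimeTarpit()))
    print("spam cannon at 6000/min:", accepted_per_minute(6000, TimeTarpit()))
```

Because the delay grows with each message beyond the free allowance, a source sending at 6,000 messages a minute is held to a few dozen per minute, while a sender at ten a minute never sees a delay at all.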
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.