The state of spam 2009, Part 2

McColo and ICANN

Security Strategies Alert By M. E. Kabay, Network World
April 14, 2009 12:07 AM ET

The long view of security strategies for your network.

In the next three columns, I’m reporting verbatim the responses of Cloudmark Chief Technical Officer Jamie de Guerre to a couple of questions I asked him about the state of spam today. Everything that follows is de Guerre’s own text with minor edits.

* * *

What’s changed since last year in the fight against spam?

I think there have been several changes and a couple of events that happened in the past year that are interesting and will have an effect on how spam is sent in the coming year. Those that come to mind include:
• The McColo takedown
• Changes made by ICANN to prevent domain tasting and other scams
• Spammers increasingly using free hosting services for their call to action in messages
• Spammers increasingly using free Webmail services to send spam
• Spammers targeting new media such as social networking

First, as you probably know, McColo was a Web hosting firm that was taken offline because its services were being used as a gateway for spam activity. The McColo services were being leveraged to host domains used as the call to action in spam e-mail (pharmacy spam in particular), to host command-and-control servers for major botnets and for other malicious services like child pornography Web sites.

Of these, the one that affected spam the most was the takedown of several major command-and-control servers for major botnets. After McColo went offline, many antispam vendors observed dramatic drops in the spam volumes sent to customers. Cloudmark did not see nearly as large a drop-off at our major operator customers, probably for two reasons:
• Most major operators block all messages from dynamic IP addresses, which minimizes the effects of botnets, and
• The most advanced attackers conduct targeted attacks on the world’s largest operators, but do not necessarily send those attacks to businesses.

Antispam vendors that primarily service businesses probably saw a larger drop in spam volumes than Cloudmark did.

The effect that the McColo shutdown will have on spam in the coming year is that we will see botnets become more advanced and spammers become more careful about how they plan for fault recovery. Some major spammers had become comfortable and grown reliant on McColo without building in reliable capabilities for failover in the event that a major host is taken down. Their failure was not because of technical difficulty but because the spammers became complacent.

I think that in 2009 we will see spammers become more careful, an increased use of more advanced bots, and improved distribution and failover mechanisms. Spam volumes are already recovering quickly as spammers get existing botnets working with new command-and-control servers and deploy new botnets like Mega-D.

Second, ICANN, the body that controls and regulates the naming system for the Internet, has made some positive changes to its policies that will interfere with spammers. The main change is one that should significantly lower the ability for registrars and attackers to conduct domain tasting.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
