Behind the Scenes: Blocking new spam campaigns
Here's a little peek behind the scenes into the details of spam blocking. Last week, I tweeted about a rash of new spam emails we were seeing. There was nothing special about these emails: just the usual prescription pill gibberish. I particularly enjoyed these lines:
"ppikllls for heailth
turkey sandwich toward secretly
gratifying curse over blotched"
What is noteworthy is how quickly our SpamStopsHere team was able to identify and block them (within minutes), so that our customers never even got the chance to read about "turkey sandwich toward secretly." In order to combat the millions of spam emails that are sent every day, we use multiple filtering methods that are constantly monitored and updated by our SpamStopsHere techs, 24 hours a day.
One of these methods, a content filter, is what allowed us to block this particular set of spam. Content filters work by pattern matching many different parts of an email, including the headers and body of the message. This is actually what allows us to properly pass legitimate email containing words like "Viagra" while blocking actual spam, making SpamStopsHere incredibly effective for organizations like hospitals that may need to receive email with "spam-like" words. For the above spam emails, this content filter matched 13 different components of the email. Here's a sample of the code that's been edited to be more readable:
(num_newlines >=18) & (num_newlines <=20);
num_font_tags = 4;
In this case, the spam had some very specific traits: there would be a big block of 18-20 empty lines (newlines), and the HTML of the messages contained four <font> tags. Even though the messages were short and obscured the normal spam keywords - for example "ppikllls" - these characteristics can uniquely identify instances of this spam campaign.
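To make the two quoted rule components concrete, here is an added Python example; it is not SpamStopsHere's filter code (only the rule fragment above is from the filter), and its sample messages, addresses and function names are all constructed for the illustration. It parses a message with the standard email module, measures the longest run of empty lines in the body (my reading of num_newlines) and counts <font> tags, then ANDs the two conditions exactly as the quoted rule does. A constructed legitimate message that contains a "spam-like" word passes, because the rule keys on structure rather than keywords.

```python
import re
from email import message_from_string
from email.message import Message

# Opening <font ...> tags only; closing </font> tags are not counted.
FONT_TAG = re.compile(r"<font\b", re.IGNORECASE)

# Constructed sample (not a captured message): obscured keywords inside four
# <font> tags, padded with a block of 19 empty lines.
SPAM_SAMPLE = (
    "From: sender@example.invalid\n"
    "To: someone@example.invalid\n"
    "Subject: turkey sandwich toward secretly\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body><font>ppikllls</font> <font>for</font> <font>heailth</font>"
    + "\n" * 20 +  # 20 newline characters = 19 empty lines between the two text lines
    "<font color=red>gratifying curse over blotched</font></body></html>\n"
)

# Constructed legitimate message: a spam-like word in plain text, no padding, no <font> tags.
HAM_SAMPLE = (
    "From: pharmacy@example.invalid\n"
    "To: clinic@example.invalid\n"
    "Subject: Refill approved\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "The Viagra refill for the patient in room 4 was approved this morning.\n"
)


def text_body(msg: Message) -> str:
    """Decode the first text/* part of a parsed message (walk() yields a
    non-multipart message itself, so this covers both cases)."""
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "us-ascii", errors="replace")
    return ""


def longest_blank_run(text: str) -> int:
    """Length of the longest run of consecutive empty (whitespace-only) lines."""
    best = run = 0
    for line in text.splitlines():
        run = run + 1 if line.strip() == "" else 0
        best = max(best, run)
    return best


def extract_features(raw_message: str) -> dict:
    """Compute the two traits the quoted rule keys on."""
    body = text_body(message_from_string(raw_message))
    return {
        "num_newlines": longest_blank_run(body),
        "num_font_tags": len(FONT_TAG.findall(body)),
    }


def matches_campaign_rule(raw_message: str) -> bool:
    """(num_newlines >= 18) & (num_newlines <= 20); num_font_tags = 4 -- both must hold."""
    f = extract_features(raw_message)
    return 18 <= f["num_newlines"] <= 20 and f["num_font_tags"] == 4


if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        verdict = "BLOCK" if matches_campaign_rule(sample) else "PASS"
        print(label, extract_features(sample), "->", verdict)
```

Two traits are enough to show the mechanism, but on their own they are a loose fingerprint; the post's real rule matched 13 components, and it is that conjunction that keeps a structural rule from catching legitimate mail that happens to share one or two traits.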
Once the filter is in place, any more spam of the same type is automatically caught and disposed of. In the next Behind the Scenes, we'll take a look at how we discover spam in the first place.
What would you like to learn more about? If you've got a question or an idea for a Behind the Scenes post, just send an email to blog@greenviewdata.com, or send us a message on twitter or facebook!
Security Tradeoffs
Bruce Schneier wrote an excellent summary the other day about the trend in Corporate IT to relax security standards in favor of convenience and flexibility when it comes to new consumer technology. He points out that cloud computing is making this easier, by taking the security burden off of individual devices and operating systems. But the main point he makes at the end is really key:
Security is always a tradeoff, and security decisions are often made for non-security reasons... Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.
For me, this goes back to the idea of a Culture of Security. While I was the IT manager for a small business, the level of compromise I was willing to make regarding devices and security changed depending on my assessment of each individual's "IT savvy." Of course I was totally content to let the programmer use whatever hard- and software he pleased, while the call center reps were limited to a strictly controlled terminal environment. But my true preference would have been to let everyone use whatever they were comfortable with.
Slowly, we're getting there. More and more hosted services that are platform agnostic and do the security work for you are making the dream of the hottest new toys in the workplace a reality. But as Schneier says, "we'll muddle through, as usual." Invest in a culture of security, and find solutions that remove the burden of security from the users, and we'll reach a corporate gadget utopia in no time.
What Digital Security Really Means
Let's get one thing straight: if you're dealing with sensitive information online then that data should be encrypted. If it isn't, you could be making a big mistake, possibly to the tune of millions of dollars. Every company should be working to secure their digital data. There is no such thing as perfect security; never has been, never will be. But good security is definitely better than none. And yet, there's been a disturbing trend, in the wake of RIM's struggles with foreign governments over the privacy of its encrypted network, to lambaste "the cloud" in a misrepresentation of what we mean when we talk about digital security.
Here's an analogy. In the days before the internet (ok, and still even today), important documents were printed out on paper. And that paper was stored in filing cabinets. And those filing cabinets lived in an office. Hopefully they had drawers that locked, or were behind a door that locked, and only certain people had the keys. If somebody did something bad, hopefully that wrongdoing wasn't recorded on paper, but if it was then you could always try to burn the paper before it was discovered. It certainly wasn't the case that just because you'd locked your paper in a cabinet in your office that the legal system couldn't see it if they asked for it. Or maybe that an enterprising journalist with some lockpicking skills couldn't get to it. The only way to truly secure your data was to not print it out and put it in a filing cabinet in the first place.
Today, digital documents like email have replaced the paper, computers the filing cabinets, and servers (in "the cloud") the locked offices. In the United States, practically the same laws of discovery apply to digital data as physical. In this absurd article on eSecurity Planet, the author quickly concludes that no wireless email is safe from government spying. Well, uh, yeah. Neither is your paper mail. Your landline phone calls are just as at risk as your cell phone calls. The article goes on to explain how wireless networks can be hacked, and that using encryption is essential for your data security. It leaves off the part about how locks can be broken, and keys (physical or digital) can be requested by judges.
This is the fallacious leap being made: that somehow handing your data off to a S(P|I)aaS cloud solution fundamentally changes the security of that data. Just take this quote from a sensational article over on GigaOm:
Either way, your data could be at risk. If you send messages over the BlackBerry network, use Skype to call overseas, or send email or use the new voice-calling options from Google, theoretically what you say could be monitored by a foreign government, if India gets its way.
Really? Guess what: if you send a regular letter through the mail to another country, theoretically it could be read by that government. In some countries, that isn't even theory, it's fact. Going back to our analogy, this is really no different than if you were to store some of your locked filing cabinets full of sensitive paper documents in some other company's warehouse, maybe because you didn't have enough space in yours. Which is actually not an uncommon practice; just ask Iron Mountain.
I see the main source of people's fear with putting their data in the cloud is that it's no longer completely within their control, and that it's consolidated. If the government wants to see what you've locked in those filing cabinets, at least you know they're looking, and they have to come to your office to do it. But if instead everyone keeps their cabinets in one big warehouse and the government is handed the key by the warehouse owner, it might feel like some security has been compromised.
But of course, that's pretty much a fallacy too. The data passed around the web is never more secure than any physical letter bouncing around the post offices. Data gets passed around servers randomly and with little or no regard for who or what may be lurking there. Corporations harbor legions of computers infested with malware. Data breaches from emails sent to the wrong people, laptops stolen from hotels, USB drives disappearing, employees posting indiscriminately on social networks, etc. highlight that your company's privacy is probably more at risk from itself than from any enforced government espionage.
Do I think governments should be given free access to any network data? Certainly not. And it's unfortunate that the increasingly consolidated world of the internet (coupled with this new millennium's climate of terrorism-fueled fear) has perhaps shown some true colors of many governments that we had hoped weren't there. But that isn't an indictment of the cloud or those who trust in its security. We should be happy that hosted solutions mean the data whose privacy we're fighting for is now at least encrypted, where even a few short years ago there would have been no barrier at all to government access.
Because that's what we really mean when we talk about digital security. We mean that the data is being protected from simply being read by anyone who feels like it. That at rest or in motion (in the filing cabinet or in the mail), your sensitive data is not going to be read by anyone who shouldn't read it. That may or may not end up including certain governments, but leave the cloud out of it and remember this common sense: if you really don't want something to be read, don't write it down.
Rustock Botnet Wisely Abandons TLS
The big email spam news from last week was regarding MessageLabs' August Intelligence report, and the revelation that the Rustock botnet had risen to account for nearly 41% of all spam being sent. At over 46 billion messages sent per day, that's a lot of spam. But the interesting part of the story is that the increase came after the botnet shrank to about half its former size. How was this possible?
The reason most likely lies in the fact that the botnet operators dropped their use of TLS encryption on the spam they were sending out. Using TLS to encrypt email causes a significant processing overhead, so by eliminating its use the botnet was able to send out more email per infected computer - in fact, over two times more - allowing greater volume even with the reduced number of hosts.
It was actually unclear why Rustock was using TLS to begin with. Speculation is that the operators may have hoped to get more of their spam past filters by encrypting it, which turns out to be a pretty useless tactic. Because TLS only encrypts the session and not the actual email content, spam blockers have no problem identifying the malicious email once it arrives at the receiving server. For example, with a hosted anti-spam service like SpamStopsHere, there's nothing stopping our software from accepting the encrypted connection, receiving the "secure" email, reading it and clearly recognizing it as spam, and discarding it before it ever reaches the customer's inbox. After losing a large chunk of their botnet, it's no wonder Rustock reverted to unencrypted spam and "quantity over quality."
But this anecdote serves to highlight a larger issue, which is the use of TLS for encrypting email in the legitimate business world. It may seem absurd to compare the email choices and habits of the most prolific spammer in the world with those of, say, a healthcare provider, but there are some relevant points to be made. While the HITECH Act has made secure communications a priority for any company handling sensitive information, how to properly handle email encryption is still pretty murky. The important distinction to make is that there are two cases to consider: data at rest and data in motion. Using TLS only covers data in motion, which is why using it to encrypt spam doesn't actually help a botnet get more past the filters. To do that, they'd need to use encryption for the data at rest.
In the next few weeks, we'll have a few follow-up articles that go a little more in depth with how TLS and alternate solutions can work to encrypt your emails and get your organization HIPAA compliant. If there's anything specific you'd like to see discussed, please let us know in the comments.