One of the keys to preventing virus outbreaks within an organization is having the latest virus signatures and detection rules in place. Since spam is one of the primary means of spreading malware, this is especially true for email scanners and spam filters.
According to an FBI Crime and Security Survey, 65 percent of companies had been affected by virus attacks during the previous year. This is in spite of the fact that 97 percent of the surveyed companies were using industry-leading virus protection, and following “best practices” like enabling automatic updates. This information highlights the need for overlapping protection. Maintainers of antivirus software respond to new threats at differing rates, and while some are more responsive than others, none are always first or always best at deploying updates.
Utilizing spam filters or other email security solutions which incorporate two or more virus engines increases a company’s chance of early protection when new threats are introduced. It also eliminates the situation where a single point of failure might arise, such as when one antivirus vendor’s update network has been compromised or is off-line. Adding complementary technologies like heuristic analysis and reputation filtering offers the most comprehensive protection.
Running multiple antivirus products on corporate desktops is probably not feasible because of the competition for computing resources and incompatibilities during real-time protection. However, running multiple engines sequentially to scan incoming email at the server level can significantly reduce early exposure to malware while maintaining reasonable throughput.
At the end of 2010, we saw a resurgence of some vintage tactics spammers used three or more years ago to bypass content-based spam filters. In particular, three old ploys were revived for use in conjunction with newer trends (like falsifying alerts from social networking sites) for some fresh spam tactics, as seen in the Commtouch Q4 2010 Internet Threats Trend Report.
The first all-too-familiar tactic spammers revived in recent months is the use of hidden text. Fonts are shrunk down as small as possible and changed to white so as to make them invisible to the reader over an email background. Random typing that’s invisible to the eye but visible to spam filters is inserted in the middle of words that are standard red flags to Bayesian, heuristic, and other content-based spam filters. To the recipient, words simply appear to have sporadic, erroneous spaces in them; to the spam filter, however, those spaces are actually several characters, making the words unrecognizable, and therefore not cause for a block or re-direct into a junk mail folder.
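As an added illustration of the defensive side of this tactic (not code from the original article or from Commtouch), the following Python normalizer discards text styled as invisible before a content filter sees the message, so classification runs on the words the recipient actually reads. The thresholds for "invisible" (white colour, font size of 1px or less, legacy `<font size="1">`) are assumptions chosen for the example.

```python
import re
from html.parser import HTMLParser

# Assumed heuristics: a foreground colour of white, or a font size of 1px/1pt or
# less, renders text invisible on a normal white email background.
_WHITE = re.compile(r"(?<![\w-])color\s*:\s*(#fff(?:fff)?\b|white\b|"
                    r"rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))", re.I)
_TINY = re.compile(r"font-size\s*:\s*(0|0?\.\d+|1)\s*(px|pt)?\b", re.I)
_VOID = {"br", "img", "hr", "input", "meta", "link"}   # tags with no closing tag


class HiddenTextStripper(HTMLParser):
    """Collects only the text a human recipient would see."""

    def __init__(self):
        super().__init__()
        self.visible = []
        self._stack = []          # one bool per open element: did it start hiding?
        self._hidden_depth = 0    # > 0 while inside any hidden element

    @staticmethod
    def _is_hidden(attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if _WHITE.search(style) or _TINY.search(style):
            return True
        # Legacy markup such as <font color="white" size="1">
        color = (a.get("color") or "").lower()
        size = a.get("size") or ""
        return color in ("white", "#fff", "#ffffff") or size in ("0", "1")

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return                      # keep the stack balanced
        hidden = self._is_hidden(attrs)
        self._stack.append(hidden)
        self._hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag not in _VOID and self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        if self._hidden_depth == 0:
            self.visible.append(data)


def visible_text(html):
    """Return the rendered text with hidden fragments removed and whitespace squashed."""
    p = HiddenTextStripper()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", "".join(p.visible)).strip()


# Constructed sample: junk characters hidden inside two filter-trigger words.
SAMPLE = ('<p>Fr<span style="font-size:1px; color:#FFFFFF">kq</span>ee '
          'mort<font color="white" size="1">zx</font>gage offer <br>'
          '<span style="background-color:#ffffff">today</span></p>')
```

Feeding `SAMPLE` to `visible_text` yields `Free mortgage offer today`; a filter that tokenized the raw HTML instead would see `Frkqee` and `mortzxgage` and miss both words.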
A second tactic seen again at the end of 2010 after some time is the use of Google’s cache tool to sneak spam website links past content-based anti-spam technology. Google is, by default, a white-listed, or acceptable, domain to most spam filters. By going to a website through Google’s cached version link, the resulting URL begins with the Google domain name. When this URL is used as the hot link in an email, many spam filters accept it, while the recipient is still taken to the spammer’s intended address via a typically seamless redirect.
The third vintage spam tactic enjoying new life since the end of 2010 is known as ASCII art. This refers to the careful arrangement of computer characters (letters, digits, and symbols) to form a larger representation of an image. Just type “ASCII art” into a Google image search to see plenty of impressive examples. Using ASCII art, spammers can create representations of letters and words without actually typing those words. Hence, content-based spam filters remain unaware of the words and phrases that a human reader will see.
These revived spam tactics underscore the ongoing need in 2011 for an email security system that doesn’t rely solely on content-based methodologies. Effective spam filtering products have a multi-tiered approach that evaluates the validity of an incoming email message based on a variety of factors.