Kaspersky Security Bulletin, January - June 2006: Spam Report
Andrey Kalinin, Anna Vlasova
Sep 22 2006

Spam in the First Half of 2006

This report analyzes the volume and types of spam detected during the first half of 2006, and the new approaches and techniques used to send spam. Predictions regarding the future evolution of spam in the second half of the year are also included. The report is aimed at IT security professionals and users who are interested in the problem of spam.

Kaspersky Lab receives and analyzes approximately 300,000 - 500,000 spam emails per day. The spam comes from several sources: dedicated spam traps, samples from email traffic, and samples provided by clients and partners. All incoming spam traffic is automatically classified, and a proportion is also analyzed manually. A unique spam classification system helps maintain detailed records of the volume and types of spam.

Sending Spam: The Technical Details

During the first half of 2006 the technologies used to send spam continued to evolve steadily. Contemporary spammers combine several techniques, including the following:

• Viruses which target PCs
• Distributed management of zombie networks
• Systems that make it possible to control PCs and servers remotely
• Automatic template-based email generators

These techniques have become so interdependent that genuinely new innovations in mass mailing are unlikely to appear for more than several months. At the same time, the methods currently in use continue to evolve.

The following are still being used to send spam:

• Networks of zombie computers, i.e. botnets.
• Web servers and vulnerabilities in popular server-based software.

Botnets

Most spam is sent via botnets. The number of botnets is increasing steadily, while the networks themselves are becoming ever larger. Last year, the Dutch police arrested the creators of a network of 1.5 million PCs - a record which has not yet been broken.
This doesn't mean that there are no other giant botnets out there - it just means that the authorities haven't yet been able to pinpoint them or their owners.

Botnet controllers are currently moving from IRC to HTTP for command and control. Moreover, centralized networks (i.e., those with several control nodes to which the other zombie computers connect) more and more often have a control center located on a dedicated "spam-resistant" server [1]. The dedicated server thus serves a second purpose: not as a source of spam, but as a control center for the botnet.

Decentralized botnets have also become more popular. These are made up of zombie computers that attempt to connect to as many other zombies as possible; commands are then passed from one computer to another within the network, so the network can be managed from any of its computers.

In an effort to fight spam, Internet providers serving end users have introduced the following restrictions:

1. Prohibiting sending mail directly to any mail relay other than the provider's own, so that all outgoing mail can be monitored.
2. Restricting the number of outgoing messages one user may send in a defined period of time. A user who exceeds the limit may face stringent restrictions or be banned altogether.
3. Filtering the content of outgoing email with the same filters used for incoming mail.

These measures limit mass mailings from botnets that either send spam directly or send large quantities of spam from the same computer, and they do not cause problems for the average user. In response, spammers have begun to spread the load across a large number of zombie computers, reducing the number of emails sent from any single machine.
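The per-host sending limit described above, and the way a distributed botnet slips under it, can be seen in a few lines of detection logic. The script below is an added example and is not code from the Kaspersky report: the log format, the hosts, the 20-messages-per-5-minutes policy and the "template fingerprint" counter-measure are all constructed here for illustration. It runs a sliding-window count per sending host (the ISP's second measure), shows that a single zombie blasting 60 messages is caught while twenty zombies sending three messages each are not, and then groups the same traffic by a normalized subject fingerprint, which is one way an operator can see the campaign that the per-host limit misses.

```python
"""Added example (not from the Kaspersky report): a per-host outbound rate
limit, the distributed-sending evasion it invites, and a cross-host template
fingerprint that still catches the campaign.  All hosts, names, subjects and
log lines are constructed; the log format is not any real MTA's."""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import re

# Constructed relay log, one line per accepted outbound message:
#   "<ISO time> <client_ip> <recipient> <subject>"
LOG = []
T0 = datetime(2006, 3, 14, 9, 0, 0)

# Host 10.0.0.5: a single zombie sending 60 messages in 60 seconds.
for i in range(60):
    LOG.append(f"{(T0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 "
               f"u{i}@example.net Cheap meds #{i}")

# Twenty zombies 10.0.1.1 - 10.0.1.20: three messages each, same template,
# spread over roughly ten minutes so that no host exceeds the limit.
for h in range(1, 21):
    for j in range(3):
        ts = T0 + timedelta(seconds=30 * h + 200 * j)
        LOG.append(f"{ts.isoformat()} 10.0.1.{h} v{h}_{j}@example.net "
                   f"Cheap meds #{h * 10 + j}")

# A legitimate user on 10.0.2.2: four unrelated messages.
for j, subj in enumerate(["Lunch?", "Re: report", "photos", "Re: Re: report"]):
    LOG.append(f"{(T0 + timedelta(minutes=j)).isoformat()} 10.0.2.2 "
               f"w{j}@example.net {subj}")

PER_HOST_LIMIT = 20            # assumed ISP policy: messages per host ...
WINDOW = timedelta(minutes=5)  # ... within any 5-minute sliding window

def parse(lines):
    """Split log lines into (timestamp, client_ip, recipient, subject), time-sorted."""
    recs = []
    for line in lines:
        ts, ip, rcpt, subj = line.split(" ", 3)
        recs.append((datetime.fromisoformat(ts), ip, rcpt, subj))
    return sorted(recs)

def rate_limit_violators(recs, limit=PER_HOST_LIMIT, window=WINDOW):
    """Hosts whose peak message count in any sliding window exceeds `limit`
    (the provider's second measure).  Returns {ip: peak_count}."""
    per_host = defaultdict(list)
    for ts, ip, _, _ in recs:
        per_host[ip].append(ts)          # already time-ordered
    bad = {}
    for ip, times in per_host.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1                # slide the window forward
            peak = max(peak, end - start + 1)
        if peak > limit:
            bad[ip] = peak
    return bad

def fingerprint(subject):
    """Template fingerprint: drop digits and punctuation so that the
    per-message variation ('#1', '#2', ...) collapses to one key."""
    norm = re.sub(r"[\d\W_]+", " ", subject).lower().strip()
    return hashlib.sha1(norm.encode()).hexdigest()[:12]

def campaign_clusters(recs, min_hosts=5):
    """Templates sent from at least `min_hosts` distinct hosts: this is what
    the distributed, low-rate sending looks like once you stop counting
    per host and start counting per template.  Returns {fp: [hosts]}."""
    hosts_per_fp = defaultdict(set)
    for _, ip, _, subj in recs:
        hosts_per_fp[fingerprint(subj)].add(ip)
    return {fp: sorted(h) for fp, h in hosts_per_fp.items() if len(h) >= min_hosts}

def analyse(lines=LOG):
    recs = parse(lines)
    return rate_limit_violators(recs), campaign_clusters(recs)

if __name__ == "__main__":
    violators, clusters = analyse()
    print("per-host rate-limit violators:", violators)
    for fp, hosts in clusters.items():
        print(f"template {fp}: {len(hosts)} sending hosts, e.g. {hosts[:3]}")
```

Running it, the per-host rule flags only 10.0.0.5; the twenty distributed zombies each stay at three messages per window and pass, exactly the evasion the report describes. The fingerprint pass, by contrast, reports one template sent from 21 distinct hosts, while the legitimate user's four different subjects never cluster. The fingerprint here is deliberately crude (digits and punctuation stripped); a real deployment would normalize more aggressively and would still have to tolerate template randomization beyond the subject line.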
Another method used for mass mailing is to send spam via the provider's own mail server, which the zombie identifies either by a network scan or by reading the settings of the user's mail client.

________________________________________
[1] The term "spam-resistant" server refers to a server leased from a provider which allows it to be used to send spam and ignores complaints. Such providers are usually located in countries where there is little or no anti-spam legislation.

Web Servers