Press Release - For Immediate Release

Spammers Continue Innovation: IronPort Study Shows Image-based Spam, Hit & Run, and Increased Volumes Latest Threat to Your Inbox

IronPort’s Anti-Spam Engine Stays One Step Ahead of the World’s Most Notorious Spammers and Their Techniques

SAN BRUNO, Calif. – June 28, 2006 – IronPort® Systems Inc., the leader in gateway security, today announced new industry research, which shows an increased prevalence of “image-based spam”—an advanced technique that spammers have adopted to evade detection. Image-based spam bypasses both traditional content and signature scanning and contains little or no text to analyze, instead including a .gif or .jpeg file with an image. The image contains the spam message in the form of text and graphics, similar to an HTML email, making it difficult for a machine to easily recognize the text. Image-based spam has exploded—growing from less than 1 percent of all spam in June of 2005 to more than 12 percent of all spam in June 2006. This represents more than five billion image-based spam messages sent per day—78 percent of which pass right through first and second generation spam filters. The study was conducted using SenderBase data, which represents 25 percent of the world’s email traffic and data from more than 100,000 ISPs, universities, and corporations around the world.

Spam Gets Smarter

“Through the processing of billions of email messages, IronPort is able to identify anomalies in email,” said Tom Gillis, Senior Vice President, Worldwide Marketing at IronPort. “With image-based spam techniques, spammers are using sophisticated methods of varying each image slightly with each spam attack – changes that are imperceptible to end-users and invisible to signature-based filters. It is similar to snowflakes in a blizzard – billions are sent but no two look exactly alike.”

Traditional anti-spam technology relies on analyzing the words in a message and, by using a variety of complicated scoring mechanisms, tries to determine if these messages are spam or not. If the message contains the words “Viagra,” “herbal” and “free,” then it must be spam. The problem with this approach is that it is very easy for spammers to disguise the words to get around these simple filters. These filters periodically delete legitimate messages, a situation that is unacceptable to most users. An enhancement to content-based filters is signature analysis – looking at the data patterns of a message deemed to be spam and filtering any messages that match this fingerprint. Leading spam filters rely on both content analysis and signature analysis in varying forms.

Spam Gets Faster

Another technique used by spammers is dramatically increased speed of “hit and run” tactics. More than 80 percent of spam now comes from a “zombie” – an infected PC, typically in a consumer broadband network, that has been hijacked by spammers. Spammers now rotate through zombie networks every few hours, constantly changing the IP address of the source of the spam. At the same time, the spam that they send contains Web links or URLs that rotate at the same frequency. In June 2005, the average length that a domain was advertised in a “spam” URL was 48 hours – allowing enough time for static URL “blacklists” to identify and block messages that contain these bogus Web links. Just one year later, the average duration of a spam URL has dropped to less than 4 hours. This means that by the time traditional block lists have identified and listed a bad URL, the spam message has already reached its targets and the spammer has moved on to sending spam using a new domain.

Spam Gets Bigger

In late 2005, spam volumes were still increasing, but the growth rate began to decline from the 100 percent-plus growth rates that spam volumes had sustained for the two previous years. But this respite was brief. Over the last six months, spam volumes have resumed their hyper growth rates. From April 2006 to June 2006 – just two months – spam volumes have surged 40 percent worldwide. At the same time, spammers are focusing the intensity of their attacks. When the sophisticated spammers launch a new wave of randomized image spam, they will typically target a specific geographical area, an ISP or even an enterprise. More than 25 percent of IronPort’s Global 2000 customer base has been hit by a targeted spam attack. When this happens, as much as 50 percent of the incoming spam at a corporation is image-based. If the filter protecting that corporation is not equipped to detect and block these highly sophisticated attacks, end-users are deluged with spam for the duration of the attack, causing severe communication disruptions and major productivity losses.

Spammers are also exploiting the domain name registration system by registering domains for a short period of time and then letting them expire before ever paying for them. In April there were over 35 million domains registered, 32 million of which were never paid for and expired after five days. This effectively brings the cost of registering a domain to zero for spammers, while overwhelming traditional URL blacklists that can’t update their lists fast enough to keep up with the surge in new domains. A summary of these trends is given below:

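| Parameter             | June 2005  | June 2006  | Change       |
|-----------------------|------------|------------|--------------|
| Image Spam Prevalence | 1%         | 12%        | 12x increase |
| Duration of Spam URL  | 48 hours   | 4 hours    | 12x faster   |
| Volume of Spam        | 30 billion | 55 billion | 83% higher   |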

Spam Gets Crushed

IronPort has invested heavily in cutting edge technology that stays in front of advanced spam tactics, resulting in the industry’s most accurate spam filter. The IronPort appliance has architectural advantages that make it highly effective against image-based spam. IronPort’s Context Adaptive Scanning Engine™ (CASE) looks at the full context of a message – analyzing “Who” the message is sent from, “Where” the message is directing end-users, “How” the message is constructed (a particularly effective technique against image spam), and “What” the message contains. In simplistic terms, a message that contains no text, uses an HTML encoding associated with spam, and is coming from an IP that is in a known consumer broadband network that has only been sending mail for 30 minutes is probably not a message an end-user wants to receive.

“IronPort's approach is to use what it calls Context Adaptive Scanning – basically, profiling image spam to look for patterns across the message, the reputation of the sender, whether or not a dynamic IP address is used, how the message is constructed and other information,” said Michael Osterman of Osterman Research. “IronPort's approach is unique—it also looks for color patterns within an image that can identify the presence of text within an image, since the vast majority of valid images sent through email rarely contain a substantial quantity of text. Using these techniques, IronPort is currently able to stop about 98% of image-based spam and still maintain the industry’s lowest false positive rate.”

True Reputation, Not a Blacklist

A key component of IronPort’s success is the investment IronPort has made in both email and web reputation systems. IronPort’s reputation database has information and a “reputation score” for every active web and email server on the Internet. This allows the IronPort appliance to analyze the trustworthiness of a given sender before they have been classified for certain as either spam or not spam. This technique allows the IronPort appliance to deal effectively with ambiguity – blocking new threats based on the reputation of the sender, not simply on the signature or contents of the message.

Cutting Through the Clutter

Nearly every vendor of spam and virus filtering has emulated IronPort and claimed to have a “reputation” system, when most are simply using blacklists. The difference comes down to accuracy. The accuracy of the IronPort appliances has led to IronPort’s adoption at more than 250 million email boxes around the world – far more than any other independent email security company.

About SenderBase

SenderBase is the world's first and largest email traffic monitoring service. SenderBase collects data from more than 100,000 ISPs, universities, and corporations around the world. SenderBase measures more than 110 different parameters for any email server on the Internet. This massive database receives more than 5 billion queries per day, with real-time data streaming in from every continent and network providers large and small. SenderBase has the most accurate view of the sending patterns of any given mail sender because of the size of the database, and conversely the database is the world's largest because of the accuracy of the data. IronPort licenses SenderBase data to the open-source community and other institutions that are participating in the fight against spam.

About IronPort Systems

IronPort Systems is the leading security gateway provider for organizations ranging from small businesses to the Global 2000. The company has developed a family of security gateway appliances, including the IronPort C-Series™ email security appliance, the IronPort S-Series web security appliance, and the IronPort M-Series security management appliance. All IronPort security gateway appliances offer breakthrough performance, unprecedented ease of use, and reduced total cost of ownership. IronPort is driving new standards and providing innovative products for those faced with the monumental task of managing, protecting, and growing mission-critical email and web systems. For more information on IronPort products and services, visit: http://www.ironport.com/.

Press / Analysts

If you are a reporter or analyst and want more information on IronPort Systems, please contact:
David Oro at (707) 558-8585 or david@orogroup.com
Suzanne Matik at (831) 479-1888 or smatick@earthlink.com