Spam Fighters Turn To Profiling As Tax Deadline Looms

It's tax day (for those not hit by this weekend's nor'easter, that is), and you know what that means -- exponentially more opportunities for law-abiding citizens to be duped by spammed e-mails directing unsuspecting tax payers to bogus online tax filing sites. While the Internal Revenue Service has already warned taxpayers of online scams to lure them into filing tax information on a site masquerading as a member of the Free File Alliance, new and increasingly more creative attempts at spam are making their way to an inbox near you.

One tactic creeping its way onto the radar screen is to avoid antispam filter detection by changing the size of the graphics in consecutive image spam messages. That way, if one message containing a .jpeg or .gif file attempting to lure to you a malware-infested site is shot down by a spam filter, the next message, whose graphic image would be a different size and located in a different place within the body of the e-mail, might not get caught. Spammers can likewise make subtle alterations to IP addresses and domain names in consecutive e-mails to attempt to fool antispam filters.

While these approaches aren't brand new, the speed with which spammers change and even combine tactics could cause problems for spam filters that rely on blacklisting to catch bogus messages.

"In the past, spammers would use one technique until it didn't work anymore," said Stephen Pao, Barracuda Networks' VP of product management. "Now, spammers have hundreds of variations of a particular e-mail that they want to go out and are blending techniques over the course of days, hours, and even minutes."

Barracuda Tuesday introduced "predictive sender profiling" capabilities as part of the firmware for its Spam Firewall appliances. Much the way some intrusion-prevention systems can block network-based attacks based upon data streams that behave abnormally, Barracuda's profiling tactic is designed to block e-mails that smell fishy but whose IP addresses or domain names haven't been blacklisted.

Barracuda's Spam Firewall appliance now looks for network addresses sending out significantly more e-mails than usual, SMTP connection attempts from e-mailers sending too many messages to invalid e-mail addresses, recently registered domains that immediately send out blast e-mail campaigns, and the use of free Internet services to redirect users to known spam domains. This is significant because spammers have learned to obfuscate their identities by registering new domains or redirecting spam Web domains through reputable sites such as Geocities or Blogspot, which wouldn't be blacklisted by spam filters.

The blacklisting approach to antispam relies on a spam filter knowing whether a particular IP address or domain name has a good or a bad reputation. If such an address or name hasn't been around long enough to make a blacklist, it's more likely to bypass a company's spam defenses. "We've seen a 10% reduction of spam e-mail that can be detected using reputation analysis," Pao said. "As 2007 has gotten underway, we've seen identity obfuscation as the newest trend in spam. We have to profile senders and predict their behavior."

Barracuda isn't the only security vendor to include proactive profiling in its antispam technology, yet it's still a relatively new approach. IronPort Systems, in the process of being acquired by Cisco, offers its Context Adaptive Scanning Engine, which examines the context of a message and combines it with the sender's known reputation before filtering spam.

Secure Computing's TrustedSource software likewise integrates and correlates signature- and content-based detection techniques within its antispam engine. Elitecore Technologies' Cyberoam appliances, Postini's e-mail security services, and other antispam technologies likewise use heuristics to monitor suspicious e-mail traffic to determine spam probability based on context, and dozens more are moving in this direction.

The problem is that catching spam will continue to be a numbers game as spamming techniques continue to evolve, said Gartner research director Peter Firstbrook. "While the most effective spam filters will catch 98% of spam, their effectiveness may drop down to 90% following a new spam campaign," he added. "The real test of a spam solution is its ability to roll with the punches over time."

This includes keeping an eye out for sneaky spammers looking to take advantage of procrastinating taxpayers. So be warned -- the IRS isn't likely to be contacting you today; that'll come later if you miss tonight's filing deadline.