We saw some techniques spammers use to try to evade Bayesian spam filters and how the use of these techniques is making spam a bit less effective and, sometimes, even easier to detect.
But spammers know this and they won't allow their business to go down so easily. So what is the future of filter evasion? I have been thinking about some techniques which would probably evade most current filters, and perhaps it's time to prepare against them before it's too late.
The idea for this list came from a post by Vivek Jishtu where he explains how a spammer is using the Yahoo greeting cards service to send his messages without being detected by filters. This service allows anyone to send a card to someone, who will be notified by e-mail and will receive a link to a site where the card can be viewed. In this card the spammer can include arbitrary content, so he can put his spam message there, and as the card itself never passes through any filter it won't be detected. So, if the user receiving the card visits the link, he will see this (translated from Chinese by Google Translator):

With another link to the site the spammer is promoting. This is a neat trick and a difficult one to avoid. The only solution is to educate the user not to follow links coming in unexpected mails or from unknown sources.
But there are also other methods that spammers might use now or in the future (I'm not aware that any of these are currently in use, but you never know).
The first technique is copied from viruses and worms, which have used it for a long time. Instead of sending the content of the spam in the main body of the message, a ZIP file can be attached containing a text file with the advertisement from the spammer. If this becomes popular, Bayesian spam filters might be unable to detect it, as the analyzed content can contain no suspicious word and can look innocuous. To be able to analyze the spam, the filter would have to decompress the ZIP file and search for text files inside it. This can also be defeated with another technique coming from the virus world: the use of ZIP files protected with a password, like the Bagle-J virus did. The user is told to open the ZIP file using a password contained in the main body, so the filter won't be able to decompress the file but the user will.
Another technique, similar to the use of images instead of text, is sending the advertisement in an attached file in some popular file format, like PDF or Microsoft Word files. Again, the content of the main body might be totally innocuous, just asking the user to open the attached file. The filter would need to understand the file format to be able to extract the text and analyze it, which consumes resources on the computer, something that is sometimes not feasible on servers with lots of users.
These two techniques can be stopped by disallowing the use of attached files or, at least, restricting the formats accepted, as some servers already do to prevent the reception of viruses. We can also educate users not to open attached files coming from unknown sources, although I doubt this will work, as we can see from the spread of some viruses which work exactly this way.
Spammers could even go around the loop once more and send their spam inside a PDF file compressed in a ZIP file protected by a password… OK, enough, enough…
I don't know if any of these or similar techniques will be used by spammers in the near future. If they do use them, it will be harder to filter the spam but, at the same time, it will mean we are winning a battle in this war against spam. We had better be prepared before it's too late.
Of course, Bayesian filtering is not the only way to detect spam, although we have been concentrating on it. There are other techniques currently in use which might be more effective against these new attacks, and we'll see them in another post.
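As an added illustration (my own example, not code from the original post), here is a small mail-side inspector for the attachment tricks described above: it enforces an attachment allowlist, pulls text out of ZIP members so the Bayesian filter can still classify it, and flags ZIP entries whose encryption bit is set (the password-protected case the filter cannot open). The allowlist, the size cap and the sample message are assumptions constructed for the demo.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ALLOWED_ATTACHMENTS = {"text/plain"}      # hypothetical server policy
MAX_MEMBER_BYTES = 1_000_000              # guard against oversized archives
TEXT_MEMBER_SUFFIXES = (".txt", ".htm", ".html")

def zip_member_is_encrypted(info: zipfile.ZipInfo) -> bool:
    # General-purpose bit 0 of a ZIP entry marks it as password protected.
    return bool(info.flag_bits & 0x1)

def inspect_message(raw: bytes) -> dict:
    """Return texts for the classifier plus policy findings for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"disallowed": [], "encrypted_zip": [], "texts": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment" and ctype not in ALLOWED_ATTACHMENTS:
            findings["disallowed"].append(part.get_filename())
        if ctype in ("application/zip", "application/x-zip-compressed"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for info in zf.infolist():
                        if zip_member_is_encrypted(info):
                            findings["encrypted_zip"].append(info.filename)
                        elif (info.filename.lower().endswith(TEXT_MEMBER_SUFFIXES)
                              and info.file_size <= MAX_MEMBER_BYTES):
                            # Feed the hidden text to the Bayesian filter instead of the body only.
                            findings["texts"].append(zf.read(info).decode("utf-8", "replace"))
            except zipfile.BadZipFile:
                findings["disallowed"].append(part.get_filename())
        elif ctype == "text/plain":
            findings["texts"].append(part.get_content())
    return findings

def build_sample_message() -> bytes:
    # Constructed sample: innocuous body, advertisement hidden in an attached ZIP.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("offer.txt", "Buy cheap pills now! Visit our site.")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "user@example.com", "Document"
    msg.set_content("Hi, please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="offer.zip")
    return msg.as_bytes()
```

The returned `texts` list is what you would hand to the Bayesian classifier; `disallowed` and `encrypted_zip` are the cases the policy rejects outright because the filter cannot see inside them.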