Innovative Spam Defense
Christine Drake, Global Product Marketing Manager
Christine_Drake@trendmicro.com
Agenda
Based on the Radicati white paper “Trend Micro Anti-Spam: Innovative Defense against Evolving Spam”:
• Evolution of spam and anti-spam techniques
• Trend Micro’s anti-spam technologies and products
Independent benchmarks by Opus One:
• Benchmark tests of popular anti-spam solutions
Evolution of Spam
Spam is very profitable:
• Spammers can reach a wide audience at minimal cost
• They need only a marginal response to make a profit
• People continue to purchase items through spam
  • Especially for embarrassing or private items
• Spam methods are also used by criminals for fraud and theft
• Spammers are willing to invest resources to bypass spam filters
There is an adversarial relationship between spam and anti-spam solutions, each adapting to the other’s techniques.
The Beginning of Spam
• Spam started in the early 1990s
• Originally, spammers sent simple emails to promote a product or service
• There were no anti-spam filters, so no spam tricks were needed to get into the inbox
The Creation of Anti-Spam Filters
As spam increased to an annoyance, anti-spam filters were created:
• Simple blacklists and whitelists
• Content filtering looking for specific words
• Context filtering looking for keywords within a defined context
Spammers quickly adapted:
• Blacklists/whitelists became ineffective
  • Error prone when based on end-user submissions
  • Don’t work with zombies and botnets
• Tricks were used to obscure spam words
  • Symbols instead of letters (vi@gra)
  • Spaces, dashes, etc. were put between letters (v i a g r a, v-i-a-g-r-a)
  • Words were spelled out vertically
  • And many more…
Botnets
• Zombies
  • Computers that are infected with bot code
  • Infected unbeknownst to their owners
  • Hijacked for the hacker’s use
  • Approximately 16-25% of computers are zombies [1]
• Botnets are a network of zombie computers
  • Managers of botnets are called bot herders
  • Can manage based on bandwidth, location, and other attributes
• Why use botnets?
  • Zombie machines can harvest address information as well as send out spam, DDoS attacks, more bot code, and other threats
  • They steal the resources of the infected computers
  • Can send out mass quantities of spam (approx. 80% of all spam)
  • They hide the true email senders
[1] Source: Weber, Tim. “Criminals ‘May Overwhelm the Web’.” BBC News, 25 January 2007.
Content Filtering Tricks
Simple content filtering tricks:
• Marks between letters in the subject line
• Vertical lettering
• Replacing letters with symbols
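The two slides above describe the obfuscation tricks that defeated plain keyword filters: symbols for letters, separators between letters, and vertical spelling. As an added example (not code from the presentation or from Trend Micro), the normaliser below undoes each trick before a keyword lookup; the symbol table and the separator set are assumptions chosen for the illustration.

```python
import re

# Constructed symbol-for-letter table (an assumption for this example,
# not Trend Micro's rule set); used only for matching, never for display.
SYMBOL_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})

# A word of 3+ single characters separated by spaces, dashes, dots, underscores or stars.
SPACED_WORD = re.compile(r"\b(?:\w[ \-._*]){2,}\w\b")
SEPARATORS = re.compile(r"[ \-._*]")


def join_vertical(text: str) -> str:
    """Join runs of lines that each hold one character (vertical spelling)."""
    out, run = [], []
    for line in text.splitlines():
        s = line.strip()
        if len(s) == 1 and s.isalnum():
            run.append(s)
            continue
        if run:
            out.append("".join(run))
            run = []
        out.append(line)
    if run:
        out.append("".join(run))
    return "\n".join(out)


def collapse_spaced(text: str) -> str:
    """Collapse 'v i a g r a', 'v-i-a-g-r-a' or 'v.i.a.g.r.a' into 'viagra'."""
    return SPACED_WORD.sub(lambda m: SEPARATORS.sub("", m.group(0)), text)


def normalize(text: str) -> str:
    """Undo the three obfuscation tricks in order, then lowercase for matching."""
    text = join_vertical(text)
    text = text.translate(SYMBOL_MAP)
    text = collapse_spaced(text)
    return text.lower()


def keyword_hits(text: str, keywords) -> list:
    """Return the filter keywords that are present once the text is normalised."""
    norm = normalize(text)
    return [k for k in keywords if k in norm]
```

Run the keyword list against `normalize(text)` rather than the raw message; the raw text is still what gets delivered or quarantined.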
Signature Filtering
• Spammers: originally sent out one spam email in mass quantities
• Anti-spam vendors: used spam signatures or “fingerprints” to block similar copies
• Spammers: templates to randomize spam characteristics, making each email unique
Heuristics and Statistical Filters
• Heuristics
  • Rule-based approach that looks for spam indicators
  • Not just keywords: any indicator of spam
  • Can look for “tricks”
  • Must be well written and kept up to date
• Statistical filters
  • Statistical approaches to identifying spam
  • Calculate an overall “score” for the email
  • Use datasets to “train” a filter to determine spam probability
  • Must be well tuned / well trained and based on updated datasets
Fooling Statistical Filters
• Continue to obscure spam indicators
• Some emails add extra text to spam to dilute the value of spam indicators
Image Spam
• Conveys spam message through an image
  • Not text in the body of the email
• Approx. 40% of all spam [1]
• Image spam is 10x larger than a typical text email [1]
[1] Source: Osterman Research. Image Spam and New Threats Summit Webinar, conducted on 10 January 2007.
Randomized Image Spam Characteristics
• Spam template: randomizes spam elements like background and text colors, dimensions, and other characteristics
• Makes each email unique
Email Reputation Services
Reputation filters:
• Block the IP addresses of known spammers
• Do not need to analyze content
• Do not need to let email onto the network to scan
• Keep email threats completely off of the network
Effective reputation services:
• Continually analyze sending behavior
• Collect email histories and samples (auditable process)
• Update lists to stop zombies and restore reputation when clean
• Keep the majority of spam off of the network, securing networks and saving costly network resources
A critical component to combating current spam volumes.
Trend Micro Anti-Spam Technologies
• Email Reputation – first line of defense
  • Global and dynamic reputation services
  • Blocks up to 80% before entering the network, including zombies
• IP Profiler – customer-specific protection
  • Customer-specific reputation services based on company email traffic
  • Firewall against DHA (directory harvest attack) and bounced email attacks
• Anti-Spam Composite Engine – guards the inbox
  • Stops any remaining spam before it enters the inbox
  • Integrates anti-spam technologies, including image spam detection
Email Reputation
• Global: verifies IP addresses against the world’s largest, most trusted reputation database (over 1.6 billion addresses)
• Dynamic: identifies new spam and phishing sources, stopping even zombies and botnets when they first emerge
Fights off spam at the source:
• Stops spam before it enters the gateway
• Threat Prevention Network assures 100% availability, millisecond responses
• Uses email samples and sender histories for accurate, auditable reputations
• Leaves only a small percentage of mail to be filtered by traditional scanning
• Saves bandwidth, storage, and other network resources
Reputation Services – Administrative Console
Industry-leading insight and control:
• Global spam update
• Spam reports
• Spam volume for 100 top ISPs
• Block lists by country or ISP using easy drop-down menus
IP Profiler – Customer-Specific Reputation Services
Threat types profiled: spam, virus, DHA attacks, bounced mail
Customers set thresholds:
• Duration monitored
• Percentage of email threat
• Total mails for a relevant sample
• Triggering actions – what happens when these thresholds are met (block temporarily or block permanently)
Provides customer-specific reputation services by blocking IP addresses that exceed the set thresholds; also keeps threats completely off the network.
IP Profiler – Firewall against DHA and Bounced Mail Attacks
IP Profiler applies additional information to block DHAs:
• Number of recipients that can be listed in an email
• Number of non-existing recipients (this technology is LDAP integrated)
IP Profiler also conducts other behavioral analysis to create the firewall.
IP Profiler – How It Works
• Records all inbound and outbound SMTP traffic
• Reports records on email traffic from each IP address to a database
• The emails are scanned by the anti-spam composite engine
• The results of the scanning engine are reported to the database
• The traffic from the IP address is profiled by cross-referencing the recorded traffic with the scanned results (for example, total messages from the IP address vs. spam messages from the IP address)
• This outcome is compared against the user thresholds
• If the outcome exceeds the thresholds, the trigger action is applied: Block Permanently (SMTP 5xx) or Block Temporarily (SMTP 4xx)
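The three IP Profiler slides above (thresholds, DHA indicators, and the record / scan / cross-reference / trigger flow) describe a per-sender behavioural profile. The model below is an added example, not Trend Micro's code: it keeps a sliding window of records per IP, cross-references message counts with engine verdicts and unknown-recipient counts, and returns the 4xx or 5xx reply once the configured thresholds are exceeded. The threshold names, the in-memory recipient list standing in for the LDAP lookup, and the reply strings are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Thresholds:
    window_seconds: int       # duration monitored
    min_sample: int           # total mails needed for a relevant sample
    max_spam_pct: float       # percentage of email threat that triggers
    max_bad_rcpt_pct: float   # share of non-existent recipients (DHA indicator)
    permanent: bool           # trigger action: block permanently (5xx) or temporarily (4xx)


class IPProfiler:
    """Assumed model of the profiler; valid_recipients stands in for the LDAP directory."""

    def __init__(self, thresholds, valid_recipients):
        self.t = thresholds
        self.valid = set(valid_recipients)
        self.events = defaultdict(deque)  # ip -> deque of (ts, is_spam, n_rcpt, n_bad)

    def record(self, ip, ts, recipients, is_spam):
        """Record one message from ip: timestamp, RCPT TO list, composite-engine verdict."""
        n_bad = sum(1 for r in recipients if r not in self.valid)
        q = self.events[ip]
        q.append((ts, is_spam, len(recipients), n_bad))
        cutoff = ts - self.t.window_seconds
        while q and q[0][0] < cutoff:  # drop records outside the monitored duration
            q.popleft()

    def profile(self, ip):
        """Cross-reference traffic with scan results: (total, spam %, bad-recipient %)."""
        q = self.events[ip]
        total = len(q)
        if total == 0:
            return 0, 0.0, 0.0
        spam_pct = 100.0 * sum(e[1] for e in q) / total
        rcpts = sum(e[2] for e in q)
        bad_pct = 100.0 * sum(e[3] for e in q) / rcpts if rcpts else 0.0
        return total, spam_pct, bad_pct

    def decision(self, ip):
        """SMTP reply for the next connection from ip, or None to keep accepting."""
        total, spam_pct, bad_pct = self.profile(ip)
        if total < self.t.min_sample:
            return None  # not yet a relevant sample
        if spam_pct < self.t.max_spam_pct and bad_pct < self.t.max_bad_rcpt_pct:
            return None
        return "550 5.7.1 Blocked" if self.t.permanent else "450 4.7.1 Try again later"
```

A DHA sender is caught by the bad-recipient ratio even when the content engine marks nothing as spam, which is the point of the slide's LDAP integration.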
IP Profiler Management
• Manage currently monitored IP addresses
• Display logs
  • Total spam emails
  • Total malicious attempts
  • Total connections
  • Percentage of malicious attempts in the overall number of connections
• Select IP addresses and permanently or temporarily block them
• Create global white/black lists for IPs/domains (applies to both NRS and IP Profiler)
Trend Micro Anti-Spam Engine
The Trend Micro anti-spam composite engine uses a “cocktail” approach to block both spam and phishing emails:
• Statistical analysis
• Advanced heuristics
• Signature filtering
• Whitelists/blacklists
• Detection for multiple languages
• Patent-pending image spam detection technology
Industry-proven technology: install base of over 25 million seats over the past four years.
Image Spam Detection
Patent-pending image spam detection:
• Boils down to the core of the email; for example, strips out background and text colors, dimensions, and other randomized elements
• Enables just a few main signatures to stop all of the numerous variations
Embedded URL Filtering
Blocks emails with dangerous URLs. Threats span across email and the Web; emails can contain links to:
• Spam sites
• Phishing sites
• Sites with dangerous downloads
Trend Micro leverages its expertise in reputation services:
• Emails with links to “bad” sites are blocked
• Prevents employees from clicking on links and falling victim to Web threats
Small-Medium Business Gateway Protection
Worry-free protection:
• InterScan Gateway Security Appliance
• InterScan VirusWall, software solution
All-in-one gateway security, with email and Web protection:
• Anti-spam
• Antivirus
• Anti-spyware
• Anti-phishing
• Content filtering
• Web filtering
Anti-spam technologies:
• Email Reputation
• Trend Micro anti-spam composite engine
InterScan Messaging Security Solutions
Enterprise gateway email security:
• InterScan Messaging Security Suite
• InterScan Messaging Security Appliance
• InterScan Messaging Hosted Security
All three solutions provide comprehensive email security:
• Anti-spam
• Antivirus
• Anti-spyware
• Anti-phishing
• Content filtering
InterScan Messaging Security Solutions use all three Trend Micro anti-spam technologies:
• Email Reputation
• IP Profiler
• Trend Micro anti-spam composite engine
ScanMail Protection for Mail Servers
Mail server protection:
• ScanMail for Microsoft Exchange
• ScanMail for Lotus Domino
Comprehensive email and mail store protection:
• Anti-spam
• Antivirus
• Anti-spyware
• Anti-phishing
• Content filtering
Anti-spam technologies:
• Trend Micro anti-spam composite engine
Email Reputation Services
Standalone reputation services:
• Email Reputation Services Standard (global database)
• Email Reputation Services Advanced (global and dynamic)
• Email Reputation Services Hosted (global and dynamic)
• First line of defense
• Can be purchased separately
• Compatible with nearly all popular MTAs
• Can be deployed with numerous solutions
Trend Micro Enterprise Protection Strategy – A Complete Network Security Framework
Trend Micro Control Manager:
• Enforce security policy on every network device
• Monitor the network and Internet for potential threats
• Customized and comprehensive centralized management
• Recover via automated cleanup of viruses, worms, Trojans, and spyware
• Prevent damage by stopping threats
Gateway Anti-Spam Benchmarks
Independent anti-spam benchmarks:
• Trend Micro #1 in anti-spam effectiveness
• Highest catch rate and a competitive false positive rate at the gateway
• IP Profiler will increase the effectiveness even further
Based on independent anti-spam benchmark tests conducted by Opus One, Inc. Testing methodology can be retrieved from: http://www.opus1.com/www/whitepapers/antispamfeb2007.pdf
Standalone Reputation Services Benchmarks
Independent anti-spam benchmarks:
• Trend Micro #1 in catch rate for standalone reputation services
• Advanced has the highest catch rate
• Standard has a competitive catch rate with zero false positives
Based on independent anti-spam benchmark tests conducted by Opus One, Inc. Testing methodology can be retrieved from: http://www.opus1.com/www/whitepapers/antispamfeb2007.pdf
Join Our Messaging Community
Trend Micro’s messaging site: http://messagingsecurity.trendmicro.com
• White papers
• Podcasts
• Blogs
• Opportunity to comment