It's 6pm, Time for Your Daily Dose of Spam!

Anyone who has received telemarketing calls at dinner time knows just how annoying these intrusions can be. One solution is to ask the caller to add your number to the call center's permanent do not call list. But don't be surprised if the telemarketer feigns ignorance of laws requiring them to honor such requests.

Spammers are not troubled by such legal impediments. It is simply too easy for a spammer to acquire everything needed to promote their schemes (scams?) outside of the recipients' legal jurisdiction. Even if the sender is in the same jurisdiction, law enforcement is so under-funded and under-resourced that the successful prosecution of a spammer is still a newsworthy event.

Just as you expect antivirus vendors to stay on top of the latest attack vectors, antispam companies expend significant resources analyzing spam attacks and developing defenses against them. One of the more interesting attacks we've witnessed recently is persistent nightly spamming. Spammers have adopted this strategy because:

  • Targets are less likely to have people on staff after hours; so spammers need only overcome automated defenses
  • Users clearing their in-basket in the morning are more likely to read suspect messages and fall victim to their scams

A 7-day activity graph for a site that was methodically attacked by a spammer attempting to overwhelm, and thereby defeat, e-mail defenses illustrates this style of attack:

[Figure: 7 day spam volume showing nightly attacks]

Figure 1 - Persistent nightly attacks. Green/Yellow - wanted mail. Red/Blue - unwanted mail.

The nature and size of the attack clearly displays the spammer's intentions. Using a coordinated effort from hundreds of spam sources, the spammer:

  1. Attacks at the end of the day when staff is either busiest, or has left for the day
  2. Raises spam traffic (red, blue) by 5-7+ times legitimate mail volumes in an attempt to overwhelm antispam defenses
  3. Evades detection by not attacking during the day, even on weekends!

Spammers know that many antispam products simply cannot handle a 5-10 fold increase in e-mail volume. They also know that, because e-mail is so critical, customers usually configure antispam products to allow all e-mail through if a filter fails.
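The pattern described above can be checked for in a mail gateway's hourly counters. The following is an added example, not PerfectMail code: the 08:00-18:00 business hours, the median daytime baseline, the three-night threshold and the sample counts are all assumptions constructed for illustration.

```python
from statistics import median

BUSINESS_HOURS = range(8, 18)   # assumption: staff on site 08:00-17:59
RATIO = 5.0                     # article: spam at 5-7+ times legitimate volume


def make_sample():
    """Constructed hourly counts for 7 days: (day, hour, wanted, unwanted)."""
    rows = []
    for day in range(7):
        for hour in range(24):
            daytime = hour in BUSINESS_HOURS
            wanted = 200 if daytime and day < 5 else 20   # quiet nights/weekends
            unwanted = 150                                # background spam level
            if hour >= 18 and day != 3:                   # evening burst, skipping day 3
                unwanted = 1400
            rows.append((day, hour, wanted, unwanted))
    return rows


def flag_attack_hours(rows, ratio=RATIO):
    """Return (baseline, {day: [hours]}) for after-hours slots where unwanted
    mail is >= ratio x the typical business-hours legitimate volume."""
    baseline = median(w for _, h, w, _ in rows if h in BUSINESS_HOURS)
    flagged = {}
    for day, hour, _, unwanted in rows:
        if hour not in BUSINESS_HOURS and unwanted >= ratio * baseline:
            flagged.setdefault(day, []).append(hour)
    return baseline, flagged


def persistent_nightly(flagged, min_hours=3, min_nights=3):
    """Return (nights, is_persistent): nights with at least min_hours flagged
    hours, and whether there are at least min_nights of them."""
    nights = sorted(d for d, hours in flagged.items() if len(hours) >= min_hours)
    return nights, len(nights) >= min_nights


if __name__ == "__main__":
    baseline, flagged = flag_attack_hours(make_sample())
    nights, persistent = persistent_nightly(flagged)
    print(f"baseline legitimate mail/hour: {baseline}")
    for day in nights:
        print(f"day {day}: after-hours spike in hours {flagged[day]}")
    print("persistent nightly attack" if persistent else "no persistent pattern")
```

Comparing against the daytime legitimate baseline, rather than the same hour's wanted mail, avoids flagging every quiet night simply because little legitimate mail arrives then.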

Why do spammers employ directed spam attacks? Simple: these attacks work. If you've ever experienced elevated spam volumes, congested e-mail servers or significant delays in forwarding mail, then you've likely fallen victim to a directed spam attack.

E-mail server products (such as MS Exchange™, Novell GroupWise™ or Lotus Domino™) do not provide comprehensive antispam protection and traffic analysis tools, so administrators cannot use these products to analyze spam attacks. To provide effective protection from spam attacks, organizations must supplement their e-mail infrastructure with antispam defenses that can:

  • Withstand large, sustained spikes in e-mail traffic
  • Provide protection without delaying legitimate e-mail traffic (so important mail doesn't languish in a queue)
  • Monitor and display activity in real time
  • Chart attack patterns and progress
  • Maintain filter accuracy and consistency so that unwanted e-mail doesn't pass through the filter

Because spam volumes vary so widely, it is critical that you test drive any potential antispam solution before you buy. You should ask your supplier for a free 30-day trial period (if asked, reputable vendors will comply). Have your administrator monitor the product during the trial, looking for spikes in e-mail volume. If you experience unexpected traffic patterns, and you will, check to see if your filter handles them gracefully. Did the product:

  • Perceptibly delay e-mail delivery during spikes or extended queues?
  • Experience contention on any of CPU, memory or disk, such as running at 100% utilization, that might lead to delays?
  • Fail, stop or reboot at any time, which is a sure sign of overloading?
  • Lose any e-mail due to stress?
  • Suffer a reduction in filter effectiveness during the spike?

If the answer to any of these questions is yes, you should consider a larger appliance or another product. Don't play into the spammers' hand by deploying or keeping an under-sized antispam solution that can't reliably withstand the stress of a concerted spam attack.

________________

I hope you found this article useful. My intent is to help organizations understand, assess and effectively defend against e-mail threats. I would like to receive your thoughts on this article. Please direct your comments by e-mail to Larry Karnis.


© 2006 by Larry Karnis and XPMsoftware. All rights reserved. Permission is hereby granted to quote from this article in whole or in part, or to reproduce this article by any means as long as the author and XPMsoftware receive appropriate attribution.

About the Author

Larry Karnis is the president of XPMsoftware, the developer of PerfectMail Antispam and Antivirus appliances. Larry has spent the last 7 years focused on e-mail security best practices and e-mail security solutions. Before that, Larry worked as an IT infrastructure and security consultant, software engineer with multiple commercial products to his credit, and as a professional IT trainer.

Comments on this article should be directed to lkarnis@xpmsoftware.com.

For More Information

XPMsoftware Inc.
www.xpmsoftware.com
Toll Free(888) 451-3131
Direct(905) 451-9488
Facsimile(905) 451-7823
© 2003-2007 XPMsoftware Inc.
All rights reserved.

Last Updated: Friday July 30, 2010