Bot Wars: The Spam Bots Strike Back

By Todd Wasserman

Email is an indispensable tool for most organizations, but it's also the source of more and more headaches for CIOs as spammers continue to up the ante with new technologies.

Analysts who study email and spam agree there's nothing that can be done to block 100% of all spam. Instead, spam might be likened to diabetes, a chronic condition that can be managed but not eradicated. However, spam is not only dangerous because it can result in the transmission of viruses, worms and other threats, but it also diverts essential computing power. And the advent of new types of spam -- including image spam and botnet spam -- is now slowing down the Internet connections upon which organizations have come to rely.

"We're continuing to hear that around 90 to 95% of email is spam and the spammers are using a bunch of new techniques to break in," says Arabella Hallawell, a vice president of research for Gartner. "It's really slowing connections and eating up a lot of bandwidth."

New flavors of spam
One reason for the increase in spam is botnets, which are ordinary desktop computers that are taken over by a virus that churns out spam. Vint Cerf, one of the co-developers of the Internet protocol standards, estimates that between 100 million to 150 million of the world's 600 million or so PCs are part of botnets. Most organizations don't even realize their computers may be part of botnets. That's troublesome because a concentrated botnet denial-of-service (DoS) attack can cripple a network by flooding it with data and preventing legitimate network traffic.

The other major email threat is image spam, which was devised to foil filters looking for specific spam keywords. But when such text is presented in a JPEG or PDF format, such text-seeking filters are rendered useless.

One way to battle image spam has been to look for "signatures" like a certain color scheme, but spammers have gotten wise to that tactic and have created "snowflake spam," in which every image is unique, at least from a spam filter's viewpoint. Thanks to its ability to confound filters, image spam has grown in popularity. Some firms estimate that up to 30% of all spam today is image spam.

Ways to limit image spam and botnets
What can a CIO do to limit image spam and exposure to botnets? Analysts suggest the following methods:

• Block all image-based spam, except those that come from pre-approved email addresses. This method is likely the most effective, although it may be too extreme for many organizations. The danger of using such a blunt instrument is that legitimate emails will inevitably be trashed along with the spam. "That's really kind of a hammer to crack a nut," says Natalie Lambert, a senior analyst with Forrester Research. One variant on this is greylisting, where a software system flags potential spam and lets users determine if it should be blacklisted.
• Use reputation analysis, a technique that traces the source of the spam and creates a blacklist of spam addresses. Reputation analysis is considered to be a CIO's best weapon against spammers. Instead of looking for keywords or signatures, reputation analysis programs map out the route an email travels by assessing the IP address of the connecting host and the emailer's address. Hallawell says reputation analysis or "reputation management" is one of the most effective ways to fight spam: "You can block 30 to 70% of spam just like that."
• Limit the server's exposure to email. Another way of reducing the spam threat is by denying direct access to an email server. That can be done with a firewall or an email appliance, which is a hardware device used to handle emails.
• Outsource all email functions. In some cases, it might make sense to outsource email, the argument being that spam has grown too complex for most IT departments. There are two downsides to this approach, though: cost and privacy. Outsourcing email can cost thousands of dollars a month, but privacy may ultimately be a bigger concern. "This is one of the areas that can very easily be outsourced," Lambert says. "But some organizations don't want that email to hit anyone but themselves."

Whatever method of fighting the new strains of spam that a CIO decides is best for the organization, analysts note that it is important to address the threats now.

"The sheer magnitude of what botnets can do is frightening," Lambert says. "They are often the source of a big phishing or spam attack."

Todd Wasserman has more than 15 years' experience writing for The New York Times, The Industry Standard and Business 2.0, among other publications. He is currently news editor for Brandweek magazine.