Richi'Blog
Stuff 'n' nonsense about email, spam, travel, and life in the UK.

Wednesday, April 30, 2008

Your Reputation in Peril: Use Outbound Spam Filtering

Whether or not you or I believe BorderWare's amazing claim that it filters 98% of spam using reputation alone, it's clear that reputation is increasingly important.

No surprise there, but what's the implication for legitimate email users?

As more and more spam filtering relies on your reputation as an email sender, your reputation gets more and more important. Lest we forget, most spam is sent by malware-infected zombies, some of which could be on your network.

That's why outbound spam filtering is increasingly important. It's not just about being a good 'net citizen -- you need it to protect your reputation.

If you don't keep a lid on spam exiting your network, your reputation will be trashed. In crude terms, your outbound IP addresses will be blacklisted, meaning your ability to send email to your legitimate business contacts will be severely limited.

If a few of your users are unwittingly sending spam, then all of your users will have serious trouble sending legitimate email.

Of course, an outbound spam filter can't, by definition, use sender reputation: every sender it sees is on your own network, so there's no third-party reputation to consult. It has to rely primarily on content filtering (and on behavioural signals, such as a workstation that suddenly starts talking SMTP to the whole Internet). Those who claim that reputation is the be-all-and-end-all of spam filtering are missing an important point.
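As an added illustration of the behavioural side of outbound control (this is example code written for this page, not code from the post, from Proofpoint or from any vendor mentioned here), the script below reads a constructed one-minute egress log and flags internal hosts that open direct-to-MX connections. The log format, the host addresses, the authorized-relay list and the thresholds are all assumptions made for the example:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an egress log covering one minute. The format is an
# assumption for this example:  <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>
# 10.0.0.5 is the organization's authorized outbound relay, 10.0.0.77 is a
# workstation that has begun spraying SMTP connections at many remote hosts,
# and 10.0.0.9 is a workstation that opened a single port-25 connection.
SAMPLE_LOG = """\
2008-04-30T09:00:01 10.0.0.5 -> 192.0.2.10:25
2008-04-30T09:00:04 10.0.0.5 -> 198.51.100.20:25
2008-04-30T09:00:09 10.0.0.5 -> 192.0.2.10:25
2008-04-30T09:00:10 10.0.0.77 -> 203.0.113.1:25
2008-04-30T09:00:11 10.0.0.77 -> 203.0.113.2:25
2008-04-30T09:00:11 10.0.0.77 -> 203.0.113.3:25
2008-04-30T09:00:12 10.0.0.77 -> 203.0.113.4:25
2008-04-30T09:00:12 10.0.0.77 -> 203.0.113.5:25
2008-04-30T09:00:13 10.0.0.77 -> 203.0.113.6:25
2008-04-30T09:00:14 10.0.0.77 -> 203.0.113.7:25
2008-04-30T09:00:15 10.0.0.77 -> 203.0.113.8:25
2008-04-30T09:00:20 10.0.0.9 -> 192.0.2.50:443
2008-04-30T09:00:21 10.0.0.9 -> 192.0.2.10:25
"""

# Constructed: the only hosts allowed to speak SMTP to the outside world.
AUTHORIZED_RELAYS = {"10.0.0.5"}


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    dst_ip, _, port = parts[3].rpartition(":")
    if not port.isdigit():
        return None
    return datetime.fromisoformat(parts[0]), parts[1], dst_ip, int(port)


def analyze(log_text, relays=AUTHORIZED_RELAYS, conn_threshold=5, fanout_threshold=3):
    """Return {src_ip: finding} for non-relay hosts seen talking to port 25.

    Thresholds are illustrative: a workstation has no reason to open several
    direct-to-MX connections to distinct remote hosts within one minute.
    """
    conns = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 25:
            continue
        _, src, dst, _ = rec
        conns[src] += 1
        dests[src].add(dst)

    findings = {}
    for src, count in conns.items():
        if src in relays:
            continue  # the relay is expected to be busy; it is monitored separately
        reasons = ["port-25 egress from a host that is not an authorized relay"]
        if count >= conn_threshold:
            reasons.append(f"{count} SMTP connections (threshold {conn_threshold})")
        if len(dests[src]) >= fanout_threshold:
            reasons.append(f"{len(dests[src])} distinct destinations (threshold {fanout_threshold})")
        severity = "high" if len(reasons) > 1 else "low"
        findings[src] = {"connections": count, "destinations": len(dests[src]),
                         "severity": severity, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, finding in sorted(analyze(SAMPLE_LOG).items()):
        print(host, finding["severity"], "; ".join(finding["reasons"]))
```

Run as a script it prints one line per flagged host. The policy it encodes is the one MAAWG recommends: workstations should not be speaking SMTP to remote port 25 at all, so a single connection from a non-relay is worth a low-severity look, and a burst to many distinct destinations is the signature of a zombie that needs to be contained before the relay's reputation suffers for it.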

With thanks to Proofpoint's Andrew Lochart and David Stanley, for a stimulating conversation last week.


Wednesday, April 09, 2008

BorderWare claim: Amazing Reputation Filtering (RSA)

BorderWare is making a very interesting claim. It seems to be blocking an enormous proportion of its customers' inbound spam simply using IP reputation.

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare's quoted statistic is 98.3%. Wow, that's a lot -- especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally "expensive".

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (BSN, or "BorderWare Security Network" -- soon to be rebranded as "Reputation Authority").

These days, new zombie spam sources don't hang around to be detected; they start sending as soon and as fast as they can -- the botmasters have realized that a fresh, undetected spam source is far more effective than an old, known one. Minutes count; in the spam economy, time is money.
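For readers who have not looked at what an IP-reputation check actually does on the wire, here is an added example (example code written for this page, not BorderWare's or any vendor's code): the client reverses the octets of the connecting IP, appends the list's zone, and does an ordinary DNS A lookup. The zone names, the answers and the offline resolver table are constructed placeholders; the 127.0.0.0/8 convention for listing answers is the one documented in RFC 5782.

```python
import ipaddress
import socket

# Constructed stand-in for DNS. Keys are DNSBL query names, values are the A
# records a lookup would return; a missing key stands for NXDOMAIN. Zone names
# and answers are placeholders, not any real list.
FAKE_DNS = {
    "9.113.0.203.zombies.bl.example": ["127.0.0.2"],   # listed as a spam source
    "9.113.0.203.policy.bl.example": ["127.0.0.11"],   # listed as dynamic/consumer space
    "7.100.51.198.zombies.bl.example": ["10.9.8.7"],   # answer outside 127/8: broken zone
}
ZONES = ("zombies.bl.example", "policy.bl.example")


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.1 -> 1.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_resolve(name):
    """Offline resolver backed by FAKE_DNS; [] means not listed."""
    return FAKE_DNS.get(name, [])


def socket_resolve(name):
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_reputation(ip, zones=ZONES, resolve=fake_resolve):
    """Query every zone for ip.

    A listing is an A record inside 127.0.0.0/8 (the convention RFC 5782
    documents). Any other answer is recorded as an anomaly rather than a
    listing, so a dead or wildcarding zone cannot silently block all mail.
    """
    result = {"listed": False, "hits": [], "anomalies": []}
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
                result["hits"].append((zone, answer))
            else:
                result["anomalies"].append((zone, answer))
    result["listed"] = bool(result["hits"])
    return result


def reputation_stage(ip, resolve=fake_resolve):
    """First-stage verdict: reject on a listing, else hand off to content filtering."""
    return "reject" if check_reputation(ip, resolve=resolve)["listed"] else "content-filter"


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.7", "192.0.2.1"):
        print(ip, reputation_stage(ip), check_reputation(ip))
```

Two points worth noting. The check costs one DNS round trip per zone and no message content, which is why a high reputation hit rate is such a saving compared with Bayesian analysis. And the anomaly branch matters: a list that is shut down and starts answering every query with a wildcard, or whose domain lapses, would otherwise turn into a filter that rejects everything, so a resolver result outside 127.0.0.0/8 should be logged and ignored, not treated as a listing.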


Proofpoint has a Reminder: It's Still Here (RSA)

Proofpoint has a new VP of marketing, and not a moment too soon. Andrew Lochart is the first to admit that his new employer has been very quiet recently, and he aims to change that.

Aside from the recent $20 million funding round and the additional 40 employees hired already this year, he reminds us that Proofpoint recently launched a hosted email security service, Proofpoint On Demand. This means that Proofpoint now offers its technology as a service, as software, as an appliance, and as a virtual appliance (a virtual-machine image of the appliance).

Sticking with what seems to be a "hybridized" theme, customers can mix and match the different form factors, while still managing them all from a single console. Handy, that.


Tuesday, April 08, 2008

Trend Micro's Hybrid Hosted Service (RSA)

Trend Micro takes an unusual approach with its hosted ("managed"; "in-the-cloud") email security service. Rather than trying to do everything, it sticks to what a service is good at.

Trend is applying the Pareto principle (a.k.a. "80/20 rule"). The company promotes a "hybrid" approach, with the hosted service implementing only a first level of spam filtering based on reputation -- filtering roughly 80% of the inbound spam. The remaining email is passed on to spam filtering appliances on the customers' premises, to deal with the other 20%.

The on-premise appliance can therefore more easily be customized to conform to local policy. When it comes to filtering spam using content, it's best to have an understanding of the types of legitimate content that the organization sends and receives -- the obvious example is medical organizations, who may well expect to receive email about a certain blue pill whose name begins with 'V'.

Of course, organization-specific customization can be done in the cloud -- there's nothing intrinsic about it that forces it to be on-premise, but this split in responsibilities seems like it has merit.


Monday, March 31, 2008

Off to RSA

I'll be at the RSA conference next week, Monday-Wednesday. I'll also be doing other meetings in the SF bay area on the 3rd and 4th.

If you want to meet up or just get in touch, best bet is by email or text (+447789200701).


Friday, February 29, 2008

Spammers work for Desperate Social Networks

Hmm, email hitting spamtraps this morning for a social network called Friendsgroup.co.uk. Sounds suspicious, no?

Let's see:
  • Spam sent to email addresses that only exist to trap spam? CHECK
  • Spam comes from dynamic consumer ISP space? CHECK
  • Envelope sender forged? CHECK
  • Date: header a couple of hours in the future? CHECK
  • "Content-Transfer-Encoding: 7bit" but includes 8-bit characters? CHECK
  • Text mentions "double opt-in"? CHECK
  • Spamvertized website operates out of Latvia, not the UK? CHECK
Update: I only had a quick look and can't see anything obviously dodgy with the site itself. My suspicion is that it exists to spread malware -- either by exploiting browser vulnerabilities or by making people download Trojans when they register.

It could alternatively be a come-on for a Russian Brides style scam.
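The checklist above is really a set of header and content heuristics, and most of them can be checked mechanically. As an added example (code written for this page, not from the post, and run against a constructed message rather than the actual Friendsgroup mail), here is a Python routine that parses a raw message and reports which of those indicators it trips, with a rough strength for each. The spamtrap domain, the "dynamic-looking hostname" token list and the tolerance on Date: skew are assumptions for the example:

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message: every header value is invented and the body
# deliberately carries a raw 0xE9 byte despite the "7bit" declaration.
SAMPLE_RAW = b"""Return-Path: <bounce-4711@mailer.example.net>
Received: from host-203-0-113-9.dynamic.broadband.example ([203.0.113.9])
    by mx.spamtrap.example.org with ESMTP; Fri, 29 Feb 2008 08:15:00 +0000
From: "Friends Group" <welcome@friendsgroup.example>
To: trap-9f3a@spamtrap.example.org
Date: Fri, 29 Feb 2008 10:30:00 +0000
Subject: You were added with double opt-in
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Caf\xe9 friends: register today.
"""

# Constructed: recipient domains that exist only to catch spam.
SPAMTRAP_DOMAINS = ("spamtrap.example.org",)

# Crude heuristic for consumer/dynamic address space. A PBL-style DNS list is
# the proper source; this token match only illustrates the check.
DYNAMIC_TOKENS = re.compile(r"(dyn|dynamic|dsl|pool|ppp|cable|dhcp|dial)", re.I)


def split_raw(raw):
    """Split a raw message into (header_bytes, body_bytes) at the first blank line."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else b"")


def first_received_host(msg):
    """Hostname in the 'from' clause of the topmost Received: header, or None."""
    m = re.match(r"\s*from\s+(\S+)", msg.get("Received") or "")
    return m.group(1) if m else None


def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def spam_indicators(raw, now, future_tolerance=timedelta(minutes=30), spamtrap_domains=()):
    """Return {indicator: strength} for the heuristics the message trips."""
    _, body = split_raw(raw)
    msg = message_from_bytes(raw)
    found = {}

    # Date: header well ahead of the time the message actually arrived.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        if sent - now > future_tolerance:
            found["date-in-future"] = "strong"
    except (TypeError, ValueError):
        found["date-unparseable"] = "weak"

    # Declared 7bit, yet the body contains bytes above 0x7F.
    cte = msg.get("Content-Transfer-Encoding", "7bit").strip().lower()
    if cte == "7bit" and any(b > 0x7F for b in body):
        found["7bit-with-8bit-body"] = "strong"

    # Envelope sender domain unrelated to the From: domain. Weak on its own:
    # legitimate bulk senders use separate bounce domains too.
    rp, frm = domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))
    if rp and frm and rp != frm and not rp.endswith("." + frm):
        found["envelope-from-mismatch"] = "weak"

    # Handing-off host name looks like dynamic consumer ISP space.
    host = first_received_host(msg)
    if host and DYNAMIC_TOKENS.search(host):
        found["dynamic-rdns"] = "medium"

    # Recipient is an address that exists only to trap spam.
    if domain_of(msg.get("To")) in spamtrap_domains:
        found["spamtrap-recipient"] = "strong"

    # The text boasts about "double opt-in".
    text = (msg.get("Subject", "") + " " + body.decode("latin-1")).lower()
    if "double opt-in" in text:
        found["claims-double-opt-in"] = "weak"
    return found


def score_sample():
    """Run the checks on the constructed message, pinning 'now' to its Received: time."""
    arrived = datetime(2008, 2, 29, 8, 15, tzinfo=timezone.utc)
    return spam_indicators(SAMPLE_RAW, now=arrived, spamtrap_domains=SPAMTRAP_DOMAINS)


if __name__ == "__main__":
    for name, strength in score_sample().items():
        print(f"{name:25s} {strength}")
```

The body is examined as raw bytes, split off before the email parser sees it, because the parser would otherwise quietly paper over exactly the 7bit-versus-8-bit inconsistency the check is looking for. Note also that only some indicators are damning on their own (a spamtrap hit, a clock hours in the future, the encoding lie); an envelope/From mismatch or a marketing phrase is just a nudge, which is why the result carries a strength rather than a bare yes/no.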


Thursday, October 11, 2007

Is Spam Blocking at Odds with Common Carrier Status?

ISPs in many countries, including the U.S., enjoy a legal status often known as "Common Carrier." Simply put, this absolves the ISP of responsibility if it assists in the transfer of illegal materials, such as copyrighted works or child pornography. The philosophy is that as long as the ISP simply moves data from one place to another -- not making any judgment or discrimination about whether to move one type of data or another -- the ISP should enjoy a "safe harbour."

From time to time, some wag gets the idea that email filtering of spam and viruses would cause ISPs to lose this legal protection. In other words, if an ISP chooses not to deliver a message because it's "spam," the ISP is discriminating based on the content or source, which may remove the safe harbour. When one thinks about it, this is complete nonsense, but stranger things have happened in various legal systems around the world.

This debate is happening again. Thanks to the good work done by MAAWG and others, ISPs are being encouraged to set up outbound spam filtering, to prevent zombified PCs sending spam from their networks, and to use walled gardens to encourage users to clean their infected machines. Naturally, some are expressing concern that such discrimination would count as another chink in their common carrier armour.

It's time for the FCC and similar regulators in other countries to step up and make it clear that such genuinely useful -- some would say essential -- discrimination would not affect an ISP's common carrier status.

BTW, sorry for the long hiatus. Call it Blogger's Block. Thanks to Kevin Soo Hoo for helping break it.


Tuesday, July 03, 2007

Srizbi Spam Bot is Nastier than we Thought

According to Symantec's Kaoru Hayashi, last month's Srizbi Trojan is nastier than it at first appeared. It could be a peek at things to come in the world of spam-sending bots.

Naturally, as a malware geek, Hayashi doesn't call it "nasty" -- he says "really interesting":
Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that it's probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user mode payload and does everything from kernel-mode, including sending spam ... The most interesting code is contained in the spam routine. We know that using network functionalities directly from kernel-mode is much more complicated and we have seen many rootkit threats in the past - for example, Haxdoor, Rustock, and Peacomm - always carrying over a user-mode payload that gets injected into some Windows processes. Trojan.Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode.
...
We think this sample is still in a “beta” stage and it’s not finished yet.
The implication being that, if a future version of Srizbi fixes the problems that currently make it visible, detection gets a lot harder. Needless to say, that may well cause more spam to get sent before an infection could be detected and remediated.

I especially liked this bit:
[It] seems to include a special routine to uninstall competitor rootkits, such as “wincom32.sys” and “ntio256.sys”.
Classy.


Friday, June 22, 2007

The DHS is a Wonderful Organization

So I hear the U.S. Department of Homeland Security has been having one or two problems with its computer security:
A subcommittee of the Committee on Homeland Security ... expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.

The security issues ... included one in which a password dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks.
Trojans? Unencrypted sensitive email? Oh, big fat hairy deal. C'mon, this is nothing that you couldn't find in most organizations of that size. It's hardly DHS's fault.

Give them a break. In fact, give them all a big pay rise -- especially those nice officers who work the immigration and customs desks at America's fine airports (and the ones who sit in Canada, too). I do like them a lot, and look forward to my time chatting with them every time I visit the U.S.

They are all, without exception, wonderful people, and anyone who says otherwise is probably some sort of terrorist.


Friday, June 08, 2007

Weird Story in Computerworld

Greetings from Vegas.

My chums at Computerworld have put up a very oddly-written story today. It seems that Kingfisher Bay, an Australian resort, was using an "aging" version of Symantec's spam filter. Surprise-surprise, old versions of spam filters don't work very well, letting through a lot of spam.

In fact, it turns out that the resort wasn't using the Symantec Brightmail technology at all. It was still using the old, pre-Brightmail engine. Oddly, Symantec still sells this -- can't see why that's a good idea.

Anyway, it sounds to me like the company decided it wanted to use a managed service, rather than an in-house solution. Many smaller organizations are making this choice. Their obvious targets are MessageLabs, Postini, Microsoft (née FrontBridge), or a bunch of smaller/regional providers.

In the end, they chose MessageLabs. Naturally, MessageLabs is crowing to the press about how it's gained a customer from Symantec.

But hang on, doesn't MessageLabs use Symantec Brightmail anti-spam for its service? How ironic...

