Innovative Spam Defense - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Innovative Spam Defense


1
Innovative Spam Defense
  • Christine Drake
  • Global Product Marketing Manager
  • Christine_Drake_at_trendmicro.com

2
Agenda
  • Based on Radicati white paper "Trend Micro
    Anti-Spam: Innovative Defense against Evolving
    Spam"
  • Evolution of spam and anti-spam techniques
  • Trend Micro's anti-spam technologies and
    products
  • Independent benchmarks by Opus One
  • Benchmark tests of popular anti-spam solutions

3
Evolution of Spam and Anti-Spam Techniques
4
Evolution of Spam
  • Spam is very profitable
  • Spammers can reach a wide audience at minimal
    cost
  • They need only a marginal response to make a
    profit
  • People continue to purchase items through spam
  • Especially for embarrassing or private items
  • Spam methods are also used by criminals for fraud
    and theft
  • Spammers are willing to invest resources to
    bypass spam filters
  • There is an adversarial relationship between
    spam and anti-spam solutions, each adapting to
    the other's techniques

5
The Beginning of Spam
  • Spam started in the early 1990s
  • Originally, spammers sent simple emails to
    promote a product or service
  • There were no anti-spam filters, so no spam
    tricks were needed to get into the inbox

6
The Creation of Anti-Spam Filters
  • As spam increased to an annoyance, anti-spam
    filters were created
  • Simple blacklists and whitelists
  • Content filtering looking for specific words
  • Context filtering looking for keywords within a
    defined context
  • Spammers quickly adapted
  • Blacklists/whitelists became ineffective
  • Error prone when based on end-user submissions
  • Don't work with zombies and botnets
  • Tricks were used to obscure spam words
  • Symbols instead of letters (vi@gra)
  • Spaces, dashes, etc. were put between letters
    (v i a g r a, v-i-a-g-r-a )
  • Words were spelled out vertically
  • And many more

7
Botnets
  • Zombies
  • Computers that are infected with bot code
  • Infected unbeknownst to their owners
  • Hijacked for the hacker's use
  • Approximately 16-25% of computers are zombies[1]
  • Botnets are a network of zombie computers
  • Managers of botnets are called bot herders
  • Can manage based on bandwidth, location, and
    other attributes
  • Why use Botnets?
  • Zombie machines can harvest address information
    as well as send out spam, DDoS attacks, more bot
    code, and other threats
  • They steal the resources of the infected
    computers
  • Can send out mass quantities of spam (approx. 80%
    of all spam)
  • They hide the true email senders

1. Source: Weber, Tim. "Criminals May Overwhelm
the Web." BBC News, 25 January 2007
8
Content Filtering Tricks
  • Simple content filtering tricks
  • Marks between letters in the subject line
  • Vertical lettering
  • Replacing letters with symbols
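
The tricks on slides 6 and 8 (symbols for letters, separators between letters, vertical lettering) are what a content filter has to undo before a keyword can match. The Python below is an added example written for this transcript, not Trend Micro's engine; the term list, the symbol table and the sample subjects used to exercise it are constructed assumptions.

```python
import re
import unicodedata

# Constructed term list for this example; a real filter keeps many more.
SPAM_TERMS = ("viagra", "mortgage")
# Symbol-for-letter substitutions (the slides' "vi@gra"); this table is an assumption.
SYMBOL_MAP = {"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "|": "l"}
# Separator characters spammers put between letters ("v i a g r a", "v-i-a-g-r-a").
SEPARATOR = r"[\s\-_.*~,']{0,3}"

def _fold(text: str) -> str:
    """Lowercase, strip accents, and map look-alike symbols back to letters."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return "".join(SYMBOL_MAP.get(c, c) for c in text)

def _rejoin_vertical(text: str) -> str:
    """Collapse runs of one-character lines (vertical lettering) into one word."""
    out, run = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if len(stripped) == 1:
            run.append(stripped)
            continue
        if run:
            out.append("".join(run))
            run = []
        out.append(stripped)
    if run:
        out.append("".join(run))
    return "\n".join(out)

# One pattern per term, allowing a few separator characters between letters.
PATTERNS = {t: re.compile(SEPARATOR.join(re.escape(c) for c in t)) for t in SPAM_TERMS}

def find_obscured_terms(text: str) -> set:
    """Return the listed terms present once the obfuscation tricks are undone."""
    folded = _fold(_rejoin_vertical(text))
    return {term for term, pat in PATTERNS.items() if pat.search(folded)}
```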

9
Signature Filtering
  • Spammers
  • Originally sent out one spam email in mass
    quantities
  • Anti-spam vendors
  • Used spam signatures or fingerprints to block
    similar copies
  • Spammers
  • Templates to randomize spam characteristics,
    making each email unique

10
Heuristics and Statistical Filters
  • Heuristics
  • Rule-based approach that looks for spam
    indicators
  • Not just keywords, any indicator of spam
  • Can look for tricks
  • Must be well written and kept up-to-date
  • Statistical Filters
  • Statistical approaches to identifying spam
  • Calculate an overall score for the email
  • Use datasets to train a filter to determine
    spam probability
  • Must be well-tuned / well-trained and based on
    updated datasets

11
Fooling Statistical Filters
  • Continue to obscure spam indicators
  • Some emails add extra text to spam to dilute the
    value of spam indicators

12
Image Spam
  • Conveys spam message through an image
  • Not text in the body of the email
  • Approx. 40% of all spam[1]
  • Image spam is 10x larger than typical text email[1]

1. Source: Osterman Research. "Image Spam and New
Threats Summit" webinar. Conducted on 10 January
2007.
13
Randomized Image Spam Characteristics
Spam Template: Randomizes spam elements like
background and text colors, dimensions, and other
characteristics. Makes each email unique.
14
Email Reputation Services
  • Reputation Filters
  • Block the IP addresses of known spammers
  • Do not need to analyze content
  • Do not need to let email onto the network to scan
  • Keep email threats completely off of the network
  • Effective Reputation Services
  • Continually analyze sending behavior
  • Collect email histories and samples, an
    auditable process
  • Update lists to stop zombies and restore
    reputation when clean
  • Keep the majority of spam off of the network,
    securing networks and saving costly network
    resources
  • Critical component to combating current spam
    volumes

15
Trend Micro Anti-Spam Technologies
16
Trend Micro Anti-Spam Technologies
  • Email Reputation: First Line of Defense
  • Global and dynamic reputation services
  • Blocks up to 80% before entering the network,
    including zombies
  • IP Profiler: Customer-Specific Protection
  • Customer-specific reputation services based on
    company email traffic
  • Firewall against DHA and bounced email attacks
  • Anti-Spam Composite Engine: Guards Inbox
  • Stops any remaining spam before it enters the
    inbox
  • Integrates anti-spam technologies, including
    image spam detection

17
Email Reputation
  • Email Reputation
  • Global: Verifies IP addresses against the world's
    largest, most trusted reputation database (over
    1.6 billion addresses)
  • Dynamic: Identifies new spam and phishing
    sources, stopping even zombies and botnets when
    they first emerge
  • Fights off spam at the source
  • Stops spam before it enters the gateway
  • Threat Prevention Network assures 100%
    availability, millisecond responses
  • Uses email samples and sender histories for
    accurate, auditable reputations
  • Leaves only a small percentage of mail to be
    filtered by the traditional scanning
  • Saves bandwidth, storage, and other network
    resources

18
Reputation Services Administrative Console
  • Industry-leading insight and control
  • Global spam update
  • Spam reports
  • Spam volume for 100 top ISPs
  • Block lists by country or ISP using easy
    drop-down menus

19
IP Profiler
  • Customer-Specific
  • Reputation Services
  • Spam
  • Virus
  • DHA Attacks
  • Bounced Mail
  • Customers set thresholds
  • Duration monitored
  • Percentage of email threat
  • Total mails for a relevant sample
  • Triggering actions: what happens when these
    thresholds are met (block temporarily or block
    permanently)
  • Provides customer-specific reputation services
    by blocking IP addresses that exceed set
    thresholds; also keeps threats completely off the
    network

20
IP Profiler
  • Firewall against DHA and Bounced Mail Attacks
  • IP Profiler applies additional information to
    block DHAs
  • Number of recipients that can be listed in an
    email
  • Number of non-existing recipients (This
    technology is LDAP integrated)
  • IP Profiler also conducts other behavioral
    analysis to create the firewall

21
IP Profiler: How It Works
  • Records all inbound and outbound SMTP traffic
  • Reports records on email traffic from each IP
    address to a database
  • The emails are scanned by the anti-spam composite
    engine
  • The results of the scanning engine are reported
    to the database
  • The traffic from the IP address is profiled by
    cross referencing the recorded traffic with the
    scanned results
  • For example, total messaging from the IP address
    vs. spam messages from the IP address
  • This outcome is compared against the user
    thresholds
  • If the outcome exceeds the thresholds, the
    trigger action is applied: Block Permanently (SMTP
    5xx) or Block Temporarily (SMTP 4xx)
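
Slides 19 to 21 describe the profiling loop: record each IP's traffic, cross-reference it with the scan verdicts, compare the threat ratio over the monitored duration and sample size with the customer thresholds, and answer with a 4xx or 5xx. The following is an added example modelled on that description, not IP Profiler's own code; the threshold fields, the reply strings, the directory used for the slide 20 DHA check and the sample traffic are all assumptions.

```python
from dataclasses import dataclass
# Added example shaped after slides 19-21; thresholds, field names, SMTP replies
# and the sample traffic are assumptions, not IP Profiler's real configuration.
@dataclass(frozen=True)
class Threshold:
    threat: str         # "spam", "virus", "dha" or "bounce"
    window_s: int       # duration monitored, in seconds
    max_percent: float  # share of the IP's traffic allowed to be this threat
    min_total: int      # total mails needed before the sample is relevant
    action: str         # "temporary" (SMTP 4xx) or "permanent" (SMTP 5xx)
@dataclass(frozen=True)
class Record:
    ts: int       # time the message was recorded
    ip: str       # sending IP address
    verdict: str  # scanning-engine result ("spam", "dha", ...) or "clean"

SMTP_CODES = {"temporary": "450 4.7.1 Try again later",
              "permanent": "550 5.7.1 Connection refused"}

def dha_verdict(recipients, directory, max_rcpts=20, max_unknown=3):
    """Slide 20's per-message checks: too many recipients, or too many that do
    not exist in the directory (a set stands in for the LDAP lookup)."""
    unknown = sum(1 for r in recipients if r.lower() not in directory)
    return "dha" if len(recipients) > max_rcpts or unknown > max_unknown else "clean"

def profile(records, ip, now, thresholds):
    """Cross-reference one IP's traffic with the scan verdicts, compare the
    threat ratio with each threshold and return the most severe action."""
    triggered = set()
    for th in thresholds:
        recent = [r for r in records if r.ip == ip and now - th.window_s <= r.ts <= now]
        if len(recent) < th.min_total:
            continue  # not yet a relevant sample for this threshold
        hits = sum(1 for r in recent if r.verdict == th.threat)
        if 100.0 * hits / len(recent) > th.max_percent:
            triggered.add(th.action)
    for action in ("permanent", "temporary"):
        if action in triggered:
            return action, SMTP_CODES[action]
    return None  # within every threshold: keep accepting mail

# Constructed sample: three thresholds and traffic from three IPs, seen at t=700.
THRESHOLDS = (Threshold("spam", 600, 80.0, 10, "permanent"),
              Threshold("spam", 600, 50.0, 5, "temporary"),
              Threshold("dha", 3600, 15.0, 20, "temporary"))
DIRECTORY = {"alice@example.com", "bob@example.com"}
def _rcpts(i):  # every fourth message from the prober tries four unknown addresses
    return [f"guess{i}-{k}@example.com" for k in range(4)] if i % 4 == 0 else ["bob@example.com"]
RECORDS = ([Record(600 + i, "203.0.113.7", "spam" if i < 9 else "clean") for i in range(10)]
           + [Record(600 + i, "198.51.100.2", "spam" if i < 2 else "clean") for i in range(3)]
           + [Record(100 + 30 * i, "192.0.2.9", dha_verdict(_rcpts(i), DIRECTORY)) for i in range(20)])
```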

22
IP Profiler Management
  • Manage currently monitored IP addresses
  • Display Logs
  • Total spam emails
  • Total malicious attempts
  • Total connections
  • Percentage of malicious attempts among all
    connections

Select IP addresses and permanently or
temporarily block them. Create global white/black
lists for IPs/domains. These will apply to both NRS
and IP Profiler.
23
Trend Micro Anti-Spam Engine
  • Trend Micro anti-spam composite engine
  • Uses a cocktail approach to block both spam and
    phishing emails
  • Statistical Analysis
  • Advanced Heuristics
  • Signature Filtering
  • Whitelists/Blacklists
  • Multi-language detection
  • Patent-Pending Image Spam Detection Technology
  • Industry Proven Technology
  • Install base of over 25 million seats over the
    past four years

24
Image Spam Detection
Patent-Pending Image Spam Detection: Boils down to
the core of the email, for example, strips out
background and text colors, dimensions, and other
randomized elements. Enables just a few main
signatures to stop all of the numerous variations.
25
Embedded URL Filtering
  • Blocks Emails with Dangerous URLs
  • Threats span across email and the Web
  • Emails can contain links to
  • Spam sites
  • Phishing sites
  • Sites with dangerous downloads
  • Trend Micro leverages its expertise in reputation
    services
  • Emails with links to bad sites are blocked
  • Prevents employees from clicking on links and
    falling victim to Web threats

26
Trend Micro Anti-Spam Solutions
27
Small-Medium Business Gateway Protection
  • Worry-free protection
  • InterScan Gateway Security Appliance
  • InterScan VirusWall, software solution
  • All-in-one gateway security
  • Email and Web protection
  • Anti-spam
  • Antivirus
  • Anti-spyware
  • Anti-phishing
  • Content filtering
  • Web filtering
  • Anti-spam technologies
  • Email Reputation
  • Trend Micro anti-spam composite engine

28
InterScan Messaging Security Solutions
  • Enterprise gateway email security
  • InterScan Messaging Security Suite
  • InterScan Messaging Security Appliance
  • InterScan Messaging Hosted Security
  • All three solutions provide comprehensive email
    security
  • Anti-spam
  • Antivirus
  • Anti-spyware
  • Anti-phishing
  • Content filtering
  • InterScan Messaging Security Solutions
  • Use all 3 Trend Micro anti-spam technologies
  • Email Reputation
  • IP Profiler
  • Trend Micro anti-spam composite engine

29
ScanMail Protection for Mail Servers
  • Mail Server Protection
  • ScanMail for Microsoft Exchange
  • ScanMail for Lotus Domino
  • Comprehensive email and mail store protection
  • Anti-spam
  • Antivirus
  • Anti-spyware
  • Anti-phishing
  • Content filtering
  • Anti-spam technologies
  • Trend Micro anti-spam composite engine

30
Email Reputation Services
  • Standalone Reputation Services
  • Email Reputation Services Standard (global
    database)
  • Email Reputation Services Advanced (global and
    dynamic)
  • Email Reputation Services Hosted (global and
    dynamic)
  • First line of defense
  • Can be purchased separately
  • Compatible with nearly all popular MTAs
  • Can be deployed with numerous solutions

31
Trend Micro Enterprise Protection Strategy: A
Complete Network Security Framework
Trend Micro Control Manager
32
Competitive Anti-Spam Benchmarks
33
Gateway Anti-Spam Benchmarks
Independent Anti-Spam Benchmarks
  • Trend Micro #1 in Anti-Spam Effectiveness
  • Highest catch rate and a competitive false
    positive rate at gateway
  • IP Profiler will increase the effectiveness even
    further

Based on independent anti-spam benchmark tests
conducted by Opus One, Inc. Testing methodology
can be retrieved from
http://www.opus1.com/www/whitepapers/antispamfeb2007.pdf
34
Standalone Reputation Services Benchmarks
Independent Anti-Spam Benchmarks
  • Trend Micro #1 in Catch Rate for Standalone
    Reputation Services
  • Advanced has the highest catch rate
  • Standard has a competitive catch rate with zero
    false positives

Based on independent anti-spam benchmark tests
conducted by Opus One, Inc. Testing methodology
can be retrieved from
http://www.opus1.com/www/whitepapers/antispamfeb2007.pdf
35
Join Our Messaging Community
  • Trend Micro's Messaging Site
  • http://messagingsecurity.trendmicro.com
  • White papers
  • Pod casts
  • Blogs
  • Opportunity to comment