The NewScientist has an article on an interesting new antispam technique. Here’s an excerpt:
SPAMMERS’ own trickery has been used to develop an "effectively perfect" method for blocking the most common kind of spam, a team of computer scientists claims.
Most of the billions of spam messages sent each day originate in networks of compromised computers, called botnets. Unbeknown to their owners, the machines quietly run malicious software in the background that pumps out spam.
Researchers have now come up with a system that deciphers the templates a botnet is using to create spam. These templates are then used to teach spam filters what to look for.
The system, developed by a team at the International Computer Science Institute in Berkeley, California, and the University of California, San Diego, works by exploiting a trick that spammers use to defeat email filters. As spam is churned out, subtle changes are typically incorporated into the messages to confound spam filters. Each message is generated from a template that specifies the message content and how it should be varied. The team reasoned that analysing such messages could reveal the template that created them. And since the spam template describes the entire range of the emails a bot will send, possessing it might provide a watertight method of blocking spam from that bot.
To test their idea, the team installed a previously captured software bot onto a machine. After analysing 1000 emails generated by this compromised machine – less than 10 minutes’ work for most bots – the researchers were able to reverse-engineer the template. Knowledge of that template then enabled filters to block further spam from that bot with 100 per cent accuracy.
Knowledge of the spam template enabled filters to block further spam with 100 per cent accuracy.
High accuracy can be achieved by existing spam filters, but sometimes at the cost of blocking legitimate mail. The new system did not produce a single false positive when tested against more than a million genuine messages, says Andreas Pitsillidis, one of the team: "The biggest advantage is this false positive rate."
So, to summarize, a team of researchers downloaded and installed some software that flips a computer into a botnet. This bot then started spewing out spam and the team was able to capture the spam, analyze, and then write spam rules in order to 100% target the spam run.
All you have to do is download the malware, capture the spam traffic, and then use the traffic to build an antispam corpus of rules. In other words, it’s the next step in doing what antispam vendors have been doing since 2002.
In case you can’t tell, I’m not really all that impressed with this spam solution. Yes, it does have a 100% accuracy rate with no false positives. But how practical is it in real life?
- You have to capture malware from every botnet – There are lots of different botnets out there, not just one. In order for this solution to be effective at stopping all spam, you would need to capture each type of malware and analyze the spam traffic from all of the botnets, not just a single one. Different botnets have different spam signatures.
- You have to capture multiple versions – Malware from botnets, the more intelligent ones, are auto-updating. They periodically phone home and upgrade themselves. And they may not send out traffic in the same ways. You would have to ensure that the software that you have intercepted is capable of analyzing traffic from versions of botnets that send out spam differently.
- Botnets do not just send out spam by themselves – Not all botnets spam. Some of them break CAPTCHA’s set up by Windows Live (Hotmail), Yahoo and Gmail. And then, they send out instructions using those compromised accounts to spam from them. Thus, even if these botnets were intercepted in terms of traffic, they wouldn’t solve the spam problem since botnets have multiple uses.
- Botnet software is competitive – Some pieces of malware will erase other pieces of malware in an attempt to monopolize the botnet space. So, if you have installed one piece of malware, another piece can come and erase it. You’ll be attempting to capture traffic that doesn’t exist.
Still, this technique is a viable antispam measure if you can capture malware and install it; however, one would need to understand that it is but one tool in the antispam arsenal. It would have to be supplemented with other techniques like IP reputation and sender reputation. As to how practical it is, well, I can’t comment on that because I don’t understand botnet malware very well. But the idea is interesting.