
You need to know your enemy by sight. Some general information about spam.

Spam is unwanted (not ordered) correspondence, most often of a promotional nature, received by millions of email users every day. In the modern world it is difficult to find a person who knows what an e-mail is and has never encountered spam. Email and spam have become inseparable from each other.

Note: I want to say right away that this article is not recent, so please make allowances for the past tense. :)

If a light touch of romance is allowed, we can safely say that the fight against spam long ago took on the character of the famous “sword and shield” confrontation. On one side of the barricades are the spammers, constantly collecting the email addresses of Internet users, inventing and modifying the technology for sending spam, and bypassing the means of blocking it. On the other side are all the other email users:
• Ordinary users, who delete hundreds of spam messages from their mailboxes every day, and those more at home with software, who train their personal mail clients to recognize and delete (or flag in a special way, or quarantine in a dedicated folder) messages containing junk.
• Company system administrators, who install and train special anti-spam filters to reduce the flow of unwanted correspondence.
• Companies and corporations, which spend a lot of money on the purchase, deployment and tuning of anti-spam technologies.
• Software developers, whose products to one degree or another reduce the millions of daily messages that land in users' mailboxes.

The history of the development of spam technology.
The first spam can be considered the mailing of May 2, 1978, when 600 spam messages inviting recipients to a DEC presentation were sent. From that day one can start counting the age of spam. On April 12, 1994, Laurence Canter and Martha Siegel were the first to use special software for sending spam to USENET newsgroups. The first (at least, the first well-known) spammer among our compatriots was Mikhail Armalinsky.
Today, according to Kaspersky Lab's spam analysts for 2005, spam accounts for 70-80% of total mail traffic (counted by number of messages), which means that for every 2-3 ordinary letters there are 7-8 spam ones. Exact figures for the daily volume of spam sent, for obvious reasons, cannot exist. But the figures quoted by various sources inspire fear for the future of electronic correspondence, since any large mail provider is threatened with simply being buried under an unimaginable amount of postal garbage.

Transmission medium
Spam sending technologies have evolved quite rapidly. It all started with ordinary direct sending to the recipients listed in the CC and BCC fields. However, this method quickly became history because of its inefficiency.

The next step was the use of providers' modem pools. The scheme is familiar to every Internet user: using the free guest access to the provider's website, the spammer registered an account, paid for it, and off he went, sending as much spam as he liked. Of course, the transmission medium severely limited such a method, but at the time it was more than enough for a noticeable spike in unwanted correspondence in users' mailboxes. The time needed to write a complaint, and for the provider to consider it, was considerable. And not everyone who received spam would bother to identify its source and contact the technical support of the provider that “fed” the scoundrel. Thus the spammer had enough time to carry out his intentions. And the provider's reaction, blocking the account, was not a problem: nothing prevented re-running the whole chain described above to regain access through the same provider or, in the worst case, another one. This problem was partly solved by providers installing caller ID (automatic number identification) on the equipment serving subscribers, and partly by introducing some restrictions on the sending of messages by users.

A big problem at that time was the huge number of mail servers open for uncontrolled forwarding (so-called open relays), which allowed anyone to relay as much mail as they liked to any addresses. This problem arose because initially, until the 90s, almost all servers were “open”: they relayed email messages to other servers without any restrictions on the sender. The problem was solved by modifying Internet mail server software. However, as the dry statistics show, even in our time the number of open relay servers is in the thousands. The reasons are many: incorrect settings, as well as the imperfection of the software used. Yes, surprisingly, some mail servers still run software that simply cannot prevent them from being used as a “cash cow”. Therefore, the main means of fighting this became the use of rbl lists (Realtime Blackhole List), containing the identified vulnerable servers. Some lists that keep records of such servers know more than 225,000 vulnerable systems (of which more than 2,500 are in Russia). But nowadays such a figure is no longer considered huge, and it amounts to only 0.65% of spam senders (according to mail.ru).

In the recent past, when the well-known and publicly accessible rbl lists were used (some of the most popular ones are listed on the rbls.org website), there were problems with mail delivery. Now the largest mail systems (such as mail.ru) use their own rbl lists, which frees them from depending on the operators of any third-party service. Of course, there are those who still prefer public resources, because you can choose the one that suits you best (for example, only the list containing the address space of providers' modem pools). Mail delivery problems arose because different mail systems could use non-identical lists of “black addresses”, and because this method was, of course, applied only on the receiving system, the sender could not foresee a possible delivery failure. In other words, two mail systems could end up acting like a pair of pagers: mail from users of system A reaches system B, but in the opposite direction it no longer does, because system B is on one of the blacklists against which system A checks senders. Moreover, there were plenty of reasons why system B could end up on any number of blacklists: from a complaint by a single user of the rbl service, to the service itself scanning for open relays within a range of IP addresses, roughly the way search engines crawl the network. In some cases, getting a legitimate system removed from a blacklist could take from a few days to months. There were also cases when the administrators of some rbl service entered entirely legitimate servers into their “black” database and then asked for a fee for removal.

After all the trials and adventures with rbl services, a great many mail system administrators were forced to disable the use of rbl in their systems. Users were very unhappy with the guesswork about whether their correspondence had reached its recipients or not, since not everyone is able to understand the receiving server's delivery failure report. And let us be honest, few people paid attention to server reports at all. Often such letters were deleted unread, and only much later, when it became known that the recipient had not received the letter, did the “debriefing” begin. As a result it turned out that the user had received a report but had paid no attention to it. Only then did system administrators start to find out the cause and contact the administrators of the other mail system to resolve the delivery problem. I suspect system administrators gave up this (already popular) filtering method with a light heart, since that is much easier than negotiating every time with other sysadmins about mail passing through their systems. By the way, it was during that period, it seems to me, that the wrong idea of fighting spam settled in the heads of many managers. Among many managers I know, the popular opinion is that spam filtering leads to the loss of important correspondence. For example, in one of the companies where I once worked, I did not manage to persuade management to use spam filtering (even just marking the message subject field with “SPAM”), despite the fact that the amount of daily unwanted correspondence received by employees exceeded the average monthly traffic of legitimate mail (the traffic was determined by analyzing the mail system log file).
And in another company I had to turn off the filtering system immediately after being hired, because the managers literally went on strike over the constant loss of mail, which they blamed on the company's spam defense (the real cause of the losses was much more prosaic and had nothing to do with the filters).

When the aforementioned tools were no longer as effective as the spammers would have liked, they found a new one: their own servers. They bought servers, colocated them at a provider, and ran their mailings using the considerable capacity of the telecommunications equipment. The time a spammer had for his activity was determined only by how long the hosting provider was willing to turn a blind eye to it. Everything again came down to complaints from users affected by the spammers' actions. But the amount of spam that could be sent this way was very, very large. And moving the server to another site was no great difficulty, after which the mailings could resume. However, the tightening of hosting providers' policies, as well as the use of the same rbl lists, led to a gradual departure from this method of sending spam.

Using hijacked leased servers proved to be a much more profitable tool for spammers. The accounts of the owners of legitimate resources, obtained by various means (illegal ones, as a rule, for example by social engineering), made it possible to use their servers for the spammers' dark purposes for a long time. The time it took to “shut up shop” could be measured in days or in years. It depended solely on how the server was used: one-off mailings with long breaks in between, or repeated mailings calculated to squeeze out the maximum now, followed by a change of host. In the first case the owner of the resource could remain in ignorance for a very long time, and the provider does not always respond to the first complaint that appears.

A logical continuation of the use of “stolen” servers has been networks of “zombie computers”. The rapid development of virus technologies and their merging with the technologies of spammers has created vast opportunities. The user's computer is infected, after which it connects to an IRC server and enters a special “room” (invisible in the public lists and protected with a password) created by the virus author's software. Thus the “owner” of the zombie computers could see the number of infected machines and, accordingly, control them by issuing commands, including commands to update the virus code. There is even room for competition among spammers: when one virus finds a “colleague”, it tries to block it and take over control of the computer itself. Users' computers have become a battleground for the resources of unprotected systems. Interestingly, the viruses use publicly available resources to organize their communication channel. Whenever they can (that is, whenever they discover them), the owners of IRC servers try to remove these “rooms”; however, migrating to a new room on another server does not take much time. Moreover, in some cases an IRC server can be created even on one of the infected machines. The solution to this problem can be an ordinary personal firewall installed on the user's machine, blocking any unauthorized connections to the outside world. However, we all know that the picture of complete “firewalling” of all computers on the worldwide network is still very far away. The situation is aggravated by the active rollout of high-speed access and permanent connections to the worldwide network, which in turn plays into the hands of attackers.

The last thing I would like to draw attention to is social engineering. This includes all kinds of “letters of happiness” (chain letters) and other correspondence whose author manages to convince the recipient to forward the letter to others. Their distinctive feature is the small size of the initial mailing. Mass distribution is achieved through the efforts of the recipients themselves, who are “sold” on the suggestion to send the letter to their entire address book (or, alternatively, to the entire contact list of their IM client). A striking example is the search for the parents of a boy who was found in Thailand in January of this year. Fighting this type of spam with technical means is almost impossible. Who among us has not received letters with various attachments from friends? And users are much less willing to complain about spam from friends.

Spam content
In addition to the development of the transmission medium, the content of the messages itself has changed. This mutation naturally spawned anti-spam technologies. While the filters were taught to recognize more and more types of spam messages, spammers came up with more and more new tweaks to get around these filters.

The contents of the letters changed:
• Including the recipient's address in the message text.
• Random character sequences. (Remember the messages of the form “Hhiiii dduuuddee. Do y.ou ne.ed sommmmeeeething?”)
• Fragments of literary works, anecdotes. Inserting part of a poem after the price or advertisement confuses filters.
• Variability of the letter's parts (the contents of the “useful” part of the letter and of the garbage meant to fool filters could change many times).
• Changes to the text of the letter during distribution, with feedback. Before the mailing, the letter was tested on popular systems. If the system accepted the letter as normal, the mailing started. If not, the message body was modified until the servers accepted it.

Some of the changes in message texts have even led to the emergence of a certain new form of language (as in the second item above), which many people even understand. Why do I draw this conclusion? Well, people do turn to the companies that advertise in this way.

Do not forget the spam that arises from imperfect mail servers. This refers to various automatic reports. As an example, we can cite the real boom of antivirus reports about a virus found in the body of a letter. Of course, we are talking about cases where the sender field is forged and the user receives reports about letters he never actually sent. This also includes the numerous automatically generated non-delivery reports. The situation is the same: the sender field is forged. This can be treated as necessary debugging information if you are a system administrator or an advanced user, or as inevitable but no less annoying “technical” spam if you are an executive or manager whose mailbox is full of reports about letters he did not send.

The design of spam letters has also changed:
• Characters that look alike but are different. For example, the letter “A” in the Russian and English layouts.
• Invisible text in HTML.
• Pictures, noisy pictures. If at first the filters learned to identify identical messages by a computed checksum, then making minor changes invisible to the eye eliminates this “problem”.
• Forgery of the technical part of the letter. I think everyone has at least once in his life seen a report from SpamAssassin of the form “forged outlook header”.

The confrontation between spammers and anti-spam technology generates more and more new tricks from the former. However, judging by information from the spam analysts at Kaspersky Lab and other sources, 2005 did not bring spammers any innovative technologies. Apparently, they are quite satisfied with the results currently available to them.

Phishing
Speaking of spam, it is impossible to pass over the phenomenon of phishing. Phishing is fraudulent mailings (“Nigerian letters”, fake winnings, etc.). Literally, phishing can be translated as “fishing with bait”. As a rule, such letters call for doing something (for example, following a link or simply paying money), but not for the sake of something real, as in the case of advertising spam, but for something that does not exist.

The target of phishing mailings is the user's personal data (logins, passwords, PIN codes, credit card numbers, etc.). Then, as is not hard to guess, these data are used by attackers to make a profit. As a rule, phishing letters very skilfully imitate real messages from real organizations. Most often they imitate various payment systems (ebay, paypal). Such letters contain a link, following which the potential victim lands on a fake page specially made by the fraudster. The page looks like a page that actually exists on the website of the company on whose behalf the letter was sent. On the fake website, under one pretext or another, the victim is asked to enter his personal data for authorization. As a result, the visitor's personal information ends up in the scammers' database.

According to statistics from various sources, phishing is not yet an overly dangerous phenomenon. At the moment users receive far more “letters of happiness” than phishing messages. However, this state of affairs is most likely temporary. The phishing industry in Russia has not yet grown into the kind of “well-oiled” mechanism that real spam has. For now, enthusiasts are only trying out new techniques on Runet users. But, according to mail.ru forecasts, by 2006-2007 the share of such spam will be commensurate with the level of advertising spam. Do not forget that each phishing email is potentially capable of causing hundreds of times more damage (if recipients take the bait) than thousands of ordinary advertising spam messages. If the loss from reading advertising can be reduced to the traffic and the time spent sorting it, then the loss from phishing can be truly fatal for the financial position of the “hooked” user. Unfortunately, there are quite a few factors that make phishing harder to combat, which means that at the same acceptable rate of false positives, any modern anti-spam system will let through fewer advertising messages than phishing ones.

The history of phishing most likely begins in the mid-90s. At that time, messages purportedly signed by the administration were widely distributed among AOL users. In these messages users were asked (with various justifications) to send the password for their account, which would otherwise, they were told, be closed.

Of course, over time users were informed that passwords are neither requested nor sent in letters, so the effectiveness of this method began to tend to zero. However, a new scam trick was not long in coming. Having slightly changed the contents of the letters, the scammers began to report some event on the server (for example, PayPal) that required some reaction from the user. The body of the message contained a link which, as already mentioned above, led to a fake copy of a page of the legitimate site, where unsuspecting users left their personal data, since few people are in the habit of looking at the browser's address bar. (I personally observed several times that some users had the address bar hidden. When I asked how they worked, I got a brilliant answer: “I never type anything myself, I only open links.”) The user's possible misadventures did not have to end there, because the fake page could turn out to carry a Trojan, which later “sucked” all the passwords and accounts out of the computer. The consequences are not hard to imagine.

However, as time went on, users began to pay more attention to whose website they were on when entering personal data. Then the attackers moved on from free hosting (of the form paypal.narod.ru) to tricks with the address bar. For example, a URL of the form www.paypal.com@somesite.com . Vulnerabilities in the most popular browser (Internet Explorer) also played into the villains' hands. For example, one of its versions made it possible to hide the entire address after the “@” sign. In this case it became much harder, and often too late, to notice the substitution. Nowadays such addressing is prohibited in IE and triggers a special warning in Mozilla Firefox.
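The address-bar trick described above can be caught on the receiving side by parsing each link in a message rather than trusting what the eye reads first. The example below is added here and is not code from the article; the brand table, the `.example` hosts and the sample mail body are constructed for illustration.

```python
"""Flag deceptive links: a URL whose text before '@' imitates a trusted host,
and look-alike hosts (free hosting) that carry a brand name.
Added example; BRANDS and SAMPLE_BODY are constructed, not taken from the article."""
import re
from urllib.parse import urlsplit

# Constructed map of brand keyword -> domains that legitimately carry it
BRANDS = {
    "paypal": ("paypal.com",),
    "ebay": ("ebay.com",),
}

LINK_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
HOST_LIKE_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def host_belongs_to(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_link(url):
    """Return the real destination host and a list of findings for one URL."""
    parts = urlsplit(url)
    # urlsplit treats everything between '//' and '@' as credentials, so the
    # real destination is parts.hostname, not the text the reader sees first.
    real_host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo-in-url")
        userinfo = (parts.username or "").lower()
        # the classic trick: the "credentials" are shaped like a hostname
        if HOST_LIKE_RE.fullmatch(userinfo):
            findings.append("userinfo-looks-like-host:" + userinfo)
    for brand, domains in BRANDS.items():
        # brand mentioned anywhere in the URL, but the host is not the brand's
        if brand in url.lower() and not host_belongs_to(real_host, domains):
            findings.append("brand-mentioned-but-host-is:" + real_host)
    return {"url": url, "real_host": real_host, "findings": findings}


def scan_message(body):
    """Analyze every http(s) link in a mail body; return only suspicious ones."""
    results = []
    for m in LINK_RE.finditer(body):
        url = m.group(0).rstrip(".,;)")  # drop trailing punctuation
        r = analyze_link(url)
        if r["findings"]:
            results.append(r)
    return results


# Constructed sample body imitating the lures discussed in the article
SAMPLE_BODY = """Dear customer, your account will be closed unless you confirm
your details at http://www.paypal.com@somesite.example/login today.
For reference, our real site is https://www.paypal.com/ and our
help centre is http://paypal.narod.example/help."""

if __name__ == "__main__":
    for r in scan_message(SAMPLE_BODY):
        print(r["url"], "->", r["real_host"], r["findings"])
```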

Unfortunately, even in our time the old tricks of the 90s still work in Russia. For example, by registering the mailing address mail.ru.admin@mail.ru and sending a couple of hundred messages proposing “activation of the mailbox”, you can still get several replies with users' personal data. And control over the mailbox provides very extensive opportunities to extract other accounts with its help (for example, through various “forgotten password” reminder services). Of course, this only works if the account data of the user's main mailbox has been stolen.

The options for phishing are limited only by the fantasy of the attacker and the inattention of users. The expanse is huge, and the level of computer literacy still leaves much to be desired.

One of the most popular fraud patterns has been the so-called “Nigerian letters”. They got their name from the first registered case, in Nigeria. Their essence boils down to this: supposedly some high-ranking official (a prominent figure, actor, criminal figure) has managed to amass a considerable fortune, but now faces the problem of getting the capital out of the country. To launder the money (for a large commission, of course) he needs the bank account of some “sucker”. As you can guess, if the “sucker” handed over his account to the “rich man”, he never saw his own money in that account again.

In Russia, the role of the “Nigerian officials” is played by members of the Yukos board, Khodorkovsky and other equally popular (and wealthy) individuals. Unfortunately, as practice shows, gullible people greedy for a freebie still exist.

The latest craze among spammers is fraudulent “letters of happiness”. The most striking example of such spam was the recent Golden Stream epidemic. Probably everyone saw the letter that began with the words “This is NOT spam, but a really advantageous offer ...”. The text that followed explained the simplest pyramid scheme: you were asked to pay 100 rubles to the author of the letter and then forward the letter, receiving 100 rubles from each recipient. As a result, complete happiness and universal enrichment were promised. The peculiarity of this mailing is the direct extortion of money and the efficiency with which “letters of happiness” penetrate filters. By the way, the distribution of “letters of happiness” has not bypassed instant messaging systems like ICQ either. Often you can find messages like “Hi. UIN such-and-such is sending a virus! Do not add it to your contact list and tell all your friends!!!”. As practice shows, all that remains is to add to the message body a link with text like “Just in case, the cure for the virus is here: URL”, and there you are, the ground is ready for a very extensive infection. Of course, not everyone will respond to such messages, but given the wide contact lists of the modern Internet user, 10% of respondents will be enough to start an epidemic.

The development of anti-spam technology.
Of course, while spammers were inventing more and more new ways to deceive users and the filtering programs of mail systems, the anti-spammers did not sit idle either. A considerable path has been travelled from the banal restriction of uncontrolled mail relaying through any server to the deployment of clever systems for analyzing and filtering message content.

Modern anti-spam systems use a comprehensive set of tools to eliminate spam without harming normal mail. This includes blacklisting of networks in which, as is well known, there can be no legitimate mail servers (for example, providers' dial-up and DSL IP address ranges), Bayesian technologies, and whitelists that work on the principle of repeated email addresses. It is believed that if a letter arrives from an address in the recipient's address book, or from an address to which the recipient has himself sent several emails, it cannot be spam. And there are other new technologies that appear, if not every month, then certainly every six months or a year. In any case, they are presented as new.
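The layered approach just described (whitelist by correspondence history, blacklist of access-network ranges, rbl lookup) can be sketched as a single decision function. The example below is added here and is not code from the article; the address ranges, the rbl zone name, the address book and the DNSBL answers are all constructed, and the DNSBL is simulated with an in-memory table instead of a real DNS query.

```python
"""Layered network-level spam decision: whitelist first, then access-range
blacklist, then an rbl (DNSBL) lookup. Added example with constructed data."""
import ipaddress
from collections import Counter

# Constructed: provider access ranges from which no legitimate MTA should send
DIALUP_DSL_RANGES = [ipaddress.ip_network(n)
                     for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed: simulated rbl zone and the query names it answers for
RBL_ZONE = "rbl.example"
RBL_LISTED = {"4.3.2.203." + RBL_ZONE}   # i.e. 203.2.3.4 is a known open relay


def rbl_query_name(ip, zone=RBL_ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def in_access_range(ip):
    """True if the connecting host sits in a dial-up/DSL customer range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DIALUP_DSL_RANGES)


def rbl_listed(ip, lookup=lambda name: name in RBL_LISTED):
    """lookup stands in for a DNS A query against the rbl zone (simulated)."""
    return lookup(rbl_query_name(ip))


class Mailbox:
    """Per-recipient state: address book and how often each address was written to."""

    def __init__(self, address_book=(), sent_counts=None):
        self.address_book = {a.lower() for a in address_book}
        self.sent_counts = Counter({k.lower(): v
                                    for k, v in (sent_counts or {}).items()})

    def trusted_sender(self, sender, min_sent=2):
        # whitelist rule from the text: in the address book, or written to
        # several times; note it keys on the From address, which spam forges
        s = sender.lower()
        return s in self.address_book or self.sent_counts[s] >= min_sent


def classify(mailbox, sender, connecting_ip):
    """Return (verdict, reason). Whitelist wins, then the network checks."""
    if mailbox.trusted_sender(sender):
        return ("ham", "sender whitelisted by correspondence history")
    if in_access_range(connecting_ip):
        return ("spam", "connecting host is in a dial-up/DSL range")
    if rbl_listed(connecting_ip):
        return ("spam", "connecting host listed in " + RBL_ZONE)
    return ("unknown", "no network evidence; pass to content filters")


if __name__ == "__main__":
    # Constructed recipient state
    mb = Mailbox(address_book=["friend@example.org"],
                 sent_counts={"colleague@example.net": 3})
    for sender, ip in [("friend@example.org", "192.0.2.77"),
                       ("stranger@example.com", "203.2.3.4"),
                       ("stranger@example.com", "203.0.113.9")]:
        print(sender, ip, classify(mb, sender, ip))
```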

But not every trick can be countered by a technically savvy admin. If the same “Nigerian letters” can be filtered by known means with great success (using the whole arsenal, from blacklists and linguistic analysis to comparison with known samples), achieving a good rejection rate as a result, with the “letters of happiness” it is not so simple. The very whitelists mentioned above begin to work “against” anti-spam systems. The reasons, I think, are clear. The problems range from the purely technical to the moral and ethical. For example, it is impossible to blacklist the address of a sender who forwarded a letter of happiness on that basis alone, because he also writes normal correspondence. In such cases only an active educational campaign helps, but who will carry it out? Within a single organization it may be realistic, but within mail.ru, yandex.ru, gmail.com?

Different anti-spam systems have different approaches and their own technical solutions, but describing them would take several more pages and is beyond the scope of this article.

Spam status for 2005.
According to information from the spam analysts at Kaspersky Lab, 2005 brought stabilization of spam in terms of the volume of mailings and the income received from spam advertising. However, the growth rate is still 5-6% per year. The stabilization of spam volume is due to its proximity to the threshold beyond which the expediency of using e-mail as a means of communication is in doubt. Increasingly, the sender of a message has to notify the recipient that it was sent, or monitor the delivery process, since it is all too easy to throw out a needed letter that got lost among fifty spam messages.

The economic efficiency of email is reduced because spam causes significant damage to mail users. It is easy to imagine an employee receiving mail without first filtering it and spending half a day to view it. This means a decrease in employee productivity and losses for the employer. Not to mention the fact that, given the cost of traffic in the regions, some companies have to endure large financial losses due to essentially useless traffic generated by spam messages.

At the conference “The Problem of Spam and Its Solutions” the main trends in spam in 2005 were:
• Stabilization of the number and topics of spam.
• Thematic and technical separation of spam into different geo-zones of the Internet. (Runet and "Western" Internet).
• Criminalization of spam.
• The use of spam as a tool of information and political wars.

This year the leaders in spam emails were:
• Invitations to seminars and courses (14%).
• Offers “for adults” (12%).
• Computer fraud (11%).
• Supply of drugs (9%).
• Cheap software (7%).

In 2005 there was a clear distinction between spam for Western recipients and for Russian speakers. Spam for Russians evolved from direct imitation of its Western “colleagues” and adapted to Runet. Spammers began to actively offer real estate services, printing products and services, large household appliances, and various other services (for example, the services of movers). There are practically no such offers in Western spam, as they find no response from that audience.

The apparent criminalization of spam is alarming. More and more fraudulent offers fall into user boxes. The most famous and currently discussed types are phishing and pharming. (The essence of pharming is reduced to automatic redirection of users to fake websites. Unlike phishing, the new method of data theft almost does not require the participation of a potential victim.) Obviously, spam as a business is criminalized. This is evidenced by the merger of spam and hacker technologies. Modern spammer software includes special modules that allow mailing through users' machines infected with Trojans, that is, it was originally designed to interact with the Trojan part.

Over the past two years, we have had the opportunity to make sure that spam is becoming a powerful weapon of political games and an instrument of influence on the public consciousness. In terms of “coverage” and effectiveness, spam is quite comparable to television advertising, however, it costs much less. Of course, provided that such spam bypassed anti-spam filters. Campaign flyers are no longer limited to their paper carriers and have migrated to the digital world.

In 2005, Kaspersky Lab recorded a new type of “political” spam. We are talking about spam campaigns aimed at forming the desired public opinion on issues of the state's domestic policy. These spam attacks are well planned. An example of such an information campaign is the spam with links to the notorious Kavkaz Center website, which the Russian special services often call the mouthpiece of world terrorism.

Forecasts for the future.
In 2006, a further increase in the amount of spam is expected first of all. Spammers are likely to become smarter. Since mail servers now widely refuse to accept mail from providers' DSL pools, the use of zombie machines to send messages directly to the servers will become ineffective. Instead, the providers' SMTP servers configured on the infected users' machines will most likely be used.

An increase in the share of “manual” spam is also expected due to the growing popularity of phishing and through the use of the same technology of “letters of happiness” in advertising spam. “Manual” spam got its name from the method of sending it “manually” without using specialized spam software.

The technique of refusing messages from DSL address blocks will become ubiquitous. According to forecasts, the era of such spam will end in 2006-2007.

The use by viruses of the providers' SMTP servers configured by users is, in turn, likely to lead providers to tighten their policy on message sending by users. It is possible that providers will decide to install content filtering, since if they do nothing they risk ending up on the blacklists of most systems, which is unlikely to please their users.

The further development of the spam business can end in any number of ways, up to the point where at some moment it is decided to charge for each e-mail (in the style of paper postage stamps) or to subject postal correspondence to total control. It is possible that this will be the decline of e-mail as the main means of communication on the Internet. There are other factors too, such as the criminalization and politicization of the spam industry and the criminal part of spam outweighing its advertising component.

Materials from the conference “The Problem of Spam and Its Solutions” were used in preparing this article.

akeeper (Korshunov Alexey).
First published in the journal "System Administrator".

Source: https://habr.com/ru/post/5667/
