Spammers' use of AI only just begun

Security industry experts: Image spam tip of iceberg; tech, enterprise must target roots of problem, rather than individual campaigns, to drive back new forms

Though security industry experts were openly referring to the death of spam several years ago, the arrival of image-based attacks has resulted in a stunning renaissance in the volumes of unwanted e-mail reaching end-users' inboxes.

And while filtering technologies have improved significantly and can thwart the ability of most image spam to force its way onto corporate networks today, some experts believe that the fight against the use of such AI (artificial intelligence) tactics on the part of spammers is only just getting underway.

In a new report published on May 30, analysts at Cambridge, Mass.-based Forrester Research extrapolate on their theory that image spam is merely the tip of the iceberg when it comes to spammers' use of AI.

The only way to prevent a repeat of the image spam surge as new models using AI come to light, Forrester analysts said, will be for technology vendors and enterprise customers to abandon their current approach of trying to filter out every type of campaign that the mass-mailers conceive and instead battle the roots of the problem.

Just as Web sites and anti-spam providers have utilized techniques such as CAPTCHA -- the challenge-response tests found in many different online applications that ask users to input characters planted into obfuscated image files -- to beat back unwanted bot-driven activity, so too will spammers utilize AI to create seemingly endless variations on their message campaigns to circumvent the latest filtering tools, the experts said in their report.

CAPTCHA is an acronym for "completely automated public Turing test to tell computers and humans apart," a concept named after Alan Turing, the English mathematician referred to by some as the father of modern computer science.

"The notion with CAPTCHA is that computer bots and other programs can't efficiently process the image, that they can't deduce the words in the image, and that's the same thing that spammers are doing today to defeat traditional filters," said Dr. Chenxi Wang, one of the analysts who authored the research.

"People have devised new filters that use technologies such as optical character recognition that has curtailed the spread of image spam," said Wang. "Unfortunately, image spam is only one type of AI problem, and spammers have many they will use in the future; this is only the beginning of an arms race."

Just as CAPTCHA has largely foiled the ability of scammers to game online registration and transactional systems, spammers will be able to use a nearly endless variety of techniques to avoid the latest and greatest message filtering tools, the analyst said.

Without a major breakthrough in AI research, Wang said, there is "no way we can bridge the gap" with the number of methods that spammers will be able to use to keep their schemes humming along.

Among the types of methods that spammers are already employing to beat existing image-filtering tools are spam campaigns that use distorted and obfuscated text images, graphic pictures, and audio and video files.

To fight spammers over each type of content will be a losing battle, Wang said, recommending that customers and technology providers instead focus on monitoring messages for fundamental properties exhibited by each flavor, such as the links to malware sites that most of the e-mails carry.

"Vendors should look through the brouhaha calling for them to defend against each type of image spam and build products that attempt to capture the fundamental properties of spam," said Wang. "They can use techniques such as intent analysis and URL reputation analysis; those factors won't change with each new type of campaign that's being invented."

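A minimal sketch of the URL reputation idea described above, added here as an illustration and not taken from the Forrester report or any vendor's product: the check ignores how the pitch is rendered (image attachment, gibberish padding, plain text) and scores only the hosts a message links to. The reputation list, sample messages and function names are all constructed assumptions.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed reputation list (assumption); a real deployment queries a feed.
BAD_HOSTS = {"pills.example.net", "update-login.example.org"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def linked_hosts(msg):
    """Collect hostnames from every text part; media payloads are skipped."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # image/audio/video bytes are never interpreted
        for url in URL_RE.findall(part.get_content()):
            try:
                host = urlsplit(url.rstrip(".,;")).hostname
            except ValueError:  # malformed authority, e.g. broken IPv6 literal
                continue
            if host:
                hosts.add(host.lower())
    return hosts

def flagged_hosts(msg):
    """Return linked hosts that equal, or are subdomains of, a listed host."""
    out = []
    for host in linked_hosts(msg):
        labels = host.split(".")
        if any(".".join(labels[i:]) in BAD_HOSTS for i in range(len(labels))):
            out.append(host)
    return sorted(out)

def make_message(body, subtype="plain", image=None):
    """Build a constructed sample message, optionally with an image part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body, subtype=subtype)
    if image is not None:
        msg.add_attachment(image, maintype="image", subtype="gif",
                           filename="a.gif")
    return msg

# Constructed samples: image spam, gibberish-padded text, and a clean message.
IMAGE_SPAM = make_message(
    '<a href="http://pills.example.net/r?id=1"><img src="cid:a"></a>',
    "html", b"GIF89a" + bytes(32))
GIBBERISH = make_message(
    "xqz vlorp tann wobbit\nhttp://cdn.pills.example.net/a.\nfrell mintu")
LEGIT = make_message("Quarterly report: https://intranet.example.com/q2")
```

The image-based and gibberish-padded samples are both caught through the same linked host, while the image bytes themselves are never decoded.
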
While conceding that the fight against spammers isn't one that will ever likely draw to a close, companies such as ISPs that are working harder than ever to keep unwanted e-mail from reaching their customers say that progress is being made.

Stephen Currie, director of product management for e-mail at Atlanta-based ISP EarthLink, which reported 2006 revenues of more than $1.3 billion, said that his company has been able to reduce the amount of spam reaching its customers by 80 percent in the last 18 months.

Using filtering tools sourced from San Francisco-based software maker Cloudmark and its internally developed Scamblocker.com anti-phishing resource, along with a heavy dose of input from its users, has allowed the firm to turn up the heat on image spam and other AI campaigns, he said.

"The message content fingerprinting technologies from Cloudmark allow us to understand message contents without ever opening them up, and it doesn't require as much CPU power on our end as it would have even several years ago," Currie said. "But the real key has been to become very aggressive about using the feedback we get from end-users to stop spam that initially finds a way through."

Just as CAPTCHA relies on human interaction to defeat automated input, the approach of using customer feedback to identify and block spam sources is one that has trumped technological means, the executive said.

"Once we determine the root source of a campaign using these types of methods, we can block a lot of the IP addresses being used to stop it from sending additional mail to our servers," Currie said. "Although we're getting shipped more spam than ever, customers are telling us that they're now getting less than over the last several years, but we absolutely expect new things to come along and challenge us; it's the proverbial cat-and-mouse game."

In addition to utilizing human and technological means to stop spam, EarthLink is also involved in the Messaging Anti-Abuse Working Group (MAAWG), a global ISP initiative aimed at improving the current state of electronic messaging.

In mid-May, the group released its latest Sender Best Communications Practices (BCP), a set of best practices for e-mail technologies and subscription methods meant to improve deliverability rates for legitimate newsletter and marketing messages.

Officials with San Carlos, Calif.-based e-mail security service provider Postini -- which claims to process more than 1 billion messages per day for more than 35,000 organizations -- said that spam levels continue to set new records and that unwanted e-mails currently account for roughly 90 percent of all traffic it monitors, with 40 percent of those messages containing image spam.

In addition to high levels of image spam, the company is also tracking developments such as an increase in the volume of messages that appear to be meant to harvest e-mail addresses for subsequent malware attacks, including botnet threats.

Other recent trends under investigation by the firm include spam that attempts to evade filtering tools by using strings of gibberish to confuse content scanning technologies.

The company maintains that its products can help customers catch up to 99 percent of all spam if they are willing to employ the most aggressive settings available, but Postini executives said that users' fear of missing legitimate messages forces most companies to seek a balance between warding off unwanted e-mail and toning down the possibility for false positives.

"Because the overall volume of spam continues to increase, clients are seeing a few more messages per day sneaking in, and it does tend to be image spam, but progress is being made," said Adam Swidler, Postini's senior manager of solutions marketing. "It's probably naive to think that this fight will ever end as long as there is a monetary driver for the bad guys, but we do think that we can help get to a place where spam is only a minor nuisance."
