Spammers use new technique to evade filters

Spammers have stepped up efforts to use encrypted attachments to evade filtering systems, service provider Email Systems has reported.

The technique relies on the fact that many spam systems can't scan inside e-mails containing encrypted or password-protected attachment, and work out that they are not legitimate. Without a rule to block such attachments, most systems will pass on the e-mail to recipients, handing spammers an important victory in the battle to get spam through.

In recent weeks, Email Systems detected a small but steady stream of such spam emanating from bot-compromised hosts, containing a zipped-up version of the pervasive 'Storm' bot-loading Trojan that plagued Internet users in January.

Recipients would have been able to inadvertently unzip the Trojan using an embedded password, after being attracted by a number of eye-catching subject lines, including 'Worm Detected!', 'Virus Detected!', 'Spyware Alert!' and 'Warning!'

Although the technique has been around for some months, spammers appear to be stepping up their attempts to use it, said Greg Miller of Email Systems. The company had quarantined hundreds of thousands of copies of attachment spam, up from levels a tenth this volume some months ago.

"We have moved on from spam being just a guy sending out huge amounts of spam," said Miller. The vast bulk of spam was now automated via bots, and this made finding new infection methods even more critical to the spam economy. "Every six months or so we see a new attack that is very successful," he said.

As anti-spam systems adapted to popular techniques such as image spam, criminals were having to look further to engineer spam stealthiness.

The easiest means of detecting the current encrypted file attacks would be the attachment's filesize, 77KB, but this could be varied in future attacks quite easily. The best approach was simply to disallow encrypted e-mails to pass through the system at all.