That's because spam does leave a trail, albeit one that's often a confusing series of hops between servers around the world. But those clues are enough to block it.
Sophos catches spam in "traps" -- abandoned e-mail addresses and domains that have been donated for the purpose of spam research. Messages sent to those addresses are invariably spam, the first clue a message is garbage.
On a recent day, Paul Baccas, a spam research analyst, pulled duty. A message entitled "Let's go" caught his attention after it landed in a spam trap of addresses monitored by Sophos that belonged to a telecommunications company that went bust six years ago.
Machine analysis ranked the message as likely being spam, but the filter let it through. Human analysis revealed it wasn't a legitimate message. Deeper investigation showed a tangle of false information peppered with international locales.
The message contained a link to a Web site selling "human growth hormone," a product advertised recently through spam aimed at U.S. users, Baccas said.
The Web site was registered with a hosting company in Hong Kong less than an hour before the spam message was received by Sophos, Baccas said. It was registered by a person in Detroit according to the whois data.
It's uncertain whether the registered name is real, according to Graham Cluley, chief technology consultant for Sophos.
The state abbreviation in the whois database, however, was incorrect. A call to the phone number listed found it disconnected. Adding to the ruse, the return address for the spam message contained a ".pl" suffix, indicating it came from Poland. But that information is also easily faked.
"Basically, he's sent an e-mail to a company that hasn't existed in six years within 45 minutes of him registering the Web site," Baccas said. "That's very suspicious."
The approach is one in a rich bag of tricks spammers employ to beat security software. Lately, analysts have noticed a sharp uptick in spam messages with images containing words, which can defeat text analysis.
Another method spammers use is adding or subtracting just a few pixels in every image, so that to a computer each message looks unique even though the picture is the same. To defeat optical character recognition (OCR) technology -- which can read words embedded in images -- spammers introduce colored pixels to create image noise.
A human can still make out a letter "C," but a machine begins to struggle once the technique is applied, said Simon Heron, director of operations for security vendor Network Box Corp. It's the spammer equivalent of using hairspray on a license plate to confuse a speed camera, which also uses OCR, he said.
"Basically, they've got a little program which is actually able to generate a slightly different e-mail each time even though the picture to the human eye looks absolutely identical," Heron said.
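The pixel-tweaking trick described above defeats any filter that keys on an exact hash of the image, but a coarse perceptual hash still groups the variants together. The following is an added example, not code from Sophos, Network Box or the article; the 16x16 glyph, the pixel tweaks and the `same_campaign` threshold are all constructed here for illustration.

```python
import hashlib
from typing import List, Tuple

Image = List[List[int]]  # 8-bit grayscale rows; constructed in memory for this example


def make_sample_image(size: int = 16) -> Image:
    """Constructed sample: white canvas with a dark block glyph shaped like a 'C'."""
    img = [[255] * size for _ in range(size)]
    for y in range(3, 13):
        for x in range(3, 13):
            if not (x > 7 and 5 < y < 10):  # leave the right-hand middle open
                img[y][x] = 20
    return img


def perturb(img: Image, tweaks: List[Tuple[int, int, int]]) -> Image:
    """Copy of img with (x, y, delta) pixel changes applied: the per-message variation the article describes."""
    out = [row[:] for row in img]
    for x, y, delta in tweaks:
        out[y][x] = max(0, min(255, out[y][x] + delta))
    return out


def exact_hash(img: Image) -> str:
    """Byte-exact fingerprint; any single pixel change produces a different value."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img: Image, grid: int = 4) -> int:
    """Block-average perceptual hash: one bit per grid cell, set when the cell is darker than the image mean."""
    size = len(img)
    assert size % grid == 0, "image side must be a multiple of the grid"
    step = size // grid
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            block = [img[y][x] for y in range(gy * step, (gy + 1) * step)
                     for x in range(gx * step, (gx + 1) * step)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:  # first cell becomes the most significant bit
        bits = (bits << 1) | (1 if c < mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def same_campaign(a: Image, b: Image, max_distance: int = 2) -> bool:
    """Treat two images as the same spam artwork when their perceptual hashes nearly agree."""
    return hamming(average_hash(a), average_hash(b)) <= max_distance
```

A real filter would use a finer grid and a DCT-based hash on the decoded attachment, but the matching logic is the same.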
But the spam fighters aren't giving up. In the next two weeks, Spamhaus is planning to roll out a new approach to cut the number of "zombie" machines sending spam.