It has been widely estimated that nearly 80 percent of the email reaching your organisation from the internet is spam. Reliance on conventional, content-based anti-spam techniques, such as keyword searches or heuristics is not enough. These filters must be updated regularly, and are ineffective at protecting against new types of spam. The spamming community knows this, and they will circumvent them again and again by developing new methodologies. Email security vendors must enable businesses to be proactive in the spam war. Of late, spam messages often rely on images rather than on text to communicate. Containing only an embedded image and no URLs, text parts or complex HTML structures, image-based spam is a new battlefield. Phishing continues to plague inboxes as a newer weapon in the spam war, targeting your personal information. A phishing attack highlights the blurred line between spammers and hackers. Hackers have evolved from glory-seeking individuals to organised crime entities that cost businesses billions. With this change, spammers have become more of a true security threat to proprietary information and the messaging infrastructure. One approach to counter these new types of spam is to analyse the flow of incoming emails. A typical characteristic of spam is that similar emails arrive in waves. Within a particular period of time, multiple emails with similar characteristics will arrive from different senders - spam. Flow control can be used to reliably block previously unknown spam threats. While most people view spam as an annoyance and a productivity-sucker, it can actually represent a dangerous financial and intellectual property security threat. However, more dangerous by far are the malicious payloads attached to legitimate-looking email messages. For such emails, antispam alone is of no value. And unfortunately, for today's malware, traditional, signature-based anti-virus is necessary but not sufficient. A layered approach to email security is the only way to successfully address multiple threats, complementing anti-spam with behavioral anti-virus protection. Signature anti-virus, by itself, is like applying sun block to someone already bright red with sunburn. Signature anti-virus is good for stopping attacks with known signatures and for discovering and removing malware that has become known over time. However, today's email-borne malware attacks (e.g., bots, worms, trojans, serial variants, rootkits) can evade traditional anti-virus tools and drop malicious payload that can flood a network with spam, log passwords to gain access to confidential data, permanently affix themselves to the endpoint's operating system or, ironically enough, disable anti-virus tools at the email gateway, opening the floodgates to all manner of attacks. Virus attacks are becoming more sophisticated in their distribution to evade signature anti-virus technologies. For example, programming a virus to attack only a limited number of hosts for a short duration before a new variation of the virus is released is a technique hackers and spammers use to propagate without being detected by signature AV organisations. Email security requires a more proactive approach than reactive signature AV can provide. Doing behavioral analysis on attachments will stop new threats before a host (or a network) is brought to its knees by a malicious attack. As threats evolve, so should industry standards. Email administrators must insist on proactive security measures that go beyond traditional techniques. Aside from threats and annoyances inside email, the network services that email is conveyed through (e.g. SMTP) are also vulnerable to attack. What if hackers could attack your email server directly through vulnerabilities in the mail software (Exchange, SendMail, Lotus Domino, or any other mail transfer agent software, whether it is privately developed or open source)? Then they could attack your email server and take control of that system, rendering all anti-virus ineffective. Most companies do not realise that this is a potential vector of attack against their email system. This is one of the most critical layers that a company must effectively protect. By implementing an email security solution that includes intrusion prevention technology, an organisation can adequately protect this vulnerable aspect of its messaging infrastructure.
When one combines a malware-prevention system that is able to detect and block zero-day threats with state-of-the-art anti-spam and conventional anti-virus techniques, one achieves a secure, effective email filtering system that enables conscientious IT departments to stay ahead of the threat.
Carsten Dietrich is director of content security for IBM Internet Security Systems.
Take a proactive approach to email security
By Carsten Dietrich, on Nov 1, 2006 8:55PM