By Simon Heron, CISSP Internet Security Analyst
2008 was a record year for spam and viruses.
Our estimate is that an average business in the UK had to block 1.2 million spam messages and resist 6.3 million attacks on its firewall.
The figures are astounding. And yet, spam continues.
The only reason this can be is that some people, somewhere, respond to it - they trust the sender, or they are still unaware of the risks it poses.
2009 will be an interesting year in the fight against spam. We're seeing a game-changing shift in the way spam is identified, and therefore blocked.
The only really effective way to combat spam is to render it useless to spammers.
We've been developing a way of detecting and blocking spam that analyses not just content and IP address, but also what it learns from email users' behavior and relationships, to understand which emails the recipient actually wants and which are spam.
At the moment, there are three main ways to protect against spam:
- analyze the message content;
- assess the reputation of the sender; and
- apply challenge-response (putting the onus on the email sender to answer a challenge from the recipient's system, to prove they are who they claim to be).
None of these is 100 per cent effective, and challenge-response used on its own has been unsuccessful because legitimate senders frequently don't complete the authentication process.
But analyzing and learning from the behavior of both the sender and recipient of the email is a really interesting development in the fight against spam.
One thing that is obvious is that with the vast majority of spam, there is no relationship between the real sender and the recipient.
If a filter can deduce that absence of a relationship, spammers are forced to establish one first, and that changes the game.
So if you understand behavior of the sender and recipient, you can apply that understanding to assess whether an email is spam.
There are a number of ways to understand behavior:
1. Maintain a central database of existing email relationships. This means that genuine emails from contacts in the user's address book are white-listed, assuming they pass the usual tests of content and sender reputation. The database records and analyses historical information about each relationship and queries new or 'odd' behavior. So, for example, if a contact usually based in Hong Kong suddenly starts sending emails from Russia, the email may be queried.
2. Each relationship is scored on an analysis of sender, recipient and message attributes, the score reflecting the trust in and strength of the relationship.
3. The system also learns from user behavior. For example, if email user A sends an email to email user B, the system understands that user A trusts user B, and therefore strengthens the trust score of that relationship.
4. If an email relationship scores low, there are a number of options open to the system, depending on its configuration. It can quarantine the email and notify the recipient (the email can be released with a single click by the recipient if required); challenge the sender to confirm their identity; or defer the email.
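As an added worked example (not Network Box's product code; every threshold, field name, address and sample message below is an assumption constructed for illustration), here is a small Python relationship filter that implements the four steps above: a central relationship database seeded from the address book, attribute scoring that queries an unexpected sending country, trust strengthened by the recipient's own outbound mail, and configurable handling (quarantine with one-click release, challenge, or defer) for low-scoring relationships.

```python
from dataclasses import dataclass, field

# Constructed sample data for the 'usual tests' of step 1: a tiny sender-reputation
# blocklist and a content phrase list. Both are assumptions for this example.
BLOCKED_SENDER_DOMAINS = {"bulk-offers.example"}
SPAM_PHRASES = ("act now", "free money")


@dataclass
class Relationship:
    """Historical record for one (sender, recipient) pair in the central database."""
    score: float = 0.0                            # trust strength; higher is better
    countries: set = field(default_factory=set)   # sending countries seen in trusted mail


class RelationshipFilter:
    SEED_SCORE = 3.0        # score given to an address-book contact (assumed value)
    THRESHOLD = 1.0         # below this the relationship is 'low' (assumed value)
    OUTBOUND_BOOST = 1.5    # trust gained when the recipient mails the sender (assumed)
    ANOMALY_PENALTY = 2.5   # penalty for an unexpected sending country (assumed)
    LOW_TRUST_ACTIONS = ("quarantine", "challenge", "defer")

    def __init__(self, low_trust_action="quarantine"):
        if low_trust_action not in self.LOW_TRUST_ACTIONS:
            raise ValueError(f"unknown action {low_trust_action!r}")
        self.low_trust_action = low_trust_action
        self.db = {}      # step 1: central database, keyed by (sender, recipient)
        self.held = []    # quarantined messages awaiting a one-click release

    def _rel(self, sender, recipient):
        return self.db.setdefault((sender.lower(), recipient.lower()), Relationship())

    def import_address_book(self, owner, contacts):
        """Step 1: contacts in the owner's address book start as trusted senders."""
        for contact in contacts:
            rel = self._rel(contact, owner)
            rel.score = max(rel.score, self.SEED_SCORE)

    def record_outbound(self, sender, recipient):
        """Step 3: A mailing B shows A trusts B, so mail from B back to A gains trust."""
        self._rel(recipient, sender).score += self.OUTBOUND_BOOST

    @staticmethod
    def passes_usual_tests(msg):
        """Content and sender-reputation checks that relationship scoring sits on top of."""
        domain = msg["from"].rsplit("@", 1)[-1].lower()
        if domain in BLOCKED_SENDER_DOMAINS:
            return False
        body = msg["body"].lower()
        return not any(phrase in body for phrase in SPAM_PHRASES)

    def assess(self, msg):
        """Return the verdict for one inbound message and update the relationship history."""
        if not self.passes_usual_tests(msg):
            return "reject"
        rel = self._rel(msg["from"], msg["to"])
        score = rel.score
        # Step 2: attribute analysis. A contact who has only ever written from one
        # country and suddenly appears from another is 'odd' and gets queried.
        if rel.countries and msg["country"] not in rel.countries:
            score -= self.ANOMALY_PENALTY
        if score >= self.THRESHOLD:
            rel.countries.add(msg["country"])   # only trusted mail extends the baseline
            return "allow"
        # Step 4: low-score handling depends on configuration.
        if self.low_trust_action == "quarantine":
            self.held.append(msg)
        return self.low_trust_action

    def release(self, msg):
        """Step 4: the recipient releases a quarantined message, which this example
        also treats as the recipient vouching for the sender (an assumption)."""
        self.held.remove(msg)
        rel = self._rel(msg["from"], msg["to"])
        rel.score += self.OUTBOUND_BOOST
        rel.countries.add(msg["country"])
        return rel.score


def demo():
    """Run a constructed scenario and return the verdicts in order."""
    f = RelationshipFilter(low_trust_action="quarantine")
    f.import_address_book("alice@corp.example", ["wong@hk-partner.example"])
    f.record_outbound("alice@corp.example", "bob@vendor.example")
    messages = [  # constructed sample traffic, not real mail
        {"from": "wong@hk-partner.example", "to": "alice@corp.example", "country": "HK", "body": "Q3 figures attached"},
        {"from": "wong@hk-partner.example", "to": "alice@corp.example", "country": "RU", "body": "please open the attachment"},
        {"from": "bob@vendor.example", "to": "alice@corp.example", "country": "GB", "body": "invoice 42 as agreed"},
        {"from": "stranger@random.example", "to": "alice@corp.example", "country": "US", "body": "hello there"},
        {"from": "deals@bulk-offers.example", "to": "alice@corp.example", "country": "US", "body": "act now"},
    ]
    return [f.assess(m) for m in messages]


if __name__ == "__main__":
    print(demo())
```

In the scenario, the Hong Kong contact's first message is allowed and Hong Kong becomes the baseline; the same contact writing from Russia drops below the threshold and is quarantined, and a one-click release both raises the score and adds Russia to the baseline, so the next such message is allowed. Where the `country` field comes from (for instance a GeoIP lookup of the connecting host) is left to the receiving system; the example takes it as given.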
These techniques, combined with existing analysis techniques, could herald the real breakthrough we've been waiting for in the fight against spam.
Copyright © 2008 To Present—Information-Security-Resources.com
Simon Heron has over 19 years' experience in the IT industry, including nine years' experience in Internet security. During this time he has developed and designed technologies ranging from firewalls and anti-virus to LANs and WANs. Simon has an MSc (attained with Distinction) in Microprocessor Technology and Applications, and a BSc (Hons) in Naval Architecture and Shipbuilding, and is a CISSP (Certified Information Systems Security Professional). Prior to Net Caboose, Simon co-founded Network Box Corporation (UK) Ltd and was Managing Director, finally merging this franchise with the parent company in 2006. Before Network Box, Simon co-founded and was Technical Director of Cresco Technologies Ltd, a network design and simulation solution company with customers in the USA, Europe and China. Simon started his security career when he worked for Microsystems Engineering Ltd as a Project Manager, where he implemented network security for the company. Simon began his career as a digital hardware and software engineer, developing pioneering speech recognition technology before moving on to work for the British Antarctic Survey (B.A.S.) as science project leader. While at the B.A.S. he spent two Antarctic winters at the research station Halley in the Antarctic, developing and enhancing graphical technologies in the harshest of conditions. Simon also has a company called Net Caboose, which deals with Identity and Access Management and is also a development house.

Network Box Limited (NBL) is an international managed security services company, specialising in unified threat management (UTM). It continuously defends the networks of its customers using PUSH technology to instantaneously update protection, from 12 Security Operations Centers spread around the globe. NBL's customers in Asia, Australia, North America and Europe include companies such as BMW, Nintendo and Toyota, as well as banks, utilities companies and government organizations.