Mail Reputation Services Block Undesirable Email Messages

Eliminate Botnet-generated Spam, Malware and Phishing

This article introduces the concept of mail reputation services and explains how they can be used to block unwanted email at the network perimeter, saving IT resources and protecting against security threats.


The vast majority of email today is unwanted; a recent Commtouch trend report measured spam and malware messages as reaching peaks of over 90 percent of all messages sent over the Internet. This superfluous mail is more than just a productivity drain for end users: spam consumes vast amounts of IT resources such as storage and bandwidth; malware creates organization-wide vulnerabilities, with the potential to lose confidential data through keystroke loggers and the like; and phishing messages can defraud users of their banking or other high-value credentials, leading to identity theft and significant financial damage. Enterprises and service providers alike are paying the price of the unchecked rise in these destructive unwanted email messages.

Enterprises and service providers have started protecting their networks through the use of reputation services, which enable them to eliminate the majority of unwanted email traffic at the network perimeter. A reputation service is analogous to a credit bureau for email senders. It provides a virtual snapshot of the sender based on its IP address, noting whether it has sent spam, malware or phishing in the past, and how recently. It also analyzes the volume of email that IP address has sent. Has it gone from sending just a few messages a day to suddenly sending thousands? These and other elements of the sender’s “credit rating” enable the reputation service to score that sender and the likelihood that the IP address is sending spam or malware. These scores enable intelligent decision-making about how to handle that particular sender’s email: whether the mail server should accept it immediately, throttle it to slow down potential spam, or reject it outright because the sender has a poor reputation.
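The scoring idea described above can be sketched in a few lines of Python. This is an added example, not code from Commtouch or any product named in this article; the half-life, spike cap, thresholds, field names and sample senders are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass, field

# Assumed tuning values for illustration only; the article gives no real numbers.
HALF_LIFE_HOURS = 24.0         # a past sighting counts half as much every 24 h
SPIKE_CAP_LOG10 = 2.0          # a 100x jump over baseline is treated as maximum risk
THROTTLE_AT, REJECT_AT = 0.4, 0.8

@dataclass
class SenderHistory:
    ip: str
    baseline_msgs_per_day: float            # typical daily volume from this IP
    msgs_last_day: int                      # volume in the most recent 24 hours
    bad_sightings_hours_ago: list = field(default_factory=list)  # spam/malware/phishing

def history_risk(h):
    """Past abuse, weighted so recent sightings dominate and old ones fade."""
    weight = sum(0.5 ** (age / HALF_LIFE_HOURS) for age in h.bad_sightings_hours_ago)
    return 1.0 - math.exp(-weight)

def volume_risk(h):
    """Sudden jump from a few messages a day to hundreds or thousands."""
    ratio = h.msgs_last_day / max(h.baseline_msgs_per_day, 1.0)
    return 0.0 if ratio <= 1.0 else min(math.log10(ratio) / SPIKE_CAP_LOG10, 1.0)

def score(h):
    """Combine both signals so either one alone can push the score up (0..1)."""
    return 1.0 - (1.0 - history_risk(h)) * (1.0 - volume_risk(h))

def decide(h):
    """Map the score to the three handling options: accept, throttle, reject."""
    s = score(h)
    return "reject" if s >= REJECT_AT else "throttle" if s >= THROTTLE_AT else "accept"

# Constructed sample senders (documentation address ranges, not real data).
SAMPLES = [
    SenderHistory("192.0.2.10", 50, 60),                # steady, clean sender
    SenderHistory("198.51.100.7", 5, 150),              # no history, sudden volume spike
    SenderHistory("203.0.113.44", 20, 20, [1, 2, 3]),   # abuse seen in the last 3 hours
    SenderHistory("203.0.113.45", 20, 20, [96]),        # one sighting four days ago
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h.ip:15} score={score(h):.2f} -> {decide(h)}")
```

Because old sightings decay, the same IP address moves from "reject" back toward "accept" once it stops sending abuse, which matters when addresses are reassigned frequently.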

It may sound easy – spammer IP addresses should be blocked and regular senders should be allowed. But of course it’s much more complicated than that. Most unwanted email is sent from networks of zombie computers, or botnets. Zombies, or bots, are computers that have been taken over by malicious software programs, enabling the computers' resources to be used without the owners' knowledge. Most zombie software programs can turn a computer into a spam-spewing machine, while others can enable the computer to engage in a whole host of other illegal activities, such as advertising click fraud, credit card fraud, and even distributed denial of service attacks. Zombies have become the sender of choice for spammers and malware distributors, since it’s relatively straightforward for them to orchestrate large-scale outbreaks and to bypass many types of email filtering and reputation service technologies. The reason for this is that most zombies are highly dynamic, changing their IP addresses relatively frequently and sending just small quantities of spam, malware or phishing messages before being deactivated, and then reactivated at a later time. The window of time in which a spam-sending bot is active can be so short that unless the reputation service works in real time, it can miss it altogether. For example, traditional Real-time Blacklists (RBLs), which are typically compiled by receiving inputs from community members, are ineffective against such dynamic threats.

For a reputation service to be effective against today’s zombie/botnet threats, it must work in real time, identifying and blocking these dynamic zombies as they are activated. It needs to be able to observe global sender trends and react in a flash.

Most reputation services are incorporated into a broader offering, such as a Unified Threat Management (UTM) appliance or a mail transfer agent. Messaging security solutions offered by Sendmail, 3Com, Check Point, Tumbleweed and others incorporate Commtouch’s GlobalView Reputation Service, a real-time service that identifies and classifies bot activity as soon as zombies are activated.
