A clarion call to de-silo and take the offensive

* * *

The historical development of spam fighting is allowing computer-aware criminals to take the upper hand in the fight against what has now evolved into a completely technologically and organizationally merged threat to public safety. If we do not change our strategic approach immediately, the battle, indeed even the war may be all but lost.

How we got here

In 1995 the anti-spam community coalesced as spam became more prevalent. Over the years it evolved from a grass roots effort to make the shift to several mostly-independent streams of attack: the professionals: Anti-spam technical services, lawyers, governments and NGOs, industry coalitions such as Messaging Anti-Abuse Working Group (MAAWG), the Anti-Phishing Working Group (APWG) The Anti-Spyware Coalition (ASC), and the volunteer 'amateurs' such as The SPAMHAUS Project and CAUCE (the Coalition Against Unsolicited Commercial Email) who continue to contribute immensely valuable services to the goal of mitigating spam.

Additionally, the independent streams of anti-virus technologists and companies, and those focused on spyware have developed and flourished.

Spam, too has gone from amateur to professional in nature; when initially sent by individuals from their own email accounts, direct to unwilling recipients, blocking junk email was fairly easy. By filtering on a specific sender name or email account, receiving sites could refuse mail.

Formative public blacklists had lists of sender addresses and sites known to be a source of spam. I helped write and maintain one of the very first of these for Concordia University in Montreal, Canada. Deceptive techniques immediately arose to circumvent these blocks, by forging sending addresses, and then by making use of machines, which would freely transfer mail from anybody to anybody - so-called 'open relays'. A campaign to shut down open relays evolved into additional blacklists.

Blacklists and spam-blocking programs had already evolved to cover content as well, and so too the spammers adjusted, by obfuscating words they knew to be blocked, including paragraphs of randomly generated nonsense text to create a series of unique messages. The foundation was laid for the era of 'false positives', legitimate email flagged as spam.

Starting in mid-2001 the spammers evolved again, with the creation, distribution and use of virus programs which would install a mailer or 'open proxy' on infected machines, allowing them to send mail via desktop computers, unbeknownst to the owner of the machine. Again, blacklists adjusted, by listing IP addresses from which mail might never legitimately come (often times best-guess estimates of dynamic address ranges at ISPs, companies and institutions). The arms race between spammers' and anti-spamming technologies was full on.

This era also marked the first collaborative efforts between spammer and virus makers. The latter were to this point mostly mischievous hackers doing fairly benign and easily detectable infection runs, and affecting a handful of high-profile attacks on online sites, government system probes and the like. Viruses tended to operate by planting an enticingly (deceptively)-named program on a website, and infecting the rubes who downloaded and ran it. Self-replication began to be seen more frequently around this time - viruses would begin to mail themselves using resident address books of infected computers.

Plainly, putting the ability to infect massive numbers of computers by way of spam into the hands of virus makers, and the ability to send mail from millions of infected computers into the hands of the spammers was a natural synergistic relationship. A marriage born in hell, some would say.

The blended criminal threat: where we are today

Penny stocks are chump change: Of late, much has been said in the popular and computer press about a vector that is annoying, but hardly critical in nature: 'Image spam'.

Spammers have jumped on the new technology of 'image-only' payloads, which morph one pixel per message, rendering them unique, and traditional check-sum blocking strategies ineffective. Image spam is entirely useless for payloads requiring a user to click through to a payload website, because the URLs underlying these clicks can only morph slowly, and the high degree of effectiveness of blacklists such as SURBL remain the best line of defense to deal with that. In practice what this means is that so-called 'image spam' tends to be touting penny stocks that the spammers pump and dump, with mention in the graphic of the stock symbol.

Fortunately this fraudulent stock-touting scheme leaves a paper trail that has allowed for some successful prosecutions in the latter half of the year. Stock spamming, while popular at present time is likely to decline as legal actions increase.

Phishers now trawl netting: Far more serious, phishing is the vastly popular newish-kid on the block:

Netcraft saw 41,000 different phishing and malware URLs submitted in 2005. In 2006 that number soared to 609,000, going from a maximum of 20,000 reported per month to 45,000 in October, 135,000 in November, and 277,000 in December. Sophistication in phishing techniques grew as well

Symantec now see 900 unique phishing URLs daily

Phishtank saw over 21,000 discrete submissions in December 2006

The Anti-Phishing Working Group saw a six-fold increase to 38,000 phish in October 2006 from the year previous.

In terms of efficiency of sheer revenue generation, it makes sense for the spammers to have embraced phishing. After all, why inundate users with advertisements for entirely useless body-part enhancement or reduction potations with hopes that a tiny percentage of the recipients will actually make a purchase, when you can trick end-users into revealing personal information allowing you to reach into their bank account and clean it out?

Personal Information is the currency used between criminals on the net. An entire life's aggregation of data (name, address, phone numbers, credit cards, social insurance number, driver's license, and so on) generally brings the depressingly low prices (so-called CC Full - A credit card number with billing address sells for $2-$5), and a shockingly high price tag to the person whose ID is sold (2006 saw the proliferation of Personal ID Insurance and credit bureau reporting services. Reports of the ineffectiveness of these approaches to ID theft mitigation surfaced towards the end of the year).

Of course, this does take one a few steps up the criminal food-chain, from 'high volume email deployment' service provider to spammer school operator like one certain court-rendered judgment-neutered 'former' spammer, to conman, to bank robber.

Chicken Little comes home to roost

The effects of all these disparate but related and coordinated threats are definitely being felt. End-user confidence in e-commerce is already taking a massive hit. Michael Binder, Assistant Deputy to the Canadian Minister of Industry gave a remarkable presentation making specific note of the precipitous drop in consumer confidence at the Anti-Spyware Coalition meeting in Ottawa in May, 2006

What is marked about the drop in confidence noted by Binder is that it all predates the current levels of phishing and online fraud. The latest studies show that as many as 90% of consumers polled expressed deep skepticism in their ability to conduct business safely online, yet paradoxically the rate of growth of online commerce continues apace.

It is safe to say that the growth has been attenuated to a degree, and as consumers increasingly know victims personally, they will back away from online purchases and return to traditional retail outlets.

A cataclysmic failure of a major online financial service could hasten this process. For example, DNS poisoning of an ISP's servers to divert users to fraudulent banking sites would need no overt prompting from a phish email, and the number of victims would be far higher than from a phish mail run. That would make for massive and quite possibly irrecoverable damage to the reputation of not only the firm affected, but all online financial service providers.

To date, banks have been making goodwill compensatory gestures to cover consumer loses due to phishing. It remains to be seen if that will happen when the losses add up to a significant amount; legally most financial institutions are not obliged to do so under the terms of typical client service agreements.

However, shaken consumer confidence in online commerce is only a canary in the coalmine.

There is no greater calamity than to under-estimate the strength of your enemy - Lao Tzu

From a technical viewpoint, spam and spammers have quickly evolved from porn and penis-pills to phishing, and the use of viruses, worms, Trojans, and spyware to deliver more of the same. Spam infects computers, which then become part of botnets, which are used to disseminate more spam, spyware, and viruses. And round and round it goes ...

There is clear indication that organizationally the walls between the virus-makers, hackers, spyware creators and botnet herders controlling vast networks of zombie'd home and business desktop computers numbering in the hundreds of millions have long been broken down.

There is now full integration with the bad-guy technologists and sophisticated groups of computer-aware criminals bearing absolutely no conceivable relation to the too-often touted cliché of a 'teenager in his parent's basement hacking into government computers' the press frustratingly loves to put forth as the cause of present-day computer problems. That may have been the case in the 1980s and 90s, but no longer.

This stereotype has to be a source of much mirth for those behind the blended threat, as they are often associates or members of traditional organized crime gangs. As big money began to be made with spam, it attracted the usual suspects. All the big players are involved now, the Russian Mob, Italian Mafia, Hell's Angels, and of course Colombian drug-dealing cartels.

There have been some mentions in the press of late that organized crime in eastern Europe is now paying the way for promising young programmers to attend computer science programs in American universities. The under-written graduates are then set to work doing the bidding of those to whom they are beholden. It is quite true, indeed this has been happening for years.

What the future holds

The latest spam/malware threat that has a name, SpamThru, has only been used to a tiny percentage of its capacity, and questions arise whether spam is indeed the end game, or rather merely a way to test the implementation of a monstrous creation which will be put to other use as time goes on.

SpamThru has driven the spam volumes through the proverbial roof, some sites noting an 80% increase in the last 3 months alone. Forensic analysis of this mechanism shows that it attaches itself to a so-called 'stud', a small and difficult-to-detect mechanism previously distributed. When a removal program is run against SpamThru, it kills the active malware, but leaves the stud able to download SpamThru II or any other new malware the criminals tell it to. Highly placed technologists feel that SpamThru-infected machines are being used at 20% of their capacity.

Other technologies currently in common use are polymorphic 'Queen bots', which change profile and do various things at different points in time to control subservient zombies computers, and 'fast-flux dns' which is a DNS server hosted on an infected machine which resolves human- recognizable URLs, for example, http://phishingvictim.ca to a multitude of similarly infected machines. If an anti-spam researcher files a complaint for take-down of http://phishingvictim.ca residing on IP address 1.2.3.4 there maybe dozens more sites also (unknowingly) hosting the site - 2.3.4.5, 3.4.5.6, and so on

Several things come into play here. Anti-spam technologies have become quite effective at blocking spam at the inbox level, though there is a cost in resources to ensure the machines and staff to maintain them do not become overwhelmed, and the spam is blocked at the periphery of a given network.

Data point: AOL reported that they blocked half a trillion spam emails at the entrances to their network in 2005.

Data point: Ironport noted spam volumes doubled from the year previous, seeing an estimated average of 63 billion sent daily in October, 2006. In November they measures two daily mega-spikes hitting 85 billion.

Data point: Major receiving sites (corporate, ISP and freemail) have said privately that their systems are all but overwhelmed by the new levels of spam.

Medium, Small and regional ISPs, which traditionally have thin financial margins are beginning to incur disproportionately difficult expenses as they hire new staff, increase their hardware budgets and pay for additional out-sourced anti-spam products and services.

Ironically, the spammers might have inadvertently invented a 100% effective solution to spam, as they devastate and overwhelm systems, networks, one-another, and more. Dead systems tell no SMTP.

Spam can easily expand and increase in a number of ways:

More messages (increased message count)

Larger messages (on a per-message basis)

More senders (in rotation over the course of a day)

More concurrent parallel senders

More targeted sending (e.g., instead of sending a little to everyone, sending twice as much to half the number of targets)

How much worse can it get? (it's not merely about the email)

"The Internet is down!": Although not inevitable, the complete obliteration of the continued, secure operation of electronic communication, e-commerce other legitimate end services looms close enough for the utmost degree of concern. It is now well the within the capacity of botnet operators ("herders") to attack any site, network, even an entire country and severely degrade operations, even to the extend of driving them off-line. If the current trends continue apace, the ability to use the email and even the Internet itself may indeed be 'not at all'.

Virtual attacks on the real world: Botnets can be used for many things, and have been:

An attack that interfered with the computerized functions of intensive care facilities at a Seattle, Washington hospital saw the sociopath behind that insane action face swift and severe justice earlier this year. The botnet related to this attack was being used to install adware in an attempt to generate revenues for the criminal.

In 2002, a 9-1-1 emergency system in the American state of Washington was disabled with a botnet.

Major airlines, banks, large parts of the U.S. military, railways and nuclear plants infected (a depressingly-dated article from three and a half years ago lays out many of the scenarios which have now come to pass with nothing being done to mitigate the potential for real-world, bricks and mortar disaster).

How long until Al Queda makes good on their threat to launch a computer attack the American financial system? The United States' Department of Homeland Security deemed it a credible enough threat to issue a public statement dismissing it as incredible, and assuring the public 'everything was fine, nothing to look at, go back to your homes'. Was this burp in the credit card processing and money transfer system part of the attack?

The good guys: Moving from Keystone Cops to U.S. Navy SEALs

It became painfully evident during the many conferences I attended this fall1 that presenters and attendees universally agree we are losing the war, and to my mind the losses are mostly due to the good guys being disjointed and disorganized; the criminals take full advantage of this fact.

There is an immeasurable amount of hard work by some of the smartest, most creative talented people on the planet undertaken to fight on-line attacks. But it is uncoordinated. The criminals don't have to be politic or polite nor do they have to respect co-workers feelings, or intra-governmental diplomatic considerations, or the institutional ego manifest in marketing and public relations considerations; they operate on a plane well beyond the constraints we deal with daily.

Major companies and governments send entirely different teams to various industry functions (spam, virus, spyware, network security), from entirely separate departments or divisions that rarely, if ever, provide proper reporting let-alone in-depth briefing to one-another.

As well, limited resources, and other factors leads to sending staff who are ill-suited to participate and properly contribute to specific industry coalitions. Sometimes decisions are driven by concerns concentrated on public image rather than on effective participation; top-management unawareness of the opportunities being missed may well end up in a catastrophe.

An alphabet soup of industry groups all fighting a unified enemy pell-mell is an entirely inefficient way to deal with a problem more urgent than ever; off the top of my head, OECD, LAP, CSNA, MAAWG, APWG, ICANN, IETF, IRTF, ITU, ASC, APECTEL, CERTs, ESPC, DMA, CMA, SANS, and countless other marketing, anti-spam, virus, spyware and security organizations meet, discuss, and plan independently.

Participation by all stakeholders: technical, legal and government relations representatives, marketing, and mid- and executive-level administration staff members is critical to success. As well all sectors - government (policy and law enforcement), educational, infrastructure operators (DNS, domain and connectivity providers), financial institutions, and numerous associated areas must not only be consulted but solicited to actively participate in coordinated efforts towards a solution.

Happily, there is newly founded current trend to send a representative or two intra-group, or hold joint meetings. Sadly, that falls well short of what we need.

Take back the net

The fight against computer-aware criminals is now at a critical juncture demanding we de-silo the false barriers between types of threats and the people who deal with them, because the nature, power and scope of the blended attack (spyware, spam, viruses, phish and bots) that currently exists is actively threatening the very foundational infrastructure and continued viability of the entire Internet. We, like our opponents have done, must break down the walls between industry groups and stakeholders and take a coordinated approach, beyond that, the approach has to be entirely proactive, not meekly reactive as it has been in the past: We must work towards the active prosecution of computer-aware criminals and aggressive mitigation of their on-line activities in all manners at the disposal of the keepers of the net.

Initially what is needed is the organization of a series of meta conferences presenting legal, international cooperation, and technological tracks attended by rain-makers and decision-makers, and highly-informed experts from the trenches to help those people operating at more ethereal levels to hear what is happening, and give these latter their marching orders. This is likely going to have to take place under the auspices of the United Nations or another organization of similar scope.

At such an event there be frank, open discussions about the scope of the problem as it exists, and the somewhat unpalatable steps we need to consider to deal with the problem at hand.

Such an approach will require other organizations to scale back on the frequency of their meetings at least for a short while, to allow their invaluable member participants, already over-taxed by the cost, time and energy expenditure of numerous business trips to countless other conferences to devote time and energy to a united front.

The ineffective reactive stance traditionally taken has been 'things are this bad, we need to do something'. Targeted goals need be set, monitored and administered.

Governments (and private industry) must allocate staff and financial resources to attain these goals. Governments in particular cannot push more responsibilities onto over-worked, under-trained policy, investigative and prosecutorial staff with no legislative tools at hand. They must address and resolve their shortcomings, or bear the responsibility for their inaction.

It is my fervent hope is that the blended threat is dealt with in the manner suggested above, and well in advance of what indeed faces us; to avoid reactionary changes likely to be taken after a disastrous Titanic moment. The Titanic, you see, was the catalyst for the imposition of regulation in the radio industry in North America. Until the inability to find open radio trasnmission frequencies hindered rescue operations radio was as free form and anarchistic as the Internet. We have seen what pap radio has become, I would bemoan such a fate befalling the Internet in that the free and open network is the creative grist for the mill we all enjoy so much.

The author wishes to effusively thank DJSS, who wishes to remain low-key but whose invaluable input to, and review of the above scrawling was top-notch, and John Levine's eagle eye helped to smooth out some rough grammatical and syntactical patches.

1 Conferences, meetings and gatherings I've attended late this year:

• Presentation to CIPPIC at University of Ottawa Law School, Ottawa Ontario August 2006

• Anti-Spyware Coalition Workshop - Seattle, Washington September 2006

• Messaging Anti-abuse Working Group Conference - Toronto, Ontario October 2006

• Virus Bulletin - Montreal, Quebec October 2006

• London Action Plan / EU Contact Network of Spam Authorities, Brussels Belgium December 2006

