MX Logic 2005 Email Threat Wrap-Up: Spam Accounts for 68 Percent of Year's Email; Sober.Z Mass-Mailing Worm to Blame for Year's Biggest Outbreak

Posted on: Tuesday, 13 December 2005, 09:00 CST

Marginal CAN-SPAM Compliance Persists; Phishing Attacks Increase in Volume and Sophistication

MX Logic Inc., a leading provider of innovative email defense solutions that ensure email protection and security for businesses, service providers, government organizations, resellers and their customers, reported that on average, spam accounted for 68 percent of all email traffic through the MX Logic(R) Threat Center in 2005. This compares to 77 percent in 2004.

Spam volume peaked at 78 percent in November and fell to its low for the year, 60 percent, in May.

"Predictions of the impending death of spam are premature," said Scott Chasin, chief technology officer, MX Logic. "While significant advances in anti-spam technology have made it possible to relieve email users of unwanted commercial email before it hits their inboxes, spam still makes up the majority of all email traffic -- imposing a significant burden on the Internet and on the effectiveness of email."

2005: After Two Years, CAN-SPAM Compliance Remains Low

MX Logic also reported that on average, only 4 percent of unsolicited commercial email complied with the Controlling the Assault of Non-Solicited Pornography and Marketing Act, the nearly 2-year-old federal anti-spam law. This compares with 3 percent in 2004.

"Despite the consistently low levels of compliance, the CAN-SPAM Act has been fundamental in allowing the government and ISPs to take action against some of the top spammers," Chasin said.

In 2005 the CAN-SPAM Act enabled federal and state agencies, as well as Internet service providers (ISPs), to put several high-profile spammers out of business. A list of some of the high-profile enforcement actions against spammers and a graph depicting 2005 monthly spam volumes and CAN-SPAM compliance rates are available online at http://www.mxlogic.com/PDFs/2005CAN-SPAM.pdf.

"The CAN-SPAM Act can only go so far in stopping spam," Chasin said. "The law's real value is in enforcement, and it may also serve as a litmus test for future legislative efforts to govern the misuse of technology."

MX Logic has tracked compliance with the CAN-SPAM Act since the law went into force on Jan. 1, 2004, by examining a random sample of 10,000 unsolicited commercial emails each week. In determining whether an unsolicited email complies with the law, MX Logic verifies that the messages meet the following criteria:

-- Subject line is consistent with the body of the message;

-- The email contains a postal address;

-- The email includes an unsubscribe mechanism; and

-- In the case of adult-oriented email, the message bears the FTC-mandated "SEXUALLY EXPLICIT" label in the subject line.

2005: Phishing Attacks Increase in Volume and Sophistication

As predicted by MX Logic at the beginning of the year, phishing attacks increased in frequency and sophistication in 2005. In recent months, the MX Logic Threat Center saw a monthly increase in phishing emails of 14 percent. According to a survey earlier this year by the Pew Internet & American Life Project, 35 percent of email users now report they have received unsolicited email requesting personal financial information.

Phishing attacks have moved beyond mass emails that spoof the email address of a bank or other online commerce site asking the recipient to verify passwords, account numbers or other personal financial information. Over the past year the MX Logic Threat Center has reported several new types of phishing attacks and fraud including:

-- Spear Phishing: Rather than casting a wide net, the phisher sends spoofed email to a targeted group of recipients. For example, a spear phisher will target employees of an organization by sending an email that purports to be from the IT department and requests usernames, passwords and other confidential information.

-- Malware Injection: The phisher uses social engineering to convince a recipient to open an email attachment or download a file that carries malware such as keyloggers, session hijackers, Web Trojans and malware that poisons the local hosts file so that a bank's hostname resolves to the attacker's server.

-- Content Injection Phishing: Hackers compromise a server, leveraging an existing security vulnerability to alter the legitimate content on the site. This recently happened when illegitimate content was inserted into a federal government Web site. A phishing email was then sent out, claiming to be from the Internal Revenue Service and informing recipients that they could claim a tax refund by completing online forms on the www.govbenefits.gov site.

-- Man-in-the-Middle Phishing: Using proxy services, phishers position themselves between the user and the legitimate online commerce site and invisibly intercept financial data.

-- Pharming: Users are maliciously re-directed to spoofed sites while surfing the Web. Unlike phishing, pharming does not require an email with a URL to a phony Web site to lure a user into divulging personal financial information. Pharming can be the result of malware injection or DNS cache poisoning.

Phishing attacks, malware injection and pharming attacks will continue in 2006, putting more urgency on the need for effective email authentication; Web defense technology; the deployment of multi-factor authentication by banking and online commerce sites; and end-user education.

2005: Efforts to Block Port 25 and Implement Email Authentication Continue

"Beyond enforceable anti-spam laws and continued technology innovation, effectively stopping spam and fraudulent email will require continued efforts to develop and implement an industry-wide email authentication protocol and more aggressive and comprehensive blocking of port 25 by ISPs," Chasin said.

In May 2005 the FTC, along with 35 government partners from over 20 countries, unveiled "Operation Spam Zombies," an international campaign designed to educate ISPs and other Internet-connectivity providers about zombie PCs -- neglected, "always-connected" broadband PCs that spammers hijack by installing a spam Trojan. Once infected, a zombie PC gives its controller remote command-and-control spam-distribution capability, allowing spammers to assemble a legion of zombie computers that can pump out unwanted email and launch Denial of Service (DoS) attacks.

Operation Spam Zombies includes encouraging ISPs to block outbound port 25 -- the TCP port on which SMTP delivers mail between servers -- where it is being used inappropriately, and to identify and quarantine customers with suspicious emailing patterns.

In 2005, the MX Logic Threat Center reported that on average, 51 percent of all spam was sent from zombie PCs.
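One way an ISP can implement the "identify customers with suspicious emailing patterns" step of Operation Spam Zombies is to watch its own flow records for broadband customers that open direct SMTP connections to many distinct remote mail hosts, which is what a spam Trojan does and what a home PC sending through the ISP's relay never does. The following Python script is an added example written for this page; it is not MX Logic's, the FTC's or any ISP's code, and the relay address, customer address pool, thresholds and flow records are all constructed for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values for this example; not any ISP's real configuration.
ISP_RELAY = ip_address("192.0.2.25")                   # the ISP's own outbound SMTP relay
CUSTOMER_NET = ip_network("198.51.100.0/24")           # the broadband customer address pool
MAIL_SERVER_CUSTOMERS = {ip_address("198.51.100.200")}  # customers permitted to run their own MTA


def build_sample_flows():
    """Constructed flow records: (epoch seconds, src, dst, dst_port)."""
    flows = []
    # A normal customer: a few messages over an hour, all via the ISP relay.
    for i in range(5):
        flows.append((1000 + i * 600, "198.51.100.12", "192.0.2.25", 25))
    # A legitimate customer talking directly to three remote MX hosts (allowed at low volume).
    for i, dst in enumerate(["203.0.113.50", "203.0.113.51", "203.0.113.52"]):
        flows.append((1000 + i * 30, "198.51.100.40", dst, 25))
    # A zombie: 30 distinct remote MX hosts contacted inside one minute.
    for i in range(30):
        flows.append((1000 + i * 2, "198.51.100.7", f"203.0.113.{100 + i}", 25))
    # Unrelated web traffic from the same zombie, which the check must ignore.
    flows.append((1010, "198.51.100.7", "203.0.113.9", 443))
    return flows


def find_spam_zombies(flows, window=300, max_unique_mx=20):
    """Return [(src, window_start, unique_destination_count)] for customer hosts that
    open direct outbound SMTP connections to more than max_unique_mx distinct hosts
    within one fixed window of `window` seconds.

    Connections to the ISP relay are always allowed, customers registered as mail
    servers are exempt, and sources outside the customer pool are not ours to police.
    """
    unique_dsts = defaultdict(set)
    for ts, src, dst, port in flows:
        if port != 25:
            continue
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in CUSTOMER_NET or src_ip in MAIL_SERVER_CUSTOMERS:
            continue
        if dst_ip == ISP_RELAY:
            continue
        bucket = ts - ts % window
        unique_dsts[(src, bucket)].add(dst)
    flagged = [(src, bucket, len(dsts))
               for (src, bucket), dsts in unique_dsts.items()
               if len(dsts) > max_unique_mx]
    return sorted(flagged)


if __name__ == "__main__":
    for src, start, n in find_spam_zombies(build_sample_flows()):
        print(f"quarantine candidate {src}: {n} distinct SMTP destinations from t={start}")
```

The threshold is deliberately a count of distinct destinations rather than a raw connection count: a customer re-sending to one remote MX that is greylisting them generates many flows but one destination, while a zombie fanning out to thousands of recipient domains produces the opposite shape. In production the window would slide rather than bucket, and a flagged host would be moved to a quarantine policy that still permits the ISP relay so legitimate mail keeps flowing while the machine is cleaned.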

In 2005, the MX Logic Threat Center also gathered statistics surrounding adoption rates of two email authentication protocols -- Sender Policy Framework (SPF) and Sender ID. In a sample of more than 17.6 million unique email messages that passed through the MX Logic Threat Center from Nov. 13 through Nov. 19, 2005, MX Logic found that:

-- 8.4 percent were from domains that had published an SPF record, 84 percent of which were spam-sending domains; and

-- 0.10 percent were from domains that had published a Sender ID record, 86 percent of which were spam-sending domains.

"Active industry discussion around domain-level email authentication has yet to promote mass implementation," Chasin said. "I am hopeful that continued industry cooperation on this front will yield more progress in 2006."
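The figures above make a point worth seeing in code: an SPF record answers only "is this connecting address authorized to send for this domain?", and a spammer who controls the domain can publish a record that authorizes anyone. The following Python SPF evaluator is an added example for this page, not MX Logic's code; it resolves records from a constructed in-memory table of TXT records for RFC 2606 reserved names instead of live DNS, and it implements only the ip4, ip6, include and all mechanisms (the DNS-dependent a, mx, ptr and exists mechanisms are reported as errors). Sender ID differs in using an spf2.0/pra record and the purported responsible address from the message headers rather than the envelope sender; it is not handled here.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups. "bulk.example" models a
# spam-sending domain that publishes SPF and authorizes every address with "+all".
DNS_TXT = {
    "bank.example":   ["v=spf1 ip4:192.0.2.0/24 include:mailer.example -all"],
    "mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "bulk.example":   ["v=spf1 ip4:203.0.113.0/24 +all"],
    "nospf.example":  ["some unrelated TXT record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 limits DNS-querying mechanisms to 10 per check


def lookup_spf(domain):
    """Return the single v=spf1 TXT record for domain, or None if there is none or more than one."""
    records = [r for r in DNS_TXT.get(domain.lower(), [])
               if r.lower().split()[:1] == ["v=spf1"]]
    return records[0] if len(records) == 1 else None


def check_spf(domain, client_ip, depth=0):
    """Evaluate domain's SPF policy for an SMTP connection from client_ip.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An address of the other IP version is never inside the network.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = check_spf(arg, client_ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"            # RFC 7208 5.2: include of a record-less domain is an error
            matched = inner == "pass"         # only an inner pass matches; fail/softfail fall through
        else:
            # a, mx, ptr, exists and modifiers need live DNS; out of scope for this offline example.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and the record had no "all"


def authenticate_envelope(mail_from, client_ip):
    """Take the domain from the SMTP MAIL FROM address and run the SPF check on it."""
    domain = mail_from.rpartition("@")[2]
    return domain, check_spf(domain, client_ip)


if __name__ == "__main__":
    for sender, ip in [("alerts@bank.example", "192.0.2.25"),
                       ("alerts@bank.example", "203.0.113.5"),
                       ("deals@bulk.example", "192.0.2.99")]:
        print(sender, ip, authenticate_envelope(sender, ip)[1])
```

The third sample run is the one the statistics are about: mail from bulk.example passes SPF from any address because the domain owner wrote "+all". A receiving filter should therefore treat an SPF pass as a reason to trust the domain's reputation data, not as a reason to trust the message, and should treat a fail from a domain like bank.example, which ends its record with "-all", as a strong forgery signal.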

2005: A Sobering Year

The MX Logic Threat Center also reported that there were over 17,000 new viruses or variants discovered in 2005 and that, on average, one in 38 of all email messages it filtered was infected with a virus or worm. The prolific Sober mass-mailing worm was responsible for the biggest outbreaks of the year. The largest outbreak of the year was W32/Sober.Z (a.k.a. W32.Sober.X@mm, W32/Sober@MM!M681, WORM_SOBER.AG, Sober.Y, and W32/Sober-{X, Z}), which at its height infected one in eight messages that passed through the MX Logic Threat Center.

"Without question, 2005 was the year of the Sober worm, with the most recent variant, Sober.Z, quickly becoming the biggest mass-mailing worm that our Threat Center has ever seen," Chasin said. "The Sober worm author or authors now have an extensive army of infected PCs with command-and-control capabilities."

The 2005 Sober outbreaks were not motivated by economic profit, but by ego and, in some instances, by a Neo-Nazi political agenda. This contrasts with the bulk of malware, which is largely motivated by economic gain.

In total, there have been over 30 variants of the Sober worm. The most notorious variants of 2005 included:

-- W32/Sober.N (a.k.a. W32/Sober.P, W32/Sober.P@mm, W32/Sober.O@mm, and W32/Sober.S@mm), May 4: Inboxes were flooded with messages indicating that the recipient had won tickets to the 2006 World Cup, thereby enticing the recipient to open the attachment.

-- W32/Sober.Q, May 14: Leveraged PCs infected by Sober.N to send out spam messages that contained URLs to Web sites with right-wing, German nationalistic content. One of the URLs pointed to the home page of Germany's right-wing National Democratic Party (NPD).

-- W32/Sober.Z, Nov. 21: Sober.Z spoofed email addresses to suggest that the message was sent by the FBI or CIA and requested that the attachment be opened to verify charges brought against the email recipient. Sober.Z accounted for 51 percent of all worm-infected messages in November. As a result of the Sober.Z outbreak, the MX Logic Threat Center saw a 275 percent increase in worm-infected email compared to the average for the three months prior. Additionally, Sober.Z traffic remained high well after the initial days of the outbreak. Sixteen days after initially identifying and blocking the worm, the MX Logic Threat Center reported that 60 percent of all messages it filtered were infected with the worm.

"At the end of the day, these worms spread because end users continue to fall victim to social-engineering tactics and because not enough is being done to identify and shut down zombie PCs," Chasin said. "As a result, I fully anticipate that there will be more variants of the Sober worm in 2006."

About MX Logic

MX Logic Inc. provides innovative email defense solutions that ensure email protection and security for businesses, service providers, government organizations, and resellers and their customers. The company's feature-rich solution suite is the industry's most comprehensive, flexible and easy to use.

Founded by messaging industry pioneers, MX Logic has delivered numerous industry firsts to the enterprise spam market, including becoming the first managed service provider to: leverage Bayesian Statistical Classification; provide spam beacon ("Web bug") blocking; offer quarantine management via email; provide corporate-level quarantine release reports that help reduce inappropriate email while decreasing corporate liability; and deliver a solution for tracking URL click-throughs from email to the Web, providing increased corporate control and security.

MX Logic processes billions of messages each month for over 6,900 organizations worldwide, including EnCana, Hyundai Motor America, ServiceMaster, The Sports Authority, Verio Inc., and YMCA. In addition, MX Logic is the only email defense company to offer both a managed service and a turnkey, carrier-grade software solution for service providers. For more information, visit www.mxlogic.com.


Source: Business Wire
