ITU WSIS Thematic Meeting on Countering Spam: The Scope of the problem Mark Sunner, Chief Technical Officer MessageLabs 6th July 2004 MessageLabs MessageLabs protects businesses worldwide against email threats reaching their networks. Over 8,700 Business Customers Globally More than 2.5 million End Users 400 Global Enterprises With Over 2,500 Employees Over 55 Million Business Emails Scanned Per Day 99% Customer Retention Rate Sole Focus On Business Enterprise Market Dynamic Global Platform • • • • • Secure email management service Globally distributed architecture 24/7 threat monitoring and response Provisioning and supporting clients 24/7 - globally Instant scanning over 55 million business emails a day Operating at the Internet Level Client Simply Points MX (Mail Exchange) Record to MessageLabs Email is Scanned and Handed to Client Mail Server – Protected & Controlled All Threats are Kept AWAY from the Client Network Skeptic™ Predictive Technology Predictive technology identifies unknown and dynamic threats 6+ years R&D 2Gb+ self learning rules knowledge base: – Virus & Spam “DNA” – Thousands of Heuristic Rules – Known Security Vulnerabilities Analysis of traffic patterns Thresholds are dynamic & action taken accordingly Scale only possible at internet level Global Spam Patterns and Trends Spam to Mail Ratio Mail Received Spam Received Percentage of Email Ratio Trend 100.0% 1000.0m 900.0m 76.1% 800.0m 67.6% 62.7%63.0% 59.9% 600.0m 38.5% 35.7% 400.0m 17.5% 16.4% 17.2% 300.0m 0.8% 0.8% 0.8% 0.8% 6.7% 4.6% 60.0% 52.8% 50.5% 43.7% 43.5% 500.0m 55.1% 52.6% 51.0% 40.0% 24.4%25.6% 21.3% 20.0% 9.4% 0.1% 0.0% 100.0m 2002 2003 2004 May April March February January December November October September August July June May April March February January December November October September August July June May April March -20.0% February 0.0m Ratio in Mail 55.6% January Mail/Spam Volume 700.0m 200.0m 80.0% Global Email Patterns and Trends Email is now considered a business-critical application (Gartner Sept 2003) Email is also considered a legal document and industry is required to treat it as such June 2004: 1 in 10.8 (9.3%) emails contained viruses; equivalent to 37.6 virus borne emails every second June 2004: Spam accounted for 85.3% of email traffic; equivalent to 305.5 spam messages per second – US >80%, UK 50-60%, Germany 40%, Australia 30%, Netherlands 30%, Hong Kong 25% Convergence Recent viruses contain Remote Access Trojan (RAT) component – Fizzer, Sobig, MyDoom, Sober – Spyware: leaking information to spammers Case study: Sobig.F – Sobig.F was the fastest spreading email worm in the past 4 years – It generated over 200 million infected email messages during its first week of activity – Staged deployment of WinGate Proxy software Currently 70% of spam intercepted by MessageLabs is sent via open proxies – Spammers will portscan for open proxies – Some Ratware comes with pre-set lists or daily updated lists – This leads to 50,000 new zombies appearing each week – Traded online as potential open proxies for the spammers or as hosts for everything from paedophile images, DDoS attacks (distributed denial of service) to Phishing scams – Some estimates suggest that15% to 25% of the Internet may be controlled by spammers or criminal gangs The “Bot-net” Phenomenon Around 70% of all spam is sent via an open proxy 75% of which originated from virus infected domains Heuristic IP in blacklist Sender in blackhole Sender in blacklist EML/Worm.SM TrojanDropper.JS.Mimail.b JS/Fortnight.A-m EML/Worm.VW W32/Ganda.A-mm W32/Lovgate.f-m W32/Sobig.D-mm Troj/CasinoSpam W32/BugBear.A-mm W32/Heloc-mm Early example of trojan with spam connections W32/Sobig.A-mm W32/CIH.1003.A EML/WinCritUpd Troj/JS-Seeker.T W32/Klez.H-mm Troj/Backdoor.AVF W32/Sobig.C-mm W32/Sobig.E-mm W32/BugBear.B-mm W32/Fizzer.A-mm 0 100,000 200,000 300,000 400,000 Mail/Virus Volume Spam Volume 500,000 600,000 700,000 MyDoom.A: window of vulnerability Case Study: MyDoom.A Window of Vulnerability: 9 hours, 58 minutes Growth of Open Proxies The Impact of Spam Legislation New EU spam legislation enacted in December 2003 – In December 2003, 62.7% of email scanned was spam, rising to 63.0% in January 2004 – >70% of spam sent to UK in January originated in the US • Figure set to rise to >80% by July 2004 – Open to interpretation – Jurisdiction not clearly defined EU/US legislation unlikely to ease spam epidemic – CAN-SPAM opt-out vs. opt-in – Majority of CAN-SPAM compliant spam is “dressed-up” to appear legitimate – Regulation for a previously ungoverned industry Corporate governance (e.g. Sarbanes-Oxley, Basel-2) – Email archiving policies – Risk Management Tackling Spam Legal framework is only part of an overall solution – Less appealing – Difficult to operate and be profitable – “Locks” vs. “Laws” Need a technology based solution as well – – – – – – – – IP Block-listing / Permitted sender lists Fingerprints / Signatures Collaborative filtering Heuristics Statistical methods, e.g. Bayes Sender Warranted Email, e.g. Habeas haiku Open Proxy detection URL signatures Phishing and Identity Theft Phishing emails intercepted by MessageLabs Phishing: A Global Problem Worldwide Phishing Questions & Answers Any Questions? www.messagelabs.com/intelligence