ITU WSIS Thematic Meeting on Countering Spam: MessageLabs

ITU WSIS Thematic Meeting on Countering Spam:
The Scope of the Problem
Mark Sunner, Chief Technical Officer, MessageLabs
6th July 2004

MessageLabs
MessageLabs protects businesses worldwide against email threats reaching their networks.
• Over 8,700 Business Customers Globally
• More than 2.5 million End Users
• 400 Global Enterprises With Over 2,500 Employees
• Over 55 Million Business Emails Scanned Per Day
• 99% Customer Retention Rate
• Sole Focus On Business Enterprise Market
Dynamic Global Platform
• Secure email management service
• Globally distributed architecture
• 24/7 threat monitoring and response
• Provisioning and supporting clients 24/7 - globally
• Instant scanning of over 55 million business emails a day
Operating at the Internet Level
• Client Simply Points MX (Mail Exchange) Record to MessageLabs
• Email is Scanned and Handed to Client Mail Server – Protected & Controlled
• All Threats are Kept AWAY from the Client Network
Skeptic™ Predictive Technology
• Predictive technology identifies unknown and dynamic threats
• 6+ years R&D
• 2Gb+ self-learning rules knowledge base:
  – Virus & Spam “DNA”
  – Thousands of heuristic rules
  – Known security vulnerabilities
• Analysis of traffic patterns
• Thresholds are dynamic & action taken accordingly
• Scale only possible at internet level
Global Spam Patterns and Trends
[Chart: Spam to Mail Ratio, monthly from January 2002 to May 2004. Series: Mail Received and Spam Received (left axis, Mail/Spam Volume, 0 to 1,000 million); Percentage of Email / Ratio Trend (right axis, Ratio in Mail, 0% to 100%). The monthly ratio labels printed on the chart range from 0.1% to 76.1%.]
Global Email Patterns and Trends
• Email is now considered a business-critical application (Gartner, Sept 2003)
• Email is also considered a legal document and industry is required to treat it as such
• June 2004: 1 in 10.8 (9.3%) emails contained viruses; equivalent to 37.6 virus-borne emails every second
• June 2004: Spam accounted for 85.3% of email traffic; equivalent to 305.5 spam messages per second
  – US >80%, UK 50-60%, Germany 40%, Australia 30%, Netherlands 30%, Hong Kong 25%
Convergence
• Recent viruses contain a Remote Access Trojan (RAT) component
  – Fizzer, Sobig, MyDoom, Sober
  – Spyware: leaking information to spammers
• Case study: Sobig.F
  – Sobig.F was the fastest spreading email worm in the past 4 years
  – It generated over 200 million infected email messages during its first week of activity
  – Staged deployment of WinGate proxy software
• Currently 70% of spam intercepted by MessageLabs is sent via open proxies
  – Spammers will portscan for open proxies
  – Some ratware comes with pre-set lists or daily updated lists
  – This leads to 50,000 new zombies appearing each week
  – Traded online as potential open proxies for the spammers, or as hosts for everything from paedophile images and DDoS (distributed denial of service) attacks to phishing scams
  – Some estimates suggest that 15% to 25% of the Internet may be controlled by spammers or criminal gangs
The “Bot-net” Phenomenon
• Around 70% of all spam is sent via an open proxy
• 75% of which originated from virus-infected domains
[Chart: Mail/Virus Volume and Spam Volume over time (y-axis 0 to 700,000). Spam interceptions are broken down by detection method (Heuristic, IP in blacklist, Sender in blackhole, Sender in blacklist), and virus outbreaks are annotated along the timeline: W32/Klez.H-mm, W32/CIH.1003.A, EML/WinCritUpd, Troj/JS-Seeker.T, Troj/Backdoor.AVF, W32/BugBear.A-mm, W32/Heloc-mm, W32/Sobig.A-mm, W32/Ganda.A-mm, W32/Lovgate.f-m, W32/Fizzer.A-mm, W32/Sobig.C-mm, W32/BugBear.B-mm, W32/Sobig.D-mm, W32/Sobig.E-mm, Troj/CasinoSpam, EML/Worm.SM, EML/Worm.VW, JS/Fortnight.A-m, TrojanDropper.JS.Mimail.b. One annotation marks an “Early example of trojan with spam connections”.]
MyDoom.A: Window of Vulnerability
• Case Study: MyDoom.A
  – Window of Vulnerability: 9 hours, 58 minutes
Growth of Open Proxies
The Impact of Spam Legislation
• New EU spam legislation enacted in December 2003
  – In December 2003, 62.7% of email scanned was spam, rising to 63.0% in January 2004
  – >70% of spam sent to the UK in January originated in the US
    • Figure set to rise to >80% by July 2004
  – Open to interpretation
  – Jurisdiction not clearly defined
• EU/US legislation unlikely to ease spam epidemic
  – CAN-SPAM opt-out vs. opt-in
  – Majority of CAN-SPAM compliant spam is “dressed-up” to appear legitimate
  – Regulation for a previously ungoverned industry
• Corporate governance (e.g. Sarbanes-Oxley, Basel-2)
  – Email archiving policies
  – Risk management
Tackling Spam
• Legal framework is only part of an overall solution
  – Less appealing
  – Difficult to operate and be profitable
  – “Locks” vs. “Laws”
• Need a technology-based solution as well
  – IP block-listing / permitted sender lists
  – Fingerprints / signatures
  – Collaborative filtering
  – Heuristics
  – Statistical methods, e.g. Bayes
  – Sender warranted email, e.g. Habeas haiku
  – Open proxy detection
  – URL signatures
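The layered, technology-based approach listed above, as an added example that is not from the presentation or MessageLabs: a small Python filter that combines an IP block-list, a URL signature, heuristic rules and a naive Bayes stage, each contributing weighted evidence towards one verdict. The training corpus, block-list entry (RFC 5737 documentation range), URL signature, heuristic patterns and weights are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample data for this example (not MessageLabs data): a tiny
# labelled corpus, an IP block-list (RFC 5737 range) and one URL signature.
TRAIN = [
    ("spam", "cheap meds online order now free casino bonus"),
    ("spam", "win free money click now casino"),
    ("spam", "cheap online pharmacy order now"),
    ("ham", "meeting agenda attached please review before monday"),
    ("ham", "quarterly report review draft attached"),
    ("ham", "can we move the monday meeting to tuesday"),
]
IP_BLOCKLIST = {"192.0.2.10"}
URL_SIGNATURES = {"example.net/casino"}
HEURISTICS = [(r"\$\d", "money-amount"), (r"\b[A-Z]{4,}\b", "shouting")]

def tokens(text):
    return set(re.findall(r"[a-z]+", text.lower()))

def train(corpus):
    """Per-class count of documents containing each token, plus documents per class."""
    counts, docs = {"spam": Counter(), "ham": Counter()}, Counter()
    for label, text in corpus:
        counts[label].update(tokens(text))
        docs[label] += 1
    return counts, docs

def bayes_spam_prob(text, counts, docs):
    """P(spam | tokens present) from Laplace-smoothed per-class token likelihoods."""
    vocab = len(set(counts["spam"]) | set(counts["ham"]))
    log_odds = math.log(docs["spam"] / docs["ham"])
    for tok in tokens(text):
        p_s = (counts["spam"][tok] + 1) / (docs["spam"] + vocab)
        p_h = (counts["ham"][tok] + 1) / (docs["ham"] + vocab)
        log_odds += math.log(p_s / p_h)
    return 1.0 / (1.0 + math.exp(-log_odds))

def classify(msg, counts, docs, threshold=3):
    """Layered scoring: each technique adds weighted evidence; returns (verdict, hits)."""
    body = msg["body"]
    urls = re.findall(r"https?://(\S+)", body)
    checks = [
        ("ip-blocklist", 3, msg["src_ip"] in IP_BLOCKLIST),
        ("url-signature", 3, any(u.startswith(s) for u in urls for s in URL_SIGNATURES)),
        ("bayes", 2, bayes_spam_prob(body, counts, docs) > 0.9),
    ] + [(name, 1, bool(re.search(pat, body))) for pat, name in HEURISTICS]
    hits = [(name, w) for name, w, hit in checks if hit]
    return ("spam" if sum(w for _, w in hits) >= threshold else "ham"), hits
```

With a threshold of 3, a Bayes hit alone is not enough to reject, which is the point of layering: a block-listed source or a known URL is decisive on its own, while statistical and heuristic signals only combine to a verdict.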
Phishing and Identity Theft
• Phishing emails intercepted by MessageLabs
Phishing: A Global Problem
• Worldwide Phishing
Questions & Answers
Any Questions?
www.messagelabs.com/intelligence