WHITE PAPER
Spam Spikes: A Real Risk to Your Business
Dan Bleaken, Internet Data Analyst, MessageLabs
Spam: The Uninvited Guest
Everyone hates spam. It’s the enemy of good business. Whenever your organization receives an unsolicited email, your efficiency, productivity and profitability take a hit. Spam doesn’t just soak up staff time. It’s also an unwelcome drain on your computing resources. Valuable mail server capacity is wasted processing unwanted emails and delivering them to reluctant recipients.

What’s more, this is one uninvited guest that won’t go away. Spam currently accounts for around 70% of emails heading to corporate gateways. Overall volumes are rising too, and with spammers getting more skilled at targeting specific sectors and individual organizations, the threat to your business is very real – and growing.

Many businesses that have invested heavily in anti-spam defenses, especially in-house appliance-based or software-based systems, regularly find themselves suffering from spam. Most commonly, a sudden surge in spam appears and causes real disruption – plus a major headache for IT administrators. Then the surge stops. Normality returns – until the next surge comes along and the whole business-compromising cycle starts again.

So what lies behind these surges? Why can’t conventional anti-spam defenses cope, and what tactics are spammers adopting to achieve their objectives? Most importantly, what can you do to comprehensively and cost-effectively protect your business against spam?

The information presented in this MessageLabs White Paper is based on our hands-on experience of providing proven messaging and web security management services for over 16,000 clients worldwide, with around 1.5 billion emails processed each week on their behalf.

Traffic and Trends

Close analysis of email traffic data reveals why conventional anti-spam defenses are struggling to combat spammers’ current tactics.

Take a look at the following graph, which presents daily traffic data compiled by MessageLabs for a sample of five email domains, from September 2006 to August 2007:

The blue line shows the overall upward trend in emails received. With legitimate email traffic remaining fairly constant, this trend was almost entirely due to an increase in unsolicited emails.

What makes this particularly worrying is the fact that “spamming season” is about to start – and from a much higher base than in 2006, as the graph shows. This time of year traditionally sees companies suffering huge spam surges as spammers try to cash in on increased consumer spending in the run-up to Christmas. MessageLabs expects this year to be no exception to the rule.

But even more noticeable than the blue line are the large red “spikes” in September to October and the particularly dramatic ones between November 2006 and March 2007. These spikes represent days on which spam activity was very high. The steady growth in overall email traffic from April to August 2007 was also largely due to increasing levels of spam.

Indeed, across the year as a whole, domains received a huge variety of spam from a vast number of spammers located all over the world. Arriving in formats such as plain text, HTML text, images (e.g. .jpeg or .gif) and PDF documents, the types of spam included, for example:

- spam selling pharmacy products (e.g. Viagra), software, watches, etc;
- “advanced fee fraud” spam;
- “phishing” spam aimed at gathering personal information;
- casino/betting spam;
- dating/sexual spam

But what do individual spam spikes in the daily data actually represent? A single spam attack? Or a number of distinct attacks taking place close together? To find out, we must drill further down into the data.
Minute by Minute

Only by analyzing email traffic data minute-by-minute (or less), rather than daily or hourly, can the real story emerge. The next graph provides a typical example of minute-by-minute analysis for a single domain over a nine hour period:

If this information were presented as aggregated daily data, it would show up as a single, very large feature. But breaking down this data minute-by-minute reveals that, in fact, there are three separate spikes. Each represents a spam attack lasting around five minutes with a magnitude 10-12 times greater than the background email traffic. Although in some cases such a pattern might be due to distinct attacks from completely different spammers, in this particular graph the three spikes almost exclusively represent separate attacks from a single spam run (a plain text email advertising male enlargement products). This run accounted for 95% of emails in the first and last spikes, and 97% in the middle spike.

Lasting anytime up to two hours, spam spikes occur when spammers try a new tactic, e.g. releasing more spam than usual or utilizing increased bandwidth due to large attachments in the spam. At other times, by contrast, they restrict their output to avoid drawing attention to themselves. Take away the large spikes and a background haze of emails remains, including spam that conventional in-house defenses might be able to cope with. But the sheer volume of emails within a big spike simply overwhelms mail servers running anywhere near maximum capacity. Severe disruption inevitably results, with anti-spam defenses rendered useless.

During one recent spike, the email traffic of an engineering company monitored by MessageLabs experienced a 900% increase in overall email volumes, averaged over a 24-hour period in which their domain was targeted by spammers. At the attack’s height, email volumes peaked at 25 times normal levels. For many businesses, investing in more computing capacity so it can cope with spikes of this magnitude (or greater) simply isn’t an option.

Facing Up to Events

Unraveling the complexities of spam traffic, then, demands detailed analysis. Indeed, MessageLabs has found that the most productive approach, in terms of understanding spammers’ changing behavior, resources and levels of sophistication, is to analyze not just spikes but all spam “events”. An “event” is any activity above the mean email traffic level. Although a spam spike is a type of event, events caused by spam are not always obvious. Such events may only cause overall email traffic to rise a fraction above the mean level.

But once spam events have been identified for a given day, each event can be measured in terms of duration, peak magnitude and volume (a prolonged event could contain more emails than a brief high-magnitude spike). Statistics can then be compiled for the entire day, quantifying maximum event duration, maximum event magnitude, maximum event volume and the mean number of events.

When MessageLabs looked at such statistics for the period covered by the graph on page 4, some interesting results emerged. From November 2006 to August 2007, and particularly from April to August 2007, the mean number of events per day (see graph below) showed a strong similarity to the pattern in the overall traffic data.
The inevitable conclusion was that the periods of intense spam activity from November 2006 to March 2007, and spam’s steady increase from April to August 2007, were both probably due to an increase in the frequency of spam attacks.

But, from late September to early October 2006, something different was happening. Although event duration, magnitude and volume all showed a strong resemblance to the overall traffic data, the mean number of events per day did not. This indicated that the driving force for this spam surge was not an increase in the frequency of spam attacks, but rather an increase in their size. Large volumes of emails were being sent over an increased length of time.
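The event statistics described in this section, and the frequency-versus-size distinction they expose, as an added example (not MessageLabs’ code). It assumes per-minute email counts for one domain, takes magnitude as the peak divided by the mean, and runs on constructed sample data; all function names are hypothetical.

```python
from statistics import mean

def find_events(counts):
    """Split per-minute email counts into events: runs of minutes above the mean."""
    if not counts:
        return []
    baseline = mean(counts)
    events, run = [], []
    # The trailing baseline value is a sentinel that closes an event still open at the end.
    for n in list(counts) + [baseline]:
        if n > baseline:
            run.append(n)
        elif run:
            events.append({
                "duration": len(run),              # minutes above the mean
                "magnitude": max(run) / baseline,  # peak as a multiple of the mean (assumed definition)
                "volume": sum(run),                # emails received during the event
            })
            run = []
    return events

def summarize(counts):
    """Daily statistics named in the text: event count and per-event maxima."""
    events = find_events(counts)
    return {
        "events": len(events),
        "max_duration": max((e["duration"] for e in events), default=0),
        "max_magnitude": max((e["magnitude"] for e in events), default=0.0),
        "max_volume": max((e["volume"] for e in events), default=0),
    }

def make_day(minutes, background, spikes):
    """Constructed sample data: flat background plus (start, length, level) spikes."""
    counts = [background] * minutes
    for start, length, level in spikes:
        counts[start:start + length] = [level] * length
    return counts

# Two constructed nine-hour windows with the same total volume (13,500 emails).
FREQUENT = make_day(540, 20, [(60, 5, 200), (240, 5, 200), (420, 5, 200)])
PROLONGED = make_day(540, 20, [(200, 30, 110)])

if __name__ == "__main__":
    for name, day in (("frequent", FREQUENT), ("prolonged", PROLONGED)):
        print(name, summarize(day))
```

Both windows carry the same total, so an aggregate figure cannot tell them apart; the event count and maximum event volume can. Note also that the spikes pull the mean above the background level, so a magnitude measured against the mean is lower than one measured against background traffic.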
The Spammers’ Toolkit

Close statistical analysis, then, reveals that spam traffic changes in nature. In some cases, there are short, sharp, frequent blasts of spam activity; in others, massive volumes of spam are transmitted over more extended periods. But the aim is always the same – to penetrate anti-spam defenses.

The evidence seems to suggest that, as spammers probe for weaknesses in corporate defenses, they are adjusting their tactics to launch more varied attacks. They also appear to be becoming more efficient, experienced and confident, which is encouraging them to increase the volume of spam they are sending, turn spam campaigns round more quickly and juggle more campaigns simultaneously. It also seems that more resources (especially botnets – “zombie armies” of Internet computers that, unknown to their users, have been taken over to forward spam) are now available to spammers. Perhaps, too, new spammers are finding it easier to join the circuit, leading to a growth in the number of attacks.

The implications for your organization are obvious. As the amount of spam grows and the “art of spam” becomes more sophisticated, businesses without effective protection – particularly against spam spikes – will pay a heavy price.

A Secure Solution

Outsourcing to a managed anti-spam service can provide the most cost-effective way of protecting your business against all spam threats. Taking this option means you no longer need to rely on in-house appliance-based or software-based solutions that are especially vulnerable to spikes targeting your domain. Nor do you need to invest in massive extensions to your computing capacity to prevent spikes from overwhelming mail servers and breaking through your defenses.

MessageLabs Anti-Spam Service, for instance, is underpinned by massive global infrastructure comprising 14 state-of-the-art data centers capable of processing literally billions of messages and web requests. Crucially, the fact that we plan for a maximum 40% load across this infrastructure means we can just soak up spam attacks, however huge, intensive or targeted they may be.

Moreover, our expert understanding of changing spam trends and characteristics, based on the kind of close statistical analysis described in this White Paper, feeds directly into our development and deployment of leading-edge technologies that keep spam away from our clients’ networks. Our detailed knowledge of spammers’ tactics is channeled into our careful tuning and monitoring of spam filters and our ongoing development of diagnostic tools that aid the precise definition of anti-spam rules. As a result, MessageLabs’ Anti-Spam Service achieves industry-leading success rates in blocking both new types of spam and new variants of existing types. The following graph shows the remarkable results achieved:

In this minute-by-minute analysis of email traffic reaching a company’s domain, the black arrow indicates the point when our service became active. Mean email traffic was instantly reduced by 78%, and virtually all spam spikes and other spam events were eliminated. Our client’s regular non-spam email activity accounted for the remaining 22% of traffic.

So you can make sure you refuse entry to this uninvited guest. It is possible to stop almost every unsolicited email from reaching your network. And this will boost your bottom line by freeing up valuable computing resources and liberating your staff from the time-wasting, frustration-fuelling, morale-sapping scourge of spam.
www.messagelabs.com info@messagelabs.com
© MessageLabs 2007
©2007 MessageLabs Inc. All Rights Reserved. MessageLabs and the MessageLabs logo are registered trademarks and Be certain is a trademark of MessageLabs Ltd. and its affiliates in the United States and/or other countries. Other products, brands, registered trademarks and trademarks are property of their respective owners/companies. WP_SPAMSPIKES1007