Spammers try fooling filters with digital signatures
Published: 13 Oct 2003 09:40 BST
Bulk emailers are digitally signing unsolicited messages in hopes of bypassing popular filtering programs, but updated software has been modified to detect the trick.
The trick was noted on several security lists, as the number of junk email messages sporting digital signatures has apparently increased. Digital signatures are used in email to attest to the validity and integrity of an email message; any changes to the message's text break the signature and can thus be detected.
The new spam tactic was probably introduced to fool a popular open-source email filtering program known as SpamAssassin, said Rand Wacker, director of product strategy and planning for email software maker Sendmail. Wacker said the openness of the program's development allows spammers to develop tricks to fool the software.
"Since SpamAssassin is built in a very transparent way in how it does its filtering, we see a lot of spam that is directly targeted at getting past SpamAssassin," Wacker said. Sendmail's own spam program, Mailstream, wouldn't be fooled by the technique because it doesn't give better scores to signed email messages. Filters frequently use a scoring system to evaluate whether a particular message is spam or legitimate.
The attack on the software's filtering process highlights the dangers of open-source projects, but it also reinforces the ability of projects with active development teams to quickly respond to such security holes.
Security experts frequently dismiss the ability of closed-source software to make it more difficult to find flaws, saying that such "security through obscurity" does not work. Although open-source software errors are easier to find, it generally means that the programs are secured more quickly. Jim Allchin, Microsoft's senior vice president for Windows, admitted in testimony during the Microsoft trial that switching Windows from a closed-source to an open-source development process would probably lead to a host of publicised security flaws.
For SpamAssassin, the signature problem only affects the 2.5 series of the software. The trick will increase the amount of spam that gets through mail gateways that use versions prior to 2.60 of the program, said a developer.
"Older versions of SpamAssassin had a rule which would (make it more likely an email would pass), if it found something that looked like a PGP signature in the message," Theo Van Dinter, lead developer for the open-source SpamAssassin project, said in an email to CNET News.com. Van Dinter said such rules had been removed from the latest versions of the program. "So if spammers are actually trying to forge that rule, it doesn't do them any good on a properly updated machine," he said.
Spam has become a major headache for system administrators. Unsolicited bulk email likely makes up a third of the email traffic seen on the Internet; some reports put the ratio as high as 1-in-2. Some spammers apparently are resorting to spreading viruses as well: many security experts believe that the Sobig family of viruses have been spread to aid spammers.
Such tricks, and the fact that bulk email volume is increasing to offset lower success rates, show that spammers are trying hard to beat new defences, said Justin Mason, senior anti-spam software engineer for security company Network Associates. The company's own email filter software, Spam Killer, is based on SpamAssassin, but it has been changed enough to foil signed junk email; Network Associates bought the company that created SpamAssassin in January.
"A lot of their tricks don't work that well," Mason said. "There is quite a lot of desperation really."
Did you find this article useful?
51 out of 109 people found this useful
- Share this article:
Full Talkback thread
1 comment
