
Innovative Spam Defense

Christine Drake

Global Product Marketing Manager

Christine_Drake@trendmicro.com

Agenda

Based on Radicati white paper: Trend Micro Anti-Spam: Innovative Defense against Evolving Spam

  • Evolution of spam and anti-spam techniques
  • Trend Micro’s anti-spam technologies and products

Independent Benchmarks by Opus One

  • Benchmark tests of popular anti-spam solutions
Evolution of Spam

Spam is very profitable

  • Spammers can reach a wide audience at minimal cost
  • They need only a marginal response to make a profit
    • People continue to purchase items through spam
    • Especially for embarrassing or private items
  • Spam methods are also used by criminals for fraud and theft
  • Spammers are willing to invest resources to bypass spam filters

There is an adversarial relationship between spam and anti-spam solutions, each adapting to the other’s techniques

The Beginning of Spam
  • Spam started in the early 1990s
  • Originally, spammers sent simple emails to promote a product or service
  • There were no anti-spam filters, so no spam tricks were needed to get into the inbox
The Creation of Anti-Spam Filters

As spam increased to an annoyance, anti-spam filters were created

  • Simple blacklists and whitelists
  • Content filtering looking for specific words
  • Context filtering looking for keywords within a defined context

Spammers quickly adapted

  • Blacklists/whitelists became ineffective
    • Error prone when based on end-user submissions
    • Don’t work with zombies and botnets
  • Tricks were used to obscure spam words
    • Symbols instead of letters (vi@gra)
    • Spaces, dashes, etc. were put between letters (v i a g r a, v-i-a-g-r-a)
    • Words were spelled out vertically
    • And many more…
Botnets
  • Zombies
    • Computers that are infected with bot code
    • Infected unbeknownst to their owners
    • Hijacked for the hacker’s use
    • Approximately 16-25% of computers are zombies [1]
  • Botnets are a network of zombie computers
    • Managers of botnets are called bot herders
    • Can manage based on bandwidth, location, and other attributes
  • Why use Botnets?
    • Zombie machines can harvest address information as well as send out spam, DDoS attacks, more bot code, and other threats
    • They steal the resources of the infected computers
    • Can send out mass quantities of spam (approx. 80% of all spam)
    • They hide the true email senders

1. Source: Weber, Tim. “Criminals ‘May Overwhelm the Web’” BBC News. 25 January 2007

Content Filtering Tricks
  • Simple content filtering tricks
    • Marks between letters in the subject line
    • Vertical lettering
    • Replacing letters with symbols
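
Added example (not part of the original presentation and not Trend Micro code): a minimal heuristic that undoes the three tricks listed above before keyword matching and reports which trick was used. The substitution table, the separator set, the single-column handling of vertical lettering and all function names are assumptions made for illustration.

```python
import re

# Symbol-for-letter swaps such as vi@gra (small constructed table, not exhaustive).
SWAPS = str.maketrans("@4!1035$", "aaiioess")
# Separators placed between single letters: "v i a g r a", "v-i-a-g-r-a".
SEPARATED = re.compile(r"(?<=\b\w)[ \-.*]+(?=\w\b)")
KEYWORDS = ("viagra",)  # constructed sample list; this keyword appears on the slides


def vertical_words(text, min_len=3):
    """Join runs of lines that hold exactly one character (single-column case)."""
    words, run = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last run
        ch = line.strip()
        if len(ch) == 1:
            run.append(ch)
            continue
        if len(run) >= min_len:
            words.append("".join(run))
        run = []
    return " ".join(words)


def find_keywords(text, keywords=KEYWORDS):
    """Return (keyword, how_it_was_written) pairs found in the message text."""
    plain = text.lower()
    swapped = plain.translate(SWAPS)
    views = [
        ("plain", plain),
        ("symbols for letters", swapped),
        ("separators between letters", SEPARATED.sub("", swapped)),
        ("vertical lettering", vertical_words(swapped)),
    ]
    hits = []
    for kw in keywords:
        for label, view in views:
            if kw in view:  # first view that reveals the keyword names the trick
                hits.append((kw, label))
                break
    return hits


# Constructed sample messages, one per trick plus one clean message.
SAMPLES = ["cheap vi@gra", "Subject: v-i-a-g-r-a", "v i @ g r a",
           "hi\nv\ni\na\ng\nr\na\nbye", "Meeting moved to 3 p.m. in room B"]
```

A hit labelled anything other than "plain" is itself a spam indicator, since legitimate senders rarely disguise words this way.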
Signature Filtering

  • Spammers: Originally sent out one spam email in mass quantities
  • Anti-spam vendors: Used spam signatures or “fingerprints” to block similar copies
  • Spammers: Templates to randomize spam characteristics, making each email unique

Heuristics and Statistical Filters
  • Heuristics
    • Rule-based approach that looks for spam indicators
      • Not just keywords, any indicator of spam
      • Can look for “tricks”
      • Must be well written and kept up-to-date
  • Statistical Filters
    • Statistical approaches to identifying spam
      • Calculate an overall “score” for the email
      • Use datasets to “train” a filter to determine spam probability
    • Must be well-tuned / well-trained and based on updated datasets
Fooling Statistical Filters
  • Continue to obscure spam indicators
  • Some emails add extra text to spam to dilute the value of spam indicators
Image Spam
  • Conveys spam message through an image
  • Not text in the body of the email
  • Approx. 40% of all spam [1]
  • Image spam is 10x larger than typical text email [1]

1. Source: Osterman Research. Image Spam and New Threats Summit Webinar. Conducted on 10 January 2007.

Randomized Image Spam Characteristics

Spam Template

  • Randomizes spam elements like background and text colors, dimensions, and other characteristics
  • Makes each email unique

Email Reputation Services

Reputation Filters

  • Block the IP addresses of known spammers
  • Do not need to analyze content
  • Do not need to let email onto the network to scan
  • Keep email threats completely off of the network

Effective Reputation Services

  • Continually analyze sending behavior
  • Collect email histories and samples—auditable process
  • Update lists to stop zombies and restore reputation when clean
  • Keep the majority of spam off of the network, securing networks and saving costly network resources

Critical component to combating current spam volumes

Trend Micro Anti-Spam Technologies
  • Email Reputation – First Line of Defense
    • Global and dynamic reputation services
    • Blocks up to 80% before entering the network, including zombies
  • IP Profiler – Customer-Specific Protection
    • Customer-specific reputation services based on company email traffic
    • Firewall against DHA and bounced email attacks
  • Anti-Spam Composite Engine – Guards Inbox
    • Stops any remaining spam before it enters the inbox
    • Integrates anti-spam technologies, including image spam detection
Email Reputation

  • Global: Verifies IP addresses against the world’s largest, most trusted reputation database (over 1.6 billion addresses)
  • Dynamic: Identifies new spam and phishing sources, stopping even zombies and botnets when they first emerge

Fights off spam at the source

  • Stops spam before it enters the gateway
  • Threat Prevention Network assures 100% availability, millisecond responses
  • Uses email samples and sender histories for accurate, auditable reputations
  • Leaves only a small percentage of mail to be filtered by the traditional scanning
  • Saves bandwidth, storage, and other network resources
Reputation Services – Administrative Console

Industry-leading insight and control

  • Global spam update
  • Spam reports
  • Spam volume for 100 top ISPs
  • Block lists by country or ISP using easy drop-down menus
IP Profiler

Customer-Specific Reputation Services

  • Spam
  • Virus
  • DHA Attacks
  • Bounced Mail

Customers set thresholds:

  • Duration monitored
  • Percentage of email threat
  • Total mails for a relevant sample
  • Triggering actions – what happens when these thresholds are met (block temporarily or block permanently)

Provides customer-specific reputation services by blocking IP addresses that exceed set thresholds—also keeps threats completely off the network

IP Profiler

Firewall against DHA and Bounced Mail Attacks

IP Profiler applies additional information to block DHAs

  • Number of recipients that can be listed in an email
  • Number of non-existing recipients (This technology is LDAP integrated)

IP Profiler also conducts other behavioral analysis to create the firewall

IP Profiler – How It Works
  • Records all inbound and outbound SMTP traffic
  • Reports records on email traffic from each IP address to a database
  • The emails are scanned by the anti-spam composite engine
  • The results of the scanning engine are reported to the database
  • The traffic from the IP address is profiled by cross-referencing the recorded traffic with the scanned results (for example, total messaging from the IP address vs. spam messages from the IP address)
  • This outcome is compared against the user thresholds
  • If the outcome exceeds the thresholds, the trigger action is applied: Block Permanently (SMTP 5xx) or Block Temporarily (SMTP 4xx)
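
Added example (not from the original presentation and not Trend Micro's implementation): a sketch of the profiling loop described above, using the customer-set thresholds from the earlier IP Profiler slide. The class and field names, the sliding-window bookkeeping, and the choice to re-evaluate temporary blocks on every connection are assumptions; the sample traffic is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Thresholds:            # the customer-set values listed on the slides
    window_seconds: int      # duration monitored
    max_threat_pct: float    # percentage of email threat
    min_total: int           # total mails for a relevant sample
    permanent: bool          # trigger action: True = 5xx, False = 4xx


class IPProfiler:            # hypothetical name, for illustration only
    def __init__(self, thresholds):
        self.t = thresholds
        self.traffic = defaultdict(deque)   # ip -> (timestamp, is_threat) records
        self.permanent_blocks = set()

    def record(self, ip, timestamp, is_threat):
        """Store the scan engine's result for one message from this IP."""
        self.traffic[ip].append((timestamp, is_threat))

    def decide(self, ip, now):
        """Return the SMTP reply class for a new connection from ip."""
        if ip in self.permanent_blocks:
            return "5xx"
        window = self.traffic[ip]
        while window and window[0][0] <= now - self.t.window_seconds:
            window.popleft()                 # outside the monitored duration
        total = len(window)
        threats = sum(1 for _, bad in window if bad)
        if total < self.t.min_total:
            return "accept"                  # sample too small to judge
        if 100.0 * threats / total <= self.t.max_threat_pct:
            return "accept"
        if self.t.permanent:
            self.permanent_blocks.add(ip)
            return "5xx"
        return "4xx"                         # lifts once the window clears


def replay(events, thresholds):
    """Replay (ip, timestamp, is_threat) events; return the decision after each."""
    profiler = IPProfiler(thresholds)
    decisions = []
    for ip, ts, bad in events:
        profiler.record(ip, ts, bad)
        decisions.append((ip, profiler.decide(ip, ts)))
    return decisions


# Constructed sample traffic (documentation-range addresses).
SAMPLE = ([("192.0.2.10", t, True) for t in range(5)]
          + [("198.51.100.7", t, t % 5 == 0) for t in range(10)]
          + [("192.0.2.10", 1000, False)])
```

The minimum-sample threshold is what keeps a single spam message from a rarely seen address from triggering a block.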
IP Profiler Management

Manage currently monitored IP Addresses

Display Logs

  • Total spam emails
  • Total malicious attempts
  • Total connections
  • Percentage of malicious attempts in the overall # of connections

Select IP addresses and permanently or temporarily block them

Create global white/black lists for IP/Domains (will apply to both NRS and IP Profiler)

Trend Micro Anti-Spam Engine

Trend Micro anti-spam composite engine

Uses a “cocktail” approach to block both spam and phishing emails

  • Statistical Analysis
  • Advanced Heuristics
  • Signature Filtering
  • Whitelists/Blacklists
  • Detection for Multi-Languages
  • Patent-Pending Image Spam Detection Technology

Industry Proven Technology

Install base of over 25 million seats over the past four years

Image Spam Detection

Patent-Pending Image Spam Detection

Boils down to the core of the email—for example, strips out background and text colors, dimensions, and other randomized elements

Enables just a few main signatures to stop all of the numerous variations

Embedded URL Filtering

Blocks Emails with Dangerous URLs

Threats span across email and the Web

Emails can contain links to

  • Spam sites
  • Phishing sites
  • Sites with dangerous downloads

Trend Micro leverages its expertise in reputation services

  • Emails with links to “bad” sites are blocked
  • Prevents employees from clicking on links and falling victim to Web threats
Small-Medium Business Gateway Protection

Worry-free protection

  • InterScan Gateway Security Appliance
  • InterScan VirusWall, software solution

All-in-one gateway security

Email and Web protection

  • Anti-spam
  • Antivirus
  • Anti-spyware
  • Anti-phishing
  • Content filtering
  • Web filtering
  • Anti-spam technologies
    • Email Reputation
    • Trend Micro anti-spam composite engine

InterScan Messaging Security Solutions

Enterprise gateway email security

  • InterScan Messaging Security Suite
  • InterScan Messaging Security Appliance
  • InterScan Messaging Hosted Security

All three solutions provide comprehensive email security:

  • Anti-spam
  • Antivirus
  • Anti-spyware
  • Anti-phishing
  • Content filtering
  • InterScan Messaging Security Solutions use all 3 Trend Micro anti-spam technologies
    • Email Reputation
    • IP Profiler
    • Trend Micro anti-spam composite engine
ScanMail Protection for Mail Servers

Mail Server Protection

  • ScanMail for Microsoft Exchange
  • ScanMail for Lotus Domino

Comprehensive email and mail store protection

  • Anti-spam
  • Antivirus
  • Anti-spyware
  • Anti-phishing
  • Content filtering
  • Anti-spam technologies
    • Trend Micro anti-spam composite engine
Email Reputation Services

Standalone Reputation Services

  • Email Reputation Services Standard (global database)
  • Email Reputation Services Advanced (global and dynamic)
  • Email Reputation Services Hosted (global and dynamic)
  • First line of defense
  • Can be purchased separately
  • Compatible with nearly all popular MTAs
  • Can be deployed with numerous solutions
Trend Micro Enterprise Protection Strategy – A Complete Network Security Framework

  • Enforce security policy on every network device
  • Monitor network and Internet for potential threats
  • Customized and comprehensive centralized management
  • Recover via automated cleanup of viruses, worms, Trojans, and spyware
  • Prevent damage by stopping threats

Trend Micro Control Manager

Gateway Anti-Spam Benchmarks

Independent Anti-Spam Benchmarks

  • Trend Micro #1 in Anti-Spam Effectiveness
    • Highest catch rate and a competitive false positive rate at gateway
    • IP Profiler will increase the effectiveness even further

Based on independent anti-spam benchmark tests conducted by Opus One, Inc. Testing methodology can be retrieved from: http://www.opus1.com/www/whitepapers/antispamfeb2007.pdf

Standalone Reputation Services Benchmarks
  • Trend Micro #1 in Catch Rate for Standalone Reputation Services
    • Advanced has the highest catch rate
    • Standard has a competitive catch rate with zero false positives

Independent Anti-Spam Benchmarks

Based on independent anti-spam benchmark tests conducted by Opus One, Inc. Testing methodology can be retrieved from: http://www.opus1.com/www/whitepapers/antispamfeb2007.pdf

Join Our Messaging Community

Trend Micro’s Messaging Site:

http://messagingsecurity.trendmicro.com

  • White papers
  • Podcasts
  • Blogs
  • Opportunity to comment