Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

new spam types

Hi - are other people seeing two new types of spam which are currently evading Brightmail?

The first is usually pushing stocks - it consists of a standard subject, a random haiku of words and a GIF image with a randomised filename. Despite getting heaps of these into our probe accounts Brightmail is yet to positively identify it as spam (although it is labelled as suspect). They are usually botnet spammed at about 1 message per IP per hour.

This one is quite scary in that all the info is contained in the GIF. I'm not sure whether there are any serious anti-spam filters that look inside GIF images. Luckily they weren't very smart and the GIF image appears to be identical - if they were smarter, they would use a JPEG and randomise the compression to make each message fully unique. IP reputation doesn't hinder it as they slow spam them with a large number of IPs - nor does DHAP prevention.

The second is usually watches or online pharmacy - the email is crafted to look like a reply or a forward from someone else "who" recommends the product in question. The words are usually spammily mispelt.

25 REPLIES
Community Member

Re: new spam types

The first is usually pushing stocks - it consists of a standard subject, a random haiku of words and a GIF image with a randomised filename.


I'm seeing lots of these, too. I'm quite disappointed that these are getting past Brightmail.

I've noticed that the GIF images look like faxes with the original inserted at an angle, so the text lines are all slanted slightly. I suppose this is an anti-OCR measure, but I don't know if anyone is actually trying to use OCR to detect spam images.

Community Member

Re: new spam types

Yeah, we're seeing them too. Although, they seem to have slowed down for me. They were really bad in Nov/Dec of '05.

Community Member

Re: new spam types

I've not been happy with Brightmail's spam filtering, period. We run all mail that makes it past our IronPort Gateway through another box that runs it through SpamAssassin. Not only does this catch messages like those, but it also allows us to include secondary virus scanning with clamAV which identifies phishing attempts. Because SpamAssassin is not the "black box" that Brightmail is, we are able to tailor the filters to our needs and wind up blocking thousands of additional messages every day that aren't even flagged as "supected spam" by Brightmail.

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.

Community Member

Re: new spam types

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.


I have to defend Brightmail on this one. Keeping their rules secret is part of their defense. Spammers know how SpamAssassin works, and have been in a constant arms race against it since day one. And because spammers know how SA works, they can tailor their messages to play to its weaknesses. The fact that Bm's rules are secret means the spammers have a much harder time trying to game them.

Another point is that Bm is deliberately hands-off as a selling point: "We worry about tweaking the rules so you don't have to." That's one of the things that sold us on Bm in the first place: we don't have to devote nearly as much manpower to the spam wars. Essentially, we've outsourced that task to Bm. I just wish they'd pick up the slack a little.

Community Member

Re: new spam types

I can definitely understand their thinking on that, but you'd think they'd actually be better at blocking spam than Spamassassin then - this has not been my experience. I've found SA to have a much better track record of false-positives and a much better track record of catching spam - including phishing emails that have not been added to the clamAV signature database yet.

Of course, this is not with the "stock" SA configuration, I've sellected other addons from the community which allow it to more accurately reflect our environment. We catch a lot of those "gif" spams that the GP was complaining about in SA - they ALL made it through BM.

I agree that as a spammer, I'd rather be up against a system that I can see the rules so that I can learn to game them, but it would be nice if BM actually used their "closed" nature more to their advantage because SA seems to still come out way ahead. Although, to be fair it only has to work on messages that made it through BM. If SA was exposed to the entire load of spam - It's results may be entirely different.

I'm happy using both, as they give me the best of both worlds - heck, I'd throw a third one in there if I thought it would help ;-). Right now, if you disregard internal email, we average about 97% spam from the outside world - which we block - and I still get complaints from my users about "so much spam" :?

Community Member

Re: new spam types

I can definitely understand their thinking on that, but you'd think they'd actually be better at blocking spam than Spamassassin then


Brightmail also has their "one in a million" false positive promise to worry about. That makes the more conservative.

Community Member

Re: new spam types

I can see about keeping the rules a secret; however, if they get a false positive and they refuse to adjust their rules or tell you what is causing the problem then I have an issue. We recently had an issue where official company mail got marked as suspect spam and many at the company thought it was an insult that it got marked as suspect spam. At first we were told a reason why that I could not bring to my management and eventually they did change the rule set; however, it wasn't easy convincing them that they needed to make a change.

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.


I have to defend Brightmail on this one. Keeping their rules secret is part of their defense. Spammers know how SpamAssassin works, and have been in a constant arms race against it since day one. And because spammers know how SA works, they can tailor their messages to play to its weaknesses. The fact that Bm's rules are secret means the spammers have a much harder time trying to game them.

Another point is that Bm is deliberately hands-off as a selling point: "We worry about tweaking the rules so you don't have to." That's one of the things that sold us on Bm in the first place: we don't have to devote nearly as much manpower to the spam wars. Essentially, we've outsourced that task to Bm. I just wish they'd pick up the slack a little.

Community Member

Re: new spam types

We really haven't seen many false positive issues. In over two years I can still count them on one hand. I don't consider "suspect spam" to be a false positive, mainly because we don't use it very aggressively - almost not at all.

One of my concerns it the fact BM seems to be getting weaker at catching spam and slower at creating new rule sets. I mean the cycle time from when a new spam variant hits until they have new rules, seems over 5 days when it used to be under 2.

A second concern is every new BM engine upgrade really brings a lot more system load. I don't know exactly how much 6.0.2 added, but it noticeably lowered our overall through put. Now 6.0.3 clams to be adding 20% additional system load! This kind of lack of performance tuning on Symantec's part will drive us to spend the time to really compare IronPort's Anti-Spam engine. In two years with IronPorts in our environment the worst critical impact I've had to email delivery was directly due to a Brightmail definition which apparently did not get performance checked and caused a HUGE processing delay on all emails until they got the definition removed. (NOTE: This was back in May of 2004).

Overall I am still pleased with the Brightmail product, but the past 6 months my impression of it has gone down. And the idea of no tracking on missed spam or false positive submissions is just inexcusable.

Community Member

Re: new spam types

I totally agree with Erich. The performance of brightmail has steadily declined to a critical point.

In our environment we are looking at alternatives as well. We are very happy with Ironport, but the Antispam process is eating to much CPU... causing mail delays.

Community Member

Re: new spam types

Does CPU usage improve when Suspect Spam detection is turned off?

We don't have much throughput (about 6000/hour per C60) so our CPU is about 20% with 6.0.3

Community Member

Re: new spam types

Does CPU usage improve when Suspect Spam detection is turned off?


Someone from IronPort will correct me if I'm wrong, but I'm 99% sure the answer is "no." Brightmail assigns a score 1 - 100 to a message. Anything >= 90 is definitely spam. You get to set the threshold for suspected spam. Since the message is already scored, you're not going to save any significant resources by turning this off.

Community Member

Re: new spam types

I also agree with Erich. We hardly use the Suspect Spam piece at all. We're also seeing a decline in Brightmail's shine that we used to like so much about it. The one thing that I would like to add is that reputation filtering is key to us. It's where we block most of our SPAM/malware. By the time our Brightmail license runs out, the IronPort AntiSPAM engine should be a bit more mature. We'll certainly give it a good look at that time.

Community Member

Re: new spam types

We're also seeing a decline in Brightmail's shine that we used to like so much about it.

Same here. I have to wonder if the acquisition by Symantec had anything to do with it?

By the time our Brightmail license runs out, the IronPort AntiSPAM engine should be a bit more mature. We'll certainly give it a good look at that time.

I'm already talking with my superiors about scheduling a field test.

Community Member

From the symantec knowledge base (Note: Ironport uses 6.0.x)

An increase of large messages results in an unexpected decrease in scanner performance

Situation:

An influx of messages scanned by the Symantec Brightmail product very slowly. The messages are large and some and a check reveals some are not valid email. The scanner becomes backed up. The messages are queued for processing or pass through unfiltered.

One of the following versions is installed:
--Symantec Brightmail AntiSpam 6.0.x
--Symantec Brightmail 6.0
--Brightmail 5.5
--Brightmail 4.0


Solution:
This mostly affects Windows and Openwave mail transport authorities (MTA's), as sendmail and postfix both have an MTA limitation that prevents this from happening. What is occurring is that a sender is sending a message with an extremely large number of headers-- 1000's of them. This could be a spammer attempting a denial of service (DoS) attack. The Scanner software attempts to scan all of the headers and takes a long time doing so, tying up the CPU.

Symantec is working on this problem. Patches will be made available for Brightmail 4.0 and Symantec Brightmail AntiSpam 6.0.x.

Workaround
When you can determine where the messages are coming from, block the sender of any email that is not legitimate.

518
Views
0
Helpful
25
Replies
CreatePlease to create content