
IronPort: Spam ‘n’ stuff

Hrvoje Dogan
Systems Engineer, Eastern Europe and Russia
IronPort, A Cisco Business Unit
IronPort Gateway Security Products

[Diagram: IronPort SenderBase sits between the Internet and the application-specific security gateways (Email Security Appliance, Web Security Appliance, Encryption Appliance), which BLOCK incoming threats and PROTECT corporate assets (Data Loss Prevention); a Security Management Appliance CENTRALIZES administration; clients sit behind the gateways]

Web Security | Email Security | Security Management | Encryption


Pop quiz

First spam? April 1994
New botnets in one day? 892,565 (23rd May 2007)
New phishing sites in April 07? 55,643 (60% more than the previous month)
Infection to sending spam? 36 seconds

What is spam?

Evolution of AntiSpam Engines: The Next Generation

[Chart: effectiveness over time; each generation of engine adds one more question]
TODAY: Where? Web Reputation: where does the call to action take you?
Who? Email Reputation: who is sending you this message?
How? Message Structure: how was this message constructed?
What? Message Content: what content is included in this message?

• Content filtering techniques alone are inadequate
• Email reputation systems improved protection
• Combating new attacks demands Web reputation
Spam Trends
Through Mid-July, 2007

• Spam volumes ticking up
• New spam trends emerging
  - PDF spam
  - Shows that spammers continue to develop new techniques at a rapid pace
• Several open source blacklists under DDOS attacks in just 4 weeks
  - SURBL, Spamhaus, URIBL all affected
  - SenderBase not affected

[Chart: Average Daily Spam and Image Spam %]


The New Spam Attack Profile

[Chart: spam sent per hour against time; the 2007 "Rapid Start" attack profile peaks far faster than the 2005 regular attack profile]
Spam Trends
Through October, 2007

[Chart: average daily spam volume (billions), Oct-05 to Oct-07; spam volumes up 108% in just four months]
Spam is Harder to Catch
Image Spam Gets Sneakier

1. “Polka dots” 2. “Slice & Dice”


And it works...

Jonathan Lebed made $850,000 from Pump & Dump

Subj: THE MOST UNDERVALUED STOCK EVER
Date: 2/03/00 3:43pm Pacific Standard Time
From: LebedTG1
FTEC is starting to break out! Next week, this thing will EXPLODE...
Currently FTEC is trading for just $2 1/2! I am expecting to see FTEC at $20 VERY SOON.

The brokerage firm "Meyers Pollock Robbins" defrauded $176 million from investors using Pump & Dump
- CEO Michael Ploshnick served 3 years in prison
Spam spreads more quickly
VCDY Stock Spam Outbreak, March 27, 2007

• Classic "pump and dump" scheme
  - Stock price jumped 13% on volumes 4x normal
• Spam volume:
  - Spread using over 50,000 zombie PCs in 44 different countries
  - Over 100M messages sent in less than 10 hours
• Obfuscation techniques:
  - Spam used sophisticated techniques such as wavy text, multi-color text and multi-colored background

[Chart: IronPort catch-rate vs. a major anti-spam provider's catch-rate from the moment the VCDY outbreak begins. IronPort protects against the outbreak in real time with no drop in catch-rate; the major anti-spam provider is unable to protect against the outbreak and its image spam catch-rate drops for 7 hours]

Spam is harder to identify
Image-Link Spam - April & May 2007

• URL link references image spam
• 4% of total spam volumes in May
• Very difficult to detect:
  - Legitimate domains are used, so domain blacklisting is not adequate
• Web Reputation is essential
• IronPort maintains ~98% catch rate against Image-Link spam

[Figure: sample message; clicking on the link loads the image]
PDF spam on the rise

• In top 10 largest outbreaks of 2007
• Outbreak represented 9% of all email traffic, or over 5B messages
• The outbreak was distributed by over 75K zombies
• Recipients of the attack were heavily focused in Europe

Gif vs. PDF: Trading Places

[Chart: image attachment volume, June-Sept 2007. New trials: image spam moving from GIF to PDF attachments]
Excel Spam Outbreak
July 21st, 2007

Outbreak description:
• Spam sent as text inside an Excel file
• First appeared July 21st, 2007
• Within hours, represented 17% of total spam volumes
• Proves the high level of spammer sophistication

[Chart: spam volumes by type (image, PDF, Excel) as % of total spam, 1-Jun to 13-Jul]

IronPort protection:
• Stopped Excel spam within minutes through a combination of several technologies
• Reputation Filters: proactively blocked the majority of Excel spam by identifying bots sending spam
• IronPort Anti-Spam:
  - SenderBase sees 25% of email traffic; IronPort saw the outbreak within minutes
  - Automated technologies and humans analyze traffic on 200 parameters; IronPort was able to quickly and accurately write rules to protect against the outbreak
MP3 Spam Outbreak
October 17th, 2007

Outbreak description:
• Spam sent as MP3 audio files
• Files named after popular songs / musicians to fool recipients
• Files randomized by changing audio speed and content
• Represented 1% of spam volumes on the day of the outbreak

[Chart: volume (thousands) and IronPort catch rate (80% to 100%) by time (GMT), 21:00 through 22:00 the following day]

IronPort protection:
• Stopped MP3 spam within minutes through a combination of several technologies
• Reputation Filters: proactively blocked the majority of MP3 spam by identifying bots sending spam
• IronPort Anti-Spam: issued rules based on file type, file content, message size and other information to catch the remaining spam
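The Excel and MP3 outbreaks above were stopped with rules keyed on file type, file content and message size. The Python below is an added example (not IronPort code and not the rules IronPort shipped) of what such a rule looks like: it walks a constructed MIME message, sniffs each attachment's real type from its leading bytes, compares that with the declared content-type and the filename extension, and notes when the message carries nothing but the attachment. The magic-byte table, the expected MIME types, the 40-byte "no real body" threshold and both sample messages are assumptions constructed for the demo.

```python
"""Attachment-type rules for rapid-onset attachment spam (PDF / XLS / MP3 / GIF).

Added example, not IronPort code. It applies the kind of checks the MP3
outbreak slide lists (file type, file content, message size) to a
constructed MIME message and returns the rule hits for a scoring layer.
"""
import email
from email.message import EmailMessage
from email.policy import default
from typing import List, Optional

# Assumption: a small magic-byte table is enough for the demo.
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "gif": (b"GIF87a", b"GIF89a"),
    "xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),          # OLE2 compound file
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),  # ID3 tag or MPEG frame sync
}
# Content-types a legitimate sender would normally declare for each real type.
EXPECTED_MIME = {
    "pdf": {"application/pdf"},
    "gif": {"image/gif"},
    "xls": {"application/vnd.ms-excel", "application/msexcel"},
    "mp3": {"audio/mpeg", "audio/mp3"},
}
MAX_INLINE_TEXT = 40  # assumption: fewer body bytes than this is "attachment only"


def sniff(data: bytes) -> Optional[str]:
    """Real file type from leading bytes, ignoring what the sender declared."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def check_attachments(raw: bytes) -> List[str]:
    """Rule hits for one raw RFC 2822 message; an empty list means no rule fired."""
    msg = email.message_from_bytes(raw, policy=default)
    hits: List[str] = []
    text_len = 0
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain" and not part.get_filename():
            text_len += len(payload.strip())   # the human-readable body
            continue
        real = sniff(payload)
        if real is None:
            continue                           # not a type this rule set covers
        declared = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if declared not in EXPECTED_MIME[real]:
            hits.append(f"type-mismatch:{name}:declared={declared},actual={real}")
        if name and not name.endswith("." + real):
            hits.append(f"ext-mismatch:{name}:actual={real}")
        hits.append(f"attach:{real}:{len(payload)}B")   # size feeds the scorer
    if hits and text_len < MAX_INLINE_TEXT:
        hits.append("attachment-only-body")
    return hits


def build_spam_sample() -> bytes:
    """Constructed MP3-spam look-alike: declared audio/mpeg, bytes are a PDF."""
    m = EmailMessage()
    m["From"] = "promo@example.net"
    m["To"] = "victim@example.com"
    m["Subject"] = "new single"
    m.set_content("see attached")
    m.add_attachment(b"%PDF-1.4\n%stock tip\n", maintype="audio",
                     subtype="mpeg", filename="britney_spears.mp3")
    return bytes(m)


def build_clean_sample() -> bytes:
    """Constructed legitimate message: real PDF, declared as such, with a body."""
    m = EmailMessage()
    m["From"] = "ana@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Q3 report"
    m.set_content("Hi Bob, the Q3 report is attached as discussed on the call. Ana")
    m.add_attachment(b"%PDF-1.4\n%report\n", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return bytes(m)


if __name__ == "__main__":
    print(check_attachments(build_spam_sample()))
    print(check_attachments(build_clean_sample()))
```

The hits are signals for a scoring layer, not a verdict on their own: a real PDF report with a real body only yields the type/size hit, while a file whose bytes contradict both its declared MIME type and its extension, in a message with no text of its own, yields three extra hits.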
Attachments and URLs

[Charts: attachment type testing; count of attachment types seen in spam; rapid onset spam attacks with PDF, XLS and MP3 spam attachments; Excel spam magnitude, August 2007]
From Images to Links
URL-only Spam is Increasing

• Spam rates are rising, but attachment spam is dropping
• Spam containing URLs continues to grow
  - No attachment: payload delivered via web

[Chart: percent of spam containing an attachment vs. a URL]
Anatomy of URL Spam

• "Advertisement": a call to action URL advertising a pharmaceutical web site
• "Hashbuster" text: from "The Hobbit"

Like Snowflakes - Each is Unique

[Figure: two sample messages, each with its own call to action URL and its own "hashbuster" text]
Targeted & Blended Attack #1

Purported email from US IRS


Targeted & Blended Attack #2
IronPort Architecture for Multi-Layered Email Security

[Diagram: management tools above four layers (Spam Defense, Virus Defense, Data Loss Prevention, Email Encryption) running on the IronPort AsyncOS™ email platform]
Multi-layer Spam Defense
Best-of-Breed Protection at the Gateway

• IronPort Reputation Filters™: the outer layer defense


• IronPort Anti-Spam™: stops the broadest array of threats – spam, phishing,
fraud and more
IronPort's Spam Defense Method

• Multi-layer / multi-technique spam defense technologies designed to:
  - Stop spam quickly
  - Stop spam accurately

Reputation (Who? How?): SenderBase Reputation Score
- World's first and best sender-based reputation service
- Blocks 80% of spam at the gateway
- World class accuracy

Content (What? Where?): IronPort Anti-Spam
- World's most accurate content-based spam engine
- 98% catch rate
- World class accuracy
The IronPort SenderBase Network®
Global Reach Yields Benchmark Accuracy

• 30B+ queries daily
• 150+ Email and Web parameters
• 25% of the World's Traffic
• Cisco Network Devices

Combines Email & Web Traffic Analysis
• View into both email & Web traffic dramatically improves detection
• 80% of spam contains URLs
• Email is a key distribution vector for Web-based malware
• Malware is a key distribution vector for spam zombie infections

[Diagram: IronPort SenderBase fed by IronPort Email Security Appliances and IronPort Web Security Appliances]
The IronPort SenderBase Network
Data Makes the Difference

THREAT PREVENTION IN REAL TIME

150 Parameters:
• Complaint Reports
• Spam Traps
• Message Composition Data
• Global Volume Data
• URL Lists
• Compromised Host Lists
• Web Crawlers
• IP Blacklists & Whitelists
• Additional Data

Data Analysis / Security Modeling yields SenderBase Reputation Scores from -10 to +10
IronPort Anti-Spam
Accuracy Powered By Context Adaptive Scanning Engine

WHO?
• IP address recently started sending email
• Message originated from dial-up IP address
• Sending IP address located in Russia

HOW?
• Message leaves trace of spamware tool

WHAT?
• All text inside an image
• Random dots appear within the message
• Nearly identical color scheme in 100,000's of spamtrap messages

WHERE?

Verdict: BLOCK
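As an added example (not IronPort's CASE engine and not SenderBase), the Python below shows how the four questions combine into one verdict, with the reputation check done first at connection time, before any body is accepted, as the Reputation Filters slide describes, and the remaining questions scored together on messages that get through. The reputation tables, the spamware X-Mailer strings, the weights, the thresholds and both sample messages are constructed for the demo. The "Where" lookup keys on the call-to-action domain, which is the one part of a URL spam that "hashbuster" text cannot randomize.

```python
"""Who / How / What / Where: a two-stage spam verdict.

Added example, not IronPort's CASE engine and not SenderBase. The
reputation tables, spamware traces, weights and thresholds are constructed
for the demo. Stage one decides on the connecting IP alone, before the
body is accepted; stage two scores an accepted message on all four
questions at once.
"""
import email
import re
from email.message import EmailMessage
from email.policy import default

# Constructed stand-ins for live reputation lookups, on the deck's -10..+10 scale.
IP_REPUTATION = {"203.0.113.7": -9.2, "198.51.100.4": 0.5, "192.0.2.10": 6.0}
URL_REPUTATION = {"cheap-pillz.example": -8.0, "example.com": 7.5}
SPAMWARE_MAILERS = {"Mass Mailer Pro", "SuperSender"}   # constructed "How" traces
REJECT_AT = -5.0   # IP score at or below this: refuse the connection
SPAM_AT = 3.0      # content score at or above this: quarantine

# The host is captured; \S* swallows the rest of the URL so it can be removed.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*", re.I)


def connection_verdict(ip: str):
    """Outer layer: the only input is the connecting IP, so no body is ever read."""
    score = IP_REPUTATION.get(ip, 0.0)      # unknown sender: neutral, let content decide
    return ("reject" if score <= REJECT_AT else "accept"), score


def content_verdict(raw: bytes, ip: str):
    """Inner layer on an accepted message. Returns (verdict, score, reasons)."""
    msg = email.message_from_bytes(raw, policy=default)
    reasons, score = [], 0.0

    # Who? A negative sender score still counts, just not enough to reject alone.
    ip_score = IP_REPUTATION.get(ip, 0.0)
    if ip_score < 0:
        score += min(3.0, -ip_score / 3)
        reasons.append(f"who:ip-rep={ip_score}")

    # How? Mail-client header left behind by a known spamware tool.
    mailer = str(msg.get("X-Mailer", ""))
    if mailer in SPAMWARE_MAILERS:
        score += 3.0
        reasons.append(f"how:spamware={mailer}")

    # What? An image carries the message while the text part says almost nothing.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]
    if images and len(URL_RE.sub("", text).split()) < 5:
        score += 2.0
        reasons.append("what:text-in-image")

    # Where? Reputation of the call-to-action domain, which hashbuster text cannot vary.
    for host in set(URL_RE.findall(text)):
        dom = ".".join(host.lower().split(".")[-2:])
        rep = URL_REPUTATION.get(dom, 0.0)
        if rep < 0:
            score += -rep / 2
            reasons.append(f"where:url-rep={dom}:{rep}")

    return ("spam" if score >= SPAM_AT else "ham"), round(score, 2), reasons


def build_spam_sample() -> bytes:
    """Constructed image-plus-URL spam sent by a spamware tool."""
    m = EmailMessage()
    m["From"] = "promo@example.net"
    m["To"] = "victim@example.com"
    m["Subject"] = "you need this"
    m["X-Mailer"] = "Mass Mailer Pro"
    m.set_content("Buy now http://www.cheap-pillz.example/buy")
    m.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                     subtype="gif", filename="offer.gif")
    return bytes(m)


def build_ham_sample() -> bytes:
    """Constructed legitimate message with a link to a well-regarded domain."""
    m = EmailMessage()
    m["From"] = "ana@example.com"
    m["To"] = "team@example.com"
    m["Subject"] = "meeting minutes"
    m.set_content("Minutes from today's meeting are at http://example.com/minutes. Thanks, Ana")
    return bytes(m)


if __name__ == "__main__":
    print(connection_verdict("203.0.113.7"))            # rejected before DATA
    print(content_verdict(build_spam_sample(), "198.51.100.4"))
    print(content_verdict(build_ham_sample(), "192.0.2.10"))
```

The split matters operationally: a connection from the -9.2 sender is refused without the appliance ever receiving the body, which is where the "80% at the gateway" saving comes from, while the sample from the near-neutral 0.5 sender is only caught because three weaker content signals add up.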
Multi-layer Virus Defense
Best-of-Breed Protection at the Gateway

• IronPort Virus Outbreak Filters™: stop outbreaks 13 hours ahead of traditional signatures
• McAfee and Sophos Anti-Virus: signature-based solutions with industry leading accuracy
IronPort Data Loss Prevention
Inbound/Outbound Policy Enforcement

• Flexible Policy Engine for protection of Intellectual Property and enforcing acceptable use policies
• Regulatory Compliance Solutions are built in and provide real-time remediation
• On-box Encryption keeps communications private and secure
IronPort Email Encryption™
Don’t Remediate…Accelerate




IronPort + Cisco
Extending Market Leadership

• Customer Leadership
  - Over 6,000 customers globally
  - 99% customer retention rate
• Technology Leadership
  - Industry leading email and Web security applications and management tools
• Global Leadership
  - Worldwide operations and infrastructure
IronPort Consolidates the Network Perimeter
For Security, Reliability and Lower Maintenance

[Diagram, before IronPort: Internet, firewall, then a separate Encryption Platform, DLP, MTA, Scanner, Anti-Spam, Anti-Virus, DLP Policy Manager, Policy Enforcement and Mail Routing in front of groupware and users. After IronPort: Internet, firewall, a single IronPort Email Security Appliance, groupware, users]

Next Generation Secure Web Gateway

[Diagram, before IronPort: Internet, firewall, then separate Web Proxy & Caching, Anti-Spyware, Anti-Virus, Anti-Phishing, URL Filtering and Policy Management in front of users. After IronPort: Internet, firewall, a single IronPort S-Series, users]
IronPort + Cisco
Extending Technology Leadership

• Substantial growth in bookings
  - Market growth rate = 50%
  - IronPort growth rate = 100%
• Significant investment in security technology
  - R&D resources increased by 35% in 2007
  - Employee base increased by 50%
• Unparalleled access to data
  - Cisco network devices contribute to IronPort's SenderBase data

[Chart: "Staying Ahead Requires Higher Investment in Technical Resources"; accuracy (%) against technical resources ($)]