Rochak Gupta et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 2 (4) , 2011, 1529-1536 The Current State of Battle against Spam Rochak Gupta, K Vinay Kumar Department of Computer Science and Engineering, National Institute of Technology Karnataka Surathkal, India Abstract— the growth of Spam over the years suggests that Table 1: Spam is no longer simply a threat but a large scale network CATEGORIES OF SPAM problem today. The battle between spammers and anti- spamming techniques has been going on for many years. Many anti-spam techniques are currently employed to filter spam e- mails, however spam is still able to attack many email users. This paper provides an overview of available spam filtering approaches and their drawbacks. We also describe the common spammers’ tricks that spammers use to bypass the currently available spam filters. The paper primarily focuses to throw some light on root causes of the spam growth. Keywords— Spam, Tricks, Spam filter, Email, Email server, Network bandwidth I. INTRODUCTION 1.1. Categories of Spam E-mail has become an easy means to distribute a huge amount of unsolicited mails to a large of users with very low cost. These unwanted bulk mails or unsolicited mails are called Spam mails. As shown in Table 1, the majority of Spam messages that has been reported recently are unsolicited commercials including pharmaceutical, newsletters, gambling, watches, jobs, sexual/dating, softwares etc [12]. They also include annoying content such pornographic images and can be used as well for spreading rumours and other fraudulent advertisements. Spam software can also be used to distribute harmful content such as viruses, Trojan horses, malwares, worms and other malicious codes. It can be a means for phishing attacks as well. 1.2. Why Spam is a problem? Spam has been growing rapidly over the years. As shown in Figure 1, in 2010, the average global Spam rate for the year was 89.1%, an increase of 1.4% compared with 2009 [12]. The growth of Spam over the years suggests that Spam Figure 1: Rate of Spam is no longer simply a threat but a large scale network problem today. II. THE SOURCE OF SPAM The key reason for the growth of spam is the fact that it There are three primary sources of Spam in service costs nothing to send an email; since all of the costs are paid provider networks: by the carriers and the email servers. Furthermore there is a level of annoyance at receiving a lot of Spam. Email Spam 2.1. Botnets affects the recipient; their time and resources are wasted A botnet is a network of infected computers that have dealing with Spam emails. It also affects the performance of been taken over by Spammers and are used to send bulk email servers which process huge amount of emails sent by Spam E-mails. The number of bots in botnets depends on the Spammers. profit desired by the spammer. Botnets might have a few 1529 Rochak Gupta et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 2 (4) , 2011, 1529-1536 thousand computers, but others might have lacks of infected 2.1.5. Mega-D computers. In most of the cases even owner of computers does not know that their computers are infected. Mega-Ds Spam is mainly responsible for advertising an The proportion of Spam sent by botnets was much higher online pharmacy. At its peak was responsible for almost 18% for 2010, approximately 88.2% of all Spam. However, the of global Spam. In November 2010 the Federal Bureau of average number of Spam emails sent from each bot fell at the Investigation arrested mastermind of Mega-D botnet. end of 2010 [12]. This led to a decrease in the total amount of global Spam in circulation toward the end of 2010. But many 2.1.6. Bagle/Beagle/Mitglieder/Lodeight of the experts predict that e-mail will remain the primary, preferred medium for sending Spam. As the year progresses, Spam volume has declined in March 2011 after the researchers expect Spam volumes to match or exceed takedown of the Rustock botnet, but Bagle botnet is taking its previous levels. place. Bagle is famous for spreading pharmacy spam and at Following botnets were the active Spam botnets of 2010: its peak was responsible for 17.2% of the total global spam volume. It is more powerful than Rustock because it 2.1.1. Rustock maintains high profit with less number of infected computers. Rustock was the one of the most dominant botnet in last 2.2. Compromised accounts few years. Rustock has been an important member of the botnets since January 2006. It was responsible for massive The accounts that are accessed by someone who is amount of Spam production worldwide. It was capable of unauthorized are called compromised accounts. Spammers sending up to 25,000 Spam messages per hour from an use these accounts to send Spam. infected computer. It was a botnet of around 2 million bots capable of sending out 30 billion Spam emails per day. 2.3. Malicious use of email accounts Microsoft’s Digital Crimes Unit, working with federal law enforcement agents, has brought down the world’s largest Another way that spammer can use to send the spam is by Spam network, Rustock in March 2011. Global Spam drops creating email accounts and uses them for the purpose of by huge amount as Rustock Botnet is Dismantled [1]. sending unwanted content. As reported that one in eight users’ accounts is openly sending out Spam and/or malware. 2.1.2. Grum III. COMMON SPAMMER TRICKS Grum is the future for Spam botnets. It’s a kernel-mode As Spam filters are becoming better and better, they rootkit and hence it is difficult to detect and remove it. Grum pressurise Spammers to evolve new tactics to bypass the is mainly involved in sending pharmaceutical Spam e-mails. filters. We present some of the most common tricks applied It consists of around 560,000 - 840,000 Grum root-kit by Spammers to circumvent available Spam filtering infected computers. It was one of the most active Spam- solutions. sending botnets at the end of 2010 and was responsible for approximately 9% of botnet Spam. [12]. 3.1. How to Get More Victims: Email Address Harvesting 2.1.3. Cutwail 3.1.1. Dictionary attacks The Cutwail botnet has been active since 2007. It is The dictionary attack is one of the most popular mainly involved in DDoS attacks and sending Spam e-mails. techniques among Spammers who wish to evolve or keep It was responsible for approximately 6% of global Spam in accounts of recipient addresses. To collect accounts of year 2010. The number of active bots has increased by working email addresses, a spammer send vestigial mails to approximately 16%, compared with the number of bots under email accounts. A normal user who receives such mails with its control at the end of 2009 [12]. The Pushdo/Cutwail no body and subject line may be weird, but for a spammer it botnet spreads Spam including online casinos is a way to collect the working email accounts. pharmaceuticals, phishing, and links to Web sites which contain malwares. 3.1.2. From posts to UseNet 2.1.4. Maazben Spammers use readymade softwares to continuously scan UseNet for email address. Some software might be designed Maazben botnet is mainly responsible for spreading to just look at posts headers which contain email address, Casino Spam. To keeps the Spam source hidden, Spammers while other softwares might be designed to check the posts prefer proxy-based bots. But proxy-based bots do not work if bodies. These softwares looks at signatures, through the infected computer is behind a NAT device [9]. Maazben programs that collect everything that contain a ‘@’ character is one of the fastest-growing botnet and was responsible for and attempt to demunge munged email addresses. over 5.2% of global Spam in year 2010. The number of active It is also observed that if people stop posting on the bots under Maazbens control has increased by more than UseNet then frequency of Spam mails decreased sharply in 1,000% since March 2010, to between 510,000 and 770,000 their email accounts. The obvious reason is that Spammers bots worldwide [12]. 1530 Rochak Gupta et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 2 (4) , 2011, 1529-1536 always look for active addresses; this technique seems to be code. But this is not a popular tactic among Spammers the primary source of email addresses for Spammers. nowadays. For example, 3.1.3. From mailing lists HTML: Ma<!- - 63 - ->ke mon <! - - adf - ->ey f<!- - sdf - - >a<! - Spammers repeatedly try to obtain the lists of subscribers - e - ->st to mailing lists. When mail servers are designed to deny such Would be rendered as “Make money fast” in an email requests, Spammers might send an email to the mailing list client. with the headers Return-Receipt-To: or X- Confirm-Reading- To:. A different technique used by Spammers is to request a 3.3.3. Attachments mailing lists server to give him the list of all mailing lists it carries, and then send the Spam to the mailing lists address, One can send the spam message as an attachment of mail leaving the server to do the hard work of forwarding a copy to avoid contents analysis performed by Spam filters. On the to each subscribed email address [13]. other hand, the curious recipient may open the attachment, which usually contains neither body text nor subject line in 3.1.4.