<h1>Spammers are Avoiding Spam Filters: Cisco</h1>
<p>Published 2015-02-01 at <a href="https://hidefideas.com/blog/2015/02/01/spammers-are-avoiding-spam-filters-cisco/">hidefideas.com</a> (originally posted at icaruspressblog.wordpress.com).</p>

<p><img src="http://hidefideas.com/blog/wp-content/uploads/2016/03/139-h_main-w.png" alt="139-h_main-w" />If nothing else, spam and spam-related technologies often get really cool names. <a href="http://www.theemailadmin.com/2011/04/spam-reduced-by-more-than-a-third-since-rustock-takedown-bagle-and-others-step-in-to-fill-the-void/">Rustock, Bagle,</a> <a href="http://www.theemailadmin.com/2014/05/scientists-create-guide-to-better-spamming-yes-really/">Cutwail</a>, <a href="http://www.theemailadmin.com/2012/12/just-in-time-for-the-holidays-cutwail-and-zeus-deliver-holiday-doom/">Zeus</a>, <a href="http://www.theemailadmin.com/2012/08/spamhaus-grum-dead-festi-alive-and-well/">Grum, Festi,</a> <a href="http://www.theemailadmin.com/2013/11/uk-bank-computers-zombified-hijacked-by-conficker/">Conficker</a>, <a href="http://www.theemailadmin.com/2013/07/dress-warmly-spam-blizzards-are-in-the-forecast/">spam blizzards</a>, <a href="http://www.theemailadmin.com/2015/01/threat-alert-emotet-malware-move/">Emotet</a>, <a href="http://www.theemailadmin.com/2012/09/blackhole-2-0-hits-the-net-with-new-exploits/">Blackhole</a>, even <a href="http://www.theemailadmin.com/2014/11/spam-spam-bacon/">bacon</a> (Yum!). The list goes on and on. It's as if a group of guys sit around in some dark, OLED-illuminated basement somewhere, listening to Iron Butterfly and passing a bong around. You can almost hear the conversation. "Hey, what about Grum? That's a cool-sounding name!" Followed by a unified chorus of "Dude!" If researchers and IT professionals spent as much time addressing the problem as they did trying to come up with names for the exploits they discover, perhaps we'd have a leg up on the spam problem, instead of the current state of affairs. To use the leg analogy, our leg is exposed and spam is humping it ceaselessly.</p>

<p>So if you haven't heard it yet, add a new moniker to the ever-growing database of spam nomenclature: snowshoe spam. It's a good one, too, because in the same way a snowshoe distributes weight across its base to give the wearer the ability to walk on snow, this kind of spam spreads itself across multiple IP addresses to evade spam filters. In its <a href="http://www.cisco.com/c/en/us/products/security/annual_security_report.html">2015 Annual Security Report</a>, networking firm Cisco reports that this new kind of spam, discovered by has many of the features of traditional spam, including the ability to drop a payload of malware through email attachments.</p>

<p>"Snowshoe spam," says Cisco, "is unsolicited bulk email that is sent using a large number of IP addresses, and at a low message volume per IP address, thus preventing some spam systems from sinking the spam. In a recent snowshoe spam campaign observed by Cisco Security Research, a blitz approach was used. This means the total spam campaign took place over just three hours, but at one point accounted for 10 percent of global spam traffic."</p>

<p><a href="http://www.cbronline.com/news/security/spammers-expand-ip-footprint-to-avoid-filters-4492722">Computer Business Review</a> advises companies to "look for other signs of spam, such as a mismatch between forward and reverse domain name systems (DNS) which is 'generally considered an obvious indicator that a mail server is not legitimate.'" As previously stated, the snowshoe messages observed by Cisco researchers show the signs of standard spam; for example, they have "misspelled subject lines such as 'inovice 2921411.pdf,' and include a randomly generated number. Attachments were typically PDF files containing a Trojan exploiting a vulnerability in Adobe Reader." The word 'invoice' is misspelled, and the messages themselves have little to no content in the message body. While the From header varies, Cisco reports that they contain unusual character strings such as "EOF," "endobj," and "endstream." The PDF file attachment was the same across all of the messages, the only difference being the name of the attachment. An analysis of the attachment yielded a "Trojan exploiting <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729">CVE-2013-2729</a>, an integer overflow vulnerability found in Adobe Reader version families 9.x, 10.x and 11.x."</p>

<p>Cisco discusses snowshoe spam in an <a href="http://blogs.cisco.com/security/talos/snowshoe-flurry">August 2014</a> blog post. Researcher Alex Chiu points out that while neither the snowshoe method nor the PDF exploit is novel, Cisco is seeing a growing trend in the use of snowshoe spam. Anti-spam systems are very effective at identifying and isolating spam. Typically, they can have a 99.9 percent success rate, and that's an important figure for anyone interested in keeping networks, whether small or large, safe from the security threats posed by malicious email. But it's the .1 percent that worries us, and as Cisco points out, "spammers try just about anything to evade spam filters. To ensure that spam reaches its intended audience, spammers are increasingly using these tactics to avoid detection by IP-based anti-spam reputation technologies."</p>

<p>"Snowshoe spam can be a challenge for some anti-spam detection techniques," Chiu writes, "because it typically uses multiple IP addresses with very low spam volume per IP address. Depending on how an anti-spam technology works, this can cause severe problems with detection."</p>

<p>Chiu points out that there are ways to mitigate the threat. "One of the best ways to combat snowshoe spam is to rely on more than simple reputation. While the DNS infrastructure is highly mutable – especially when using technologies like Dynamic DNS – the IP infrastructure is not. In this particular spam campaign, a large majority of the spam messages we observed came from a different IP address. Classic snowshoe spam." The post provides a link to about 250 IP addresses that Cisco observed participating in the spam campaign, and that list can be found <a href="http://blogs.cisco.com/wp-content/uploads/rq769-ip-addrs.txt">here</a>.</p>

<p>Because many of the IP addresses observed in the campaign didn't have a record of sending emails before, it's safe to assume that the offending machines have been compromised as part of a botnet.</p>

<p>Yet another year, yet another threat of which to take note.</p>