Relying solely on reputation analysis is no longer enough to efficiently prevent today’s sophisticated spam attacks. The industry-leading Predictive Sender Profiling probes deeper into sent email to identify bad sender behavior and block identity obfuscation techniques, even when a sender has no prior spamming history. As the next generation of anti-spam technology, Predictive Sender Profiling reinforces the superior 95 percent spam accuracy rate of the Barracuda Spam & Virus Firewall.
Reputation vs. Profiling Techniques
Traditionally, the purpose of reputation techniques is to combat spammers by profiling the sender’s history. Barracuda Networks utilizes a two-fold approach in determining an email sender’s reputation: Barracuda Reputation Analysis and Intent Analysis. Both Reputation and Intent Analysis, like many traditional reputation techniques, enable the Barracuda Spam & Virus Firewall to block spam efficiently by doing a simple database lookup.
However, as spammers become more organized and more creative in their tactics, they have resorted to obfuscating their identities more systematically, rendering reputation data less effective on its own. Blocking these new forms of spam email requires the use of techniques that can profile the behavior of the sender and identify any uncharacteristic activity. Profiling techniques such as Barracuda Networks Predictive Sender Profiling are designed to look beyond the apparent reputation of the sender and dig deeper into the campaign itself to identify anomalous activity.
Reputation Alone Falls Short Against Botnets and Zombies
Sender identity obfuscation techniques often involve spammers taking control of networks of computers infected with malware (also called “botnets”), and sending email from diverse sources throughout the Internet. In doing so, the spammer effectively hides their own identity from traditional reputation checks that profile sender network addresses.
For example, in Illustrations A, B, and C below, the spammer attempts to hide their identity by sending virtually the same message from different addresses around the world. In Illustration A, the message is detected as originating from an IP address in Germany. One day later, in Illustration B, the same message is picked up as coming from the UK, and by the third day of the campaign Barracuda Central had identified the message again, this time coming from Spain. Clearly, in this example, the spammer had taken over a series of computers (a botnet) and used them for this particular campaign pushing Viagra and Cialis.
In addition to sending from different IP addresses, these sample emails all used different embedded URLs in an attempt to bypass Intent Analysis. In Illustration A, the URL points to http://joecalvin.info, in Illustration B, the URL points to http://www.wwuau.info, and in Illustration C, the URL points to http://shjindaio.info. Just as botnets have enabled spammers to send from many sender IP addresses, cheap domain registrations have enabled spammers to create new domain identities quickly and inexpensively.

Illustration A: IP Address: 84.163.90.168 (Deutsche Telekom, Germany)

Illustration B: IP Address: 84.13.58.219 (Opal Telecom, UK)

Illustration C: IP Address: 217.125.88.118 (Telefonica-Data-Espana, Spain)
Despite the inability to apply traditional reputation techniques to these emails, the Barracuda Spam Firewall blocked these messages by profiling the sender’s behavior and predicting new instances of this email. In this case, the profiled behavior was derived from the spammer’s need to provide domain name services (DNS) for all of the new domains. By recognizing that the spammer had configured all of the new domains with DNS settings similar to those of their known spam domains, the Barracuda Spam & Virus Firewall was able to block all instances of these emails using its Real-time Intent Analysis capabilities.
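The DNS-profiling idea above can be shown in code: instead of asking whether a domain is already on a blocklist, compare the DNS set-up behind a freshly registered domain (nameservers, MX targets, apex A records) with the set-ups of domains already known to be used for spam. The following is an added example written for this page, not Barracuda code; the DNS answers, domain names, IP addresses and the 0.6 similarity threshold are all constructed for the illustration, and in practice the `DnsConfig` values would come from live NS/MX/A lookups.

```python
"""Flag new domains whose DNS configuration matches known spam domains.

Added illustration of DNS-configuration profiling; not Barracuda's code.
All domain names, nameservers and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class DnsConfig:
    """The hosting set-up visible through DNS for one domain."""
    nameservers: FrozenSet[str]   # NS records (lower-cased hostnames)
    mx_hosts: FrozenSet[str]      # MX targets
    a_records: FrozenSet[str]     # A records of the domain apex


def config_tokens(cfg: DnsConfig) -> Set[Tuple[str, str]]:
    """Turn a configuration into a set of (record type, value) tokens so that
    two configurations can be compared regardless of record order."""
    return ({("ns", n.lower()) for n in cfg.nameservers}
            | {("mx", m.lower()) for m in cfg.mx_hosts}
            | {("a", a) for a in cfg.a_records})


def similarity(left: DnsConfig, right: DnsConfig) -> float:
    """Jaccard similarity of two DNS configurations (0.0 .. 1.0)."""
    lt, rt = config_tokens(left), config_tokens(right)
    if not lt and not rt:
        return 0.0
    return len(lt & rt) / len(lt | rt)


def classify(cfg: DnsConfig, known_spam: Dict[str, DnsConfig],
             threshold: float = 0.6) -> Tuple[bool, str, float]:
    """Return (is_suspect, closest_known_spam_domain, score).

    A new domain is suspect when its DNS configuration overlaps with any known
    spam domain at or above `threshold` (a constructed value for this example).
    """
    best_domain, best_score = "", 0.0
    for spam_domain, spam_cfg in known_spam.items():
        score = similarity(cfg, spam_cfg)
        if score > best_score:
            best_domain, best_score = spam_domain, score
    return best_score >= threshold, best_domain, best_score


# Constructed sample data: one known spam domain plus two newly seen domains.
KNOWN_SPAM: Dict[str, DnsConfig] = {
    "spam-one.example": DnsConfig(
        nameservers=frozenset({"ns1.bulkhost.example", "ns2.bulkhost.example"}),
        mx_hosts=frozenset({"mail.bulkhost.example"}),
        a_records=frozenset({"198.51.100.20"}),
    ),
}

NEW_DOMAINS: Dict[str, DnsConfig] = {
    # Same nameservers and mail host as the known spam domain, new address.
    "freshly-registered.example": DnsConfig(
        nameservers=frozenset({"ns1.bulkhost.example", "ns2.bulkhost.example"}),
        mx_hosts=frozenset({"mail.bulkhost.example"}),
        a_records=frozenset({"198.51.100.21"}),
    ),
    # Ordinary corporate domain with unrelated infrastructure.
    "corp.example": DnsConfig(
        nameservers=frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
        mx_hosts=frozenset({"mx.corp.example"}),
        a_records=frozenset({"203.0.113.5"}),
    ),
}


def profile_new_domains(new_domains: Dict[str, DnsConfig],
                        known_spam: Dict[str, DnsConfig]) -> Dict[str, Tuple[bool, str, float]]:
    """Classify every newly seen domain against the known spam set."""
    return {name: classify(cfg, known_spam) for name, cfg in new_domains.items()}


if __name__ == "__main__":
    for name, (suspect, closest, score) in profile_new_domains(NEW_DOMAINS, KNOWN_SPAM).items():
        print(f"{name}: suspect={suspect} closest={closest!r} score={score:.2f}")
```

The comparison is deliberately fuzzy: a spammer who moves each new domain to a fresh IP address but keeps the same nameservers and mail host still scores 0.6 against the known domain, while the corporate domain shares nothing and scores 0.0. Tune the threshold against your own false-positive rate; shared registrar nameservers alone are a weak signal and should not block on their own.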
Hiding Behind the “Good Guy”
By registering new domains or by redirecting to spam Web domains through reputable blogs, free Web site providers, or URL redirection services, spammers have also learned to hide their identity from traditional reputation checks that profile spam Web domains.
Illustrations D and E below show two separate spamming campaigns that were recently detected by Barracuda Central in which the spammers attempt to hide their identity by using URLs referencing reputable Web domains, Geocities and Blogspot. Often these URLs contain either redirections or simple Web links to known spammer Web sites.

Illustration D: Geocities redirect to sexdatesearch.com – known spammer

Illustration E: Blogspot redirect to known spammer IP (211.93.46.38)
Despite these attempts to hide behind a “good” identity, the Barracuda Spam & Virus Firewall profiled this campaign behavior of placing redirections or Web links to known spam sites behind popular Web providers. The Barracuda Spam & Virus Firewall was able to block these messages through Multi-level Intent Analysis by following the embedded URLs as a Web browser would and inspecting the resulting contents.
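To make the multi-level check concrete, the following added example (written for this page, not Barracuda code) follows an embedded URL through its redirect chain, with a hop limit and loop detection, and then inspects the final page for links to known spam destinations. Live HTTP fetches are replaced by two constructed tables, `REDIRECTS` and `PAGES`, and all hostnames, URLs and addresses in them are made up for the illustration.

```python
"""Follow an embedded URL the way a browser would and inspect where it ends.

Added illustration of multi-level URL inspection; not Barracuda's code.
REDIRECTS and PAGES are constructed stand-ins for live HTTP responses.
"""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed: URL -> Location header of a redirect response (None = no redirect).
REDIRECTS: Dict[str, Optional[str]] = {
    "http://free-pages.example/user123": "http://short.example/abc",
    "http://short.example/abc": "http://spam-shop.example/buy",
    "http://free-pages.example/ip-hop": "http://198.51.100.99/",
    "http://free-pages.example/loop-a": "http://free-pages.example/loop-b",
    "http://free-pages.example/loop-b": "http://free-pages.example/loop-a",
    "http://blog.example/good-post": None,
    "http://blog.example/links-to-spam": None,
}

# Constructed: URL -> HTML body of a final (non-redirecting) page.
PAGES: Dict[str, str] = {
    "http://blog.example/good-post": '<p>Notes. <a href="http://docs.example/x">docs</a></p>',
    "http://blog.example/links-to-spam": '<p>Deal! <a href="http://spam-shop.example/buy">buy</a></p>',
}

# Constructed blocklists standing in for known spammer Web domains and IPs.
KNOWN_SPAM_HOSTS: Set[str] = {"spam-shop.example", "198.51.100.99"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def fetch_location(url: str) -> Optional[str]:
    """Stand-in for an HTTP request: return the redirect target, if any."""
    return REDIRECTS.get(url)


def resolve_chain(url: str, max_hops: int = 5) -> Tuple[List[str], str]:
    """Follow redirects from `url`; return (chain, status).

    status is "final" (reached a page), "loop" (redirect cycle) or
    "too_many_hops" (exceeded max_hops). Each is kept so the caller can treat
    evasive behaviour differently from a clean landing page.
    """
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        nxt = fetch_location(current)
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        current = nxt
    return chain, "too_many_hops"


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def linked_hosts(page_url: str) -> Set[str]:
    """Hostnames of every link on the final page (from the constructed body)."""
    body = PAGES.get(page_url, "")
    return {hostname(h) for h in HREF_RE.findall(body)}


def verdict(url: str) -> str:
    """'block' if the chain ends at, or the landing page links to, a known
    spam host; 'suspicious' for loops or overly long chains; else 'allow'."""
    chain, status = resolve_chain(url)
    final = chain[-1]
    if hostname(final) in KNOWN_SPAM_HOSTS:
        return "block"
    if status != "final":
        return "suspicious"
    if linked_hosts(final) & KNOWN_SPAM_HOSTS:
        return "block"
    return "allow"


if __name__ == "__main__":
    for u in REDIRECTS:
        print(f"{u} -> {verdict(u)} via {' -> '.join(resolve_chain(u)[0])}")
```

Two points carry over to a real implementation: resolve the redirect chain in a sandboxed fetcher with a strict hop limit and timeouts, since the spammer controls every hop, and score the chain itself (a free-hosting page that immediately bounces elsewhere is a signal even before the destination is known).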
Sample Behaviors and Countermeasures
When spammers obfuscate their identities, the Barracuda Spam & Virus Firewall can use Predictive Sender Profiling to identify behaviors of all senders and apply the applicable Barracuda Spam & Virus Firewall defense tactic. Examples include:
| Sample behaviors | Countermeasures |
| --- | --- |
| Sending too many emails from a single network address. Automated spam software can be used to send large amounts of email from a single email server. | Rate Control. To protect the email infrastructure from these flood-based attacks, the Barracuda Spam & Virus Firewall counts the number of incoming connections from a particular IP address and throttles the connections once a particular threshold is exceeded. |
| Attempting to send to too many invalid recipients. Many spammers attack email infrastructures by harvesting email addresses. | Recipient Verification. The Barracuda Spam Firewall automatically rejects SMTP connection attempts from email senders that attempt to send to too many invalid recipients, a behavior indicative of directory harvest or dictionary attacks. |
| Registering new domains for spam campaigns. Because registering new domain names is fast and inexpensive, many spammers switch domain names used in a campaign. | Real-time Intent Analysis. Used for new domain names that may come into use, real-time intent analysis involves performing DNS lookups and comparing DNS configuration of new domains against the DNS configurations of known spammer domains. |
| Using free Internet services to redirect to known spam domains. Use of free Web sites to redirect to known spammer Web sites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. | Multilevel Intent Analysis. Multilevel intent analysis involves inspecting the results of Web queries to URLs of well-known free Web sites for redirections to known spammer sites. |
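The first two countermeasures in the table, rate control and recipient verification, are both per-client-IP behavioral policies enforced at SMTP connection time. The following added example (written for this page, not Barracuda code) models them as one policy object: a sliding-window connection counter per IP, and a counter of invalid `RCPT TO` attempts that, once past a threshold, rejects the sender outright. The thresholds, the recipient directory and the client addresses are constructed, and the clock is passed in by the caller so the behaviour is deterministic.

```python
"""Rate control and recipient verification as a per-IP SMTP policy.

Added illustration of the first two countermeasures above; not Barracuda's
code. Thresholds, recipients and client IPs are constructed sample values.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple


class ConnectionPolicy:
    def __init__(self, max_connections: int, window_seconds: float,
                 max_invalid_recipients: int, valid_recipients: Iterable[str]) -> None:
        self.max_connections = max_connections        # accepted connects per window
        self.window = window_seconds                  # sliding window length
        self.max_invalid = max_invalid_recipients     # invalid RCPTs before blocking
        self.valid = {r.lower() for r in valid_recipients}
        # Timestamps of accepted connections per client IP (sliding window).
        self._connections: Dict[str, Deque[float]] = defaultdict(deque)
        # Count of RCPT TO attempts to unknown addresses per client IP.
        self._invalid: Dict[str, int] = defaultdict(int)
        # IPs that exceeded the invalid-recipient threshold (directory harvest).
        self._blocked: Set[str] = set()

    def on_connect(self, ip: str, now: float) -> str:
        """Rate control: 'accept', 'throttle' or 'reject_harvester'."""
        if ip in self._blocked:
            return "reject_harvester"
        q = self._connections[ip]
        while q and now - q[0] >= self.window:   # drop timestamps outside window
            q.popleft()
        if len(q) >= self.max_connections:
            return "throttle"                      # over threshold: back off
        q.append(now)
        return "accept"

    def on_rcpt(self, ip: str, recipient: str) -> str:
        """Recipient verification: 'accept', 'reject_unknown_recipient' or
        'reject_harvester' once too many unknown recipients were tried."""
        if ip in self._blocked:
            return "reject_harvester"
        if recipient.lower() in self.valid:
            return "accept"
        self._invalid[ip] += 1
        if self._invalid[ip] >= self.max_invalid:
            self._blocked.add(ip)                  # behaviour typical of a dictionary attack
            return "reject_harvester"
        return "reject_unknown_recipient"


def simulate() -> Tuple[List[str], List[str]]:
    """Run a constructed flood and a constructed harvest attempt; return verdicts."""
    policy = ConnectionPolicy(max_connections=3, window_seconds=60,
                              max_invalid_recipients=2,
                              valid_recipients=["alice@corp.example", "bob@corp.example"])

    # Flood: four connections in four seconds, then one after the window moves on.
    flood = [policy.on_connect("203.0.113.7", t) for t in (0, 1, 2, 3, 61)]

    # Harvest: guesses at unknown mailboxes from one client.
    harvest_ip = "203.0.113.9"
    harvest = [policy.on_rcpt(harvest_ip, r) for r in
               ("alice@corp.example", "zz1@corp.example", "zz2@corp.example",
                "bob@corp.example")]
    harvest.append(policy.on_connect(harvest_ip, 100))
    return flood, harvest


if __name__ == "__main__":
    flood, harvest = simulate()
    print("flood  :", flood)
    print("harvest:", harvest)
```

The fourth connection in the flood is throttled, and the fifth, at t=61, is accepted again because the timestamps at t=0 and t=1 have aged out of the 60-second window. In the harvest run the second unknown recipient trips the threshold, after which even a valid recipient and a fresh connection from that IP are refused. Production deployments would expire the block after a period and apply per-network rather than per-address limits for senders behind NAT.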