IBM Embraces Bold Method To Trap Spam

Warriors in the battle against junk e-mail are adopting a contentious tactic: Spam the spammers.

The most-common spam defense used to date -- software filters that attempt to identify and block out the unwanted messages -- hasn't stopped the flood of Viagra pitches, cut-rate mortgage offers, and solicitations for foolproof investment schemes swamping many inboxes. Some recent studies say 50% to 75% of e-mails carried over the Internet are spam.

An alternate approach -- counterattacking, in effect -- has been available for some time to users of open-source software, for which code is posted free of charge on the Internet. But adoption in corporate offices has been slow, partly because of fears of exposing companies to certain liabilities -- especially if a target is actually innocent of spamming.

But now the practice is going mainstream. International Business Machines Corp. is expected to unveil today its first major foray into the anti-spam market with a service, based on a new IBM technology called FairUCE, that uses a giant database to identify computers that are sending spam. One key feature: E-mails coming from a computer on the spam list are sent directly back to the machine, not just the e-mail account, that sent them. The more spam that comes out, the more vigorous the response.

"We're doing it to shut this guy down," says Stuart McIrvine, IBM's director of corporate security strategy. "Every time he tries to send, he gets slammed again."

The IBM move follows security giant Symantec Corp., which released a new product in January that uses a similar technology called "traffic shaping" to slow connections from suspected spam computers.

Trapping spammers is sometimes called "teergrubing," from the German word for "tar pit" -- as in, spammers get stuck. It is the equivalent of answering a telemarketer's phone call, "saying 'Hi, how are you,' and setting the phone down and seeing how long he'll talk before realizing there's no one on the other end," says Tom Liston, a computer-security expert.


Teergrubes exploit some convenient features of the Internet, which was designed to be a polite method of communication. Computers -- including e-mail servers -- that chat back and forth in the Internet's electronic protocol will courteously wait to see that their data has been received before sending more. Typically, such acknowledgments come in a matter of milliseconds. A computer set up to teergrube will languorously stretch its responses out to minutes -- effectively tying up the spamming machine and reducing its ability to pump out messages.

How to handle spam -- or, indeed, any other form of unwanted electronic traffic -- is a tricky issue in security circles. Gaining unauthorized entry to a remote system, even in order to stop it from harming yours, is generally illegal under anti-hacking laws. The aggressive new products from IBM and others don't violate those rules, but they can increase the amount of network traffic. Unnecessary traffic increases are generally frowned upon.

But proponents of aggressive antispam tactics say something needs to be done to choke off the supply; simply turning the other cheek and trying to discard spam as quickly as possible isn't enough. IBM says in a new report that in February 76% of all e-mails were spam, down from a summer 2004 peak of nearly 95%, but still well above levels at the same time last year.

"Yes, we are adding more traffic to the network, but it is in an effort to cut down the longer-term traffic," says IBM's Mr. McIrvine. Brian Czarny, vice president of marketing for MessageLabs Ltd., which uses the Symantec product, says traffic shaping doesn't constitute a potentially illegal "denial of service" attack because it is responding to connections made by another computer, and because the volume is dependent on how much junk is originating from spammers. "They are just getting things thrown back to them that they were sending to us," says MessageLabs' Mr. Czarny.

Still, not turning the other cheek has its caveats. Mr. Liston, the security expert, is the author of an open-source program called LaBrea that sets up such electronic tar pits to trap computers sending out worms. But he stopped distributing LaBrea in 2003 after concerns that it ran afoul of an Illinois state computer law. Mr. Liston says the law was so broadly written that he worried that if his program crashed a worm-sending computer, he could be held liable under it. IBM says its program isn't designed to overwhelm systems to the point of crashing.

IBM's offering works by examining the incoming data packets that carry e-mail and checking their origin against IBM's continually updated database of known spam machines to see if it appears to come from a legitimate address. If it is listed as a spamming computer, the data gets directed right back to the machine across the network. The system allows for fine tuning: Incoming data packets that come from a computer likely but not assuredly spamming might get delayed instead of rejected outright. A legitimate e-mail system is likely to hang on through any delay; a spammer is likely to move on to another victim.
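The delay-instead-of-reject tuning described above, combined with the tar-pit stalling described earlier, as an added Python example that is not IBM's or Symantec's code. The thresholds, reputation scores, doubling rule, six-reply delivery model and addresses are all constructed assumptions.

```python
# Constructed thresholds; not values from IBM, Symantec or any product.
REJECT_AT = 0.9     # reputation score at or above which the connection is refused
DELAY_AT = 0.5      # score at or above which replies are slowed
MAX_DELAY = 300.0   # ceiling on the per-reply delay, in seconds
REPLIES = 6         # replies per delivery: banner, EHLO, MAIL, RCPT, DATA, end of data

def reply_delay(score, earlier_msgs):
    """Seconds to hold each reply to this host; None means refuse outright."""
    if score >= REJECT_AT:
        return None
    if score < DELAY_AT:
        return 0.0
    # Escalate: the delay doubles with every earlier message from the host.
    return min(MAX_DELAY, 2.0 ** earlier_msgs)

def simulate(attempts, scores):
    """attempts: (ip, sender_timeout_s) pairs in arrival order.
    Returns per-IP outcome counts plus the seconds each sender spent waiting."""
    stats = {}
    for ip, timeout in attempts:
        s = stats.setdefault(
            ip, {"delivered": 0, "abandoned": 0, "refused": 0, "held_s": 0.0})
        earlier = s["delivered"] + s["abandoned"]
        delay = reply_delay(scores.get(ip, 0.0), earlier)
        if delay is None:
            s["refused"] += 1
        elif delay > timeout:
            # Sender waits out its own timeout on the first reply, then drops.
            s["abandoned"] += 1
            s["held_s"] += timeout
        else:
            s["delivered"] += 1
            s["held_s"] += delay * REPLIES
    return stats

# Documentation-range addresses (RFC 5737) with made-up reputation scores.
SCORES = {
    "192.0.2.10": 0.1,     # known-good server
    "198.51.100.7": 0.6,   # suspect host, patient sender
    "198.51.100.8": 0.6,   # suspect host, impatient bulk sender
    "203.0.113.9": 0.95,   # listed host
}
ATTEMPTS = (
    [("192.0.2.10", 300)] * 3
    + [("198.51.100.7", 300)] * 3
    + [("198.51.100.8", 10)] * 5
    + [("203.0.113.9", 10)] * 2
)
```

With the sample input, the patient suspect host still gets all three messages through after 42 seconds of waiting, while the impatient one gives up on its fifth attempt once the per-reply delay exceeds its 10-second timeout.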

Symantec's traffic shaping technology works like a throttle on the streams of data arriving at an e-mail server. (E-mail servers are like corporate mailrooms -- everything comes in there before being distributed to users' individual mailboxes.) If one stream appears to be coming from a spammer, the throttle narrows the aperture so data can only come in slowly.

Carlin Wiegner, director of product management for e-mail at Symantec, says that the company's product, based on technology it acquired last year, works by controlling the spammers' incentives. It's designed to "slow them down so much that it is more interesting for them to spam some small business or some other country," he says. The Symantec product, like IBM's, is aimed at large companies who have enough e-mail traffic to be able to reap significant savings from cutting down on spam.

Mr. Wiegner notes that many large companies, particularly those in the financial services industry, are required by regulators to archive all incoming e-mail. Cutting it off before it ever arrives means there's less junk that needs to be stored.

Mr. Czarny of MessageLabs, which acts as a spam-filtering outsourcer for business customers, says his company's incoming traffic is reduced by 30% with the program in place. "We're able to lop off a very large chunk," he says.