Monday, June 25, 2007

By: J.F. Sullivan, VP Marketing

Recently, a new type of spam surfaced. The content was the same old penny stock pump and dump scam we've seen millions of times. But this time, the content was in a PDF attachment, not the body of the email.
 
Frankly, this was inevitable.
 
Spammers are going to use whatever means necessary to get their message across. The fact that they are using PDF attachments, something assumed to be innocuous and trustworthy, is no surprise. Frankly, I'm astonished they haven't resorted to .PPS files to show cheap animations for their spams via PowerPoint!
 
Now here's a question: since the anti-spam vendors have to filter the content, why weren't they doing the same for the attachments? A few possibilities are that PDF scanning:
 
a) oversteps the bounds of what is considered private communications
b) makes it difficult to analyze content
c) is very, VERY costly
 
No doubt the truth is a combination of the aforementioned, but the last is certainly a major contributor. Consider that on a moderately configured system, spam detection and commensurate flagging of the message can reduce performance by an average of about 30 percent. What does doing this for attachments mean?
 
A LOT of increased processing and decreased message throughput is my guess. So perhaps the next field of battle is spammers forcing security systems to chew up so much processing time that the war of attrition moves to the equivalent of a DDoS (Distributed Denial of Service) attack?
 
Ugly indeed.
 
Seems to me, the move towards email behavior analysis and reputation systems for managing inbound mail is more important than ever. Beyond the fact that Habeas has evolved our business to be a source of reputation information - why would we argue this? Simply because the more we move away from filtering and towards an examination of the activity and behavior of a sender, the more efficient our receiving systems will be. Moreover, the more difficult it is for spammers to hide, the easier it will be for legitimate senders to reach the inbox.
 
After all, anything can paint itself pink and stand on one leg like a flamingo. But, if it walks like a duck and quacks like a duck, you can be pretty darn sure - it's a duck!