What is spam and phishing?

Spamming is the use of messaging systems to send an unsolicited message (spam) to large numbers of recipients for the purpose of commercial advertising, for the purpose of non-commercial proselytizing, or for any prohibited purpose (especially the fraudulent purpose of phishing). [https://en.wikipedia.org/wiki/Spamming]

Most email spam messages are commercial in nature. Whether commercial or not, many are not only annoying, but also dangerous because they may contain links that lead to phishing web sites or sites that are hosting malware - or include malware as file attachments. [https://en.wikipedia.org/wiki/Email_spam]

Email spam has steadily grown since the early 1990s, and by 2014 was estimated to account for around 90% of total email traffic. Since the expense of the spam is borne mostly by the recipient, it is effectively postage due advertising. [https://en.wikipedia.org/wiki/Email_spam]

Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

Phishing is an example of social engineering techniques used to deceive users. Users are lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, colleagues, executives, online payment processors or IT administrators. [https://en.wikipedia.org/wiki/Phishing]

Phishing –being potentially harmful unsolicited messages– can be seen as a subset of spamming.

Multi-layer anti-spam and anti-phishing approach

Applying multiple layers in protection is a widely adopted approach in information security in general. As phishing is one of the most severe threat vectors today, Email Gateway Security applies the same approach against it.

If a spam or phishing email can get through the previous layer, then the next, even more stringent layer is there to counter it.

Overview

Update workflow

1. Spammers start a new campaign updating their botnet with new spam templates.

2. The army of zombie machines starts sending spam.

3. Our system gathers millions of unsolicited emails daily through

   1. Spam traps,

   2. Honeypots and

   3. External spam feeds.

4. Every spam is processed and sent to automated training systems.

5. The filters are updated.

Filters with proactive detection

Filters based on machine learning algorithms have proactive detection and do not need updates for every new spam campaign.

Text fingerprint filter

The text fingerprint filters are based on the text that is present in the email’s From and Subject headers and in the email body. The filter creates an extract from these parts of the email, and creates a hash fingerprint.

The hashing algorithm is designed to generate very similar fingerprints for similar pieces of text. This way we can counter the spam technique when spammers apply slight modifications to the text to circumvent anti-spam technologies. If a new fingerprint is similar to a previously known spam fingerprint, then the new fingerprint belongs to spam as well with a good chance.

IP reputation filter

IP reputation checking is a traditional method to counter spam. Known spam senders are listed on blocklists, and if the sending IP of the email is on the blocklist, then the email is categorized as spam.

The IP reputation system used by Email Gateway Security is based on own and external spam and threat intelligence feeds and reports from the wild. Additional techniques, as reverse DNS lookups and passive DNS can also help to associate IPs and domains and to build detection patterns.

The IP detection is not directly related to the type of the spam campaign, IPs of spammers are on the blocklist irrelevant of the kind of their activity.

URL and domain reputation filter

This filter checks the reputation of the URLs in the email body and the reputation of the domains of these URLs. Similarly to IP reputation, URL reputation data comes from own and external spam and threat intelligence feeds and reports from the wild.

Attachment filter

The attachment spam filter is something similar to what traditional anti malware does. In addition to traditional anti-malware, attachment filter is also prepared to specific phishing cases, as it can detect HTML bank forms for example. The attachment filter can unpack archives and inspect archived files.

Email address filter

Initially created for Nigerian and lottery scams, now very useful in detecting other kind of spam, e.g. : fake sales, spear phishing, dating, employment, loan, etc.

The email addresses are extracted from the body of the message and from the Reply-To and From headers of the email (it is a common phishing technique to redirect replies using the Reply-To header).

Using machine learning, heuristics and clustering methods waves using spammer addresses are identified and the proper email addresses are blacklisted.

Image filter

It is a common technique to send the whole spam email as a single image. This way it is much harder for anti-spam technologies to find out the contents and to classify an email as a spam.

Also, in spam and phishing messages there are recurring image contents that when can be detected, it is easier to classify an email as spam or phishing.

Blacklisting methods are based on image characteristics, for example size, resolution, color distribution, compression, etc.

Our technologies include:

• Optical character recognition (OCR): this technology can extract text from images. Useful in detecting stock, extortion, pharmacy, advertising spam, etc.

• Similar image detection: based on color histogram, similar, but not identical images can be detected and classified as spam or phishing
  For example it is a common spam technique to make the spam image blurry or add color pixels to it (while it is still readable) to make its detection difficult.
  

  [https://www.nirsoft.net/articles/spam/viagra_spam.html]

  [https://www.nirsoft.net/articles/spam/viagra_spam.html]

• Face detection and recognition: combined with other, specific email characteristics this technology can help to classify attached images and detect spam campaigns like Russian brides scams

• Logo recognition: this technique can prevent image false-positives, and can be used to identify phishing scams.
  For example it is a common technique to send phishing emails on behalf of a well known service provider, like eFax.
  

  [https://threatpost.com/microsoft-office-365-credentials-attack-fax/162232/]

Phone number filter

In nature similar to IP and domain blocklists, this is a blacklist of phone numbers used mostly in Russian and Asian spam. These numbers are usually extremely obfuscated and need special regular expressions to be extracted from emails.

There is also a database of prefixes and telecom operators for targeted countries.

Cryptocurrency filter

Cryptocurrency wallet addresses are frequently used in scam emails. The victims are usually instructed to make the payments to these wallet addresses. Cryptocurrency wallets are typical in extortion spam, a very aggressive, new type that evolved from sextortion to even bomb threats.

Hyperlink reference listing

Using Deep CDR, this technique gathers all the hyperlink references (visible and invisible ones - e.g. those that are hidden behind an image) within the email body, and displays them together in one place.

The benefit is that the user can review the real hyperlink references, can spot the potentially malicious ones, and can make an informed decision about the risk level of clicking any of them.

The drawback of this technique is that the links are still clickable - accidentally or deliberately - within the email body.

Hyperlink reference removal

Using Deep CDR, this technique removes all the hyperlink references (visible and invisible ones - e.g. those that are hidden behind an image) within the email body, and adds the hyperlink reference as text.

The benefit is that the user can review the real hyperlink references, can spot the potentially malicious ones, and can make an informed decision about the risk level of visiting the referenced pages. It is also a benefit, that the links can not be clicked.

The drawback of this technique is that the links are not clickable, if the user wants to visit a referenced page, the reference must be copied to a browser.

Attachment disarm & reconstruction

Some phishing attacks use attached documents as weaponized content instead of hyperlinks.

Email Gateway Security splits an email to separate files of:

• the header,

• the body (for each of the text and HTML rendition in case of HTML formatted emails), and

• the attachments.

These files are then sent to Deep CDR for processing. Deep CDR assumes all the headers, body and attachments are malicious and sanitizes and rebuilds each file ensuring full usability with safe content. When the email recipient opens the attached document, is is safe already.