DHS: key to detecting malicious email

It's a very useful tool, says Mark Richardson

Spam, viruses and phishing attacks are a serious threat to your company’s security and your customers’ privacy. The most effective attacks are precisely targeted using traffic analysis, bulk message delivery, compromised web hosts, surreptitiously installed key loggers and large doses of social engineering.

To date, email filtering has taken a conservative stance on identifying unwanted messages, accepting more of them rather than risk losing legitimate ones. But this practice opens up a significant security hole. With the increasing volume and sophistication of email-borne attacks, allowing any suspicious messages to reach downstream systems increases the risk to those systems.

In a typical enterprise configuration, email passes through several layers on its way to the desktop — the perimeter system, the content-filtering layer and an antivirus layer.

This model is dictated by the structure of email inflows. The perimeter faces the largest volume of messages and traffic, as much as 90% of which is malicious, so filtering methods closest to the perimeter must be the fastest. Traffic-shaping can identify unwanted traffic quickly while operating at or near wire speeds.

Virus-filtering requires a complex scan of each message, searching for malicious code hidden in multiple message parts. Because it is computationally expensive, it should be done after the other layers have removed everything they can.

The outermost system can remove 50% of unwanted traffic, and content analysis can remove as much as 80% of the remainder, which leaves 10% of the original malicious traffic reaching anti-virus and groupware systems.

Malicious email is distinctive; it almost always involves criminal behaviour and it is sent in bulk. Senders of malicious email obscure the true routing path and origin of their messages to protect their criminal enterprises. Virus writers use the same obscurity techniques because the simpler the infection vector, the easier it is for companies to identify and eliminate the threat. Viruses must also use deceptive header information to infect machines successfully.

As a deceptive message is moved from its launch point through various email servers to finally reach a victim’s email server, it accumulates message headers that tell which tools were used to create the message, the route the message took and more. Content analysis techniques can review message headers for suspicious words and phrases, but they cannot correlate the evidence found. Thus content analysis techniques can be misled by malicious email, which often includes headers crafted specifically to fool content-analysis checks.

This is where Deceptive Header Screening (DHS) comes into play. Message headers, or lack thereof, and their content tell a story about the life of a message that is not based on its user content.

Instead, DHS uses an expert system to glean facts about the message and compare them with each other, and with information about the internet. It uses this information to identify the panoply of tricks that malicious email uses to disguise itself, such as forged hosts, faked header information, phony senders and masqueraded recipients. It can identify messages created by bulk mailer software, phishing attacks that lie about coming from trusted institutions, and a multitude of messages coming from compromised user PCs connected to consumer-grade broadband.

Because DHS uses the part of the message that the malicious senders have the least control over, the message headers, it catches their antics, regardless of content, language or presentation tricks.
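The kind of cross-checking described above, as an added example that is not the DHS product's own logic: the script below parses a message's headers with the Python standard library, extracts facts (the HELO name, reverse DNS and receiving host from each Received line, the envelope sender, From, Message-ID, Date and To) and compares them with each other and with the receiving organisation's own domain, the way the article says an expert system would. The two sample messages, the domains (`example.com`, `example.net`, `bank.example`, `isp.example`) and the "last two labels" domain rule are constructed assumptions for illustration, not vendor rules or real traffic.

```python
"""Header-consistency screening in the spirit of the article's DHS description.

Added example, not the DHS product's own rules. Facts are pulled from the headers
and cross-checked for the contradictions the article names: forged hosts, phony
senders, masqueraded recipients and missing provenance headers.
"""
import email
import re
from email.utils import parseaddr

# "from <helo> (<rdns> [<ip>]) by <host>" -- the common Postfix/Sendmail trace format
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed samples: a consistent internal message and a deceptive one. All names are placeholders.
LEGIT_HEADERS = """\
Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10])
        by mx.example.net with ESMTP id abc123
Received: from [10.0.0.5] (unknown [10.0.0.5])
        by mail.example.com with ESMTPSA id def456
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: Quarterly numbers
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <20240101100000.1@mail.example.com>

Body.
"""

DECEPTIVE_HEADERS = """\
Return-Path: <bounce@cheap-sender.example>
Received: from mx.example.net (203.0.113.7.dsl.isp.example [203.0.113.7])
        by mx.example.net with ESMTP id xyz789
From: "Trusted Bank" <alerts@bank.example>
To: undisclosed-recipients:;
Subject: Verify your account
Message-ID: <9f8e7d@localhost.localdomain>

Body.
"""


def registered_domain(host):
    """Last two DNS labels, e.g. 'mail.example.com' -> 'example.com'.
    Assumption for this example; production code would consult a public-suffix list."""
    labels = host.lower().strip("<>[]").rstrip(".").split(".")
    return ".".join(labels[-2:])


def screen_headers(raw_message, our_domain):
    """Return a list of deception findings for one message (empty list = headers consistent)."""
    msg = email.message_from_string(raw_message)
    findings = []

    def field(name):
        value = msg.get(name)
        return " ".join(value.split()) if value else None  # unfold continuation lines

    # 1. Route: each hop records how the host announced itself (HELO) and how DNS sees it.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    if not hops:
        findings.append("no Received headers: message carries no visible route")
    for hop in hops:
        m = RECEIVED_RE.search(hop)
        if not m:
            continue
        helo, rdns, by = m["helo"], m["rdns"], m["by"]
        claims_our_name = helo.lower() == by.lower() or registered_domain(helo) == our_domain
        if claims_our_name and registered_domain(rdns) != our_domain:
            findings.append(f"forged host: remote HELO '{helo}' claims the receiving side's name")
        elif rdns.lower() != "unknown" and registered_domain(rdns) != registered_domain(helo):
            findings.append(f"HELO '{helo}' disagrees with reverse DNS '{rdns}'")

    # 2. Sender: envelope sender and From should belong to the same organisation.
    from_addr = parseaddr(field("From") or "")[1]
    from_domain = registered_domain(from_addr.rpartition("@")[2]) if "@" in from_addr else None
    return_path = parseaddr(field("Return-Path") or "")[1]
    if from_domain and "@" in return_path:
        rp_domain = registered_domain(return_path.rpartition("@")[2])
        if rp_domain != from_domain:
            findings.append(
                f"phony sender: envelope domain '{rp_domain}' differs from From domain '{from_domain}'"
            )

    # 3. Provenance headers that every well-behaved mail client adds.
    message_id = field("Message-ID")
    if not message_id:
        findings.append("missing Message-ID")
    else:
        mid_host = message_id.strip("<>").rpartition("@")[2].lower()
        if "." not in mid_host or mid_host.endswith((".localdomain", ".local")):
            findings.append(f"Message-ID generated on a non-routable host '{mid_host}'")
    if not field("Date"):
        findings.append("missing Date header")

    # 4. Recipients: a delivered message whose To names nobody was sent to a hidden list.
    if not ADDR_RE.findall(field("To") or ""):
        findings.append("masqueraded recipients: To header names no deliverable address")

    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_HEADERS), ("deceptive", DECEPTIVE_HEADERS)):
        print(label, screen_headers(raw, "example.net"))
```

Each check alone is weak (plenty of honest mail has a Return-Path that differs from From), which is why the article's point is correlation: the deceptive sample trips five independent contradictions while the honest one trips none, and that is the signal a header screen acts on before any body content is scanned.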

Because DHS scans a bounded fraction of each message, it can operate very quickly, regardless of message size. Without lies to slow them down, valid messages are generally processed faster than malicious ones, effectively giving them preferential processing treatment. A relatively inexpensive server can screen 75 message headers per second for signs of deception.

Finally, DHS requires far less maintenance than other tools because of the constancy of deception in malicious email.

DHS supplies the missing piece in the puzzle of traditional filtering: the email protocol layer. By understanding the structure of email messages and separating the deceptive from the truthful, DHS can almost eliminate the remaining email-borne threats to an enterprise.

With this level of protection the load on antivirus servers drops by nearly half, and the risks to desktop systems, and their users, are dramatically reduced.
