Tuesday, December 23, 2008

Spamming and Dark Traffic

Some anti-spam vendors rely on identity analysis or reputation analysis to block spam coming from certain IP addresses. To get around this, spammers have now implemented zombie attacks or botnets (robot networks), planting spyware or Trojans on unsuspecting machines, which then act as slaves controlled by remote machines that carry out a spam campaign.

Instead of one machine sending out tens of thousands of emails from a single IP address, a zombie attack can use a thousand slave PCs with a thousand different IP addresses, each sending out only ten to twenty emails. Effective email security requires vendors to constantly add adaptive techniques to their anti-spam systems, so that organizations can be assured that even new threats like zombie attacks won’t get through, and email security professionals don’t get those angry calls or emails about unwanted messages.
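The point of a zombie attack is that no single IP address sends enough mail to trip a per-IP limit. The following added example (not code from the original post) illustrates the difference with constructed sample traffic: a per-IP volume counter sees nothing unusual, while fingerprinting the normalized message body reveals one campaign arriving from many hosts. The message data, IP addresses and thresholds are all hypothetical.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample traffic: (client IP, message body). Hypothetical data,
# not from the original post. The first twelve messages are one campaign sent
# from twelve different hosts; the rest is ordinary mail from two hosts.
CAMPAIGN_BODY = "Order #{n} confirmed! Visit http://example.invalid/{n} for your prize"
MESSAGES = [
    (f"203.0.113.{i}", CAMPAIGN_BODY.format(n=1000 + i)) for i in range(1, 13)
] + [
    ("198.51.100.7", "Hi Alice, the meeting moved to 3pm. Thanks, Bob"),
    ("198.51.100.7", "Reminder: timesheets are due Friday"),
    ("192.0.2.40", "Lunch tomorrow?"),
]

PER_IP_LIMIT = 10  # hypothetical: messages per IP before a per-IP limiter reacts


def per_ip_counts(messages):
    """Messages seen per client IP (what a per-IP rate limiter looks at)."""
    counts = defaultdict(int)
    for ip, _ in messages:
        counts[ip] += 1
    return dict(counts)


def ips_over_limit(messages, limit=PER_IP_LIMIT):
    """IPs a per-IP volume limiter would flag. Empty for a distributed campaign."""
    return sorted(ip for ip, n in per_ip_counts(messages).items() if n > limit)


_NOISE = re.compile(r"[\d\W_]+")


def fingerprint(body):
    """Hash the body with digits, punctuation and whitespace removed, so the
    per-message order numbers and URLs the sender varies do not change it."""
    normalized = _NOISE.sub("", body.lower())
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def campaigns(messages, min_distinct_ips=5):
    """Return {fingerprint: distinct-IP count} for bodies seen from many hosts."""
    ips_by_fp = defaultdict(set)
    for ip, body in messages:
        ips_by_fp[fingerprint(body)].add(ip)
    return {fp: len(ips) for fp, ips in ips_by_fp.items() if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    print("per-IP limiter flags:", ips_over_limit(MESSAGES))   # []
    print("campaign fingerprints:", campaigns(MESSAGES))       # one entry, 12 IPs
```

The fingerprint here is deliberately crude; production filters use fuzzy or locality-sensitive hashes for the same reason, but the design point is the same: aggregate on what the campaign has in common (content) rather than on what the botnet spreads out (source addresses).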

Today’s enterprises expect spam filters to catch at least 95% of spam; the best spam filters catch upwards of 99% of unwanted emails. Even more importantly, however, spam filters should rarely catch a valid, wanted email and throw it out. These “false positives” have caused many arguments between companies when an expected email has been filtered out and never delivered.

Experts recommend that the false positive rate be as close to 0% as possible, since false positives can cost organizations dearly.

Spam is not the only threat to email servers. While spam is unwanted and often annoying, a bigger threat to networks today is malicious and invalid email traffic, referred to as Dark Traffic, which can actually damage an email system or a network.

Dark Traffic includes viruses, worms, and Trojan horses that are sometimes attached to otherwise valid-looking emails. The directory harvest attack (DHA) is often a precursor to spam: a corporate email server is bombarded with thousands or even millions of random name combinations in order to determine which email addresses are valid.

Email denial of service (DoS) attacks, malformed SMTP packets, and invalid recipient addresses are other types of Dark Traffic. As mentioned above, spam and Dark Traffic can have a huge effect on bandwidth, often representing 70-90% of all inbound email traffic. Stopping spam and Dark Traffic is essential to scaling email infrastructure appropriately and keeping network performance up.
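A directory harvest attack leaves a distinctive trace in the mail server's logs: one client address producing a long run of "user unknown" recipient rejections. The following added example (not from the original post) parses constructed log lines, loosely modelled on how an SMTP daemon logs recipient accept/reject decisions, and flags clients whose recipient traffic is dominated by unknown addresses, while a legitimate relay that mistypes one address is left alone. The log format, hostnames, addresses and thresholds are all hypothetical.

```python
import re
from collections import defaultdict

# Constructed log lines, loosely modelled on SMTP daemon reject logging.
# Hypothetical hosts and addresses; not taken from the original post.
LOG_LINES = """\
Dec 23 09:00:01 mx smtpd: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <aaron@example.com>: User unknown
Dec 23 09:00:01 mx smtpd: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abbey@example.com>: User unknown
Dec 23 09:00:02 mx smtpd: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abel@example.com>: User unknown
Dec 23 09:00:02 mx smtpd: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abner@example.com>: User unknown
Dec 23 09:00:03 mx smtpd: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abraham@example.com>: User unknown
Dec 23 09:00:03 mx smtpd: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <ada@example.com>: User unknown
Dec 23 09:00:04 mx smtpd: accept: RCPT from unknown[203.0.113.9]: <alice@example.com>
Dec 23 09:01:10 mx smtpd: accept: RCPT from mail.partner.example[198.51.100.20]: <alice@example.com>
Dec 23 09:01:11 mx smtpd: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.20]: 550 5.1.1 <alise@example.com>: User unknown
Dec 23 09:01:12 mx smtpd: accept: RCPT from mail.partner.example[198.51.100.20]: <bob@example.com>
""".splitlines()

# Matches both accepted and rejected RCPT lines in the constructed format above.
RCPT_RE = re.compile(
    r"(?P<action>accept|reject): RCPT from \S+\[(?P<ip>[\d.]+)\]: "
    r"(?:550 5\.1\.1 )?<(?P<rcpt>[^>]+)>(?P<unknown>: User unknown)?"
)


def parse_rcpt(line):
    """Return (client_ip, recipient, rejected_as_unknown) or None for other lines."""
    m = RCPT_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("rcpt"), m.group("unknown") is not None


def rcpt_stats(lines):
    """Per client IP: total RCPT attempts and unknown-recipient rejections."""
    stats = defaultdict(lambda: {"attempts": 0, "unknown": 0})
    for line in lines:
        parsed = parse_rcpt(line)
        if parsed is None:
            continue
        ip, _, unknown = parsed
        stats[ip]["attempts"] += 1
        if unknown:
            stats[ip]["unknown"] += 1
    return dict(stats)


def suspected_harvesters(lines, min_unknown=5, min_ratio=0.5):
    """Clients whose RCPT traffic is dominated by unknown recipients.
    Both an absolute count and a ratio are required, so a single typo from a
    legitimate relay (one rejection among several accepts) is not flagged."""
    flagged = []
    for ip, s in rcpt_stats(lines).items():
        ratio = s["unknown"] / s["attempts"]
        if s["unknown"] >= min_unknown and ratio >= min_ratio:
            flagged.append((ip, s["unknown"], round(ratio, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, unknown, ratio in suspected_harvesters(LOG_LINES):
        print(f"possible directory harvest from {ip}: {unknown} unknown recipients ({ratio:.0%})")
```

In a real deployment the counts would be kept per time window and the result fed to a rate limiter or blocklist; the thresholds should be tuned against the site's normal rejection rate so mailing-list bounces and legitimate typos stay below them.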
