Dress Warmly! Spam Blizzards Are in the Forecast
Written by Malcolm James on July 8, 2013
It may be the case that the winter months are snuggling in and getting comfy south of the equator, but here in the northern hemisphere, summer’s only heating up and getting a good head of steam on as it plans to make us run for the air conditioners and cool beverages. So the idea that we should prepare for blizzard activity seems something of a paradox, but the kind of blizzard we’re speaking of has nothing to do with cold weather, snow, or parkas. Nor is it a product of good old Mother Nature. No, this type of blizzard won’t bury your car under a mountain of snow, but you may want to pay attention, because the damage it could inflict might have you running for your network security policy.
According to an article by Network World discussing a recent security report, there’s a new type of threat on the Internet landscape, and while the idea behind it is nothing new, the fact that it’s been identified in the wild recently suggests that we all need to take another look at our anti-spam policies and procedures. The attack, which Network World dubs ‘blizzards,’ is the bombardment of emails on a target, so many emails, in fact, that the target can’t keep up with the incoming spam.
“Spam attacks may last from 12 to 24 hours, it continued, and inundate an inbox with as many as 60,000 messages,” the article reports.
The report cited by the article suggests that the attacks are very targeted and very deliberate, indicating that the attackers must have somehow obtained personal information that helps them target the individuals’ or organizations’ email addresses.
So, you ask, why bother? Well, we’ve known for a long time that spammers aren’t spamming for their health, and since their cumulative IQs can be packaged up and sent packing through the eye of a needle, there must be some tangible (read: monetary) reason for the attacks. “The purpose of the assault,” Network World reports, “is to prevent a target from reading their legitimate email.” And why would you want to prevent someone from reading their legitimate messages? Well, if some of those messages were transaction confirmations – you know, the kind that confirm account transfer requests or purchases – then hiding them amid a flurry of spam emails would certainly benefit the crooks who are pilfering their targets.
“Unlike much of the malicious spam circulating on the Internet,” writes Network World, “messages in a [Distributed Spam Distraction] attack don’t contain any malicious links or attachments.”
In fact, not all spammers are as stupid as we wish they were. The idea here is to make things as innocent as possible, which might have network administrators wondering what was with all the benign emails, rather than wondering what else was going on to necessitate the flurry.
You don’t need a parka to protect yourself from blizzards
In addition, blocking these emails can be tricky when they merely contain random passages from a book or magazine, because even the best content-based algorithms won’t have anything to lock onto as the junk starts pouring in. A troublesome prospect, indeed, and one which could be disastrous, at least in the short term while the attack is occurring. Cleaning up the mess afterward would require some work, too, and care has to be taken to review the messages to ensure that the real ones aren’t discarded.
Now, one obvious solution is to have rules for all the accounts that matter to you. Banks and other financial institutions will have distinctive signatures, like the originating email address and wording used to notify you of transactions. Flagging these messages and depositing them in a separate folder is just good practice, blizzard or no blizzard. For those messages that you cannot predict, perhaps personal messages from a broker notifying you that a cash transfer has been made, or a client informing you that the money order you requested has been shipped, some diligence has to be performed. Again, these should be deposited in a separate folder or given an alert rule – you’ll know who you deal with on a regular basis, so it shouldn’t be too difficult to generate a list.
If those prospects prove too prohibitive or time consuming, perhaps consider forming and training a ‘response team’ to react in the event that blizzard activity begins to appear on your mail server. Being prepared for the attack, and what to look for, may help you mitigate devastating losses.
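To make the two pieces of advice above concrete, here is an added example (not code from the original post or from the Network World report) of the rule-based triage and the burst detection a response team would want in place before a blizzard hits. It routes messages from known senders (matched on originating domain plus the wording they use, or on address alone for personal contacts whose wording can’t be predicted) into separate folders, and it flags any hourly window whose inbound count is far above a normal baseline. The sender domains, keywords, the sample mailbox and the 500-per-hour threshold are all constructed for the example; the only figure taken from the article is the 60,000-messages-in-12-hours rate used to justify the threshold.

```python
"""Added example: rule-based inbox triage during a spam 'blizzard'.

Two defender-side ideas are implemented:
  1. Flag messages from institutions and people you already deal with
     (originating domain + transaction wording, or a known address) and
     deposit them in a separate folder so they are not buried.
  2. Watch the inbound message rate; a sustained burst far above normal
     volume is the signal to wake the response team.

All domains, addresses, wording and the sample mailbox are constructed;
the thresholds are assumptions to be tuned against your own baseline.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Message:
    received: datetime
    sender: str
    subject: str
    body: str


# Rule = (folder, allowed sender domains, wording the institution uses).
# Constructed placeholders: replace with the exact addresses and phrasing
# your bank or broker really sends.
TRANSACTION_RULES = [
    ("Bank-Alerts", {"alerts.examplebank.test"},
     re.compile(r"\b(transfer|payment|withdrawal) (request|confirmation)\b", re.I)),
    ("Broker", {"examplebroker.test"},
     re.compile(r"\b(cash transfer|wire)\b", re.I)),
]

# People you deal with regularly: address-only match, since their wording
# cannot be predicted in advance.
KNOWN_CONTACTS = {"client@client-co.test"}


def route(msg: Message) -> str:
    """Return the folder a message should be deposited in."""
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    for folder, domains, pattern in TRANSACTION_RULES:
        if domain in domains and pattern.search(msg.subject + " " + msg.body):
            return folder
    if msg.sender.lower() in KNOWN_CONTACTS:
        return "Known-Contacts"
    return "Inbox"


def blizzard_windows(messages, window=timedelta(hours=1), threshold=500):
    """Return the start times of windows whose inbound count exceeds threshold.

    60,000 messages in 12 hours (the article's upper figure) is about
    5,000 per hour; the assumed 500/hour threshold sits well above normal
    personal mail volume and well below the attack rate.
    """
    epoch = datetime(1970, 1, 1)
    buckets = Counter()
    for m in messages:
        idx = (m.received - epoch) // window   # timedelta // timedelta -> int
        buckets[epoch + idx * window] += 1
    return sorted(start for start, n in buckets.items() if n > threshold)


def triage(messages, threshold=500):
    """Route every message and report which windows look like a blizzard."""
    folders = Counter(route(m) for m in messages)
    bursts = blizzard_windows(messages, threshold=threshold)
    return folders, bursts


def sample_mailbox():
    """Constructed mailbox: a two-hour blizzard of benign-looking junk with
    a bank notice and a client message buried in it, then normal mail."""
    t0 = datetime(2013, 7, 8, 9, 0)
    msgs = [Message(t0 + timedelta(seconds=6 * i), f"user{i}@junk{i % 37}.test",
                    "re: chapter three",
                    "It was the best of times, it was the worst of times")
            for i in range(1200)]
    msgs.append(Message(t0 + timedelta(minutes=20), "notify@alerts.examplebank.test",
                        "Transfer request received",
                        "We received a transfer request for $4,000."))
    msgs.append(Message(t0 + timedelta(minutes=45), "client@client-co.test",
                        "money order", "The money order you requested has shipped."))
    msgs.append(Message(t0 + timedelta(hours=3), "friend@example.test",
                        "lunch?", "Are you free Thursday?"))
    return msgs


if __name__ == "__main__":
    folders, bursts = triage(sample_mailbox())
    print("messages per folder:", dict(folders))
    print("blizzard windows:", [b.isoformat() for b in bursts])
```

Run stand-alone, the script shows the bank notice and the client message landing in their own folders while 1,201 junk messages pile up in Inbox, and it reports the 09:00 and 10:00 windows as bursts, which is exactly the moment a prepared response team would start reviewing the quarantined traffic.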