Bulk e-mailers are adding digital signatures to unsolicited messages in hopes of slipping past popular filtering programs, but updated filtering software no longer rewards the trick, experts said this week.
The trick was noted on several security lists, as the number of junk e-mail messages sporting digital signatures has apparently increased. Digital signatures are used in e-mail to attest to the origin and integrity of a message: any change to the signed text breaks the signature and can thus be detected.
The new spam tactic was likely introduced to fool a popular open-source e-mail filtering program known as SpamAssassin, said Rand Wacker, director of product strategy and planning for e-mail software maker Sendmail. Wacker said the openness of the program's development allows spammers to develop tricks to fool the software.
"Since SpamAssassin is built in a very transparent way in how it does its filtering, we see a lot of spam that is directly targeted at getting past SpamAssassin," Wacker said. Sendmail's own spam program, Mailstream, wouldn't be fooled by the technique because it doesn't give better scores to signed e-mail messages. Filters frequently use a scoring system to evaluate whether a particular message is spam or legitimate.
The attack on the software's scoring rules highlights a tradeoff of open-source filters: because the rules are published, spammers can study and game them, but projects with active development teams can also respond quickly once a rule is being abused.
For SpamAssassin, the signature problem affects only the 2.5 series of the software. The trick will increase the amount of spam that gets through mail gateways running versions prior to 2.60 of the program, said a developer.
"Older versions of SpamAssassin had a rule which would (make it more likely an e-mail would pass), if it found something that looked like a PGP signature in the message," Theo Van Dinter, lead developer for the open-source SpamAssassin project, said in an e-mail to CNET News.com. Van Dinter said such rules had been removed from the latest versions of the program. "So if spammers are actually trying to forge that rule, it doesn't do them any good on a properly updated machine," he said.
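The rule Van Dinter describes is easy to reproduce in miniature. The following Python is an added example written for this page, not SpamAssassin's code or its real rule set: it scores a constructed spam message with a few hypothetical content rules, once with a 2.5-style rule that subtracts points whenever an ASCII-armored PGP signature block is present, and once without it. It also shows the other half of the caveat: the armor can be made perfectly well-formed (including the RFC 4880 CRC-24 checksum line) by anyone, so even a filter that sanity-checks the block learns nothing about authenticity. Only verifying the signature against a trusted key would, and that is out of scope for a content filter. All messages, rule names and scores below are invented for the example.

```python
import base64
import binascii
import re

# Constructed sample messages for this example (not real spam).
SPAM_BODY = "Cheap software!!! Click here: http://example.invalid/buy\n"
PLAIN_SPAM = "Subject: Cheap software!!!\n\n" + SPAM_BODY

# The same pitch wrapped in a forged OpenPGP clearsign block, as the article describes.
# The "signature" is just base64-looking filler with a bogus checksum line.
FORGED_SPAM = (
    "Subject: Cheap software!!!\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
    + SPAM_BODY
    + "-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.2.2\n\n"
    "iD8DBQE/FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE\n"
    "=FAKEFAKE\n"
    "-----END PGP SIGNATURE-----\n"
)

THRESHOLD = 5.0  # hypothetical "this is spam" cutoff

# Hypothetical content rules: (name, pattern, points added when it fires).
CONTENT_RULES = [
    ("EXCESS_BANG", re.compile(r"!!!"), 2.0),
    ("CLICK_HERE", re.compile(r"click here", re.I), 1.5),
    ("CHEAP_PITCH", re.compile(r"\bcheap\b", re.I), 1.0),
    ("HAS_URL", re.compile(r"https?://"), 1.0),
]

PGP_SIG_BLOCK = re.compile(
    r"^-----BEGIN PGP SIGNATURE-----\n(.*?)^-----END PGP SIGNATURE-----$",
    re.M | re.S,
)


def score(message, credit_signature_block):
    """Return (total, fired_rule_names). With credit_signature_block=True the
    2.5-style rule is active: anything that merely looks like a PGP signature
    block lowers the score, which is exactly what the forged block exploits."""
    total, fired = 0.0, []
    for name, pattern, points in CONTENT_RULES:
        if pattern.search(message):
            total += points
            fired.append(name)
    if credit_signature_block and PGP_SIG_BLOCK.search(message):
        total -= 3.0
        fired.append("LOOKS_PGP_SIGNED")
    return total, fired


def is_spam(message, credit_signature_block=False):
    return score(message, credit_signature_block)[0] >= THRESHOLD


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1, the checksum used on the armor's '=' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_checksum_ok(message):
    """True if the PGP SIGNATURE armor is syntactically valid and its CRC-24 line
    matches the base64 body. This is a structural check only; it says nothing
    about whether the signature is genuine."""
    m = PGP_SIG_BLOCK.search(message)
    if not m:
        return False
    lines = m.group(1).splitlines()
    try:
        body_start = lines.index("") + 1  # armor headers end at the first blank line
    except ValueError:
        return False
    body, checksum = [], None
    for line in lines[body_start:]:
        if line.startswith("="):
            checksum = line[1:]
            break
        body.append(line)
    if checksum is None:
        return False
    try:
        raw = base64.b64decode("".join(body), validate=True)
        crc_bytes = base64.b64decode(checksum, validate=True)
    except binascii.Error:
        return False
    return len(crc_bytes) == 3 and int.from_bytes(crc_bytes, "big") == crc24(raw)


def make_armor(raw):
    """Wrap arbitrary bytes in a well-formed signature armor with a correct
    CRC-24. Anyone can do this, so a passing checksum proves nothing."""
    crc = crc24(raw).to_bytes(3, "big")
    return (
        "-----BEGIN PGP SIGNATURE-----\n\n"
        + base64.b64encode(raw).decode() + "\n="
        + base64.b64encode(crc).decode()
        + "\n-----END PGP SIGNATURE-----\n"
    )


if __name__ == "__main__":
    for label, msg in (("plain spam", PLAIN_SPAM), ("forged-signature spam", FORGED_SPAM)):
        for credit in (True, False):
            total, fired = score(msg, credit_signature_block=credit)
            print(f"{label:22s} credit_sig={credit!s:5s} score={total:4.1f} "
                  f"spam={total >= THRESHOLD} rules={fired}")
    print("forged armor well-formed:", armor_checksum_ok(FORGED_SPAM))
    print("homemade armor well-formed:", armor_checksum_ok(make_armor(b"not a real signature")))
```

With the signature credit on, the forged message drops from 5.5 to 2.5 and is delivered; with the rule removed, as in SpamAssassin 2.60, the forgery changes nothing. The `make_armor` call shows why "fix" the rule by requiring a valid checksum would not help either: a spammer can emit a structurally perfect armor as cheaply as a sloppy one.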
Such tricks, and the fact that bulk e-mail volume is increasing to offset lower success rates, show that spammers are trying hard to beat new defenses, said Justin Mason, senior antispam software engineer for security company Network Associates. The company's own e-mail filter software, Spam Killer, is based on SpamAssassin, but it has been changed enough to foil signed junk e-mail; Network Associates bought the company that created SpamAssassin in January.
"A lot of their tricks don't work that well," Mason said. "There is quite a lot of desperation really."