Amir Lev

Security Levity

Spammer trick of the month: Delayed DNS

Each month, I'll talk about a particular spammer trick. Spammers employ a number of sneaky tricks to avoid spam filters, and they're always inventing new ones. This week on Security Levity: the delayed DNS hack.

Spammers and botnet developers are an ingenious bunch. If spam wasn't so obnoxious and criminal, it would be easy to be impressed by some of their imaginative technical solutions. I want to talk about a recent innovation that spammers have developed to thwart spam filters that use link inspection techniques.

First, some background. Link inspection filtering works by inspecting the links within a suspect email message: by looking at the content of the linked-to Web page, and/or by querying a centralized reputation service. These techniques help a spam filter decide whether or not the message is spam.

What some spammers have been doing recently is controlling where their links point, and changing the destination at a critical moment, in order to thwart spam filters. They deliberately make the links point to a benign page while the filters are scanning the message, then switch them to a spam site in time for the users to read the message.

Spammers do this by a combination of careful timing and manipulation of the DNS. First, they make sure they send the spam during the night (based on the timezones of the targeted recipients). During this time, they ensure the DNS hostname for the link resolves to a legitimate site, or perhaps to nowhere at all. This of course prevents the spam filter from discovering a malicious link.

Later, once the spam messages have been delivered, the spammers switch the DNS to point to their spammy site. They need to make sure they do this in time, before the recipients wake up and start reading their email.

This is a technique that can confuse spam filters that use link inspection in a naïve way. The arms race between spammers and spam filter technologists continues, as ever.
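To make the failure mode concrete from the filter's side, here is a small simulation I've added (it is not code from the post or from Commtouch). It models a fake DNS zone whose answer for a link hostname changes at a set hour, a toy reputation list, and two filters: a naive one that inspects links once at delivery, and one that re-resolves at read time and compares the two answers. The hostnames, addresses, reputation labels and hours are constructed; the short-TTL check is an added heuristic of mine, based on the observation that a switch timed this tightly only works if resolvers are not still caching the old answer.

```python
"""Delayed-DNS trick vs. two link-inspection strategies (constructed simulation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical reputation feed: resolved address -> classification.
# Addresses come from documentation ranges; the labels are constructed.
REPUTATION: Dict[str, str] = {
    "203.0.113.10": "benign",   # harmless placeholder page
    "198.51.100.77": "spam",    # listed spam landing host
}


@dataclass
class DnsRecord:
    address: str
    ttl: int  # seconds a resolver may cache this answer


@dataclass
class TimedZone:
    """Fake authoritative zone whose answers change with (simulated) time.

    records maps hostname -> list of (effective_hour, record), ordered by
    effective_hour.  resolve() returns the last record already in effect,
    or None when the name has no answer yet (the "nowhere at all" variant).
    """
    records: Dict[str, List[Tuple[int, DnsRecord]]] = field(default_factory=dict)

    def resolve(self, hostname: str, hour: int) -> Optional[DnsRecord]:
        current = None
        for effective_hour, record in self.records.get(hostname, []):
            if effective_hour <= hour:
                current = record
        return current


def classify(record: Optional[DnsRecord]) -> str:
    """Look the resolved address up in the reputation feed."""
    if record is None:
        return "unresolved"
    return REPUTATION.get(record.address, "unknown")


def naive_verdict(links: List[str], zone: TimedZone, scan_hour: int) -> str:
    """Inspect each link once, at delivery, and trust that answer forever."""
    for host in links:
        if classify(zone.resolve(host, scan_hour)) == "spam":
            return "spam"
    return "clean"


def rescanning_verdict(links, zone, scan_hour, read_hour, min_ttl=300):
    """Resolve at delivery and again when the message is read (or a link clicked).

    Flags: a spam-listed answer at read time, an answer that changed between
    the two resolutions, a name that was unresolvable at scan time but is
    live later, and (added heuristic) a TTL short enough to make such a
    switch practical.  Returns (verdict, reasons).
    """
    reasons = []
    for host in links:
        at_scan = zone.resolve(host, scan_hour)
        at_read = zone.resolve(host, read_hour)
        if classify(at_read) == "spam":
            reasons.append(f"{host}: resolves to a spam-listed host at read time")
        elif at_scan is None and at_read is not None:
            reasons.append(f"{host}: unresolvable at scan time, live at read time")
        elif at_scan is not None and at_read is not None and at_scan.address != at_read.address:
            reasons.append(f"{host}: address changed since scan")
        if at_read is not None and at_read.ttl < min_ttl:
            reasons.append(f"{host}: TTL {at_read.ttl}s is below {min_ttl}s")
    return ("suspicious" if reasons else "clean"), reasons


# Constructed scenario: mail lands at 02:00 local time, recipients read at 09:00.
ZONE = TimedZone(records={
    # Night: harmless placeholder with a 60 s TTL; 07:00: flipped to the spam host.
    "promo.example.test": [
        (0, DnsRecord("203.0.113.10", ttl=60)),
        (7, DnsRecord("198.51.100.77", ttl=60)),
    ],
    # Variant from the post: the name does not resolve at all during the night.
    "deal.example.test": [
        (7, DnsRecord("198.51.100.77", ttl=60)),
    ],
})
LINKS = ["promo.example.test", "deal.example.test"]
SCAN_HOUR, READ_HOUR = 2, 9

if __name__ == "__main__":
    print("naive filter at delivery:", naive_verdict(LINKS, ZONE, SCAN_HOUR))
    verdict, why = rescanning_verdict(LINKS, ZONE, SCAN_HOUR, READ_HOUR)
    print("rescanning filter at read time:", verdict)
    for line in why:
        print("  -", line)
```

The naive filter passes both messages at 02:00 and would only have caught them had it scanned after the 07:00 switch; the rescanning filter catches them because it resolves again at read time, and it would still have flagged the change even if the morning address had not been on any reputation list yet. Time-of-click rewriting of links is the usual way to get that second look in production.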

 
This has been the first in a monthly series of posts about spammer tactics. If there's a particular tactic you'd like to see explained, please let me know.

I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!

 
When he's not dowsing the DNS, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.

What People Are Saying

This means links must be with

This means links must be with an IP address instead of a hostname.

Spam filters treat an IP address in a link as SPAM.

How do they evade that?

Ironport

If Ironport does link filtering, it must be inactivated on ours. I receive more spam than I can count. Besides, link filtering is only as good as the authoritative filter mechanism is. There are hundreds of these links coming in in e-mails daily and the filter cannot keep up. Just avoid clicking on any link in e-mails from unknown or suspect senders, and use common sense.

Where is our anonymous flame-friend?

I see Amir said spam is obnoxious and criminal.

I wonder if our anonymous friend will reappear this week? Will s/he be pleased to hear Amir say so? Or will s/he take a few more words out of context and rant on and on and on?

good stuff

This is the kind of series that has actual value, please keep it coming!

Thanks

Thanks for the feedback. Are there any particular tactics that you're curious about?

cool

Now this is cool. Amir, do you know if Ironport uses link inspection filters?

I believe they do

Either in the end point or in their data processing centers or in both.

thanks

Thanks, probably on their SBRS.