Necessary Protection

Addressing the converging threat of the spam economy

Spammers are making money exploiting other people's systems and no one is immune. This article examines the implications for organizations and for Linux caused by the spam/virus convergence, and details the level of protection necessary to minimize organizational impact and risk.

The spammer's goal is simple: to make money by selling to (or defrauding) e-mail users. But as more and more organizations deploy spam-filtering solutions, accomplishing this goal has become increasingly complex.

As individual, organizational, community, and governmental efforts to block spam cut into their revenue, the spammers' response is to innovate and overwhelm: send more mail, from more locations, with more permutations, using more tricks.

With their servers and Web sites blocked at every turn, today's spammers have an insatiable demand for hijacked access to legitimate systems to act as "zombie" spam servers.

To meet that demand, spamming operations have evolved from individual efforts to an entire community, a massive underground economy powered by spammers, virus writers, and hackers, all intent on making money through unsolicited e-mail.

This underground economy results in a barrage of increasingly sophisticated spam, virus, and hacker attacks across multiple layers and platforms within an organization. Linux is a key part of this as both a platform for organizational gateway protection from spam and viruses and a potential target of virus and hacker attacks.

The Spam/Virus/Hacker Connection

Traditionally, spammers, virus writers, and hackers were distinct communities with distinct motivations, but the success of spam has brought them together in an underground economy with a single purpose: making money from unsolicited e-mail.

Each group is responsible for specific tasks:

  • Hackers hijack mail servers, Web servers, and other exposed servers.
  • Virus writers infect and assume control of a large number of machines.
  • Spammers use these machines to sell products and generate revenue.

Together, these hijacked and infected systems provide a massive network for surreptitiously hosting spammer activities, such as:
  • Sending spam messages
  • Acting as proxies and relays to hide message routing
  • Stealing the owner's credentials to bypass blacklists and whitelists
  • Conducting Denial of Service attacks
  • Conducting Directory Harvest attacks
  • Providing temporary spam Web site hosting

Virus writing is no longer vandalism driven by ego; it is theft driven by economic benefit. Viruses, including Linux viruses, are becoming increasingly prevalent as their creators look for new ways to take and maintain system control. Slapper, Mimail, Sysbug, and other recent virus attacks have all contained machine-hijacking functionality.

In addition to the spam/virus/hacker connections, the underground economy includes providers of spammers' tools such as "ratware" (software that sends spam) and services providing lists of e-mail addresses.

Widespread availability of these tools and services drives the rapid, widespread adoption of new spamming techniques. Today's e-mail recipient faces increasingly sophisticated spam messages incorporating multiple filter avoidance techniques, such as rapid server changes, text and HTML obfuscation, randomized messages, hashbusting, "word salads," and redirected spam site addresses.

Implications for Organizations

The entire underground economy extends concerns beyond productivity, morale, and resource consumption to serious security risks at every level of an organization's infrastructure. Figure 1 illustrates some of the threats to organizations and how they may be addressed. As a result of spammer activity, organizations face significant increases in:
  • Spam volume
  • Coordinated virus, hacker, and spam attacks
  • Sophisticated spam attacks involving changing, international spam sources
  • Attacks from viruses, worms, and Trojans
  • Attempts to hijack servers for their sender authentication and other purposes
  • Denial of Service attacks
  • Directory Harvest attacks to grow mailing lists

Protecting enterprises from these attacks is not a simple task:
  • Existing systems, internal expertise, and available resources may be insufficient to keep pace with the sophistication of today's spam, virus, and hacker attacks.
  • Security functions and technologies - such as network, e-mail, and antivirus protection - may not be integrated.
  • Policies, processes, and systems that deal with occasional threats and outbreaks may not address the current environment of continuous attacks.
  • Protections built to defend against external attacks may be unprepared to detect and isolate compromised internal systems.

Implications for Linux

The threat the underground economy presents for organizations affects Linux in two key ways - as a platform often used for organizational gateway protection from spam and viruses, and as a potential target of virus and hacker attacks.

A primary concern for Linux is that organizations often run Linux MTAs (mail transfer agents), and these MTAs are often chartered with filtering spam and viruses from e-mail, the most common delivery mechanism for both.

When deployed in the role of protecting internal systems, Linux servers form an important barrier to the spread of infectious and otherwise malicious material. For instance, organizations deploying Linux MTAs with virus, policy, and spam-filtering capabilities protecting internal Windows networks benefit from the establishment of a non-homogeneous environment, reducing the risk of transmission from the gateway to internal systems. (See the next section for selected criteria to use when evaluating filtering solutions.)

The other concern for Linux is as a potential target of virus and hacker attacks. Linux users are sometimes overconfident about virus protection. Since virus writers find the ubiquity and homogeneity of Windows systems an attractive target, the vast majority of viruses still focus on Windows. However, with organizations deploying more Linux servers at the gateway, Linux applications are being used in the ideal location for exploitation, and thus are increasingly attractive to spammers.

Recently, Slapper, Devnull, Lion, and other viruses have exploited weaknesses in Linux applications, most commonly Apache, with viruses featuring rootkits and other backdoor access features.

While virus writers are only beginning to view Linux as a key platform, hackers already consider Linux gateway servers (e-mail or Web) an opportunity. By exploiting weaknesses in configuration and at the application layer, hackers are able to gain control of an organization's Linux servers for use as spam relays and for other purposes. In this situation, Linux servers face the same vulnerability issues as Windows systems: patch management, firewall concerns, user permissions, and user authentication.

With less professional guidance and certification available from service providers, Linux server administrators must educate themselves on how to properly secure their systems from intrusion. Similarly, without direct vendor support, administrators may be unaware of available updates, resulting in older versions of applications remaining unpatched and open to exploitation.

The fact that hackers are increasingly targeting Linux servers also means Linux application developers must keep up to date on security and potential vulnerabilities, such as unvalidated input, broken access control, and broken authentication and session management - the top three vulnerabilities for 2004, according to the Open Web Application Security Project (www.owasp.org).

Recommendations for Organizations

To minimize risk, organizations need a consolidated approach to protection against spam and spammer activity, including a multi-faceted approach to educate users, protect against viruses, filter spam messages, enforce policies, and harden e-mail systems. Initiatives should include:
  • Ongoing user education on how to avoid purchasing from spammers and becoming a victim of e-mail threats such as viruses, spam, and phishing (sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft)
  • Gateway and desktop antivirus protection to prevent system infection and hijacking
  • Gateway spam filtering to prevent spam from entering the mail system
  • E-mail policy enforcement to prevent the receipt and distribution of inappropriate content and potentially infectious files
  • Mail server hardening to prevent abuse by spammers, including the extension of gateway and desktop firewalls to remote users in order to protect internal systems from infiltration and infection
  • Implementation of sender authentication standards to help reduce address spoofing
  • Patch management processes to minimize zero-day threats by updating systems when vulnerabilities are patched

User Education

One of the most effective mechanisms for protecting an organization is user education. Employees should receive guidance on:
  • Avoiding becoming a victim of phishing and other scams
  • Avoiding receiving more spam
  • Avoiding inadvertently purchasing as a result of spam
  • Avoiding virus infection
  • Interacting with the organization's spam filter
  • Using e-mail appropriately and in accordance with company policy

Virus Protection

Combined gateway and desktop virus protection is essential to ensuring that the organization does not inadvertently become a spam host. Because e-mail and files downloaded at work or at home are the two most common virus infection paths, both gateway and desktop virus protection are necessary and should be extended to include mobile and home users. Outbound spam and virus filtering should also monitor for the activity generated by infected internal systems.
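As an added example (not code from the original article), the following Python script shows one way to spot the outbound pattern this section describes: it joins constructed, Postfix-style log lines by queue id so each delivery can be attributed to the internal client that submitted it, then flags clients whose mail reached an unusual number of distinct recipient domains. The log format, the host names and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in a Postfix-like format (not from any real system).
# Internal client 10.0.0.7 suddenly sends one message to six unrelated domains.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw postfix/smtpd[201]: 1A2B3C: client=desk-01[10.0.0.5]
Mar  3 10:00:02 gw postfix/smtp[301]: 1A2B3C: to=<partner@example.org>, status=sent
Mar  3 10:00:05 gw postfix/smtpd[201]: 4D5E6F: client=desk-07[10.0.0.7]
Mar  3 10:00:06 gw postfix/smtp[301]: 4D5E6F: to=<a@example.net>, status=sent
Mar  3 10:00:06 gw postfix/smtp[301]: 4D5E6F: to=<b@example.org>, status=bounced
Mar  3 10:00:07 gw postfix/smtp[301]: 4D5E6F: to=<c@mail.example>, status=sent
Mar  3 10:00:07 gw postfix/smtp[301]: 4D5E6F: to=<d@shop.example>, status=sent
Mar  3 10:00:08 gw postfix/smtp[301]: 4D5E6F: to=<e@news.example>, status=sent
Mar  3 10:00:08 gw postfix/smtp[301]: 4D5E6F: to=<f@blog.example>, status=deferred
"""

# smtpd logs the submitting client once per queue id; smtp logs each delivery.
CLIENT_RE = re.compile(r"smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\]")
RCPT_RE = re.compile(r"smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^@>]+@(?P<domain>[^>]+)>")

def flag_outbound_senders(log_text, max_domains=5):
    """Return {client_ip: distinct_domain_count} for internal clients whose
    outbound mail reached more than max_domains distinct recipient domains.

    Assumes the client= line for a queue id precedes its delivery lines,
    which is the order the queue produces them.
    """
    client_of = {}               # queue id -> submitting client IP
    domains = defaultdict(set)   # client IP -> recipient domains seen
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_of[m["qid"]] = m["ip"]
            continue
        m = RCPT_RE.search(line)
        if m and m["qid"] in client_of:
            domains[client_of[m["qid"]]].add(m["domain"])
    return {ip: len(d) for ip, d in domains.items() if len(d) > max_domains}

if __name__ == "__main__":
    print(flag_outbound_senders(SAMPLE_LOG))   # {'10.0.0.7': 6}
```

A desktop that normally mails a handful of partner domains and suddenly fans out to many is a strong signal of a hijacked machine; in practice the threshold would be tuned per site and combined with a time window.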

Gateway Spam Filtering

Deploying an e-mail filter is the only effective way to prevent spam, scams, viruses, and other e-mail-borne threats from entering the organization's mail stream. For organizations, the best solutions are deployed at the e-mail gateway, where the filter can see all inbound messages and keep junk mail out of the downstream servers while providing a centrally managed system that is faster, easier, and more efficient to update and manage than the alternatives.

To achieve high capture rates on an ongoing basis, employing an advanced, proven spam filter at the gateway is a critical step, as simple filters rely on only one or two antispam techniques and are insufficient when faced with modern spam campaigns. In the same way that virus protection requires vendor support, spam detection demands an expert operations team and frequent updates for organizations to maintain effective protection.

E-mail Policy Enforcement

In addition to delivering viruses, e-mail worms and other virus outbreaks often trigger sudden blooms of rejected messages and other side effects that clog e-mail servers. E-mail policy filtering enables organizations to enforce specific policies regarding the acceptable use of e-mail. At a minimum, organizations should implement e-mail policy filtering that blocks the delivery of suspicious executable attachments and enables administrators to block virus-related e-mail blooms.
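The attachment check described above, as an added example written for this page rather than taken from the article or any vendor product: it uses Python's standard email library to walk a message's attachments and flags those with an executable extension (including double extensions such as invoice.pdf.exe) or whose content begins with the "MZ" header of a Windows executable regardless of the declared MIME type. The extension list and the sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content. This list is an assumption for
# the example, not any gateway vendor's policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

def suspicious_attachments(raw_message: bytes):
    """Return the file names of attachments a gateway policy would block.

    A part is flagged when its final extension is executable (so a double
    extension like 'invoice.pdf.exe' is caught) or when its decoded content
    starts with the 'MZ' signature of a Windows executable, which catches
    executables mislabelled with a harmless MIME type and extension.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        last_ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if last_ext in EXECUTABLE_EXTENSIONS or payload.startswith(b"MZ"):
            flagged.append(part.get_filename())
    return flagged

def build_sample() -> bytes:
    """Constructed sample message: one harmless and two risky attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("quarterly numbers", filename="notes.txt")
    # Double extension: the last extension is what the desktop will execute.
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Declared as PDF, but the bytes are an executable header.
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))   # ['invoice.pdf.exe', 'report.pdf']
```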

Mail Server Hardening

Mail server hardening should cover both the mail software and the operating system. Exploitable mail server practices, such as unauthenticated non-delivery bounces and e-mail relaying (including SMTP-authenticated relaying), should be turned off.

Most organizations prevent the use of their mail servers as open relays, but continue to allow authenticated users to relay messages through them. Doing so exposes the server to SMTP-auth attacks, enabling hackers to gain access to the mail server and use it as a relay. Preventing all relaying by discontinuing this practice protects an organization's reputation as a legitimate sender.

Organizations should also implement proper operating system-level server hardening. All non-e-mail or administrative ports should be closed, and exploitable services removed. Organizations should be wary of supposedly secure appliances and other black-box security, and ensure they have their own controls in the event that vendor protections fail.

Firewalls

Firewalls help prevent unwanted access to networked computers and are needed at both the corporate gateway and on individual computers.

The corporate firewall protects internal servers and desktops from hackers, but with the increasing use of portable computing devices outside the network, and the potential for infected computers within the network to transmit infection, it is essential that every machine that connects to the network also be protected by its own firewall.

Sender Authentication

To help fight phishing attempts, spam, and viruses that often spoof the sending address or domain, all organizations should implement some form of sender authentication. Sender Policy Framework (SPF) is a simple sender authentication mechanism that enables administrators to publish the specific server addresses used to deliver mail for their domain. By checking the connecting server's address against this published information, receiving organizations can validate a message's source and block mail coming from unlisted sources. For more information, see http://spf.pobox.com.
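To show concretely what an SPF check does, here is an added example (not from the article or the SPF project) that evaluates a sender's connecting IP against an SPF record. It supports the ip4, ip6, include and all mechanisms, which is enough for the "declare your mail servers" use the section describes; the a, mx and exists mechanisms and macros are left out. The records are served from a small in-memory table standing in for DNS TXT lookups, and the domains and addresses are constructed for the example.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record. A real check would
# query the TXT records of the domain in the envelope sender.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none')
    for a connection from client_ip claiming to send mail for domain.

    Mechanisms are evaluated left to right; the first match decides the
    result. 'include' matches only if the referenced domain yields 'pass',
    and the recursion depth is capped to avoid lookup loops.
    """
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            if ip.version == int(name[2]) and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched

if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.10"))     # pass
    print(check_spf("example.com", "198.51.100.25"))  # pass (via include)
    print(check_spf("example.com", "203.0.113.5"))    # fail
```

A receiving gateway acts on the result: "-all" lets example.com ask receivers to reject forged mail outright, while the "~all" record only asks them to treat unlisted sources with suspicion.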

Patch Management

As new security issues are discovered, tracking the required patches can present challenges. This is especially true for Linux users because of the number of sources, even for common applications. However, patching is also an important protection process, as hackers monitor patch sources and deliberately exploit patched security threats, knowing that the bulk of users are slow to install patches. These are often referred to as zero-day threats, as the vulnerability is often exploited immediately after its discovery. At a minimum, organizations need policies and processes to monitor patch availability and update systems as soon as security-related patches are available.

Conclusion

To summarize, the convergence of the spam, virus, and hacker communities motivated by spam revenue is driving innovation and resulting in aggressive and sophisticated attacks against organizational infrastructure. To protect themselves, organizations need to educate users; deploy spam, virus, and policy filtering at the gateway; deploy virus protection on servers and desktops; and protect their systems against hackers.

More Stories By Chris Kraft

Chris Kraft, senior security analyst at Sophos, has worked in the security industry since the mid-1990s. Prior to ActiveState's acquisition by Sophos, Chris was ActiveState's Director of product management for PureMessage. Chris is an expert on security and has contributed to a variety of articles and stories covering the spam, authentication, and security markets. He holds a BA degree in economics from Simon Fraser University in Vancouver, British Co.
