Spam Daily News | DARK TRAFFIC -- the hidden email threat

From Spam Daily News

Most Read Stories
DARK TRAFFIC -- the hidden email threat
Posted on March 22, 2005

Dark Traffic is made up of spam, Directory Harvest Attacks (DHA), email Denial of Service (DoS) attacks, malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages.

Tumbleweed Communications Corp. released the "Dark Traffic Report" for Q1, 2005, which examines email traffic composition from a network perspective. The Dark Traffic Report includes data on the prevalence of network-level threats to email infrastructures, the impact to organizations, and the current alternatives for solving the problem.

Dark Traffic is made up of spam, Directory Harvest Attacks (DHA), email Denial of Service (DoS) attacks, malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages. The Dark Traffic Report defines and analyzes email security information gathered through a combination of research interviews with enterprise IT and email administrators, and taps of raw email network data aggregated from traffic monitors positioned in top enterprises throughout the US.

Within the general email network traffic volume, the percentage considered to be legitimate business communications has been steadily shrinking.

Spam, phishing attacks, and email borne viruses have generally been identified as the culprits based on information gleaned from anti-spam and anti-virus solutions, which usually focus on filtering and analyzing email message content. "Dark Traffic" by contrast, is measured at the network and application level, and currently represents up to 70% of total inbound email packets. Because this kind of invalid SMTP traffic may appear legitimate to network firewalls and content-centric email security solutions, it is passed on to an organization's corporate email servers for processing. The result -- organizations are over-resourcing their email infrastructure by more than 50% to handle traffic that does not belong on their network.

In a survey of over 100 top enterprise IT and email administrators in the US, over 50% of organizations recognized that they had been hit by an email denial-of-service attack, over 40% recognized that they had been the victim of a directory harvest attack, and a significant percentage had email intercepted or their email servers hacked in the preceding 12 months.

Although just over half of all IT and email administrators are aware that they have suffered one or more specific network-level attacks which caused slowdowns or failures, many lack the tools to do much more than ride them out. The most common solution in a known attack is to manually block the source IP address, closely followed by "hope it goes away." Better defenses are available at low cost, however. The introduction of a low-cost application-aware network-layer solution at the edge of the network could increase messaging performance, increase uptime, and reduce capital expenditures on email server and hygiene infrastructure which are due to volume limitations.

When we first began to closely examine email traffic composition at the network level, we were caught off guard by the volumes of hidden traffic flowing into the enterprise under the radar," said John Thielens, CTO of Tumbleweed Communications. "It was clear that incorporating a network-layer solution into a security infrastructure would be key for comprehensive threat prevention."

Dark traffic is a hidden problem

Dark traffic currently represents up to two thirds of all inbound port 25 traffic, but many email administrators don’t know when they’ve been hit with directory harvest attacks or email denial of service attacks, and those that do have few tools to stop them. This is significant, given the threat to email security, performance and reliability that dark traffic poses.

Dark traffic creates real and significant costs

There are two primary impacts of dark traffic to the enterprise:

Traffic Spikes

Spike-based degradation of messaging infrastructure performance leads to IT personnel overtime costs and system downtime

Overinvestment in Email Infrastructure

The need to process an extra 200% of email traffic leads to unnecessary infrastructure upgrades and expansion to support increased capacity of content-centric email security gateways and corporate email servers. This includes anti-spam and anti-virus gateways, as well as corporate email servers

Content filters are inappropriate for network level threats

While just over half of all IT and email administrators are aware that they have suffered one or more specific network-level attacks which caused slowdowns or failures, they lack the tools to do much more than ride them out. Standard firewalls are not application-aware and pass all packets directly to the messaging infrastructure, where they bog down message servers and email hygiene solutions. The most common solution in a known attack is to manually block the source IP address, closely followed by 'hope it goes away'.

Enterprises are spending more than they need to

Most email administrators lack insight into the composition of inbound port 25 traffic and therefore the ability to shape it. Once email traffic processing capacity is reached, most enterprises today add additional messaging servers and hygiene solutions to handle increased traffic loads. In general, the biggest bottleneck in an organization’s email infrastructure is the anti-spam and anti-virus gateway that needs to decompose and filter email message content to identify threats.

The introduction of a low-cost application-aware network-layer solution at the edge of the network could increase messaging performance, increase uptime, and reduce capital expenditures on email server and hygiene infrastructure which are due to volume limitations.

Email attacks can compromise network and information security.

With the rise of Active Directory and single sign-on technologies, the network login credentials and email address are often configured to be the same. As a result, email application security is critical to prevent directory loss, which can deliver thousands of usernames to outsiders, allowing them to focus cracking efforts on the exact username list with the goal of breaching the network itself. This puts confidential operational and customer data at risk of compromise.
SOURCE: Tumbleweed Communications Corp.