SPAM email is a very serious threat that has to be considered when modelling the security perimeter of every company. Automated solutions may not always catch all of the odd messages.
Some examples of the most common SPAM specimens:
- “Please find attached your invoice which is past due…”
- “I am lawyer of your recently deceased relative and I want to send you…”
- “Your parcel is being held by DHL, please fill in the customs declaration form…”
- “Hi, I am Irina and I seek true romantic love…”
- “Do you feel sometimes that the world could be better place?”
- “Hello, I am XYZ. My beloved husband left me huge wealth…”
In this use case, all suspicious messages were forwarded to one central directory. Each email was then investigated in depth. If a message carried an infected attachment, it was categorized and, where needed, handed over to the incident response process.
This is what the high-level process looks like:
Grouped edges depict the information flow between all involved parties.
Now in more detail.
The first task is to pre-screen every single SPAM message in the system. Based on certain tags, each SPAM message is sorted into a category, and for every category a detailed process follows.
This picture shows the catalog of known SPAM domains, used as one of the categorization inputs:
And grouped by sub-categories:
Based on the catalog and on in-house developed categorization, the next picture shows the SPAM messages clustered.
- The central component shows the relation between infected attachments, malicious links, provocative emails and mass communication sent by known spambots.
- The outer circle is composed of so-called spear phishing attacks, sent only to one precisely targeted individual.
Since most SPAM messages are generated by automated solutions, it also makes sense to analyze the text in the Subject of each message.
- The picture below shows an analysis of the frequency of words in the subject. The most frequent string was “Re:”.
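As an added illustration (not code from the original post), the categorization and subject-frequency steps above in Python. The domain catalog, the attachment and link heuristics, and the sample messages are all constructed for this example; a real deployment would feed the actual catalog and the pre-screened mailbox in:

```python
import re
from collections import Counter

# Constructed catalog of known SPAM sender domains -> category (hypothetical values,
# standing in for the catalog pictured above).
DOMAIN_CATALOG = {
    "dhl-parcel-notice.example": "phishing/parcel",
    "invoice-billing.example": "phishing/invoice",
    "lovely-irina.example": "romance",
    "bulkmailer.example": "spambot",
}

# Attachment types that the in-house rules treat as potentially infected (assumed list).
DANGEROUS_EXT = (".zip", ".exe", ".js", ".docm")


def categorize(msg):
    """Return the triage tags for one message: catalog match first, then in-house rules."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    tags = []
    if domain in DOMAIN_CATALOG:
        tags.append(DOMAIN_CATALOG[domain])
    if any(a.lower().endswith(DANGEROUS_EXT) for a in msg.get("attachments", [])):
        tags.append("infected-attachment")      # this tag hands the case to incident response
    if re.search(r"https?://", msg["body"]):
        tags.append("malicious-link")
    if msg.get("recipients", 0) == 1 and not tags:
        tags.append("spear-phishing")           # single targeted recipient, unknown sender
    return tags or ["uncategorized"]


def subject_word_frequency(msgs):
    """Count whitespace-separated subject tokens across all messages (case-folded)."""
    counts = Counter()
    for m in msgs:
        counts.update(w.lower() for w in m["subject"].split())
    return counts


SAMPLE = [  # constructed messages modelled on the specimens listed at the top of the post
    {"from": "billing@invoice-billing.example", "subject": "Re: Please find attached your invoice",
     "body": "See attachment.", "attachments": ["invoice.zip"], "recipients": 1},
    {"from": "noreply@dhl-parcel-notice.example", "subject": "Re: Your parcel is being held",
     "body": "Fill in the form at http://dhl-parcel-notice.example/form", "recipients": 300},
    {"from": "irina@lovely-irina.example", "subject": "Hi, I seek true romantic love",
     "body": "Write me back.", "recipients": 5000},
    {"from": "assistant@unknown-sender.example", "subject": "Re: wire transfer today",
     "body": "Call me.", "recipients": 1},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["subject"], "->", categorize(m))
    print(subject_word_frequency(SAMPLE).most_common(3))
```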
The picture below shows SPAM handling as a process applied to every single message. Note that the actions taken were both reactive and proactive; in this case I used only reactive actions for better illustration. Each node stands for a single malicious email address that was identified and blocked.
Light – attack attempt, Blue – defense: