This article describes Cloudmark's reputation-based approach to fighting spam using Cloudmark's Collaborative Security Network™ (CCSN). The goal is to distribute the identification of spam across a wide network of real users, thus increasing overall filtering accuracy. The fundamental idea is to allow the first few recipients to identify spam messages and inform the rest, so that the spam can be filtered out before the rest of the recipient community receives and reads it. At the core of the CCSN is a reputation metric analyzer, the Trust Evaluation System™ (TeS). TeS ensures the integrity, or "reputation" of spam reporters by tracking how often the larger recipient community agrees or disagrees with their assessment of the message as spam. In Cloudmark's reputation-based system, a high trust rating is hard to gain and easy to lose. In addition, Cloudmark uses algorithms which reduce each message to a fingerprint. Message fingerprinting algorithms maintain the privacy of the content and reduce the amount of data to be analyzed. Once a message is identified as spam by a group of highly-trusted users, the fingerprint is cataloged in Cloudmark's security network and all future messages that match that fingerprint are automatically moved to a user's spam folder. Some messages, such as mailing lists — which some individuals want, while others do not — are listed as contested, allowing individual systems to customize spam filtering. Cloudmark's collaborative approach — with its additional attribute of "reputation", or "trust," added to a community of real users who identify, report, and corroborate suspect messages in real time — has proven more effective and faster than traditional blocking or filtering methods. 
Because a reputation-based collaborative system does not draw blanket conclusions about terms, hosts, or people, it has proven to increase accuracy, particularly as it relates to false positives and false criticals, while simultaneously decreasing administration costs.
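The trust-weighted voting described in this abstract, as an added sketch that is not Cloudmark's code: reports are weighted by reporter trust, trust grows slowly and drops sharply, and a fingerprint with strong trusted support on both sides is marked contested. The threshold, the trust constants and the hash-based fingerprint are all assumptions, since the page gives none of them.

```python
import hashlib
from collections import defaultdict

# Every constant here is an assumption made for this sketch; the page gives no values.
SPAM_THRESHOLD = 2.0   # summed reporter trust needed before a verdict is issued
NEW_TRUST = 0.1        # trust of a reporter with no track record
TRUST_GAIN = 0.05      # additive reward for agreeing with the community ("hard to gain")
TRUST_LOSS = 0.5       # multiplicative penalty for disagreeing ("easy to lose")

def fingerprint(body: str) -> str:
    """Stand-in fingerprint (assumption): hash of case- and whitespace-normalised text."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]

class TrustNetwork:
    def __init__(self):
        self.trust = defaultdict(lambda: NEW_TRUST)   # reporter -> trust in [0, 1]
        self.votes = defaultdict(dict)                # fingerprint -> {reporter: is_spam}

    def report(self, reporter: str, body: str, is_spam: bool) -> None:
        self.votes[fingerprint(body)][reporter] = is_spam   # content itself is not stored

    def verdict(self, body: str) -> str:
        votes = self.votes.get(fingerprint(body), {})
        spam = sum(self.trust[r] for r, v in votes.items() if v)
        ham = sum(self.trust[r] for r, v in votes.items() if not v)
        if spam >= SPAM_THRESHOLD and ham >= SPAM_THRESHOLD:
            return "contested"   # e.g. a mailing list some want and others do not
        return "spam" if spam >= SPAM_THRESHOLD else "unknown"

    def settle(self, body: str) -> None:
        """Once a fingerprint is cataloged as spam, adjust each reporter's trust."""
        if self.verdict(body) != "spam":
            return
        for reporter, said_spam in self.votes[fingerprint(body)].items():
            if said_spam:
                self.trust[reporter] = min(1.0, self.trust[reporter] + TRUST_GAIN)
            else:
                self.trust[reporter] *= TRUST_LOSS

def flood_vs_trusted():
    """Constructed scenario: 15 fresh accounts versus 3 established reporters."""
    net = TrustNetwork()
    for i in range(15):
        net.report(f"new{i}", "Newsletter:  weekly digest", True)
    for name in ("alice", "bob", "carol"):
        net.trust[name] = 0.9
        net.report(name, "Verify your ACCOUNT now", True)
    return net.verdict("newsletter: weekly digest"), net.verdict("verify your account   now")
```

In the constructed scenario the 15 untrusted reports do not reach the threshold, while three established reporters do, which is the property that keeps mass-registered accounts from steering verdicts.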
Phishing is a relatively new and sophisticated messaging security threat. Typically, phishers impersonate known and trusted financial institutions and organizations to access a user's personal account information. Phishers target qualified mailing lists, keep their attacks short lived, and quickly move among hosting sites. They also exploit software vulnerabilities to fool filtering software. For all of these reasons, traditional techniques such as Bayesian filters, IP-based black lists, and URL-based filters are not effective in stopping or filtering phishing attacks. Cloudmark uses a fingerprinting algorithm to identify each message in its system, which has proven to be particularly effective against phishing because it does not make any assumptions about the nature of the underlying message. The Cloudmark Collaborative Security Network™ (CCSN) consists of real-time users, who are themselves targets, who can distinguish a phishing attack, and mark it as such. Once enough users confirm it is an attack, any message with a matching fingerprint is moved into every user's spam folder. One fingerprint is enough to match all messages generated from the same phisher — even new generations of the same attack that may have been cosmetically altered — allowing Cloudmark to provide zero-time protection against most phishing attacks.
Conventional anti-virus software relies on a staff of researchers to isolate and analyze viruses, identify them with a fingerprint, and then write and test code and rules to block them. This process takes up to 24 hours and often blindly blocks many legitimate messages with attached executable code. In contrast, Cloudmark's Collaborative Security Network™ (CCSN) uses a fingerprinting algorithm to identify each incoming message, combined with a reputation-based, trusted community of real-time users to identify malicious viruses. Using the Cloudmark Trust Evaluation System™ (TeS), Cloudmark is able to let trustworthy, credible users identify viruses. Cloudmark's virus fingerprinting algorithm automates the time-intensive "reverse engineering" analysis of conventional technologies, allowing its system to identify and squelch new worms and virus strains in real time. The Cloudmark technology is language-agnostic, format-agnostic, representation-agnostic, and protocol-agnostic — making it particularly suited to combat all forms of malicious content.
Viruses and spam are both threats to productivity, but the techniques developed to combat them, like the abuse itself, differ radically. Consider that the skills required to create and generate a virus message are advanced, while the skills required to generate spam are minimal — which is why there's so much of it. Conventional anti-virus software is created by company researchers who must first isolate a virus and then generate a fingerprint of the virus that can be checked against a database of known viruses. This methodology is effective only at a small scale and with infrequent variations in viruses. Spam mutation, on the other hand, appears more frequently, almost constantly. Since it would be infeasible to update anti-spam software manually with every variation, it must be automated. Conventional anti-spam software looks at patterns, such as words found in the message, or the route the message took. Cloudmark, however, uses a collaborative filtering-based, anti-spam solution, at the heart of which is the Cloudmark Collaborative Security Network™. This solution relies on a large pool of email readers to distinguish what is, and is not, spam. All messages are reduced to a fingerprint, and once enough readers identify a message as spam, that fingerprint is labeled as spam. All messages associated with that fingerprint, as well as specific variants of the message, are filtered into the spam folder. This technique not only works for spam, but has also proven to be extremely effective against viruses, phishing, and spyware — and at real-world speeds much faster than conventional anti-virus products.
Phishing has been defined as the fraudulent acquisition of personal information by tricking an individual into believing the attacker is a trustworthy entity¹. Phishing attacks are becoming more sophisticated and are on the rise. In order to develop effective strategies and solutions to combat the phishing problem, one needs to understand the infrastructure in which phishing economies thrive. We have conducted extensive research to uncover phishing networks. The result is a detailed analysis from 3,900,000 phishing e-mails, 220,000 messages collected from 13 key phishing-related chat rooms, 13,000 chat rooms and 48,000 users, which were spidered across six chat networks and 4,400 compromised hosts used in botnets. This paper presents the findings from this research as well as an analysis of the phishing infrastructure.
Cloudmark Network Feedback System™ is an automated mechanism that enables Cloudmark ISP and enterprise customers to become members of the Cloudmark Collaborative Network and submit feedback of misclassified messages to Cloudmark as a method to improve filtering accuracy.
Cloudmark Network Feedback System Reporting Interface offers a suite of reports that provide system administrators with statistics and in-depth information on the message feedback your customers have submitted into the Cloudmark Network Feedback System. System administrators can more proactively and appropriately address accuracy issues by examining the feedback reporting trends and behavior of each of their CNFS reporters.