{"id":6638,"date":"2017-03-10T17:05:07","date_gmt":"2017-03-10T22:05:07","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=6638"},"modified":"2019-11-15T06:49:38","modified_gmt":"2019-11-15T11:49:38","slug":"humachine-intelligence-antispam","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/humachine-intelligence-antispam\/6638\/","title":{"rendered":"HuMachine intelligence fighting snow shoes"},"content":{"rendered":"<p>Of course, I\u2019m bound to get a lot of spam in my inbox \u2013 probably more than most. Decades of giving out my business card left, right and center; our domain included on presentation slides, in publications and catalogs and so on. Then there\u2019s my email address\u2019s simplicity. Sometimes employees\u2019 blown email addresses we \u2018leave out in the cold\u2019 as spam honeypots while setting up new, slightly amended email addresses for the employee. But we can\u2019t have that for me now can we? No. Because \u2013 first \u2013 I need to keep track of precisely who the enemy is, and \u2013 second \u2013 I want to personally be able to monitor the quality of our <a href=\"https:\/\/eugene.kaspersky.com\/tag\/spam\/\" target=\"_blank\" rel=\"noopener noreferrer\">antispam protection<\/a>. And I also don\u2019t mind a few extra <a href=\"https:\/\/blog.cyren.com\/articles\/top-10-most-ridiculous-spam-subjects-sillyspam-1328.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">laughs<\/a> now and again.<\/p>\n<p>Much like entomologists with their butterflies, I file all incoming spam in a separate folder, check out the verdicts, and determine tendencies and false positives, while I forward missed samples to our antispam lab.<\/p>\n<p>Curiously, since the beginning of the year the amount of spam has gone through the roof! And after studying its structure and style, it looks like most of it comes from one (1) source! 
Almost all the messages were in English (with just two in Japanese), and \u2013 main thing \u2013 <strong>100% of this spam was detected by our <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/linux-mail-server\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">products<\/a>!<\/strong> I turned to our specialists\u2026 \u2013 and it was confirmed: it was a huge tsunami-like wave of a specific type of spam \u2013 <em>snowshoe spam<\/em>. This is unusual as normally around New Year spam activity falls in volume.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/05\/06020604\/snowshoespam-1-1024x621.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/05\/06020604\/snowshoespam-1-1024x621-1024x621.jpg\" alt=\"Humachine Intelligence Fighting Snow Shoes.\" width=\"1024\" height=\"621\" class=\"alignleft size-large wp-image-15230\"><\/a><\/p>\n<p style=\"text-align:center;font-weight:bold\"><i>* Data for 1-10 January<\/i><\/p>\n<p>And here\u2019s the data on how the share of snowshoe spam changed on the most active day \u2013 January 7 \u2013 in the inboxes of our corporate domain:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/03\/06020604\/snowshoespam-2.jpg\" alt=\"\" width=\"570\" height=\"335\" class=\"aligncenter size-full wp-image-6641\"><\/p>\n<p>So just what is this snowshoe when it\u2019s at home, and how can it be protected against?<\/p>\n<p>The snowshoe method isn\u2019t new at all; we first detected it in early 2012. But ever since then it\u2019s been getting bigger and bigger, because it easily fools idiotic spam filters that don\u2019t do multi-level analysis. It does this by being sent not from just one or two IP addresses, but a great many of them, thus getting round IP-address filtration based on reputation. 
Incidentally, this is where it gets its name from: the weight of a person wearing snowshoes gets distributed evenly over the whole \u2013 wide \u2013 area of the shoes and keeps the person from sinking into the snow. Well, the same principle applies to this spam, kinda: spam distributed widely across many IP addresses keeps the spam from getting caught in filters.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/03\/06020603\/snowshoespam-2-1.jpg\" alt=\"Humachine Intelligence Fighting Snow Shoes.\" width=\"880\" height=\"587\" class=\"aligncenter size-full wp-image-6642\"><\/p>\n<p>For the spammers, using multiple IP addresses is more complicated, but it gets them the result they want. They have to constantly use auto-generated domains and their providers (usually using a dictionary) and shut down blown hosting and spam proxies. Yes, the fiddles are many and complex, but, like I say, for the spammers it\u2019s worth it.<\/p>\n<p>Once the spam gets to its recipients, social engineering takes over. This starts out with an eye-catching subject line, while in the body of the email there\u2019s a redirect to a site where the respective super-essential product or service is hawked, which you simply cannot let pass you by \u2013 and whose sale price ends tomorrow. Miracle cures, once-in-a-lifetime discounts on insurance, impotence pills, utility bills\u2026 you name it. All sprinkled with a healthy dose of classic con tricks: sob stories (I\u2019m very sick, and have no money), happy endings (I tried this pill here priced at $29.99, and all my symptoms disappeared in a flash!), and so on.<\/p>\n<p>The redirects take you to a site depending on your region. For example, if a user turns up from a very poor country, they simply get redirected to, say, Google. 
But if a user turns up from a developed country, say, in Europe or North America, then the scam-resource goes into overdrive and comes up with all manner of tales about\u2026 the medicinal heritage of the Apache, or Tesla\u2019s mysteries.<\/p>\n<p>But it\u2019s not only crafty social engineering that\u2019s used. This kind of spam can also bring malware along for the ride\u2026<\/p>\n<p>So what about protection?<\/p>\n<p>From the technical standpoint, snowshoe, of course, isn\u2019t all that sophisticated. But that doesn\u2019t mean it shouldn\u2019t be taken seriously. Simple filters unable to adapt to the polymorphism of the spam simply let it through. And there\u2019s no single technology that\u2019s able to deal with snowshoe once and for all. We fight snowshoe with multi-level protection, with first fiddle being played by <a href=\"https:\/\/eugene.kaspersky.com\/2016\/09\/26\/laziness-cybersecurity-and-machine-learning\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">machine learning<\/a>. This is logical, since tackling the high volumes of snowshoe spam manually would be simply unrealistic; far better for experts to spend their time on something more useful. And that \u2018something more useful\u2019 happens to be <em>creating<\/em> smart machines, which in turn <em>automatically<\/em> and <em>extremely accurately<\/em> and <em>reliably <\/em>analyse spam and create countermeasure algorithms. For example, thanks to machine learning our products automatically recognize and block new spammer domains, IP addresses and subnetworks, and conduct content-analysis based on various attributes. And they do all of it, as already mentioned, very successfully.<\/p>\n<p>In fact, the war between cyber-good and cyber-evil long ago turned into a war of algorithms. 
The bad guys learned how to skillfully disguise and alter the appearance\/nature of their cyberattacks, and this itself is increasingly done automatically too, resulting in attacks carried out as per complex logic. But for every algorithm, there\u2019s a counter-algorithm, what\u2019s more \u2013 a longer one. Today, effectiveness depends on the flexibility and reliability of the self-learning systems created by experts. And success goes to those able to provide a combination of (i) the mathematical abilities of man, and (ii) complex infrastructure that permits developing new algorithms. And we call that combination <a href=\"https:\/\/eugene.kaspersky.com\/tag\/humachine\/\" target=\"_blank\" rel=\"noopener noreferrer\">Humachine Intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The war with cyber-evil long ago turned into a war of algorithms. And effectiveness depends on the flexibility and reliability of the self-learning systems. <\/p>\n","protected":false},"author":13,"featured_media":15233,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2318,2486,240],"class_list":{"0":"post-6638","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-antispam","10":"tag-humachine","11":"tag-spam"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/humachine-intelligence-antispam\/6638\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/humachine-intelligence-antispam\/15068\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/humachine-intelligence-antispam\/6638\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/humachine-intelligence-antispam\/6638\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/humachine\/","name":"HuMachine"},"_links
":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/6638","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=6638"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/6638\/revisions"}],"predecessor-version":[{"id":30030,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/6638\/revisions\/30030"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15233"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=6638"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=6638"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=6638"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}