RealTime IT News

Experts Clarify ISP Spam Threat

UPDATED: Spammers have put a new twist on an old technique for blasting out thousands of e-mails from zombied computers, one that takes the proxy approach one step further.

Infected computers are now used as middlemen to get at the ISPs' own e-mail servers, rather than using the zombied computer to directly send spam. But, say experts, there's no reason to fear just yet.

The one thing the experts do agree on is the need for ISPs -- from national providers like AOL and Verizon to the local ones -- to get their affairs in order.

For years spammers have taken advantage of the infected computers of Internet users, using PCs around the world as proxy e-mail servers to send out their bulk e-mail campaigns, a technique that helps protect spammers from detection. Rather than sending spam through their own ISP's account -- which normally ends with the suspension of that account -- spammers use someone else's service.

The spammers' latest twist cuts down on the effectiveness of real-time black hole lists like The Spamhaus Project, which maintains a database of IP addresses that are responsible for sending spam. The lists are in turn used by ISPs to block spam from reaching their customers.

Mark Sunner, CTO at managed e-mail security vendor MessageLabs, said the spam technique effectively negates blacklists, which are used at most ISPs, and gives spam another avenue of approach to customers' inboxes.

"People would never blacklist ISPs' mail servers because the whole concept of e-mail and the inter-connected-ness of SMTP would start to break down," he said. "So they know that no one is ever going to blacklist ISPs wholesale in that way."

A recent surge in this type of spamming technique prompted Steve Linford, Spamhaus Project founder, to warn ISPs earlier this week. According to a report on the Spamhaus Web site, AOL is reporting that more than 90 percent of its incoming spam comes from ISP mail relays.

But Linford downplays early news reports on the subject that quote him as saying an e-mail infrastructure meltdown is imminent, and that if spam keeps increasing at its current rate, it will account for 95 percent of all e-mail traffic by 2006.

"It is very, very serious [but] it isn't going to collapse the Internet today or anything," he said. "But it is very serious and causing a very large surge in spam. Obviously there are ways to attack it with additional filters and things like that, but it is something that's going to be quite difficult to tackle.

"The problem is that if ISPs don't tackle it, then by mid-2006 we're going to have the spam levels at 95 percent of all e-mails, which is going to cause failures to occur all over the place," he added.

The recent surge can be attributed to spamware applications that aid spammers in their activities. One such application is called Send-Safe, which is advertised as a bulk e-mail software program.

Last month, the company started pitching its latest improvement to the software, Send-Safe version 2.20b, which includes a proxy feature that allows its users to send from an ISP's e-mail server.

Ruslan Ibragimov, author of the Send-Safe application and a well-known figure on Spamhaus's Register of Known Spam Operations (ROKSO), said the "Proxy Lock" feature was added to his program after receiving numerous requests from customers for its inclusion.

At the same time, he maintained his innocence by saying that the software itself doesn't do anything illegal, and that he doesn't write the Trojans that create zombie computers in the first place.

"I don't know about any special proxy/Trojans that re-direct e-mails through ISP mail servers," he said. "Send-Safe does not use these proxies. Send-Safe [tries] to use any regular proxy to mail with this method. And as I said before, we don't write Trojans and [are] trying to stay away from it."

The software puts ISPs squarely in the spotlight to improve their operations. The Spamhaus report recommends that service providers limit the outgoing mail from their broadband customers, separate their incoming and outgoing SMTP servers and mandate e-mail authentication for all their customers.

However, the recommendations don't address the whole problem, said Dave Crocker, principal author of the Client SMTP Validation (CSV) e-mail authentication scheme and principal at consulting firm Brandenburg InternetWorking.

E-mail servers, by definition, are meant to serve e-mail, he said; at what point do you stop customers from sending it? Putting a threshold on the number of messages, recipients or types of messages per day doesn't answer everything, Crocker said, though it will add costs for the ISP and for customers, who would have to pay for the additional service.

"I think that what all of this leads to is developing techniques for proving the quality of the operation of ISPs with their customers," he said. "The same issue also applies to enterprise service providers finding techniques for detecting and dealing with compromised machines."

Some ISPs have already taken those steps. EarthLink, for example, instituted "port 25" blocking five years ago. The technique, which Spamhaus strongly recommends for outgoing traffic from any machine on a network that is not configured and maintained specifically as a mail server (including machines sitting behind a NAT gateway/firewall), forces all outgoing e-mail through the ISP's servers. That gives the ISP a better look at the spam proxies created by its customers' zombied machines, according to Tripp Cox, the service provider's CTO.

With the block in place, he said, spammers switched to sending through EarthLink's own e-mail relays, which helped officials pinpoint which customer machines were infected and helped remove the virus.

As more ISPs institute blocking, spam will shift to the ISPs' own servers, which makes it easier for officials to detect, he said. From there, ISPs can put rate limits or other measures in place to ensure spam isn't originating from their networks.
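As an added illustration of the outbound rate limits the Spamhaus report recommends and the compromised-machine detection Cox describes (example code written for this page, not from the article or any ISP), the following Python flags customer accounts that burst messages through an ISP's outbound relay; the log format, thresholds, user names and addresses are all constructed assumptions.

```python
"""Sliding-window rate check over an ISP outbound-relay log (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (not any particular MTA's): one line per accepted message
# with timestamp, customer IP, authenticated user and recipient address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) user=(?P<user>\S+) to=<(?P<rcpt>[^>]+)>$"
)

def parse_line(line):
    """Return (timestamp, ip, user, recipient), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["rcpt"])

def find_abusers(log_lines, max_msgs=5, max_rcpts=5, window=timedelta(minutes=10)):
    """Report users who, inside any `window`, exceed `max_msgs` accepted messages
    or `max_rcpts` distinct recipients.  Returns {user: (ip, first_violation_ts)}.
    Thresholds are illustrative; a real ISP tunes them per customer class."""
    recent = defaultdict(deque)   # user -> deque of (ts, rcpt) still inside the window
    flagged = {}
    for ts, ip, user, rcpt in filter(None, map(parse_line, log_lines)):
        q = recent[user]
        q.append((ts, rcpt))
        while ts - q[0][0] > window:   # evict entries older than the window
            q.popleft()
        if user in flagged:
            continue
        if len(q) > max_msgs or len({r for _, r in q}) > max_rcpts:
            flagged[user] = (ip, ts.isoformat())
    return flagged

def sample_log():
    """Constructed sample: alice behaves normally; carol's PC relays a spam burst."""
    base = datetime(2005, 6, 1, 10, 0, 0)
    lines = []
    for i, rcpt in enumerate(["bob@example.org", "dan@example.com", "bob@example.org"]):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} client=10.0.5.17 user=alice to=<{rcpt}>")
    for i in range(12):   # 12 messages to 12 recipients inside two minutes
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} client=10.0.5.99 user=carol to=<victim{i}@example.net>")
    lines.append("malformed line that the parser must skip")
    return lines

if __name__ == "__main__":
    for user, (ip, when) in find_abusers(sample_log()).items():
        print(f"{user} from {ip} exceeded relay limits at {when}")
```

Because the check is keyed on the authenticated user rather than the source IP, it still works when the ISP has forced all customer mail through its own relay with port 25 blocking.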

"That [port 25] blocking is sort of that first step to take accountability of what leaves your network," Cox said. "And once you have that in place, you have the additional responsibility to enforce your policies to make sure spam is not leaving your network."

Clarifies prior reference to port 25 blocking