RealTime IT News

Interop: How Comcast, Verizon Fight Spam

LAS VEGAS -- At a show focused on networking, the topic of spam may seem out of place. But when you consider that a large volume of the overall traffic reaching national carriers is spam, the problem becomes one that affects the network as well.

In a session at the Interop conference here on how to keep track of the bad guys, executives from Verizon Communications (NYSE: VZ) and Comcast (NASDAQ: CMCSA) detailed some of the issues they see in terms of bad traffic and what they are doing about it.

Michael O'Reirdan, distinguished engineer at Comcast, noted that the company gets a billion connections a day to its mail servers -- more than 90 percent of those connections are spam. That's 900 million spam connections per day.

Comcast does not, however, pass on the bulk of those 900 million spam messages to its users, but instead uses a DNS approach to help weed out the bad traffic.

O'Reirdan noted that Comcast uses something called a DNSBL, a DNS blacklist that provides updated information to Comcast about where bad traffic is coming from, so that Comcast can block it.

"Over 70 percent of the bad traffic Comcast receives is discarded using DNSBLs," O'Reirdan told the audience.

The DNSBL approach used by Comcast is also extremely efficient in terms of the processing power it requires. O'Reirdan said that the DNSBLs consume only 5 percent of the CPU cycles on Comcast's mail servers.

"DNS is the tool to run blacklists," O'Reirdan said. "It's fast, economical from a systems point of view and it's easily understood."

According to O'Reirdan, Comcast directs senders who believe they were unfairly blocked to the specific DNSBL that was used to block them. There is then a facility that lets people attempt to self-remediate and get unblocked.

While DNSBLs work well for Comcast today, O'Reirdan noted that a very big challenge is on the horizon with IPv6. The next generation of IP has more addresses than IPv4, and as such there are likely to be a lot of bad IPs for spam.

"We know spammers will get allocations of addresses," O'Reirdan said.
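For readers unfamiliar with the mechanism, here is an added example (not code from the session or from Comcast) of how a mail server turns a connecting IP address into a DNSBL query, following the conventions of RFC 5782, for both IPv4 and IPv6. The zone name `dnsbl.example.org`, the function names and the sample zone data are assumptions made up for illustration; the resolver is passed in so the sketch runs offline.

```python
import ipaddress

# Hypothetical zone name; real DNSBL zones are run by list operators.
ZONE = "dnsbl.example.org"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNS name looked up for a connecting IP (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # IPv4: reverse the four octets, 192.0.2.99 -> 99.2.0.192.<zone>
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6: expand to 32 hex nibbles, reverse, one DNS label per nibble
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def check_connection(ip, resolve, zone=ZONE):
    """Return (listed, query_name, return_codes).

    `resolve` is any callable mapping a name to a list of A-record
    strings, returning an empty list when the name does not exist.
    """
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    # A listing is signalled by an A record inside 127.0.0.0/8.
    # Any other answer (e.g. a parked or wildcarded zone) is ignored
    # so that a broken list cannot cause all mail to be rejected.
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    return (bool(codes), name, codes)

# Constructed sample zone data standing in for a live DNS resolver.
SAMPLE_ZONE = {
    "99.2.0.192.dnsbl.example.org": ["127.0.0.2"],
    dnsbl_query_name("2001:db8::bad"): ["127.0.0.2"],
}

def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.1", "2001:db8::bad", "2001:db8::1"):
        listed, name, codes = check_connection(ip, sample_resolve)
        print("REJECT" if listed else "accept", ip, name, codes)
```

Each IPv6 lookup carries 32 nibble labels and names one address out of a vastly larger space, which is why per-address listing that works for IPv4 becomes harder to maintain and cache under IPv6.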

O'Reirdan shared the stage at Interop with Marcus Sachs, executive director of government affairs and national security policy at Verizon.

Sachs, however, did not provide much detail on what Verizon specifically is doing but rather focused his discussion on his efforts with the Internet Storm Center at SANS (ISC). Sachs is an active member of the ISC, a nonprofit group that provides a weather report for Internet security.

What the ISC does is collect data from volunteers who run sensors on their networks. The sensor technology is called DShield and provides ISC with a view of when unexpected traffic comes into a network.

"We get about a half billion log lines per month," Sachs said, adding that a log line is an "unexpected inbound packet stream" received by a sensor.

All those log lines allow the ISC to correlate and analyze data to see if an Internet security storm is under way. It also provides some insight into just how much bad traffic is on the Internet today and how fast it can hit users.

One of the most interesting data points for Sachs is one that tracks how quickly a new computer logging on to the Internet for the first time will see some form of bad traffic.

"It now only takes four or five minutes from the time you first connect until you get evil," Sachs said. "That's scary -- a year or two ago it used to be in the 20-minute era."