Experts Clarify ISP Spam Threat

UPDATED: Spammers have put a new twist on an old problem for blasting out thousands
of e-mails from zombied computers, and it takes the proxy technique one step further.

Infected computers are now used as middlemen to get at the ISPs’ own e-mail servers, rather than using the zombied computer to directly send spam. But, say experts, there’s no reason to fear just yet.

The one thing the experts do agree on is the need for ISPs — from
national providers like AOL and Verizon to
the local ones — to get their affairs in order.

For years spammers have taken advantage of the infected computers of
Internet users, using PCs around the world as a proxy
e-mail server to send out their bulk e-mail campaigns, which is a technique that
helps protect spammers from detection. Rather than sending spam using their
own ISP’s account — which normally ends up with the suspension of their
account — spammers use someone else’s service.

The spammers’ latest twist cuts down on the effectiveness of real-time black hole lists
like The Spamhaus Project, which maintains a database of IP
addresses that are responsible for sending spam. The lists are in turn used by
ISPs to block spam from their customers.

Mark Sunner, CTO at managed e-mail security vendor MessageLabs, said the
spam technique effectively negates blacklists, which are used at most ISPs,
and gives spam another avenue of approach to its customer’s inboxes.

“People would never blacklist ISPs’ mail servers because the whole concept of
e-mail and the inter-connected-ness of SMTP would start to
break down,” he said. “So they know that no one is ever going to blacklist
ISPs wholesale in that way.”

A recent surge in this type of spamming technique prompted Steve Linford,
Spamhaus Project founder, to warn ISPs earlier this week. According to a
report on the Spamhaus Web site, AOL is reporting that more than 90 percent
of its incoming spam comes from ISP mail relays.

But Linford downplays early news reports on the subject that attribute him
as saying an e-mail infrastructure meltdown is imminent, and that if spam increases at the rate it’s going now, it will account for 95 percent
of all e-mail traffic by 2006.

“It is very, very serious [but] it isn’t going to collapse the Internet
today or anything,” he said. “But it is very serious and causing a very
large surge in spam. Obviously there are ways to attack it with additional
filters and things like that, but it is something that’s going to be quite
difficult to tackle.

“The problem is that if ISPs don’t tackle it, then by mid-2006 we’re going
to have the spam levels at 95 percent of all e-mails, which is going to
cause failures to occur all over the place,” he added.

The recent surge can be attributed to spamware applications that aid
spammers in their activities. One such application is called Send-Safe, which is advertised as a bulk e-mail software program.

Last month, the company started pitching its latest
improvement to the software, Send-Safe version 2.20b, which includes a proxy
feature that allows its users to send from an ISP’s e-mail server.

Ruslan Ibragimov, author of the Send-Safe application and a well-known
figure on Spamhaus’s Register of Known Spam Operations (ROKSO), said the
“Proxy Lock” feature was added to his program after receiving numerous
requests from customers for its inclusion.

At the same time, he maintained
his innocence by saying that the software itself doesn’t do anything illegal,
and that he doesn’t write the Trojans that create
zombie computers in the first place.

“I don’t know about any special proxy/Trojans that re-direct e-mails through
ISP mail servers,” he said. “Send-Safe does not use these proxies.
Send-Safe [tries] to use any regular proxy to mail with this method. And as
I said before, we don’t write Trojans and [are] trying to stay away from it.”

The software puts ISPs squarely in the spotlight to improve its operations.
The Spamhaus report recommends service providers limit the outgoing mail
from its broadband customers, separate its incoming and outgoing SMTP
servers and mandate e-mail authentication for all its customers.

However, the recommendations don’t address the whole problem, said Dave
Crocker, principal author of the Client SMTP Validation (CSV) e-mail
authentication scheme and principal at consulting firm Brandenburg

E-mail servers by definition, he said, are meant to serve e-mails; at what
point do you put a stop to customers sending out e-mail? Putting a
threshold on the number of messages, recipients or types of messages per day
doesn’t answer everything, Crocker said, though it will result in more costs
to the ISP and customers who would have to pay for the additional service.

“I think that what all of this leads to is developing techniques for proving
the quality of the operation of ISPs with their customers,” he said. “The
same issue also applies to enterprise service providers finding techniques
for detecting and dealing with compromised machines.”

Some ISPs have already taken those steps. EarthLink, for example,
instituted “port 25” blocking five years ago. The technique, which Spamhaus strongly recommends for outgoing traffic from machines on a network not configured and maintained specifically as mailservers (and which belongs to a NAT gateway/firewall system), forces all outgoing e-mail through the ISP’s servers. It gives it a better look at the e-mail spam proxies created by its customers’ zombied machines,
according to Tripp Cox, the service provider’s CTO.

With the block in
place, he said, spammers switched to spamming from EarthLink’s own e-mail
relays, which helped officials pinpoint which customer machines were
infected and help remove the virus.

As more ISPs institute blocking, the trend in spam will shift
to the ISPs’ own servers, which makes it easier for officials to detect, he
said. From there, ISPs can put rate limits in place or any other methods to
ensure spam isn’t originating from their networks.

“That [port 25] blocking is sort of that first step to take accountability of what
leaves your network,” Cox said. “And once you have that in place, you have the additional responsibility to enforce your policies to make sure spam is not leaving your network.”

Clarifies prior reference to port 25 blocking

News Around the Web