This week on Security Levity, I want to talk about a recent trend in spamming and spam filtering, which has important implications for people who run email networks -- be they corporate or consumer.
In summary: it's now critical for networks to block outbound spam.
Increasingly, spam filters are blocking large ranges of IP addresses. This can be for one of several reasons:
- The IP address range belongs to an ISP and is assigned to its consumer customers, either dynamically or statically. (Under normal circumstances, computers at these IP addresses have no business making direct SMTP connections on port 25 to arbitrary email servers.)
- The IP range is so-called "pink contract" space: if an ISP knowingly harbors spammers, it will often assign IP addresses to these customers from a different range, separate from the addresses used by its legitimate customers.
- The range has a history of being used by "snowshoe" spammers. These spammers will either buy pink contract space or acquire IP space in some other underhand way. They then send spam from a range of IP addresses, hopping from address to address, so that no single address can be identified as a spam source.
In other words, these IP address ranges will get a very poor sender reputation, thus thwarting spammers' ability to spam -- either from botnets or from dedicated spam servers.
How are spammers reacting to this trend? Naturally, they increasingly want to send from addresses with a good reputation, so they are trying aggressively to break into email systems in order to send from "proper" email servers rather than from botnets of compromised PCs.
One key target is free email: Hotmail, Gmail, and so on. Spammers will either try to create new accounts in bulk, or steal the credentials of existing accounts.
Automatically creating new accounts is theoretically difficult, thanks to the roadblocks thrown up by the service providers. Chief amongst these is CAPTCHA, which essentially says to the account creator, "Are you a spammer? If not, please type in these squiggly letters to prove you're a real person." Sadly, spammers are now able to automatically break many of the simpler forms of CAPTCHA. Where they're unable to break it, offshore workers can solve the puzzles for low or no wages.
Spammers can steal existing accounts using social engineering techniques. This is basically a form of phishing, which tricks end-users into providing their email usernames and passwords. Typically, they send email to users, pretending to be the email administrator, pointing them to a malicious password change web page.
Once a spammer has control of some email accounts on systems with good reputation, they're unlikely to encounter reputation-based blocking. Few anti-spam systems are prepared to block all email from Gmail, for example.
Compromised email networks may suffer a damaged reputation as a result of spammers using them to send spam. So, if you're responsible for an email network at a service provider, corporate entity or other organization, it's more important than ever to be aware of what sort of email is exiting your network. If spam filters see spam coming from your IP address ranges, they'll think you're a spammer.
So it's now extraordinarily important for you to be blocking outbound spam, because otherwise your legitimate email may go unread. How good is your outbound spam protection?
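As an added illustration of what "being aware of what sort of email is exiting your network" can look like in practice (this is example code written for this page, not something from the column or from any vendor), the script below applies two of the checks the post implies to a constructed sample of outbound-connection records: a host outside the approved relay range opening a direct port-25 connection, which matches the "no business making direct SMTP connections" point above, and an authenticated account whose recipient volume in the window jumps far beyond normal, which is the footprint of a stolen-credential account being used to spam. The log format, the relay range 10.1.1.0/28, the threshold of 200 recipients and every address and user name are assumptions made for the example.

```python
"""Flag outbound-mail activity that suggests a compromised host or account.

Example code written for this page; the log format, addresses, user names
and thresholds are constructed, not taken from any real network.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records in a simplified key=value layout loosely modelled
# on what an MTA or egress firewall might log: timestamp, source host,
# destination port, authenticated user ("-" when unauthenticated), recipients.
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=10.1.1.10 dport=25 user=alice rcpt=2
2024-03-01T09:00:05 src=10.1.1.10 dport=25 user=bob rcpt=1
2024-03-01T09:00:09 src=10.1.1.10 dport=25 user=mallory rcpt=180
2024-03-01T09:00:12 src=10.1.1.10 dport=25 user=mallory rcpt=220
2024-03-01T09:00:15 src=10.7.3.44 dport=25 user=- rcpt=50
2024-03-01T09:00:20 src=10.7.3.44 dport=443 user=- rcpt=0
2024-03-01T09:00:30 src=10.1.1.11 dport=25 user=carol rcpt=4
"""

# Assumed: only hosts in this range are mail relays allowed to speak SMTP
# to the outside world. Workstations and consumer-style hosts are not.
AUTHORIZED_RELAYS = [ipaddress.ip_network("10.1.1.0/28")]

# Assumed: recipients a single authenticated account may address within the
# log window before it is worth a look as a possibly stolen account.
USER_RCPT_THRESHOLD = 200


def parse_log(text):
    """Turn the key=value lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        rec = {"time": timestamp}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dport"] = int(rec["dport"])
        rec["rcpt"] = int(rec["rcpt"])
        records.append(rec)
    return records


def is_authorized_relay(addr):
    """True if the source host sits in an approved outbound relay range."""
    return any(addr in net for net in AUTHORIZED_RELAYS)


def find_outbound_spam_signals(records):
    """Return (signal, subject, count) tuples for the two checks described."""
    findings = []
    recipients_per_user = defaultdict(int)
    for rec in records:
        if rec["dport"] != 25:
            continue  # only outbound SMTP is of interest here
        # Check 1: a non-relay host talking SMTP directly to the outside.
        if not is_authorized_relay(rec["src"]):
            findings.append(("direct_smtp_from_unauthorized_host",
                             str(rec["src"]), rec["rcpt"]))
        # Check 2: accumulate recipient counts per authenticated account.
        if rec["user"] != "-":
            recipients_per_user[rec["user"]] += rec["rcpt"]
    for user, total in sorted(recipients_per_user.items()):
        if total > USER_RCPT_THRESHOLD:
            findings.append(("account_volume_anomaly", user, total))
    return findings


if __name__ == "__main__":
    for signal, subject, count in find_outbound_spam_signals(parse_log(SAMPLE_LOG)):
        print(f"{signal}: {subject} ({count} recipients)")
```

On the sample data the script reports the workstation 10.7.3.44 for connecting straight to port 25 and the account "mallory" for addressing 400 recipients in the window, while the low-volume users pass. The port-25 check is the thing to turn into an egress firewall rule (block outbound 25 from everything except the relays); the volume check is a starting point for the per-account rate limits that keep one phished password from costing the whole domain its reputation.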
I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!