Why Bad is Good in Spam (February 2nd, 2005)

While perusing the news, I came across a rather interestingly titled article at CNET: “Zombie trick expected to send spam sky-high”. Like many other spam-related stories, this one had an apocalyptic feel to it:

According to the SpamHaus Project–a U.K.-based antispam compiler of blacklists that block 8 billion messages a day–a new piece of malicious software has been created that takes over a PC. This “zombie” computer is then used to send spam via the mail server of that PC’s Internet service provider. This means the junk mail appears to come from the ISP, making it very hard for an antispam blacklist to block it. Previously, zombie PCs have been used as mail servers themselves, sending spam e-mails directly to recipients.

This will cause serious problems for the e-mail infrastructure, as it is impractical to block mail with domain names from large ISPs. Linford predicts that ISPs will see a growth in the volume of bulk mail they send and receive over the next two months, with spam levels rising from 75 percent of all e-mail to around 95 percent within a year.

“The e-mail infrastructure is beginning to fail,” Linford warned. “You’ll see huge delays in e-mail and servers collapsing. It’s the beginning of the e-mail meltdown.”

Oh no, the email infrastructure “is beginning to fail”, it’s a “meltdown”! Man the decks, close the hatches, the spammers are coming! Seriously, this has been said a thousand times before and email is still standing. Quite the contrary: this development is not the beginning of a spam meltdown but rather the beginning of the end for the spam plague in general. Why do I think so? Let’s sit down, analyze the facts and think for ourselves.

A lot of spam these days is sent via infected broadband machines, known as “zombies” in the trade. The various blacklists, including Mr. Linford’s own SpamHaus, seek to address the zombie problem (among other things) by maintaining lists of IP addresses known to send spam. Of course, contrary to what some blacklist proponents would like us to believe, the use of blacklists is not all fun and games: a list that is too aggressive blocks legitimate mail along with the spam. Now what has happened? Instead of relying on zombies, which are being blocked at increasingly higher rates, the spamware described in the article relays through the ISP’s outbound email server instead. So instead of hundreds of zombies sending spam individually from many IP addresses, they are all sending it through a very small set of addresses, i.e. the ISP’s servers. Instead of hunting down thousands of individual zombie computers, there is a very small range of addresses to deal with. Logically speaking, shrinking the playing field should make spam easier to fight, not harder. But according to Mr. Linford the problem is that:

This means the junk mail appears to come from the ISP, making it very hard for an antispam blacklist to block it.

Aha, so the problem is not that more spam is coming, but rather that blacklists cannot be used against ISP servers without also blocking too much legitimate mail. However, two measures that AOL has been suggesting to ISPs all along are outbound port 25 blocking and rate limiting. The net effect of port 25 blocking is to force all customer mail through the ISP’s own mail server, where the second step, outbound rate limiting and filtering, kicks in. Ironically enough, the spammers themselves are removing the need for port blocking (if this article is accurate) by sending their mail through the ISP’s server all by themselves. The question now is whether ISPs will be willing to start rate limiting and filtering outbound mail. The article agrees with this conclusion:

“It will put more pressure on ISPs to take greater interest in the traffic they carry and filter at source.”
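To make the “rate limiting at source” step concrete, here is a small added example (not code from the original post, AOL or SpamHaus) of the per-customer limit an ISP’s outbound relay would enforce once all customer mail is forced through it. It replays constructed Postfix-style smtpd log lines (the hostnames, addresses and queue IDs are invented for this example) through a sliding-window limiter and reports, per customer IP, how many submissions would have been accepted and how many rejected. A zombie pushing hundreds of messages a minute through the relay trips the limit after a handful of messages, while a normal customer never notices it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: Postfix-style smtpd "client=" lines as an ISP's
# outbound relay would log them. Hosts, addresses and queue IDs are invented.
# cust-a behaves like a zombie (six messages in 25 seconds), cust-b is normal.
SAMPLE_LOG = """\
Feb  2 10:00:01 relay1 postfix/smtpd[1201]: 7A1B2C: client=cust-a.isp.example[10.1.1.10]
Feb  2 10:00:02 relay1 postfix/smtpd[1202]: 7A1B2D: client=cust-b.isp.example[10.1.1.20]
Feb  2 10:00:05 relay1 postfix/smtpd[1201]: 7A1B2E: client=cust-a.isp.example[10.1.1.10]
Feb  2 10:00:10 relay1 postfix/smtpd[1201]: 7A1B2F: client=cust-a.isp.example[10.1.1.10]
Feb  2 10:00:15 relay1 postfix/smtpd[1201]: 7A1B30: client=cust-a.isp.example[10.1.1.10]
Feb  2 10:00:20 relay1 postfix/smtpd[1201]: 7A1B31: client=cust-a.isp.example[10.1.1.10]
Feb  2 10:00:25 relay1 postfix/smtpd[1201]: 7A1B32: client=cust-a.isp.example[10.1.1.10]
Feb  2 10:00:30 relay1 postfix/smtpd[1202]: 7A1B33: client=cust-b.isp.example[10.1.1.20]
Feb  2 10:02:00 relay1 postfix/smtpd[1201]: 7A1B34: client=cust-a.isp.example[10.1.1.10]
"""

# Matches the syslog timestamp and the client IP in the bracketed suffix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_submissions(log_text):
    """Yield (timestamp, client_ip) for each message submission in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log noise is skipped, not treated as an error
        # syslog timestamps carry no year; all samples fall in the same year,
        # so strptime's default year is fine for computing differences
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("ip")


class SlidingWindowLimiter:
    """Allow at most `limit` submissions per client in any `window` seconds."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.history = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ip, ts):
        q = self.history[ip]
        # expire attempts that have fallen out of the window
        while q and (ts - q[0]).total_seconds() >= self.window:
            q.popleft()
        # every attempt counts, so a flooder cannot buy more slots by retrying
        q.append(ts)
        return len(q) <= self.limit


def apply_rate_limit(log_text, limit=5, window_seconds=60):
    """Replay the log through the limiter; return {ip: (accepted, rejected)}."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in parse_submissions(log_text):
        idx = 0 if limiter.allow(ip, ts) else 1
        stats[ip][idx] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


if __name__ == "__main__":
    for ip, (ok, rej) in sorted(apply_rate_limit(SAMPLE_LOG).items()):
        print(f"{ip}: accepted={ok} rejected={rej}")
```

With the default of 5 messages per 60 seconds, cust-a’s sixth message is rejected and its message two minutes later is accepted again, while cust-b is untouched. In production this logic lives in the MTA rather than in a log replay (Postfix, for instance, enforces per-client limits such as smtpd_client_message_rate_limit through its anvil service), but the shape of the decision is the same: because the ISP now sees every customer’s outbound traffic, it can tell a zombie from a person by volume alone.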

Going back to AOL’s Carl Hutzler, the key to fixing the spam problem is as follows:

So what we need is for providers to do BOTH. You have to implement better filters to survive (we sure do), but we all also have to fix our sources of spam that clog other networks. Eventually as providers do BOTH actions, the problem will go away and everyone will be able to remove the BANDAIDS from the spam wound as we won’t need filters and blacklists as much in the future.

Of course it is hard to do that:

Everything that Carl says is, largely self-evidently, true. What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?

Ah, but now the spammers are doing it for us! By forcing email through the ISPs’ servers, they are forcing the ISPs to take responsibility for their own customers. The ISPs can no longer claim that it is too expensive to block port 25 or police zombies, since this junk is flowing directly through their own servers. Of course, the darker side of the coin is that blocking might now take down entire ISPs instead of individual zombies. But hey, if that’s what it takes to get ISPs to take responsibility, it might be worth it.

Comments?
