Antispam group outlines defences to block botnet spam

Guidelines deal with forwarded email and email that is sent from dynamic IP addresses

A major antispam organisation is pushing a set of new best practices for ISPs (internet service providers) to stop increasing volumes of spam from botnets.

The guidelines, from the Messaging Anti-Abuse Working Group (MAAWG), were drawn up at a meeting in Germany last week and deal with forwarded email and email that is sent from dynamic IP (Internet Protocol) addresses.

Many people forward their email from one address to another, a relay that goes through their ISPs mail server. But many ISPs use automated tools that could begin blocking further email to an address if a large volume of email has come through. Legitimate messages would be blocked, too.

"If a spammer targets AOL, a lot of people have AOL addresses redirected somewhere else," said Richard D.G. Cox, CIO for Spamhaus, an antispam organisation that's a member of MAAWG. "So if a whole lot of spam is coming out of AOL, people will block it on automated basis."

ISPs can fix this by separating the servers that receive e-mail and ones that then forward email. That way, ISPs can filter out spam coming into the accounts before forwarding, taking a look at the messages and spotting which ones came from dodgy domains, Cox said.

Also, servers receiving forwarded email can be confident that the server where mail was sent from is trusted and legitimate. As of now, only a few ISPs are taking steps to fix the forwarding problem, Cox said.

"This is something we need a big takeup on," Cox said. "When everyone does it, more of us will benefit as well."

MAAWG's second recommendation deals with the long-standing problem of PCs that have been infected with malicious software that send spam.

The PCs are part of botnets, or networks of computers that have been compromised by hackers. After a PC is infected, it will often start sending spam through port 25 straight onto the internet. That contrasts with legitimate email, which usually goes through the ISP's mail server first before being sent on.

Many ISPs assign a different IP address to a subscriber's PC when they connect to the internet, known as a dynamic IP address. Those infected machines on dynamic IP addresses aren't always automatically blocked by ISPs. Other receiving email servers can block the particular IP address, but many malware programs are designed to reboot a PC in order to get assigned a fresh dynamic IP address from which to continue sending spam, Cox said.

MAAWG's primary suggestion for ISPs is to block all machines on dynamic IP addresses that are sending email on port 25 outside their own network unless there are special, legitimate circumstances. The idea has been "very central" to antispam fighters, Cox said.

But MAAWG said that idea may not be possible for some ISPs, and its guidelines offer another alternative: ISPs should share information about their dynamic address space. That would let other ISPs refine their spam filters.

Spamhaus publishes its own DNS Blacklist, with information on ISPs' dynamic address ranges. "Listing your addresses in a dynamic IP list makes those ranges less attractive to spammers because they know they can't deliver to many networks which use those lists," according to Spamhaus' website.

Those on dynamic IPs are allowed to send email using port 587, which is dedicated to sending email via servers that require authentication first. That's the way most employees, for example, remotely connect to their company's mail servers, Cox said.

Major ISPs such as Comcast in the US do block unauthorised email on port 25 from going straight to the internet, but about half of other ISPs — many located outside Western countries — do not, Cox said.

"That's the area where we are pointing the finger at," Cox said.

Given the international scope of the spam game, spammers use the infected computers "to send their unwanted traffic to mail servers around the world," MAAWG said.

Join the newsletter!

Error: Please check your email address.

Tags spambotnetSecurity ID

Show Comments

Market Place

[]