The battle against spam (an internal perspective)
A quick history of spam… the 70s
In the early days of the internet, email was a safe and trusted messaging system. Sending an email to someone you did not know or have business with was almost unheard of. The email protocols were designed in that trusting environment, and they contained almost nothing in the way of security or any means of verifying who a sender really was.
The first unsolicited email was sent by Gary Thuerk, a marketer at DEC, on 1 May 1978. He sent an advertisement for a DEC product presentation to around 600 users on ARPANET. The reaction was extremely negative, and for a long time afterwards nobody else tried sending unsolicited email.
Spam since then…
Moving forward, unsolicited or “junk” email came to be called “spam”. The term was first used on USENET in 1993 for junk postings to newsgroups and bulletin boards, and was later applied to email. In the 1990s, DNS-based blocklists (DNSBLs, commonly called RBLs) were developed to combat the rising volume of spam; MAPS and ORBS were among the earliest.
Spam became a serious problem from the year 2000 onwards. Everyone had recovered from fears of the “Millennium Bug” and the internet was growing as never before. SpamAssassin was one of the first spam filtering systems and was released in April 2001.
Current trends and issues
Spam prevention has become a big business in its own right, but stopping spam without also stopping valid email (false positives) remains the core problem. More sophisticated heuristic engines such as BitDefender Anti-Spam have steadily improved detection accuracy. One of the main issues facing ISPs and MSPs today is the increase in “internal” spam.
When hosting clients have their email or hosting accounts compromised through missing updates, weak passwords or weak programming practices, those accounts are used as spam gateways. Spammers get to send thousands of emails at someone else’s expense, and as a bonus the extra hop makes the original spammer hard to trace. Typical targets are email accounts, cPanel accounts and WordPress installations, because these are often set up by people with little experience and little idea of what a proper password looks like. We often hear people object to stricter and stronger passwords on the grounds that they have nothing worth “hacking”. Wrong! Your account is of great value to a spammer, even if he or she only makes 5 cents from it.
From the Hosting provider’s side, it presents a huge challenge. The negative effects of spam originating from your own network are:
- Blacklisting: one or more of your IP addresses are added to a DNS-based blocklist (commonly called an RBL), and other providers refuse mail from those addresses.
- Weakened IP reputation: your IP addresses are marked with a poor reputation and, once again, mail from them stands a good chance of being rejected.
- Upset customers: as a result of the above, clients can no longer freely send email to friends or customers hosted at other providers. That drives customers away and costs revenue.
The Problems in dealing with internal spam
It is very hard (for software) to tell the difference between a newsletter sent by a customer to a few hundred clients and junk mail pumped out of a compromised customer account, so every countermeasure is a compromise. One reasonably effective measure is monitoring sending rates. A normal customer is unlikely to send 60 or more emails per minute, so providers use rate as one of many checks and may also cap sending at a sane rate. A commonly configured limit on shared hosting is around 5 emails per minute. Smarter software allows for bursts, so that a client can still send a small batch of high-volume mail at, say, the end of the month without tripping the limit.
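The “sustained rate plus a burst allowance” policy described above maps naturally onto a token bucket kept per authenticated sender. The following is an added example written for this article, not the provider's own software; the limits (5 messages per minute sustained, a burst of 100) and the two traffic patterns are constructed assumptions.

```python
"""Per-account outbound rate limiting with a burst allowance (token bucket).

Added example, not the provider's own software. The limits (5 msg/min
sustained, burst of 100) and the two traffic patterns below are constructed.
"""
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    """Bucket refilled at rate_per_min tokens per minute, capped at `burst`."""

    def __init__(self, rate_per_min: int, burst: int):
        self.refill_per_sec = Fraction(rate_per_min, 60)  # exact, no float drift
        self.burst = burst
        self.tokens = Fraction(burst)  # a fresh account may burst immediately
        self.last_ts = 0

    def allow(self, now: int) -> bool:
        """Try to consume one token for a message at time `now` (seconds).

        Returns False when the account is over its limit; the caller should
        defer (queue and retry) rather than bounce, so a legitimate heavy
        sender still gets its mail out eventually.
        """
        elapsed = max(0, now - self.last_ts)
        self.last_ts = now
        self.tokens = min(Fraction(self.burst), self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class OutboundRateLimiter:
    """One bucket per authenticated sender (e.g. the SMTP AUTH username)."""

    def __init__(self, rate_per_min: int = 5, burst: int = 100):
        self.rate_per_min = rate_per_min
        self.burst = burst
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, account: str, now: int) -> bool:
        bucket = self.buckets.get(account)
        if bucket is None:
            bucket = self.buckets[account] = TokenBucket(self.rate_per_min, self.burst)
        return bucket.allow(now)


def simulate(events, rate_per_min: int = 5, burst: int = 100):
    """Feed (account, timestamp) events through the limiter.

    Returns {account: (accepted, deferred)} so the effect of the policy on
    each sender can be inspected.
    """
    limiter = OutboundRateLimiter(rate_per_min, burst)
    stats = defaultdict(lambda: [0, 0])
    for account, ts in sorted(events, key=lambda e: e[1]):
        if limiter.check(account, ts):
            stats[account][0] += 1
        else:
            stats[account][1] += 1
    return {acct: tuple(v) for acct, v in stats.items()}


# Constructed traffic: a legitimate month-end newsletter (80 messages in 20 s)
# and a compromised account blasting one message per second for ten minutes.
NEWSLETTER = [("newsletter@example.com", i // 4) for i in range(80)]
COMPROMISED = [("hacked@example.com", i) for i in range(600)]

if __name__ == "__main__":
    for acct, (ok, deferred) in simulate(NEWSLETTER + COMPROMISED).items():
        print(f"{acct}: accepted={ok} deferred={deferred}")
```

Run stand-alone, the newsletter goes through in full because 80 messages fit inside the burst allowance, while the compromised account gets its first 109 messages accepted and is then throttled to one every 12 seconds, so only 149 of its 600 messages are accepted and 451 are deferred. The deferred count is itself a useful signal: an account that keeps hitting the limit for minutes on end is a candidate for an automatic freeze and a password reset.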
Outbound spam checks
Checking outbound mail for trigger content is also becoming the norm. The following are some examples of trigger content (content which will trigger the anti-spam software to mark the email as junk):
- Heavy use of CAPITALS
- Frequent mentions of financial rewards, investments or prizes
- Too much emphasis on bargains, prices or availability
- Any mention of drugs, especially erectile dysfunction (ED) drugs such as Viagra
- Improperly constructed emails with missing or non-standard headers
- Mail containing IP addresses belonging to known spam sources
- Mail containing URLs, especially ones with unusual characters
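A minimal scorer in the spirit of the trigger list above, added here as an example (it is not the provider's filter or any vendor's product). Rule names, weights, the threshold, the tiny blocklist standing in for a DNSBL/URIBL lookup, and both sample messages are constructed; a production gateway would tune the weights against real traffic and query live reputation data instead of a hard-coded set.

```python
"""Outbound content heuristics of the kind listed above.

Added example, not the provider's or any vendor's filter. Rule weights, the
threshold, KNOWN_BAD_HOSTS and both messages are constructed assumptions.
"""
import re
from email import message_from_string

URL_RE = re.compile(r"https?://([^\s/?#]+)[^\s]*", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
MONEY_RE = re.compile(
    r"\b(?:prize|winner|lottery|investment|guaranteed returns)\b|\$\d[\d,]*",
    re.IGNORECASE,
)
BARGAIN_RE = re.compile(r"\b(?:cheap|discount|free|limited time|order now|in stock)\b", re.IGNORECASE)
DRUG_RE = re.compile(r"\bv[i1]agra\b|\bcialis\b", re.IGNORECASE)
REQUIRED_HEADERS = ("From", "To", "Date", "Message-ID")
KNOWN_BAD_HOSTS = {"198.51.100.23"}  # constructed stand-in for a DNSBL/URIBL
THRESHOLD = 5.0


def message_text(msg) -> str:
    """Subject plus every decoded text/plain part of the message."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def caps_ratio(text: str) -> float:
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


def score_message(raw: str) -> tuple[float, list[str]]:
    """Return (score, triggered rule names) for one RFC 5322 message."""
    msg = message_from_string(raw)
    text = message_text(msg)
    hits: list[tuple[str, float]] = []

    if len(text) >= 40 and caps_ratio(text) > 0.5:
        hits.append(("high_caps", 2.0))
    if n := len(MONEY_RE.findall(text)):
        hits.append(("financial_rewards", min(n, 3) * 1.0))
    if n := len(BARGAIN_RE.findall(text)):
        hits.append(("bargain_emphasis", min(n, 2) * 1.0))
    if DRUG_RE.search(text):
        hits.append(("ed_drugs", 3.0))
    missing = [h for h in REQUIRED_HEADERS if msg[h] is None]
    if missing:
        hits.append(("missing_headers:" + ",".join(missing), 1.5 * len(missing)))
    for m in URL_RE.finditer(text):
        url, host = m.group(0), m.group(1).lower()
        if host in KNOWN_BAD_HOSTS:
            hits.append(("known_bad_host", 3.0))
        elif IP_HOST_RE.match(host):
            hits.append(("ip_literal_url", 2.5))
        # userinfo '@', percent-encoding and non-ASCII are classic obfuscation tricks
        if "@" in url or "%" in url or any(ord(c) > 127 for c in url):
            hits.append(("odd_url_chars", 2.0))

    return sum(w for _, w in hits), [name for name, _ in hits]


def is_outbound_spam(raw: str) -> bool:
    return score_message(raw)[0] >= THRESHOLD


# Constructed sample: a customer's ordinary newsletter.
LEGIT = """From: Jane <jane@example.com>
To: customers@example.com
Date: Tue, 01 Oct 2013 09:00:00 +0000
Message-ID: <newsletter-2013-10@example.com>
Subject: October newsletter

Hello everyone,

Our October newsletter is out. Read it at https://www.example.com/news/october
Thanks, Jane
"""

# Constructed sample: what the same account sends once a spammer has the password.
SPAM = """From: jane@example.com
To: victim@example.net
Subject: YOU ARE A WINNER

CONGRATULATIONS!!! YOU HAVE WON A $1,000,000 PRIZE IN OUR LOTTERY.
CHEAP VIAGRA AND GUARANTEED RETURNS ON YOUR INVESTMENT.
CLAIM NOW AT http://198.51.100.23/claim?id=%41%42@secure-login
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spam", SPAM)):
        score, rules = score_message(raw)
        print(f"{label}: score={score} spam={is_outbound_spam(raw)} rules={rules}")
```

The newsletter scores zero and the compromised-account message trips every rule at once, which is the easy case. The hard case from the previous section remains: a shouty but genuine sales mailing from a small business can pick up several points on the CAPITALS and bargain rules alone, so content scores are best combined with the sending-rate and account history rather than used to block on their own.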
Once again, the main challenge is to detect spam as early as possible. Many engineers are now working on coordinated systems in which the mail gateway talks back to the originating server to verify accounts, and to freeze accounts suspected of sending unsolicited bulk mail. All in all, it is a challenging problem that can take a long time to sort out effectively.