Avoid the blacklist – fight against outgoing spam
Rebecca Steinberg Herson
Vice President, Marketing
Rebecca Steinberg Herson is the Vice President of Marketing at Commtouch; she is responsible for the company’s global marketing strategy and activities. Prior to joining Commtouch, Ms. Herson served as Vice President of Marketing at Redmatch, a software start-up. Previously, she led marketing initiatives at Whale Communications (acquired in 2006 by Microsoft), Orckit Communications, and at various not-for-profit organizations. As the head of marketing for six years at Whale, an Internet security company, she was responsible for launching numerous hardware/software products. Rebecca Steinberg Herson holds a BA magna cum laude from Yale University and an MS in Management from Boston University.
Everyone is familiar with incoming spam, but outbound spam is a serious threat to carriers and service providers alike. Outbound spam is typically generated via zombie computers, compromised user accounts and spammers that knowingly abuse their accounts, and is difficult to detect and stop. Conventional anti-spam measures do not work well for outbound traffic; this significantly increases costs, damages corporate reputations and increases the amount of network traffic. Today, remedial efforts are often poor and result in disgruntled customers.
Carriers and other service providers throughout EMEA and the world constantly fight against inbound spam, phishing and email-borne malware, and are generally well equipped to cope with this; however, they must also ensure that they are not themselves a source of malicious email. The business benefits of eliminating outbound spam include protecting service providers’ reputation, operational efficiencies, cost reductions, improved customer service, and increased customer loyalty.

Outbound spam is spam generated from within the carriers’ own networks, for delivery to the wider Internet. It consists of malware, phishing attacks, and ‘general’ spam, such as pharmaceutical sales and bogus college degrees. Outbound spam is typically generated via:

1) Zombie computers – malware-compromised computers that unknowingly send 85 per cent of all spam using port 25 (or 465).
2) Compromised user accounts – legitimate user accounts whose credentials have been stolen by spammers.
3) Spammer accounts – users who knowingly abuse their own accounts.

Going public on outbound spam

We recently commissioned Osterman Research to perform a study about outbound spam that surveyed 100 individuals at web-hosting companies, Internet access service providers, free email service providers and other email providers, and 266 end-users, about their email and Internet use. Two-thirds of email service providers and 80 per cent of end-users rated outbound spam as an important or extremely important issue. Further, 87 per cent believe it is important or extremely important for email providers to actively eliminate zombies from their networks.
Key survey takeaways:

• outbound spam is serious and expensive;
• conventional anti-spam technologies are not effective, resulting in very high levels of false positives, disgruntled customers, and ultimately, lost business; and
• preventing outbound spam can help service providers retain customers – 56 per cent of end-users whose outbound email was blocked because of their provider’s outbound spam problems would probably or definitely switch to a provider who would not block innocent users.

The survey says: ‘outbound spam costs credibility…and money’. Outbound spam has a significant effect on administration costs, customer service and retention:

• Significantly higher costs of providing service – outbound spam drives up the cost of customer service: technical support calls addressing false positives (emails sent by legitimate customers but blocked by the service provider on their way out of the network), switching customers to new IP addresses, and anti-abuse staff time spent identifying and resolving outbound spam issues, including negotiating with blocklists. Sixty-eight per cent of service providers reported spending up to $100,000 in direct and indirect costs, such as help desk calls and unblocking IP addresses; 15 per cent spend in excess of $250,000 annually.
• Corporate reputation damage – a reputation for hosting zombies, or for blocking legitimate outbound email, damages the business. Forty-nine per cent of service providers report that outbound spam is damaging their corporate reputation.
• Remedial efforts are poor, resulting in disgruntled customers – blunt remedial measures, such as blocking port 25, irritate customers and drive them to providers using more sophisticated and granular approaches. One-third of respondents viewed outbound spam as a hindrance to their ability to win new customers.
The survey asked end-users what they would do if their email provider blocked an entire IP address range in an attempt to block outbound spam: 12 per cent responded that, if possible, they would switch to a new provider who blocked only zombies, not innocent users; another 43 per cent indicated they would probably switch to a new provider.

• Increases the amount of network traffic – outbound spam increases the overall network traffic service providers must support, forcing providers to add unnecessary capacity and increasing their overhead.

Further consequences of ignoring outbound spam

Ignoring or ineffectively preventing outbound spam creates a range of operational problems.

• Blocked IP ranges – spam is easily traced to the sending IP range, resulting in its addition to Real-time Blackhole Lists (RBLs, or IP blocklists). Other service providers use these blocklists to enforce message blocking, so users within the blocked range are unable to send legitimate emails to those domains. This is a significant problem for paying customers and leads to increased carrier costs:
  • removing IP ranges from blocklists requires time and personnel;
  • the helpdesk is burdened with calls about denials; and
  • continued frustration contributes to higher customer churn.
• Potential legal liability – recipients of spam, scam or phishing emails may hold the service provider responsible and pursue legal action. Additionally, service providers may be exposed to legal action as a result of blocking emails from paying users (false positives).
• Non-compliance with legislation – governments and service provider bodies are proposing legislation or codes of conduct requiring proactive measures against zombies and other spam sources. Currently, few service providers would be able to comply.

Current piecemeal approaches to outbound spam

The diagram Outbound Email Sources illustrates the sources of outbound email and the current partial solutions.
• Blocking port 25 – stops zombie-generated spam, but it also disrupts legitimate usage, including companies that run their own mail gateways, and does nothing against spam sent from compromised accounts or via other delivery techniques. Allowing port 25 usage case by case and maintaining white-lists creates unnecessary management overhead.
• ‘Reversed’ inbound anti-spam filters – less effective against outbound spam, because the spam hides within the legitimate email generated by the carrier’s own user base. Inbound spam filters used in this way create the following problems:
  • Ineffective locally – local or regional spam may not be produced in large enough numbers to be noticed by global collection systems, including those using community, reputation or open-source rule-based systems, yet it is still enough to damage the service provider’s reputation;
  • Slow response – community reputation or rule-based anti-spam products leave a window of 15-60 minutes before an attack is identified, during which a spammer can send thousands of emails and severely damage the service provider’s reputation;
  • A ‘test-bed’ for spammers – spammers can send test messages to check whether they bypass the outbound filter, then perfect their message and send it out en masse;
  • No spamming-source identification – inbound filters deal only with symptoms instead of the root cause, resulting in continual outbreaks;
  • Costly false positives – a single user sending a single email about a health or shopping matter may be blocked by a rule engine looking for keywords. In that case the service provider is blocking its own customers, who are paying for the service.
• Throttling (setting limits on emails per time period) – spammers can send below these limits to stay off the radar while still sending enough to create blocklist problems. Throttling does not consider content, and it requires threshold management per user type; for example, customers who send newsletters need higher sending limits.
• IP analysis – this approach targets senders from outside the service provider’s geographic region, such as North America, or from known spam-sending areas, but it does not detect spam originating inside the service provider’s own network.

Solving the outbound spam problem

Many types and sources of outbound spam exceed the capabilities of traditional detection methods; using traditional methods also increases false positives and results in greater customer dissatisfaction. A single, complete solution must handle all of the following issues:

• Detect ‘local’ and ‘global’ spam – the most effective engine will stop spam from all internal sources, whether zombie-generated or sent from accounts within the service provider’s network;
• Language agnostic – spammers will not limit themselves to the languages of EMEA; a Chinese or Russian spammer may compromise a European server, so the outbound spam detection system must be able to detect spam in any language;
• Block all sources – zombies, compromised accounts and spammer accounts should all be detected, since any of these could be responsible;
• Real-time detection – spam and spammers must be detected within seconds of an outbreak to avoid damage to the service provider’s reputation and the risk of being placed on a blocklist;
• Spammer identification – actively identify the spamming source, enabling the service provider to take protective measures and defend its users from being abused. Providers can then use this information to sell value-added services, such as PC cleaning;
• Reduced false positives – carriers should not block legitimate paying users. A complete solution tracks the spammers, classifies senders as spammers only when they send more than a specified number of spam emails, and so eliminates most false positives;
• Prevent reverse engineering – algorithms must include pattern tracking as well as volume tracking, rendering spammer ‘test-mailings’ ineffective; and
• Carrier control – administrative tools should let providers fine-tune the technology to their specific environments and service level agreements, such as thresholds defining how many emails constitute spam, as well as exception lists specifying senders with unique privileges.

Carriers must now fight outbound spam as vigilantly as they already fight inbound spam. It is critical to protecting their networks and customer relationships.
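The threshold, pattern-tracking and exception-list behaviour described in the list above, together with the weakness of throttling from the previous section, as an added worked example. This is not Commtouch’s code or any product described on this page; it replays a constructed outbound mail log through a per-sender tracker that combines hourly throttling with a repeated-content fingerprint. Everything in it is a hypothetical stand-in: the (sender, unix_time, body) record layout, the thresholds, the exception list, and the normalized-body hash that takes the place of a real spam classifier.

```python
"""Per-sender outbound tracking: volume throttling plus content-pattern matching.

Added illustration, not Commtouch's engine. Hypothetical assumptions: one record
per outbound message as (sender, unix_time, body); a normalized-body hash stands
in for a real spam classifier; thresholds and the exception list are made up.
"""
import hashlib
import re
from collections import defaultdict, deque

RANK = {"ok": 0, "throttled": 1, "spammer": 2}   # worst verdict wins per sender

# Exception list (hypothetical): sender -> (messages per hour, repeats of one pattern)
EXCEPTIONS = {"newsletter@example.org": (500, 1000)}


def fingerprint(body: str) -> str:
    """Hash the body after stripping URLs, numbers and punctuation, so rotating a
    tracking number or landing-page host does not produce a 'new' message."""
    norm = body.lower()
    norm = re.sub(r"https?://\S+", " url ", norm)
    norm = re.sub(r"\d+", " n ", norm)
    norm = re.sub(r"[^a-z]+", " ", norm).strip()
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


class OutboundTracker:
    WINDOW = 3600  # seconds; throttling is measured per hour

    def __init__(self, rate_limit=20, pattern_threshold=5, exceptions=None):
        self.rate_limit = rate_limit
        self.pattern_threshold = pattern_threshold    # None disables pattern tracking
        self.exceptions = exceptions or {}
        self.recent = defaultdict(deque)                       # sender -> timestamps
        self.patterns = defaultdict(lambda: defaultdict(int))  # sender -> fp -> count
        self.verdicts = {}

    def limits(self, sender):
        """Carrier control: privileged senders get their own thresholds."""
        return self.exceptions.get(sender, (self.rate_limit, self.pattern_threshold))

    def observe(self, sender, ts, body):
        """Record one outbound message; return 'ok', 'throttled' or 'spammer'."""
        rate_limit, pattern_threshold = self.limits(sender)
        window = self.recent[sender]
        window.append(ts)
        while ts - window[0] >= self.WINDOW:      # drop timestamps older than an hour
            window.popleft()
        fp = fingerprint(body)
        counts = self.patterns[sender]
        counts[fp] += 1
        verdict = "ok"
        if pattern_threshold is not None and counts[fp] >= pattern_threshold:
            verdict = "spammer"      # same template repeated: identify the source
        elif len(window) > rate_limit:
            verdict = "throttled"    # volume only, no judgement about content
        self.verdicts[sender] = max(self.verdicts.get(sender, "ok"), verdict,
                                    key=RANK.__getitem__)
        return verdict


WORDS = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima "
         "mike november oscar papa quebec romeo sierra tango uniform victor whiskey "
         "xray yankee").split()

# Constructed sample traffic (not real log data); timestamps are seconds from zero.
SAMPLE = []
for i in range(3):    # alice: a few distinct messages
    SAMPLE.append(("alice@example.net", i * 600, f"Notes on {WORDS[i]} for tomorrow"))
for i in range(12):   # zombie: 12 per hour, under the rate limit, one rotating template
    SAMPLE.append(("zombie@example.net", i * 300,
                   f"Order #{1000 + i} cheap meds now http://shop{i}.example/offer"))
for i in range(25):   # bulk: 25 distinct messages in one hour, above the rate limit
    SAMPLE.append(("bulk@example.net", i * 120, f"Report on {WORDS[i]} attached"))
for i in range(30):   # newsletter: identical mailing, privileged via EXCEPTIONS
    SAMPLE.append(("newsletter@example.org", i * 60, "Weekly digest http://news.example/1"))


def classify(records, tracker=None):
    """Replay records in time order; return the worst verdict per sender."""
    tracker = tracker or OutboundTracker(exceptions=EXCEPTIONS)
    for sender, ts, body in sorted(records, key=lambda r: r[1]):
        tracker.observe(sender, ts, body)
    return dict(tracker.verdicts)


if __name__ == "__main__":
    print(classify(SAMPLE))                                   # pattern + volume
    print(classify(SAMPLE, OutboundTracker(pattern_threshold=None,
                                           exceptions=EXCEPTIONS)))  # throttling only
```

The second call in the `__main__` block runs the same traffic with pattern tracking disabled and reproduces the throttling-only failure mode: the zombie sender stays under 20 messages an hour and is never flagged, whereas with pattern plus volume tracking it is identified at its fifth repeat of the template, and the newsletter sender on the exception list is left alone in both runs.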