Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Preventing Outbound Spam and Blacklisting

Blocked IP ranges resulting in customer loss, operational cost increases, brand damage and even potential lawsuits are potential negative consequences service providers face as a result of spam, phishing and malware emails emanating from their networks.

But where does outbound spam come from? Outbound spam emails coming from service provider networks typically originate from several sources:

Source Method
Zombie computers User computers are compromised with malware and added to spam-sending botnets. They send spam directly to the Internet using port 25 (or 465). Zombies are responsible for sending around 85% of all unwanted email messages. Zombie activity is not constant, which complicates their detection.
Compromised user account Legitimate user accounts that have been compromised send spam via the service provider’s MTA.
Spammer accounts Users knowingly abuse their accounts to send spam and phishing emails.
Webmail accounts Spammers create accounts at free webmail services and use these to send spam. Multiple accounts may be created after defeating CAPTCHA mechanisms.
Service Provider MTA Spammers exploit vulnerabilities in the service provider MTA (Message Transfer Agent/Mail server) to send spam.
Customer MTAs Spam is sent from within the service provider’s IP ranges by MTAs operated by customers of the service provider (such as enterprises or secondary service providers).

Problems caused by outbound spam

Service providers may face a number of issues impacting their infrastructure, cost of business operations, and users’ level of satisfaction as a result of outbound spam. For example, nearly 40% of service providers report that their IPs have been blocked or blacklisted at some point during just the past 12 months. The main problems caused by outbound spam are:

  • Blocked IP ranges: Spam is easily traced to the sending IP range resulting in the addition of this range to Realtime Blackhole Lists (RBLs or IP blocklists). Other service providers use these blocklists to enforce message blocking rules. Users within the blocked network are then unable to send legitimate emails to these domains. This inability to send emails is a significant problem for paying customers that in turn leads to increased costs for the service provider.
  • Potential legal liability: recipients of spam, scam or phishing emails may hold the service provider responsible and pursue legal actions. Additionally, service providers may be exposed to legal action as a result of mistakenly blocking valid emails from paying users (false positives).
  • Non-compliance with legislation: Governments and service provider bodies are proposing legislation or codes of conduct requiring service providers to proactively deal with zombie computers and other spam sources within their networks. A majority of service providers would not be able to comply with such legislation using their current solutions.

Essential capabilities of an outbound spam solution

As the scale and scope of the outbound spam problem increases, many service providers have taken steps in an attempt to prevent these emails. Some of these methods only deal with certain aspects of the issue but do not address the entire problem or minimize any potential negative impact on users.

The current approaches to outbound spam cannot deal with the range of potential sources and also cannot detect certain types of outbound spam. In addition, detection – if provided – is too slow to prevent the majority of an outbreak. Finally, the increased false positives generated by these options will likely cause customer dissatisfaction. A complete solution must therefore incorporate all of the following capabilities:

  • Detecting both “local” and “global” spam: A complete solution must detect outbound spam that may be part of a coordinated global attack or may be sent by a local spammer i.e., from within the service provider’s network.
  • Block all sources: zombies, compromised accounts, and spammer accounts should all be detected by the single solution, since any of these could be responsible for the outbound spam.
  • Real-time detection: spam and spammers must be detected within seconds of an outbreak. A delay of several minutes increases the chance that a service provider’s IP reputation will be affected.
  • Spammer identification: Blocking the spam emails only handles the symptoms but not the root of the problem. A complete solution must actively identify the spamming source in addition to blocking the spam. This approach is different from that of inbound anti-spam mechanisms that focus on unwanted email blocking and not source identification. Once identified, the service provider must be notified and provided with the identification of the spammer as well as email samples to allow verification of the type of spam email being sent. This information enables the service provider to take protective measures, up-sell value-added services, defend its users from being abused, etc. A complete solution should deal equally well with identifying zombie computers, compromised accounts, spammer accounts and webmail spammers.
  • Reduced False Positives: The issue of false positives is critical since this means that the service provider would be blocking paying users. A single suspect email, or even a few of them, does not necessarily indicate that the sender is a spammer. Single emails pose little threat to the service provider’s reputation. An ideal solution should track the spammers, only classifying spam and spammers once users send more than a specified number of spam emails. A user-centric solution such as this would eliminate most false positives.
  • Prevent reverse engineering: The algorithms used should include pattern as well as volume tracking of email considered spam – making spammer “test-mailings” ineffective.
  • Service Provider control: A service provider must be given the control to match their solution to their specific environment and SLAs. These include thresholds defining the amount of emails that constitute spam as well as exception lists specifying senders with unique privileges.

Commtouch’s Outbound Spam Protection

Commtouch provides a solution enabling service providers to identify and block outbound spam caused by compromised user accounts, malicious users, and zombie computers. Commtouch’s Outbound Spam Protection (OSP) solution relies on patented Recurrent Pattern Detection™ (RPD™) technology, which analyzes billions of messages per day to identify outbreaks the moment they occur. The OSP solution includes local RPD technology to block locally-generated spam unique to each service provider in real-time, as well as to provide the identity of the spammer to the service providers’ abuse teams.

Outbound email is scanned by OSP for globally recurring spam patterns, and locally recurring spam patterns. This spam pattern information is correlated with a sender’s traffic statistics, such as messages per period of time and spam/ham ratio. Once a sender reaches a certain threshold set by the service provider, the Commtouch solution can block the spam and alert the service provider with the sender address. Samples of the blocked emails can also be provided for analysis.

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...