We often think of fixing malicious activity in terms of systemic solutions, but spammers have moved on to private systems from which to conduct their abuse, and this makes it harder to stop.
I saw a disturbing number the other day: According to the latest MessageLabs Intelligence Report
by September of this year 25 percent of all spam originated from hosted
Webmail accounts, meaning Yahoo, Hotmail, Gmail and the like. This may
be a huge problem.
I've been a big fan over the years of SMTP authentication and
associated reputation-based systems. The idea behind them is to
identify with certainty the domain of the e-mail sender, something
which the SMTP protocol does not do. Reputation systems then say
whether this domain is one known to be trustworthy, untrustworthy or
some unknown status. Then it's a matter of you setting policy to deal
with this reputation data.
These ideas have been controversial, mostly out of obtuseness about
reputation systems or a distrust of them. Personally, I think they
would do a much better job than doing nothing, so I was for them. But
that may all be moot.
I've been hearing for years now how large numbers of users are
moving their e-mail onto Webmail systems, and the reasons are not hard
to understand. You can use your mail from any computer with a Web
browser, there's no local e-mail client to learn, your e-mail is not
stuck on one local store, and Web 2.0 interfaces make the clients
almost as rich as a real e-mail program.
But SMTP authentication is a systemic solution to the problem of
SMTP e-mail abuse, and Webmail spam gets around it by bypassing the
system. Recipients can no longer gauge reputation because they can't
distrust huge mail senders such as Google and Microsoft. In fact, some
recipients probably green-light some of this e-mail specifically
because it's from well-known domains with SPF records or DomainKeys
SMTP authentication was always about identifying the domain of the sender
not the specific user. The presumption in the system was that
legitimate domains are responsible for policing their users. The
MessageLabs data, if it's accurate, proves what we've been supposing
for a year or so now: the major Webmail services can't stop malicious
actors from registering accounts automatically and using them to spam
The MessageLabs report goes into detail on how attackers get these
accounts by breaking the CAPTCHA tests. All of them can be broken with
enough work, and a market exists for phony Webmail accounts. I think we
can all agree now that it's overreaching to call these "Turing tests."
The same basic techniques are used in spam on social networking sites
such as Facebook, and they can be used as well to spread malware, as in the Koobface worm
I said this may
be a huge problem, because there are reasons to think it could be dealt with. Not that I have a solution to the porousness of CAPTCHAs
but if a more effective test were found the vendors could implement it
without having to deal with standards bodies and other such
time-consuming barriers. You could see the abuse stopping pretty
quickly based on some technical advance. By the same logic, as a higher
percentage of users have their mail on a smaller number of Webmail
providers, the prospect of systemic changes to SMTP e-mail becomes more
It's also true that Webmail systems are in a better position to
monitor patterns in e-mail use and abuse. Once they detect an abusing
account they can also see whether it was signed up as part of a massive
scripted signup of accounts, and delete all of them. Perhaps they're
just not good enough yet at detecting abusive addresses. The pattern of
use of a spambot account and a legitimate account must be quite
different. If 25 percent of spam is from Webmail then clearly they're
not as good as they need to be at detecting these accounts.
Who would have thought a few years ago that the weakness of CAPTCHAs
would cause a major shift in the generation of spam? There may be
reason to hope that the problem won't last forever, but there's little
that we know we can do right now to stop it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.