Spammers Sidestep SMTP

 
 
By Larry Seltzer  |  Posted 2008-12-08 Print this article Print
 
 
 
 
 
 
 

We often think of fixing malicious activity in terms of systemic solutions, but spammers have moved on to private systems from which to conduct their abuse, and this makes it harder to stop.

I saw a disturbing number the other day: According to the latest MessageLabs Intelligence Report, by September of this year 25 percent of all spam originated from hosted Webmail accounts, meaning Yahoo, Hotmail, Gmail and the like. This may be a huge problem.

I've been a big fan over the years of SMTP authentication and associated reputation-based systems. The idea behind them is to identify with certainty the domain of the e-mail sender, something which the SMTP protocol does not do. Reputation systems then say whether this domain is one known to be trustworthy, untrustworthy or some unknown status. Then it's a matter of you setting policy to deal with this reputation data.

These ideas have been controversial, mostly out of obtuseness about reputation systems or a distrust of them. Personally, I think they would do a much better job than doing nothing, so I was for them. But that may all be moot.

I've been hearing for years now how large numbers of users are moving their e-mail onto Webmail systems, and the reasons are not hard to understand. You can use your mail from any computer with a Web browser, there's no local e-mail client to learn, your e-mail is not stuck on one local store, and Web 2.0 interfaces make the clients almost as rich as a real e-mail program.

But SMTP authentication is a systemic solution to the problem of SMTP e-mail abuse, and Webmail spam gets around it by bypassing the system. Recipients can no longer gauge reputation because they can't distrust huge mail senders such as Google and Microsoft. In fact, some recipients probably green-light some of this e-mail specifically because it's from well-known domains with SPF records or DomainKeys signatures.

SMTP authentication was always about identifying the domain of the sender, not the specific user. The presumption in the system was that legitimate domains are responsible for policing their users. The MessageLabs data, if it's accurate, proves what we've been supposing for a year or so now: the major Webmail services can't stop malicious actors from registering accounts automatically and using them to spam outsiders.

The MessageLabs report goes into detail on how attackers get these accounts by breaking the CAPTCHA tests. All of them can be broken with enough work, and a market exists for phony Webmail accounts. I think we can all agree now that it's overreaching to call these "Turing tests." The same basic techniques are used in spam on social networking sites such as Facebook, and they can be used as well to spread malware, as in the Koobface worm.

I said this may be a huge problem, because there are reasons to think it could be dealt with. Not that I have a solution to the porousness of CAPTCHAs, but if a more effective test were found the vendors could implement it without having to deal with standards bodies and other such time-consuming barriers. You could see the abuse stopping pretty quickly based on some technical advance. By the same logic, as a higher percentage of users have their mail on a smaller number of Webmail providers, the prospect of systemic changes to SMTP e-mail becomes more fathomable.

It's also true that Webmail systems are in a better position to monitor patterns in e-mail use and abuse. Once they detect an abusing account they can also see whether it was signed up as part of a massive scripted signup of accounts, and delete all of them. Perhaps they're just not good enough yet at detecting abusive addresses. The pattern of use of a spambot account and a legitimate account must be quite different. If 25 percent of spam is from Webmail then clearly they're not as good as they need to be at detecting these accounts.

Who would have thought a few years ago that the weakness of CAPTCHAs would cause a major shift in the generation of spam? There may be reason to hope that the problem won't last forever, but there's little that we know we can do right now to stop it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.

 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel