The Messaging Anti-Abuse Working Group, a special interest group focused on lowering the negative impact of spam and e-mail/IM-borne malware (in particular botnets) on the entire electronic communications ecosystem, has released a new set of best practices to help ISPs and network operators deal with the ubiquitous problems.
Better known as MAAWG, the consortium of ISPs and net ops — which claims to represent almost 1 billion electronic mailboxes — dropped two new advisories addressing techniques that it claims will help stop the scourge of botnet-induced spam and speed the process of delivering legitimate messages.
The individual papers are aimed at the issues of sharing IP address space and e-mail forwarding, respectively, and were approved at a MAAWG meeting held the week of June 16 in Heidelberg, Germany.
The first of the advisories is meant to curb the spread of botnet spam sent from dynamic IP addresses, and the second aims to help ISPs “distinguish legitimate consumers using a forwarding service from spammers,” the organization said.
The address-sharing recommendations (PDF) were specifically developed to assist mailbox providers that do not accept e-mail sent from dynamic IP addresses, the group said.
“While most consumers connect to the Web through modems using a dynamic address, their e-mail is usually funneled through their ISP’s mail server, which has a static (non-changing) IP address. But when a bot invades a consumer’s computer, it often bypasses the ISP’s mail server so that the resulting spam comes directly from the user’s dynamic address,” the group elaborated.
By more clearly “identifying the ranges of network addresses that each ISP has assigned as dynamic addresses,” mailbox hosts should be able to ID and block greater levels of botnet-induced spam, MAAWG said in a press release.
“There have been industry discussions about sharing dynamic IP addresses for years, and even some proposals, but this paper represents the first time a sizeable group of ISPs have come together to agree on how to do it. The recommendations are another necessary step toward helping mailbox providers eliminate spam originating from botnets before it hits users’ inboxes,” J.D. Falk, an MAAWG board member, said in the statement.
The forwarding best practices (PDF) also aim to provide technical recommendations to improve communications between sending and receiving entities.
“Many mailbox providers and institutions offer consumers either a permanent e-mail address or a short-lived, temporary address set up so that messages are forwarded to consumers’ underlying ISP account. Over time, these addresses may receive and forward a significant volume of junk mail, causing the user’s ISP to conclude that the forwarding service is a spam source and block all incoming mail from that service,” the group said.
The MAAWG paper specifically outlines actions that it said bulk forwarders should adopt to improve deliverability and speed problem resolutions — such as separating sending and forwarding server functions.
Among the practices that MAAWG recommends for receivers are posting policies on the Web and recognizing IP space designated for forwarding.
“Any address will attract some spam and incoming traffic from a forwarded account that has been in use for years can look like a deluge of spam, causing an ISP to block it,” Jordan Rosenwald, co-editor of the forwarding paper and Comcast manager of anti-abuse technologies, said in a statement.
“Spammers also are developing new ways to use forwarded e-mail to their advantage, so the steps outlined in this paper will provide savings for both forwarders and receivers, but more importantly, can help protect consumers from being unnecessarily and unintentionally blocked,” Rosenwald continued.
The group said the recommendations were finalized at its 13th General Meeting, which it said was attended by over 230 abuse and privacy professionals from ISPs, e-mail providers and vendors from 18 different countries.
MAAWG will meet again in late September 2008 to further discuss botnets and hopes for greater “worldwide anti-abuse cooperation.”
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.