Spammers Sidestep SMTP

We often think of fixing malicious activity in terms of systemic solutions, but spammers have moved on to private systems from which to conduct their abuse, and this makes it harder to stop.

I saw a disturbing number the other day: According to the latest MessageLabs Intelligence Report, by September of this year 25 percent of all spam originated from hosted Webmail accounts, meaning Yahoo, Hotmail, Gmail and the like. This may be a huge problem.

I've been a big fan over the years of SMTP authentication and associated reputation-based systems. The idea behind them is to identify with certainty the domain of the e-mail sender, something which the SMTP protocol does not do. Reputation systems then say whether this domain is one known to be trustworthy, untrustworthy or some unknown status. Then it's a matter of you setting policy to deal with this reputation data.

These ideas have been controversial, mostly out of obtuseness about reputation systems or a distrust of them. Personally, I think they would do a much better job than doing nothing, so I was for them. But that may all be moot.

I've been hearing for years now how large numbers of users are moving their e-mail onto Webmail systems, and the reasons are not hard to understand. You can use your mail from any computer with a Web browser, there's no local e-mail client to learn, your e-mail is not stuck on one local store, and Web 2.0 interfaces make the clients almost as rich as a real e-mail program.

But SMTP authentication is a systemic solution to the problem of SMTP e-mail abuse, and Webmail spam gets around it by bypassing the system. Recipients can no longer gauge reputation because they can't distrust huge mail senders such as Google and Microsoft. In fact, some recipients probably green-light some of this e-mail specifically because it's from well-known domains with SPF records or DomainKeys signatures.

SMTP authentication was always about identifying the domain of the sender, not the specific user. The presumption in the system was that legitimate domains are responsible for policing their users. The MessageLabs data, if it's accurate, proves what we've been supposing for a year or so now: the major Webmail services can't stop malicious actors from registering accounts automatically and using them to spam outsiders.

The MessageLabs report goes into detail on how attackers get these accounts by breaking the CAPTCHA tests. All of them can be broken with enough work, and a market exists for phony Webmail accounts. I think we can all agree now that it's overreaching to call these "Turing tests." The same basic techniques are used in spam on social networking sites such as Facebook, and they can be used as well to spread malware, as in the Koobface worm.

I said this may be a huge problem, because there are reasons to think it could be dealt with. Not that I have a solution to the porousness of CAPTCHAs, but if a more effective test were found the vendors could implement it without having to deal with standards bodies and other such time-consuming barriers. You could see the abuse stopping pretty quickly based on some technical advance. By the same logic, as a higher percentage of users have their mail on a smaller number of Webmail providers, the prospect of systemic changes to SMTP e-mail becomes more fathomable.

It's also true that Webmail systems are in a better position to monitor patterns in e-mail use and abuse. Once they detect an abusing account they can also see whether it was signed up as part of a massive scripted signup of accounts, and delete all of them. Perhaps they're just not good enough yet at detecting abusive addresses. The pattern of use of a spambot account and a legitimate account must be quite different. If 25 percent of spam is from Webmail then clearly they're not as good as they need to be at detecting these accounts.

Who would have thought a few years ago that the weakness of CAPTCHAs would cause a major shift in the generation of spam? There may be reason to hope that the problem won't last forever, but there's little that we know we can do right now to stop it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.