Blocking Outbound Spam: Your Options

Brian Wood Blog

Just say no to spam. Here’s how.

By Avi Turiel in The Whir.

Emphasis in red added by me.

Brian Wood, VP Marketing


The Options for Blocking Outbound Spam: The Status Quo

In a previous post the author discussed some of the problems that outbound spam causes for service providers, such as blacklisting and the related efforts to unblock mail queues and calm upset customers.

The sources of outbound spam are varied and depend on the type of service provider:

Source Method
Zombie Computers User computers are compromised with malware and added to spam-sending botnets. They send spam directly to the Internet using port 25 (or 465). Zombies are responsible for sending around 85 percent of all unwanted email messages. Zombie activity is not constant, which complicates its detection.
Compromised User Account Legitimate user accounts that have been compromised send spam via the service provider’s MTA (Message Transfer Agent/Mail server).
Spammer Accounts Users knowingly abuse their accounts to send spam and phishing emails.
Web Mail Accounts Spammers create accounts at free Web mail services and use these to send spam. Multiple accounts may be created after defeating CAPTCHA mechanisms.
Service Provider MTA Spammers exploit vulnerabilities in the service provider MTA to send spam.
Customer MTAs Spam is sent from within the service provider’s IP ranges by MTAs operated by customers of the service provider (such as enterprises or secondary service providers).

The approaches taken to combat outbound spam are varied and each has advantages and disadvantages. All the mechanisms described here do block outbound spam with varying degrees of success – but often with unwanted side effects:

  • Blocking Port 25 – This method is aimed at blocking rogue MTAs such as zombies. The trouble with this approach is that it disrupts legitimate usage by users or companies with their own mail gateways. In addition, it does not provide a solution to compromised accounts or other techniques that exploit the service provider’s MTA. Allowing port 25 usage on a case-by-case basis (using whitelists) creates unnecessary management overhead.
  • “Reversed” Inbound Anti-Spam Filters – A simple and easily available solution, inbound spam filters are designed to target unwanted emails from a generally unknown source. They are therefore less suited to dealing with outbound spam emails which hide within large amounts of legitimate email generated from the hosting provider’s known user-base.
  • Inbound spam filters create the following problems:
  • Ineffective at the local and regional level – local or regional spam may not be produced in enough numbers to be noticed by global collection systems, including community reputation or open-source rule-based systems. The numbers are enough, however, to damage the service provider’s reputation.
  • Slow response to new outbreaks – community reputation or open-source rule-based inbound anti-spam products leave a window of 15-60 minutes before an attack is identified. In this time an outbound spammer can send thousands of emails and severely damage the service provider’s IP reputation.
  • Provides spammers with a “test-bed” for their messages – spammers often will send out test messages to check if they can bypass the service provider’s outbound filter. They will use this method to perfect their message, and then send it out en masse.
  • No identification of the spamming source – Inbound filters deal only with symptoms (spam emails) instead of the root cause (zombies or spammers) which can result in repeated outbreaks.
    • Throttling (setting limits on the emails sent per time period or the number of recipients) – Spammers can keep sending below these levels and not exceed the limit. The emails that they do send are enough, however, to create blocklist issues. A further drawback of throttling is that it does not consider email content and therefore requires management, by the service provider, of categories of users, for example, organizations that have negotiated higher sending limits in order to send newsletters.
    • IP Analysis – This approach targets users with authorized credentials or Web mail accounts that access them from suspicious foreign IP addresses.  These might originate from countries not usually served by the service provider or that are known spam-sending regions. This method will not detect spammers generating spam from within the service provider network or from regions considered safe.

In the next post we will look at approaches that hosters can take to more successfully combat outbound spam.