Many ISPs, small and medium enterprises (SMEs) and universities are becoming acutely aware of the problems associated with spam emanating from within their networks. Just about anyone who manages on-premise email services understands the necessity of filtering inbound email to remove spam and other annoying or harmful content.
Outbound mail is another animal, and easily overlooked by many organizations –until it bites. All it takes is a single virus outbreak on your network or compromised email account. Even a few hours of worth of spam egress can add up to days or weeks of damage control for smaller organizations.
If your early warning system consists of a sudden influx of abuse reports, or discovery of an abnormal number of destination mail servers suddenly rejecting your mail, you’ll soon find yourself engaged in the unpleasant task of de-listing your MTAs from a litany of independently controlled blacklists, each with different and sometimes complex removal requirements. Adding insult to the injury of your now tarnished reputation are the headaches and confusion users suffer when their mail is unexpectedly delayed or outright discarded.
But before you can even begin to unknot the problems caused by an outbound spam leak, you first need to identify the source of the breach. This is not often an easy or a straightforward process. Should another wave of spam emanate from your infrastructure, many blacklist operators will be less forgiving the second time around.
Hijacking Methods Abound
There are many ways spammers can hijack an organization to perform their dirty work. For example, targeted attacks like spear phishing, commonly directed at universities, ISPs and ESPs can net a surprisingly high response rate. This gives spammers a foothold into the network where they can then authenticate as legitimate users.
Other methods involve compromised machines infected with Trojans and in some cases, spam can be sent unchecked through corporate borders simply because the traffic originates from a workstation turned zombie inside the DMZ.
Naive Assumptions About Inbound Solutions
The outbound spam problem differs considerably from inbound spam. But many people, IT staff included, are unaware of the challenges of stopping outbound spam even if they are well versed in techniques that prevent inbound spam. A common, yet naïve assumption that simply reversing an inbound solution will suffice for filtering the outbound stream can quickly lead to unhappy users; the problem is not symmetric.
Look at it this way: For inbound mail, almost every connection made to your filter is a spammer, but for outbound, almost every connection is legitimate. This asymmetry is an important observation because many of the assumptions about inbound mail filtering don’t apply to outbound filtering.
In fact, gray listing (in-session defenses), IP/sender reputation (RBLs, black/white lists), and knowledge of valid recipients are the primary front-line defenses utilized by nearly all inbound spam filters. Yet these make less sense and are less effective, and can even cause problems for legitimate mail when applied to the outbound stream.
Not being able to rely on these mainstay techniques to remove the bulk of outbound spam requires fresh thinking on how to distinguish good messages from bad. What is needed is behavioral modeling, accurate content filtering and sensible application of throttling mechanisms, and a healthy dose of security awareness.
Frustrating Game of Whack-a-Mole
Deliverability is always a concern for spammers, and so is the overhead incurred from blasting out their messages. ISPs are a great target because their reputation can be hijacked, resulting in less delays and increased success in message acceptance at the destination. ISPs with poor outbound protection are also much less likely to even notice an outbound spam problem until the damage is already done.
As for SMEs and universities, they often don’t have the staff required to ensure their systems are secure, or to track down the source of a breach once it has occurred. The task of identifying compromised accounts can become a frustrating game of whack-a-mole while the scammers are busy leveraging the institution’s computational horse-power and bandwidth for their own ends.
