Large enterprises still serving up spam

Despite lots of security measures, major corporations are still having internal IP addresses hijacked by spammers

Well-known enterprise companies are still having their IT systems hijacked by spammers despite investing in many different types of technologies aimed at stopping the problem.

Last week, researchers at network security company Support Intelligence isolated an IP address within insurance giant Aflac that was being used by spammers to distribute mass amounts of e-mail messages, most of which were related to erectile dysfunction.

Over the course of a 24-hour period beginning on April 10, researchers at Support Intelligence and the SenderBase project estimated the volume of spam being distributed from the affected Web server, much of which included a pharming attack, jumped by more than 750 percent.

Once informed of the problem, representatives at Aflac said they began work to shut down the rogue spam source, but researchers said that the incident further illustrates the problems that many enterprises are still facing in battling spam.

As spammers have begun tapping into botnets controlled by other parties and found new methods for distributing their work via hijacked computers, the issue has only intensified, said Rick Wesson, chief executive of Support Analysis.

In the last month alone, Wesson's company has publicly detailed similar waves of spam emanating from a list of high-profile businesses, including 3M, AIG, and Thomson Financial, and the executive claims to have found similar campaigns coming from within blue chip companies, including Best Buy, HP, Intel, and Toshiba.

No matter how large the company and how much it has spent on anti-spam tools, he said, the issue remains a daily struggle.

"These companies are spending tons of money on security, but it shows that like some diseases within the human population, spam has become something that cannot be stamped out completely," said Wesson. "Companies shouldn't be ashamed about talking about it because it is happening to everyone; the financial models and the channels into IT operations for spammers are established, and it's not a problem that is going away."

The dilemma isn't that businesses aren't doing enough to fight spam, according to the security expert, but rather that the technology products they use include so many hidden code vulnerabilities that allow the spammers and botnet operators to sneak in.

The best examples of this problem are the handful of unpatched zero-day vulnerabilities that have been reported in Microsoft products in the last several months, according to Wesson. Spammers simply wait for new flaws to be exposed in popular products and begin assailing organizations with new threats that allow them to gain control of affected systems, he said.

After that it's simply a matter of using any compromised hosts to send out e-mail.

"What this says to me is that when large national insurance companies are still having this problem, all of Middle America does too," said Wesson. "If big business is not capable of beating this problem, SMBs must be getting absolutely killed by it."

Reached for comment, Aflac representatives indicated that they had not been made aware of the reported spam campaign before hearing about the event from researchers.

Company officials declined to comment further on the issue of spambots in their midst but said the incident has not led to any more serious security problems, such as a customer data breach.

"Protecting the integrity of our clients' data is one of our top priorities, and we want to assure everyone that no personal data was comprised," Alflac media representatives said in a statement. "We have identified the source of the spam, and are working to rectify the situation."

Other companies admit that the spam problem can take off quickly even when solid protections are in place.

Security leaders with Steelcase, a publicly-traded office furniture manufacture, said that despite using technologies from Postini and WebSense, among others, to defend its 13,000 employees and IT systems from unwanted e-mail and other attacks, a single incident can quickly land your company's name on spammer blacklists.

Roughly a year ago, a visitor to the company connected an infected device to its network, which led to Steelcase unknowingly becoming a conduit for spam and become included by security researchers on the lists of suspicious IP addresses they advise people to block.

"In effect we ended up looking like a spam source because of one person, and we ended up on several blacklists, which caused problems for people trying to reach us because they subscribed to those lists," said Stuart Berman, security architect at Steelcase. "It really doesn't take much to put you in a painful position."

Spam also remains a serious headache on the incoming side, according to the security specialist. While Steelcase said that the technologies it has employed to filter e-mail, in particular Postini's outsourced message scanning service, have proven very effective, the sheer volume of unwanted e-mail that attempts to land on its servers is staggering.

Berman said that Postini, blocked more than 127 million spam messages before they could land in Steelcase employee's inboxes in 2006, compared to only 30 million legitimate e-mails that were allowed in. Based on those figures, roughly 80 to 90 percent of all e-mails sent to the firm are identified as spam, he said.

"We took action to look at all internal mail avenues and who is allowed to send mail out, and we can control that far more effectively today," said Berman. "We needed to do that because we want to keep our identity clean. It's important to protect your company's overall reputation in the outside world, and no one wants to be known as a spammer."

Some researchers maintain that it isn't just software vulnerabilities that are leaving the door open for spammers at large enterprises, but also a lack of understanding of the problem.

While most large enterprises have made significant investments in anti-spam technologies, some fail to follow very basic recommendations for battling spam, such as blocking unauthorized e-mail from being sent out of their systems at their network gateways, said Matt Sergeant, senior anti-spam technologist at software maker MessageLabs.

Another problem is that the advanced malware programs being used to hijack PCs and set up spambots are frequently circumventing anti-virus systems and other security products, he said.

"Anybody who thought that they had the spam problem under control in the past is probably kicking themselves today, and many corporations are struggling to protect their networks," Sergeant said. "The spammers are on top of the technology in terms of how to get malware onto desktops in such a way that anti-virus doesn't catch it, and companies need to do a better job of making sure their anti-spam policies are being enforced."