Antispam group outlines ways to block spam from botnets

A major antispam organization is pushing a set of new best practices for ISPs to stop increasing volumes of spam from botnets.

The guidelines, from the Messaging Anti-Abuse Working Group (MAAWG), were drawn up at a meeting in Germany last week and deal with forwarded e-mail and e-mail that is sent from dynamic IP addresses.

Many people forward their e-mail from one address to another, a relay that goes through their ISP's mail server. But many ISPs use automated tools that could begin blocking further e-mail to an address if a large volume of e-mail has come through. Legitimate messages would be blocked, too.

"If a spammer targets AOL, a lot of people have AOL addresses redirected somewhere else," said Richard D.G. Cox, CIO for Spamhaus, an antispam organization that's a member of MAAWG. "So if a whole lot of spam is coming out of AOL, people will block it on automated basis."

ISPs can fix this by separating the servers that receive e-mail and ones that then forward e-mail. That way, ISPs can filter out spam coming into the accounts before forwarding, taking a look at the messages and spotting which ones came from dodgy domains, Cox said.

Also, servers receiving forwarded e-mail can be confident that the server where mail was sent from is trusted and legitimate. As of now, only a few ISPs are taking steps to fix the forwarding problem, Cox said.

"This is something we need a big takeup on," Cox said. "When everyone does it, more of us will benefit as well."

MAAWG's second recommendation deals with the long-standing problem of PCs that have been infected with malicious software that send spam.

The PCs are part of botnets, or networks of computers that have been compromised by hackers. After a PC is infected, it will often start sending spam through port 25 straight onto the Internet. That contrasts with legitimate e-mail, which usually goes through the ISP's mail server first before being sent on.

Many ISPs assign a different IP address to a subscriber's PC when they connect to the Internet, known as a dynamic IP address. Those infected machines on dynamic IP addresses aren't always automatically blocked by ISPs. Other receiving e-mail servers can block the particular IP address, but many malware programs are designed to reboot a PC in order to get assigned a fresh dynamic IP address from which to continue sending spam, Cox said.

MAAWG's primary suggestion for ISPs is to block all machines on dynamic IP addresses that are sending e-mail on port 25 outside their own network unless there are special, legitimate circumstances. The idea has been "very central" to antispam fighters, Cox said.

But MAAWG said that idea may not be possible for some ISPs, and its guidelines offer another alternative: ISPs should share information about their dynamic address space. That would let other ISPs refine their spam filters.

Spamhaus publishes its own DNS Blacklist, with information on ISPs' dynamic address ranges. "Listing your addresses in a dynamic IP list makes those ranges less attractive to spammers because they know they can't deliver to many networks which use those lists," according to Spamhaus' Web site.

Those on dynamic IPs are allowed to send e-mail using port 587, which is dedicated to sending e-mail via servers that require authentication first. That's the way most employees, for example, remotely connect to their company's mail servers, Cox said.

Major ISPs such as Comcast in the United States do block unauthorized e-mail on port 25 from going straight to the Internet, but about half of other ISPs -- many located outside Western countries -- do not, Cox said.

"That's the area where we are pointing the finger at," Cox said.

Given the international scope of the spam game, spammers use the infected computers "to send their unwanted traffic to mail servers around the world," MAAWG said.