Stan Beer, Wednesday, 28 January 2009 10:52
After years of fighting a losing battle against the growing deluge of spam swamping the net, security and law enforcement agencies finally struck their first blow of any consequence late last year when they managed to shut down the servers of a major spam hosting provider. Now authorities are looking for other ways to attack the root of the problem rather than just the symptoms.
Web security provider Marshal8e6 claims that its
newly released TRACE Labs report for the second half of 2008
demonstrated that significant disruption to spam volumes can be
achieved by going after the perpetrators.
Specifically, the Marshal8e6 Spam Volume Index, which tracks the volume
of spam received by a representative bundle of worldwide domains,
showed that spam volumes rose strongly in 2008, with global spam volume
exceeding 150 billion messages per day at its peak. Then, on November
11, a Web hosting provider named McColo, which was hosting the servers
that controlled several major botnets, was disconnected from the
Internet.
According to the report, spam literally dropped by over 50% overnight as
these botnets were effectively disabled. Spam volumes in mid-November
were at the lowest levels seen since mid-2007. Volumes increased again
in December as some botnets came back on stream and others gained extra
business.
The report points out that the McColo shutdown disrupted three major
botnets: Srizbi, Rustock and Mega-D. Srizbi, which was the most active
at the time, has effectively remained inoperative ever since. Although
spam volumes have started to recover, they remain at a level slightly
more than half of what they were prior to November.
“2008 marked a turning point in the war against spam,” said Bradley Anstis, director of technical strategy for Marshal8e6.
“By working together, Internet security and law enforcement
professionals in different countries proved that when you go after the
sources of the global spam scourge, spam can be beaten. With our
growing dependence on email and digital communications, we have to
continue to shift our strategy from simply blocking bad messages to
attacking and stopping the sources of that malware.”
The global Internet names and addresses administrator ICANN obviously
agrees with that sentiment, because it has turned its attention to the
relationship between domain names and IP addresses and how spammers
manipulate that relationship to avoid detection.
A new
report from ICANN on a technique called fast flux hosting, which
enables web site administrators to quickly assign a new IP address to a
domain name, explores the effects of stopping the practice.
Fast flux is used for legitimate purposes by administrators in cases
where a server fails and a site goes down. It enables them to easily
assign the domain name to a backup server at a different IP address.
The problem is that fast flux also enables spammers and other malware
purveyors to hide from authorities by continually changing their IP
address. As ICANN says in its report: when used by criminals, the main
goal of fast-flux hosting is to prolong the period of time during which
the attack continues to be effective. It is not an attack itself; it
is a way for an attacker to avoid detection and frustrate the response
to the attack.
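The signal the report describes (a domain whose answers carry a very low TTL and keep pointing at different addresses in unrelated networks) can be scored from resolver or passive-DNS records. The following is an added example, not code from the report or from Marshal8e6; it runs over a constructed sample of lookups, and the threshold values are assumptions a team would tune. Legitimate round-robin and content-delivery setups also use low TTLs and many addresses, so the output is a triage list for an investigator, not a verdict.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

class DnsObservation(NamedTuple):
    """One A-record answer seen by a resolver (passive-DNS style)."""
    ts: int      # seconds since epoch (constructed values)
    name: str
    ip: str
    ttl: int

# Constructed sample (names and addresses are documentation ranges, not real):
# shop.example is answered from two stable hosts with a normal TTL, while
# flux.example rotates through many IPs in different /24s with a tiny TTL.
SAMPLE: List[DnsObservation] = [
    DnsObservation(1000, "shop.example", "198.51.100.10", 3600),
    DnsObservation(1600, "shop.example", "198.51.100.11", 3600),
    DnsObservation(2200, "shop.example", "198.51.100.10", 3600),
    DnsObservation(1000, "flux.example", "203.0.113.5", 120),
    DnsObservation(1120, "flux.example", "192.0.2.77", 120),
    DnsObservation(1240, "flux.example", "198.51.100.200", 120),
    DnsObservation(1360, "flux.example", "203.0.113.90", 120),
    DnsObservation(1480, "flux.example", "192.0.2.14", 120),
    DnsObservation(1600, "flux.example", "198.51.100.33", 120),
]

def summarise(observations: List[DnsObservation]) -> Dict[str, dict]:
    """Per name: distinct IPs, distinct /24s, lowest TTL and rotation rate
    (share of consecutive answers whose IP differs from the previous one)."""
    by_name: Dict[str, List[DnsObservation]] = defaultdict(list)
    for o in sorted(observations, key=lambda o: o.ts):
        by_name[o.name].append(o)
    out = {}
    for name, obs in by_name.items():
        ips = [o.ip for o in obs]
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        out[name] = {
            "distinct_ips": len(set(ips)),
            "distinct_24s": len({ip.rsplit(".", 1)[0] for ip in ips}),
            "min_ttl": min(o.ttl for o in obs),
            "rotation": changes / max(len(ips) - 1, 1),
        }
    return out

def flag_fast_flux(observations, low_ttl=300, min_ips=5, min_24s=3):
    """Names whose answers combine a very low TTL with many IPs spread over
    several /24s, the pattern the ICANN report associates with fast flux."""
    return sorted(n for n, s in summarise(observations).items()
                  if s["min_ttl"] <= low_ttl and s["distinct_ips"] >= min_ips
                  and s["distinct_24s"] >= min_24s)
```

Flagged names should be cross-checked against known CDN and hosting ranges before any suspension request, which is the kind of verification step the report's "certified investigators / responders" suggestion implies.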
As a result, ICANN is in the process of weighing up the consequences of
discontinuing the use of fast flux hosting or finding ways to negate
abuse of the technique by cybercriminals.
Some suggestions in the report include:
o Adopt accelerated domain suspension processing in collaboration with certified investigators / responders;
o Establish guidelines for the use of specific techniques such as very low TTL (Time to Live) values;
o Identify name servers as static or dynamic in domain registrations by the registrant;
o Charge a nominal fee for changes to static name server IP addresses;
o Allow the Internet community to mitigate fast-flux hosting in a way similar to how it addresses other abuses;
o Introduce stronger registrant verification procedures.
Needless to say, the ICANN report is still in a state of flux (pun intended),
but many would be encouraged to see that finally a cohesive effort is
underway to tackle the root source of spam.