This is the second part of a paper that I presented at Virus Bulletin.  Check out their web page here.


Outbound Mail

The basic assumption for outbound mail is that the people sending it are sending legitimate content. The problem is that this is not a valid assumption. If one customer, among hundreds or thousands, starts sending outbound spam, FOSE outbound IP addresses can get blacklisted. When that happens, recipients who use that 3rd party blacklist block the mail of our outbound IP. The net result is that customers can get blocked by receivers through no fault of their own. The actions of a couple of customers can affect everyone.

There are any number of ways that users computers can get infected with a virus that flips it into a botnet, but the net result is the same – it starts to emit spam.

 

image

image

To the outside world, the IP that is used to send out the mail looks like a spam source. However, it is not a singular source of spam because there are so many IPs hidden behind that single IP. Only a small subset of them, usually one or two, are responsible for sending out the spam. It doesn’t matter, however, because once a source IP is identified as sending out spam, it poses problems for everyone who shares that IP space.

image

FOSE’s situation is different than a service like Hotmail or Gmail, but the problem is still the same – our outbound reputation is compromised because in a shared environment with many users, the spammer hides amongst hundreds of others.

 

Impeding Mail Delivery

When one customer starts sending out spam, it often sends out spam to 3rd party operators of blocklists. When it does, that blocklist labels that outbound IP as abusive; unfortunately, other customers are also using that IP but are not using it to send out spam.

image

The net result in Figure 6 is following: It severely degrades our reputation and we have to embark on many steps to reclaim it.

  1. Frank, from All Beef Patties, wants to send mail to one of his customers, Joe, whose email is joe@joes-diner.com. He uses FOSE for outbound mail so his mail server hands off to FOSE who relays his message to the rest of the world.

  2. Meanwhile, Barry is at school downloading music illegally. He clicks on an attachment and right away, unbeknownst to him, his computer is now infected as part of a botnet and starts sending out spam. His email account is similarly compromised, so now barry@yourcollege.edu is sending out spam. He similarly hands off to FOSE who relays his message to the rest of the world.

  3. The botnet that Barry is a part of hasn’t cleaned up its email list at all. It includes the honeypot spam trap, frank@email-me-and-you-will-get-listed.com. Barry sends him email, and since Frank believes that all mail going to this account is spam[1], he looks up the IP address of the sending mail server. It is FOSE’s outbound IP, so he decides to list it.

  4. Back to Joe, Joe uses his own spam filtering service. One of the services he subscribes to is Bill’s Obscure Blacklist (mislabled as Frank above and I am too lazy right now to change it). When any incoming mail hits his servers, he looks up the sending IP to see if it is on Bill’s list. Since his supplier, Bill, is using FOSE for outbound mail, he rejects mail from Frank. Even though Frank wasn’t spamming nor doing anything wrong, he can’t get mail delivered to Joe.

  5. Frank is now furious. He calls up FOSE technical support, yelling at them how he can’t get his mail delivered to Joe (never mind the fact that Joe is free to implement any solution he so desires and has options available at his disposal). FOSE’s options are limited; Joe is not our customer so convincing him to remove us depends upon his technical expertise (and willingness to return phone calls). Frank is under no obligation to remove FOSE’s outbound IP because from his perspective, our IP is a spam source. It doesn’t matter that the volume of legitimate mail greatly exceeds the volume of spam.[2]

Our outbound IP reputation has now been severely degraded. Many customers have the potential to see their mail rejected because of the actions of a few.

We now shift our perspective in another direction: having acknowledged that outbound spam is a serious issue, what do we do? How do we handle outbound mail that we detect as spam?


[1] Sometimes this assumption is true, sometimes not. Spam traps are a good way of harvesting spam but cannot always be used with 100% reliability. They are prone to false positives.

[2] Frank also may be rather obstinate and unreasonable. Sometimes he is very difficult to get a hold of, complicating the delisting process.