In my previous post, I noted that rustock had started sending us a whole pile of spam over the TLS protocol. The question now is why do it at all? I mentioned in my post that this is clever behavior and one of my readers posted in a comment “What makes this so clever?”
The issue of authentication, reputation and security is one that comes round and round in the world of email. Why do we authenticate? And what does it buy you? There are plenty of reasons to send authenticated mail, here are three:
None of these really fit the profile of a spammer. Why would he want to track abusive behavior? Or combat fraud? The one that does make sense is getting onto a whitelist.
To a spammer, they may believe that only good institutions authenticate their mail. And furthermore, when filters see that the mail is authenticated, they relax their settings and allow the mail to pass through to the end user. In other words, there is a hope that an authenticated connection means that the receiver assumes that the sender is a good player. Who else would take the time to authenticate their mail?
Yet this view doesn’t really hold up in real life. No one in the antispam world worth their salt believes that authenticated mail is de facto good mail. We like it when mail is authenticated, but we don’t naively believe that because it is authenticated, it is good. There is a higher probability that it is, true, but there is no guarantee. Just take a look at my other stats, we get plenty of spam from mail that is authenticated. In other words, if spammers actually think that authentication will help them, they are soundly mistaken. Authentication is used to hear from people we want to hear from, not from anyone.
There is another reason to send mail over an encrypted channel, however: for security for the spammer. Why would a spammer need to worry about security? Because their drones sending out the spam need to communicate with their command-and-control centers. If the communication is going out over an encrypted channel it means that anti-botnet activists out there cannot discern, intercept or observe what type of traffic is going out over the clear text. In other words, it makes their communication channel more resistant to tampering. Observe in the past 4 months what has happened:
By encrypting the communication channels, a botnet can make its instruction set more difficult for a security official to disrupt because obtaining proof of malicious behavior means that the observer must connect directly to the botnet C&C (or drone). They cannot sit back and intercept packets and observe what is going on.
Thus, my theory is that the rustock botnet uses TLS (or SSL, or something) as a means of disguising its behavior in an attempt to make its infrastructure more robust. It then sends email the same way but doesn’t necessarily care that it is being slowed down somewhat. It has so wide a footprint that it is able to absorb the cost of the delays introduced by sending over an encrypted channel.
It makes the task of stamping out rustock that much more difficult.
But what does TLS have to do with authentication? You aren't using client certificates with SMTP so you are not authenticating the client. I don't see how points 2 and 3 three relate to TLS. The first point is true that you can't listen to the outbound SMTP traffic.
We're seeing a lot of Rustock spam via TLS on some of the outbound traffic that we filter for major ISPs. I think that in addition to doing this with the intention of bypassing some of the spam checks at receivers, the Rustock operator is encrypting because he/she knows that this makes it impossible for someone to man-in-the-middle filter the spam out before it reaches the receiving system.
If other botnets get the idea that TLS is a good strategy, this will hurt efforts to control spam outbound by watching content as it leaves ISP's networks.
Clearly this represents another move by the spammers that requires a response...
Doesn't it just push responsibility for filtering back onto the TLS receiver which already has spam filtering? Certainly it's good if spam can be stopped before it leaves a network, but how many bots send directly vs using an ISPs outbound mail servers? Some probably do, some probably don't.
Agreed that TLS would seem to greatly complicate (outbound or) inband monitoring though. Therefore the main target of bots using TLS would seem to be bot spam detectors placed on in-transit mail flow sensors. If so, it would seem to be a small battle won, but certainly not a decisive victory for the bad guys.
They can connect to our outbounds with TLS all they want to (apart from us not supporting STARTTLS) - even if they did, our MTAs are the endpoint of that encrypted channel - and they have full-content access to the message once received. There is no effective difference to non-TLS'd mail.
Similar on the inbound side - not supported by us, but if we did support it, once it's out of the TLS decryption, we have full access to the content (and envelope data). No win for the bad guys, just more resources on our part for TLS, if we had it enabled.
If you want to anoy anyone with spam then just visit http://hacxx.byethost15.com/ and enter the respective email