One of the things that has kept me busy the past few weeks (read: months) is outbound spam – again! No matter how many mitigations we put in place, it’s never enough.
The current challenge we are dealing with is compromised accounts. Most of the time, though not always, the accounts belong to educational institutions. A user's username and password end up in the hands of a phisher. This can happen in several ways: a phishing attack, password reuse across sites, weaker security at some other service, or possibly even brute force. The net result is the same: someone other than the owner of the email account is in possession of the login credentials.
Since we are a mail filtering service that acts as a relay, we do not control authentication: the login is validated upstream, so every message that reaches us we have to treat as already authenticated. We know that assumption does not hold, because piles and piles of spam from multiple different compromised accounts attempt to pass through us every single day. So we have an outbound spam problem, and we are the ones relaying it, yet we do not control the login process. I say "attempt to pass through us" because in the past few weeks we have been experimenting with a new kind of outbound spam mitigation. It works like the following:
We have found that this process works very well for detecting and blocking the most egregious offenders. It is not perfect and it still misjudges some accounts, but it has cut down a lot of our outbound spam automatically with minimal human interaction. We are still refining the process to catch other scenarios (small leaks of spam, compromised machines with malware), but we have made yet another good step towards being a responsible email citizen.
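To make the trade-off concrete, here is an added example of the kind of volume-based check a relay can run on its own outbound logs without controlling the login step. It is illustration code written for this post, not the service's actual process, which is not described here. The log line format, the field names, the sample accounts and the thresholds are all assumptions. The script aggregates recipients per account per hour, compares each hour against that account's own previous high-water mark, and flags a sudden spike; it also shows why a steady trickle from a compromised account (the "small leak" case) slips under a detector tuned for egregious offenders.

```python
"""Hypothetical outbound-spam spike detector for a mail relay (added example).

Assumed log format (not the service's real one):
    <ISO timestamp> user=<account> rcpts=<recipient count> domains=<distinct domains>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) rcpts=(?P<rcpts>\d+) domains=(?P<domains>\d+)$"
)

# Constructed sample log (not real data). alice and bob behave normally,
# carol's account starts blasting mail at 02:00, and dave's account is a
# steady small leak of 8 recipients every hour.
SAMPLE_LOG = """\
2024-03-01T00:05:00 user=alice@example.edu rcpts=2 domains=1
2024-03-01T00:40:00 user=alice@example.edu rcpts=1 domains=1
2024-03-01T01:10:00 user=alice@example.edu rcpts=3 domains=2
2024-03-01T02:15:00 user=alice@example.edu rcpts=2 domains=1
2024-03-01T00:12:00 user=bob@example.edu rcpts=1 domains=1
2024-03-01T01:30:00 user=bob@example.edu rcpts=1 domains=1
2024-03-01T02:05:00 user=bob@example.edu rcpts=1 domains=1
2024-03-01T00:20:00 user=carol@example.edu rcpts=1 domains=1
2024-03-01T01:25:00 user=carol@example.edu rcpts=2 domains=1
2024-03-01T02:00:00 user=carol@example.edu rcpts=50 domains=40
2024-03-01T02:01:00 user=carol@example.edu rcpts=50 domains=45
2024-03-01T02:02:00 user=carol@example.edu rcpts=50 domains=38
2024-03-01T02:03:00 user=carol@example.edu rcpts=50 domains=41
2024-03-01T00:30:00 user=dave@example.edu rcpts=8 domains=8
2024-03-01T01:30:00 user=dave@example.edu rcpts=8 domains=8
2024-03-01T02:30:00 user=dave@example.edu rcpts=8 domains=8
"""


def parse_log(text):
    """Parse relay log lines into records keyed by hour bucket (YYYY-MM-DDTHH)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # ignore blank or malformed lines rather than crash on them
            continue
        records.append({
            "hour": m.group("ts")[:13],
            "user": m.group("user"),
            "rcpts": int(m.group("rcpts")),
            "domains": int(m.group("domains")),
        })
    return records


def hourly_recipients(records):
    """Total recipients per account per hour: {user: {hour: rcpts}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["user"]][r["hour"]] += r["rcpts"]
    return totals


def find_spikes(text, abs_floor=100, factor=10):
    """Flag hours where an account sends >= abs_floor recipients AND more than
    `factor` times its own previous hourly high. Returns
    {user: [(hour, rcpts, baseline), ...]} for flagged accounts only."""
    flagged = defaultdict(list)
    for user, by_hour in hourly_recipients(parse_log(text)).items():
        history = []  # hourly totals judged to be normal, in time order
        for hour in sorted(by_hour):
            rcpts = by_hour[hour]
            baseline = max(history) if history else 0
            if rcpts >= abs_floor and rcpts > factor * baseline:
                flagged[user].append((hour, rcpts, baseline))
                # Do not let a flagged hour raise the baseline, otherwise the
                # account would only ever be caught once.
                continue
            history.append(rcpts)
    return dict(flagged)


if __name__ == "__main__":
    for user, hits in find_spikes(SAMPLE_LOG).items():
        for hour, rcpts, baseline in hits:
            print(f"BLOCK {user}: {rcpts} recipients in {hour} (previous high {baseline})")
```

With the default thresholds only carol's account is flagged; dave's 8-recipients-per-hour leak never reaches the absolute floor, which is exactly the "small leak" scenario still being worked on. Lowering `abs_floor` to catch dave also starts flagging accounts with no history yet (the factor test is vacuous when `baseline` is 0), so the floor is what trades false negatives against false positives on legitimate accounts.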