It’s been crazy busy around here the past few days dealing with a ton of stuff, not the least of which is related to outbound spam.

We’ve actually got a good handle on outbound spam, or at least we did.  Currently, we are dealing with two issues:

  1. One of the service offerings that Microsoft has is Office 365.  The part that we are involved with is that Microsoft will host your email (for small business) and provide you with a mailbox and the inbound mail flows through us.  However, so does the outbound mail.

    Microsoft has a beta offering of this, and has had it for a year.  Well, just this past week a spammer has figured out how to use the service to send out spam over and over again (hasn’t he read the Terms of Use? That’s forbidden!).  This spammer fits the profile of a typical spammer who signs up for an account, sends out spam, gets blocked and then ditches it.  He then repeats the same pattern over and over again.

    This illustrates one of the problems that large corporations have when dealing with the problem of abuse.  There are multiple divisions here with many different teams implementing features.  Hotmail has the LiveID sign up, the team known as Business Productivity Online Service (BPOS) handles the hosted mail boxes and the mail filtering team (us) handles mail flow.  That means that multiple groups of people must co-ordinate across multiple buildings and multiple data sets in order to come up with a strategy to block this one guy.  That takes time and effort and diverts resources away from the things that matter and makes deadlines slip.

    When large companies go out and sue spammers, I wonder if there is a little bit of a personal vendetta against the spammers?  Personally, if I made it my life’s mission to track this particular guy down and sue him into oblivion (read: collect all sorts of evidence and testify against him), I would count my life a success.  Because you know, we do have better things to do than clean up the mess that this guy is creating.

  2. The flip side of the malicious user, described above, is the compromised customer.  As I have iterated in the past, education institutions are notorious for becoming compromised.  We have historically had some companies that are worse than others, but recently another one has darted to the top of the list.  Now, we know that some of their users give out their credentials.  We see this all the time when we have to shut down 7 or 8 in the spam of a couple of days.  But what we see spammers doing is sending out a phish campaign, stealing all sorts of credentials and using them to spam.  This is hardly news to anyone.

    But they then hold a couple of accounts in reserve.  When the other accounts have been reset or blocked, they then send around another phishing blitz from the ones they didn’t use and reharvest a whole bunch more accounts.  When I first saw this, I kind of shook my head at myself for not seeing this strategy earlier; it’s a clever trick.  The end result is the same – piles and piles of spam attempts to relay through us and we have to take action to shut down the accounts (thankfully, most of this work is automated).

    We haven’t been entirely successful in getting this education institute to improve its security policies such as issuing mass password resets.  On the other hand, one can only imagine what the underpaid IT admins on their side have to go through, and what they had to go through when they outsourced all of their outbound spam problems to us.  I’ll bet they couldn’t send to anyone on the Internet due to being blocklisted so often!  We’re in better shape because we monitor this stuff very closely.  Still, sometimes things leak out and we can have delivery issues as well.

So, that’s where I have been.