A cunning technique used by spammers to hide the origin of their messages underscores the need for a multi-tiered approach to tackling the plague of unsolicited email, security experts said this week.
Spammers have traditionally used software to route their messages through a mass of "zombie machines" to reach recipients. Zombies are computers connected to the Internet that have been infected with malicious programs that give hackers control over the machines.
However, an increasing amount of spam is being sent to zombie machines and then passed through servers at the zombie machines' ISPs (Internet service providers) before reaching recipients, security experts at The Spamhaus Project and MessageLabs warned.
This technique makes blocking spam more tricky, they said.
By routing their messages through ISPs, the spammers make it more difficult to block spam using "blacklists," or addresses of known spammers. Blacklists are often used for filtering spam, but if the messages appear to be coming from an ISP, then the lists become useless in targeting the real culprits, according to some security experts.
"No blacklist can block a whole ISP or e-mail itself would start to crumble," said MessageLabs' Chief Technology Officer (CTO) Mark Sunner.
Security experts have recently brought the issue to light although the technique is not new, they say.
While the delivery method is problematic when using blacklists, many systems for filtering spam do not rely on blacklists alone. Filters often employ other means such as scanning subject headers or entire messages to detect unsolicited mail.
ISP routing does not spell "gloom and doom" for blocking spam, but emphasizes the need to take a multi-layered approach to filtering, Sunner said.
Graham Cluley, security technology consultant at Sophos, agreed, saying that antispam filters that use a "cocktail" approach and don't rely on one or two filtering methods will suffer less from spammers' shifting strategies.
The technique puts the onus on ISPs to monitor their outgoing mail carefully, however, and make sure they aren't being used as a proxy for spammers, according to Sunner.
"At the end of the day there is increased pressure on ISPs," Sunner said.
Routing spam through ISPs could potentially give them more visibility and control over spam, Cluley said, but they need to revisit their policies for filtering outbound, and run the risk of being put on blacklists if they send out spam directly.
Spamhaus estimates that as much as 75 percent of the traffic arriving at most ISPs is unsolicited commercial email. Some ISPs already monitor their outbound mail. The UK ISP Wanadoo, for instance, introduced new spam filers last year to prevent its users from sending and receiving spam, a representative for the company said Tuesday.
ISP organization the London Internet Exchange has also moved to prevent ISPs being used as proxies for sending spam. The group issued a list of best practices in August stating that ISPs should identify and be able to trace the source of all the e-mail passing through their systems.
"It's a cat and mouse game," Sunner noted.