Email Facts

Nearly three-quarters (72 percent) of British companies with 50-500 staff suffered at least one security breach in 2008!

On average they actually suffered 15 incidents...

Serious security breach incidents cost companies £90-£170,000...

Source: MessageLabs, 2009


June 2010

The growing problem of outbound spam

Two-thirds of email service providers consider dealing with outbound spam to be an important or extremely important issue for them in 2010. Outbound spam is also a high priority issue for end users: when asked about their preference for email providers that actively ensure that spam is not sent out from their networks, 80% believe that this is important or extremely important. Further, 87% believe it is important or extremely important for email providers to actively eliminate zombies – a primary source of outbound spam – from their networks.

WHAT EXACTLY IS “OUTBOUND SPAM”?
Although first sent as far back as 1978, inbound spam has been a top-of-mind problem for about the past nine years. For example, in 2001, spam represented roughly one in six email messages sent across the Internet; today, spam represents upwards of 80% of all email. However, this masks the rapidly increasing absolute volume of spam, which doubles roughly every 12-18 months. Although inbound spam is a serious and perennial problem, outbound spam is a more rapidly growing problem, primarily for service providers who act as the unwilling hosts of this content. Outbound spam – that content sent from Web hosting companies, SaaS email providers, Internet access service providers, free email service providers, and onsite email managed service providers – creates enormous problems on a number of levels, as discussed later in this report. For example, more than two in five service providers surveyed for this white paper report that outbound spam is a problem – 15% report that it is a “serious” or “critical” problem. Further, nearly 40% of the service providers we surveyed reported that their IPs have been blocked or blacklisted at some point during just the past 12 months.

THE SOURCE OF THE PROBLEM
There are three primary sources of outbound spam in service provider networks:

• Zombies: One of the more common sources of outbound spam is “zombies” that reside on a service provider’s network. A zombie is an individual home- or business-based computer, such as one on an Internet Service Provider’s (ISP’s) network, that has been infected by malware specifically designed for control by a remote party. That party can control many thousands of computers for the purpose of sending spam, phishing attempts, malware and other unwanted content. Service providers report that 11.2% of their users’ accounts are currently part of a botnet that is being used for sending out spam; 86% of service providers report that they are actively battling zombies in their networks.

• Compromised accounts: These are accounts that have been compromised by means other than malware, such as the theft of access credentials, enabling spammers to use them to send outbound spam. Service providers reported that 12.6% of their users have had their credentials stolen for the purpose of sending outbound spam.

• Malicious use of email accounts: Another source of outbound spam is the creation and use of email accounts by spammers specifically for the purpose of sending unwanted content. The service providers we queried reported that one in eight users’ accounts are openly sending out spam and/or malware.

Spammers of all three types may make efforts to stay “under the radar” by sending hundreds of emails per day or “testing” before sending large volumes. Clearly, the problem of outbound spam has not been lost on service providers – among those we surveyed, 69% consider dealing with outbound spam to be a priority over the next 12 months.

CURRENT SOLUTIONS ARE NOT EFFECTIVE
Many service providers, faced with the growing problem of outbound spam, use a variety of conventional techniques and technologies to address the problem. However, most of these solutions are not satisfactory:

• Use of standard inbound spam technologies in reverse: Because many spam detection technologies have a high spam capture rate for content sent into a service provider’s network, many assume that simply using these technologies for email sent out of the same network will be effective. Unfortunately, practice has demonstrated that this approach can result in unacceptably high levels of false positives, with a large proportion of valid outbound email being identified as spam and subsequently blocked.

• Blocking of Port 25 for outbound email: Blocking Port 25 is unacceptable in many cases because it blocks legitimate email along with outbound spam, again resulting in a very high level of false positives. For example, if a customer of an ISP needs to send legitimate email through a server other than the one provided by their ISP, blocking Port 25 prevents this from happening.

• Blocking entire ranges of IP addresses: Some service providers, in an attempt to block outbound spam from a single IP address, will block a range of IP addresses that may be used by the offending sender. This results in email for legitimate senders being blocked.

• Manual handling by the abuse team: Our research also found that 30% of service providers use manual methods to address outbound spam, such as deleting accounts that have been compromised. This can be a slow and ineffective method of dealing with the problem given the large number of compromised accounts hosted by many service providers.

The research supports four basic conclusions:
• Outbound spam is a serious issue today and the problem is getting worse.
• Conventional remediation efforts and technologies focused on outbound spam are not adequate to fully solve the problem.
• New technologies and approaches are necessary to ensure that outbound spam is minimized in service provider networks.
• Many customers will switch to service providers that address the outbound spam problem in a granular way.

Download and read the full report here.
