ISPs could cut spam easily, says expert
Try port 25 blocking, says Trend
By John E. Dunn | Techworld | Published: 16:56, 18 January 2010
Two simple techniques could be used to strangle botnets, a security expert has claimed. First, block email port 25 by default. Second, tell users when they are spewing spam from compromised PCs.
According to Trend Micro's CTO, Dave Rand, who is leading a campaign to reform the way ISPs approach the matter of botnets and spam, the two countries that adopted such techniques, The Netherlands and Turkey, have seen a huge reduction in the numbers of botnetted PCs.
According to his own figures and analysis, Turkey went from having around 1.7 million compromised PCs per month to only 35,000 after implementing techniques through its major ISP, Turk Telekom.
"They went from the number one spam source in the world to off the charts, said Rand. "They don't appear in the top 50 now."
The Netherlands used similar techniques - including recently mandating that ISPs must inform users when their PCs are suspected of sending spam - and now has one of the lowest botnet infection levels in Western Europe, said Rand.
In the UK, Rand estimated that there were 3-4 million spam zombies, not including business PCs hidden from statistic-gatherers by NAT firewalls. Blocking port 25 and contacting compromised subscribers in the country would reduce the volume of spam by around 20 million spam messages per month, which sounds modest when you consider that the total volume for an average ISP is perhaps 1 billion bogus emails.
Most spam through UK ISPs still comes from countries. According to Rand, the real benefit would only start to show itself when implemented on a global scale.
So why don't ISP's embrace such simple reforms? "It's the fear that it will collapse. Guess what? Nobody complained," said Rand of the experiments with the approach to date.
Port 25 is useful if you happen to be connecting to a remote email server, but would not apply to the vast majority of an ISP's own users who connect to mail servers on internal ports, and would not be affected by such blocking. Meanwhile, the spammers who thrive on port 25 by hijacking PCs which are then used to send out huge amounts of spam through it would find their preferred channel cut off.
One problem is that having migrated from fixed servers to open relays and proxies and then to compromised botnet PCs, spammers have spotted some of this coming. A common technique is to create bogus webmail accounts on hosted services such as Google, which exist only as long as needed to send out spam. Once the ISP closes these down, new ones are created to replace them.
Rand remains convinced, however, that cleansing the millions upon millions of infected PCs would pay back in terms of the wider security of those machines, not just their use as spam sending bots.
He believed that in the UK there should be a specific regulation forcing "ISPs to notify customers that they are compromised," something that was trivial to determine from traffic patterns. "If the ISP doesn't back responsibility, we are never going to solve this," he said.
He predicted that such techniques would become established practice by 2013, and knew of unnamed ISPs that were looking at port 25 blocking in the near future.