Fighting Spam at AOL: Lessons Learned and Issues Raised - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

Fighting Spam at AOL: Lessons Learned and Issues Raised

Description:

Fighting Spam at AOL: Lessons Learned and Issues Raised Carl Hutzler Director of Anti-Spam Operations America Online, Inc. 12/9/2005 – PowerPoint PPT presentation

Number of Views:79
Avg rating:3.0/5.0
Slides: 16
Provided by: CarlH157
Category:

less

Transcript and Presenter's Notes

Title: Fighting Spam at AOL: Lessons Learned and Issues Raised


1
Fighting Spam at AOL Lessons Learned and Issues
Raised
  • Carl Hutzler
  • Director of Anti-Spam Operations
  • America Online, Inc.
  • 12/9/2005

2
Agenda
  • Email Identity Technologies
  • Email Forwarding
  • Email Service Provider Best Practices

3
What do Email Identity Technologies Do?
  • They provide some assurances that a domain is
    being used with permission
  • Citibank can control the use of their domain, but
    cit1bank.com will still be abused
  • Bounces can be analyzed to see if they are
    legitimate
  • Information can be analyzed on the responsible
    domain owners and their reputation/accreditation
  • But remember, email identity technologies do not
    stop spammers!
  • They only force spammers into other behaviors,
    many of which are better for enforcement and
    controls.
  • But without message providers doing their part to
    use these technologies wisely, we will be no
    better off.

4
AOL is a Crystal Ball
Report from 9/14/2004 188841 hotmail.com 64543
x-mailer.co.uk 62757 shawcable.com 46312
concentric.net 32259 cnchost.com 32022
zero.ou.edu 23557 mail.atl.earthlink.net 22837
grp.scd.yahoo.com 21005 ucla.edu 17676
oemgrp.com 16849 mail.cornell.edu 16260
dejazzd.com 15764 mta01.tie.cl 15659
mrf.mail.rcn.net 14343 urbanhomesecurity.com 14280
mail.pas.earthlink.net 14246 smtp.nextra.cz 13646
mail.yahoo.com Note1 Greyed domains have very
low spam penetration due to very large number of
emails sent which counters the total complaint
statistic. Note2 Italic domains were
whitelisted and subsequently blocked for spamming.
  • Bulk Mailers on AOLs whitelist comprise 30-50
    of our daily email volume but only 5-10 of
    complaints.
  • gt80 of AOLs spam problem comes from other
    providers main outbound MTAs and compromised web
    servers (CGI scripts)
  • AOL began seeing this shift in Sept 2003
  • The rest of the internet is beginning to see this
    now
  • We're the biggest spammer on the Internet,"
    network engineer Sean Lutner, Comcast - source
    CNET.com, May 24, 2004

5
All spam will eventually come from Email Message
Provider Networks
  • For example AOL, BlackLists, and other
    organizations are getting really fast at blocking
    zombie machines
  • BUT
  • The machines do not get un-infected
  • No SMTP AUTH
  • Most ISPs trust internal networks
  • No Outbound Spam controls
  • No Rate controls
  • Results?
  • ISP mail servers act as forwarding MTAs for a
    network of open relay Zombie machines

MyDoomd ZOMBIE PC on DSL.NET
BLOCK
outbound1.dsl.net
mx.aol.com
Hacker/Spammer
6
Will SenderID, SPF, DomainKeys, etc stop spam?
  • Simple answer, NO. Complex answer, NO.
  • Why?
  • Most AOL spam obeys sender identity technologies
    TODAY!
  • Spammers send through the local MTA and use the
    local ISPs domain as the FROM/Sender
  • Identity Technologies can allow
    blacklists/whitelists to work from DOMAINs
    instead of IP addresses
  • Good from a not blocking innocents by IP address
    standpoint
  • Reputation/Accreditation systems will be key to
    success of Email Identity technologies
  • Without SMTP Authentication, we are only
    validating the DOMAIN and not the USER portion of
    the address (user_at_domain.com)

Bottom Line If ISPs dont get smart soon and
control the sources of spam on their networks,
the reputation for their domain (e.g.,
comcast.net) will be so poor that they will not
have connectivity to other ISPs
7
Email Forwarding
8
Forwarding Spam to AOL Customers
  • AOL can only trust the IP address of the client
    MTA that connects to an AOL server
  • No other headers can be trusted as they are all
    forgeable
  • This is why internet whitelist/blacklists are all
    done by IP address.
  • AOL has no way to no that a message is simply a
    forwarded email
  • Does this even matter?

9
So what happens when a University FORWARDS Spam?
  • Generally, if AOL gets enough complaints from our
    members, we block or temp fail the IP address
  • Is this the members fault?
  • No, as there is nothing in the email that shows
    it is from their forwarded account
  • AOL members do not read headers, nor should they
    be expected to.

10
Possible Solutions?
  • Dedicate an IP address to handle forwarded mail
    and tell AOL about it.
  • Do better spam filtering inbound to your network.
  • Spam filter the outbound traffic and insert a
    spamassassin x-header that identifies a message
    as spam. AOL will spam folder it.
  • Change the headers of forwarded mail to identify
    the situation to final recipient.
  • From ForwardedEmail_at_university.com
  • Subject FORWARD Original Subject
  • ReplyTo originalsender_at_originaldomain.com

Bottom Line Forwarding spam to someones inbox
innocently or intentionally still creates a bad
experience for the final recipient. Port25 is
your responsibility.
11
Mail Service Provider Best Practices
12
Message Provider Code of ConductTake
Responsibility for outbound Port 25
  • ISPs must take full responsibility for all
    traffic/messages emanating from their network on
    port25.
  • Port25 traffic is always Unauthenticated traffic
    and as such must be accepted by server MTAs.
  • Abuse issues are always the responsibility of the
    sending/client MTA

13
How does a Message Provider like AOL control
outbound port25 traffic?
  • Hijack all direct port25 connections from dynamic
    IP space to other ISP mail servers and process it
    for viruses/spam.
  • Other providers block port 25
  • Still others use a mail proxy to detect SMTP
    authentication credentials and only allow
    authenticated SMTP traffic on port25
  • Some simply rate limit how much a single IP can
    send if their IP space is rather static or they
    can tie an IP to a customer account
  • Rate limit all customers through outbound,
    authenticated MTAs. Rate limits per hour and per
    day work well.
  • Monitor complaints about customers via the SCOMP
    Feedback Loop system
  • URL blocking for known spammer URLs
  • Secure accounts that are spamming - thousands
    daily

14
Summary What technologies will stop spam?
  • ISPs and Network Providers waking up and
    working together to cut off the spammers oxygen
    supply
  • Spammers need connectivity
  • Spammers need large numbers of high throughput IP
    addresses
  • So what is the formula for success?
  • ISPs should monitor their networks for sources of
    spam LEAVING their network
  • Port25 is always the responsibility of the
    originating ISP
  • Shift some of the resources from inbound
    filtering to OUTBOUND Controls
  • Enforce strong authentication to authorize use of
    an ISPs MTAs
  • Monitor customer sending patterns like a credit
    company monitors fraudulent charges
  • Monitor/Sign-up to receive complaints from AOL
    and other sources (spamcop, abuse_at_, etc)
  • Remove sources of spam within minutes (Zombie
    machines, insecure CGI scripts, bad customers,
    etc)

15
Thank you!
  • For more information, contact Carl Hutzler
  • cdhutzler_at_aol.com
  • Delivery issues to AOL?
  • See if your network is a source of spam
  • http//postmaster.aol.com/
  • Click on the Feedback Loop Button
  • Contact the AOL Postmaster 24x7
  • 1.888.212.5537
Write a Comment
User Comments (0)
About PowerShow.com