Monday, September 27, 2010

Back to Spam

Most companies make use of some type of spam and virus protection which does a remarkable job of neutralizing unsolicited and detrimental messages, so how is it that spam still exists and thrives to wreak havoc? Below are five of the most common pitfalls that allow spam to continue, and what you can do about each of them:

Zombie Workstations
Whether via an inbound spam message that was missed, a website exploiting a bug in a browser, or an infected file carried onto your network by a user, workstations are very prone to infection with malicious code in the form of a virus, malware, a trojan, or the like. Curing the source can be complicated, but there's a very simple fix that saves the rest of us from those machines sending us spam, and saves your public IP from being blacklisted to boot.

Simply configure an outbound firewall rule to only allow outbound connections on port 25 from your in-house mail server. If you don't have a mail server, then your network shouldn't need to make outbound connections on port 25 (or accept inbound ones, for that matter). You may need to reconfigure some email clients that are using port 25 to connect to their SMTP server, but most servers these days can leave port 587 open for this type of connection.

By preventing your local network from creating outbound port 25 traffic, you remove the ability of your workstations to generate a message and deliver it without going through your gateway, which you, as a good sysadmin, monitor and control.
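As an added example (not the author's configuration), the following Python renders the egress rule described above as iptables commands for a Linux gateway and then shows the defensive payoff of logging the drops: a workstation that keeps hitting the rule is exactly the zombie candidate this section is about. The mail server address (192.0.2.10), the LAN (192.0.2.0/24), the interface names and the log lines are all constructed assumptions for the example.

```python
"""Egress control for SMTP (TCP/25) plus a small detector for workstations that
keep tripping the rule. Constructed addresses from the RFC 5737 documentation
ranges; the mail server (192.0.2.10), the LAN (192.0.2.0/24) and the log
format are assumptions for this example, not the post's environment."""
import ipaddress
import re
from collections import Counter

MAIL_SERVER = ipaddress.ip_address("192.0.2.10")   # assumed in-house mail server
LAN = ipaddress.ip_network("192.0.2.0/24")          # assumed workstation network


def egress_allowed(src_ip, dst_port, proto="tcp"):
    """The rule from the post: only the in-house mail server may open outbound
    connections to port 25. Other ports (e.g. 587 submission) are untouched."""
    src = ipaddress.ip_address(src_ip)
    if proto == "tcp" and dst_port == 25:
        return src == MAIL_SERVER
    return True


def iptables_rules(lan=LAN, mail_server=MAIL_SERVER, wan_if="eth0"):
    """Render the same policy as FORWARD-chain rules for a Linux gateway.
    Rules are returned as strings; nothing is applied by this function."""
    return [
        # Permit the mail server first ...
        f"iptables -A FORWARD -o {wan_if} -p tcp -s {mail_server} --dport 25 -j ACCEPT",
        # ... then log and drop every other LAN host hitting port 25.
        f"iptables -A FORWARD -o {wan_if} -p tcp -s {lan} --dport 25 "
        "-j LOG --log-prefix 'SMTP-EGRESS-DROP: '",
        f"iptables -A FORWARD -o {wan_if} -p tcp -s {lan} --dport 25 -j DROP",
    ]


# Constructed kernel log lines in the shape the LOG target above produces.
SAMPLE_LOG = [
    "Sep 27 10:02:11 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=203.0.113.8 PROTO=TCP SPT=51022 DPT=25",
    "Sep 27 10:02:12 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=203.0.113.9 PROTO=TCP SPT=51023 DPT=25",
    "Sep 27 10:02:12 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.4 PROTO=TCP SPT=51024 DPT=25",
    "Sep 27 10:02:13 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.5 PROTO=TCP SPT=51025 DPT=25",
    "Sep 27 10:05:40 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.88 DST=203.0.113.8 PROTO=TCP SPT=40110 DPT=25",
    "Sep 27 10:06:01 gw kernel: OTHER-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=203.0.113.8 PROTO=TCP SPT=51030 DPT=445",
]

LOG_RE = re.compile(r"SMTP-EGRESS-DROP: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def suspect_hosts(log_lines, threshold=3):
    """Count dropped outbound-25 attempts per LAN source and return the hosts
    at or above the threshold. A workstation that repeatedly tries to reach
    port 25 on the Internet is the zombie candidate the post describes."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue
        src = ipaddress.ip_address(m.group("src"))
        if src in LAN and src != MAIL_SERVER:
            hits[str(src)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print("suspect workstations:", suspect_hosts(SAMPLE_LOG))
```

The LOG rule sits before the DROP rule on purpose: the drop alone protects your reputation, but the log is what tells you which desk to walk to. A single blocked attempt may be a misconfigured client still pointed at port 25; a host hammering the rule against many destinations is the pattern worth investigating.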

Servers Acting as Open Relays
The next largest source of unintentional spam is misconfigured servers, or servers with accounts that have weak passwords. By not having authentication configured correctly you can allow connections from the outside to use your server to send mail. Spammers will simply trawl IP addresses looking for open relays and exploit any hole that is left open for them to send their spam through your server. Additionally, they can find the home server for an email account and attempt to authenticate as that user with a "brute force" password attack. However, brute is not a fitting adjective when you let your users set up their account with a password of "password" or "1234" or the like.

At the very least, we recommend having a good firewall in front of your mail server to look for these types of attacks. Ideally you would have either an edge MTA that acts as a perimeter for your main mail server, or employ a cloud-based solution, so that you can block incoming traffic to your mail server from anybody but that trusted source, which has very high levels of security in place.

Clever Trickery
Spammers are tricky devils and they learn and adapt to email defense systems to break those systems or to circumvent them. One example that demonstrates the type of adaptability that email security professionals have to deal with is backscatter spam. As an operator of a legitimate email server, one of the things your server does to be helpful to other servers is generate email containing error messages when messages encounter problems. For example, if somebody sends you an email to an address that doesn't exist, it is helpful for your server to send the original sender a Non-Delivery Report (NDR) to let them know that their message wasn't delivered.

Spammers can make use of this feature in the following way: they create a message and forge the From: field to contain the email address of their intended target. Then they send this message to an email address they know doesn't exist on your server in your domain. Your server kindly sends back a notification to the person it thought sent the message. In fact you just delivered the message for the spammer from your server and IP address, which the target most likely trusts. This type of spam is difficult to detect and block because it is technically a legitimate notification.

The solution to eradicate this type of spam is to perform the test to see if the user exists during the SMTP conversation. By doing that, your server never actually accepts the message from the sender and therefore need not generate a notification message. The sending server with a legitimate message for a non-existent address is then responsible for notifying its own user of the failure.
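The two server-side decisions from the open-relay and backscatter sections above come down to what the server answers at RCPT TO. The following Python is an added example (not the post's own code, and not a real MTA) that models that policy: relay only for authenticated users or a trusted perimeter host, and refuse unknown local mailboxes during the conversation so no NDR is ever generated. The local domain, mailbox list, client addresses and the trusted edge-MTA network are constructed assumptions; `legacy_accept_then_bounce` models the older accept-then-bounce behaviour purely for contrast.

```python
"""A minimal SMTP policy model for the two decisions discussed above: refuse to
relay for untrusted, unauthenticated clients (no open relay) and verify the
recipient during the SMTP conversation so that unknown users are rejected at
RCPT TO instead of being accepted and bounced (no backscatter). Added example;
the domain, mailbox list and trusted edge-MTA network are constructed."""
import ipaddress

LOCAL_DOMAINS = {"example.com"}                                  # assumed local domain
LOCAL_MAILBOXES = {"alice@example.com", "bob@example.com"}       # constructed mailbox list
TRUSTED_RELAY_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed edge MTA / cloud filter


def _domain(address):
    return address.rpartition("@")[2].lower()


class SmtpSession:
    """Tracks one client's envelope and answers each command with a reply code."""

    def __init__(self, client_ip, authenticated=False):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.authenticated = authenticated
        self.mail_from = None
        self.rcpts = []

    def _from_trusted_perimeter(self):
        return any(self.client_ip in net for net in TRUSTED_RELAY_NETS)

    def mail(self, sender):
        self.mail_from = sender
        return "250 OK"

    def rcpt(self, recipient):
        if _domain(recipient) in LOCAL_DOMAINS:
            # Recipient verification at RCPT time: an unknown local mailbox is
            # refused here, so the message is never accepted and no NDR is
            # generated by this server; the sending MTA reports to its own user.
            if recipient.lower() not in LOCAL_MAILBOXES:
                return "550 5.1.1 User unknown"
            self.rcpts.append(recipient)
            return "250 OK"
        # Non-local recipient: relay only for authenticated users or the
        # trusted perimeter; anything else would make this an open relay.
        if self.authenticated or self._from_trusted_perimeter():
            self.rcpts.append(recipient)
            return "250 OK"
        return "554 5.7.1 Relay access denied"

    def data(self, body):
        if not self.rcpts:
            return "503 5.5.1 No valid recipients"
        return "250 OK queued"


def legacy_accept_then_bounce(sender, recipient):
    """The behaviour backscatter abuses: accept any local address, discover the
    missing mailbox later, then mail an NDR to the (possibly forged) sender.
    Returns (reply, ndr_target); ndr_target is None when no bounce is needed."""
    if _domain(recipient) in LOCAL_DOMAINS and recipient.lower() not in LOCAL_MAILBOXES:
        return "250 OK queued", sender
    return "250 OK queued", None


def conversation(client_ip, sender, recipients, authenticated=False):
    """Run MAIL/RCPT/DATA against the policy and return the reply to each step."""
    s = SmtpSession(client_ip, authenticated)
    replies = [("MAIL FROM", s.mail(sender))]
    replies += [("RCPT TO " + r, s.rcpt(r)) for r in recipients]
    replies.append(("DATA", s.data("...")))
    return replies


if __name__ == "__main__":
    # Forged sender, non-existent local recipient: rejected in-conversation,
    # so there is nothing for this server to bounce.
    for step, reply in conversation("203.0.113.5", "victim@example.org", ["nobody@example.com"]):
        print(f"{step:<28} {reply}")
    print("legacy server would bounce to:",
          legacy_accept_then_bounce("victim@example.org", "nobody@example.com")[1])
```

The point of the model is the order of operations: the 550 goes back to the connecting client while the TCP session is still open, so the forged From: address is never contacted by your server at all. The same RCPT TO check is where relay control belongs; a server that only decides after DATA has already taken on the message and the liability that comes with it.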

Malware, Trojans & Viruses
These three words strike fear into all system administrators. You know that if your workstations become infected with malware, a trojan or a virus you have hours of work ahead of you identifying and eradicating the source.

Malware spreads spam by secretly gaining access to a computer system without the owner's informed consent. The infection can arrive through several sources, including computer viruses, worms, trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software. In the end you are left with a barely working machine that could be blasting out spam and spreading the infection further.

Trojans are malware that appear to perform a desirable function for the user before being run or installed, but instead facilitate unauthorized access to the user's computer system. A trojan is a harmful piece of software that looks legitimate, and users are typically tricked into loading and executing it on their systems. Once executed, the machine is often turned into a zombie bot that sends out spam.

Viruses are computer programs that can copy themselves and infect computers. A virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.

New Spam Tactics
Filter providers continue to hone their techniques in this constant game of cat and mouse. The latest trend is a shift to email worms. "The worm arrives via emails with the subject line 'Here You Have' or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file." (Slashdot)

Wrap up
A few years ago the worst spam you saw was "image spam"; this type of spam tricked the filters because it was a .jpg or .gif file, which at that time was allowed by most servers as a non-threat. However, spam evolves each day to become more aggressive and to prey on your unassuming users. As well, many sources of online threats have shifted their attention from launching attacks through email systems and have targeted web browsers as an often unguarded entryway into a network. To combat all of these threats, it is highly recommended to include a Business Perimeter Security Solution in combination with Web Filtering.
