Outbound spam mitigation - lessons learned

It's been around seven or eight months since I last blogged about how to mitigate the problem of outbound spam.  Hosted email filters like ourselves, MessageLabs and Postini are all in the same boat: we're not ISPs, and we're not ESPs.  Well, actually, we are kind of like ISPs, except that we don't provide the I-service, only the E-relaying service.  We're a closed relayer of mail for our customers.

We implemented a partial solution this past April and the results have been mixed.  On the one hand, it cut down on a lot of spam flowing out through our outbound servers.  On the other hand, it hasn't fixed everything.  But perhaps the key benefit is that it has revealed a lot about the quality of mail flowing out through us; in other words, we've been able to mine our logs to reconstruct common scenarios.

Over the past couple of weeks, I have personally been researching our outbound spam problem, along with one of my co-workers.  Here's what we have learned so far:

  1. Customers get compromised routinely.

    There is a certain class of customers that routinely sends out spam.  There are two major types: people whose email accounts are broken into, so the spammer sends spam in their name, and organizations that get hacked and send out spam that isn't in any real user's name.  For example:

    john@example.com --> Individual user getting hacked

    qfrt@example.org
    bgft@example.org
    vbcx@example.org --> Organization getting hacked

    In the first example, it's a user whose credentials have been acquired by the spammer.  In the second, it's an organization that is infected, and the bot is clever enough to know which organization it's in, so it sends spam from the organization's domain with made-up local-parts.  The giveaway is that those addresses look obviously spammy: random strings of consonants that no real user would have.

    It's never the same organization for long.  No matter how many I catch, there's going to be a new one tomorrow or next week.

  2. Customers who have been compromised once are likely to be compromised again.

    I see this frequently as well.  If you show up once in one of my scans, I'll probably see you again sometime in the next month.

  3. False positives are routine.

    I've had our client services department follow up on a lot of suspicious-looking email addresses that our filters think are spam.  But in many, many cases, the messages are legitimate.  Sometimes they are newsletters, sometimes they are advertisements, and sometimes they are going to foreign-language recipients and our content filter simply doesn't understand the charset well (i.e., the spam rules are written for English-language mail and "accidentally" fire on other languages).

    This doesn't come as a big surprise; it confirms what I believed from the start, which is why treating outbound like inbound (i.e., dropping suspect messages into a junk mail folder) is not a great idea.  The cost of a false positive on outbound mail is a customer's legitimate message not going out.

  4. If you tell a customer they are spamming, they usually respond pretty quickly.

    Whenever I ask for follow-up about something suspicious, I generally get action from the customer very quickly.  They either fix the problem or confirm that nothing is wrong.  Most of the time they don't push back hard.

    I've also managed to find one customer with improperly set up SPF records.  We got them to fix the records so that their mail would no longer fail SPF checks.
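The post doesn't say what was wrong with that customer's SPF record, but the usual failure for anyone relaying outbound through a hosted filter is a record that lists the customer's own servers and not the relay's, so receivers see an SPF fail on mail that is entirely legitimate.  The following is an added example of my own, not the author's code: a minimal coverage check that walks ip4/ip6/include mechanisms against a constructed TXT table (every domain and address in it is invented) and reports whether each of the relay's assumed egress addresses would get an SPF pass.  It deliberately models only those mechanisms (no a, mx, ptr, exists or redirect handling), which is enough to catch the missing-include case.

```python
"""Added example: check whether a customer's SPF record authorizes the relay.
Minimal evaluator for ip4/ip6/include/all only; everything below is constructed."""
import ipaddress

# Constructed TXT records (domains and addresses are invented for this example).
# example.com lists only its own server and omits the relay, so mail relayed
# through 203.0.113.0/24 fails SPF.  customer.test is the corrected form.
DNS_TXT = {
    "example.com":     "v=spf1 ip4:192.0.2.10 -all",
    "customer.test":   "v=spf1 ip4:192.0.2.10 include:_spf.relay.test -all",
    "_spf.relay.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

# Assumed egress addresses of the hosted relay's outbound servers.
RELAY_ADDRESSES = ("203.0.113.25", "2001:db8::1")

MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-lookup mechanisms at 10 per evaluation

def spf_pass(domain, address, lookups=DNS_TXT, depth=0):
    """True if `domain`'s record yields a Pass for `address`.
    Unsupported mechanisms (a, mx, ptr, exists, redirect=) are skipped,
    so this is a coverage check, not a complete SPF implementation."""
    if depth > MAX_INCLUDE_DEPTH:
        return False
    record = lookups.get(domain, "")
    if not record.startswith("v=spf1"):
        return False                      # no SPF record -> no Pass
    addr = ipaddress.ip_address(address)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                continue                  # malformed mechanism, ignore it
            matched = addr.version == net.version and addr in net
        elif term.startswith("include:"):
            # include matches only if the included record itself gives a Pass
            matched = spf_pass(term[len("include:"):], address, lookups, depth + 1)
        elif term == "all":
            matched = True
        else:
            continue                      # mechanism not modelled here
        if matched:
            return qualifier == "+"       # first match decides; -, ~ and ? are not Pass
    return False                          # Neutral: nothing matched

def relay_coverage(domain, addresses=RELAY_ADDRESSES, lookups=DNS_TXT):
    """Map each relay address to whether `domain`'s record authorizes it."""
    return {a: spf_pass(domain, a, lookups) for a in addresses}

if __name__ == "__main__":
    for d in ("example.com", "customer.test"):
        print(d, relay_coverage(d))
```

Running this against a customer's real record means replacing the constructed table with actual TXT lookups; the point of the check is that any False for a relay address is a customer whose mail will bounce or be junked at SPF-checking receivers until they add the relay's include.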

Those are some of the big ones.  Automating this task is still a work in progress.
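As an added example (not the author's tooling; the log format, addresses and thresholds are constructed for it), here is the kind of scan that points 1 and 2 describe: it reads outbound relay log lines, flags a single account sending to an unusual number of distinct recipients (the john@example.com case), flags a customer domain that suddenly emits mail from several random-looking local-parts (the qfrt/bgft/vbcx case), and marks anything already seen in a previous scan as a repeat offender.  The thresholds are assumptions to be tuned from real logs, and, given point 3, the output is a list for client services to follow up on, not something to block on.

```python
"""Added example: mine outbound relay logs for the two compromise patterns
described above and mark repeat offenders.  Log format, addresses and
thresholds are all constructed for this example."""
import re
from collections import defaultdict

# Constructed outbound log lines (an invented format, not the author's).
SAMPLE_LOG = """\
2010-10-04T08:12:01 from=<john@example.com> to=<r1@partner.test> status=sent
2010-10-04T08:12:02 from=<john@example.com> to=<r2@partner.test> status=sent
2010-10-04T08:12:02 from=<john@example.com> to=<r3@partner.test> status=sent
2010-10-04T08:12:03 from=<john@example.com> to=<r4@partner.test> status=sent
2010-10-04T08:12:03 from=<john@example.com> to=<r5@partner.test> status=sent
2010-10-04T08:12:04 from=<john@example.com> to=<r6@partner.test> status=sent
2010-10-04T08:12:05 from=<qfrt@example.org> to=<x1@freemail.test> status=sent
2010-10-04T08:12:05 from=<bgft@example.org> to=<x2@freemail.test> status=sent
2010-10-04T08:12:06 from=<vbcx@example.org> to=<x3@freemail.test> status=sent
2010-10-04T08:12:07 from=<alice@example.net> to=<bob@partner.test> status=sent
2010-10-04T08:12:08 from=<newsletter@example.net> to=<list@partner.test> status=sent
2010-10-04T08:12:09 relay=out1 queue_depth=3
"""

LINE_RE = re.compile(r"from=<([^>]+)>\s+to=<([^>]+)>")
VOWELS = set("aeiou")
RECIPIENT_THRESHOLD = 5       # assumed: distinct recipients per sender per window
RANDOM_SENDER_THRESHOLD = 2   # assumed: random-looking senders per domain

def looks_random(local_part):
    """Heuristic for bot-generated local-parts like qfrt/bgft/vbcx:
    all letters, at least three of them, and no vowels."""
    lp = local_part.lower()
    return lp.isalpha() and len(lp) >= 3 and not (set(lp) & VOWELS)

def parse_log(text):
    """Yield (sender, recipient) pairs; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1).lower(), m.group(2).lower()

def scan(text, previously_flagged=frozenset()):
    """Return {sender_or_domain: reason} for suspicious outbound activity."""
    recipients = defaultdict(set)      # sender -> distinct recipients
    random_senders = defaultdict(set)  # domain -> random-looking senders
    for sender, rcpt in parse_log(text):
        recipients[sender].add(rcpt)
        local, _, domain = sender.partition("@")
        if looks_random(local):
            random_senders[domain].add(sender)

    findings = {}
    # Pattern 1: one real account, hijacked, blasting to many recipients.
    for sender, rcpts in recipients.items():
        if len(rcpts) >= RECIPIENT_THRESHOLD:
            findings[sender] = "possible account compromise: %d distinct recipients" % len(rcpts)
    # Pattern 2: a customer domain emitting mail from made-up local-parts.
    for domain, senders in random_senders.items():
        if len(senders) >= RANDOM_SENDER_THRESHOLD:
            findings[domain] = "possible organization compromise: random senders %s" % ", ".join(sorted(senders))
    # Point 2 above: anything seen in an earlier scan gets priority follow-up.
    for key in findings:
        if key in previously_flagged:
            findings[key] += " (repeat offender)"
    return findings

if __name__ == "__main__":
    for key, reason in sorted(scan(SAMPLE_LOG, previously_flagged={"example.org"}).items()):
        print(key, "->", reason)
```

The no-vowel test is crude on purpose: it catches the consonant-string local-parts the bots in this post generate and leaves john, alice and newsletter alone, but it would also fire on a legitimate short initialism, which is exactly why the findings go to a person rather than to a block list.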