Last month, I stumbled upon SpamRankings.net and was surprised to discover that Microsoft was listed there as the #1 spam source:
Curious, I did some digging into the methodology. Although the methodology page currently says that the data comes from the CBL blocklist, at the time I inquired they were pulling data from the PSBL.
The PSBL is the Passive Spam Block List; an IP ends up on it because mail from that IP was delivered into one of its spam traps.
Here are the Top Ten Organizations for July:
1. Microsoft
2. Quality Technology Services
3. Acxiom Digital, Inc.
4. Internap Network Services Corporation
5. Limelight Networks
6. Sago Networks
7. AT&T Internet Services
8. AOL Transit Data Network
9. Level 3 Communications
10. DoD Network Information Center
Organizations 2, 4, 5, 6, 7, 8 and 9 are all services that provide hosting to customers. #3 provides services for email communication. I checked out all of Microsoft’s IP addresses (I asked for them), and the majority of them belong to Hotmail.
What do all of these services have in common?
They all use shared IP address space to send outbound mail. For the hosting providers, they sign up a bunch of customers and those customers use them to send and receive email. However, they only have so many IP addresses and therefore some of them must share outbound IP space. When one (or many) of those customers gets compromised, they can degrade the IP reputation of the rest of the customer base. I speak from experience because this is exactly the same thing that happens to our customer base.
Microsoft/Hotmail is the same. It is a free service and it has many legitimate users. But it also has spammers signing up for the service, (ab)using it to send spam. This ends up polluting the outbound IP reputation of all of Hotmail even though spammers (as individuals) only account for a small minority of their user base.
I’m not on the Hotmail team, but I have a basic familiarity with how they control outbound spam:
- Like everyone else, they have a CAPTCHA for their sign-up process. That’s not perfect, but it’s a start.
- They use outbound filtering to look for patterns of spam.
- They use reputation and look for fraud patterns during the sign-up process.
- They use rate limiting, especially for new accounts. A spammer, or anyone, cannot just sign up and send as much mail as they want. New users are hit with throttles as to how much mail they can send per day, and it isn’t very high.
Unfortunately, spammers know what these limits are. They sign up, spam up to the limit, and then discard the account, so even very low limits do not stop them on their own.
They have put a lot of effort into combatting fraud; unfortunately, spammers are equally determined to get through. Even in our own environment, we have seen spammers send spam from compromised accounts to test accounts at free webmail providers (the big three) to see if their spam gets through. Once they see that it does, they send a flood of spam.
Thus, even though big providers have outbound antispam controls, spammers are actively deconstructing those controls in an attempt to evade them. It’s very difficult for shared services to completely eliminate their outbound spam because they partially rely upon the security of their downstream customer base.
This also represents an emerging challenge for IP blocklists. In the good old days (the 90’s and early-to-mid 2000’s), an IP address could be associated with a particular domain or organization (or shouldn’t have been sending mail at all, as is the case for IPs on the PBL). One shift since then has been towards hosted email and shared IP space, and therefore shared reputation.
IP blocklists need to be aware that blocking an IP in shared IP space will end up causing false positives – you block the small amount of spam but also block the large amount of good mail.
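To make the shared-reputation problem concrete, here is an added example (not code from the original post or from any provider it mentions). It models a provider that puts many accounts behind one outbound IP, applies the kind of per-account daily throttle described above (stricter for new accounts), and then compares what an IP-level block costs in good mail against what the provider can do at the account level. Every number in it, including the account counts, send volumes and throttle limits, is constructed for illustration and is not taken from the post.

```python
"""Shared outbound IP reputation: throttling, spam ratio, and IP-block collateral damage.

Constructed model (not from the original post). A few accounts behind one
outbound IP are spammers (throwaway sign-ups or compromised accounts); the
rest are legitimate. We measure the spam/ham mix the IP presents to the
world with and without per-account throttling, and the good mail lost if a
blocklist blocks the whole IP instead of the provider blocking accounts.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed throttle tiers (constructed values, not any provider's real limits).
NEW_ACCOUNT_AGE_DAYS = 7
NEW_ACCOUNT_DAILY_LIMIT = 50
ESTABLISHED_DAILY_LIMIT = 500


@dataclass
class Account:
    name: str
    age_days: int
    wanted: int        # messages the account tries to send today
    is_spammer: bool   # throwaway spam sign-up or compromised account


@dataclass
class IpStats:
    spam: int
    ham: int
    spammer_accounts: int
    total_accounts: int

    @property
    def spam_ratio(self) -> float:
        total = self.spam + self.ham
        return self.spam / total if total else 0.0


def daily_limit(acct: Account) -> int:
    """New accounts get a small quota; established accounts a larger one."""
    if acct.age_days < NEW_ACCOUNT_AGE_DAYS:
        return NEW_ACCOUNT_DAILY_LIMIT
    return ESTABLISHED_DAILY_LIMIT


def messages_sent(acct: Account, throttle: bool = True) -> int:
    """Messages that actually leave via the shared IP today."""
    return min(acct.wanted, daily_limit(acct)) if throttle else acct.wanted


def shared_ip_stats(accounts: List[Account], throttle: bool = True) -> IpStats:
    """Aggregate what the outside world (and a spam trap) sees from this IP."""
    spam = ham = 0
    for acct in accounts:
        sent = messages_sent(acct, throttle)
        if acct.is_spammer:
            spam += sent
        else:
            ham += sent
    spammers = sum(1 for a in accounts if a.is_spammer)
    return IpStats(spam, ham, spammers, len(accounts))


def block_ip_impact(stats: IpStats) -> Tuple[int, int]:
    """An IP-level block stops all spam but also all good mail: (spam_blocked, ham_blocked)."""
    return stats.spam, stats.ham


def block_accounts_impact(accounts: List[Account], throttle: bool = True) -> Tuple[int, int]:
    """Idealized provider-side response: block only the spamming accounts."""
    spam_blocked = sum(messages_sent(a, throttle) for a in accounts if a.is_spammer)
    return spam_blocked, 0


def build_sample_accounts() -> List[Account]:
    """Constructed population: 200 accounts, 5 of them spamming (2.5%)."""
    accounts = [Account(f"legit-{i}", age_days=400, wanted=20, is_spammer=False) for i in range(190)]
    accounts += [Account(f"newlegit-{i}", age_days=2, wanted=10, is_spammer=False) for i in range(5)]
    # Throwaway sign-ups: brand new, try to blast as much as possible.
    accounts += [Account(f"throwaway-{i}", age_days=0, wanted=10000, is_spammer=True) for i in range(3)]
    # Compromised long-standing accounts: established quota, still abused.
    accounts += [Account(f"compromised-{i}", age_days=900, wanted=2000, is_spammer=True) for i in range(2)]
    return accounts


if __name__ == "__main__":
    accts = build_sample_accounts()
    for throttle in (False, True):
        s = shared_ip_stats(accts, throttle)
        print(f"throttle={throttle}: spam={s.spam} ham={s.ham} "
              f"spam_ratio={s.spam_ratio:.2f} spammers={s.spammer_accounts}/{s.total_accounts}")
    s = shared_ip_stats(accts)
    print("block IP  -> spam blocked, ham blocked:", block_ip_impact(s))
    print("block accts -> spam blocked, ham blocked:", block_accounts_impact(accts))
```

With these constructed figures, 2.5% of the accounts produce roughly a quarter of the IP's throttled volume (and the overwhelming majority of it unthrottled), which is enough to land the IP in a spam trap, yet an IP-level block discards several thousand legitimate messages to stop that spam. The account-level comparison is idealized (it assumes the provider can identify every spamming account), but it shows why the shared IP rather than the individual sender is the wrong unit for a blocklist to act on.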
The problem is still under control for the time being, but it’s something to be aware of.