Preventative measures against spam and viruses for wireline and wireless operators

In March of this year, service providers lined up at the doorstep of Capitol Hill ready to take action against spammers. The lawsuits were the first to seek enforcement of provisions in the national CAN-SPAM legislation, which went into effect on January 1, 2004. It is not difficult to understand why--according to Forrester Research, "ISPs are choking. Spam volume imposes millions of dollars in costs on service providers and e-mail providers for better filters, software development, bandwidth, servers and storage." To spammers and hackers, service providers are welcome targets because they are, literally, where the Internet is. That said, messaging anti-abuse for both wireless and wireline operators requires an unconventional approach with various considerations.

Legislation alone cannot solve the problem. There is no single solution that will eradicate messaging abuse. The service provider dilemma can only be solved through a combination of different avenues including collaboration, public policy and technology. 

Through collaboration, wireless and wireline operators can develop a code of conduct for accepted behavior to handle operator abuse; develop a trusted inter-operator network for messaging; and share industry best practices for various forms of abuse including spam, viruses, denial of service attacks and undesired content. In terms of technology, it is incumbent upon the industry to develop and define a reference architecture and network standards-based technologies for combating messaging abuse, including the reduction of spoofing and prevention of identity forging. Finally, public policy plays a critical role, as there need to be effective interfaces to key standards and legislative bodies.

Created in December of 2003, The Messaging Anti-abuse Working Group (MAAWG) is a consortium of ISPs, operators and cable companies who have banded together to tackle messaging abuse head-on. The group consists of 22 service providers from North America, Latin America, Europe, Asia-Pacific and Japan, representing a total of 80 million subscribers and 40 million e-mail accounts. For operators, sharing their experiences with each other is imperative.

For example, one service provider in MAAWG was having a problem with outbound spam. It was sending tremendous amounts of messages to another service provider, which made it known that it was receiving too much spam relayed out of that particular service provider's system. As a result, they were able to work out a solution and ratchet down bad spam flow from approximately 32 million messages per day to 15,000 messages per day.

As the image below illustrates, there are three levels of defense that service providers must address when they deploy an effective solution to fight spam, viruses and malicious attacks:

Strategically, messaging abuse is best fought at the network edge, before it gets into the system. Edge defenses monitor the connections into the service provider's messaging system identifying abusive behavior or characteristics at the connection rather than the message level. Therefore, if an abuser is detected, the connection can be immediately interrupted for further investigation or cut to prevent the message from being sent.

As an added level of protection, service providers can implement filtering solutions: both anti-virus and anti-spam filters examine individual message content to detect abuse and weed out the infected or illegitimate messages. End users also play a part in detecting messaging abuse through end-user controls where 'allow' and 'deny' lists can be customized.

While each of these solutions is effective in its own right, it is difficult and costly to rely on only one to do the job. For example, spammers can navigate around filtering solutions by sending massive amounts of messages, creating giant spikes in the usual message traffic volume. This kind of behavior not only overwhelms the filter but also risks destabilizing the entire messaging system, creating an outage or denial of service attack. On the other hand, some spam and viruses can only be detected after they reach the server, in which case filtering solutions can detect and isolate the message. Service providers and operators need both edge defense and filtering technologies to ensure a safe environment for customers.

Operators and ISPs must choose their battles and focus on the key issues:

Real time protection. If Operator A deploys an application to make sure it doesn't send outbound spam and Operator B and Operator C both implement controls to prevent outbound spam, Operator A knows that messages coming from Operator B and Operator C are "trusted messages." Operator A sets up its system so that anytime it gets a connection from Operator B or C, it's a trusted connection. Operator A's system might not need to do any scrubbing on those connections, focusing its efforts elsewhere. But if those connections are questionable, Operator A might run a simple test to establish status: Are those connections hazardous or not? If they are, the technology hands the connection off, runs additional tests, and Operator A has the opportunity to rate it or adjust the sensitivity of its entire system based on the type of spam attack that has occurred. This is an important capability because the types of spam attacks change all the time. Solutions need to evolve over time, just as the nature of message abuse evolves. The key is that whatever software operators deploy needs to be able to evolve in real time.

Identity forgery. Operators should pick a solution flexible enough that it does not allow IP addresses to be manipulated into forgeries, and that recognizes IP address forgery as a viable way for an attack to flood the system. The software needs to understand when an address tries to look like someone else. Tests should be run to determine identity, and operators should be able to accept or reject any connection based on this data. These methods consist of real-time rate-limiting, forgery prevention SMTP tests, DNSBL services and directory harvest attack prevention.

Add costs to spammers. Part of an overall operator solution is dynamically rate-limiting how many messages anyone is allowed to send at any one time. Operators need a solution that looks at outbound mail traffic from the source: if it's outside normal behavior, it slows down message processing. If the queued messages continue to pile up, for as little as a millisecond or as long as an hour, then the spammer's connection adds costs and hassles for the spammers instead of the operator.
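The dynamic rate-limiting described above can be sketched as a per-source throttle whose hold time grows as a sender moves further outside normal behavior. This is an added example, not code from the article or from any vendor product; the baseline of 30 messages per 60 seconds, the doubling rule and the names are assumptions.

```python
from collections import defaultdict, deque


class OutboundThrottle:
    """Per-source tarpit: the delay grows with how far a sender exceeds normal volume."""

    MIN_DELAY = 0.001   # seconds: "as little as a millisecond"
    MAX_DELAY = 3600.0  # seconds: "as long as an hour"

    def __init__(self, normal_per_window=30, window=60.0):
        # Assumed baseline: 30 messages per 60 s counts as normal behavior.
        self.normal = normal_per_window
        self.window = window
        self.recent = defaultdict(deque)  # source -> timestamps inside the window

    def delay_for(self, source, now):
        """Record one message from `source` at time `now`; return seconds to hold it."""
        stamps = self.recent[source]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()              # forget traffic older than the window
        stamps.append(now)
        excess = len(stamps) - self.normal
        if excess <= 0:
            return 0.0                    # within normal behavior: no added cost
        # Double the hold for each message over the baseline, capped at one hour.
        # The exponent is clamped so the multiplication cannot overflow a float.
        return min(self.MAX_DELAY, self.MIN_DELAY * 2 ** min(excess - 1, 40))


def simulate(throttle, source, count, spacing):
    """Feed `count` constructed messages from `source`, one every `spacing` seconds."""
    return [throttle.delay_for(source, i * spacing) for i in range(count)]


if __name__ == "__main__":
    throttle = OutboundThrottle()
    subscriber = simulate(throttle, "subscriber", 10, 6.0)  # 10 messages a minute
    zombie = simulate(throttle, "zombie", 60, 0.1)          # 60 messages in 6 s
    print("subscriber max hold:", max(subscriber))
    print("zombie holds (msg 31, 40, 60):", zombie[30], zombie[39], zombie[59])
```

A subscriber sending at a normal pace is never delayed, while the burst from the infected host reaches the one-hour cap within a few dozen messages and returns to zero once the window has passed.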

Outbound problems are the result of one of the biggest trends in spam today--the convergence of spam and viruses to create "zombies"--and are the latest challenge for service providers. Spammers can infect another user's PC with a virus that can generate massive amounts of spam. The criminal's identity is cloaked and it appears that the service provider is to blame. The problem is not just wireline-specific; it plagues wireless operators as well.

Traditional anti-abuse solutions offer a historical approach and focus on well-known actions and behaviors. Spammers can easily exploit IP address blocking. The average lifetime of a spammer's IP address is now less than 1200 seconds and continues to fall. The trick is using a solution that can be deployed in real time. By incorporating a voting framework that looks at IP addresses and provides a score, operators can "rank" IP addresses based on behavior within a 24-hour time period, thwarting message abuse by a vast percentage. Thus, if a message "behaved badly" yesterday, or even two hours ago, then the connection can be dropped.
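One way to picture the voting framework described above is a board where each edge test casts a weighted vote against an IP address and only votes from the last 24 hours count toward the score. This is an added example, not the article's or any product's implementation; the voter names, weights, thresholds and the documentation-range IP addresses are assumptions.

```python
from collections import deque

DAY = 24 * 3600  # the 24-hour ranking period, in seconds

# Assumed weights for the edge tests the article lists.
WEIGHTS = {
    "rate_exceeded": 2,
    "forged_identity": 3,
    "dnsbl_listed": 4,
    "directory_harvest": 5,
}


class ReputationBoard:
    """Scores an IP address from the votes cast against it in the last 24 hours."""

    def __init__(self, throttle_at=4, drop_at=8):
        self.throttle_at = throttle_at  # assumed threshold
        self.drop_at = drop_at          # assumed threshold
        self.votes = {}                 # ip -> deque of (timestamp, weight)

    def vote(self, ip, voter, now):
        """Record that `voter` flagged `ip` at `now` (votes arrive in time order)."""
        self.votes.setdefault(ip, deque()).append((now, WEIGHTS[voter]))

    def score(self, ip, now):
        votes = self.votes.get(ip)      # .get() so lookups never create state
        while votes and now - votes[0][0] >= DAY:
            votes.popleft()             # votes older than 24 hours stop counting
        if not votes:
            self.votes.pop(ip, None)    # fully aged out: free the entry
            return 0
        return sum(weight for _, weight in votes)

    def decide(self, ip, now):
        """Connection-time decision: 'accept', 'throttle' or 'drop'."""
        s = self.score(ip, now)
        if s >= self.drop_at:
            return "drop"
        return "throttle" if s >= self.throttle_at else "accept"


if __name__ == "__main__":
    board = ReputationBoard()
    board.vote("192.0.2.10", "forged_identity", 0)        # constructed events
    board.vote("192.0.2.10", "directory_harvest", 7200)
    for t in (7200, DAY + 1, DAY + 7200):
        print(t, board.decide("192.0.2.10", t))
```

Because votes expire, an address that is reassigned to a legitimate user returns to "accept" after a day without new votes, which a static block list would not allow.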

An operator's anti-abuse protection should protect its broadband and mobile assets alike--e-mail, SMS and MMS. Many wireless operators want to tap into a new revenue source by enabling email users to communicate with SMS and MMS users. But these services must be complemented with an anti-abuse solution. 

A lot of operators are deploying gateways that enable value-added services like e-mail-to-SMS and e-mail-to-MMS. If operators utilize such services, they will need to protect their end users. Mobile devices are at a high risk of becoming infected with viruses, which in turn infect the address book and contact list and spread via MMS, imposing enormous costs on the operator and end user. Viruses have already been created to exploit vulnerabilities in mobile phones and handheld computers. In Europe there have been cases where operators have turned off their e-mail-to-handset gateway because of wireless spam. A lot of operators enable subscribers to send messages with their phone numbers, so it is very easy for spammers to get valid e-mail addresses to attack whole subscriber bases within a couple of hours. One way to avoid this is to implement an e-mail address for the handset, and select an e-mail alias that is harder to detect and easier to change.

Many operators use Web portals to send messages, and screen-scraping is a potential source of spam for wireless operators, as are paging interfaces or paging applications that deliver messages to the handset. Then there is mobile-to-mobile spam, where a spammer can pretend to be an SMS handset. Prepaid cards with near-zero balances enable spammers to launch an attack before operators realize what has happened.

As the battle against messaging abuse continues, the industry needs to be as innovative and creative as the culprits in an effort to stop spammers and hackers cold in their tracks and prevent the next generation of messaging abuse.

Rich Wong is the general manager of messaging and anti-abuse at Openwave Systems. He can be reached at Richard.wong@openwave.com.

© 2012 Penton Media Inc.