Like previous efforts to get people to secure their open email relays, the move is essentially a gently persuasive letter-writing campaign, albeit with the weight of government agencies from 26 countries behind it.
Under Operation Spam Zombies, over 3,000 ISPs around the world will be urged to block TCP port 25, used for SMTP email, and to implement rate limiting on outbound email from their end users, the FTC said.
“We encourage you to implement these voluntary anti-zombie measures if you are not already doing so,” the English version of the letter reads.
The letter adds that a second phase of the scheme will involve identifying individual zombie PCs and contacting the ISP responsible to ask them to remediate the problem.
Zombies are PCs that have been compromised by malicious hackers in order to, among other things, send spam. Clustered into botnets, which aggregate the bandwidth and processing power of thousands of boxes, they can be a powerful tool for mischief.
Some ISPs in the US have started blocking port 25 from their subscribers’ machines, on the basis that few of them have a legitimate need to be accessing that port. Others are regulating how many emails a single subscriber can send in a given period.
The idea is that if Old Aunt Margaret is sending out 1,000 emails a second, the ISP doesn’t have to check to see if they’re advertising Viagra in order to figure out she’s been turned into a spam-spewing zombie, and that they should throttle her output.
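The per-subscriber rate limiting the article describes is a simple sliding-window count of outbound SMTP connections. The following is an added illustration, not code from the FTC, Tumbleweed or any ISP named here: it assumes the access network exports flow records as (timestamp, subscriber IP, destination port) tuples, and the sample records, the 60-second window and the 20-connection threshold are constructed values chosen for the demonstration.

```python
"""Flag subscribers whose outbound SMTP (TCP/25) connection rate exceeds a
per-window threshold, in the spirit of the ISP rate limiting described above.
Added example; flow format and thresholds are assumptions, not an ISP's config."""
from collections import defaultdict, deque

SMTP_PORT = 25

# Constructed sample flow records: (timestamp_seconds, subscriber_ip, dst_port).
SAMPLE_FLOWS = []
# An ordinary user: three messages in a minute, plus some web traffic.
SAMPLE_FLOWS += [(0, "10.0.0.5", 25), (20, "10.0.0.5", 443),
                 (30, "10.0.0.5", 25), (55, "10.0.0.5", 25)]
# A steady but legitimate sender: one message every 30 seconds for 15 minutes.
SAMPLE_FLOWS += [(30 * i, "10.0.0.7", 25) for i in range(30)]
# A compromised host: 40 messages in 20 seconds (the "Aunt Margaret" case).
SAMPLE_FLOWS += [(100 + i * 0.5, "10.0.0.9", 25) for i in range(40)]


def find_zombie_candidates(flows, window_s=60, max_conns=20):
    """Return {subscriber_ip: (timestamp, count)} for each subscriber at the
    moment it first exceeds max_conns outbound SMTP connections within any
    trailing window of window_s seconds. Non-SMTP traffic is ignored, so the
    check never needs to inspect message content."""
    recent = defaultdict(deque)   # per-subscriber timestamps inside the window
    flagged = {}
    for ts, ip, port in sorted(flows):
        if port != SMTP_PORT:
            continue
        window = recent[ip]
        window.append(ts)
        # Evict connection timestamps that have aged out of the window.
        while window and window[0] < ts - window_s:
            window.popleft()
        if len(window) > max_conns and ip not in flagged:
            flagged[ip] = (ts, len(window))
    return flagged


def throttle_plan(flows, window_s=60, max_conns=20):
    """Map each flagged subscriber to a human-readable action for the abuse desk."""
    return {ip: f"throttle outbound 25/tcp: {count} connections in {window_s}s at t={ts}"
            for ip, (ts, count) in find_zombie_candidates(flows, window_s, max_conns).items()}


if __name__ == "__main__":
    for ip, action in throttle_plan(SAMPLE_FLOWS).items():
        print(ip, "->", action)
```

The legitimate-but-steady sender never comes close to the threshold, while the burst host is flagged on its 21st connection, so the operator can throttle that subscriber without reading a single message. A production deployment would tune the window and threshold to the observed distribution of honest senders and would typically exempt the ISP's own submission servers.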
Email security vendor Tumbleweed Communications Corp calls the combination of spam, directory harvest attacks, email denial of service attacks, malformed SMTP packets, and invalid recipient addresses “dark traffic”.
“Dark traffic is almost all from DSL lines and cable modems,” said Tumbleweed CTO John Thielens. “We can tell from the dynamic IP addresses that these are mostly home computers. Spammers don’t have this big ‘spam-cannon’ connected to the internet.”
Thielens said that many US ISPs have already implemented the FTC recommendations. This has caused many sites associated with phishing attacks, which are also often hosted on zombies, to move overseas, especially to China, he said.
According to Symantec Corp’s Internet Security Threat Report for the second half of 2004, 25.2% of botted PCs were in the UK. That put Britain ahead of the US (24.6%), China (7.8%), Canada (4.9%) and Spain (3.8%), Symantec said.
“What was conspicuous by its absence, in terms of best practices, was telling ISPs to use really good virus filtering, so their users don’t become zombies in the first place,” said Andrew Lochart, senior director of marketing at anti-spam player Postini Inc. “Maybe it was just too obvious for the FTC to bring it up.”
While the FTC made the announcement yesterday, the initiative came out of a partnership of 27 agencies known as the London Action Plan, formed last October at a meeting hosted by the UK Office of Fair Trading, which is itself a participant in Operation Spam Zombies.
Several ISPs issued statements saying they supported the initiative. The operation follows the recent publication of a set of best practices guidelines by the Messaging Anti-Abuse Working Group, which most of the major ISPs are members of.
MAAWG said ISPs should publish and enforce Acceptable Use Policies, and that patterns of abuse that emanate from an operator’s network should be a concern to that operator and its customer(s) to resolve in a timely manner.
MAAWG also said that downstream providers have the right to implement protective measures that prevent or reduce access from abusive networks, balancing the need to protect their own resources against the desire to deliver a quality messaging service.