New spammer scheme uses ISPs to get around blacklists, leading one expert to predict "e-mail meltdown."
Spam levels are about to skyrocket, according to experts who warned this week that spammers have developed a new way of delivering their wares.
According to the SpamHaus Project—a U.K.-based antispam compiler of blacklists that block 8 billion messages a day—a new piece of malicious software has been created that takes over a PC. This "zombie" computer is then used to send spam via the mail server of that PC's Internet service provider. This means the junk mail appears to come from the ISP, making it very hard for an antispam blacklist to block it.
Previously, zombie PCs have been used as mail servers themselves, sending spam e-mails directly to recipients.
"The Trojan is able to order proxies to send spam upstream to the ISP," said Steve Linford, director of SpamHaus.
Linford believes that this Trojan horse was created by the same people who write spamming software.
ISPs in the United States may have already been hit. "We've seen a surge in spam coming from major ISPs. Now all of the ISPs are having large amounts of spam going out from their mail servers," Linford said.
This will cause serious problems for the e-mail infrastructure, as it is impractical to block mail with domain names from large ISPs. Linford predicts that ISPs will see a growth in the volume of bulk mail they send and receive over the next two months, with spam levels rising from 75 percent of all e-mail to around 95 percent within a year.
"The e-mail infrastructure is beginning to fail," Linford warned. "You'll see huge delays in e-mail and servers collapsing. It's the beginning of the e-mail meltdown."
Linford said that ISPs need to act fast to take control of the problem. "They've got to throttle the number of e-mails coming from ADSL accounts. They are going to have to act quickly to clean incoming viruses. ISPs have so much spam—they are too understaffed to call people up and tell them they have Trojans on their machines. And no one would know what you're talking about."
Antispam company MessageLabs confirmed Linford's findings.
"This ups the ante in the need for filters," said Mark Sunner, chief technology officer for MessageLabs. "It makes it more difficult for people who compile blacklists, which is why spammers are doing this. It will put more pressure on ISPs to take greater interest in the traffic they carry and filter at source."
The Information Commissioner's Office, the United Kingdom's point-of-call to report spam, said it had received no complaints of bulk spam from ISPs.
Some U.S.-based ISPs contacted by News.com said an e-mail meltdown has yet to arrive. But technicians at some of the largest Internet providers have acknowledged the issue and similar exploits in the past. Many, but not all, U.S. ISPs have blocked open relay ports, such as port 25, to shut out spammers from disseminating messages from home-operated servers. The block has helped some broadband ISPs limit the output of zombie spam, and some have noticed the new form of malware taking shape.
Time Warner Cable, the nation's second largest cable company, said it had become aware of this spam "vector," as it calls it, and has mechanisms to control it, according to company spokesman Keith Cocozza. He noted that the company's ISP, called Road Runner, has outgoing e-mail limits in place, but declined to elaborate on how the company monitors and responds to this malware issue.
Earthlink, which runs a dial-up and broadband service, said it noticed a gradual increase in spam volume coming from its legitimate mail servers since the beginning of 2004. The company claims it has implemented safeguards, such as authenticated SMTP servers and re-routing of legitimate e-mail, to cut down the flow.
"Overall we've been able to greatly reduce the amount of spam from our network by routing activities and applying chokepoints," said Trip Cox, Earthlink's chief technology officer. Cox added that the measure have reduced spam from 30 percent of the ISP's total e-mail volume to 2 percent.
Dan Ilett of ZDNet UK reported from London.