Until now, most spammers sent their stuff through open relays — Internet-connected computers that were either unprotected, or else had been compromised by viruses or trojans into sending the spam without the owner being aware. But that is changing, says AppRiver, and it has big implications for how spammers work and may render useless today’s big thing: email authentication.
Up until now, AppRiver says, ISPs could presume that if they forced a sender to authenticate before relaying a message, that sender could be trusted, because spammers wouldn’t have access to the authentication credentials. Authenticating a message basically means you must use a password to send an email as well as to receive it. Before, so long as you knew the correct server for your ISP, you didn’t need a password.
What the bad guys are doing now, AppRiver says, is hacking into the ISPs, figuring out those passwords, and then sending their email through those compromised accounts. This is not only a security risk, it increases the chance that the spammer’s emails will now get through, since they come from what are called “trusted systems” — email servers that require authentication. A survey in April by the Email Sender and Provider Coalition found that 16 of the 18 top U.S. ISPs were applying authentication to outgoing e-mails, and eight of those ISPs were also checking for inbound authenticated e-mail and applying some sort of filter to the mail as a result, according to ClickZ News.
AppRiver’s Chief Science Officer, Peter McNeil, predicts that as this tactic becomes widespread, sender reputation services touted by the big boys — Microsoft’s Sender ID, for example — will effectively wither on the vine. In the meantime, it’s going to mean that for those spammers who have perfected this new art, their junk is more likely to get through than other junk because it appears to be authenticated. (More on all this at SearchSecurity.com, which wrote a piece on it while I was still trying to figure it out.)
This is not a new trend at all. I noticed at least two years ago that there were attempts to supply logins and passwords (dictionary attacks) to my small home SMTP server.
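Both halves of the story above leave traces in a mail server’s authentication log: the dictionary attacks mentioned in the comment show up as one client address failing SMTP AUTH against many different usernames, and a stolen ISP password being used from spammer infrastructure shows up as one account authenticating successfully from many unrelated addresses. The following script is an added example, not code from the post, from AppRiver or from any mail server project. It parses a constructed, simplified Postfix/SASL-style log format (real Postfix lines differ and do not always include the username), and the thresholds it uses are illustrative assumptions to be tuned per server.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified Postfix/SASL-like format (not real traffic).
SAMPLE_LOG = """\
Jun 12 10:00:01 mx smtpd[2101]: client=unknown[203.0.113.9]: SASL LOGIN authentication failed: user=admin
Jun 12 10:00:02 mx smtpd[2101]: client=unknown[203.0.113.9]: SASL LOGIN authentication failed: user=root
Jun 12 10:00:03 mx smtpd[2101]: client=unknown[203.0.113.9]: SASL LOGIN authentication failed: user=info
Jun 12 10:00:04 mx smtpd[2101]: client=unknown[203.0.113.9]: SASL LOGIN authentication failed: user=test
Jun 12 10:00:05 mx smtpd[2101]: client=unknown[203.0.113.9]: SASL LOGIN authentication failed: user=alice
Jun 12 10:00:06 mx smtpd[2101]: client=unknown[203.0.113.9]: SASL LOGIN authentication failed: user=bob
Jun 12 10:00:07 mx smtpd[2101]: client=unknown[203.0.113.9]: SASL LOGIN authentication failed: user=sales
Jun 12 10:00:08 mx smtpd[2101]: client=unknown[203.0.113.9]: SASL LOGIN authentication failed: user=admin
Jun 12 10:05:10 mx smtpd[2102]: client=home.example.net[198.51.100.4]: SASL PLAIN authentication failed: user=alice
Jun 12 10:05:20 mx smtpd[2102]: client=home.example.net[198.51.100.4]: SASL PLAIN authentication succeeded: user=alice
Jun 12 11:00:00 mx smtpd[2103]: client=unknown[192.0.2.10]: SASL PLAIN authentication succeeded: user=bob
Jun 12 11:00:30 mx smtpd[2104]: client=unknown[192.0.2.77]: SASL PLAIN authentication succeeded: user=bob
Jun 12 11:01:00 mx smtpd[2105]: client=unknown[203.0.113.50]: SASL PLAIN authentication succeeded: user=bob
Jun 12 11:01:15 mx smtpd[2106]: client=unknown[198.51.100.200]: SASL PLAIN authentication succeeded: user=bob
Jun 12 11:02:00 mx smtpd[2107]: this line does not match the format and is skipped
"""

# Pattern for the constructed format above; adapt to your own server's log syntax.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smtpd\[\d+\]: "
    r"client=[\w.-]+\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\w+) authentication "
    r"(?P<result>succeeded|failed): user=(?P<user>\S+)$"
)


def parse_log(text):
    """Return one dict per parseable authentication line; other lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_dictionary_attacks(events, min_failures=5, min_users=3):
    """Client IPs that fail authentication repeatedly across many distinct usernames.

    A legitimate user mistyping a password hits one account from one place;
    a dictionary attack walks through many usernames from a single client.
    Thresholds are illustrative assumptions.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            failures[e["ip"]].append(e["user"])
    return {
        ip: {"failures": len(users), "distinct_users": len(set(users))}
        for ip, users in failures.items()
        if len(users) >= min_failures and len(set(users)) >= min_users
    }


def detect_shared_credentials(events, min_ips=3):
    """Accounts that authenticate successfully from many distinct client IPs.

    A stolen password tends to be used from the spammer's infrastructure rather
    than from the owner's usual connection, so one account fanning out across
    unrelated addresses is worth a look. Threshold is an illustrative assumption.
    """
    logins = defaultdict(set)
    for e in events:
        if e["result"] == "succeeded":
            logins[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in logins.items() if len(ips) >= min_ips}


def analyse(text):
    """Run both heuristics over a log text and return the findings."""
    events = parse_log(text)
    return {
        "dictionary_attacks": detect_dictionary_attacks(events),
        "suspicious_accounts": detect_shared_credentials(events),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, stats in report["dictionary_attacks"].items():
        print(f"dictionary attack from {ip}: {stats['failures']} failures "
              f"against {stats['distinct_users']} usernames")
    for user, ips in report["suspicious_accounts"].items():
        print(f"account {user} authenticated from {len(ips)} addresses: {', '.join(ips)}")
```

On the sample, the first heuristic singles out 203.0.113.9 (eight failures spread over seven usernames) while leaving alone the home user who mistyped a password once, and the second flags the account bob, which logged in from four different addresses within a few minutes. Neither check proves compromise on its own; in practice the flagged accounts would be cross-checked against outbound message volume and the failing addresses fed to a rate limiter or a fail2ban-style blocker.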