
80% of Spam Originating from Home PCs

The majority of spam — as much as 80 per cent of all unsolicited marketing messages sent — now emanates from residential ISP networks and home user PCs. This is due to the proliferation of spam trojans, bits of surreptitious malware code embedded in residential subscriber PCs by worms and spyware programs.

Worm attacks are growing in frequency because they provide a fast means of infecting a vast number of computers with spam trojans in a very short period of time. It's no surprise that many service providers report an upsurge in spam traffic immediately following a worm attack. Worms can credibly be seen as the delivery mechanism for unsolicited mass-market direct email campaigns.

The trend toward automating spam by hijacking home user machines has become a significant threat to service provider business models: it imposes unplanned costs, disrupts service and makes smaller providers targets for large ISPs, who see their networks as sources of malicious traffic.

Spam is now a problem for everyone who uses or provides Internet access: ISP networks, enterprise customers and end users. In all cases the spam problem is unlikely to abate without active intervention by internet service providers.

Spam trojans exploit vulnerabilities created by worms to bypass normal email routing and use SMTP to drop spam messages directly into end user machines.


In practical terms this means large volumes of spam traffic getting past outbound spam filters and "gumming up" email servers on the inbound side. Most spam filters succeed in identifying only 90 per cent of spam, a level of effectiveness that can be overcome by the massive volume of messages spam trojans are capable of generating.

This mushrooming volume of email is forcing ISPs to purchase additional email servers to accommodate spam-induced traffic and avoid service degradation. Anti-spam software must then be purchased and installed on each.

For small to medium sized ISPs, the proliferation of spam sent via spam trojans is also drawing the unwanted attentions of large service providers, who are coming to see smaller providers as sources of spam and other malicious traffic. Antagonisms have begun to surface and at least one major service provider is issuing 'cease & desist' letters to smaller ISP competitors, warning that their entire domain could be blacklisted if the spam emanating from their networks is not addressed.


A multi-layered approach to the spam problem is required. While spam filters on both mail servers and end user machines should continue as one line of defense against unsolicited email, the sheer volume of email traffic generated by spam trojans means additional defenses must be added to ISP network infrastructure. Traditional spam filtering techniques based on the content of messages must be augmented with techniques that recognize the unique behaviour of spam trojans on the network and take appropriate action: stop spam traffic from leaving a host network, or black-hole it if and when it arrives from another.
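One way to recognize that behaviour from network data rather than message content, as an added example that is not part of the original article: count the distinct port-25 destinations each subscriber address contacts outside the ISP's own relay. The address ranges, relay address, flow-record layout and threshold are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (not from the article): documentation-range
# addresses, a /24 subscriber pool, one sanctioned outbound relay.
SUBSCRIBER_POOL = ipaddress.ip_network("198.51.100.0/24")
OUTBOUND_RELAYS = {ipaddress.ip_address("192.0.2.25")}

def build_sample_flows():
    """Constructed flow records: (source IP, destination IP, destination port)."""
    flows = [("198.51.100.10", "192.0.2.25", 25)] * 12           # mail via the ISP relay
    flows += [("198.51.100.77", f"203.0.113.{i}", 25)            # direct-to-MX fan-out
              for i in range(1, 41)]
    flows += [("198.51.100.20", "203.0.113.5", 25),              # small self-hosted sender
              ("198.51.100.20", "203.0.113.6", 25)]
    flows += [("198.51.100.77", "203.0.113.9", 80)]              # non-SMTP traffic
    return flows

def direct_to_mx_senders(flows, min_distinct_dests=20):
    """Return {subscriber IP: distinct port-25 destinations} at or above the threshold.

    Connections to the sanctioned relays are ignored, so only mail that
    bypasses normal routing is counted. The threshold is an illustrative value.
    """
    dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport != 25:
            continue
        if ipaddress.ip_address(src) not in SUBSCRIBER_POOL:
            continue
        if ipaddress.ip_address(dst) in OUTBOUND_RELAYS:
            continue
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= min_distinct_dests}

if __name__ == "__main__":
    for host, fanout in direct_to_mx_senders(build_sample_flows()).items():
        print(f"{host}: {fanout} distinct SMTP destinations outside the relay")
```

Hosts flagged this way are candidates for a port-25 block or a customer notification; lowering the threshold also surfaces legitimate self-hosted senders, which is why it needs tuning per network.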

By Tom Donnelly, Co-founder, VP marketing and sales

Related topics: Email, Malware, Networks, Spam




Re: 80% of Spam Originating from Home PCs Suresh Ramasubramanian  –  Jun 21, 2004 3:18 AM PDT

A few ways to mitigate this -

* Filter inbound mail to your servers using the Spamhaus XBL (exploits block list) at http://www.spamhaus.org

* ISPs - monitor XBL entries for anything in your IP space, and jump on 'em - these are usually currently emitting spam sources, so you'll be able to get all that you need to fix the spam [typically finding a user with an infected PC]

* Block port 25 outbound across your network (especially on NAT gateways for LANs - and if possible at the edge of your dialup / dhcp user pool) to prevent direct to MX emission from viruses.

* Separate your inbound and outbound mailservers.  Then make sure your MXs (inbound boxes) don't relay mail for your dialup pool.  More than one virus (sobig variants I think) has this habit of looking at the infected system's IP (from winipcfg / ipconfig), doing a reverse DNS lookup to get the domain it belongs to (foo-bar-baz.cable.example.com - gets the domain example.com) .. and then doing an MX query for example.com, then trying to relay mail out through the MX servers.

* AV filtering on your outbound mailservers

* Lock down the netbios / windows messenger ports if at all possible. A lot of viruses spread this way.
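The XBL monitoring suggested in the comment above can be scripted as a sweep of an ISP's own address block. This is an added example, not part of the original comment: the address range, the stand-in resolver and its sample answer are constructed, and the sweep handles IPv4 only.

```python
import ipaddress
import socket

XBL_ZONE = "xbl.spamhaus.org"

def dnsbl_name(ip, zone=XBL_ZONE):
    """Build the DNSBL query name: 198.51.100.77 -> 77.100.51.198.<zone>."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def system_resolver(name):
    """Resolve through the local resolver; None means 'not listed' (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listed_hosts(cidr, resolve=system_resolver):
    """Return {ip: answer} for every host address in cidr that the zone lists.

    A listing is signalled by an A record in 127.0.0.x; any other answer
    (for example a resolver that rewrites NXDOMAIN) is ignored.
    """
    hits = {}
    for ip in ipaddress.ip_network(cidr).hosts():
        answer = resolve(dnsbl_name(ip))
        if answer and answer.startswith("127.0.0."):
            hits[str(ip)] = answer
    return hits

# Constructed stand-in for the DNS zone so the example runs offline.
FAKE_ZONE = {"77.100.51.198.xbl.spamhaus.org": "127.0.0.4"}

def fake_resolver(name):
    return FAKE_ZONE.get(name)

if __name__ == "__main__":
    # Hypothetical subscriber block; swap in system_resolver for live lookups.
    for host, code in listed_hosts("198.51.100.76/30", fake_resolver).items():
        print(f"{host} is listed ({code}): check for an infected subscriber PC")
```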
