As an Internet security strategist, I make every effort to understanding just what was installed on our network, and to gain hands-on knowledge. As a result I have installed, tweaked, and worked on Linux, FreeBSD, Mac OS X, Windows XP, Apache, Sendmail, Postfix, and just about anything that the Internet bandwidth can be consumed by. What prompted me to be so hands-on in understanding the guts of operating systems and server software when I could have been relaxing in a summer resort?
The maddening increase of malware and spam. It started as nuisance, until nuisance became threat. And it didn't stop there. Worms and Trojans that can masquerade as you can potentially damage a hard-earned reputation, especially in Asia Pacific, where reputation and business can be easily lost.
If you analyze the relay of spam- and malware-containing email circulating on the Internet purely through your mail server logs (running the Unix command "tail"), a large proportion seem to come from Asia Pacific hosts, especially those from mainland China. Therefore, many less-experienced systems administrators have simply blocked the access from subnets of Chinese or Asian origin, effectively destroying the fabric of the Internet — messaging. If administrators took pains to analyze these supposedly Asian spam messages by analyzing the full Internet headers, they would have realized that the Asian servers were merely used by the real spammers as open relays, or perhaps as zombie hosts previously infected with the mass mailing worms through the exploitation of operating system vulnerabilities.
I have consistently tried, as a good Internet citizen, to alert the administrators of these vulnerable Asia hosts and open relays of their problems, and I hope that they will patch their systems. But none seem to take my advice too seriously, or at all. So these servers continue to be exploited by many spammers operating out of the Americas, and these Asian hosts are blamed for spamming they did not commit.
If the people running the infected or affected hosts aren't bothered, why should we care? We may have little choice. These vulnerable hosts give the spammers the ability to mass-mail spam and malware-infested messages worldwide without regards to Internet bandwidth, the clogging of Internet "pipes" worldwide, the slowing down of global infrastructure, and the escalating security breaches and frustration at using the most basic and necessary Internet tool — email. But if these folks don't care, can we do something?
Short of harassing the governments to take regulatory and legislative action, which regional governments are warming to slowly, we can work more closely with blacklist services that help to provide another venue for pushing host administrators to take prompt action in patching their systems. Some governments, such as those of Singapore and Australia, are more proactive in understanding just why spam is a bad thing, and regulatory and legislative frameworks are incrementally being worked into the system.
Many spam-reporting blacklist services analyze the full mail headers and track down the sending hosts, which are often found to broadband consumer users in North America. One common "culprit" is Comcast.net which, unfortunately for legitimate Comcast users (some are business users), have been blocked out not only by blacklist services, but by corporate network administrators as well. Some administrators even go so far as to not only block the specific spamming IP addresses, but also take the easy route and blocking the entire Comcast.net domain! Such measures are too drastic and draconian, and they spell trouble for legitimate Comcast (and many hundred other hosts) users, especially small and medium-sized businesses trying to make a decent living.
For example, SpamCop's reporting service is easy to use, and its response times for unblocking erroneously blocked domains are good. You can report spam to SpamCop by attaching the full spam email and forwarding it or by pasting the entire email into the SpamCop browser-based reporting window. More and more spammers are encoding their spam messages using Base64 (which appears as gibberish unless you are reading in a rich-text-capable email client such as Outlook), and SpamCop can now handle this — using algorithms that decode obfuscated email.
As an experiment, I used a combination of Sendmail access configuration (which lists IP addresses, domains, and email addresses to block or discard) and SpamCop's DNS blacklist service, I managed to slice spam and malware down by 90%. A collective grassroots movement can make the DNS blacklist more and more sensitive and accurate. Some administrators I chatted with even configured their mail servers to use a whole spectrum of DNS blacklists to create spam blocking "redundancy." This is because the likes of DNS blacklists are always the target of spammers to bring down, and some have been consistently attacked through denial-of-service (DoS) or even distributed denial-of-service (DDoS) attacks.
Let's face it: the current antivirus solutions have largely failed. Much as the information released in the U.S. points out that even though 90% of businesses installed antivirus software, 85% of them still have ongoing virus trouble. The situation is a lot worse over in Asia Pacific, because Asia Pacific as a whole lags behind the U.S. in terms of Internet security infrastructure, end-user knowledge, security best practices, and budgets.
Why? Because antivirus software programs are largely reactive, and they respond by attempting to match known historical "patterns." If a mutant virus does not provide an exact match, the antivirus software will not be smart enough to detect the malicious code and may let it through.
This means we need another layer of protection just before traffic gets to the antivirus gateway. This is easily done by a variety of Procmail or other mail server–compatible scripts (mostly written in the English-like Perl language), to strip out banned attachments altogether. For example, commonly banned attachments such as .bat, .cmd, .com, .dll, .js, .pif, .scr, .shs, and .vbs should be automatically and categorically removed without argument. Some other banned attachments can include multimedia components, which shouldn't be allowed on limited bandwidth in Asia Pacific, including .mp3, .mov, .mpg, .swf, and so on. A related approach is the use of whitelist attachments, where only certain types of attachment, like .doc, .xls, .ppt, and .pdf, can be allowed through. This is more restrictive, but in certain organizations with limited document types used, this is a possible approach.
While governments take time and prudence to work out regulatory, legislative, and even punitive measures, we as users can surely put in some grassroots-level work and incrementally help to stabilize the Internet infrastructure again, especially for the many who rely on the Internet for survival.
By Dr. Seamus Phan, Entrepreneur & Author
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines
Neustar DNS Services
Neustar DDoS Protection