The Spamhaus Project


Increasing Spam Threat from Proxy Hijackers

by The Spamhaus Team, February 03, 2005

Spam, now at 75% of all email traffic arriving at most ISPs' mail servers, has come mainly from two types of source: either sent directly by the spammer, or sent by the spammer through a hijacked computer (a proxy). For most anti-spam systems these two sources have been relatively easy to deal with, since both can be efficiently blocked by IP address.

But sources are changing, and with them spam volumes. Over the last few months a number of major email services reported to Spamhaus that the source of their incoming spam was changing and they were seeing far more spam coming directly from the major mail relays of other ISPs. AOL, one of the first to notice the change months before others, now reports that over 90% of its incoming spam comes directly from other ISP mail relays.

This change in proxy-spam activity is caused by new versions of the stealth proxy spam software ("spamware") released by proxy spammers. This software is specially written to take control of private computers, usually those on the world's broadband networks, and to use them, without the PC owner's knowledge or permission, to send out spam for pornography or illegal drugs by acting as an anonymous "proxy" for the spammer. New versions of proxy spamware packages released by Russian spammers operating in the US now have a feature which instructs the hijacked proxy to send the spam out via the mail relay of the ISP the proxy is downstream of. Because that relay is a legitimate mail server, the spam arrives at the receiving ISP from an address that cannot simply be blocklisted.

Spamhaus sees this change and the increase in spam it is producing as a threat to be taken seriously. At the current pace of ever-increasing spam levels Spamhaus predicts that by mid-2006 spam could reach 85% of all email traffic, and at that stage we would begin to see visible signs of a slow meltdown of some email delivery systems caused by overloaded email queues and stressed spam filters.

We are now increasing our efforts to tackle the vendors of illegal proxy hijacking software, and those who knowingly host them, and we are advising mail services to take protective measures to avoid or lessen the problem, such as: 1) throttle the outgoing mail from IPs of broadband customers, 2) separate the incoming and outgoing SMTP servers, and 3) mandate email authentication (SMTP-AUTH) for all customers.
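The following is an added example, not Spamhaus code and not a description of any particular ISP's setup, that models the three measures above as a policy for an ISP's outbound submission server: the inbound MX is assumed to be a separate host that never relays, unauthenticated relaying is refused, and a sliding-window rate limit is applied per sender. The address pool, limits and submission events are constructed for the demonstration; the "weak" policy reproduces the configuration the hijacked proxies exploit (relay for anyone on the broadband pool, no limit), and the "hardened" policy applies the recommended settings.

```python
"""Outbound-relay policy modelling the three protective measures.
Added example, not Spamhaus code; every range, limit and event below is
constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address pool for the ISP's dynamic broadband customers.
BROADBAND_POOLS = [ip_network("10.20.0.0/16")]


@dataclass
class Decision:
    action: str   # "accept", "defer" (rate limited, 4xx) or "reject" (5xx)
    reason: str


class OutboundRelayPolicy:
    """Policy for the *outbound* submission service only.  The inbound MX
    is a separate host that accepts mail for local domains and never
    relays, so nothing here has to reason about inbound traffic."""

    def __init__(self, require_auth=True, limit=None, window=3600):
        self.require_auth = require_auth
        self.limit = limit          # max messages per window per sender key
        self.window = window        # seconds
        self._sent = defaultdict(deque)   # sender key -> accepted timestamps

    @staticmethod
    def is_broadband(ip):
        return any(ip in net for net in BROADBAND_POOLS)

    def check(self, ts, client_ip, sasl_user=None):
        ip = ip_address(client_ip)
        if self.require_auth and not sasl_user:
            # Measure 3: no SMTP-AUTH, no relaying, whatever the source IP.
            return Decision("reject", "SMTP-AUTH required for relaying")
        if not sasl_user and not self.is_broadband(ip):
            # Legacy setup: unauthenticated relaying only for the own pool,
            # so an outside host is still refused (no open relay).
            return Decision("reject", "relay access denied")
        # Measure 1: throttle.  Key on the authenticated account if there is
        # one, else on the broadband IP; spamware that reuses the owner's
        # stored credentials is still throttled by that account.
        if self.limit is not None and (sasl_user or self.is_broadband(ip)):
            key = sasl_user or str(ip)
            q = self._sent[key]
            while q and ts - q[0] >= self.window:
                q.popleft()
            if len(q) >= self.limit:
                return Decision("defer",
                                f"rate limit {self.limit}/{self.window}s exceeded for {key}")
            q.append(ts)
        return Decision("accept", "ok")


def constructed_events():
    """Constructed submission attempts (timestamp, client IP, SASL user)."""
    t0 = 1107424800  # arbitrary epoch, 2005-02-03 10:00:00 UTC
    events = []
    # Hijacked proxy on a broadband line, no credentials, bursting 12 messages.
    events += [(t0 + i, "10.20.5.17", None) for i in range(12)]
    # Legitimate customer, authenticated, two messages 15 minutes apart.
    events += [(t0 + 5, "10.20.9.4", "alice"), (t0 + 900, "10.20.9.4", "alice")]
    # Outside host probing for an open relay.
    events += [(t0 + 30, "203.0.113.9", None)]
    # Second hijacked PC whose spamware reuses the owner's stored credentials.
    events += [(t0 + 40 + i, "10.20.7.3", "bob") for i in range(8)]
    return sorted(events, key=lambda e: e[0])


def tally(policy, events):
    """Run every event through the policy and count the outcomes."""
    counts = {"accept": 0, "defer": 0, "reject": 0}
    for ts, ip, user in events:
        counts[policy.check(ts, ip, user).action] += 1
    return counts


if __name__ == "__main__":
    weak = OutboundRelayPolicy(require_auth=False, limit=None)
    hardened = OutboundRelayPolicy(require_auth=True, limit=5, window=3600)
    print("weak:    ", tally(weak, constructed_events()))
    print("hardened:", tally(hardened, constructed_events()))
```

Under the weak policy the proxy's 12 unauthenticated messages and all 8 of the credential-reusing PC's messages go out through the relay; under the hardened policy the unauthenticated burst is refused outright and the authenticated one is cut to the per-account limit, with the excess deferred rather than rejected so a genuine customer's occasional burst is only delayed. Deferral keyed on the account rather than the IP matters because the relay cannot tell a spamware session from the owner's own mail client once both present the same credentials.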

Update: 2005-02-04 20:10:41

NB: Contrary to a press article which reported erroneously that we had stated that the world's email delivery system is "about to collapse" (a misquote on the basis of which a number of 'competitive' security solutions vendors, including spam filter firm Postini, then jumped in to criticize what they did not realize was incorrect), we stress that, as the article above states, Spamhaus sees the rise in spam and the change in spam source as a threat which, if not acted on, would in a year's time begin to cause email delivery problems. Collapse? Certainly not. Serious threat? Certainly.