IAS Security Hero

What do you do when you find out that you are the spammer?

Aww man, it's us

As a security professional, I spend a lot of my time making sure that the bad guys aren't able to break in. I set up all the fancy firewalls and anti-virus to keep us safe. But what happens when a user unknowingly gives up their credentials due to a phish? Well, if you are lucky, the spammers just use it to spam the world. If you are unlucky, they figure out how to attack the inside of your network to get to the crown jewels.

Recently, I was lucky and they only sent out copious amounts of spam. What most people don't realize, though, is that the Internet stops liking you when you have a bad reputation.

Spammers suck, and the Internet will let you know

And nothing makes you feel worse than when you find out that you are the spammer, except when the Internet lets you know that you are the spammer. Spamming (fake email) has been around for a very long time, and the Internet has gotten very good at punishing those who do it. This is great when it hits large spam houses that do this all day long, and really sucks when it is your organization being punished by the Internet. Typically this happens by being listed on a Real-time Blackhole List (RBL).

Real-time Blackhole Lists (RBLs)

RBLs work by keeping a list of IP addresses that are known to be spammy. Other mail servers around the world can look up these addresses using simple Domain Name System (DNS) queries. You take the IP address you want to check, reverse the octets, put an RBL domain on the end and do an nslookup. If it results in an A record with a 127.0.0.2 address, then yep, you have a spammer. Here's an example.

I want to know if 192.168.1.2 is a spamming address. So, I reverse the IP to 2.1.168.192 and I add one of the RBL domains to it. We'll use "cbl.abuseat.org". Then we'll do a lookup.

$ dig +short 2.1.168.192.cbl.abuseat.org
127.0.0.2

Here I used a fake IP address, but this is the basic idea. The idea is that if an IP address is returned, the server or router will then re-route all packets destined for that IP address to the 127.0.0.2 address, which is a local loopback address, most likely not even defined. This creates a "blackhole" that the packets never escape from.
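The lookup described above, extended to check several RBL zones in one pass, as an added example (not code from the original post). It goes beyond the single 127.0.0.2 case by treating any answer in 127.0.0.0/8 as a listing, and it keeps a resolver failure separate from "not listed"; the fake resolver, its sample record and the zones rbl.example and timeout.example are constructed so the demo runs offline.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # RBL return codes live here
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the RBL zone, as in the post."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def system_resolver(name):
    """Return A records for name; [] only when the name truly does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return []
        raise  # timeout/SERVFAIL means "unknown", not "clean"
    return sorted({info[4][0] for info in infos})


def check_rbls(ip, zones, resolver=system_resolver):
    """Map each zone to (status, answers); status is listed/not listed/unknown."""
    results = {}
    for zone in zones:
        try:
            answers = resolver(dnsbl_query_name(ip, zone))
        except OSError:
            results[zone] = ("unknown", [])
            continue
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
        results[zone] = ("listed", codes) if codes else ("not listed", [])
    return results


# Constructed sample data: a fake resolver so the demo runs offline.
FAKE_DNS = {"2.1.168.192.cbl.abuseat.org": ["127.0.0.2"]}


def fake_resolver(name):
    if name.endswith(".timeout.example"):  # hypothetical zone that times out
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["cbl.abuseat.org", "rbl.example", "timeout.example"]
    for zone, result in check_rbls("192.168.1.2", zones, fake_resolver).items():
        print(zone, *result)
```

To query live DNS, call check_rbls with your mail server's public IP and leave the resolver argument at its default.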

Anti-Abuse Project and Cisco's Talos Intelligence

The Anti-Abuse Project has a list of about 54 of these RBL services on their webpage, here: http://www.anti-abuse.org/multi-rbl-check/. You can type in the Internet IP address of your mailserver and see if it is listed on any of the RBLs to see if you might be blocked. If you are listed, you have to contact each individual RBL to have yourself de-listed. Before you start this process, though, you really need to make sure you have fixed the issue of the spammer inside your house first. Otherwise, you'll just get listed again, and the Internet is really not happy with repeat offenders.

Which brings us to Cisco's Talos Intelligence, AKA senderbase.org. Cisco has thousands of devices around the Internet looking at inbound email. Then users click on the spam button in their browsers. If enough users click and they see enough spam, they will downgrade your reputation on the Internet. Anyone using a Cisco IronPort or similar device will start blocking your inbound email. Cisco has told me that they base their reputation score on some ratio between the number of complaints and the volume of "good" email that they see from the IP address in question to change your rating. The scale goes between -10 and 10, but their public website will only tell you "poor", "neutral" or "good".

If you've cleaned up your spammy address and want to better your reputation with SenderBase, good luck. Cisco support has told me multiple times that this is based on a computer algorithm and that human intervention is not possible. If this is true, then I guess it is time to start bowing down to our computer overlords. When I spoke to my colleagues, I was told that having a Cisco IronPort in your datacenter may be pleasing to the computer overlords. I for one asked that question of my Cisco sales rep, who said that this was false. However, after 36 hours of waiting for the reputation to improve, it was only after speaking to my Cisco sales rep that the reputation went from -7 to 0. I think, perhaps, the computer overlords were listening on the line.

Another tip that I received from an anonymous source is that setting up multiple outbound mail servers with different IPs might help to distribute your accidental spam. In this technique, as long as you keep your IP from sending out a certain number of spams per hour, it might not get flagged. Again, this is something that might change now that I said it as the computers are always listening.

Repeat offender

Ok, so you cleaned up that one account that gave their credentials out to the phishing site, got yourself removed from the RBLs and burnt some cheap switches to please the computer overlords. Everything is starting to settle down and then a second address gets popped and the cycle begins again. One RBL, sorbs.net, says they are very unpleased with you. You see, if you mess up once, they can forgive; if you mess up twice, you are in trouble. Here is what their website says will happen for repeat offenders:

  • For first time listees you must have less than 10 spams recorded and wait a minimum of 48 hours.

  • For second time listees you must have less than 50 spams recorded and wait a minimum of 7 days.

  • For third time listees you must have less than 100 spams recorded and wait a minimum of 30 days.

  • For fourth time listees you must have less than 200 spams recorded and wait a minimum of 183 days (6 months).

  • For fifth time listees you must have less than 300 spams recorded and wait a minimum of 365 days (1 year).

  • The minimum period formula is a little more complex than described above and therefore delisting may be longer based on the number of spams you have sent, however what is described is the minimum period.

Yikes! This means that your organization could potentially be blocked for a week after the second offense. I don't know about you, but my users won't tolerate not being able to send an email for 24 hours, let alone a week.

What can I do?

Well, the easiest thing is to change the IP address of your mail server. This allows your business to keep running while you try to sort out your mail issues. This will help with the majority of RBLs, but it wouldn't help at all with Cisco Talos Intelligence (AKA senderbase). To get a better reputation with them, they have to see legitimate mail coming out of your server. Of course, if that email is being blocked by major vendors/schools using IronPort, then what do you do? You could get fancy and route those emails over a fresh and shiny new IP that isn't compromised, and send all the rest over the old IP to get it polished back up.

You could abandon the old IP and let it burn forever. This isn't ideal as you are probably using an IPv4 address, and rumor has it, we are getting low on those.

Or just wait it out. Good luck telling your users that one.

20 years ago, the Internet was a gentleman's agreement. We knew each other, we argued, we consoled and at the end of the day, we forgave and moved on. The tide seems to be turning on this one. As our computer overlords take over, the time for forgiveness is gone. We will have to revert to putting very strict controls on email to ensure that we are compliant, which might be to the detriment of the user. I think this is ok, as most users are getting used to email being as unreliable as it is.

Personally, with all the issues surrounding email and the multi-billion dollar industry it has created, I think it is time to rewrite it from scratch. A lot of young folks are doing this already by not using email and relying solely on social media to connect with their friends. Besides, who reads a whole email anymore? Actually, who reads a whole blog post anymore? Certainly not you. :)