Jointly published by the Internet Infrastructure Coalition (i2C) and the Messaging, Malware and Mobile Anti-Abuse Working Group, the new document outlines proven activities that can help Web hosting services improve their operations and better protect end-users.
The new best practices describe how to identify customers that are spammers or criminals, policies to prevent abuse, and processes to remediate known threats for the hosting, DNS and domain registration provider communities. These recommendations are intended to help hosting companies establish a stable operating environment and minimize additional customer support costs resulting from network operators frequently blocking the service for abusive activities, according to Michael Adkins, M3AAWG Chairman of the Board.
Although section 5.4 “Set up internal telemetry…” might imply this as part of traffic analysis, I propose:
Track counts of TCP SYN packets sent to port 25 to IP addresses outside your network, summarized by customer. Maintain appropriate per-customer thresholds. If the customer exceeds their (5 minute, hourly, daily, whatever) limit, block all subsequent outbound mail from their accounts.
There are two very different methods available to spammers. One is to attempt to stay under the radar by sending spam slowly. This generally requires a lot of IP address space. The other method that I see more frequently lately is where the spammer knows their IP address space and/or domain names will be blocked soon, so they hammer out as much as they can for relatively short periods - less than two hours.
If we can see hundreds of spam attempts in an hour on a trivially small mail server, they are sending a LOT of TCP SYN packets. Those bursts should be able to get them automatically firewalled by their provider within minutes.
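The per-customer outbound port-25 SYN counting proposed in the comment above, as an added example that is not from the original post or the M3AAWG/i2C document. The flow-log line format, the internal address ranges, the window size and the customer limits are all assumptions; a provider would feed this from its own flow or firewall telemetry and wire the result into its blocking mechanism.

```python
"""Per-customer counter of outbound TCP SYNs to port 25, with threshold alerting."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the hosting provider's own address space; SYNs to these targets are not counted.
INTERNAL_NETS = [ip_network("203.0.113.0/24"), ip_network("2001:db8::/32")]

# Assumed per-customer limits (SYNs per window); customers not listed get DEFAULT_LIMIT.
CUSTOMER_LIMITS = {"cust-mailer": 500}   # e.g. a customer known to run a legitimate MTA
DEFAULT_LIMIT = 20
WINDOW_SECONDS = 300                     # fixed 5-minute buckets

# Constructed sample flow export: "epoch customer src dst dport tcpflags" (assumed format).
SAMPLE_LOG = """\
1700000000 cust-a 203.0.113.10 198.51.100.5 25 S
1700000001 cust-a 203.0.113.10 198.51.100.6 25 S
1700000002 cust-a 203.0.113.10 203.0.113.20 25 S
1700000003 cust-b 203.0.113.11 198.51.100.7 443 S
1700000004 cust-a 203.0.113.10 198.51.100.8 25 SA
"""

def is_external(addr: str) -> bool:
    """True when the destination lies outside the provider's own networks."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def count_mx_syns(log_text: str) -> dict:
    """Return {(customer, window_start): count} of outbound bare SYNs to port 25."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ts, customer, _src, dst, dport, flags = line.split()
        # Bare SYN only (new connection attempt; SYN/ACK is the reply), port 25, off-network target.
        if flags != "S" or dport != "25" or not is_external(dst):
            continue
        window = int(ts) // WINDOW_SECONDS * WINDOW_SECONDS
        counts[(customer, window)] += 1
    return dict(counts)

def customers_over_limit(log_text: str) -> set:
    """Customers whose SYN count in any window exceeds their per-customer limit."""
    return {cust for (cust, _w), n in count_mx_syns(log_text).items()
            if n > CUSTOMER_LIMITS.get(cust, DEFAULT_LIMIT)}

def synthetic_burst(customer: str, n: int, start: int = 1700000100) -> str:
    """Constructed burst of n outbound SYNs from one customer to distinct external hosts."""
    return "".join(f"{start + i} {customer} 203.0.113.12 198.51.100.{i % 250 + 1} 25 S\n"
                   for i in range(n))

if __name__ == "__main__":
    print(customers_over_limit(SAMPLE_LOG + synthetic_burst("cust-c", 30)))
```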