Corporate IT needs to change stance on spam, says security researcher

Spam is expected to continue to be a major problem for businesses in 2010 unless corporate IT departments change strategy.


In 2009, only 0.11% of e-mail received by companies in the most highly targeted motor industry was legitimate, according to the annual malware report from PandaLabs, the anti-malware laboratory of Panda Security.

Spam frequently contains links to malware that can put businesses at risk. Some 25% of the at least 100 million computers around the world that have been hijacked by spammers are within corporate networks, according to researchers at security firm Trend Micro.

This means corporate IT departments are not only failing to keep spam out of their networks, but they are also failing to prevent millions of their computers from becoming part of the problem.

Corporate IT departments typically attack the problem by securing computers on their networks, but this is not enough, as routers and other network devices can also be used to send spam, says US-based Dave Rand, chief technology officer at Trend Micro.

Target the source

The only proven way to counteract spam is to cut it off at the source. Internet service providers (ISPs) can do this easily, he says.

Turkey has led the way in attacking spam. It has shown that if all ISPs prevent spam from leaving their networks by blocking port 25, which is used for all e-mail not sent through an ISP's mail servers, the number of active spam sources can be cut from 1.7 million to a mere 35,000 within a year, says Rand.

As a result, Turkey no longer features in the international spam rankings after occupying top position between 2006 and 2009.

"The problem is in most other countries, ISPs are unwilling to take this step for fear of user backlash, but Turkey has shown it can be done successfully by providing ways to authenticate legitimate e-mails sent through web-based or corporate e-mail servers," says Rand.

Instead of being part of the problem, corporate IT departments can help slash the number of spam sources by demanding that all ISPs block port 25, says Rand.

If businesses and other customers of the world's 38,000 ISPs demand this action, spam could be brought down to much more manageable pre-1995 levels, he says.

But the Internet Services Providers' Association (ISPA UK) says blocking port 25 is not a simple and easy fix, particularly in countries such as the UK where, unlike Turkey, businesses change ISPs regularly and many use web-based third-party e-mail providers.

Although some UK ISPs do block port 25, mandating this for every ISP would need thousands of e-mail recipients to update their systems to enable alternatives such as messaging port 587, which is not turned on by default, says James Blessing, ISPA council member.

Many anti-virus programs monitor port 25 by default, so blocking this port would leave users unprotected unless they manually change their security software settings, he says.

Blessing adds that blocking port 25 will also force spammers to use even more sophisticated methods, making detection and prevention much more difficult than it already is.

"A better approach is for all ISPs to filter all spam and malware on their mail servers and for users to keep their own security up to date to take care of the small proportion that ISPs miss," he says.

Organisations and individuals need to accept greater responsibility for ensuring the security of their own computers, says Blessing. For many corporates, this means ensuring that security systems are patched regularly and kept up to date.

ISPs should notify businesses when their systems are compromised

Businesses should demand that ISPs notify all customers whose systems have been compromised by spammers, says Dave Rand, chief technology officer at Trend Micro.

"The problem often goes undetected for years because many corporate IT departments are unaware that their computers are being used by spammers," he says.

Computers compromised by spammers are in use for an average of 300 days before they are detected and blocked, with a third taking more than two years, Trend Micro research has shown.
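The port 25 egress policy Rand describes and the multi-year detection gap above both come down to one check a corporate IT department can run itself: which internal hosts are opening direct outbound SMTP connections to many external mail servers instead of submitting through the sanctioned relay or port 587. The example below is added here and is not code from the article or from Trend Micro; the log format, the relay address 10.0.0.10 and the fan-out threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of an egress firewall log: "timestamp src dst dst_port action"
SAMPLE_LOG = """\
2010-01-12T09:00:01 10.0.5.21 203.0.113.10 25 ALLOW
2010-01-12T09:00:02 10.0.5.21 198.51.100.7 25 ALLOW
2010-01-12T09:00:02 10.0.5.21 192.0.2.44 25 ALLOW
2010-01-12T09:00:03 10.0.5.21 203.0.113.99 25 ALLOW
2010-01-12T09:00:04 10.0.0.10 203.0.113.10 25 ALLOW
2010-01-12T09:00:05 10.0.7.3 198.51.100.20 587 ALLOW
2010-01-12T09:00:06 10.0.5.21 192.0.2.45 25 ALLOW
2010-01-12T09:00:07 10.0.9.8 203.0.113.10 25 ALLOW
"""

INTERNAL = ip_network("10.0.0.0/8")
# Hypothetical sanctioned corporate mail relay; the only host that should talk port 25 outbound
MAIL_RELAYS = {ip_address("10.0.0.10")}

def parse_log(text):
    """Parse the constructed log lines into (src, dst, port, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, action = line.split()
        records.append((ip_address(src), ip_address(dst), int(port), action))
    return records

def direct_smtp_senders(records, threshold=3):
    """Return {src: [dst, ...]} for internal, non-relay hosts that reached at
    least `threshold` distinct external hosts directly on port 25.
    Port 587 submissions and traffic via the relay are ignored. Wide SMTP
    fan-out from an ordinary client is a spam-bot indicator worth triage,
    not proof of compromise."""
    fanout = defaultdict(set)
    for src, dst, port, action in records:
        if port != 25 or action != "ALLOW":
            continue
        if src not in INTERNAL or src in MAIL_RELAYS or dst in INTERNAL:
            continue
        fanout[src].add(dst)
    return {str(src): sorted(str(d) for d in dsts)
            for src, dsts in fanout.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for host, dsts in direct_smtp_senders(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: direct SMTP to {len(dsts)} external hosts -> {dsts}")
```

On a real network the same query runs over firewall or NetFlow exports; once the relay-only egress rule is enforced, any remaining port 25 attempt from a client is itself the alert.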

Most UK ISPs will notify customers if they see evidence that their systems have been compromised because it is not in their interests for their reputation to be damaged, says ISPA council member James Blessing.

"Some of the biggest ISPs, however, could do a better job if they were to spend more time and effort on this," he says.

The Netherlands has taken the lead by being the first country to require all ISPs to notify customers whose computers have been hijacked by spammers from January 2010.

Trend Micro is working with the University of Amsterdam in the Netherlands on a spam report for the Organisation for Economic Co-operation and Development (OECD).

"In the absence of a global internet governing body, hopefully the OECD will release a set of guidelines that will promote a more co-ordinated effort against spammers," says Rand.

He points out that the size and scope of this problem demands concerted action at a national and international level, and CIOs have a definite role to play in achieving this.

"CIOs need to come together to discuss how best to collaborate in tackling this common problem to ensure corporate data is secured and protected," says Rand.
