At war with the spammers
- 05 December, 2006 16:09
I have mixed feelings about outsourcing. I subscribe to the old adage, "The good Lord helps those who help themselves." This attitude may stem from my parents, who lived through the era of both World Wars and the Great Depression and know how to make do with very little. They are self-sufficient Yankees who tend not to ask for help, which I think instilled the do-it-yourself tendency in me.
I actually feel guilty when I hire people to do work for me that I could do myself. I'm getting wiser now, so that guilt doesn't last long. Usually by the second or third hole on the golf course, I've gotten over the fact that the landscaper is busy fertilizing my lawn. But I still haven't outsourced the mowing of the lawn, because I firmly believe that some things require personal attention.
Likewise, as a security practitioner, I'm generally reluctant to hand off the protection of my company. I like the feeling of being capable and prepared. I'm not one to look to someone else, such as the government, to bail me out. Still, there are times when asking for assistance is the practical thing to do. You can't always handle everything on your own. One of the main ways I learned this was back in the mid-1990s, when my company was struggling through a series of disruptive attacks caused by spammers who were trying to profit by driving Web traffic to pornographic websites--and using our company's good name to do so. ---PB___
You might remember early spam blasts like this. Each weekend, e-mails would go out to millions of addresses, mostly AOL accounts. The mailings contained links to pornographic websites, and the headers said the messages came from where I worked. Later I learned that the names of at least a half dozen other reputable companies were abused during this massive spamming campaign, but at the time it felt like we alone were in this situation.
The spammers were not sophisticated about the addresses they used. It seemed that they had simply generated every possible permutation of characters and affixed them to the AOL domain name (email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org and so on). Some addresses actually existed, but most did not. The ones that didn't were bounced back to our company e-mail server as undeliverable. Thousands of these messages flooded our server and brought it to its knees. It was this denial-of-service attack that originally clued us in to the spamming campaign.
Because the messages appeared to come from a respected company, the recipients opened them. This type of con artistry is often called social engineering and is sometimes referred to as the "false authority syndrome." The information looks like it comes from a reliable source, so people trust it. It's the same principle that to this day propels virus hoaxes across the planet: "This information comes from a high-level expert at <
Imagine people's outrage, however, when they clicked on the links and were brought to extremely graphic pornographic websites. Almost immediately, complaints began streaming in to my company. The common refrain was, "How dare you send such filth!" and "Why is a reputable company like yours sending such offensive material?"
Our public relations people shifted into high gear--and turned to me for an explanation.
In the past decade, the tactics and purposes of unsolicited commercial e-mail have evolved and proliferated. Today we know that spam often carries a malicious payload or bait for a phishing scam. Ten years ago, however, spam was considerably more simplistic. Spammers like the ones targeting our company blasted out thousands of messages containing links to websites, and the main purpose was to drive traffic to those sites. The bulk of the spam I was seeing contained links to pornographic websites, where, for the small fee of US$19.95, a subscriber could reap all the thrilling benefits of the porn site.
When the attacks began, however, I didn't know any of this. To get answers, I turned to a consulting company that I knew had a strong security practice. The consultant had lived through a few cyberattacks and knew how to approach our situation. In retrospect, I know that without the guidance of someone with experience, I probably would have bungled the case, and the spoofed e-mails might have continued indefinitely.
The consultant suggested that we ask the FBI for help, and the FBI, to my surprise, agreed to get involved once we had established that our monetary losses met a certain threshold. The amount wasn't as high as I expected--less than US$10,000, if I recall correctly--so I encourage CSOs to check with their local field office before assuming agents won't help out with a case. Depending on the circumstances, the FBI may even be interested in helping with a case that seems small. In some situations, there are other victims, and collectively the problem may be far greater than any one company realizes. But I digress.
One of the first things I learned in working with the FBI and the consultant was to keep good notes; another was to carefully preserve evidence. We began saving firewall logs and keeping track of each and every action we took in our response to the spam attacks. Another valuable lesson: Follow the money. When I began to understand why the spam was being sent, it became apparent that we could choke it off at the source by figuring out who was profiting from it.
Along with the FBI and the consultants, my team began to analyze the spam messages. We worked with our Internet service provider to track the messages to their source. Although the spammers used open mail relays that belonged to other unwitting accomplices, we eventually tracked online activity to dial-up Internet connections. These points of presence, or POPs, allow people to connect to the Internet by telephones and modems. The owners of the POPs, large telecommunications companies like AT&T, charge for access to the POPs. Payments are generally made with checks and credit cards.
Here is where the FBI came in. The FBI filed subpoenas and obtained billing records from the telecom companies, something we couldn't have done on our own. By correlating information from our firewall logs, ISP logs and telecom logs, the trail eventually led to about 50 credit card numbers. Unfortunately, additional research by the FBI determined that the credit card numbers were stolen, and as far as I knew at the time, the trails fizzled out.
Meanwhile, the spam assaults continued. Each week in the wee hours of Sunday morning when most IT security people are asleep, the spammers unleashed their spoofed messages. After a couple of weekends of spam floods, on the good advice of the consultant, we arranged with our ISP to divert the spam back to their server. This kept our server available for legitimate e-mail.
Despite the fact that the fallout was no longer flooding our server, however, the spam was still reaching a lot of people. Our reputation was being tarnished, and the potential cost of that far exceeded the lost service of our e-mail system. We needed relief and couldn't wait for the FBI or anyone else to solve the problem.
The spam messages contained links that led to websites, and we decided to focus on the providers that were hosting the websites for free. Invariably the providers' terms of service forbid pornographic or offensive material from being posted, so we began our own campaign of notifying those companies that their terms were being violated. They were all well-known, legitimate services, and they acted responsibly when notified of the problem.
After a few weeks of spam attacks, my staff became proficient at tracking the links, checking the hosting sites' terms of service and requesting that the sites be taken out of service. Within 45 minutes of a new volley of spam, my staff was able to get the porn sites taken down.
The game of spam and site dismantlement went on for about six weeks; then the spam stopped as abruptly as it had started. I believe that our persistence and quick actions drove the spammers away. We just made it too hard to do business with us. It may have seemed to the spammers that using our good name would help get the spam read, but the ploy backfired because we kept knocking down the sites that brought in the money.
If I hadn't been willing to look to others for help, I may never have gotten on the right trail. The FBI and Secret Service were working on the problem behind the scenes, and years later I learned of how widespread the spamming and fraud scams were. Although we received help from the FBI, I believe that by fending for ourselves we discouraged the spammers and drove them away.
In the end, I learned, the decision about outsourcing is not really an either/or one. Even when you outsource, it's wise to stay engaged. Stay open to the idea that others may be better suited to a task than you are, but at the same time, don't abdicate your responsibilities. And never underestimate what you can do for yourself.
Undercover is written anonymously by a real CSO. Send feedback to email@example.com.