ISPs Under Pressure To Crack Down On Bots And Spam

The problem of customers' compromised computers sending spam can dramatically impact an ISP's bottom line, according to a survey by Osterman Research released today: Nearly 40 percent of ISPs had their IP addresses blacklisted by the Real Time Blackhole Lists (RBLs) in the past year. A blacklisted mail server could lead to dropped e-mail -- and an increase in support calls to the ISP.

The outbound spam issue highlighted by the report is one example of the business issues that compromised computers pose for ISPs. One in six providers spends more than $100,000 attempting to prevent outbound spam from impacting their business, according to the report, which was funded by e-mail security service CommTouch.

"I haven't found a service provider that does not have at least a couple of people tasked with dealing with outbound spam," says Asaf Greiner, vice president of product for CommTouch. "If you don't deal with outbound spam, you run the risk of having your IPs blocked."

Nearly half of respondents said outbound spam adds to their costs of doing business, wastes time for the IT departments, damages their reputations, and affects their customers' service levels.

The outbound spam problem is just one way Internet service providers are being driven by regulatory and market forces to pay more attention to the security of their customers' networks. Some Internet service providers have already embarked on initiatives to clean the traffic flowing through their systems. ISPs in Australia, for instance, have signed an agreement to notify consumers if a PC is compromised by malicious software. Those ISPs could curtail the compromised computer's bandwidth to slow the spread of harmful code. In the Netherlands, more than a dozen ISPs have agreed to exchange information about security issues, notify users if their system is compromised, and block traffic from infected systems, essentially quarantining users.

"I am a firm believer in the role of ISPs helping to protect customers against security threats," said Jose Nazario, senior researcher at network security firm Arbor Networks, in a recent interview. "It needs to go beyond the practices that we have seen in the past, beyond blocking traffic and protecting the network, to protecting customers themselves. If they are spamming the network, they are going to get their traffic dropped. That is a significant business impact."

ISPs' security measures, however, have to strike a delicate balance: Block too many compromised users and the support calls could beggar the business, but block too few and the ISP runs the risk of government intervention or being added to the blacklists. A single customer call can cost an ISP as much as the profit from the customer over two years, says Nazario.

Yet if large ISPs tackle the issue of compromised computers in their networks, the problem of spam is solvable, according to a paper presented this week at the Workshop on the Economics of Information Security. Researchers from Delft University of Technology in the Netherlands, Michigan State, and Trend Micro found that two-thirds of compromised IP addresses were located in the networks of the top 200 ISPs. The research analyzed more than 63 billion unsolicited e-mail messages during a four-year period, finding more than 138 million unique sources of spam. By correlating the source IP addresses with the networks maintained by Internet service providers, the researchers discovered that a small number of networks were responsible for the majority of spam. The top 50 networks, for example, accounted for more than half of all compromised IP addresses.

Convince those 50 ISPs to solve their customers' security problems, and you can make a significant dent in spam, says Michel van Eeten, professor of public administration at Delft University of Technology and one of the paper's authors.

"Those 50 ISPs ... are the ones we deal with every day, and so are more approachable and are in the reach of government," he says.

Yet a large problem for regulators and consumers alike is how to measure the effectiveness of ISPs' efforts to secure their networks. Internet service providers tend to pledge to clean up their networks, but in reality their efforts fall short. One large ISP, for example, removed 1,000 infected systems a month from its network, but it likely had 40,000 to 200,000 compromised computers sending out spam, van Eeten says. The gap between ISPs' promises and actions makes it difficult for companies and consumers to gauge which ones are taking security seriously, he says.

"There is no way for a consumer to assess any of the claims that a particular ISP cares about its security," van Eeten says.

Van Eeten and other researchers are attempting to create technology that can track ISPs efforts in tackling spam. If successful, such an effort could make the Internet less friendly for spammers.

"It is not about blocking the spam, but blocking the spammers," CommTouch's Greiner says. "Prevent their message from going out on your network, and you hurt their business."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.