How Legitimate IP Addresses Get Blacklisted

“I’m Not a Spammer, so why is my IP Address Blacklisted?”

Every day, legitimate email users find their outbound mail blocked by recipient mail servers that use blacklists (also called blocklists or RBLs) to reject spam. Most of these users are shocked to find their IP addresses on a list alongside the addresses used to flood the world's inboxes with spam and malware. News of the listing stirs up fear, anger, and righteous indignation. "How can we be on a blacklist when we don't spam?" they ask. That is a fair question: how do business mail IP addresses operated by non-spammers end up on legitimate, targeted spam blacklists (lists that record IP addresses which have recently sent spam, as opposed to lists that include large address ranges by default)? Simple…by spamming.

"What," you ask, "a non-spammer that doesn't spam gets listed on a spam blacklist for spamming?" Yes. For years, spammers have hijacked mail servers and other computers to send spam. The spammer's strategy has always been to find a quiet, undefended spot on someone else's network from which to send spam and perform other illicit acts without detection. A recent case from one of our clients provides a real-life illustration of how this works.

Spammers Hide Clever Tools Where You Least Expect

This particular client (who will remain unnamed) runs an email server as well as an internal document server. They use an enterprise-grade spam and virus filter and are relatively proactive in managing their network for security risks. Despite these efforts, a spammer managed to install a mass-mailer program on the client's document server. How the spammer bypassed the client's defenses remains unanswered; the payload was most likely delivered via a malware-infected website. Anti-virus or application-control software that blocks unknown executables from running without administrative approval would likely have stopped it, but the document server had no anti-virus software running at all. What matters most, though, is where the spammer put the program and what the program did.

The program was a modified version of a commercial mass-mailing program known as Advanced Mass Sender 4.3 (published by KBB Software). Our client forwarded this screenshot after discovering the program on the document server:

Botnet Mass Mailer Screenshot

The program is marketed as a powerful email marketing tool, developed to manage and send large quantities of email to a large number of recipients quickly and affordably. Its advertised features include:

  • Built-in SMTP server: powerful, supporting packet-sending of emails without using your provider's SMTP server, which allows you to send up to 500 emails a minute using a modem. The unique ability to send through several SMTP servers simultaneously allows you to send up to 1,500 emails a minute using a fast connection.

  • Support for large sender lists: 200,000+ addresses per group.

  • Support for proxy servers.

The spammer installed the program on a document server, a machine with no mail role that most network administrators would never associate with email. But because the program carries its own SMTP engine, it needs no mail server: the spammer was able to send a high volume of spam directly from the document server, 40,000 messages in total at a rate of 1,500 per minute. (Note: these volumes indicate that the perpetrator was not particularly sophisticated compared to other bot herders. Most spammers today prefer to send low volumes from many machines to avoid detection.)

The Fallout from Hosting a Spammer

The client's public IP address was blacklisted instantly on five widely used blacklists. Fortunately, we handle the client's outbound mail flow through our secured connections, so the blacklist listings did not affect their ability to send email. Had they been sending outbound email from their own IP address, most major ISPs and many business mail servers would have rejected it. And had their local service provider noticed the traffic coming off its network, it likely would have blocked all SMTP traffic from the client, causing a catastrophic email failure.

This particular client is proactive and technically savvy, so they quickly determined that something was wrong on their network, found the problem, and shut it down. But what if they had not been so fast? What if they did not use our outbound mail filtering service? The consequences could have been devastating: not only would they have inadvertently contributed to the global spam scourge, they would also have suffered a near-total loss of outbound email due to large-scale blacklist listings.
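The listing mechanics behind the "five widely used blacklists" above, as an added example that is not the page's own code or a product of the author's company: how a recipient mail server (or you, checking your own public address) queries a DNS-based blocklist. The zone names, the 127.0.0.x answer values and the canned resolver answers are constructed placeholders; real zones and their listing codes differ, and a live query goes through the system resolver instead.

```python
"""Query DNS-based blocklists (DNSBLs, also called RBLs) for an IPv4 address.

A recipient mail server checks a connecting IP by reversing its octets and
appending the blocklist zone: 203.0.113.7 against dnsbl.example becomes the
DNS name 7.113.0.203.dnsbl.example. An A record inside 127.0.0.0/8 means
"listed" (the last octet often encodes why); NXDOMAIN means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Assumed placeholder zones; substitute the blocklists your recipients consult.
DNSBL_ZONES = ("dnsbl.example", "spam.example.net")

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolver(name: str) -> Optional[str]:
    """Resolve with the system resolver; None stands for NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listing_code(ip: str, zone: str, resolver: Resolver = live_resolver) -> Optional[str]:
    """Return the 127.x.y.z answer if the zone lists the IP, else None."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    # Listings live in 127.0.0.0/8 by convention; anything else is not a verdict
    # (some zones answer outside that range to signal errors or rate limiting).
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def check_ip(ip: str, zones=DNSBL_ZONES, resolver: Resolver = live_resolver) -> Dict[str, Optional[str]]:
    """Check one IP against every zone; maps zone -> listing code or None."""
    return {zone: listing_code(ip, zone, resolver) for zone in zones}


# Constructed answers standing in for live DNS so the example runs offline.
FAKE_DNS = {
    "7.113.0.203.dnsbl.example": "127.0.0.2",
    "7.113.0.203.spam.example.net": "127.0.0.4",
    "1.100.51.198.spam.example.net": "10.0.0.1",  # non-127 answer: no verdict
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.1"):
        for zone, code in check_ip(ip, resolver=fake_resolver).items():
            print(f"{ip:15} {zone:20} {'LISTED ' + code if code else 'not listed'}")
```

To run this against real blocklists, pass their zone names and leave the resolver at `live_resolver`. Query from your own recursive resolver rather than a shared public one: several blocklists rate-limit or refuse queries from heavily shared resolvers, and the non-127 answer handling above is what keeps such a refusal from being mistaken for a listing. Checking your own outbound address this way on a schedule is the cheapest early warning that something on your network has started spamming.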

How to Protect Yourself

There are several lessons to take from this case:

1) Spammers can use any part of your network that is connected to the internet to send spam, whether or not it is part of your email system.

2) Even well-defended networks can fall victim, which is why you have to move from a well-defended network to an extraordinarily well-defended one. Block threats at every potential entry point, not only the most common ones.

3) Constantly monitor your network for intrusions and infections, including outbound SMTP connections from hosts that have no business sending mail.

This case certainly does not resemble every bot infection, but it is a real-world illustration of how an infection can occur.
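Lessons 1 and 3 in practice, as an added example that is not part of the original post: a check that parses outbound firewall connection logs, flags any internal host other than the mail server that opens SMTP connections, and flags per-minute bursts like the 1,500-per-minute run described above. The netfilter-style log lines, the mail server address 10.0.0.5, the document server 10.0.0.25, the destinations and the burst threshold are all constructed assumptions for this example.

```python
"""Find hosts that open outbound SMTP connections but are not the mail server,
and flag per-minute bursts, from firewall connection logs.

Log format assumed: Linux netfilter/iptables LOG lines. Only SYN packets are
counted so that each connection attempt is counted once.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

AUTHORIZED_SMTP_SOURCES: Set[str] = {"10.0.0.5"}  # assumption: the site's real mail server
SMTP_PORTS = {25, 465, 587}
BURST_THRESHOLD_PER_MIN = 100  # assumption: derive from your own baseline outbound volume

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}):\d{2} \S+ kernel: .*?"
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) .*?"
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


class SmtpAttempt(NamedTuple):
    minute: str  # timestamp truncated to the minute, used as the burst bucket
    src: str
    dst: str
    dpt: int


def parse_smtp_attempts(lines: Iterable[str]) -> List[SmtpAttempt]:
    """Keep only new TCP connections to an SMTP port."""
    attempts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dpt = int(m["dpt"])
        if dpt in SMTP_PORTS:
            attempts.append(SmtpAttempt(m["ts"], m["src"], m["dst"], dpt))
    return attempts


def find_unauthorized_senders(attempts: Iterable[SmtpAttempt]) -> Dict[str, int]:
    """Hosts other than the mail server that opened SMTP connections, with counts."""
    return dict(Counter(a.src for a in attempts if a.src not in AUTHORIZED_SMTP_SOURCES))


def find_bursts(attempts: Iterable[SmtpAttempt], threshold: int = BURST_THRESHOLD_PER_MIN) -> Dict[Tuple[str, str], int]:
    """(source, minute) pairs at or above the threshold; this catches the mail server too."""
    per_minute = Counter((a.src, a.minute) for a in attempts)
    return {key: n for key, n in per_minute.items() if n >= threshold}


def constructed_log() -> List[str]:
    """Constructed sample log: normal relay traffic plus a document server blasting SMTP."""
    tmpl = ("Mar 10 14:{min:02d}:{sec:02d} gw kernel: FW-OUT IN=eth1 OUT=eth0 "
            "SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID={id} DF "
            "PROTO=TCP SPT={spt} DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")
    lines = []
    for i in range(3):  # the mail server relaying a few messages
        lines.append(tmpl.format(min=2, sec=10 + i, src="10.0.0.5", dst="203.0.113.9",
                                 id=100 + i, spt=40000 + i, dpt=25))
    # a mid-stream packet from the mail server (ACK, not SYN): must not be counted again
    lines.append(tmpl.format(min=2, sec=14, src="10.0.0.5", dst="203.0.113.9",
                             id=150, spt=40000, dpt=25).replace("SYN", "ACK"))
    # a workstation browsing: not SMTP, ignored
    lines.append(tmpl.format(min=2, sec=15, src="10.0.0.40", dst="198.51.100.20",
                             id=200, spt=41000, dpt=443))
    for i in range(150):  # the compromised document server hitting many MXs in one minute
        lines.append(tmpl.format(min=3, sec=i % 60, src="10.0.0.25",
                                 dst="203.0.113.{}".format(10 + i % 20),
                                 id=300 + i, spt=50000 + i, dpt=25))
    return lines


if __name__ == "__main__":
    found = parse_smtp_attempts(constructed_log())
    print("unauthorized SMTP sources:", find_unauthorized_senders(found))
    print("bursts:", find_bursts(found))
```

The natural complement on the firewall is egress filtering: permit outbound TCP/25 only from the mail server and log-and-drop it from everything else. With that rule in place the document server in this story could not have delivered a single message, and the first log line it produced would have been the alert.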
