Over the last month, the Internet community has been witness to the cessation of services by a number of antispam providers as a result of continual forged email and denial of service attacks.
The most notable of these service closures was that of Osirusoft, distributor of one of the larger open relay blacklists, which resulted in operator Joe Jared adding a blacklist for "the world" in order to highlight the problem facing this service.
Following the closure of this service, a number of other antispam providers, including monkeys.com and compu.net, have been similarly targeted, resulting in service cessation.
Recent reports from Steve Linford of antispam services provider Spamhaus suggest a correlation between the source of these denial of service attacks and Windows machines infected with the SoBig virus. Similar observations have been made by Matt Sergeant of message services provider MessageLabs, who reports that the profile of denial of service attacks against antispam services appears to match that of machines infected with the SoBig virus.
The effect of this concerted effort against antispam service providers has also been experienced by the email verification technology company for which I work, Bluebottle.
Email verification, also known as challenge response, is an antispam technique which requires the original sender of an email message to reply to a one-time challenge issued by the mail recipient prior to the delivery of email. The original email message is only delivered to the mail recipient following the successful fulfillment of the details of the challenge request. The challenge may take the form of necessitating the original sender to reply to a specific email address, click on a Web link, or supply additional information about the intended mail recipient.
This approach to protecting mailboxes against spam has not been without criticism. Some of the major criticisms relate to the additional mail traffic generated by verification requests, the likelihood of misdirected verification requests, and the placing of an additional burden on the mail sender in order to ensure delivery.
Such concerns are valid, and great care must be taken when implementing an email verification system to ensure that the best principles for such systems are adhered to. These principles are outlined in the paper "Proper principles for Challenge/Response antispam systems" by Brad Templeton, Chairman of the Board of the Electronic Frontier Foundation (EFF). They include:
Such concerns were considered and incorporated into Bluebottle, which additionally incorporated tagged addresses, similar to those employed by the Tagged Message Delivery Agent (TMDA), for the handling of verification requests and error mail identification. The result has been an antispam system that has proven to be highly effective at protecting mail accounts in a manner minimizing false-positive attribution of mail messages as spam and recognizing the fundamental issue of spam as consent rather than content.
This, in turn, has appeared to make Bluebottle a target for attack over the last two months by individuals and groups of individuals intent on creating havoc for providers of antispam services. This attack took a similar form to that employed against monkeys.com and compu.net and resulted in ignorant administrators similarly blocking legitimate mail from Bluebottle users as a result of spam sent using forged and non-existent Bluebottle addresses.
This type of attack is known as a "joe job". In it, a spam message is fashioned to appear as if it originated from an different source. The term originated from an attack on Joe Doll, proprietor of Joe's Cyberpost. This Web site, first online in 1994, offered free Web pages to any user who agreed to abide by the rules of conduct, which included "good netiquette when publicizing your page".
In 1996, after terminating a user's account for sending unsolicited messages to newsgroups and email recipients, Joe Doll found that a large number of mail messages were being sent in a manner which made it appear that they originated from his Web site. The result was that he was inundated with complaints from newsgroups and email account holders and was eventually targeted in a Denial of Service (DoS) attack over a period of ten days. Further details on this attack can be found at http://www.joes.com/spammed.html.
As a result of the manner in which the attack was fashioned, in addition to all unsolicited email appearing to be from Bluebottle, all bounce messages from undeliverable addresses were similarly returned to the Bluebottle mail servers. This, combined with the roll that tagged addresses play in the Bluebottle system, led to a scenario in which significant delays were encountered in normal mail delivery. The number of bounce messages returned to the Bluebottle mail servers and the load which this placed on normal mail processing became so great that Bluebottle was required to disable all mail verification on user accounts in order to allow the delivery of normal mail in a timely fashion.
This incident highlights the core issue faced by email verification services, the requirement to balance the cost of processing mail messages in a timely and centralized fashion while still ensuring that the best principles associated with email verification implementation are adhered to.
In the case of Bluebottle, in which the message load increased as the result of a concerted effort by those intent on interfering with the operations of antispam providers, the time cost of processing these messages was too great to bear. The result was an untenable situation in which Bluebottle was faced with either delaying normal user mail by unacceptable standards or disabling email verification. The latter option was chosen in order to ensure that while potentially allowing unwanted and unsolicited messages, Bluebottle users could also receive their normal mail messages in a timely fashion.
The positive outcome of this incident is a better appreciation of the work the email verification community still needs to do. Development work is currently being performed to improve the structure of the Bluebottle email verification technology and provide a more scalable platform upon which a consent-based spam protection system can be based. This work includes:
Furthermore, where the querying of such backend data stores is considered "time expensive", the establishment of asynchronous querying allows mail message processing to continue while awaiting the return of information from these data stores. The efficiency of such a technical implementation can be further optimized by the incorporation of results caching for address filtering and permissive control at the level of the SMTP mailer.
With the level of unsolicited and unwanted mail messages on the Internet growing, such an understanding of email verification technology will be critical for any consent-based spam protection system to succeed.