Ever wonder why so much spam exists today? By some estimates, more than 100 billion spam messages are sent every day. This represents around 85 percent of global daily email traffic. Some of the most common types of spam messages include financial scams, phishing attempts, ransomware, and botnet malware. In this article, we focus primarily on botnets.
Spam is big business. The barriers to entry are low and the payoffs are high. If a spammer sends out 50,000 spam messages, but only a handful of users click on a link in one of these messages, the spammer’s efforts will likely have paid off.
A single spammer may not have the resources to send out a large-scale spam attack, however, a spammer’s job is made much easier by the use of botnets – networks of hundreds or even thousands of malware-infected computers (known as spambots) that can be remotely controlled over the internet. Similar to legitimate cloud services such as Amazon’s AWS, a botnet-for-hire provides individuals with ample cloud-based resources to carry out large-scale spam campaigns with very little effort.
According to Spamhaus, the top five countries with the most spambots are India, Vietnam, China, Iran, and Brazil. As of May 23, 2016, India had close to 2 million spambots!
The botnet-for-hire industry is a growing industry that makes it easy for anyone to send out thousands of spam messages using the botnet as the attack vector.
In addition to sending out spam, botnets can be used to launch DDoS attacks by flooding a company with thousands of connections over a short period of time – in an effort to try to shut down a company’s network or to damage its reputation.
User education is likely the most important factor in preventing a computer from becoming a spambot. The following are a few guidelines that every email user should know by now.
- Never open an email from an unknown source.
- Never open an attachment from an unknown source.
- Even if the sender appears to be someone you know, always verify – because spammers often forge the sender’s address.
- Use anti-virus software on your local computer.
- Learn how to recognize phishing
- Messages that contain threats to shut your account down
- Requests for personal information such as passwords or Social Security numbers
- Words like “Urgent” – portraying a false sense of urgency
- Forged email addresses
- Poor writing or bad grammar
- Don’t give your email address to sites you don’t trust.
- Don’t post your email address to public websites or forums.
- Understand that reputable businesses will never ask for personal information via email.
Spambot Detection in MDaemon
The information provided above applies primarily to end users, but what actions can be taken by the mail server administrator to detect and prevent spambot activity? While MDaemon has many spam-fighting features, MDaemon 16 includes tools to detect spambot activity and block it from further communication with your server. This new feature is called Spambot Detection. Spambot Detection tracks the IP addresses that every return-path value (sender) uses over a period of time. If the same return-path is used by multiple IP addresses (more than can be expected from users switching between their computers and mobile devices) in a given timeframe, then it’s possible that this activity is being generated by a spambot. Of course, it’s also possible that this activity is completely legitimate. However, in some cases, tests have shown that this can be an effective tool at detecting a distributed spambot network as long as the same return-path is used in the spam messages. If a spambot is detected the connection is dropped and the return-path value is optionally blacklisted for a designated period of time. You can also optionally blacklist all known spambot IPs for a designated period of time.
As with most MDaemon security features, various settings allow you to bypass Spambot Detection for mail from trusted sources. You can exempt specific IPs, senders, and recipients from Spambot Detection using the White list feature, and exempt connections from authenticated sessions or trusted IPs. Click on the Advanced buttons to view a list of return-paths or IPs that are currently blocked. If a return-path or IP is blocked by mistake, you can easily remove it from the list.
We demonstrate how to configure Spambot Detection in this tutorial video.
Spammers are always coming up with new ways to spam users. That’s why user education and a properly configured mail server are equally important in the war against spam.
Spambot Detection is one more tool in MDaemon’s arsenal of anti-spam and security features. When these features are enabled, MDaemon can help protect your users and your business from spam, phishing attempts, and malware. For more information on protecting your MDaemon server, check out our knowledge base article on recommended MDaemon security settings.
If you’re not yet an MDaemon user, and would like to take advantage of its robust security and anti-spam features, click here to download your free trial!