We recently implemented our transparent outbound spam protection solution with a provider of “cloud” or “virtual” hosting services. This article anonymously discusses some of the interesting results and observations we can make regarding their outbound spam problem, and ways that outbound anti-spam filters can help.
We normally think of spam as originating from “botnets” of compromised personal computers. This is not a bad assumption to make, because it seems the majority of the world’s 300B spam messages do in fact still originate from compromised PCs. But botnets are not the only game in town. In fact, the emergence of cloud hosting services such as Amazon EC2, Rackspace Cloud, and others has provided a powerful, easy-to-use new platform for spammers to abuse. A cloud service typically provides a given unit of CPU, hard disk, and network resources at an hourly or monthly rental rate. In practice, this means a Linux machine instance hosted within a virtual machine of some sort. The cloud service provider chops up thousands of physical machines, hard disks, etc., essentially selling them piecemeal to customers to reap a return on their capital investment. Here’s how spammers abuse cloud services:
The blobs in red indicate steps taken by the spammer, and the consequences of spamming. The blobs in blue indicate the hosting provider’s steps. Here’s the process in plain English:
For spammers, the cloud hosting environment is in many ways superior to using a botnet, and in some ways is inferior. The superior features of a cloud hosting environment include:
As a result, we can observe some marked differences between spam that is delivered from cloud hosting networks versus spam that is delivered via a botnet. To illustrate, let’s look at a couple of graphs to show how hosting networks are “24×7” whereas ISP networks operate mostly in the daytime – essentially giving a 16-hour advantage to the hosting networks as a spamming platform. First, here is a graph showing the diurnal (i.e. daytime-only) nature of SMTP traffic from an ISP’s subscriber network:
This data is from a customer in Asia, so the time zone shifts things a bit to the right of where they would be if they were in our time zone here in Vancouver, Canada, but you get the idea. People don’t generally have their computers turned on at night, and as a result, the spammers don’t have access to them to send email. In fact, this customer is located in a developing nation in Asia, where the daytime/night-time difference is even more dramatic than with ISPs in developed countries (because there literally isn’t power at night). Now, let’s look at a graph from a cloud hosting network:
The hosting provider’s network sends email 24×7. The spikes in traffic show times when a single machine leveraged the enormous capacity of a cloud hosting instance to establish upwards of 8,000 SMTP connections per second.
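As an added example (not part of the original article or the vendor’s product), here is a small Python detector that runs over constructed outbound SMTP connection log lines and computes the two signals discussed above: the share of connections opened overnight, which separates a diurnal subscriber network from a 24×7 hosting network, and per-source connection-rate spikes of the kind a single hosting instance produces. The log format, the night window and the threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (not real data): one line per outbound SMTP connection,
# "ISO-timestamp source-ip", as a hypothetical egress-firewall log might record it.
SAMPLE_LOG = """\
2010-03-01T02:00:01 10.0.0.5
2010-03-01T02:00:01 10.0.0.5
2010-03-01T02:00:01 10.0.0.5
2010-03-01T02:00:02 10.0.0.5
2010-03-01T09:15:00 10.0.0.7
2010-03-01T14:20:30 10.0.0.9
2010-03-01T22:45:00 10.0.0.7
"""

def parse_log(text):
    """Return a list of (datetime, source_ip) pairs from the constructed format."""
    events = []
    for line in text.splitlines():
        ts, ip = line.split()
        events.append((datetime.fromisoformat(ts), ip))
    return events

def hourly_profile(events):
    """Connections per local hour of day (24 buckets); a subscriber network is
    expected to be near zero overnight, a hosting network roughly flat."""
    profile = [0] * 24
    for ts, _ in events:
        profile[ts.hour] += 1
    return profile

def night_share(profile, night_hours=range(0, 6)):
    """Fraction of all connections opened in the night window (assumed 00:00-05:59)."""
    total = sum(profile)
    return sum(profile[h] for h in night_hours) / total if total else 0.0

def connection_spikes(events, per_second_threshold):
    """Peak connections-per-second for each source that reaches the threshold,
    i.e. a single instance opening connections far faster than the rest."""
    per_second = Counter((ip, ts.replace(microsecond=0)) for ts, ip in events)
    peaks = {}
    for (ip, _), n in per_second.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: n for ip, n in peaks.items() if n >= per_second_threshold}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("night share:", round(night_share(hourly_profile(ev)), 2))
    print("spiking sources:", connection_spikes(ev, per_second_threshold=3))
```

On a real egress log the threshold would be set from the network’s own baseline rather than the tiny value used here for the sample.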
Spammers threaten the viability of cloud hosting infrastructure by abusing these services and generating excessive customer support and fraud-mitigation costs. Having now seen a good sample of traffic from cloud hosting networks and comparing that against traffic from ISP networks, I think we can make the following recommendations to cloud hosting providers: