Manage Learn to apply best practices and optimize your operations.

Preventing spam bots from hijacking an enterprise network

According to security expert Michael Cobb, the likelihood of your enterprise being compromised by a botnet is not a question of if, but when. In this Messaging Security School tip, Cobb discusses how spammers use botnets to corrupt enterprise systems, and offers advice on how security pros can thwart their attacks. Security School
This tip is part of's Messaging Security School lesson, Spam 2.0: New threats and new strategies. Visit the Spam 2.0: New threats and new strategies lesson page for related materials, or visit the Security School Course Catalog for more learning content.

Despite Bill Gates' assertion in 2004 that the problem of spam would be solved by now, it's still with us. In fact, it's on the increase. According to recent figures from Symantec, 61% of emails are spam, and almost 90% of emails emanating from some countries are spam.

This deluge of unwanted and often malicious email can cost businesses dearly. Not only does spam negatively affect employee productivity, but it also consumes bandwidth and other network resources. Backup times and storage requirements can also increase considerably, but it gets worse. If an organization's network is hijacked by spammers, it can lead to a loss of reputation and even Internet connectivity.

A big problem for spammers is that if they send large amounts of spam from a single computer, the unusual volume of mail will be detected by the ISP, which will takes steps to block the IP of the computer they're using. Therefore spammers have turned to using botnets. Botnets have become one of the main vehicles used by spammers to send spam. Keeping your network clear of botnets is critical not just for your own security, but for the security of others as well. Let's examine how network administrators can prevent their networks from being hijacked to relay spam to the rest of the Internet.

A botnet is a collection of computers, also known as zombies or robots, that can all be controlled remotely by one person. This control is achieved by installing malicious software on a PC via illicit means, such as a virus or email attachment. Bots are generally versatile and can have the ability to log keystrokes, capture and analyze data packets, launch denial-of-service attacks and relay spam. A spammer who has command and control over a botnet can send messages from thousands of computers. This makes their activity hard to detect, since each zombie sends just a few messages at a time.

For more information:
In this Q&A, Ed Skoudis examines whether or not peer-to-peer (P2P) botnets can be detected.

In this tip, contributor Scott Sidel discusses how the open source tool SpamAssassin can eliminate the threat of spam email attacks.

Learn how antispam filters can help to solve the image spam problem.
The key to preventing spammers from using the computers on a network is to prevent them from infecting and press-ganging users' PCs into their botnets. It goes without saying that servers and client machines should be hardened and patches should be kept up-to-date. Unpatched or noncompliant computers put every network user at risk. Antivirus software should be installed on gateways and desktop computers.

Because users can introduce vulnerabilities into a network, it's important to educate them about how to protect their systems from malware, highlighting the importance of their role in the security of the network. This should be backed up by a "closed by default, open by exception" methodology, whereby users can install only the programs required to do their jobs.

Portable devices like USB keys can also introduce malicious programs, so these too need to be strictly controlled. A secure network must also include computers used by remote users. Network access control (NAC) technology should be used to ensure that only machines that comply with corporate security policies can access the network.

Even with these preventative measures in place, administrators must review logs from firewalls, intrusion detection systems, DNS servers and proxy servers. Signs of abnormal behavior can be a sign of an infection. Bots can choose any port that they want to communicate over, so look for outbound SMTP connection attempts or abnormal traffic loads on non-standard ports. Administrators should introduce strict inbound and outbound filters. Restricting outbound connections will prevent any bots from "phoning home". That way even if a bot finds its way in, it is relatively harmless if it can't communicate with its controller.

Unfortunately bots are not the only method spammers use to distribute spam. Email injection attacks often go unnoticed until antispam filters blacklist a server's IP address. If a company has an email form on its Web site, such as a feedback or contact forum, it basically acts like an SMTP proxy. Spammers try to hijack it by manipulating the mail headers, turning it into a spam relay. This attack can potentially work on any email script that fails to validate the user data it receives.

To ensure your email forms are not open to abuse, your script should:

  • Assume all data is from an untrusted source;
  • Validate all input for type, length, format and range;
  • Accept only data that is deemed valid and reject everything else;
  • Remove any line feeds or carriage returns;
  • Validate using a trusted server or application.

The war against spam, phishing scams and other email-related security issues is nowhere near over, but you can play your part in the battle. The US-CERT contends that the likelihood of becoming compromised by a bot or email injection attack is not a question of if, but when. It's critical to stay abreast of the latest research and advice on bots and have an incident response policy prepared to minimize the damage of a bot invasion.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several Security Schools and, as a site expert, answers user questions on application security and platform security.

This was last published in November 2007

Dig Deeper on Email and Messaging Threats-Information Security Threats