Trends Quarantining Infected Users to Secure the Internet Ecosystem, Microsoft By Desmond Liao | 3 minute read At the RSA Conference 2011, Microsoft’s Scott Charney gave a talk proposing that ISPs should quarantine compromised customer accounts that are spewing spam. Charney argues that this can be done with existing technology using a system that checks a computer’s “health” before granting unfettered access to the Internet. In general, we think this approach is a good idea, but as with many “big picture” security ideas it has a few flaws. The main flaw is, how do you know that a system is clean? Perfectly clean systems can be infected with zero-day malware and begin spewing out spam and malware on a moment’s notice. What value would the health certificate have in this case? Another flaw is that the security certificate system would have to be “signed” by someone. Who would create certificates, and how would the Internet community know that they can be trusted? Fortunately, because compromised computers tend to be used for spamming and other obvious network-borne attacks, there is an easier and immediately implementable solution that doesn’t require certificates to provide great protection to the Internet community. The solution involves monitoring the external behaviour of machines through network sensors and filters, and then clamping down on a machine’s access to Internet resources (i.e. bandwidth and ports). MailChannels specializes in outbound spam filtering, so we can comment on detecting spam in the network. But other companies offer solutions for detecting other kinds of nefarious activity – particularly the accessing of botnet command and control systems. If you’re not familiar with what we do, consider this a quick refresher. Or, if you’re interested in understanding more about how to protect the reputation of networks from compromised customer accounts sending spam, please read on. Outbound Filtering According to reputation security networks, most ISPs in the world have a chunk of IP addresses that are bad – some even as high as 99%. When you take a closer look at “Poor” addresses, we find many of them are listed on blacklists. Anyone sending email from within these IP ranges will be blocked by most of the Internet. Outbound spam filtering allows ISPs to take immediate action within seconds, and completely automate the process of improving your reputation before botnet infections get you blacklisted. Transparency Our outbound spam filtering operates transparently so you can deploy without major configuration changes. It transparently intercepts all port-25 traffic coming out of the network, and passes the traffic through one or multiple content filters from leading vendors. SMTP AUTH and SSL encryption is fully supported so the privacy of conversations are respected. — How are you identifying fraudulent customer accounts?