All about TLS-encrypted spam: Part 1
By Ken Simpson | 3 minute read

Encrypted spam is on the rise
In mid-December we noticed a substantial increase in the percentage of encrypted SMTP sessions exiting the networks for which we provide transparent outbound spam filtering. Working with our colleague Terry Zink at Microsoft (blog), we found that the increase in TLS was almost solely the result of a change in the way the Rustock botnet operates.
Legitimate email users normally use TLS when connecting to external mail relays to submit mail. Port 587 (the message submission port) is the better choice for this, but many users still contact their corporate and other outbound mail servers on port 25 and negotiate TLS on that connection (via STARTTLS) to prevent snooping on, or modification of, message content.
But why?
But why would spammers want to use TLS? At first glance it seems a wasteful expenditure of CPU resources to encrypt each SMTP connection, and we can find no evidence that TLS-encrypted messages receive priority treatment on receiving systems.
Our theory
Well, I have a theory. As MailChannels and others increasingly deploy transparent SMTP filtering systems such as Traffic Control, spammers are increasingly unlikely to get their email delivered if its content can be inspected as it flows out of the source network. Systems like Traffic Control intercept the spam in transit, read its content, and apply filtering techniques to discard it so that it never reaches its intended destination.
By encrypting their SMTP connections, the authors of the Rustock botnet have bought themselves a healthy advantage against these outbound filtering systems, which can no longer inspect the message content because it is encrypted. What remains visible to an in-path filter is the connection itself: the destination address, the volume and rate of connections, and the few SMTP commands exchanged before STARTTLS takes effect.
What percentage of spam is TLS-encrypted?
So now let me share some data to illustrate just how large a problem this has become. Looking at a slice of the traffic emanating from one of the world’s largest carriers, we now see more TLS-encrypted SMTP traffic than unencrypted, as shown in the following chart of last week’s data:

Who gets the most TLS-encrypted spam?
Looking at the most-spammed Class C (/24) subnets over the last few minutes reveals a few familiar victims and some “noise” entries such as Fidelity National Financial:
- Google Postini
- Google Postini
- Google Postini
- Trend Micro
- Google Postini
- Google Postini
- InfoCrossing (WiPro)
- Fidelity National Financial
- InfoCrossing (WiPro)
- Google Postini
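As an added illustration (not MailChannels’ or Traffic Control’s code), the following Python script shows what an in-path outbound filter can still read once STARTTLS succeeds, computes the share of sessions that negotiated TLS, and ranks the most-targeted destination /24 blocks, which is the view the list above is drawn from. The session transcripts, hostnames and addresses are constructed for the example (RFC 5737 documentation ranges), not captured traffic.

```python
"""Tally STARTTLS use in outbound SMTP sessions from the part of each
dialogue a transparent filter can still read.

Added example, not MailChannels or Traffic Control code. The sessions
below are constructed: the addresses are RFC 5737 documentation ranges
and the dialogues are typical SMTP exchanges, not captured traffic.
"""
from collections import Counter
from ipaddress import ip_network


def parse_session(dialogue):
    """Return (tls_negotiated, client_commands_seen_in_clear).

    Lines are 'C: ' (client) or 'S: ' (server). Once the server answers
    STARTTLS with a 220, the rest of the session is ciphertext on the
    wire, so parsing stops there: that is all an in-path filter can read.
    A refused STARTTLS (e.g. 454) leaves the session in cleartext.
    """
    commands, in_data = [], False
    for raw in dialogue.splitlines():
        line = raw.rstrip()
        if in_data:                       # message body, not a command
            if line == "C: .":
                in_data = False
            continue
        if line.startswith("C: "):
            verb = line[3:].split(" ", 1)[0].split(":", 1)[0].upper()
            commands.append(verb)
            if verb == "DATA":
                in_data = True
        elif line.startswith("S: ") and commands and commands[-1] == "STARTTLS":
            if line[3:].startswith("220"):
                return True, commands     # TLS accepted: nothing more to see
    return False, commands


def tls_share(sessions):
    """Fraction of sessions in which STARTTLS was accepted."""
    if not sessions:
        return 0.0
    return sum(1 for s in sessions if parse_session(s["dialogue"])[0]) / len(sessions)


def top_destination_blocks(sessions, tls_only=True, n=10):
    """Most-targeted destination /24s (the 'Class C' view used in the post)."""
    blocks = Counter()
    for s in sessions:
        tls, _ = parse_session(s["dialogue"])
        if tls_only and not tls:
            continue
        blocks[str(ip_network(s["dst"] + "/24", strict=False))] += 1
    return blocks.most_common(n)


# --- constructed sample transcripts (not real traffic) -------------------
GREETING = "S: 220 mx.example.net ESMTP\nC: EHLO pc-1234.example.org\n"
PLAIN_TAIL = (
    "C: MAIL FROM:<sender@example.org>\n"
    "S: 250 OK\n"
    "C: RCPT TO:<victim@example.net>\n"
    "S: 250 OK\n"
    "C: DATA\n"
    "S: 354 End data with <CR><LF>.<CR><LF>\n"
    "C: Subject: cheap pills\n"
    "C: \n"
    "C: buy now\n"
    "C: .\n"
    "S: 250 Queued\n"
    "C: QUIT\n"
)
# STARTTLS accepted: everything after the 220 is ciphertext on the wire.
TLS_DIALOGUE = GREETING + "S: 250-mx.example.net\nS: 250 STARTTLS\nC: STARTTLS\nS: 220 Ready to start TLS\n"
# No STARTTLS at all: the whole message is inspectable.
PLAIN_DIALOGUE = GREETING + "S: 250 mx.example.net\n" + PLAIN_TAIL
# STARTTLS offered but refused: the client falls back to cleartext.
REFUSED_DIALOGUE = GREETING + "S: 250-mx.example.net\nS: 250 STARTTLS\nC: STARTTLS\nS: 454 TLS not available\n" + PLAIN_TAIL

SESSIONS = [
    {"dst": "203.0.113.5",   "dialogue": TLS_DIALOGUE},
    {"dst": "203.0.113.77",  "dialogue": TLS_DIALOGUE},
    {"dst": "198.51.100.20", "dialogue": TLS_DIALOGUE},
    {"dst": "198.51.100.21", "dialogue": PLAIN_DIALOGUE},
    {"dst": "203.0.113.9",   "dialogue": PLAIN_DIALOGUE},
    {"dst": "198.51.100.30", "dialogue": REFUSED_DIALOGUE},
]

if __name__ == "__main__":
    print("TLS share: %.0f%%" % (100 * tls_share(SESSIONS)))
    print("most-targeted /24s (TLS sessions):", top_destination_blocks(SESSIONS))
    print("visible in a TLS session:", parse_session(TLS_DIALOGUE)[1])
```

Run over these constructed sessions the script reports a 50% TLS share and lists the two /24s hit by encrypted sessions; for an accepted STARTTLS it records only EHLO and STARTTLS as the commands a filter ever saw, while the refused session falls back to cleartext and exposes MAIL, RCPT and the DATA body as usual. This is why the share of encrypted sessions can still be measured, and destination blocks still ranked, even though the content of those sessions cannot be read.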