All about TLS-encrypted spam: Part 1

By Ken Simpson | 3 minute read

A US Navy WAVE sets the Bombe rotors prior to a run

Encrypted spam is on the rise

In mid-December we noticed a substantial increase in the percentage of encrypted SMTP sessions exiting the networks for which we provide transparent outbound spam filtering. Working with our colleague Terry Zink at Microsoft (blog), we found that the increase in TLS was almost solely the result of a change in the way the Rustock botnet operates.

TLS is normally used by legitimate email users to connect to external mail relays for the purpose of delivering mail. Even though it is preferable to connect using port 587 (the message submission port), many users still contact their corporate and other outbound mail servers on port 25, and encrypt these connections using TLS to prevent snooping on or modification of message content.

But why?

But why would spammers want to use TLS? It seems at first glance to be a wasteful expenditure of CPU resources to encrypt each SMTP connection, and there is no evidence that we can find that suggests TLS-encrypted messages receive priority treatment on receiving systems.

Our theory

Well, I have a theory. As MailChannels and others increasingly deploy transparent SMTP filtering systems like Traffic Control, spammers are increasingly unlikely to succeed in getting their email delivered if the content can be inspected as it flows out of the source network. Systems like Traffic Control intercept the spam, read its content, and then apply filtering techniques to get rid of it so that it never even reaches its intended destination.

By encrypting spam connections, the authors of the Rustock botnet have bought themselves a healthy advantage against these outbound filtering systems, which now can no longer inspect the content because it is encrypted.

What percentage of spam is TLS-encrypted?

So now let me share some data to illustrate just how large a problem this has become. If we look at a slice of the traffic emanating from one of the world’s largest carriers, we see that there is now more TLS-encrypted SMTP traffic than non-encrypted, as shown in the following chart of last week’s data:

Chart of encrypted vs. non-encrypted SMTP sessions emanating from a major carrier’s subscriber network during the week of March 22, 2010 (volume units unspecified)

Who gets the most TLS-encrypted spam?

Taking a look at the most-spammed Class-C subnets in the last few minutes reveals a few familiar victims and some “noise” ones like Fidelity Financial:

  1. Google Postini
  2. Google Postini
  3. Google Postini
  4. Trend Micro
  5. Google Postini
  6. Google Postini
  7. InfoCrossing (WiPro)
  8. Fidelity National Financial
  9. InfoCrossing (WiPro)
  10. Google Postini

The Google result is not surprising because Google’s services host email for literally millions of businesses. InfoCrossing is an India-based IT services company that hosts email for business customers around the world. And Trend Micro offers a variety of hosted email security services. Fidelity is likely just a random anomaly (i.e. the spammers chose to target it during this particular chunk of time).

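The two views above (the TLS share of outbound port-25 sessions and the most-targeted destination /24 subnets) can be reproduced from an outbound SMTP session log, plus a per-source check that flags hosts whose port-25 traffic is almost entirely TLS. This is an added example, not code from MailChannels or Traffic Control; the record format and the sample lines are constructed for it.

```python
"""Summarise outbound SMTP session records: STARTTLS share on port 25,
most-contacted destination /24s, and sources that are almost all-TLS.
Added example; the record format and sample data are constructed."""
from collections import Counter
import ipaddress

# Constructed sample: src_ip dst_ip dst_port starttls=<yes|no>, one session per line
SAMPLE_LOG = """\
10.1.2.3 192.0.2.10 25 starttls=yes
10.1.2.3 192.0.2.11 25 starttls=yes
10.1.2.3 192.0.2.12 25 starttls=yes
10.1.7.9 198.51.100.5 25 starttls=no
10.1.7.9 203.0.113.20 587 starttls=yes
10.1.4.4 192.0.2.200 25 starttls=yes
10.1.4.4 198.51.100.77 25 starttls=no
"""

def parse_sessions(text):
    """Turn the constructed log format into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, flag = line.split()
        sessions.append({"src": src, "dst": dst, "port": int(port),
                         "tls": flag == "starttls=yes"})
    return sessions

def tls_share(sessions, port=25):
    """Fraction of sessions on `port` that negotiated STARTTLS (0.0 if none)."""
    on_port = [s for s in sessions if s["port"] == port]
    if not on_port:
        return 0.0
    return sum(s["tls"] for s in on_port) / len(on_port)

def top_dest_subnets(sessions, n=3, tls_only=True):
    """Most-contacted destination /24s, like the post's Class-C ranking."""
    counts = Counter()
    for s in sessions:
        if tls_only and not s["tls"]:
            continue
        net = ipaddress.ip_network(f"{s['dst']}/24", strict=False)
        counts[str(net)] += 1
    return counts.most_common(n)

def high_tls_sources(sessions, min_sessions=3, ratio=0.9):
    """Sources whose port-25 sessions are (almost) all TLS: a lead worth a
    closer look on a network that normally sees mostly plaintext port 25."""
    per_src = {}
    for s in sessions:
        if s["port"] != 25:
            continue
        total, tls = per_src.get(s["src"], (0, 0))
        per_src[s["src"]] = (total + 1, tls + int(s["tls"]))
    return sorted(src for src, (total, tls) in per_src.items()
                  if total >= min_sessions and tls / total >= ratio)
```

A high all-TLS ratio alone is not proof of a bot; pair it with session volume and recipient spread before acting on it.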
In my next post, I will dive a little deeper into the problems caused by TLS-encrypted spam. Following that, I will discuss potential next steps for the email security industry to help deal with this issue.

Read “All about TLS-encrypted spam: Part II” here