BGP Security and SPAM

Spam might seem like an annoyance in the US and other areas where bandwidth is paid for by the access rate—and what does spam have to do with BGP security? In many areas of the world, however, spam makes email practically unusable. When you’re paying for Internet access by the byte transmitted or received, spam costs real money. The normal process for combating spam involves a multi-step process, one step of which is to assess the IP address of the mail server’s previous activity for a history of originating spam. In order to avoid classifiers that rely on the source IP address, spammers have turned to hijacking IP address space for short periods of time. Since this address space is normally used for something other than email (or it’s not used at all), there is no history on which a spam detection system can rely.

The evidence for spam related hijacking, however, is largely anecdotal, primarily based in word of mouth and the rare widely reported incidents. How common are these hijacks, really? What sort of address space is really used? To answer this question, a group of researchers from Symantec and the Qatar Computing Research Center undertook a project in this area, correlating BGP route hijacks with large scale SPAM operations. The researchers first tapped into another system that tracks the relationship between mass spam mailings and events in the Default Free Zone (DFZ—the global Internet core, in essence). Rather than detecting when a route is injected, it watches for a mass mailing, notes the source address, and then records if and when the route to the source address is withdrawn (so it is removed from the DFZ). This system finds a good bit of address space which is advertised only for sending spam in mass mailings. Next, the researchers set about finding out who owns the address space used for these mass mailings. What they discovered was surprising in some ways, and unsurprising in others.

First, in an 18 month period, they discovered 64 address blocks were hijacked to send mass spam mailings. This number might seem low, but examining the origin AS of each of these 64 address blocks uncovered an additional 2,591 address blocks that were also used for mass spam mailings, but were not detected through the original process. Remember this is just the lower/lowest number of such hijacks; the researchers intentionally used very narrow filters to reduce their intake of address blocks to investigate. This project ultimately investigate 2,655 hijacks related to spam events across 18 months, representing somewhere around 5 hijacks per day.

Second, in 92% of the hijacks, the address space was not being advertised by the actual owner at the time of it’s use by the spam operator. In these cases, the hijacker forged the first hop AS number, using a number different from the owning organization. In the remaining 8% of hijacks, the attacker used the correct origin AS, but advertised the correct origin AS as being connected to an incorrect upsteam provider.

It appears, from this research, that hijacked address space is a major origin of mass spam mailings. What can we, the folks who interact with, work on, or work around the Internet do to reduce the level of spam? One good place to start is to stop the hijacking of IP address space used to originate large scale spam operations. This means implementing one of the various mechanisms that would detect and allow operators to ignore or drop hijacked address space.