FTC Launches Attack on Zombie Spammers

The Federal Trade Commission today launched "Operation Spam Zombies," a campaign to encourage Internet service providers (ISPs) to crack down on compromised computers within their networks that are being used to spew spam onto the Internet.

These "zombie" computers -- so-called because they're remotely controlled by malicious parties who plant malware on a machine without its owner's knowledge -- account for as much as 40 percent of the unsolicited e-mail in the world, according to Sophos, a global security firm.

"Without solving the zombie problem, you'll never solve the spam problem," Gregg Mastoras, a senior security analyst in the Lynnfield, Mass., office of Sophos, told TechNewsWorld. "The rate of increase in spam we've seen in the last two years is due primarily to zombies."

Zombie Punchlist

In a letter sent to some 3,000 ISPs today, the FCC, along with 35 government authorities in some 20 nations, is recommending a punchlist of "best practices" that the providers should implement to thwart the zombie menace.

Among the measures recommended by the FTC:

• Blocking, when possible, a common Internet port used for e-mail;
• Applying rate-limiting controls for e-mail relays;
• Identifying computers that are sending atypical amounts of e-mail and take steps to determine if the computer is acting as a spam zombie. When necessary, quarantine the affected computer until the source of the problem is removed;
• Providing plain-language information for customers on how to keep their home computers secure; and
• Providing or pointing their customers to easy-to-use tools to remove zombie code if their computers become infected.

Education Effort

Internet Lab Coordinator for the FTC Don Blumenthal explained to TechNewsWorld, "This is a public education effort, it's not a law-enforcement action."

The effort began two years ago by targeting open relays, then moved on to open proxies and is now trained on zombies.

In addition to its best-practices letter, the FTC is working with ICG, of Princeton, N.J., an Internet traffic monitoring and analysis company. Blumenthal explained that in a couple of months, ICG is going to use its data to identify spam zombies on networks and inform ISPs and enterprises of the culprits.

Chairman and CEO of ICG Michael Allison explained that his company has been collecting spam for years as part of its work with the Anti-Spam Technical Alliance, which includes Yahoo (Nasdaq: YHOO), Microsoft (Nasdaq: MSFT), America Online and Earthlink. "We suggested to [the FTC] that an analysis of our database would allow them to alert ISPs to the size and nature of botnets operating on their backbone," he told TechNewsWorld.

ISP Police

Allison explained that the FTC "is using us as an intermediary to notify the ISPs of the problem in the hope that the ISPs will self-police and take some action."

In the past, he continued, it was thought that operators of zombie networks could not be identified and reached. "That's not quite the case," he said. "Each year, we feel, we get better at identifying people. We're going to pierce that pseudo veil of anonymity and nail them."

The FTC action appears to have taken the ISPs by surprise. "We're not really certain what the goal of the FTC initiative is," David P. McClure, president of the U.S. Internet Industry Association (USIIA), told TechNewsWorld.

Not in My Backyard

He contended that the zombie offensive was aimed at service providers outside the United States. "In other nations, you have situations that are far different from what you have in the United States," he said. "So we don't see it as being aimed at U.S. ISPs."

According to McClure, there are real dangers to monitoring zombie networks. "To begin to control zombie networks, you have to begin monitoring the acts of users," he maintained. "That very definitely is a violation of their privacy."

"The ISPs shouldn't be turned into cops," Wendy Seltzer, a staff attorney with the Electronic Frontier Foundation in San Francisco, told TechNewsWorld. "The government encouraging ISPs to spy on their customers or even gently nudging them in that direction is really not a good idea."

Combating Plague

However, some security professionals welcome the FTC's involvement in the zombie issue. "It's important for a government organization like the FTC setting best practices and policy," Scott Chasin, CTO of e-mail defense solutions provider MX Logic in Denver, Colo., told TechNewsWorld.

"However," he continued, "best practices and policies are only a slice of the solution. Technology and industry cooperation are the other factors here which will help combat the plague."