1. What is meant by infrastructure security and spam?
Infrastructure security measures are those procedures, methods and tools internet service providers (ISPs) and e-mail service providers (ESPs) employ to protect the integrity of their system against outside threats. ISPs/ESPs must secure their infrastructure, not only because this is often a mandatory requirement, but also because providing infrastructure is their core business. Spam is the internet term for unsolicited (usually junk) e-mail promotions, advertisements or scams. Spam distribution lists are created through searches of discussion boards and groups, chat rooms, internet relay chat channels, web pages, bots, etc.
According to ENISA’s survey, spam is the second greatest threat to security infrastructure topped only by virus attacks which are the biggest problem facing providers. Other threats to security (in order of priority risk following virus attacks and spam) include:
- Distributed Denial of Service where a hacker floods an organisation’s online business with false or fraudulent traffic with the intent to “bring down” the portal;
- Worm programmes which reproduce by replicating themselves across computer systems;
- Social engineering/spying;
- Domain Name System (DNS) attacks;
- Act of nature (e.g., fire); and
- Hijack of Border Gateway Protocol, the predominant inter-domain routing protocol used in internet protocol networks.
2. Why did ENISA conduct this survey?
E-commerce and use of the internet more generally is vital to European economic growth and global competitiveness. While still low, according to Eurostat, the number of Europeans using the internet to purchase goods and service has grown to 30% in 2007 and is continually on the rise. User confidence in, and uptake of, e-commerce relies heavily on actions internet and e-mail service providers take in response to security threats and unwelcome marketing approaches.
It is important to note that because only 6% of all e-mail traffic reaches user mailboxes (i.e., increasingly less spam reaches its final destination), the media and public perceive spam to be under control. The reality is, however, that spam is growing in quantity, size and bandwidth and remains a huge, costly problem for providers. Spammers are constantly finding new and unique ways to get around spam filters though image spam and the use of non-English languages for example. Europe has been identified as the worst spamming continent with 35% of all spam originating within its borders.
ENISA’s 2007 work programme calls for an annual report on e-communication security measures, detailing those implemented, security trends and advice. This survey is the second of its kind and aims to offer concise and up-to-date information to the network information security (NIS) community. With this annual survey, ENISA hopes to contribute to an understanding of the challenges that providers face along with a catalogue of solutions they apply – and which others may want to adopt. The overall objective is to promote good practice and build trust in e-communication channels.
3. Who participated in the survey?
Thirty service providers responded to the detailed survey, most of which were ISPs. ESPs also participated. Of the total respondents, 43% represented telecommunication operators. There were 25 responses from 16 EU Member States, three from Norway and one each from Iceland and the US.
4. What does the study cover?
The study examines the technical and organisational aspects of security and anti-spam measures and provides:
- Overview of the questionnaire responses;
- Analysis of the trends year-on-year;
- Recent developments in this field and a list of sources;
- Comments on the trends and developments;
- Advice on possible actions, discussions and solutions for ISPs and ESPs; and
- Overview of future ENISA action.
5. What were the key findings relating to security infrastructure?
Looking at organisational and technical aspects, the study covers those measures providers have taken to protect their services and keep customers informed of developments. On par with previous findings, almost every provider offers contact details for e-mail abuse and publishes information online. An extremely promising trend is the number of those offering training and awareness campaigns which has increased from a low of about 15% to over 40%. Awareness helps to prevent system compromise and is more cost-efficient then “after the fact” actions. Also positive is the amount of providers who provide written guidance for subscribers which almost doubled to more than 60%, while whose those who offer clear contact details for security violations rose to more than 80%. ENISA noted there is a growing tendency for smaller providers to follow guidance set out in national legislation (up from 38% to 65%) paralleled by a decrease in those following international standards (down from 46% to 35%). Usually larger providers favour international standards but there is a time, financial and resource cost associated with doing so. ISPs might be waiting for feedback on newer international standards before applying them.
Another welcome development is the increase in providers which inform subscribers of a security breach risk (doubling to almost 70%) while virtually all are given information on possible remedies they can take and more than 50% are advised of the risk of not implementing countermeasures. There has also been a positive trend in the number of providers with a policy to stop servicing non-compliant customers (from just under 10% to almost 40%) which is a starting point in the battle against botnets (see ENISA Position Paper: Botnets – The Silent Threat) and to improve the overall security of the internet. Although there is a move toward developing risk management processes (56% as compared to 23% in 2006), including disaster recovery and business continuity plans, one in ten providers still have no provisions in place. ENISA strongly encourages great investment in risk management and the testing of business continuity plans.
The technical aspects of security measures are equally promising:
- All providers apply basic ingress filters to incoming traffic – up from 85% last year - while 88% apply content filters almost doubling from 2006;
- 92% employ basic egress filters to outgoing traffic, up from 46%, with more than 70% using content filters. The use of egress filters demonstrates that providers are willing to invest in the interest of the internet community as a whole.
- The movement from the reactive tracking of customer complaints towards the proactive monitoring of traffic peaks and anomalies is a more effective means of identify security or spam problems at an earlier stage.
6. What were the key findings relating to anti-spam measures?
Spam is a pervasive problem and as such 90% of all providers offer spam-filtering methods to subscribers free-of-charge. However due to the complexity of tackling spam, which is an international problem compounded by different time zones, language and laws, providers tend to spend more time filtering spam than analysing its origin or trying to eliminate it. Although a majority (over 85%) of providers say they process spam abuse reports, the management of spam could be improved. Only a quarter process these reports automatically due to a lack of available tools for abuse report management. Some form of manual processing will always be needed, however, as analysis is required to decide what action should be taken. Providers are often caught between their obligations and the need to keep customers happy. Providing the latter a choice as to whether and how aggressively they want to be protected from spam appears to be a good solution. ENISA strongly supports the work of intermediaries, such as SpotSpam which facilitates legal action against spammers at the international level.
On a more technical note, while several sender authentication mechanisms are employed, the survey found that a majority (81%) of providers favour SMTP AUTH compared to just 62% one year ago. A variety of spam-filtering tools are employed but a majority of providers use a combination of at least five measures including blacklisting, content filters, greylisting and sender authentication. To prevent outgoing spam, almost half the providers limit the volume of outbound mail and block access to Port 25, the channel used for communication between an e-mail client and an e-mail server through which all e-mail sent via the Internet is routed. Over 60% scan for viruses. Overall ENISA believes these numbers should be higher. While there are cost implications of protecting other networks from outgoing spam, providers should recognise the benefits of developing a reputation as a “clean provider”. This would help prevent their email from being filtered by others and avoid the risk of legitimate mail being blocked.
7. What will ENISA’s role be? What are the next steps?
ENISA is proposing to examine DNSSEC as a means to improve the security of the existing DNS protocol – a critical function for the majority of internet activity. The survey found that DNSSEC is not widely deployed in Europe. ENISA also intends to follow the developments of interventions such as Spotspam and Signal Spam, a French initiative.
As part of its 2008 work programme and building on the result of this survey, ENISA will conduct a study on how providers create, improve and maintain the resilience of their infrastructures.
8. What can internet and e-mail service providers do to improve the situation?
ENISA’s top tips for providers include:
- Joining an ISP/ESP association to share good practice;
- Quarantining computers in the network unless they are well protected (e.g., operating system patches and anti-virus signatures);
- Investing in risk management;
- Monitoring traffic peaks and implement traffic anomaly detection to enhance network security;
- Reporting spam abuse to National Regulatory Authorities (NRAs) or to a trusted third party (e.g., Spotspam);
- Providing feedback loops and increasing the quality of bulk mailings (targeted at larger providers); and
- Implementing anti-spam measures outlined in this report, particularly blocking Port 25 to limit spam originating in Europe.
9. What can other organisations do?
The EU should mandate the reporting of security and privacy breaches while national governments and regulatory authorities should encourage or require the reporting of spam waves. Standardization bodies should make standards easier to implement and test and develop a standard for the handling of automated abuse reports. ICANN, which manages DNS, should reexamine domain tasting as this technique is often used by spammers. Domain tasting enables a domain name registrant to use the five-day “grace period" to test the marketability of the domain.
10. Where can I find more information about spam?
Details on previous results and ENISA’s work in this area can be found at ENISA Anti-Spam section.