WHITE PAPER. How Spamhaus Cost-Effectively Eliminates Spam, Malware and Botnet Threats SPON. Published January 2015 SPONSORED BY

Transcription

1 WHITE PAPER Eliminates Spam, Malware and Botnet Threats An Osterman Research White Paper Published January 2015 SPONSORED BY SPON sponsored by sponsored by Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington USA Tel: Fax: twitter.com/mosterman

2 EXECUTIVE SUMMARY is an excellent and ubiquitous point of entry for cybercriminals high value fraudulent activity. Consequently, it is important to note at the outset that while we discuss the problem of spam throughout this white paper, what we are fundamentally discussing is abusive namely, that constant stream of messages that contain not only fairly innocuous offers for things like a share of the fortunes held by Zambian princes widows, to truly malicious content that includes banking Trojans and phishing attempts intended to steal corporate information or drain financial accounts. Approximately nine out of ten s that traverse the Internet today is a spam message. The problem of spam continues to vex service providers, Internet service providers, telcos, Web hosting companies, network operators and others charged with managing services. The problems caused by spam include not only the individual annoyance of having to filter through inboxes and spam quarantines, but the much more serious problems of spam used for malware infiltration, as well as slower message delivery and increased storage requirements. One of the most serious problems caused by spam is the higher costs it imposes on everyone in the delivery chain: loss of employee productivity; additional investments required in spam-filtering hardware, software or services; crashed servers that take more IT time to address; additional investments in IT staff to resolve spam-related problems; and a host of other problems. For example, the cost of a single data breach caused by malware that comes into a network through spam can reach well into the millions of dollars. Worse, despite the tens of billions of dollars that have been spent on combatting the spam problem over the past 20 years, only one in five IT decision makers believe the spam problem is actually improving, as shown in Figure 1. Figure 1 IT Perceptions About the Spam Problem Survey of IT Decision Makers in Mid-Sized and Large Organizations Source: Osterman Research, Inc Osterman Research, Inc. 1

3 KEY TAKEAWAYS service providers, Internet service providers, network operators, telcos and others that manage large volume incoming streams need to do several things: Dramatically reduce the amount of unwanted content entering their network, including spam, phishing attempts, s with dangerous attachments, and the like. Protect users from harmful Web sites that could infect their computer or corporate systems from malware. Stop botnet traffic from entering the corporate network and from exfiltrating data by identifying IP addresses that host servers operated by cybercriminals for the purpose of controlling bots. Identify the servers and workstations on the corporate network that have somehow been compromised. Prevent the infrastructure from being hacked by cybercriminals. Minimize the risk that an organization s domain can get blacklisted. What service providers, Internet service providers, telcos and others need, therefore, is a) a cost-effective, robust and easy-to-use approach to solving spam and related types of problems; and b) to maintain current, real-time defenses to combat the newest threats from spammers and cybercriminals. The best practice for accomplishing these goals is to employ a multi-stage filtering system that will eliminate the vast majority of spam in an initial filtering stage, followed by one or more in-depth filtering stages that will examine messages for malicious links and other content. In other words, best practice is to eliminate the vast majority of the noise so that finer-grained tools can be brought to bear to pick out the malicious content that would otherwise be lost in the background clutter. ABOUT THIS WHITE PAPER This white paper, sponsored by Spamhaus and MX Tools, discusses the various techniques that can be used to thwart spam and other threats, and it discusses Spamhaus offerings in use by thousands of organizations worldwide that are designed to block the vast majority of spam before it can enter and impact a corporate network. This goal significantly reducing the cost of spam to organizations of all sizes is the focus of this white paper. SPAM REMAINS A SERIOUS ISSUE It goes almost without saying that the spam problem remains a fustrating and difficult issue. Depending upon the time of day, the day of the week and time of year, spam represents roughly 90% of all that traverses the Internet, as shown in Figure 2. It is also important to note that botnet traffic generally decreased during 2010, but then increased significantly starting again in Spring 2013 to the present Osterman Research, Inc. 2

4 Figure 2 Proportion of Spam, Q1/2012 through Q2/2014 Source: M 3 AAWG, "M 3 AAWG Metrics Program: The Network Operators Perspective, THE PAIN OF SPAM Spam carries with it a wide variety of problems, including its impact on individual users, companies, network operators, Internet service providers, cloud messaging providers, companies that are purportedly sending phishing attempts and others. Among the problems that spam causes are: Malware infiltration Spam can be an effective method for delivering malware into an organization through the use of so-called blended threats that attempt to phish for victims using spammy content. Spam that contains either malicious payloads or links to malicious sites is commonly used by cybercriminals to infiltrate user accounts with malware, such as a banking Trojan or some other high value malware that can be used to drain financial accounts or steal sensitive information. A malware infiltration can also be used to generate outbound spam from individual user accounts, which in turn leads to user accounts getting shut down by service providers and/or users panicking because they themselves have become unwitting spammers. In either case, users bombard help desks after these infiltrations, driving up costs for service providers. Increased storage requirements that is suspected to be spam is captured and placed into quarantines that users can generally inspect in order to check for false positives legitimate that has mistakenly been identified as spam. If we assume that the average service provider customer receives 75 spam messages per day, that each spam message is 50 kilobytes in size, and spam is retained in the quarantine for just one week, the quarantine of a 100,000-account service provider will contain 2.4 terabytes of content per user at any given time. Bandwidth constraints Transmitting spam across a corporate network consumes network bandwidth, resulting in slower delivery, slower access to Web sites, the need to add Osterman Research, Inc. 3

5 bandwidth as spam volumes increase, and so forth. Further, some types of spam messages, such as those messages that contain images, are up to ten times larger than conventional spam, and so place even greater demands on both bandwidth and storage. A key element of the spam-imposed bandwidth problem is driven by botnet traffic. This creates an enormous outbound spam problem for service providers that cannot stop infected PCs from connecting to command and control servers or at least throttle the traffic they are generating. This is becoming a particular serious problem for mobile devices that now have the computing power to become spam-generating bots: AT&T, for example, is now logging approximately 1,000 botnet-compromised phone numbers on a typical day. Severe drains on network and server resources Spammers will often attempt to gather new addresses through directory harvest attacks, in which servers are flooded with a massive number of s in an attempt to determine which addresses are valid. Because the SMTP protocol is designed to return information on which addresses are not valid, those addresses that do not bounce back are assumed to be legitimate, generating new addresses for spam campaigns. These attempts can consume a large proportion of an server s resources and can result in a server crash. Loss of employee productivity Even with good spam-filtering technology in place, some spam still gets through. This means that employees will spend time looking at some spam messages, particularly those with seemingly valid subject lines, and then deleting those messages. This results in loss of employee productivity and, in some cases, employees actually purchasing items they see advertised in these messages. Financial losses Perhaps among the most serious consequences of spam is the fact that some people will be fooled by these messages, such as phishing attempts, and provide spammers with sensitive or confidential information. THE COSTS OF SPAM REMEDIATION The cost of managing spam is roughly proportional to the amount of spam that is received. The more spam that enters an organization, the greater the number of servers, spam filtering servers or appliances, support resources, anti-spam services, network bandwidth and other infrastructure elements that are required, driving up the cost of managing a network and messaging system. The costs associated with spam remediation are focused on four areas: Transactional/processing costs These are the hardware, software, network, system administration and related costs related to dealing with spam that enters or leaves an organization. Productivity costs The lost productivity that arises when users must deal with spam or when servers or individual PCs are shut down because of spam- or malware-related issues. Incidental costs A catchall for things like closing customer accounts because of SMTP Auth abuse, which then results in calls to the help desk. Anecdotally, this can result in a selfinflicted DDoS of the call center as irate customers call in to fix their account. Clean-up costs At their most benign, these are the costs associated with removing malware from a user's computer. At their most frightening, these are the myriad costs associated with a significant data breach and its subsequent public airing Osterman Research, Inc. 4

6 BEST PRACTICES TO ADDRESS THE SPAM PROBLEM Given the current severity of the spam problem and its impact on virtually anyone who sends or receives , there are a variety of best practices that any organization should implement to deal with the problem. BLACKLISTS / BLOCKLISTS Block lists are lists of known or suspected spammers IP addresses or domains whose content can be used to manage incoming . If a suspected spammer s content enters a network or messages are received from a suspect IP address or domain, the content can simply be blocked. Using a Domain Name System Block List (DNSBL), such as those offered by Spamhaus, a company, network operator or other processor can access useful, real time information about incoming . These are passive tools in that they simply provide information about each incoming , allowing the recipient of the to use this information in a manner consistent with its own policies. For example, if an incoming sender s IP address is listed on the DNSBL, it can be rejected outright, accepted or tagged as suspect and then passed along to a secondary filtering system. The advantages of a DNSBL are that it is inexpensive in both outright cost and in CPU cycles, and it provides information to the sender so that legitimate sources listed on the DNSBL can take corrective action for future messages. RBLs ARE THE MOST EFFECTIVE WAY TO STOP THE TRAFFIC Organizations should implement a multi-layered defense that uses RBLs as a first stage filter. This simple and low cost solution blocks significant volumes of spam (85-95%) before it is accepted by mail servers. This approach will dramatically reduce resource requirements, making mail servers more responsive because they are not using CPU cycles to process the large volume of spam that would have been accepted at the gateway. This approach will also reduce latency in overall message delivery. For example, Virus Bulletin s November 2014 comparison anti-spam test report found that the Spamhaus ZEN (SBL, XBL and PBL) spam capture rate was 83.65% and the Spamhaus Domain Block List (DBL) capture rate was 37.64% i, which in combination produce a spam capture rate in excess of 95%. This two-stage approach to filtering traffic is effective because it allows a large volume of incoming mail to be reduced dramatically, while allowing the second stage to do more in-depth analysis of the message content, such as the URLs included in them. Reputation analysis is a technique that examines the reputation of sending sources to determine the likelihood that a message is legitimate. Using real-time or near realtime traffic statistics and data on the amount of spam sent by each IP address, the reputation for a particular IP address can be determined. The theory behind reputation analysis is that if an is received from an IP address that previously has sent large quantities of spam, the new will be more likely than not to be spam. Content received from those IP addresses can then be throttled back to receipt of a small number of messages per hour. This will allow legitimate to be received in the event that the reputation score of the IP address was incorrect, but it will slow spam coming from that IP address to a trickle. The fundamental advantage of reputation analysis is that it can stop a large proportion of from entering a network, relieving spam-filtering systems from the burden of processing most of the spam that they otherwise would be required to manage Osterman Research, Inc. 5

7 WHITELISTS A whitelist is a simple list of addresses of known legitimate senders of . These can be maintained at both the corporate directory level and by individual users, and can speed delivery of by passing through content from those on the whitelist without having to scan the content for its spamminess. HEURISTICS AND RELATED TECHNIQUES Heuristic filtering works by running each message and its various parts through a gauntlet of pre-defined rules and then scoring each message based on its content, the proximity of words to one another and other criteria. Messages that reach a particular threshold score are assumed to be spam and are then placed into quarantine. Messages that score lower than this level are sent through to their intended recipients. A somewhat related technique is Bayesian filtering, in which filters are trained by examining a corpus of legitimate and spam. Based on the characteristics of these two types of , the filter can then determine with a high level of probability the likelihood of future messages being legitimate. HOW SPAMHAUS HELPS TO DEFEAT SPAM THE NEED FOR CONTENT FILTERING Today, use of the classic DNSBL (blocklisted IP addresses) is no longer sufficient to achieve satisfactory results. Because many spammers rotate IPs more quickly than they change domains, checking domains against the DBL at SMTP connect time will improve the spam rejection rate significantly. These checks can be performed on the SMTP MAIL FROM ("envelope sender"), the machine name transmitted in SMTP HELO, and the domain name appearing in the reverse DNS (PTR) record associated with the connecting IP. Unfortunately, not all message transfer agents (MTAs) allow all of these actions to be performed, and so developers should be encouraged to implement all of these checks against domain-based blocklists. Using the classic IP-based checks and these domain-based checks, the majority of spam will be blocked at the SMTP negotiation level before the message is even transmitted by the sending server, saving bandwidth and important I/O resources. However, a small fraction of spam will still get through, normally the part delivered by mail servers of ISPs, or by legitimate servers abused by spammers due to a security problem. In these cases, the IP of the sending server might not be listed to avoid blocking legitimate mail, but a listed IP corresponding to the spammer's injection system may appear within the message headers. Those can be checked too, but headers require the whole message to be examined by the MTAs in order to be seen, and so these checks are usually considered part of content filtering. Finally, the message body should be examined, looking for spam domains and bad IPs in URLs and addresses within the message body. Typically, DNSBL listings are used to compute spam scores together with other criteria, and messages exceeding a certain threshold are labeled as spammy and processed in a different way. NEED FOR BLOCKING AT THE SMTP LEVEL At the same time, organizations should be strongly discouraged from running an antispam system with content filtering alone. Spamhaus' blocklists' primary intent is to block at SMTP connect time. The lists are designed, and their policies written, with this in mind, together with the need to avoid false positives, so the chance of losing legitimate mail by SMTP blocking is very low. By catching spam at such an early stage, bandwidth is left free as the message need not be downloaded, storage space is not consumed by unwanted spam, and processing power in conserved as junk need not be put through content filtering (the only disk I/O activity involved for a blocked message is normally the emission of a few lines of logging) Osterman Research, Inc. 6

8 Moreover, another advantage of blocking at SMTP connect is that mail rejected by a DNSBL during delivery is not silently discarded into the "bit bucket". A DNSBL realtime rejection creates a delivery status notification (DSN) to the sender identifying the cause of the rejection, thereby allowing immediate troubleshooting on the sender's end. (i.e., no "lost messages", typically in some hidden away spam folder). WHAT SPAMHAUS DOES Spamhaus maintains a number of capabilities to protect users and providers from spammers, bots and cybercriminals: Mail filtering feeds (ZEN, DBL) Eliminates 90-95% of spam and malicious before it can enter the network. DBL Remove malicious and/or spammy posts within a blog s comments section. Outbound mail filtering (ZEN, DBL) Blocks/throttles outbound spam in order to help organizations and users maintain a clean reputation. Security feeds (BCL, exbl) Identifies compromised users/machines within a network. DNS RPZ Protects users from harmful sites. BGP datafeeds (BCL, DROP/eDROP) Blocks botnet traffic from entering and exiting a network. AuthBL Protects mailservers or IMAP servers from being hacked. THE TWO-STAGE PROCESS EMPLOYED BY SPAMHAUS Spamhaus uses a two-stage approach to eliminate the vast majority of spam: Stage 1 (Spamhaus ZEN Blocklist) The first stage is to install the Spamhaus ZEN blocklist on incoming mail relay(s), a combination of Spamhaus' SBL, XBL and PBL blocklists. Stage 1 deals with the SMTP-level connection and is used to block on IP. DBL is used to block on the sender s domain (MAIL FROM), and on the connecting service according to HELO according to rdns. This stage will identify and reject the vast majority of a normal mail relay's incoming mail traffic. Stage 1 effectively rejects 80-85% of junk (83.65% in November 2014, as noted above), keeping this traffic off the network and freeing internal resources from having to process this content. An important benefit of ZEN is that it generates a very low false positive rate. If, however, a false positive is generated, the sender s own server will provide notification of the rejection and provide information about resolving the false positive. Stage 2 (Spamhaus DBL) More than 60% of spam messages contain the URLs of malicious Web sites whose Web server IP addresses are listed on the Spamhaus SBL. Stage 2 checks contents (both headers and body) against SBL, XBL and DBL; looking for IP addresses and domains in header received lines and in the body of messages as URLs. Stage 2 is often used with other elements to assign a spam score to each message. Testing of the dual-stage Spamhaus approach has shown that 99.6% of spam can be stopped with virtually no false positives. For example, the Virus Bulletin Osterman Research, Inc. 7

9 results from November 2014 found that Spamhaus ZEN had a false positive rate of 0.05% (one false positive per 2,000 messages), while the Spamhaus DBL generated no false positives ii. HOW EFFECTIVE IS SPAMHAUS? Spamhaus lists the IP addresses of spammers' Web servers and DNS servers, in addition to spam sources in the SBL for this purpose. Spammers may find fresh sources not yet on Spamhaus DNSBLs, but in most cases they need to advertise a Web site hosted somewhere. Remaining spam, which should now be reduced to less than 7% of an organization s total incoming traffic, is managed easily by a spam filter s other components, such as the Spamhaus DBL, with the result that the vast majority of spam can be eliminated with great accuracy and with virtually no false positives. It is important to note that the use of multiple solutions represents a best practice approach to dealing with spam, since not all malicious content can be captured by a single solution. For example, the Intra2net Blacklist Monitor for the week ending January 11, 2015 iii found that Spamhaus ZEN had an accuracy rate of 75.61% with an inaccuracy rate of 0%. This monitor also found that the Spamhaus PBL had an accuracy/inaccuracy rate of 34.52%/0%, Spamhaus XBL was 59.38%/0%, Spamhaus DBL was 63.04%/0.16%, and Spamhaus SBL was 13.09%/0.17%. A multi-stage filtering approach using several of these tools will result in an extremely high and very accurate spam capture rate. SPAMHAUS IS REASONABLY PRICED Spamhaus protects just under 2.2 billion user mailboxes worldwide, making it the largest single provider of spam-source data. Subscribers to the Spamhaus Datafeed Service receive a continuous feed from the three block lists. When an SMTP connection is made to one of its customers servers, these block lists are checked before the is accepted. If the sender is on the list, the SMTP connection is simply not accepted, allowing customers to block spammers before their content can enter the network. As shown in Figure 3, Spamhaus is quite reasonably priced Osterman Research, Inc. 8

10 Figure 3 Spamhaus (PBL/SBL/XBL/DBL) Annual Pricing 20,000 to 200,000 Users/Accounts Source: Spamhaus WHAT IS THE ROI? Given the very low prices 1 for Spamhaus and the significant benefits it offers, the return on investment for Spamhaus is extraordinarily high, as noted in the following examples. SOME REAL-WORLD EXAMPLES What follows are examples of how Spamhaus has provided significant financial benefits for various types of organizations: Large ISP o Tier 1 ISP that manages 70 million domains o Spamhaus stops more than 80% of spam in Phase 1 o Saves the ISP more than $500,000 annually by reducing the number of filtering servers and other IT required o ROI in excess of 7,800% Small ISP o Processes five million s per week, Spamhaus blocks 45 million spam s per week o Using Spamhaus, the number of servers, storage and IT administration resources needed to manage cut in half o COST SAVINGS Eliminate two servers at $6,000 each: $12,000 Reduced 550Gb of storage: $1,000 Reduced IT admin time (0.1 FTE): $4,000 TOTAL COST SAVINGS: $17,000 SPAMHAUS COST: $3,200 ROI: 531% 1 Non-profit organizations and educational institutions receive a 50% discount. The price for ISPs is capped at $25,000 for free Webmail/POP/IMAP consumer mailboxes Osterman Research, Inc. 9

11 SUMMARY service providers, Internet service providers, telcos, network operators and other high volume providers should implement a multi-layered defense that uses RBLs as a first stage filter. This is a simple and low cost solution that will block that vast majority of spam before it is accepted by mail servers. This will dramatically reduce overall resource requirements, making mail servers more responsive because they are not consuming CPU cycles to process the large volume of spam that would otherwise have been accepted at the gateway. This approach will enable CPU cycles to be devoted to more in-depth filtering and will also reduce latency in overall message delivery. ABOUT SPAMHAUS Spamhaus is an international organization whose mission is to track the Internet's Spam Gangs, to provide dependable real-time anti-spam protection for Internet networks, to work with law enforcement agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation. Founded in 1998, Spamhaus is headquartered in London, England and is run by a dedicated team of 25+ investigators and forensics specialists located in various countries. APPENDIX The following pages contain datasheets for the following Spamhaus offerings Osterman Research, Inc. 10

12 2015 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL. REFERENCES i ii iii Osterman Research, Inc. 11

13 DELIVER NO SPAM Spamhaus is a global Spam monitoring and Spam blocking service that blocks messages from know Spam sources. Spamhaus maintains comprehensive lists of known or suspected spammers. o o o o SBL (Spamhaus Block List) - Contains IP addresses that are controlled by known spammers. XBL (Exploits Block List) - Contains IP addresses of virus-compromised computers that are sending Spam PBL (Policy Block List) - Contains IP addresses that should not be delivering unauthenticated SMTP DBL (Domain Block List) - Contains list of domains used in spam which link to fraud, phishing and malware sites As a subscriber to the Spamhaus Datafeed Service, you get a continuous feed from your selected Spamhaus lists. When an SMTP connection is made to one of your servers, the IP blocklists are checked. If the sender is on the list, the SMTP connection is not accepted. This allows you to block and prevent Spam from entering your network. Also, if you choose to incorporate the DBL list, this datafeed will verify domains which are included in the message body and message header of s. This combination is highly effective, blocking more than 90% of all Spam- with near 0.0% false positives. < 100,000 queries/dayno charge Online Query Service Testimonial SMB/Non Comercial Spamhaus Global mirrored sites >100,000 + queries/day- Requires fee for service Spamhaus Data Feed Service ISPs/Enterprise/ government/education BEST PRACTICES Define the use of reputation services (aka blacklists) as a first stage to improving the effectiveness and performance of your infrastructure. By deploying a spamfilter organizations prevent over 90% of Spam from entering their network, blocking this unwanted traffic at SMTP connect time. This provides dramatic improvements by reducing traffic loads, reducing required server / infrastructure / administration costs, and improving the performance of your critical system. Spamhaus Userbase* As of October 2013 the Spamhaus Blocklists are protecting 1,986,608,000 user mailboxes * ww.spamhaus.org/organization/index.lasso Spamhaus is widely regarded as best in class, used by 1,000 s of organizations worldwide SPAMHAUS PLATINUM PARTNER

14 Benefits of Spamhaus o Over 90% of all Spam is rejected before entering your network. o By refusing messages from senders whose IP address are on a Block List, your systems will not process these messages and therefore will not be liable for delivery or forwarding of Spam. o You will free up highly valuable infrastructure bandwidth and resources. o Protect the reputation of your organization by eliminating Spam being forwarded through accounts hosted by you. o Dramatically improve delivery times. o No fears of false positives (FP rate 0.0%). o Successfully deployed by thousands of organizations and Tier 1 ISPs worldwide. o Lower your operational costs and improve your mail systems preformance. Spamhaus is Used and Trusted by... About Spamhaus Spamhaus is an international non-profit organization whose mission is to track the Internet's Spam Gangs, to provide dependable real-time anti-spam protection for Internet networks, work with law enforcement agencies to identify and pursue spammers worldwide. For more information, visit About MXTools MXTools is a Spamhaus Platinum Partner. Providing sales and technical support for the Spamhaus Datafeed Services and other messaging anti-abuse tools. MXTOOLS 30 Taschereau Blvd. Suite 203 La Prairie, QC J5R 5H7 Canada [email protected] SPAMHAUS PLATINUM PARTNER

15 Spamhaus Domain Block List The Spamhaus DBL data is a very effective addition to IP reputation usage. Domain reputation is mostly used in content filtering, but can also be used in the SMTP transaction phase. It is a powerful tool to identify malicious and /or Spammy s from otherwise reputable IP sources. List of Malicious domains found in Spam messages Remote usage (via DNS) or local usage (Rsync) Built with Spam trap, honeypot and ISP production feedback data 60 second publishing interval Extremely high accuracy rates with near 0.0% false positives Used by thousands of ISPs and Corporations worldwide Includes domains/ hostnames which are used in spam including phishing, fraud/"419" or domains sending or hosting malware/ viruses The Spamhaus Domain Block List (DBL) provides reliable and up-to-date domain (URI) reputation data. The DBL can be used to check the reputation of all domains involved in headers and bodies. This enables doing pre- and post-accepts filtering. Experience, care and processes mean that capture rates are consistently high with low false positives. Usage Scenarios The DBL is typically used during SMTP transactions and/ or during content filtering after accepting the transaction. In both cases a positive hit can trigger rejection, rate-limiting, spam folder placement or scoring, depending on local policies. For an even more fine-grained control, an extended dataset is available that goes beyond a binary good/bad to a scored reputation per domain, showing badness and confidence levels (edbl). MXTOOLS 30 Taschereau Blvd. Suite 203 La Prairie, QC J5R 5H7 Canada [email protected] SPAMHAUS PLATINUM PARTNER

16 Spamhaus Botnet Controller List Prevent users from getting infected and block traffic of known botnets with the Spamhaus Botnet Controller List (BCL) Other types of messaging abuse vectors have become increasingly available to bad actors. More importantly, other Internet based technologies have become an intrinsic part of Spam operations. Malware-infected servers, botnet command and control (C&C) nodes and members (bots) send an astonishing amount of spam and malware. To cope with these new Spam vectors, Spamhaus is proud to offer the Spamhaus Botnet Controller List (BCL). This list contains IP addresses which Spamhaus has identified as hosting servers operated by cybercriminals and used to control malware-infected computers. The Spamhaus BCL is available exclusively through Spamhaus authorized vendors. It is intended to block C&C nodes from contacting bots on their networks and thereby protecting both their customers and the Internet from botnet traffic. Spamhaus Quick Facts 1.9 Billion Mailboxes Served More than 90% Pre-Data Capture Rate Serving 500M DNS Queries Per Second Near 0.0% False Positives 10 years of constant uptime In the first year of operating the Spamhaus Botnet Controller List, we identified more than 5,700 botnet controllers that met the listing criteria. We now see many organizations using this data to protect their users and block traffic from/ to servers which are operated by cybercriminals and used to control infected computers. -Thomas Morrison (Spamhaus) PREVENT cyber criminals from stealing sensitive data MITIGATE cyber threats and block malicious traffic IDENTIFY and clean infected computers within your network MXTOOLS 30 Taschereau Blvd. Suite 203 La Prairie, QC J5R 5H7 Canada SPAMHAUS PLATINUM PARTNER