Each day millions of unique, anonymous, untrusted SMTP mail systems connect or attempt to connect to large Internet Service Providers (ISPs) to transmit email. In general, the ISPs accept the connections and deliver the email, even though a large proportion of such email is spam and/or contains viruses. Some ISPs receive 90% spam. Large ISPs may receive 500 million spam messages each day, transmitted from tens of millions of unique IP addresses, many of which have never before connected to the ISP. The mail systems misrepresent themselves during session establishment and a growing number of them provide untruthful responses to ISP queries.
Because the sender's identity and the trustworthiness of its system are uncertain, because the sender has no reputation, because of the volume and breadth of the attacks, and because it is ever more difficult to ascertain whether a message is spam, ISPs have had a hard time improving the effectiveness of their current spam blocking and filtering processes. As a consequence, spam is increasingly being delivered to the ISP members' mailboxes and has significantly and adversely affected their experience with using email. In addition, from an ISP's perspective, it has greatly affected the cost of providing service.
Spammers need targets for their spam, resources to deliver it, and a consumer market that would consider purchasing their products. This new process for preventing or mitigating attacks focuses on the spammers' need for “resources to deliver spam”. Because of the current blocking and filtering efforts, spammers now require a considerable amount of resources to deliver their spam. As a result, spammers have compromised vast numbers of PCs to use as their resources to deliver spam. So the goal is to control the amount of traffic that comes from these millions of compromised PCs, many of which have never connected to the ISP, do not have a reputation for sending spam, misrepresent themselves, cannot be trusted, and send spam that is not caught by spam filters.
Currently, ISPs use an integrated blocking and filtering process to prevent or mitigate spam attacks. First, ISPs either obtain spam filtering rules from a vendor or develop their own by analyzing spam messages. Second, ISPs either obtain a spam IP blacklist from a vendor or compile their own by analyzing the filter's verdict results, arriving at a reputation for each mail system and determining whether it should be added to their block list.
More specifically, the operation of the blocking and filtering process is as follows: When an originating mail system attempts to transmit email to a destination mail system, the originating IP address is checked against a blacklist. If the originating IP address is on the blacklist, the connection and associated messages are rejected. An error is returned on rejected connections and, in many cases, a non-delivery notice is sent back to the originator of a rejected message. If the connection is accepted, each message is passed to a filtering process to determine if it is spam. If the message is determined to be spam, then the message is either quarantined or deleted. If the message is not determined to be spam, the message is sent to the recipient's Inbox.
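The blocking and filtering process just described, as an added example that is not part of the original text: a small model of the ISP gateway that checks the originating IP against a blocklist at connection time, passes accepted messages to a content filter, and compiles its own blocklist from the filter's verdicts. The content rules, thresholds and IP addresses are constructed for illustration.

```python
# Added example (not from the original text): a minimal model of the
# prior-art ISP gateway. Rules, thresholds and IP addresses are constructed.
from collections import defaultdict

SPAM_RULES = ("cheap meds", "act now")   # constructed vendor-style content rules
BLOCK_THRESHOLD = 0.8                    # share of spam verdicts that earns a block
MIN_MESSAGES = 3                         # verdicts needed before reputation counts


class Gateway:
    def __init__(self, blocklist=()):
        self.blocklist = set(blocklist)                 # vendor list, extended by own verdicts
        self.reputation = defaultdict(lambda: [0, 0])   # ip -> [spam_verdicts, messages]

    @staticmethod
    def is_spam(body):
        # Content filter: any rule hit marks the message as spam.
        text = body.lower()
        return any(rule in text for rule in SPAM_RULES)

    def receive(self, ip, body):
        """Return the outcome for one message from the originating IP."""
        # Step 1: check the originating IP against the blocklist at connect time.
        if ip in self.blocklist:
            return "rejected"            # 5xx error returned; originator gets an NDN
        # Step 2: connection accepted; pass the message to the filter.
        spam = self.is_spam(body)
        counts = self.reputation[ip]
        counts[1] += 1
        counts[0] += int(spam)
        # Step 3: compile the ISP's own blocklist from the verdict results.
        if counts[1] >= MIN_MESSAGES and counts[0] / counts[1] >= BLOCK_THRESHOLD:
            self.blocklist.add(ip)
        return "quarantined" if spam else "delivered"


def run_sample():
    """Constructed traffic: one listed host, one spamming host, one clean host, one new host."""
    gw = Gateway(blocklist={"192.0.2.1"})
    stream = [
        ("192.0.2.1", "hello"),                   # already on the vendor blocklist
        ("198.51.100.7", "Cheap meds here"),
        ("198.51.100.7", "ACT NOW for cheap meds"),
        ("198.51.100.7", "act now"),              # third verdict: host earns a block
        ("198.51.100.7", "your invoice"),         # now rejected regardless of content
        ("203.0.113.9", "meeting at 10"),
        ("203.0.113.50", "ch3ap m3ds"),           # new IP, rule evaded: gets through
    ]
    return [gw.receive(ip, body) for ip, body in stream]
```

The last message shows why the text calls the process reactive: a never-seen IP with altered content has no reputation and matches no rule, so it reaches the Inbox until the rules or blocklist are updated afterwards.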
A problem with such prior art solutions is that spammers can easily send spam that gets past the blacklists and filters. They send spam from a vast number of different IP addresses that have no reputation, or at least no bad reputation. They modify their spam messages as often as they need in order to get a sufficient amount of spam through the filters. They test their spam messages prior to initiating an attack to ensure that enough of it will get through. As a result, ISPs are constantly updating their blacklists and their filtering rules after the fact, in the hope that this may mitigate the next attack.
The effectiveness of the current filtering process is limited because it is very hard to mitigate attacks by simply filtering spam messages after they have already been accepted. Spammers easily change or randomize the content of the spam messages to bypass even the best filters. Additionally, spammers can execute test spam attacks to determine whether the messages for a specific spam attack will get past the filtering defenses. Even if a high percentage of the spam gets filtered out, the spammers will increase their volume until they get a sufficient amount of spam through the filters.
The ISP will then respond by attempting to block more spam, and this escalation can consume more ISP resources. This may lead to the ISP continuing to add ever more resources to handle the increase in connections and message traffic, ultimately running out of resources, with the result that the spam attacks can cause Denial of Service (DoS) conditions.