A spammer’s biggest fear is having their ability to send emails cut off. Inbox providers, inbound and outbound spam filters, ISPs, and blacklist operators constantly strive to reduce the number of spam emails that end up in users’ inboxes. That’s good for users, but bad for spammers whose business model depends on being able to blast as many people with spam as possible.
They need servers and bandwidth — and because it’s in the interest of everyone who isn’t a spammer to deny them those resources, they must constantly replenish their stock of compromised servers, hosting accounts, and, in the last couple of years, smart connected devices.
The Internet of Things is the marketing term for those devices. The number of connected devices has risen by orders of magnitude and will rise even faster in the future. Most aren’t the laptops, tablets, and phones we think of as using the internet: they’re appliances like routers, fridges, cameras, and a million others, each of which is equipped with storage space, an operating system, and a connection to the internet.
All of which would be fine if the Internet of Things were secure, but it isn’t. Most of these devices are woefully insecure, never updated, and use default usernames and passwords or no authentication at all.
Why waste time hacking one Linux server when you can walk through the door of a hundred connected web cameras?
Last year, one of the biggest DNS providers in the world was knocked offline by a huge DDoS attack. The Dyn DDoS attack took advantage of tens of thousands of insecure IoT devices to bombard the company’s servers with more bandwidth than it could cope with. But DDoS attacks aren’t the only risk: spammers can also use hacked smart devices to send their wares into the world.
Those who have a stake in blocking spam don’t care whether you’re spamming on purpose or have been hacked. Your IPs will be blocked regardless, and that will impact your ability to send legitimate emails, which can be crippling for any business that depends on having email delivered.
The obvious mitigation is to avoid putting insecure Internet of Things devices onto your network, but it’s becoming increasingly difficult to maintain such restrictions. When everything from the toaster to the lightbulbs is connected to the web — and becomes more useful because it’s connected — it can be next to impossible to maintain a watertight security policy.
Of course, companies should strive to cleanse their networks of risk, but defense-in-depth is almost always necessary, and that means making sure any spam emails sent from within your network never make it out of your network. Outbound spam filtering can help your company retain its ability to send email even if there are compromised devices on its network.
The DDoS and spam risk from the IoT is likely to get worse before it gets better. Hopefully, the recent massive negative publicity and fines generated by attacks that leverage insecure IoT devices will cause manufacturers to become less complacent, but for the foreseeable future, the best course of action is a layered defense that stops spam at the borders of your networks before the Internet’s defense mechanisms are activated.
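One way to see whether devices inside a network are trying to send mail directly, bypassing the sanctioned mail relay, is to review egress firewall logs. The sketch below is an added example, not code from the article or from any product: the log format, the internal address range, the relay address, and the function names are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; replace with your own network details.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_RELAYS = {ipaddress.ip_address("10.0.1.25")}  # the only host allowed to send mail out
SMTP_PORTS = {25, 465, 587}

# Constructed sample egress log, assumed format: timestamp src dst dst_port action
SAMPLE_LOG = """\
2017-01-31T10:00:01 10.0.1.25 198.51.100.7 25 ALLOW
2017-01-31T10:00:02 10.0.7.44 203.0.113.9 25 ALLOW
2017-01-31T10:00:02 10.0.7.44 203.0.113.10 25 ALLOW
2017-01-31T10:00:03 10.0.7.44 198.51.100.80 25 ALLOW
2017-01-31T10:00:04 10.0.3.12 198.51.100.7 443 ALLOW
2017-01-31T10:00:05 10.0.9.3 203.0.113.9 587 DENY
garbage line
"""

def find_direct_smtp_senders(log_text, min_destinations=1):
    """Map each internal, non-relay host that attempted external SMTP to its stats."""
    hits = defaultdict(lambda: {"connections": 0, "allowed": 0, "destinations": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than failing the whole run
        _, src, dst, port, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue
        if port_no not in SMTP_PORTS or src_ip not in INTERNAL_NET:
            continue
        if src_ip in APPROVED_RELAYS or dst_ip in INTERNAL_NET:
            continue  # the relay itself, or internal-to-internal mail, is expected
        entry = hits[str(src_ip)]
        entry["connections"] += 1
        entry["allowed"] += action == "ALLOW"
        entry["destinations"].add(str(dst_ip))
    return {ip: e for ip, e in hits.items() if len(e["destinations"]) >= min_destinations}

def split_by_outcome(report):
    """Separate hosts whose SMTP left the network from hosts stopped at the border."""
    leaked = sorted(ip for ip, e in report.items() if e["allowed"])
    blocked = sorted(ip for ip, e in report.items() if not e["allowed"])
    return leaked, blocked

if __name__ == "__main__":
    print(split_by_outcome(find_direct_smtp_senders(SAMPLE_LOG)))
```

Hosts in the first list are the urgent ones: their mail reached the internet from your address space. Hosts in the second list were stopped at the border but still warrant investigation as likely compromised devices.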
Latest posts by Ciara Noonan
- Why Do Spammers Love The Internet Of Things? - January 31, 2017