The Greenview Data Source An open discussion of email, encryption, security, & the web.

3 Sep 2010

Rustock Botnet Wisely Abandons TLS

The big email spam news from last week concerned MessageLabs' August Intelligence report and its revelation that the Rustock botnet had grown to account for nearly 41% of all spam being sent. At over 46 billion messages per day, that's a lot of spam. The interesting part of the story, though, is that the increase came after the botnet had shrunk to about half its former size. How was this possible?

The most likely reason is that the botnet operators dropped their use of TLS encryption on the spam they were sending out. Using TLS to encrypt email sessions adds significant processing overhead, so by eliminating it the botnet was able to send more email per infected computer - in fact, over two times more - allowing greater volume even with the reduced number of hosts.

It was never clear why Rustock was using TLS to begin with. Speculation is that the operators hoped to get more of their spam past filters by encrypting it, which turns out to be a useless tactic. TLS encrypts only the connection between the sending and receiving servers, not the message itself, so the receiving server sees the message in the clear and spam filters have no problem identifying it once it arrives. For example, with a hosted anti-spam service like SpamStopsHere, there's nothing stopping our software from accepting the encrypted connection, receiving the "secure" email, reading it, recognizing it as spam, and discarding it before it ever reaches the customer's inbox. After losing a large chunk of their botnet, it's no wonder Rustock reverted to unencrypted spam and "quantity over quality."

But this anecdote serves to highlight a larger issue, which is the use of TLS for encrypting email in the legitimate business world. It may seem absurd to compare the email choices and habits of the most prolific spammer in the world with those of, say, a healthcare provider, but there are some relevant points to be made. While the HITECH Act has made secure communications a priority for any company handling sensitive information, how to properly handle email encryption is still pretty murky. The important distinction to make is that there are two cases to consider: data at rest and data in motion. Using TLS only covers data in motion, which is why using it to encrypt spam doesn't actually help a botnet get more past the filters. To do that, they'd need to use encryption for the data at rest.
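To make the data-in-motion versus data-at-rest distinction concrete, here is an added example (not code from the original post or from SpamStopsHere) modelling one SMTP hop. It assumes a constructed spam message, a constructed filter pattern, and a toy SHA-256 keystream cipher standing in for both TLS on the hop and an S/MIME-style at-rest encryption to the recipient; the session terminates at the receiving server, which is why a TLS-only message is still readable by its filter, while a message encrypted to the recipient before it enters the hop is not.

```python
import hashlib
import re

# Constructed toy model of one SMTP hop for illustration. The keystream cipher
# stands in for TLS (the hop) and for S/MIME-style encryption (at rest); it is
# not real cryptography and must not be used as such.

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

# Constructed filter rule; a real filter has far more than one pattern.
SPAM_PATTERN = re.compile(rb"cheap (pills|watches)|act now", re.IGNORECASE)

def content_filter(body: bytes) -> str:
    """Filter run by the receiving server on whatever bytes it can actually read."""
    if any(b > 126 or (b < 32 and b not in b"\r\n\t") for b in body):
        return "unreadable"   # ciphertext or binary: the filter cannot judge the content
    return "spam" if SPAM_PATTERN.search(body) else "ham"

def receiving_server(wire: bytes, session_key: bytes) -> tuple[bytes, str]:
    """The TLS session terminates here, so this server holds the session key,
    recovers the message exactly as it was handed to the hop, and filters it."""
    message = keystream_xor(session_key, wire)
    return message, content_filter(message)

def send_tls_only(body: bytes, session_key: bytes) -> tuple[bytes, str]:
    """Rustock's setup: TLS on the hop, plaintext inside. The receiver sees the body."""
    wire = keystream_xor(session_key, body)   # sending server encrypts for the wire only
    return receiving_server(wire, session_key)

def send_encrypted_at_rest(body: bytes, session_key: bytes, recipient_key: bytes) -> tuple[bytes, str]:
    """Healthcare-style case: the body is encrypted to the recipient before it enters
    the hop, so the intermediate server (and its filter) sees only ciphertext."""
    at_rest = keystream_xor(recipient_key, body)   # only the recipient holds recipient_key
    wire = keystream_xor(session_key, at_rest)
    return receiving_server(wire, session_key)

if __name__ == "__main__":
    spam = b"Subject: act now\r\n\r\nCheap pills, limited offer!\r\n"   # constructed sample
    print(send_tls_only(spam, b"session-key")[1])                           # spam
    print(send_encrypted_at_rest(spam, b"session-key", b"recipient-key")[1])  # unreadable
```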

In the next few weeks, we'll have a few follow-up articles that go a little more in depth with how TLS and alternate solutions can work to encrypt your emails and get your organization HIPAA compliant. If there's anything specific you'd like to see discussed, please let us know in the comments.

About Dylan

Dylan is the long-tenured GVDS Curator of Historical Records & Manuscripts