Symantec Study Mischaracterizes Linux Spam
The latest MessageLabs Intelligence Report from Symantec Hosted Services is filled with interesting and useful information regarding the current state of malware and e-mail borne threats as well as the trends over time. Of particular interest to me is the assertion in the report that "any given Linux machine is five times more likely to be sending spam than any given Windows machine."
I am generally one of the first to point out that the security risks associated with the Windows operating system are often exaggerated, or at least that the relative threat level is a function of market share, and that if Linux or Mac OS X had 90 percent market share those systems would be at least as vulnerable, and at least as targeted by malicious attack as Windows is now. That said, saying that Linux is five times more likely to distribute spam than Windows seemed like skewed math for the sake of sensationalism.
I checked with other malware security experts to gather some additional insight on the issue of Linux as a purveyor of spam. What I found was a consensus regarding the root cause behind the metrics, and ultimately that Linux may, in fact, be an inordinate source of spam messages.
Tyler Reguly, lead research engineer for nCircle, told me "I actually find the report rather odd, and also question their methods for remote fingerprinting. If they were using passive fingerprinting on mail coming into their server, they wouldn't necessarily have an accurate fingerprint of the host sending the mail. They could instead be fingerprinting a mail server with an open relay, or an ISP "smarthost". They also acknowledged that much of the Linux attributed spam could be coming from direct marketing emails... these would most likely be mailed out through a proper mail server (which is quite likely to be running Linux)."
A security researcher from FireEye e-mailed to say "We wouldn't be surprised if these Linux boxes just have TCP port 25 open and are being abused as open SMTP relays. The malware is doing this to hide the locations of the infected (Windows) machine. Modern malware is designed to maintain long-term control over systems since the primary cost of building these malware infrastructures is the time and energy needed to "acquire" infected systems."
Andrew Brandt, lead threat research analyst at Webroot, also found the report potentially suspect "The Spam Index feature in the report appears to overemphasize a problem which may have little to do with any inherent issue or vulnerability with a particular operating system. The spam index seems odd with no context; we don't know whether there's any kind of active infection on a machine running a particular operating system."
Brandt goes on, though, to arrive at essentially the same conclusion as the first two experts. "Linux servers can be misconfigured (or deliberately configured by someone who thinks this is a good idea) to be open mail relays quite easily. Open relays are frequently used by spammers to distribute spam, and because operators of machines with open relays aren't typically closely monitoring these boxes (if the owners of these servers knew what they were doing, the box wouldn't be set up as an open relay in the first place) they could, in theory, send far more spam per IP address from an open relay than from a typical Windows desktop machine on a broadband connection."
As it turns out, Symantec also provides a more detailed investigation into the Linux spam issue. Symantec elaborates to say it "found that in most cases it came from a machine running an open source mail transfer agent (MTA) such as Postfix or SendMail, that had been left open. This suggests that one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers, and are using open source software to keep down costs, have not realized that leaving port 25 open to the internet also leaves them open to abuse."
So--the true source of the spam messages is still most likely a compromised Windows PC--probably part of a massive botnet. However, misconfigured, or poorly configured Linux systems are being leveraged as relays which hides the originating system, and skews the results so that it appears that Linux is responsible for spam that is more likely just passing through.
Webroot's Brandt explains "If you don't know what you're doing, or you don't understand the problem with having an open mail relay, and you run a Linux server on a large pipe, you could be contributing to the problem."
The FireEye engineer summed it up nicely. "The report does rightly point out that Linux IT admins need to pay attention to the threat of modern malware. The malware may not directly infect the Linux host, but it does probe and abuse Linux systems as part of its malware infection lifecycle."
If you are a Linux administrator, make sure your systems do not have open mail relays available to be exploited by botnets to distribute spam e-mail messages. You can kill two birds with one stone--clearing up the security reputation of Linux, and eliminating a layer of obscurity to help identify the real source of spam messages so the compromised systems can be taken offline and cleaned up.