OVH Strengthens Its Fight against Spam
At the start of 2015, OVH undertook a responsible approach in the fight against spam and other types of abuse. With its membership to the organizations of Signal Spam and M3AAWG, the implementation of a new Abuse center and R&D dedicated to identifying new methods of combatting malicious behavior, the company has seen a steady decline in the amount of spam sent from its infrastructure. Romain Beeckman, Chief Legal Officer and Stéphane Lesimple, CISO and SOC department leader, explain the measures deployed by the European Leader of Digital as a Service.
OVH’s main activity is supplying infrastructures, all of which are potential tools for spammers. For a number of years, the provider has been fighting against spam, phishing, etc., but the methods used are beginning to reach their limits. Romain Beeckman details, “First, we invested in technologies allowing us to control the security of our network flow. In particular, the anti-DDoS technology that we implemented at our network’s entry point allows us to mitigate extremely large volumes of denial of service attacks and guarantees optimal protection to our customers, regardless of their services. Spam is also one of our priorities and as such we have implemented anti-spam technology to block the sending or receiving of spam from our network. This was a necessary step albeit insufficient. Today, our desire is to integrate the ecosystem of all those concerned in the fight against spam with the aim of working together around a common goal.” Stéphane Lesimple, CISO at OVH adds, “We are a major player in our market and therefore have a duty to set an example by helping to eradicate botnets, spam, phishing, etc., on the network. We must work together with all the stakeholders of the Web and use technologies that we have developed, so that the network as a whole is more secure.”
50% less spam with Signal Spam
The OVH group has joined two organizations it has identified as being pertinent in the fight against malicious e-mail:Signal Spam and M3AAWG(Messaging, Malware and Mobile Anti-Abuse Working Group).
The French non-profit organization Signal Spam brings together public authorities such as CNIL*, professional associations, Internet users and businesses. “Moreover, some of OVH customers and partners, notably Mailjet and Vade Retro, make up part of the association. Our membership to Signal Spam therefore makes total sense. Now in this fight against spam, we finally have the relay between the group, our customers and the customers of our customers,” comments Romain Beekman.
But what are the advantages of working with Signal Spam? Until now, spam or phishing reports were sent to OVH by ISPs (Internet service providers), emails or through the abuse platform. The biggest difficulty in the fight against undesirable mail is obtaining complete reports. Many do not contain all the relevant information required for OVH to retrace the email’s route and identify the customer or infrastructure of origin. Some reasons for this are as follows. Third parties do not wish to provide full information to prevent the disclosure of their customers' personal data. Other times, reports are technically incomplete, prohibiting us from determining which client infrastructure is posing the problem. Still yet, there is the difficulty of identifying essential information because reports are not sent in a standard format. Individuals reporting spam are unaware of how to compose reports in a comprehensive manner. In these cases, it is difficult to act any faster.
“The 350,000 Internet users that are members of Signal Spam each have a plug-in integrated into their email client*. When they receive a fraudulent email, they can transfer the mail, in its entirety, to the organization directly via the plug-in. The organization then analyzes the data, consolidates information and identical reports, making all data available to us,” details Stephane Lesimple.
“OVH obtains some very complete data, allowing us to act very quickly in contacting customers whose email campaigns have been the subject of many reports. We invite them to review their business model or clarify their policies concerning the sending of emails and unsubscribe options. If the situation does not change after several warnings, we do not hesitate to drop customers who do not respect our contractual terms. The same also goes for those who are not vigilant enough with the security of their machines,” explains Romain Beeckman. In six months of collaboration with the French association, OVH has seen a reduction of 50% in the number of complaints reported to Signal Spam concerning its infrastructures.
Stepping up the fight on a global scale with M3AAWG
OVH has also intensified its fight against spam on a global scale through its membership to M3AAWG, which brings together a large number of North American and European players. “You will find, amongst others, Apple, Blue Ocean, Facebook, Google, Orange, Mailjet, PayPal, Rackspace, Signal Spam, Time Warner, Vade Retro and many others,” says Stéphane Lesimple. The work group is not only focusing on fighting spam, but is also fighting against other types of abuse such as phishing, malware, botnets, viruses and even DDoS attacks.
By joining M3AAWG, OVH was able to develop a trusting relationship with various members, like Spamhaus. This has led to optimizing the report processing time, as well as identifying and taking corrective measures with customers who are the cause of a large number of spam complaints. This work has proved successful as OVH is no longer among the top 10 ISPs hosting spammers, according to Spamhaus.
In creating a privileged communications channel with these professionals of the digital world, OVH receives relevant and verifiable information through their data bases. Thus, the company has elements to compare with the reports that it receives from its abuse platform and can effectively evaluate which measures to take.
Improving detection and incident management
The ambition of OVH is also to improve the manner in which it treats reports received from its abuse platform. “This service is crucial within OVH, because it concerns all of our products and services,” asserts Stéphane Lesimple, “We cannot neglect it, as otherwise we may put the security of our customers at risk.”
At the start of 2015, a new team was created and it benefited from new tools and new technologies. The Abuse team has employees in both Europe and North America, ensuring maximal coverage time throughout the day. This unit consolidates different levels of expertise, including experts in information security which perform detailed analysis of botnets, identify behavior patterns, particularly in the methods of communication between compromised machines and the command and control servers (C&C) for botnets. They also manage incident reports coming from the Abuse alert platform, external partners or internal detection systems. They identify similarities between various cases, establishing a typology which can allow OVH teams to be more proactive in regards to risk behaviors. “This enables us to improve detection and the handling of incidents,” adds Stéphane Lesimple, “we are not going to just deal with cases that are reported to us, but also detect weak signals in order to deal with them upstream, even before a user reports them to us.
There are two ways to treat abuse issues. The first is the simplest and also the most commonly used: systematically handpicking clients. This is accomplished through due diligence during the ordering process, verifying the existence of the customer’s postal address by sending verification through the mail. This technique is also often coupled with establishing a floor price. For example: if a company only offers relatively expensive services with high added value, there are generally fewer problems of abuse. But this technique is not compatible with OVH.
Indeed, our DNA not only drives us to innovative, but also to offer innovations at fair prices, allowing all to benefit. It is very easy, in just a few clicks, even on a Sunday at 4 a.m. in the morning, to put together an infrastructure at OVH to test an idea or a concept. This applies to a person with legitimate needs as well as someone with dubious intentions and this is why it is essential to have a very effective abuse team. This isn’t a bug, it’s a functionality. We want to be the catapult that allows entrepreneurs to put their ideas in orbit and create value in relying on OVH know how. That is to say, to provide scalable infrastructures which are the foundations of the services that make up our customers. The challenge for our team is to detect illegitimate use of our products as quickly as possible, without putting up obstacles for legitimate customers.”
Research and development for a more secure Internet
OVH has other ideas for the future, to not only detect problems on OVH infrastructures, but also of those of other market players. “Botnets can be partly hosted with us and in part hosted with other providers. Therefore, our abuse team may be required to contact their counterparts at other providers to present the results of our analysis. Our idea is that everything encompassing the fight against spam, malware, etc., knows no boundaries”, concludes Stéphane Lesimple.
The new internal platform for reception, analysis and processing of complaints, used daily by the OVH Abuse team, is always under development and is constantly improving. Once successful enough, this interface will become the same interface that will be shared by OVH in an open source format, to allow as many people as possible to benefit from the work of the service provider’s teams.
*CNIL – is an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.
*This plug-in is available for Thunderbird and Outlook email clients. New plug-ins for Mail (Mac) and Chrome, Safari and Firefox web browsers, having compatibility with most major webmail, will be available before the end of 2015.