A technique used by spammers to hide an e-mail's origin underscores the need for a multi-tiered approach to tackling spam, say security experts.

Spammers have traditionally used software to route their messages through a mass of "zombie machines" to reach recipients.

However, an increasing amount of spam is being sent to zombie machines and then passed through servers at the zombie machines' ISPs before reaching recipients, security experts at The Spamhaus Project and MessageLabs have warned.

The technique makes blocking spam more difficult, they said, because it bypasses the traditional IP blacklist approach take by anti-spam software. If the messages appear to be coming from an ISP, the lists become useless in targeting the real culprits. "No blacklist can block a whole ISP or e-mail itself would start to crumble," said MessageLabs' CTO Mark Sunner.

While the delivery method is problematic when using blacklists, many systems for filtering spam do not rely on blacklists alone. Filters often employ other means such as scanning subject headers or entire messages to detect unsolicited mail.

ISP routing does not spell "gloom and doom" for blocking spam, but emphasizes the need to take a multi-layered approach to filtering, Sunner said.

Graham Cluley, security technology consultant at Sophos, agreed, saying that anti-spam filters that use a "cocktail" approach and don't rely on one or two filtering methods will suffer less from spammers' shifting strategies.

The technique puts the onus on ISPs to monitor their outgoing mail carefully, however, and make sure they aren't being used as a proxy for spammers, according to Sunner. "At the end of the day there is increased pressure on ISPs," Sunner said.

Routing spam through ISPs could potentially give them more visibility and control over spam, Cluley said, but they need to revisit their policies for filtering outbound, and run the risk of being put on blacklists if they send out spam directly.

Spamhaus estimates that as much as 75 percent of the traffic arriving at most ISPs is spam. Some ISPs already monitor their outbound mail. ISP organisation the London Internet Exchange has also moved to prevent ISPs being used as proxies for sending spam. The group issued a list of best practices in August stating that ISPs should identify and be able to trace the source of all the e-mail passing through their systems.

"It's a cat and mouse game," Sunner noted.