Spam's Making A Comeback And We're All Stuck With It
The New York Times reports grim news that anybody watching their e-mail in-boxes already knew: Spam is making a comeback. Worldwide spam volumes doubled since last year...
The New York Times reports grim news that anybody watching their e-mail in-boxes already knew: Spam is making a comeback. Worldwide spam volumes doubled since last year, and spam now accounts for more than 90% of e-mail worldwide. And it doesn't look like the problem is going away.
Smart people last year were saying the spam problem was solved. I was not one of those smart people -- how can anybody have said the spam problem was solved if it required significant investment in hardware, software, and services to keep spam at bay? But, still, spam was being kept at bay; spamfighters developed a few techniques that worked well to combat junk mail. Those techniques included blacklisting known spam-sending IP addresses and domains, analyzing the text of messages for spammy text and links, and spotting and blocking duplicate messages sent in bulk.
Spammers are getting around blacklists by using botnets -- armies of infected computers that the spammer takes over and uses to send spam. Spammers thwart text analysis by sending only images, with pictures of text in the images. And they block duplicate messages by varying the contents of messages by just a few pixels -- just enough to trick the spam filters.
The botnets also drive down the cost of sending spam. You used to read about spammers with multiple T-1 lines, each costing thousands of dollars a month, piped into a single, small office or the converted bedroom of a home. But by using botnets, spammers can steal the bandwidth of the infected machines -- usually, machines belonging to naive consumers. Spammers now have only minimal bandwidth costs themselves. They pass the cost on to their victims.
And spammers have been able to get rid of the one, surefire Achilles heel that worked against them every time. Used to be that they had to give out some information on how to buy the product they were selling. Generally, that meant linking to a Web site selling toy cars, or porn, or herbal Viagra, or whatever. Spamfighters could block spam by compiling databases of known spam URLs, and blocking messages linking to those sites.
"
[N]ot anymore. Many of the messages in the latest spam wave promote penny stocks - part of a scheme that antispam researchers call the "pump and dump." Spammers buy the inexpensive stock of an obscure company and send out messages hyping it. They sell their shares when the gullible masses respond and snap up the stock. No links to Web sites are needed in the messages.
"
Freedom to Tinker explains the economic terms of the competition. The payoff from sending spam is very, very low -- but the cost is even smaller than that. Felten explains:
"
The per-message payoff is probably decreasing as spammers are forced to new payoff strategies (e.g., switching from selling bogus "medical" products to penny-stock manipulation). But their cost to send a message is also dropping as they start to use other people's computers (without paying) and those computers get more and more capable. Right now the cost is dropping faster, so spam is increasing.
From the good guys' perspective, the cost of spam filtering is increasing. Organizations are buying new spam-filtering services and deploying more computers to run them. The switch to image-based spam will force filters to use image analysis, which chews up a lot more computing power than the current textual analysis. And the increased volume of spam will make things even worse. Just as the good guys are trying to raise the spammers' costs, the spammers' tactics are raising the good guys' costs.
"
I don't see a good outcome for this. Fighting technology-based social problems requires technology and laws. We have the technology, but it's getting less effective. And we don't have the law on our side. The three-year-old CAN-SPAM law is toothless (something spamfighters were saying from the very beginning, and they were ignored). And even if the U.S. government suddenly, miraculously found the will to pass an anti-spam law with teeth, much spam is coming from countries in Europe, Latin America, and Africa, where the U.S. has no jurisdiction or political leverage. This problem isn't going away, or even getting better, anytime soon.
About the Author
You May Also Like
Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024