Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/30/2005
05:42 PM
Mitch Wagner
Mitch Wagner
Commentary
50%
50%

Let's Make 2006 The Year We Wipe Out Spam

We don't care about spam anymore, and that's wrong. Spam is a crime highway that runs straight through your computer, carrying a cargo of worms, fraud, viruses and other attacks. Security vendor Sophos reported that attacks jumped 48% in the first 11 months of 2005. The most dangerous threats were spam-distributed. Spam has direct financial costs, as network managers are required to spend money on software and

We don't care about spam anymore, and that's wrong. Spam is a crime highway that runs straight through your computer, carrying a cargo of worms, fraud, viruses and other attacks.

Security vendor Sophos reported that attacks jumped 48% in the first 11 months of 2005. The most dangerous threats were spam-distributed.

Spam has direct financial costs, as network managers are required to spend money on software and services to filter spam, and buy additional hardware and bandwidth to carry the load of unwanted e-mail. That's money and resources that could be used for something productive.

And that's just the beginning. Secondary costs of spam are even worse.Attackers use their spam-borne attacks to take over target computers, and then use those computers to send more spam, which delivers a payload of fraudulent business offers and questionable medical remedies to prey on the fearful, ignorant, and insecure.

Compromised machines also become platforms to launch denial-of-service attacks. Often, the denial-of-service attacks are accompanied by threats to continue, and keep a business offline, unless the business pays the attackers to stop.

In a pathetic display of government incompetence, the Federal Trade Commission recently admitted that it can't prove that the two-year-old CAN SPAM law reduced. Less spam gets into users' in-boxes, but the spam that gets in is more malicious, the FTC said. Spam comprised 68% of e-mail in 2005, down from 77% in 2004. according to anti-spam vendor MX Logic, which said that technology, not the law, was responsible for the decline, noting that 96% of junk mail violates the requirements of CAN-SPAM.

You already know most of the preceding, but you don't really think about it. I know you don't think about it because if you thought about it, you'd do something about it. The Internet has become a crime zone, and decent users are like residents of gated communities, who've learned to ignore the sirens and breaking glass.

What needs to happen to stop spam? Technology has taken us about as far as we can go. We need better laws. CAN-SPAM is currently fairly useless--it allows marketers to send unsolicited bulk e-mails so long as they identify themselves and provide unsubscribe unstructions; the law needs to be amended to, quite simply, ban unsolicited bulk e-mail. What kind of assault law would allow attackers to hit you over the head so long as they identify themselves ("Hi, I'm Bill, I'll be the guy beating you up today!") and stop when you ask them to?

Moreover, CAN-SPAM needs to be amended to allow for the right of private action. Currently, only the government has the right to sue spammers, which creates bottlenecks. Anybody who receives spam should have a right to sue.

Is spam a big problem for you? What are you doing about it? What should society do about it? Leave a message below to let us know.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.