Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/6/2006
01:47 PM
Mitch Wagner
Mitch Wagner
Commentary
50%
50%

Spam's Making A Comeback And We're All Stuck With It

The New York Times reports grim news that anybody watching their e-mail in-boxes already knew: Spam is making a comeback. Worldwide spam volumes doubled since last year, and spam now accounts for more than 90% of e-mail worldwide. And it doesn't look like the problem is going away.

The New York Times reports grim news that anybody watching their e-mail in-boxes already knew: Spam is making a comeback. Worldwide spam volumes doubled since last year, and spam now accounts for more than 90% of e-mail worldwide. And it doesn't look like the problem is going away.

Smart people last year were saying the spam problem was solved. I was not one of those smart people -- how can anybody have said the spam problem was solved if it required significant investment in hardware, software, and services to keep spam at bay? But, still, spam was being kept at bay; spamfighters developed a few techniques that worked well to combat junk mail. Those techniques included blacklisting known spam-sending IP addresses and domains, analyzing the text of messages for spammy text and links, and spotting and blocking duplicate messages sent in bulk.

Spammers are getting around blacklists by using botnets -- armies of infected computers that the spammer takes over and uses to send spam. Spammers thwart text analysis by sending only images, with pictures of text in the images. And they block duplicate messages by varying the contents of messages by just a few pixels -- just enough to trick the spam filters.

The botnets also drive down the cost of sending spam. You used to read about spammers with multiple T-1 lines, each costing thousands of dollars a month, piped into a single, small office or the converted bedroom of a home. But by using botnets, spammers can steal the bandwidth of the infected machines -- usually, machines belonging to naive consumers. Spammers now have only minimal bandwidth costs themselves. They pass the cost on to their victims.

And spammers have been able to get rid of the one, surefire Achilles heel that worked against them every time. Used to be that they had to give out some information on how to buy the product they were selling. Generally, that meant linking to a Web site selling toy cars, or porn, or herbal Viagra, or whatever. Spamfighters could block spam by compiling databases of known spam URLs, and blocking messages linking to those sites.

[N]ot anymore. Many of the messages in the latest spam wave promote penny stocks - part of a scheme that antispam researchers call the "pump and dump." Spammers buy the inexpensive stock of an obscure company and send out messages hyping it. They sell their shares when the gullible masses respond and snap up the stock. No links to Web sites are needed in the messages.

Freedom to Tinker explains the economic terms of the competition. The payoff from sending spam is very, very low -- but the cost is even smaller than that. Felten explains:

The per-message payoff is probably decreasing as spammers are forced to new payoff strategies (e.g., switching from selling bogus "medical" products to penny-stock manipulation). But their cost to send a message is also dropping as they start to use other people's computers (without paying) and those computers get more and more capable. Right now the cost is dropping faster, so spam is increasing.

From the good guys' perspective, the cost of spam filtering is increasing. Organizations are buying new spam-filtering services and deploying more computers to run them. The switch to image-based spam will force filters to use image analysis, which chews up a lot more computing power than the current textual analysis. And the increased volume of spam will make things even worse. Just as the good guys are trying to raise the spammers' costs, the spammers' tactics are raising the good guys' costs.

I don't see a good outcome for this. Fighting technology-based social problems requires technology and laws. We have the technology, but it's getting less effective. And we don't have the law on our side. The three-year-old CAN-SPAM law is toothless (something spamfighters were saying from the very beginning, and they were ignored). And even if the U.S. government suddenly, miraculously found the will to pass an anti-spam law with teeth, much spam is coming from countries in Europe, Latin America, and Africa, where the U.S. has no jurisdiction or political leverage. This problem isn't going away, or even getting better, anytime soon.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36289
PUBLISHED: 2021-05-12
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and fro...
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...