Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/6/2006
01:47 PM
Mitch Wagner
Mitch Wagner
Commentary
50%
50%

Spam's Making A Comeback And We're All Stuck With It

The New York Times reports grim news that anybody watching their e-mail in-boxes already knew: Spam is making a comeback. Worldwide spam volumes doubled since last year, and spam now accounts for more than 90% of e-mail worldwide. And it doesn't look like the problem is going away.

The New York Times reports grim news that anybody watching their e-mail in-boxes already knew: Spam is making a comeback. Worldwide spam volumes doubled since last year, and spam now accounts for more than 90% of e-mail worldwide. And it doesn't look like the problem is going away.

Smart people last year were saying the spam problem was solved. I was not one of those smart people -- how can anybody have said the spam problem was solved if it required significant investment in hardware, software, and services to keep spam at bay? But, still, spam was being kept at bay; spamfighters developed a few techniques that worked well to combat junk mail. Those techniques included blacklisting known spam-sending IP addresses and domains, analyzing the text of messages for spammy text and links, and spotting and blocking duplicate messages sent in bulk.

Spammers are getting around blacklists by using botnets -- armies of infected computers that the spammer takes over and uses to send spam. Spammers thwart text analysis by sending only images, with pictures of text in the images. And they block duplicate messages by varying the contents of messages by just a few pixels -- just enough to trick the spam filters.

The botnets also drive down the cost of sending spam. You used to read about spammers with multiple T-1 lines, each costing thousands of dollars a month, piped into a single, small office or the converted bedroom of a home. But by using botnets, spammers can steal the bandwidth of the infected machines -- usually, machines belonging to naive consumers. Spammers now have only minimal bandwidth costs themselves. They pass the cost on to their victims.

And spammers have been able to get rid of the one, surefire Achilles heel that worked against them every time. Used to be that they had to give out some information on how to buy the product they were selling. Generally, that meant linking to a Web site selling toy cars, or porn, or herbal Viagra, or whatever. Spamfighters could block spam by compiling databases of known spam URLs, and blocking messages linking to those sites.

[N]ot anymore. Many of the messages in the latest spam wave promote penny stocks - part of a scheme that antispam researchers call the "pump and dump." Spammers buy the inexpensive stock of an obscure company and send out messages hyping it. They sell their shares when the gullible masses respond and snap up the stock. No links to Web sites are needed in the messages.

Freedom to Tinker explains the economic terms of the competition. The payoff from sending spam is very, very low -- but the cost is even smaller than that. Felten explains:

The per-message payoff is probably decreasing as spammers are forced to new payoff strategies (e.g., switching from selling bogus "medical" products to penny-stock manipulation). But their cost to send a message is also dropping as they start to use other people's computers (without paying) and those computers get more and more capable. Right now the cost is dropping faster, so spam is increasing.

From the good guys' perspective, the cost of spam filtering is increasing. Organizations are buying new spam-filtering services and deploying more computers to run them. The switch to image-based spam will force filters to use image analysis, which chews up a lot more computing power than the current textual analysis. And the increased volume of spam will make things even worse. Just as the good guys are trying to raise the spammers' costs, the spammers' tactics are raising the good guys' costs.

I don't see a good outcome for this. Fighting technology-based social problems requires technology and laws. We have the technology, but it's getting less effective. And we don't have the law on our side. The three-year-old CAN-SPAM law is toothless (something spamfighters were saying from the very beginning, and they were ignored). And even if the U.S. government suddenly, miraculously found the will to pass an anti-spam law with teeth, much spam is coming from countries in Europe, Latin America, and Africa, where the U.S. has no jurisdiction or political leverage. This problem isn't going away, or even getting better, anytime soon.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd