The State Of Spam

Filters have gotten so effective at keeping junk e-mail away from users that there's little public outcry against spam today. But behind the scenes, the problem is worse than ever--and it could mask a serious, real-world threat.



If billions of spam messages travel throughout the Internet every day, but consumers see just a few of them in their inboxes, do they really exist?

Unsolicited bulk e-mail, otherwise known as spam, accounted for about 80 percent of all the e-mail traffic on the Internet during the first three months of 2006. This was the conclusion reached by the international Messaging Anti-Abuse Working Group, whose members include AOL, Bell Canada, Cingular Wireless, EarthLink, France Telecom, Microsoft, Verizon, and Yahoo. Together, these organizations account for about 390 million mailboxes.


The State Of Spam


•  Introduction

•  Phishing Comes To The Fore

•  America, The Spam Leader

•  Hidden Costs

•  How Not To Fight Spam

•  Taking On Phishing

•  A Bleak Outlook


And they should know. Microsoft and AOL combined block nearly 5 billion pieces of spam every day. Nearly nine out of every ten e-mail messages at Microsoft's MSN Hotmail are spam. The company says 95 percent of them never reach their intended targets and thus, spam is contained.

"In some ways it's a good news, bad news situation," says Michael Geist, the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. "The good news is the filtering systems have become better and better in corporate environments and at Internet service providers. The level of spam users have received has decreased. The bad news is the amount of overall spam hasn't decreased at all. It may be increasing."


"The use of zombies as a tool in tandem with a real-world terrorist attack will happen, I have no doubt." —Neil Schwartzman, CAUCE Canada

And it's getting increasingly pernicious. Messages that once pitched herbal remedies or guarantees to enlarge certain body parts now arrive ready to infect computers with viruses, spyware, or keylogging software. Once they round up enough contaminated PCs, spammers potentially can control networks of zombie bots they can use to send even more tainted e-mail or to command distributed denial of service attacks.

"The vicious content in the e-mail stream right now is beyond belief," says Neil Schwartzman, chairman of the Coalition Against Unsolicited Commercial Email (CAUCE) in Canada. "We're not talking about the old scams we saw from a few years ago. It's a lot nastier."

Schwartzman foresees a time when zombies are employed for purposes far more devastating than sending junk e-mail. "The use of zombies as a tool in tandem with a real-world terrorist attack will happen, I have no doubt. It's obviously a scary proposition. To compound a real-world attack, it could be effective."

For example, zombies could be used to call 911 simultaneously and overwhelm the emergency response capability of a particular municipality. In a similar scenario, Christopher Maxwell, 20, of Vacaville, California, pleaded guilty in May to shutting down computers, physicians' pagers, and operating room doors in the intensive care unit at Northwest Hospital and Medical Center in Seattle by means of a botnet attack.

Phishing Comes To The Fore
On top of that, there's yet another type of spam that inflicts serious financial losses on its victims: phishing, the trick of fraudulently acquiring personal information, usually about credit cards or other accounts. Spammers aren't just pushing snake oil anymore; they're trying to clean out your bank account.




Nearly six out of ten business PC users receive at least one phishing e-mail every day, and 22 percent receive more than five a day, according to a recent poll conducted by computer security firm Sophos Plc. Phishing attempts worldwide have nearly doubled, the Anti-Phishing Working Group found. The organization, whose 1,500 corporate members include eight of the top 10 U.S. banks and four of the top five U.S. ISPs, detected 15,244 unique phishing reports in December 2005, up from 8,829 in December 2004.

To hear IBM tell it, though, the new strain of spam is spreading even more quickly. Big Blue announced in January that the number of viruses delivered via e-mail declined by about half from 2004 to 2005 to about 2.8 percent of all e-mail. But phishing attempts tripled, to an average of one in every 304 messages, because of increased use of botnets to generate massive volumes of scam e-mail.

By far, the companies spoofed most frequently by phishing attempts are eBay and PayPal, but banks are getting hit too. "We have to look at the online economy as under attack," Schwartzman says.


"Even the weak provisions of [the CAN-SPAM Act] are being violated with impunity by spammers every day." —John C. Mozena, CAUCE U.S.

America, The Spam Leader
One misconception about spam is that it's largely the work of foreigners. In fact, America is the world's biggest spammer. According to Sophos, more spam (23.1 percent) was relayed through the United States than through any other country during the first three months of the year -- though China, including Hong Kong, is a close second at 21.9 percent. South Korea is a distant third at 9.8 percent.

Existing laws haven't put much of a dent in America's reign as the king of spam. The CAN-SPAM Act of 2003 (which stands for Controlling the Assault of Non-Solicited Pornography and Marketing) didn't actually make spam illegal, but it prohibits deceptive subject lines and requires that recipients be given an opt-out method.

"We have a very weak federal anti-spam law," says John C. Mozena, co-founder and vice president of CAUCE in the United States. "But even the weak provisions of that law are being violated with impunity by spammers every day. The Federal Trade Commission and Department of Justice and other bodies with enforcement capabilities under CAN-SPAM don't have the resources [to enforce the law]."

It's no secret who's guilty. The Spamhaus Project, a London-based nonprofit that tracks spammers worldwide, posts its own Top 10 list of "the worst of the career spammers causing the most damage on the Internet currently," including their names, aliases, and operations.

But prosecutions can be costly. Microsoft, for example, has found them a losing proposition. John Scarrow, general manager of Microsoft's anti-spam and anti-phishing strategy team, says the company has filed 112 anti-spam lawsuits in U.S. courts and has been awarded more than $869 million in judgments, but it spends much more money in court costs than it receives in settlements.

Hidden Costs
Some Internet service providers (ISPs) insist there's no need to worry. Why? Because they judge their success rate by consumer response, and complaints are few nowadays. A "report spam" button in many mail programs lets users inform their ISP if spam reaches their inbox. With this outlet, consumers are less likely to complain about spam. At the same time, spam filters have gotten better, which means less spam is reaching users' inboxes in the first place.




AOL member complaints about spam have dropped 75 percent since November 2003, according to Mike Jones, director of AOL's anti-spam operations. "As an industry, we're doing a better job of keeping [spam] away from members," says Jones. Still, he acknowledges the side effects. "Spam causes a multitude of problems, not just man hours but system resources" to deal with it.

Even if the unwanted messages are blocked from reaching inboxes, they still eat up bandwidth. Geist, the University of Ottawa professor, figures that if 80 percent of e-mail is spam, "then four out of five e-mail servers are there to deal with spam, not to deal with legitimate mail." Neither AOL nor Microsoft would disclose how much it spends to fight spam.

That doesn't count the costs facing corporate IT staffs, who typically buy third-party spam filters to protect their networks. Microsoft's Scarrow estimates that spam accounts for about two-thirds of corporate e-mail traffic.


"The technological cat-and-mouse game does little to solve the problem; rather, it just masks it." —Michael Geist, University of Ottawa

Another cost relates to people's perception of the reliability of messages sent electronically. Filters turned up to their highest strength also have a habit of blocking genuine e-mail -- what's known as false positives. Geist estimates that as much as 10 percent of mail tagged as spam may actually be honest messages. "As their junk folder grows, the ability to pick out the legitimate from the spam is a task people don't bother with," he says.


How Not To Fight Spam


In the war against spam, fighting fire with fire might seem like a good idea, but in practice it's had disastrous results.

First there was Lycos Europe's effort to launch denial of service (DoS) attacks against spammers in late 2004. The Web portal distributed a "Make Love, Not Spam" screensaver that continually requested Web pages from servers it said were "verified to be spam advertising sites." The idea, said Lycos, was not to bring those sites down but to eat up bandwidth and drive up their costs. Within days, however, spammers had fought back with DoS attacks of their own against Lycos, and the company pulled the plug on its anti-spam scheme.

Then, in the summer of 2005, an Israeli startup called Blue Security announced its own fight-fire-with-fire strategy: The company monitored and analyzed the spam e-mail received by users of its BlueFrog client, followed links to the spammers' Web sites, and automatically filled out feedback forms on those sites with requests to be removed from their mailing lists. These opt-out complaints occurred simultaneously, overwhelming the target sites -- and skating awfully close to being DoS attacks.

Anti-spam groups and security firms criticized Blue Security's tactics over a variety of legal and ethical concerns. Nevertheless, Blue Security claimed to have enlisted more than 500,000 users in less than a year. But it all came crashing down when a spammer known as PharmaMaster sent threatening e-mails to BlueFrog users and launched a DoS attack against Blue Security.

The startup inadvertently made matters worse by redirecting all Web traffic from its company home page to its TypePad blog. The DoS attacks followed right along, bringing down not only Blue Security's blog, but millions of others hosted by TypePad and LiveJournal. Not long after, Blue Security threw in the towel and shut down operations.

-- Valerie Potter



Taking On Phishing
One of Microsoft's latest tactics against spam, and phishing attacks in particular, is Sender ID, an authentication protocol that validates the origin of an e-mail by checking the IP address of the sending server against a registered list of servers that the domain owner has authorized to send e-mail. The ISP or the recipient's mail server performs the verification automatically before delivering the message.
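The check described above, sketched as an added example (not code from this article or from Microsoft): the receiving server compares the connecting IP address with the list the sending domain has published. It assumes the SPF-style text record format (`v=spf1` or `spf2.0/...`) that such lists use; the sample record and addresses are constructed, and the record is passed in as a string instead of being fetched from DNS.

```python
import ipaddress

# Qualifier prefix on a mechanism -> result returned when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample policy using documentation-only address ranges.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"


def parse_policy(record):
    """Split a published sender policy into (result, mechanism, value) terms."""
    version, *terms = record.split()
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        raise ValueError("not a sender-policy record: %r" % version)
    parsed = []
    for term in terms:
        # A missing qualifier means "+", i.e. a match authorizes the sender.
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        else:
            qualifier, body = "+", term
        name, _, value = body.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), value))
    return parsed


def check_sender(record, client_ip):
    """Return the policy result for the IP address of the connecting server."""
    ip = ipaddress.ip_address(client_ip)
    for result, name, value in parse_policy(record):
        if name == "all":
            return result  # catch-all term: applies to every sender not matched yet
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return result
        # Simplification: terms that need DNS lookups (a, mx, include, ...)
        # are skipped so that this sketch runs offline.
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for addr in ("192.0.2.77", "198.51.100.26", "2001:db8::1"):
        print(addr, check_sender(EXAMPLE_RECORD, addr))
```

A `fail` result is what lets the recipient's server reject or flag a message whose sending server is not on the domain owner's list, which is why the technique works against spoofed brand domains.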




"We're paying more attention to reputation of the sender," Scarrow says. "That has been a really big deterrent for phishing. We're seeing people who really want to protect their brands -- eBay, PayPal, banks, e-marketers -- using Sender ID." Nearly one-third of Hotmail traffic has Sender ID attached to it, says Scarrow.

However, Sender ID is just one of three approaches to sender authentication -- along with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) -- under review by the Internet Engineering Task Force, an international standards organization.

Sender ID is the least useful of the three, according to Arabella Hallawell, a research vice president at Gartner. She says that DKIM is the most comprehensive of the three authentication methods and is gaining the fastest adoption rate among financial services companies and other spoofing victims.

Hallawell adds that e-mail authentication standards in general are much better at preventing phishing than spam. She believes that an arsenal of spam detection also should include connection-management techniques, which examine the traffic patterns and history of a domain sending e-mail. This is an important step because not all spammers hijack domains.


"You'd think that voting against spam would be like voting in favor of Mom and apple pie...but it's not." —John C. Mozena, CAUCE U.S.

A Bleak Outlook
The constant back and forth between spammers and the programmers trying to stop them seems to have no end. Spammers have even called in to AOL's Postmaster (a team that works with e-mailers to be sure their mailings do not constitute spam), posing as legitimate mailers and asking about the company's practices, according to Jones.

"You can't just put a spam rule in place and expect it to work forever," Jones says. "If we weren't constantly adjusting those rules we wouldn't be able to block as much because the spammers adapt quickly."

So what's the next step in stopping spammers? Not everyone believes more spam-fighting software is the answer. "The technological cat-and-mouse game does little to solve the problem; rather, it just masks it," says Geist, who would like to see more international cooperation between law enforcement and governments.

It's unlikely that any help will arrive soon in the form of tougher legislation. "There isn't the outcry that there was a few years ago, telling legislators to get this done," says CAUCE's Mozena. His organization has pushed for state legislators in Michigan to make it illegal to send spam to any computer network owned by a governmental or educational entity that is supported by taxpayers, but interest is tepid.

With no public outcry against spam today, legislators are more concerned with identity theft. "You'd think that voting against spam would be like voting in favor of Mom and apple pie," Mozena says. "You'd think that would be a slam dunk legally and politically, but it's not."

This could all change, of course, if spam-captured zombies are used in conjunction with a terrorist attack, as CAUCE's Schwartzman predicts. But in the end, it is our choice as to whether spam becomes an issue for our leaders to pay attention to, or simply another modern (and expensive) irritant to be tolerated.

Copyright © 2019 UBM Electronics, A UBM company, All rights reserved.