The State Of Spam

And they should know. Microsoft and AOL combined block nearly 5 billion pieces of spam every day. Nearly nine out of every ten e-mail messages at Microsoft's MSN Hotmail are spam. The company says 95 percent of them never reach their intended targets and thus, spam is contained.

"In some ways it's a good news, bad news situation," says Michael Geist, the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. "The good news is the filtering systems have become better and better in corporate environments and at Internet service providers. The level of spam users have received has decreased. The bad news is the amount of overall spam hasn't decreased at all. It may be increasing."

"The use of zombies as a tool in tandem with a real-world terrorist attack will happen, I have no doubt." Neil Schwartzman, CAUCE Canada

And it's getting increasingly pernicious. Messages that once pitched herbal remedies or guarantees to enlarge certain body parts now arrive ready to infect computers with viruses, spyware, or keylogging software. Once they round up enough contaminated PCs, spammers potentially can control networks of zombie bots they can use to send even more tainted e-mail or to command distributed denial of service attacks.

unit-1659132512259

type

Sponsored post

"The vicious content in the e-mail stream right now is beyond belief," says Neil Schwartzman, chairman of the Coalition Against Unsolicited Commercial Email (CAUCE) in Canada. "We're not talking about the old scams we saw from a few years ago. It's a lot nastier."

Schwartzman foresees a time when zombies are employed for purposes far more devastating than sending junk e-mail. "The use of zombies as a tool in tandem with a real-world terrorist attack will happen, I have no doubt. It's obviously a scary proposition. To compound a real-world attack, it could be effective."

For example, zombies could be used to call 911 simultaneously and overwhelm the emergency response capability of a particular municipality. In a similar scenario, Christopher Maxwell, 20, of Vacaville, California, pleaded guilty in May to shutting down computers, physicians' pagers, and operating room doors in the intensive care unit at Northwest Hospital and Medical Center in Seattle by means of a botnet attack. Phishing Comes To The Fore
On top of that, there's yet another type of spam that wreaks serious financial losses for its victims: phishing, the trick of fraudulently acquiring personal information, usually about credit cards or other accounts. Spammers aren't just pushing snake oil anymore; they're trying to clean out your bank account.

The State Of Spam

Nearly six out of ten business PC users receive at least one phishing e-mail every day, and 22 percent receive more than five a day, according to a recent poll conducted by computer security firm Sophos Plc. Phishing attempts worldwide have nearly doubled, the Anti-Phishing Working Group found. The organization, whose 1,500 corporate members include eight of the top 10 U.S. banks and four of the top five U.S. ISPs, detected 15,244 unique phishing reports in December 2005, up from 8,829 in December 2004.

To hear IBM tell it, though, the new strain of spam is spreading even more quickly. Big Blue announced in January that the number of viruses delivered via e-mail declined by about half from 2004 to 2005 to about 2.8 percent of all e-mail. But phishing attempts tripled, to an average of one in every 304 messages, because of increased use of botnets to generate massive volumes of scam e-mail.

By far, the companies spoofed most frequently by phishing attempts are eBay and PayPal, but banks are getting hit too. "We have to look at the online economy as under attack," Schwartzman says.

"Even the weak provisions of [the CAN-SPAM Act] are being violated with impunity by spammers every day." John C. Mozena, CAUCE U.S.

America, The Spam Leader
One misconception about spam is that it's largely the work of foreigners. In fact, America is the world's biggest spammer. According to Sophos, more spam (23.1 percent) was relayed through the United States than any other country during the first three months of the year -- though China, including Hong Kong, is a close second at 21.9 percent. South Korea is a distant third at 9.8 percent.

Existing laws haven't put much of a dent in America's reign as the king of spam. The CAN-SPAM Act of 2003 (which stands for Controlling the Assault of Non-Solicited Pornography and Marketing) didn't actually make spam illegal, but it prohibits deceptive subject lines and requires that recipients be given an opt-out method.

"We have a very weak federal anti-spam law," says John C. Mozena, co-founder and vice president of CAUCE in the United States. "But even the weak provisions of that law are being violated with impunity by spammers every day. The Federal Trade Commission and Department of Justice and other bodies with enforcement capabilities under CAN-SPAM don't have the resources [to enforce the law]."

It's no secret who's guilty. The Spamhaus Project, a London-based nonprofit that tracks spammers worldwide, posts its own Top 10 list of "the worst of the career spammers causing the most damage on the Internet currently," including their names, aliases, and operations.

But prosecutions can be costly. Microsoft, for example, has found them a losing proposition. John Scarrow, general manager of Microsoft's anti-spam and anti-phishing strategy team, says the company has filed 112 anti-spam lawsuits in U.S. courts and has been awarded more than $869 million in judgments, but it spends much more money in court costs than it receives in settlements. Hidden Costs
Some Internet service providers (ISPs) insist there's no need to worry. Why? Because they judge their success rate by consumer response, and complaints are few nowadays. A "report spam" button in many mail programs lets users inform their ISP if spam reaches their inbox. With this outlet, consumers are less likely to complain about spam. At the same time, spam filters have gotten better, which means less spam is reaching users' inboxes in the first place.

The State Of Spam

AOL member complaints about spam have dropped 75 percent since November 2003, according to Mike Jones, director of AOL's anti-spam operations. "As an industry, we're doing a better job of keeping [spam] away from members," says Jones. Still, he acknowledges the side effects. "Spam causes a multitude of problems, not just man hours but system resources" to deal with it.

Even if the unwanted messages are blocked from reaching inboxes, they still eat up bandwidth. Geist, the University of Ottawa professor, figures that if 80 percent of e-mail is spam, "then four out of five e-mail servers are there to deal with spam, not to deal with legitimate mail." Neither AOL nor Microsoft would disclose how much it spends to fight spam.

That doesn't count the costs facing corporate IT staffs, who typically buy third-party spam filters to protect their networks. Microsoft's Scarrow estimates that spam accounts for about two-thirds of corporate e-mail traffic.

"The technological cat-and-mouse game does little to solve the problem; rather, it just masks it." Michael Geist, University of Ottawa

Another cost relates to people's perception of the reliability of messages sent electronically. Filters turned up to their highest strength also have a habit of blocking genuine e-mail -- what's known as false positives. Geist estimates that as much as 10 percent of mail tagged as spam may actually be honest messages. "As their junk folder grows, the ability to pick out the legitimate from the spam is a task people don't bother with," he says.

How Not To Fight Spam

In the war against spam, fighting fire with fire might seem like a good idea, but in practice it's had disastrous results.

First there was Lycos Europe's effort to launch denial of service (DoS) attacks against spammers in late 2004. The Web portal distributed a "Make Love, Not Spam" screensaver that continually requested Web pages from servers it said were "verified to be spam advertising sites." The idea, said Lycos, was not to bring those sites down but to eat up bandwidth and drive up their costs. Within days, however, spammers had fought back with DoS attacks of their own against Lycos, and the company pulled the plug on its anti-spam scheme.

Then, in the summer of 2005, an Israeli startup called Blue Security announced its own fight-fire-with-fire strategy: The company monitored and analyzed the spam e-mail received by users of its BlueFrog client, followed links to the spammers' Web sites, and automatically filled out feedback forms on those sites with requests to be removed from their mailing lists. These opt-out complaints occurred simultaneously, overwhelming the target sites -- and skating awfully close to being DoS attacks.

Anti-spam groups and security firms criticized Blue Security's tactics over a variety of legal and ethical concerns. Nevertheless, Blue Security claimed to have enlisted more than 500,000 users in less than a year. But it all came crashing down when a spammer known as PharmaMaster sent threatening e-mails to BlueFrog users and launched a DoS attack against Blue Security.

The startup inadvertently made matters worse by redirecting all Web traffic from its company home page to its TypePad blog. The DoS attacks followed right along, bringing down not only Blue Security's blog, but millions of others hosted by TypePad and LiveJournal. Not long after, Blue Security threw in the towel and shut down operations.

-- Valerie Potter

Taking On Phishing
One of Microsoft's latest tactics to tackle spam, particularly phishing attacks, is Sender ID, an authentication technology protocol that validates the origin of e-mail by verifying the IP address of the server sending the message against a registered list of servers that the domain owner has authorized to send e-mail. The ISP or recipient's mail server automatically performs the verification before delivering messages.

The State Of Spam