Feature
posted 19 Dec 2006 in Volume 3 Issue 6
Trend tracker
Spam: The monster that will not die
Three years ago, Microsoft’s Bill Gates promised that the problem of spam would be defeated. Today, it is worse than ever. What’s gone wrong?
By Graeme Burton
There’s always a moment in films like Robocop or Terminator – indeed, any film involving Arnold Schwarzenegger, it seems – in which the ‘monster’, while seemingly on the ropes, simply will not die. No matter how hard he is hit or how many times he has been blasted, he still comes back for more, even if there’s only a twitching hand left amid the carnage.
Spam, it seems, is similarly tenacious: blacklists, heuristic detection, low response rates and even the rapid removal of ‘spamvertised’ websites do not seem to stop the criminals and misguided marketers behind this scourge of modern communications.
Indeed, just a couple of years ago, as law-makers around the world started to pass new laws to outlaw spam, it seemed as if internet service providers (ISPs), law-enforcement authorities and anti-spam activists were finally getting on top of it. Spammers in the US and Europe were taken to court and more and more spam got quietly filtered to trash by automated systems before it could even pollute anyone’s in-tray.
However, 2006 has not only seen a continuing increase in the volume of spam sent, but also a worrying increase in the amount of spam evading capture and finding its way back into the in-trays of more people. The latest trick is for spammers to embed their message in image files, each a little different from the last in every spam they send.
In this way, they are able to evade the detection techniques used by anti-spam software that relies on capturing sample spam in a ‘spam trap’ (an e-mail address deliberately fed to the spammers) and propagating a signature to the anti-spam software to enable it to intercept all further copies of the unwanted e-mail.
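The weakness described above, shown as an added example that is not part of the original article: a byte-exact signature taken from a spam-trap sample misses every slightly altered copy of an image, while a tolerant perceptual hash still matches them. The pixel grids are constructed sample data, and the average-hash method and the distance threshold of 5 are assumptions of this example, not techniques the article names.

```python
import hashlib

SIZE, GRID = 16, 8  # constructed 16x16 greyscale images, hashed on an 8x8 grid

def exact_signature(img):
    """Byte-exact digest, as a spam-trap signature feed would distribute."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img):
    """64-bit perceptual hash: one bit per 2x2 block, set if brighter than the mean."""
    step = SIZE // GRID
    blocks = [sum(img[y][x] for y in range(by * step, (by + 1) * step)
                  for x in range(bx * step, (bx + 1) * step)) / step ** 2
              for by in range(GRID) for bx in range(GRID)]
    mean = sum(blocks) / len(blocks)
    return sum(1 << i for i, b in enumerate(blocks) if b > mean)

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def make_variant(img, k):
    """Constructed stand-in for 'a little different': nudge one row of pixels."""
    out = [row[:] for row in img]
    out[k % SIZE] = [p ^ 0x10 for p in out[k % SIZE]]
    return out

def classify(trap_sample, incoming, max_distance=5):
    """Return (exact_match, fuzzy_match) for an incoming image against the trap sample."""
    exact = exact_signature(trap_sample) == exact_signature(incoming)
    fuzzy = hamming(average_hash(trap_sample), average_hash(incoming)) <= max_distance
    return exact, fuzzy

# Constructed sample data: a checkerboard "spam image" and an unrelated gradient.
TRAPPED = [[255 if (x // 4 + y // 4) % 2 == 0 else 0 for x in range(SIZE)]
           for y in range(SIZE)]
UNRELATED = [[x * 16 for x in range(SIZE)] for _ in range(SIZE)]

if __name__ == "__main__":
    for k in range(3):
        print("variant", k, classify(TRAPPED, make_variant(TRAPPED, k)))
    print("unrelated", classify(TRAPPED, UNRELATED))
```

The threshold trades missed variants against false positives on legitimate images, so it needs tuning against real mail rather than the toy data used here.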
Spam economics
If everyone hates it, why does it keep on coming?
The problem with spam is that the business model is just too compelling. The response rate may well be as low as 0.005 per cent, according to Andrew Leung of Canadian telecoms company Telus – meaning that on average only about five out of every one-million people respond – but even those five stupid people are enough to make it worthwhile. Why? Because spammers’ costs are so low.
In the 1990s, spammers had to pay big money for the bandwidth required to send their messages and pay a premium for ‘bullet-proof’ hosting. Today, they simply scour the internet for compromised PCs and poorly secured servers and use those to send their messages instead. Furthermore, crackdowns in Europe, the US and elsewhere have not solved the problem, but merely moved it to more lackadaisical legal jurisdictions.
Blacklisted
An early method of tackling spam was, quite simply, for an organisation to block e-mails from the internet protocol (IP) addresses from which spam was being sent.
In response, it was not unusual for an otherwise reputable ISP to switch the IP addresses used by the spammer, so anti-spammers often blacklisted entire ranges. One even adopted a policy of blacklisting an increasing range of IP addresses, many of them belonging to legitimate businesses, in order to apply pressure on the ISP to ‘go straight’.
At one point, the entire island of Costa Rica was on several blacklists when the main ISP allowed itself to be infested with spammers. Likewise, South Korea became a spam-haven – and widely blacklisted as a result – when its government connected every school to the internet, but used equipment that allowed open relaying by default. As a result, any spammer could relay their e-mails via South Korea without betraying the spam’s true origins.
Exploiting open relays was one of the first ways in which spammers sought a way round blacklists. When the South Korean government finally patched its equipment after a year or two, the spammers moved into China, exploiting the huge number of similarly misconfigured e-mail servers there.
It took high-level government action – after many complaints and widespread blacklisting – before China’s open relays started to be closed. By then, however, spammers could commandeer entire armies of millions of compromised broadband-connected PCs around the world and use them to send their spam.
Indeed, Spamhaus, the anti-spam blacklisting organisation, claims that a number of spammers are also behind some of the biggest viruses, too.
Furthermore, whereas the top-ten in Spamhaus’s Register of Known Spam Operations (ROKSO) once listed predominantly US-based spammers, today, more than half are based either in Russia or the Ukraine and many are alleged to be involved in such activities as child porn.
At the same time, many of the biggest US-based spammers – such as Alan Ralsky, Sanford Wallace and Scott Richter – have either been run out of town, hammered in high-profile court cases or eclipsed by more prolific rivals in Eastern Europe and China.
And, as long as they send their spam elsewhere, it seems that they are free to continue – even when the spam consists of spamvertising of child pornography websites and other offensive businesses – just as long as they don’t annoy their hosts.
One who did was Vardan Kushnir, who spamvertised his own English language school in Moscow to practically everyone in Russia with an e-mail address (and several million beyond). He was brutally murdered in a bizarre robbery – and most Russian press reports celebrated his death.
Endgame
With so many compromised PCs connected via broadband – consuming vast quantities of bandwidth when the spammers converge on them for their spam runs – some ISPs have started to become more proactive. TeliaSonera in Scandinavia, for example, blocks all traffic to and from computers hosted on its network identified as sources of spam. Unable to send or receive traffic, the users are forced to take action. Plusnet in the UK already blocks several ports widely used by some of the most common Trojans, such as NetBus.
Unfortunately, short of physically hunting down the spammers and subjecting them to ‘rendition’ or expecting the jurisdictions in which they operate to crack down, this will probably be the way forward for the foreseeable future.
And, hopefully, the new security measures in Microsoft’s recently released Windows Vista operating system will also help – although ordinary users can often be relied upon to drive a coach and horses through whatever security measures, however well meaning, may be put in place.
Graeme Burton is managing editor of Enterprise Information. He can be contacted by e-mailing gburton@ark-group.com.


