Has the 'SpamThru' Trojan Doubled Spam or Not?

And if so, is the truth actually worse than the headlines?
Screaming headlines in the past few days have proclaimed that unsolicited bulk e-mail -- known universally as spam -- has broken all known records. But is this really the case, or does it just seem like it?

"Spam Doubles," proclaimed the New York Times in an article on Dec. 6 (free registration required).

Much of the blame is laid on a Trojan horse named "SpamThru" that has taken over approximately 73,000 PCs, according to a recent eWeek analysis. The robotic network of computers, reportedly directed by Russian hackers, silently pumps out millions of spam e-mails a day.

There's no question that new spam techniques are sneaking a lot of spam through filtering systems that previously were fairly effective. But has the volume of spam actually doubled?

How Fast Is It Doubling?

Of course, any business that's growing at a steady rate will double eventually, so I could write headlines such as, "Fast Food Consumption Doubles!" and I'd be 100 percent correct, if I didn't provide any time frame.

One antispam expert believes that SpamThru hasn't actually doubled the volume of spam. Instead, he says the Trojan bot network of so-called zombie PCs has proven itself to be twice as effective as other spam at getting through filters. That's actually a much scarier fact than the headlines have made clear.

The Degree of Control That Spammers Now Have

Richi Jennings is a London-based analyst for Ferris Research, which publishes reports on corporate messaging from its headquarters in San Francisco. "More spam is reaching the inbox," he says, "so naive commentators wrongly assume that a doubling of spam in the inbox equals a doubling of spam on the Internet."

His company's research indicates:

Spam increased up to 20 percent in the 4th quarter of 2006 to date, compared with the average from the first three quarters of the year. But the spam that actually made it into people's inboxes increased 100 percent in the same time frame.

Spam messages that use images to convey content are circumventing filters. "New botnets are employing content-morphing tricks that are fooling many vendors' content filters," Jennings says, "so more spam reaches the inbox." These tricks include varying the size of the images a slight amount in different spams. As a result, the messages don't have identical signatures that filters can learn to catch.

More images mean more bytes. "The image-spam messages tend to be about 10 times bigger than 'normal' messages," according to Jennings. That means a median size of about 30 KB for the image-bearing spams compared with 3 KB for legitimate e-mails. "So spam volumes are now much higher in terms of bits on the wire."

"Greylisting" is being defeated by the bots. Legitimate mail servers comply with requests from other servers to wait a few minutes before sending anything again. White-hat mail administrators use this fact as a defensive technique known as "greylisting": the receiving server temporarily rejects the first delivery attempt from an unknown sender and accepts only the retry. Spamming software used to give up immediately, moving on to the next target rather than pausing. The spammers have now hijacked so many computers that they can afford to obey wait requests, just like normal servers, Jennings explains.
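To make the greylisting mechanism concrete, here is an added illustration, not code from the column or from any product Jennings refers to: a minimal greylist keyed on the (client IP, sender, recipient) triplet that temporarily rejects a first contact and accepts a retry only after a minimum wait. The addresses, timings and scenario are constructed. It also shows why the defense fails against a patient bot: the retry path is identical for a legitimate mail server and a zombie that simply waits.

```python
import time

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"   # SMTP temporary failure
ACCEPT = "250 OK"
MIN_DELAY = 300        # seconds a sender must wait before its retry is accepted
MAX_AGE = 4 * 3600     # a triplet never retried within this window is forgotten


class Greylist:
    """In-memory greylist, as a receiving MTA plug-in would keep it (constructed example)."""

    def __init__(self, min_delay=MIN_DELAY, max_age=MAX_AGE):
        self.min_delay = min_delay
        self.max_age = max_age
        self.pending = {}       # triplet -> time of first delivery attempt
        self.passed = set()     # triplets that completed a proper retry

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return the SMTP reply the receiving server would send for this attempt."""
        now = time.time() if now is None else now
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return ACCEPT                       # already proven to retry like a real MTA
        first = self.pending.get(key)
        if first is None or now - first > self.max_age:
            self.pending[key] = now             # first sight (or stale entry): defer
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                     # retried too eagerly, keep deferring
        self.passed.add(key)                    # waited long enough: behaves like an MTA
        del self.pending[key]
        return ACCEPT


def simulate():
    """Constructed scenario: a fire-and-forget bot versus a sender that retries.
    Both a legitimate server and a patient zombie take the 'patient' path."""
    g = Greylist()
    bot = ("198.51.100.7", "promo@example.com", "victim@example.net")
    patient = ("203.0.113.5", "news@example.org", "victim@example.net")
    return {
        "bot_first_try": g.check(*bot, now=0),             # deferred, never comes back
        "patient_first_try": g.check(*patient, now=0),     # deferred
        "patient_retry_too_soon": g.check(*patient, now=30),
        "patient_retry_after_wait": g.check(*patient, now=600),
        "patient_next_message": g.check(*patient, now=900),  # triplet now whitelisted
    }
```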

Spammers have cracked major sources of e-mail addresses. To optimize one of their scams -- a "pump and dump" scheme that manipulates penny stocks -- the SpamThru hackers have reportedly broken into several databases of people who can trade equities. "I know of several occurrences of this with brokerages and financial websites recently," Jennings states, declining to name any. "It seems that some organizations aren't savvy to the risk of these subscriber databases being pilfered."

The numbers favor the spammers. The size that the bot networks have grown to is making them much harder to root out. The hackers behind the bots, Jennings says, "can send fewer messages per zombie, because the network is bigger, so they stay under the radar longer." Antispam blocklists have a harder time identifying and banning these individual PCs, which are the source of the spam.

Not everyone agrees with Ferris Research's point of view. Postini Inc., a major antispam service provider, for example, announced last month that spam rose 59 percent in the past two months and 120 percent compared with one year ago. Jennings explains that he trusts the statistics he gets from other sources, such as Commtouch and MessageLabs.

Say Thank-You While Spammers Steal From You

Whatever the actual statistics are, it's clear that spammers are making headway on their profitable activities. They may already have gained enough resources to defeat white-hat defenses permanently.

A notorious U.S.-based spammer, Jeremy Jaynes, was convicted of spamming by a Virginia court in November 2004 and sentenced to nine years in prison. (The decision was upheld in September and prosecutors are pressing for the jail time to begin immediately, according to antispam organization Spamhaus.) Testimony during the trial showed that Jaynes sent millions of spams a day, netting $350,000 to $700,000 a month after bandwidth charges, despite the fact that only 1 in 30,000 recipients purchased anything, according to Spamfo, an information site.

With that kind of money at stake, it's not hard to see why spammers are outstripping the ability of white hats to stop them.

Regarding the penny stocks that the SpamThru group likes to promote, researchers Jonathan Zittrain and Laura Frieder reported in July that a great deal of cash can be made. Spammers who buy such thinly traded stocks -- which they then promote in millions of spams -- can make 5.79 percent returns in a single day, the study found. The suckers who buy the touted stocks lose an average of approximately 5.5 percent within two days, before paying brokerage fees. Repeat that process over many weeks and you're talking real profits.

Ending the Scourge of Spam

A big part of the spam problem is the fact that the United States, unlike jurisdictions such as the European Union and Australia, has not made spamming a serious crime. The so-called Can-Spam Act, passed by Congress in 2003, actually makes sending spam perfectly legal, as long as it bears some street address and links to an unsubscribe process (which is bogus, in the case of most spam).

The Direct Marketing Association of the U.S., an association that claims 54 of the Fortune 100 as members, lobbied strongly in 2003 for such weak legislation. It's now obvious that the law is a failure.

Having a tough U.S. law wouldn't magically eliminate spam by itself. But trying to stop shadowy, profitable activities is almost impossible if they aren't illegal. Only the existence of a Virginia law with real teeth tripped up Jeremy Jaynes. A strong U.S. law could go a long way towards catching even more spammers.

About 66 percent of the 123 top spammers -- who reportedly send 80 percent of all spam worldwide -- are based in the U.S., according to a listing maintained by Spamhaus. And once spamming is recognized for the massive criminal operation that it is, it's not impossible for countries to apprehend violators, no matter what part of the world they may operate in.

In this instance, unfortunately, weak laws in the U.S. are allowing a bad problem to become much, much worse.

Time for an Executive Break

The Executive Tech column is off for the holidays from Dec. 19, 2006, through Jan. 9, 2007. The next installment will appear on Jan. 17, when the column switches to publication on Wednesdays. Have a joyous season.