The onslaught of spam (and the viruses and spyware that it often carries with it) is turning a significant number of people away from the Internet. In a survey of U.S. consumers conducted by Osterman Research from Jan. 18 to 20, more than one-third (34%) said spam, spyware and related problems had reduced their use of e-mail or the Internet "a bit," with another 10% saying they'd reduced their use "a great deal."
According to the research firm's president, Michael Osterman, mail-monitoring companies say 88% of all e-mail in 2004 was spam. And estimates indicate that the figure will reach 92% in 2005. Hmm, does that mean we'll hit 100% by 2007?
But there may be some good news. Antispam experts attending a recent conference expressed some optimism that they may finally have some tools to dramatically reduce spam, if not eliminate it.
The event was the second annual "Spam and the Law Conference," held Jan. 28 at a hotel near the San Francisco Airport. The roster of speakers included representatives of some of the biggest names in the spam wars:
• Lisa Rosenthal, an attorney with the U.S. Federal Trade Commission, which she said had filed more than 60 lawsuits against spammers since 1997 — three of them since the so-called CAN SPAM Act went into effect Jan. 1, 2004;
• Michael Grow, chair of the technology department of the Washington, D.C., law firm Arent Fox Kintner Plotkin & Kahn, who is credited with helping AOL convict notorious "spam king" Sanford Wallace in 1996;
• Aaron Kornblum, an attorney for Microsoft Corp., which he said has filed more than 120 lawsuits since 2003, reaping $306 million in legal judgments (although Kornblum acknowledged that an "insignificant amount" of that has actually been collected from the elusive spammers).
Much of the conference focused on the same legal approaches to fighting spam that have been employed for years. But two aspects of the spam problem seem to lend themselves to new defenses, which may be more effective.
Catching Spammers in Four-Tenths of a Second
Matthew Prince, a cofounder of Unspam LLC, an antispam consulting service based in Chicago, described recent advances that he believes can identify spammers much more quickly than ever before.
Unspam, which I reported on in this space on Nov. 30, has massively expanded Project Honeypot, its program that generates unique, one-time e-mail addresses on Web pages around the globe. Spammers use harvesting software to collect addresses from pages at random. When an Unspam address is harvested, the organization makes a record to use against the spammer.
At the end of November, Unspam had planted only about 4,000 decoy addresses on the Internet. Since that time, however, the effort has exploded, growing to more than 32,000 addresses, according to a counter on the organization's home page.
Prince says his organization's servers are capable of notifying Internet services providers (ISPs) and others within 0.4 seconds of a decoy address receiving a message. Such a transmission could only have come from a spammer, since the address in question never signed up for any legitimate e-mail lists.
Unspam's online blocklist, known as HTTP:BL, will become available in spring 2005, Prince says. The list can be used by ISPs to disable accounts as soon as it's clear they're being used for spamming, Prince says.
Although many antispam experts have criticized the U.S. CAN SPAM Act as too weak, Prince notes that the act includes an absolute prohibition against two techniques spammers depend upon to acquire addresses in the first place. These are harvesting attacks, as described above, and dictionary attacks, in which spammers send messages to random addresses to learn which ones are active.
By linking pieces of spam to their original harvesting attacks, Prince argues, withering technical and legal measures can be brought to bear against spammers. CAN SPAM allows ISPs to sue spammers, with damages ranging up to millions of dollars and jail terms up to five years.
Make Sure Your Address Isn't in the Dictionary
A major change in the nature of spam, however, is making dictionary attacks more common than harvesting attacks, according to Andrew Oakley, technical architect for MessageLabs, a respected mail monitoring service based in London.
He reports that since more homes have broadband access and more home computers are left on all the time spammers now have access to far greater bandwidth with which to send spam. About 80% of today's spam emanates from home computers that've been infected with "zombie" software controlled by spammers.
As a result, Oakley says, many spammers no longer bother to harvest addresses from Web pages. Instead, they have enough raw horsepower to simply send spam to every name that might appear on the left-hand side of the "at" sign (@) of a major company's domain.
One company that recently asked MessageLabs for help, Oakley said, was receiving 30 million spam messages a day. That number dropped to a more manageable 100,000 a day when the company — which Oakley would identify only as a teen-lifestyle site — started filtering out mail to nonexistent addresses. The spammers were using a list of some 6,000 common names, 200 of which happened to match real e-mail addresses at the company, which used each employee's first name to form the addresses.
This kind of attack can be deflected, Oakley says, by configuring your mail servers to drop connections from senders who mail to a lot of addresses that don't exist. You should also make sure your e-mail addresses contain punctuation marks and don't include names and words that can be found in a dictionary.
The Race Goes To The Swift
Anne Mitchell, president of the Institute for Spam and Internet Public Policy (ISIPP) and sponsor of the conference, feels the problem of spam is not a hopeless one.
"I don't think anyone enters this room with a single plan to end spam," she says. "People know it has to be a multi-pronged approach." The solution to spam, Mitchell says, will be a combination of technology, legislation and education.
She points out that, although spam volume is increasing, she's seen anecdotal evidence that corporate workers are seeing less and less spam as filters become more effective and widely used. That doesn't keep spam from being sent in the first place — the senders are generating more mail just to penetrate the filters, Mitchell says — but it may be the beginning of the end of spam.
For more information on the ISIPP and the next antispam conference, see ISIPP.com.