Build a better spam trap and ... spam multiplies
By Thomas Crampton, International Herald Tribune
Tuesday, January 24, 2006
PARIS - Watch what you say at Davos. During a late-night session of the World
Economic Forum in 2004, Bill Gates said the Internet spam problem would be
solved within two years.
"We all maybe cringed a little bit when Bill made that statement," said Ryan
Hamlin, who heads anti-spam activities for Microsoft as general manager for
Technology Care and Safety. "But one great thing about Bill's statement was
the call to action for the industry to work on it."
The statement did cause a great deal of excitement at the time, and Hamlin -
perhaps not surprisingly - argues that Gates was correct. "I won't say spam
is dead, but we can say spam is contained," Hamlin said. "If you use the
latest anti-spam technologies and educate yourself on how to use them, you
should not have a problem."
Not everyone agrees. Many e-mail users would argue that spam is still going
strong, and some spam fighters even warn that the number of unsolicited
e-mails is on the increase. What is more, a fundamental shift is under way
in the world of cybercrime toward using spam to make specific organizations
targets for extortion, a report from International Business Machines that
was released Monday warned.
"I would go so far as to say that, not only is Microsoft wrong about the
reduction of spam, but they are actually part of the problem," said Richard
Cox, chief information officer of the Spamhaus Project, a self-financed
group in London that distributes free data to combat spam. "Microsoft could,
for example, more aggressively attack spammers operating off Microsoft-owned
Hotmail accounts."
Spamhaus estimates that the total amount of spam on the Internet has more
than doubled since Gates made his statement two years ago, and Cox added
that any measure of spam reaching a user's desktop misses the point. "Even
when spam doesn't get to your inbox, it uses up bandwidth," Cox said. "The
necessary increased filtering also risks blocking genuine e-mails."
The unwanted commercial messages circulating on the Internet far outnumber
legitimate e-mails. Outblaze, a company that manages more than 40 million
e-mail accounts around the world, calculated a ratio of more than 14 spam
messages to each genuine message when the company took a snapshot of more
than 1.4 million messages received during a single minute late last year.
"It used to be that when you built a better mousetrap, the world beat a path
to your door," said Suresh Ramasubramanian, a spam fighter for Outblaze.
"With spam, I find that when I build a better mousetrap, the mouse just gets
smarter." One dangerous new development, Ramasubramanian said, is the
proliferation of spam carrying automated programs that install themselves on
computers without the knowledge of the users.
Once in place, the hidden programs, known variously as worms, viruses or
simply "malware," harness the computer's processing power and bandwidth to
send out spam in a highly automated and decentralized way, without the
user's knowledge. Such programs sometimes also steal personal data and
e-mail addresses.
"Spammers now have zombie armies of networked computers that can send out
spam messages from thousands of computers at the same time," Ramasubramanian
said. "This started with the SoBig worm in 2003 and brought an industrial
revolution to spamming."
The IBM security report warned that malware over the past year has become
more potent and dangerous.
The Organization of Economic Cooperation and Development also has warned
that spam tactics are becoming more criminal.
"Some feel the perception of spam as an annoyance has decreased because of
filters and because people are getting used to it," said Claudia Sarrocco, a
policy analyst at the organization's Information Computing and
Communications Policy division. "But the bad news is that spam is changing
from an annoyance into something actually very dangerous."
Spam began as a relatively harmless means of commercial promotion. The very
first spam message, it is generally agreed, was sent by a marketing
representative of the DEC computer company on May 3, 1978, over the Arpanet,
a computer network that preceded the Internet.
The message, urging Arpanet users on the West coast of the United States to
attend a DEC product presentation, prompted a predictably angry response,
with one user even hinting at legal action or sanctions.
In the past few years, however, spam has entered a more criminal phase, and
new words like "phishing" and "spearphishing" have been invented to describe
the evolution.
"Spam has shifted from basement amateurs to hard core criminal enterprises,"
Sarrocco said. "True criminals have started getting into the spam game."
In a phishing scam, an e-mail request for passwords, credit card numbers or
other personal information seems to come from a bank, government official or
network administrator. To enhance credibility, phishing e-mails often link
back to Web sites that closely resemble real Web sites.
The IBM study released on Monday reported that in 2005 phishing represented
an average of one in every 304 e-mails, up from one in every 943 the
previous year.
The report added that phishing or spearphishing against specific targets was
on the rise. Spearphishers attack a company or a specific group of users to
make the request for information seem more legitimate.
"This is a very powerful new technique and very worrying," Sarrocco said.
"Spearphishing can be used effectively for industrial espionage or identity
theft on a grand scale." Such techniques are particularly pernicious,
Sarrocco said, because they undermine confidence in e-commerce.
"Threats to Internet security diminish trust and slow economic development,"
Sarrocco said. "We view this as a real risk to confidence in the Internet
and something we need to urgently combat."
Fighting spam, Sarrocco and other spam fighters said, requires educating
the public, further technical innovation and the creation and enforcement of
anti-spam laws.
Legal approaches to fighting spam already have had effects in some parts of
the world, Sarrocco said.
In Europe, for example, the law requires that a company have explicit permission
to send an unsolicited commercial message to a user. By contrast, in the
United States and most other parts of the world, laws require only that
companies offer a way for users to request to be taken off mailing lists.
Another twist to spam is that users in developing countries tend to suffer
disproportionally from unwanted messages.
"Internet Service Providers in developing countries often have no idea how
to stop spam effectively," said Ramasubramanian of Outblaze. "They put up
basic filter software, but fail to actively manage the system." Active
management is necessary, Ramasubramanian said, because the styles of spam
and spam delivery evolve so rapidly.
"The basic filter will stop 70 or even 80 percent of spam, but that 20
percent that gets through is a significant and growing amount,"
Ramasubramanian said. "Spam is like cockroaches: You stamp on one, another
10 appear out of a different crack in the wall."
Copyright © 2006 The International Herald Tribune | www.iht.com