Build a better spam trap and ... spam multiplies

By Thomas Crampton International Herald Tribune TUESDAY, JANUARY 24, 2006

PARIS Watch what you say at Davos. During a late-night session of the World 
Economic Forum in 2004, Bill Gates said the Internet spam problem would be 
solved within two years.

"We all maybe cringed a little bit when Bill made that statement," said Ryan 
Hamlin, who heads anti-spam activities for Microsoft as general manager for 
Technology Care and Safety. "But one great thing about Bill's statement was 
the call to action for the industry to work on it."

The statement did cause a great deal of excitement at the time, and Hamlin - 
perhaps not surprisingly - argues that Gates was correct. "I won't say spam 
is dead, but we can say spam is contained," Hamlin said. "If you use the 
latest anti-spam technologies and educate yourself on how to use them, you 
should not have a problem."

Not everyone agrees. Many e-mail users would argue that spam is still going 
strong, and some spam fighters even warn that the number of unsolicited 
e-mails is on the increase. What is more, a fundamental shift is under way 
in the world of cybercrime toward using spam to make specific organizations 
targets for extortion, a report from International Business Machines that 
was released Monday warned.

"I would go so far as to say that, not only is Microsoft wrong about the 
reduction of spam, but they are actually part of the problem," said Richard 
Cox, chief information officer of the Spamhaus Project, a self-financed 
group in London that distributes free data to combat spam. "Microsoft could, 
for example, more aggressively attack spammers operating off Microsoft-owned 
Hotmail accounts."

Spamhaus estimates that the total amount of spam on the Internet has more 
than doubled since Gates made his statement two years ago, and Cox added 
that any measure of spam reaching a user's desktop misses the point. "Even 
when spam doesn't get to your inbox, it uses up bandwidth," Cox said. "The 
necessary increased filtering also risks blocking genuine e-mails."

The unwanted commercial messages circulating on the Internet far outnumber 
legitimate e-mails. Outblaze, a company that manages more than 40 million 
e-mail accounts around the world, calculated a ratio of more than 14 spam 
messages to each genuine message when the company took a snapshot of more 
than 1.4 million messages received during a single minute late last year.

"It used to be that when you built a better mousetrap, the world beat a path 
to your door," said Suresh Ramasubramanian, a spam fighter for Outblaze. 
"With spam, I find that when I build a better mousetrap, the mouse just gets 
smarter." One dangerous new development, Ramasubramanian said, is the 
proliferation of spam carrying automated programs that install themselves on 
computers without the knowledge of the users.

Once in place, the hidden programs, known variously as worms, viruses or 
simply "malware," harness the computer's processing power and bandwidth to 
send out spam in a highly automated and decentralized way, without the 
user's knowledge. Such programs sometimes also steal personal data and 
e-mail addresses.

"Spammers now have zombie armies of networked computers that can send out 
spam messages from thousands of computers at the same time," Ramasubramanian 
said. "This started with the SoBig worm in 2003 and brought an industrial 
revolution to spamming."

The IBM security report warned that malware over the past year has become 
more potent and dangerous.

The Organization of Economic Cooperation and Development also has warned 
that spam tactics are becoming more criminal.

"Some feel the perception of spam as an annoyance has decreased because of 
filters and because people are getting used to it," said Claudia Sarrocco, a 
policy analyst at the organization's Information Computing and 
Communications Policy division. "But the bad news is that spam is changing 
from an annoyance into something actually very dangerous."

Spam began as a relatively harmless means of commercial promotion. The very 
first spam message, it is generally agreed, was sent by a marketing 
representative of the DEC computer company on May 3, 1978, over the Arpanet, 
a computer network that preceded the Internet.

The message, urging Arpanet users on the West coast of the United States to 
attend a DEC product presentation, prompted a predictably angry response, 
with one user even hinting legal action or sanctions.

In the past few years, however, spam has entered a more criminal phase, and 
new words like "phishing" and "spearphishing" have been invented to describe 
the evolution.

"Spam has shifted from basement amateurs to hard core criminal enterprises," 
Sarrocco said. "True criminals have started getting into the spam game."

In a phishing scam, an e-mail request for passwords, credit card numbers or 
other personal information seems to come from a bank, government official or 
network administrator. To enhance credibility, phishing e-mails often link 
back to Web sites that closely resemble real Web sites.

The IBM study released on Monday reported that in 2005 phishing represented 
an average of one in every 304 e-mails, up from one in every 943 the 
previous year.

The report added that phishing or spearphishing against specific targets was 
on the rise. Spearphishers attack a company or a specific group of users to 
make the request for information seem n more legitimate.

"This is a very powerful new technique and very worrying," Sarrocco said. 
"Spearphishing can be used effectively for industrial espionage or identity 
theft on a grand scale." Such techniques are particularly pernicious, 
Sarrocco said, because they undermine confidence in e- commerce.

"Threats to Internet security diminish trust and slow economic development," 
Sarrocco said. "We view this as a real risk to confidence in the Internet 
and something we need to urgently combat."

Fighting spam, Sarrocco and others spam fighters said, requires educating 
the public, further technical innovation and the creation and enforcement of 
anti-spam laws.

Legal approaches to fighting spam already have had effects in some parts of 
the world, Sarrocco said.

In Europe, for example, the law requires a company have explicit permission 
to send an unsolicited commercial message to a user. By contrast, in the 
United States and most other parts of the world, laws require only that 
companies offer a way for users to request to be taken off mailing lists.

Another twist to spam is that users in developing countries tend to suffer 
disproportionally from unwanted messages.

"Internet Service Providers in developing countries often have no idea how 
to stop spam effectively," said Ramasubramanian of Outblaze. "They put up 
basic filter software, but fail to actively manage the system." Active 
management is necessary, Ramasubramanian said, because the styles of spam 
and spam delivery evolve so rapidly.

"The basic filter will stop 70 or even 80 percent of spam, but that 20 
percent that gets through is a significant and growing amount," 
Ramasubramanian said. "Spam is like cockroaches: You stamp on one, another 
10 appear out of a different crack in the wall."



Copyright © 2006 The International Herald Tribune | www.iht.com 


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://listserv.icors.org/archives/vicug-l.html