Spambusters: war on unsolicited email

Although it lacks the headline impact of the various forms of nakedly malicious cyber crime such as hacking, phishing, identity theft, worms, viruses and denial of service attacks, spam is fast changing its status from that of on-line nuisance to major global menace.

Figures for the corporate costs of dealing with the consequences of spam - defined by the UK-headquartered anti-spam organisation The Spamhaus Project as 'unsolicited bulk e-mail' - vary quite widely but an estimate of US$50 billion in 2005 (excluding opportunity costs, from Ferris Research) and a projection of US$198 billion next year (from The Radicati Group) are often quoted. With these levels of waste it's small wonder that the war against spammers is about to be prosecuted much more savagely.

Fade away? Dream on...

One idea that recently achieved some currency was that spam was in decline. Dream on, say the experts.

In November US provider of on-demand integrated message management services Postini announced that it had processed nearly 70 billion e-mail connections from September to November, and saw a 59% spike in spam over that period. Postini reckons that unwanted e-mail currently accounts for 91% of all e-mail, and that over the 12 months prior to November the daily volume of spam rose by 120%. 'This dramatic rise in spam attacks on corporate networks has the Internet under a state of siege,' said Daniel Druker, executive vice president of marketing at Postini.

'Spammers are increasingly aggressive and sophisticated in their techniques, and protection from spam has become a front-burner issue again. Spam has evolved from a tool for nuisance hackers and annoying marketeers to one for criminal enterprises.'

And if the experience of John R Levine, president of Internet consulting firm Taughannock Networks and co-chair of the Internet Research Task Force's Anti-Spam Research Group, is anything to go by, the spam problem actually just got twice as bad. 'You may have read reports that the total amount of spam is on the decline. Don't believe them. In the month of October, I saw the amount of spam in my traps here roughly double, from about 50,000 per day to 100,000 per day now,' writes Levine on the Taughannock Networks website. 'In conversations with managers at both ISPs and corporate networks, I'm hearing the same thing. One corporate network has gone from about 12 million spam rejects a month in June and July to 28 million in October. The very large mail systems don't publish their numbers, but they tell me informally they're seeing the same thing.'

Levine says that no-one seems to know why the increase is taking place, but offers the thought that perhaps there's a new generation of zombies, so numerous that price has dropped and spammers can buy twice as many of them.

Return of the zombies

Zombies are indeed the main generators of unsolicited e-mails according to IT security firm Sophos which has recently published a 'dirty dozen' chart of spamming countries for the July to September 2006 period (these are, with respective percentages: USA 21.6%; China (including Hong Kong) 13.4%; France 6.3%; South Korea 6.3%; Spain 5.8%; Poland 4.8%; Brazil 4.7%; Italy 4.3%; Germany 3.0%; Taiwan 2.0%; Israel 1.8%; and Japan 1.7%; other 24.3%).

'Most unsolicited emails are now sent from zombie PCs - computers infected with Trojans, worms and viruses that turn them into spam-spewing bots. In the past hackers were very reliant on operating system vulnerabilities to convert an innocent computer into a zombie - now they are turning back to malware to trick users into running their malicious code, and opening the backdoor to hackers,' according to Carole Theriault, senior security consultant at Sophos.

'Hundreds of new versions of the Stratio worm have helped steadily increase the volume of spam seen travelling across the net.'

Filtering is one of the main technologically-based defences against spam. It can take various forms: accepting mail from known sources and refusing it from unknown sources, blacklisting, excluding e-mail on the basis of keywords or phrases in the message subject or body, quarantining suspect e-mails, selection on the basis of user-defined preferences, and scoring based on a number of message characteristics. The drawback to filtering is that it has the potential to stop unsolicited but legitimate e-mail (apparently sometimes called 'ham').

An alternative approach, as proposed by New Millennium Solutions Pty Limited in its TotalBlock solution, is challenge-response. This requires first-time senders not on a known list of legitimate correspondents to identify themselves as human in order to send mail to any recipient. Once a sender is authorised, he or she isn't required to repeat the identify-authorise process unless they change their e-mail, domain or IP address.

In the picture

However technological ingenuity is clearly not the sole preserve of the righteous. In practice it's often the case that interaction between the bad guys and the good guys is on a leader-follower basis. Thus, for example, Sophos reckons spammers now rely more on images to bypass filters. The company says that the use of spam containing embedded images continued to rise in Q3 2006, and by November accounted for nearly 40% of all spam, the vast majority being used by pump-and-dump stock spam campaigns. Sophos says this trick gives spammers a better chance of having their messages read, since images can avoid detection by those anti-spam filters that can only analyse textual content. Often, image spam is animated to further help the message bypass the filter. Having multiple layers of images loaded on top of each other adds 'noise', which complicates the message by making every one unique.

One response to this new challenge was announced by messaging security, privacy and compliance solutions vendor BorderWare Technologies in November. The patent-pending Intercept™ Image Analysis technology is specifically designed to detect and block image spam by analysing image attachments found within an e-mail message to derive an accurate characterisation of the message. This new analysis acts as additional input to the overall BorderWare classification of a mail message by tracking 30 pieces of information about an image to identify it as spam. 'As the spammers think up new ways to threaten email systems, it's critical that we remain one step ahead of them,' said BorderWare CEO Tim Leisman. In this case, though, the problem obviously preceded the solution. And what comes after image spam remains to be seen (no pun intended), but it's a racing certainty that something, somewhere is presently being cooked up to circumvent enterprise and personal spam defences in new ways.

Name, shame and release the legal eagles

Technology aside, naming and, hopefully, shaming is another weapon in the war against spam. This is part of what The Spamhaus Project is all about.

Spamhaus says that 80% of spam received by Internet users in North America and Europe can be traced via aliases and addresses, re-directs, hosting locations of sites and domains, to a hard-core group of around 200 known spam operations ('spam gangs'), almost all of whom it lists on its Register of Known Spam Operations (ROKSO) database. The organisation also publishes a top ten list of the alleged worst Internet Service Providers (ISPs) in terms of failure to curtail the activities of spammers, and a top ten list of alleged worst spammers.

As Spamhaus has noted, successful legal challenges to spammers are on the increase. Spamhaus lists four successful US actions - one state and three brought under the federal CAN-SPAM Act of 2003 (S.877/HR 2214) - in September 2006. Elsewhere the Australian Communications and Media Authority in October welcomed the decision of Justice Nicholson in the Federal Court in Perth to award a pecuniary penalty of A$4.5 million against Clarity1 Pty Ltd and A$1 million against its managing director, Wayne Mansfield, for contravening the Spam Act 2003 (Spam Act). ACMA's prosecution of Clarity1 was the first prosecution under the Spam Act.

The background to the Australian action was that on 13 April 2006, Justice Nicholson found that both Clarity1 and Mansfield were in breach of the Act for both sending unsolicited commercial electronic messages, and for using harvested address lists. Among other matters, ACMA submitted to the Federal Court that Clarity1 Pty Ltd and Mansfield sent out at least 231 million commercial e-mails in twelve months after the Spam Act 2003 commenced in April 2004, with most of these messages unsolicited and in breach of the Act.

'ACMA's action in this case underscores its vigilant approach to the enforcement of the Spam Act and combating spam,' said ACMA chairman Chris Chapman. 'Spam causes significant inconvenience to individuals and businesses: disrupts e-mail delivery, clogs up computer systems, reduces productivity, wastes time, irritates users and raises the cost of Internet access fees.'

'This judgment provides a strong warning to Australian spammers that contraventions of the Spam Act can result in substantial penalties being awarded against individuals and organisations,' continued Chapman. 'ACMA has previously demonstrated its determination to pursue important matters vigorously, a determination that will be a key attribute in its continuing success across its broad regulatory responsibilities.'

But on a less positive note, Spamhaus reports that although Microsoft Corporation won in the British courts what could be the largest award against a spammer in Europe thus far, rather than invoke the weak British anti-spam legislation, the software giant sued for breach of the terms and conditions of Microsoft's free Hotmail service. Those terms explicitly prohibit the delivery of spam to Hotmail users. Award of the damages - the sum of ‾5,000 - was announced in September 2006.

At the same time Spamhaus judges the US CAN-SPAM Act of 2003 to be flawed because, contends the spam buster, the act attempts to regulate rather than ban the practice of spamming.

ISPs in the firing line?

For the future the suggestion is being made in some quarters that ISPs should be held legally responsible for the actions of spammers operating on their networks. Such a measure would not be easy to implement, and would likely be vigorously resisted by the ISPs themselves. Still, if spam is to be prevented from causing the Internet to grind to a halt, some radical form of remedy is in order.