Stemming the tide of spam

14 Jun 2007

Three years ago Bill Gates predicted the spam problem would be solved by 2006. Now it’s worse than ever. How did he get it so badly wrong?

As forecasts go, it proved about as accurate as the apocryphal quote of a former IBM chairman who once famously foresaw a worldwide market for five computers.

At the start of 2004 Microsoft founder Bill Gates (pictured) addressed the World Economic Forum in Davos, declaring the problem of unsolicited bulk email, or spam, would be solved within two years.

To say he got it wrong would be an understatement.

In the time since his prediction rates of spam worldwide have increased massively.

Six months after Gates spoke, the ratio of spam in worldwide email traffic peaked at 94.5pc, as measured by MessageLabs.

Globally and locally, since 2004 the trend has been the same with the graph moving relentlessly upwards. For Irish businesses, the problem has become just as acute.

According to data from IE Internet, which tracks spam and virus activity every month, 64pc of the total amount of email coming into Ireland during May was spam.

Another example is starker still. Trinity College Dublin recently tested a new email service from Microsoft. Over the course of 20 days, 12.1 million emails were sent to addresses in its domain and of that number, 11.1 million messages or 92pc of all incoming email traffic was identified as spam.

These figures don’t always correspond to the amount of junk email that ends up in people’s inboxes. This is usually filtered along the way and some is discarded before the user has to open it.

Nonetheless, spam still carries a cost measurable in terms of lost productivity and having to throw technology at the problem.

It takes employees time to open an email, read it, identify it as spam and delete it. Setting up electronic filters to trap spam before it reaches users carries a financial overhead.

But as anti-spam technology improves, spammers simply change their tactics, using different techniques to avoid being caught by email filtering systems.

“We have a cold war situation where each side is upping the ante each time,” says Ken O’Driscoll, technical director with IE Internet.

Jason Steer, EMEA (Europe, Middle East and Africa) product manager with Ironport, adds that many spammers react by sending out even more emails, only adding to the volume of junk email.

“It’s purely a numbers game. Spammers need to deliver a certain number of messages,” he explains.

“If they send 20 million, 90pc of them get deleted but 10pc get through to a mailbox. Then, 1pc of that gets read and then 1pc of those that read it click through and buy.”

The reason Gates’ prediction was incorrect, says Steer, is because spam isn’t just a technology problem.

Amazing as it may seem to any of us who have deleted a poorly spelled email promoting Viagra, some people actually want to buy what spammers are peddling.

“Spam is selling a product. It’s a market fuelled by people who make purchases this way,” he points out.

There is some hope at hand.

Last month the Internet Engineering Task Force, an independent standards body, granted preliminary approval to a technology called DomainKeys Identified Mail (DKIM).

Many in the industry believe this could be a significant step to detect and block spam emails as it uses digital signatures to verify the sender.

“Internet mail as we have it today has a design constraint – there’s a lack of ability to validate the identity of who’s sending the email,” says Craig Spiezle, director of online safety technologies with Microsoft.

Until now, spammers have taken advantage of that weakness by faking the address, making it appear as if their messages are legitimate. Crucially, DKIM would remove spammers’ ability to do this.

The initiative has the backing of internet heavyweights like Yahoo! and Cisco but there are alternative technologies such as Microsoft’s Sender ID.

According to Spiezle, competing authentication systems can work together and some internet service providers run them in tandem.

It’s apparently having some success. Although spam rates are up by 40pc this year alone, Microsoft’s Hotmail service has used Sender ID to decrease the volume of junk email arriving in users’ inboxes by 50pc, Spiezle claims.

Although there are benefits to technologies like Sender ID and DKIM, there are limitations. Both the sender’s and recipient’s email servers must comply with the standard in order for it to work.

Spiezle acknowledges some of the shortcomings of this approach. “Email authentication is not the silver bullet,” he says.

O’Driscoll argues that older ways like blacklisting addresses of known spammers are more effective.

He also questions whether email sent from a mobile device would be incorrectly classed as spam by an authentication system.

It’s a legitimate concern as more and more people start using devices like the BlackBerry and smart phones to pick up their email on the move.

Another possible option for verifying email is to assign the sender a score based on their reputation. Not only is their identity independently verified but they are validated as having no history of sending spam.

In the same way that a driver’s licence and driving record are separate documents, Spiezle says that this is distinct from authentication.

Email from addresses that have a poor reputation score would be flagged as spam. Microsoft, Google and other internet service providers use various versions of reputation scoring.

“I do expect in the near future to see some reputation data in anti-spam solutions from third parties,” says Spiezle.

O’Driscoll doesn’t believe that technology can eradicate spam by itself. “You can’t use technology alone to solve a problem that is essentially an industry worth billions a year,” he says.

It’s not just a typical case of supply and demand, however, because spammers routinely hijack other computers to send email for them.

In doing so, spammers also clog up valuable internet bandwidth – leaving others to carry the cost while they make money.

There are other, less technical, ways of tackling the problem. Last month police in the US arrested a man alleged to be one of the world’s biggest spammers, demonstrating a will among the authorities to crack down on spam (see panel).

Steer is downbeat in his assessment of the situation. He suggests it’s a problem that will at best be controlled rather than eliminated in the short term. “It’s down to the consumer. If people continue to buy, spam will continue to plague us. Spam will be around for a long time, I suspect.”

Spam king dethroned

The arrest of so-called ‘spam king’ Robert Soloway in late May is unlikely to bring much respite in the war on spam.

In the days following his capture, some IT security providers pounced on the news and claimed to have seen a falloff in the rate of junk email.

In reality, that’s likely to be short-lived and others will take his place, many experts believe.

Police in Seattle, Washington, arrested 27-year-old Soloway, after he was indicted on charges of mail fraud, identity theft and money laundering.

Soloway allegedly used a large network of zombie computers to send millions of spam email messages.

Zombies are legitimate machines that have been hijacked and are used to send out large volumes of spam without the owner’s consent.

Soloway has pleaded not guilty to all the charges. If convicted of all the charges, he could face a sentence of up to 65 years in prison.

Anti-spam activists hope the severity of the sentence may act as a deterrent to other would-be spammers.

Reports differ as to how much money Soloway is said to have made from his alleged spamming, with estimates ranging between US$730,000 and US$1.6m.

“An arrest of a single suspected spammer is unlikely to relieve the pressure on the typical person’s email inbox but does send out a clear message that the authorities are serious about pursuing those who send out junk email,” commented Graham Cluley, senior technology consultant for the security software company Sophos.

Top five ways to reduce your spam levels

1 Don’t publish your staff’s email addresses on the web – this is how spammers gather their mailing lists
2 Don’t ever click on a link in spam to see if it’s genuine – this could take you to a website running malicious software
3 Encourage staff not to use work email addresses to register for competitions or newsletters over the internet
4 Make sure your network uses the latest anti-spam technology and that every PC is running it too
5 Never reply to a spam email or try to unsubscribe from it – you’ll only prove that your address is genuine and receive more spam in the process

By Gordon Smith