The spam wars are taking a turn, and right now, the good guys are losing. New legislation, new technology, and draconian anti-spam policies on the part of some Internet service providers are doing nothing to stem the tide of unsolicited e-mail. The stakes are far bigger than you probably imagine: Spammers hold the power to turn the tools of our technological society against us, for their gain and pleasure. And so far, we have been unable to devise technical means to prevent these tools from being misused.
Most foot soldiers in the spam wars are too busy fighting day-to-day skirmishes to have such grandiose thoughts. A handful of coders genuinely believe that this is a battle that they can win with better software and protocols. Others seem to think that this war will be nothing more than a never-ending arms race resulting in greater annoyance but no serious harm.
Some of the greatest spam fighters in the world gathered last month at MIT for the second Spam Conference. The year’s big take-home message was that legislation like the recently passed CAN-SPAM Act of 2003 will not work, in part because more and more spam is originating outside the United States. Indeed, many of the conference’s participants were positively down on the federal anti-spam bill because it nullified many stronger measures that had been passed in states like Washington and California. But even if legislation won’t solve the problem, the hope was that fundamental changes being made to the way that e-mail flows over the Internet might stop the flood of spam, even if those changes have some unfortunate side effects for today’s Internet users.
Most of the technologists at the conference seemed pretty upbeat, as if they thought that the tide was finally turning. I think that this is a false hope; new technology aside, I’m watching a growing alliance between spammers, computer hackers and organized crime. This is a business relationship that bodes poorly for us all.
Years ago, computer security professionals condescendingly dismissed most hackers as “ankle-biters”: annoying kids who deface a Web site here and shut down an e-commerce server there, but who are incapable of jeopardizing the future of network computing. That’s changed. Hackers are now on the spammers’ payrolls. Some have created computer worms and viruses that break into computers and then turn those compromised machines into launching pads for sending out millions of spam messages.
Other hackers have taken to manipulating the fabric of the Internet’s routing system. First they find a set of IP addresses that aren’t in use: for example, addresses belonging to a dot-com company that went bankrupt. Then the hackers break into the router of a medium-sized Internet service provider. They tell the router that the company is back in business and that it should announce to the rest of the Internet that it has the IP addresses. The hackers’ spammer then uses these addresses to send out a few million e-mails. Finally, the hackers tell the router to “drop the announcement,” and the IP addresses vanish once again from the face of the Internet.
These technical advances are having an impact. According to Brightmail, an anti-spam company that claims to filter 15 percent of the e-mail that is delivered on the Internet, spam constitutes 56 percent of all Internet e-mail, up from 40 percent one year ago. But even that depressing statistic underestimates the problem. For while some organizations and individuals get little or no spam, others get a torrent. Like me, for instance.
After the Spam Conference I decided to analyze the log files for my home e-mail server. I have a small domain I run for my personal e-mail. On Saturday, January 26, I received 114 legitimate e-mail messages from friends, business associates, and various mailing lists. (I know that this number is kind of low, but it was a weekend!) On that same day, I received 174 pieces of spam that were automatically identified by SpamAssassin, the open-source anti-spam filter. So I’m running 60 percent spam, a little worse than the Brightmail average. Except that even my 60 percent number underestimates the problem. That’s because my computer automatically rejects e-mail that’s sent to invalid addresses at the domain. Indeed, on that same Saturday, my server rejected 1,699 e-mail messages because they were sent to mailboxes on the computer that do not exist. Add those to the running total, and the amount of spam that my system was exposed to on January 26 rises to 94 percent of all received e-mail.
But even that number doesn’t tell the whole story.