by Wendy M Grossman | posted on 23 December 2005

Boggle of the week: the Federal Trade Commission announces that we’re all getting less spam.

Of course, this is one of those self-congratulatory exercises. The FTC was terribly pleased with itself when the so-called CAN-Spam legislation was passed in late 2003 (even though experts such as the Spamhaus Project commented acerbically at the time that the opt-out regime enshrined in CAN-Spam meant legitimising spam rather than stopping it). Now, two years later, it is saying the legislation worked.

Pause to laugh maniacally while deleting eight identical messages offering me the chance to “shoot” five times as much. (Really, seriously: that particular spam must appeal only to the very small market of the chronically infertile.)

The FTC’s main support for this claim seems to be the anti-spam vendor MX Logic, which issued a press release last week noting that the percentage of email that is spam dropped in the last year from 77 percent to 68 percent.

But MX Logic itself didn’t see this as a reason to declare a win against spammers. The release itself quotes Scott Chasin, one of the most knowledgeable people I’ve ever spoken to about spam, as saying, “Predictions of the impending death of spam are premature.” MX Logic also reported that only about 4 percent of spam complied with the labelling and other requirements in CAN-Spam. Certainly, as Chasin goes on to say, the Act has helped the Feds prosecute the spammers they can identify. Throw in a 14 percent increase in phishing attacks and somehow I’m not feeling so good any more about CAN-Spam. If I ever was.

Of course, even if the percentage went down a little, that doesn’t mean the volume of spam went down. People are sending more email (and bigger attached files) all the time. And according to SpamCop, in fact the raw number went up. So what we’re really talking about is a slight downturn in growth.

But even if there had been any diminution in email spam (and my personal in box shows otherwise), that would be more than made up for by two things. First, the newer forms of spam that keep turning up. Earlier this year, in a discussion on a lawyers’ mailing list, I saw the interesting rule of thumb that there’s a threshold of about 10,000 readers above which blogs start to attract comment spam. Several of the lawyers had turned off comments as a result; software like Movable Type has to include filtering software. IM spam. Spam blogs (splogs?), which are fake blogs automatically cobbled together for the sole purpose of pulling in clicks on Google ads or Amazon associate links. If email spam is passing out of fashion – and it’s too soon to say that it is – it’s only because there are newer, more fertile fields to sow. Remember, once upon a time, ten years ago, Usenet was where the spammers lived. Now, it’s years since I’ve seen more than a very occasional spam in any of the Usenet newsgroups I read regularly.

But second, over the two years since CAN-Spam was passed, spam has become much nastier, as MX Logic’s figures on phishing attacks suggest. Much more spam is delivered via virus-infected PCs that got that way because of virus-laden spam. Security experts will tell you about the current incarnation of the old protection racket, in which companies are promised that in return for regular payments the extortionists will make sure their armies of infected PCs won’t mount DDoS attacks against them. How do those PCs get infected? Mostly through spam.

All that depressing stuff said, anti-spam technology is slowly getting better and more widely deployed. In the arms race between filters and spammers either the filters are a little ahead or the balance is stable.

The damage to email in general of anti-spam systems is also, I think, stabilising. Too many people are still, unfortunately, retreating behind the kinds of systems that break the kneecaps of email, such as challenge and response. And I myself got told off last year for using real-time blacklists to protect my server, on the grounds that the danger of such systems is that they make it possible for the list owners to arbitrarily censor the Net. (I’ve turned that off now, John.)

But in the intervening two years we have also built ever-increasing amounts of redundancy into our contacts with others. When I was a child, everyone had one home phone number, one street address, and maybe one work phone and address. Now, an average contact has, on top of that, a mobile number, work and home email, maybe a fax number, several IM IDs, and probably a blog where in a pinch you could leave a comment. And if all those fail, well, I know which IRC channels they hang out on. So like I say, if there really is even slightly less email spam, it only means email is slightly less important.

I’m sure the spammers want me to wish you all Happy Holidays a thousand times, each misspelled in a slightly different way. Have a good one!

