Killer spam: the business threat
Ever-escalating spam levels are close to tearing the commercial guts out of any business and organisation that relies on email as a primary method of business communication.
Let’s scare ourselves with a stark, alarming fact: spam is poised to be a significant threat to legitimate commercial activity. It has succeeded where the many large scale virus attacks of the 1990s failed, by virtue of its ability to relentlessly hammer email inboxes every minute of every day of the year. There is absolutely no evidence that its scale will even level out, let alone decrease. The volume of spam is now becoming a serious issue that requires a consolidated approach to stop it from potentially undermining email as a major communication tool in commerce.
In 2006, nearly 90% of all business email traffic was spam, and the problem is not just localised to a few countries. A quick look at the data available on the Spamhaus website confirms that this is a worldwide problem, and it is evident that the solution will have to involve global cooperation.
Spam has been a plague for years now. It eats into a company’s network and manpower resources, exposes it to increased risk of litigation, viruses, not to mention causing hair-tearing frustration among users. Most businesses would not survive without some form of spam protection, which is why, when the volume of spam suddenly increased in the second half of 2006, alarms rang inside the IT security industry.
The spammers had changed tactic and started to use volume as an attack mechanism to get their message past spam filters undetected. Most good anti-spam filters operate at around 97% effectiveness – most businesses are able to cope with the 3% that gets through.
But the spammers had realised that, by dramatically increasing the volume of spam, this 3% soon becomes a significant number of emails that would reach target inboxes. It was an effective tactic that had security experts scurrying to implement methods against it; but it also acted as a warning.
Businesses got a taste of what might lie ahead if spam levels continue to escalate. Those businesses relying on internal systems probably found their network administrators panicked by the unprecedented increase in their management workload. Businesses using automated update services or hosted solutions may have found their emails delayed as scanners tried to digest the massive increase in spam.
If spam distribution levels continue to rise at a similar rate as seen recently, it is possible that a tipping point between commercial viability and costs required to mitigate the spam to a manageable level will be reached. Action taken now will make a difference in the long term, but quite what that action should be – and whose responsibility it is to take – is a topic of heated and contentious debate.
In January 2004, Microsoft’s Bill Gates infamously told a group of World Economic Forum participants that he could rid the world of spam in two years. Three years on, we’re still waiting. But that’s no surprise to anyone: agreeing standards was always going to be a sticking point. However, it takes just one look at the amount of ineffective legalisation that has been introduced to conclude that, without the will of governments around the world to enforce it, any attempt at a solution is futile.
In the UK, for instance, the law can only be applied for spam originating in its jurisdiction. If the UK made a lone stand and tightened its position, spammers would just move to a different country. Even if the law was changed to broaden the government’s powers, it is unlikely that vast resources would be poured into catching the spammers, because junk mail is a very fluid business and swapping from country to country proves no problem at all.
In addition to lack of enforcement, the ease with which anyone can purchase a spam kits complete with email addresses and a handy ‘how-to’ guide does not help the situation. In fact, some people believe that criminals make more money in selling the kits than the ones doing the actual spamming.
But the concern over these elements is, to some degree, masking the real enemy – the ever-growing army of botnets. These legions of zombie computers must be stopped now if we are to control spam in the future. It is the increasing use of botnets and their continuingly sophisticated techniques to avoid being disabled that accounts for the large increase in spam seen in the last 12 months. Technology alone may not be enough to destroy them.
Alongside technology and law enforcement, education needs to play a larger role in the fight against spam. Currently, computer users either lack the understanding or are not interested in computer security. This is unlikely to change without government intervention.
Netsky is a perfect example of user apathy to computer security. Despite the fact that the last outbreak was in 2004, the worm consistently accounts for a large proportion of viral email traffic. In the UK alone, SoftScan has identified that there are at least seven times as many unique IP addresses that distribute emails infected with Netsky than Mytob and four times as many than Bagle. Its apparent staying power is most likely due to unprotected computers.
Years ago, if a machine became infected, it was such an inconvenience to the user that even if they were not aware of the threats before, they quickly took steps to prevent anything from happening again. However, today we have a situation where vast numbers of machines are infected without their users’ knowledge. Being part of a botnet doesn’t affect them directly, apart from perhaps the machine occasionally going slow, but that one machine in the right hands causes misery to thousands of others.
Only once the tipping point is reached and governments worldwide are obliged to enforce international anti-spam laws for the sake of commerce will we start to see a serious reduction in spam through a mixture of technology, enforced legislation and education.
How much worse will it need to get to reach the tipping point is unclear as it depends on many factors: how quickly spam continues to grow, what developments can be made in technology to counteract this and the continuing rise of botnets. There are other considerations too. Microsoft’s Vista operating system will hopefully put a dent in the number of botnets with its increased security, but how long for? And how quickly will companies and – more importantly – home users upgrade to Vista?
Whether spam remains a mere inconvenience or reaches the tipping point, in the long term it will undoubtedly risk damage to e-commerce worldwide. Before this juncture is reached it makes sense for all interested parties to start working together on a global scale to tackle the problem head-on.
Governments should do more to help – but what?
There is – and indeed always has been – a lot of cooperation between security vendors in trying to find ways to solve spam and other security issues. However, technology is only part of the answer to resolving the problem of spam. What is required is government involvement to assist in the other aspects, but, without a collective voice demanding action, spam is easy for them to ignore.
One particular area that government involvement could help is to provide additional resources to make it easier for the police to react to spam crime, and provide simpler mechanisms for citizens to report spam, even across borders.
When the spammers have been caught and tried, greater sentencing and fines than we have seen so far could also make some decide that spamming is not worth the risk.
From the governments’ perspective spam is a global issue, which means that every country is suffering the same problem, and therefore there is no advantage or disadvantage caused by spam between one country’s e-commerce tax revenue and another’s. If one country did suddenly discover a significant improvement from reducing spam, the others would surely follow.
Instead there is stalemate. Governments need to realise that it is not just a resource inconvenience to business, but potentially very damaging to e-commerce as a whole. They could wait until big businesses stand up and shout that they need to do something about it, but by that time it will be too late for the millions of smaller organisations that built their business around e-commerce early on.
Still, there is hope. After taking a tough stance on spam and enforcing its Spam Act 2003, by the middle of last year Australia dropped from 10th to 23rd on the list of worldwide sources of spam.
Of course, it still only means that the spammers have gone to another country, but it shows what could be achieved if only everyone made the effort.