Public sector IT security managers in Canada have succeeded in reducing the volume of spam in their users’ inboxes to virtually nil. An informal survey of government, corporate and private users shows that the deluge of “unsolicited commercial e-mail” of recent years has been choked off to less than a trickle. Even free web-based services like Hotmail, once so infested with spam as to be almost unusable, now repel all but the most insinuating and plausible messages. To most users, spam is no longer an issue.
If that’s the case, why is Canada’s Task Force on Spam, a high-level gathering of academics, bureaucrats and businesspeople, still forging ahead?
Well, to quote Winston Churchill, “We must be very careful not to assign to this deliverance the attributes of a victory.” Successes in these early battles against spam, costly as they have been, only mean that the war will move to a new and more dangerous level. Spammers will try even harder to reach the one or two buyers they need to make a profit from a million e-mail messages. In the months and years ahead, government IT organizations will face attacks of unprecedented ingenuity and daring, as criminal gangs struggle to maintain their profit margins. A year ago, spam threatened to smother the individual mailbox. A year from now, spam may threaten the entire e-mail system.
The history of “unsolicited commercial e-mail,” just over a decade old, has been one of technological escalation. When one avenue is barred, the spammers create another. Spammers have long known how to turn unwitting users’ home computers into zombies, ready to execute remote commands, including mass transmissions of spam. Now they have moved up the delivery chain, so that a huge percentage of spam originates directly with the e-mail servers of major ISPs. Administrators don’t hesitate to block single spamming IP addresses, but they simply cannot block entire Internet service providers like Sympatico or AOL.
The spam problem has been compounded by some clumsy law-making. In the United States, the Can Spam Act came into law just over a year ago but did nothing to stem the flow of junk e-mails. In fact, it has pushed the illegal side of the business to offshore havens and challenged “legal” spammers to push the envelope even farther. Under the terms of Can Spam, bulk e-mailers are forbidden to use false information in their message headers, and all unsolicited messages must allow the recipient to “opt out.” As Scott Richter, the latest in a long line of “spam kings,” says, it has simply brought a little light and legitimacy to a previously shady business. Now that everyone knows the rules, they have some ground on the terra firma of legal fine print. Legitimate web sites harvest e-mail addresses legally, with contests, coupons or greeting cards, giving bulk e-mailers carte blanche to send legal spam. Many users won’t respond to opt-out reply options, fearing they only confirm their e-mail address to illegal spammers.
Criminal spammers do everything from breaking into wireless networks from parked cars to send spam from laptops, to operating from China and other countries with lax regulatory regimes. Their versions of eBay and the Better Business Bureau can be found at sites like www.spamforum.biz, where mailing lists and hosting services are bought and sold and where honour among thieves is maintained by posting the names of scammers, cheaters and rippers.
Want to get into the spam business? Just visit www.cheapbulletproof.com, where the quality is guaranteed: “Our servers are all China-based to ensure no problems arise from complaints generated by e-mail you send.”
The recent nine-year sentence handed to spammer Jeremy Jaynes in a North Carolina court will do nothing to deter others who are safely beyond the reach of the law. In the next few years, spam will place an unprecedented security burden on the Internet, as criminal gangs exploit every conceivable technical and human vulnerability to keep getting their messages out.
Government computers, with ultra high-speed connections, widely dispersed networks and trusted addresses, are obvious targets.
The only way to end spam is to make it unprofitable. There is no simple, inexpensive way to achieve that, a fact the Task Force on Spam implicitly recognizes. Working groups are looking at improved enforcement, outstanding technological issues, guidelines for legitimate advertisers, public awareness and, most important, international cooperation. Steady progress on each front will eventually erode spammers’ investments to the point of no return, but they will not give up easily – their final days could be worse than anything we’ve seen before.
Richard Bray is an Ottawa-based freelance journalist specializing in high technology issues.