Real World IT
George Ou
Massive surge in spam hits the Internet
A massive surge of spam has hit the Internet in recent months, which appears to be the result of spammers increasing their use of botnets. The spam botnets have grown three times larger since June and they are flooding the Internet with spam. TQMcube posted the following chart showing the alarming rise in spam.
The red lines represent the total amount of spam while the yellow line represents the size of the botnet.
Reader icheyne asked me if there was a good solution for spam and what I advocate. It was a very good question and I gave a summarized response here.
Talkback: Most Recent of 61 Talkback(s)
What is the solution?
Around 2000 everyone used to talk about spam and solutions for it, but now everyone seems to have just accepted it. Is there a permanent fix? George - what do you advocate?
icheyne 10/29/2006 12:21 AM
Heh
I think the only solution is to not have an email address. lol
WebThingy 10/29/2006 12:40 AM
Here's an idea
Shoot the people who buy the stuff advertised in spam emails.
toadlife 10/29/2006 01:17 AM
Very good question
Around 2002 I "thought" I had a pretty good idea which was to use domain level authentication between email servers. This was a lot easier than implementing end-to-end authentication because you only needed digital certificates for the email servers. I submitted it to the anti-spam community and it was shot down pretty hard by the anti-spam community because there was no agreement on how to handle this.
A year later SPF (sender policy framework) hit and Microsoft produced their own solution and merged with SPF for SenderID which they just recently released as a will-not-sue open standard. SenderID only used DNS to designate official outbound mail servers so that the "from" address along with the email headers cannot be spoofed. The problem with SenderID is that it breaks 3rd party SMTP relaying and there was and still is a lot of opposition to it.
Around the same time in 2003 Yahoo came out with Domain Keys which was very similar to my idea a year earlier only Yahoo's idea solved the problem of having to buy digital certificates for the SMTP mail servers. Domain Keys uses DNS to publish the name and public key certificates so you didn't have to pay Verisign hundreds of dollars to get a certificate. I really liked Domain Keys and still do, but the email community opposes it and it still can't get traction.
The whole problem with enforcing email domain authentication is that it requires the whole world to use it or it won't work. So long as any significant number of legitimate email servers won't support it, you have to allow inbound unauthenticated servers or risk bouncing too many emails. So long as that remains the case, spammers will simply come in as unauthenticated.
But let's say we can get the whole world to agree to use authentication. The problem there is that spammers will just switch domain names every day or every hour if they have to avoid blacklisted domain names. That certainly would make spammers' lives much more difficult because they can only spam with a domain once before the entire world is notified. But if you've ever spent any time in the anti-spam mailing lists and forums where the experts hang out, you'll understand that there is no agreement on how to handle this and there is still a lot of opposition to mandated domain authentication.
There is also the idea of bonded senders where a domain would put up some money and risk losing it if they send any spam. The problem with this is how you would even enforce this. If someone gets an AOL or Yahoo account and spams from it, would you punish the entire domain? Ok so we track each domain to see how responsible they are but who and how would we do this accurately? Do we get the government to track these statistics?
On the issue of Government, there is a little problem of freedom if we ban all forms of anonymous emails. Imagine Governments like Russia or China could see the identity of the sender of every single email by looking at the digital certificate of the domain it was from. How would that go over with Amnesty International? I'm not saying these problems can't be solved; just that it is VERY difficult to solve. I was naïve three years ago thinking this was an easy problem to solve. I still think it's solvable by using some form of sender authentication like Yahoo Domain Keys which provides authentication and non-repudiation IF we can ever satisfy the privacy advocates and IF we can work out all the implementation devils.
Anyways, great question. I'll probably have to clean this up and post it as a blog.
georgeou 10/29/2006 01:26 AM
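The DNS-based sender designation and the adoption problem described in the comment above, as an added example that is not part of the original post or of any mail server's code: a simplified SPF-style evaluator that handles only the ip4 and all mechanisms. The lookup table, the example domains, the documentation-range addresses and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; domains and addresses are
# documentation/example values, not real deployments.
TXT_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
    # "example.com" publishes nothing, like a domain that never adopted the scheme
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip):
    """Evaluate a simplified SPF-style policy (ip4 and all mechanisms only)."""
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no published policy: nothing to authenticate against
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a matching mechanism


def receiver_decision(result, reject_unauthenticated=False):
    """Map a check result to what the receiving server does with the message."""
    if result == "fail":
        return "reject"
    if result == "none" and reject_unauthenticated:
        return "reject"
    return "accept"


if __name__ == "__main__":
    cases = [("example.org", "192.0.2.10"),   # designated outbound server
             ("example.org", "203.0.113.7"),  # third-party relay or a spoofer
             ("example.com", "203.0.113.7")]  # domain with no published policy
    for dom, ip in cases:
        r = check_sender(dom, ip)
        print(dom, ip, r, receiver_decision(r))
```

A message for example.org arriving through the undesignated address 203.0.113.7 gets the same fail result whether it came from a legitimate third-party relay or a spoofer, which is the relaying breakage the comment mentions. The unpublished domain yields none, and a receiver that does not set reject_unauthenticated still accepts that mail.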
It's an enforcement problem
The problem is two-fold
1) The internet's mail infrastructure has some very archaic standards, but as George alluded to in his post, they are implemented everywhere and we are stuck with them. They will be very hard to change significantly.
2) The real problem here is one of enforcement. If the spam is shut off at source then there is no need for a technical solution. There are enough laws already passed to catch people.
3) Arresting the actual spammers themselves is useless, plenty more will take their place. However they are PAID to place these "ads". Every spam mail has some way to get in contact with the vendor of the product so track down the vendor and make THEM pay. They are no different to "fly posters" and that is illegal in many cities.
Obviously the above won't get all spam - the "buy XXXX on Monday - it's going up, up, up" has no vendor, but it is a scam and there is legislation to deal with that - insider trading perhaps?
We don't need to get all the spam merchants, if we can break the back of the problem the remaining spammers will stand out a lot more and law enforcement will have a much easier time running them out of business.
bportlock 10/29/2006 02:45 AM
US is enforcing
Interestingly, this is one area where I think the US is doing a good job. A lot of spammers have been run out of the country in the last 5 years thanks to good enforcement. They are now spamming from overseas.
So just get most of the world to enforce anti-spam legislation and you're on your way.
Feldon 10/29/2006 11:08 AM
Fair enough....
.... but there is no point in chasing the spammers. Chase whoever gives them the work.
In the city I live in, fly posting was a problem. People would turn up in the middle of the night and stick posters for events, records, CDs, DVDs, whatever on any vertical surface. All sorts of suggestions including CCTV were passed around until the obvious was spotted - the police went after whoever's contact details were on the flyposter. They were guilty of littering by proxy and hefty fines were imposed. Fly posting is now a rare occurrence.
All the spam you get for Viagra / whatever has to have a contact address on it or else there is no point in sending it. All the cops have to do is use the spam, click on the link, find out who the supplier is and prosecute them for the spam. Corporate responsibility means that a company cannot contract another company to commission an act that breaks the law. The company placing the order is as guilty as the spammer and a lot easier to catch.
Spam would be massively reduced and the spammer's supply of money would dry up very quickly. Doing it this way, the bot nets take care of themselves - there's no point in setting one up if no-one will pay to use it.
bportlock 10/29/2006 12:06 PM
Global enforcement is difficult
I completely agree with you, the problem is with enforcement especially on a global level.
"All the spam you get for Viagra / whatever has to have a contact address on it or else there is no point in sending it. All the cops have to do is use the spam, click on the link, find out who the supplier is and prosecute them for the spam."
What if the company has no knowledge of the spam being sent out? Do we automatically punish any company that hires another company to do marketing and it turns out some of those "marketing" activities include spam? So if I wanted to get someone in trouble, all I'd have to do is send spam on behalf of them? How do you prove the connection? I'm not saying it's not possible to do, just that it's hard to do. Spam isn't exactly on the top of the priority list for law enforcement, there are actual human beings missing or being murdered that they have to track down. There are people in this world that want to kill us that the Government has to worry about. Spam would probably be way down there on the list of priorities.
georgeou 10/29/2006 12:50 PM
Process already established
"Do we automatically punish any company that hires another company to do marketing and it turns out some of those "marketing" activities include spam?"
No of course not, any more than you assume any suspect is automatically guilty. But if an investigation turns up a causal link then you prosecute.
If someone "makes trouble" deliberately then how is that any different from filing a false police report?
I agree with you that fighting spam is low on the police "list of things to do" and spam is harder than fly posting because the internet allows you to internationalise things.
Having said that, if the cops picked a big spam campaign and found that the orders for the goods went to a particular company then I think that company would have a lot of explaining to do. The argument of "someone must have done it to us" would be unlikely to hold water.
It occurs to me that any company prepared to market their goods through bot-nets and hijacking is probably worth investigating anyway - their corporate ethics would be rather low and I'm sure that plenty of dodgy stuff would come to light.
bportlock 10/29/2006 02:15 PM
Joe job
So if I wanted to get someone in trouble, all I'd have to do is send spam on behalf of them?
Already happened...
http://en.wikipedia.org/wiki/Joe_job
johndoe445566 10/30/2006 06:57 AM
serious security threat
George Ou writes:
"Spam isn't exactly on the top of the priority list for law enforcement, there are actual human beings missing or being murdered that they have to track down. There are people in this world that want to kill us that the Government has to worry about. Spam would probably be way down there on the list of priorities."
IMHO this is the core of the problem. Most governments (and many software companies) act as if spam is just a nuisance. May I suggest that spam has become a serious security threat, not just to the US but to all developed countries. Spam has historically been the primary method by which machines are infected and become bots. The bot networks continue to grow. So far their mischief has been largely benign (petty theft, small DOS attacks, extortion, etc). Sooner or later (I hope later) someone with a little money will coordinate the various networks to attempt much more ambitious mayhem. Maybe even coordinate it with a terrorist attack just to amplify the economic impact.
The more we depend on the internet infrastructure, the bigger the target grows. Meanwhile the threat continues to grow with no end in sight.
So George, if I may suggest - you would be doing the world a great favor if you used your soapbox to sound the alarm. The whole world is just way too complacent on this front.
nocluerequired 10/30/2006 08:17 AM
Sounds like the excuse HP used
As HP has discovered, a company has the duty to know just how firms they hire will accomplish the task at hand. If we can blame HP for the tactics of its investigative firm, then we can blame vendors for the tactics of its marketing firms.
shechief 10/30/2006 12:56 PM
Oh, That's Brilliant.
Please, please, please pass this law. Go after the people who have contact info in the spam instead of the spammers.
I'll rent a server, send out about a billion e-mails with contact info for each of my business competitors that tell people to buy their products and insinuate that they all have small "members" that my competition could chemically enhance and sit back and wait for the feds to come in and shut them down.
Cost?
One Billion Phoney Spam Emails? $0
One dedicated server month? $175
Watching my rivals sent to Sing-Sing? Priceless!
XanaduRanch 06/24/2007 08:34 AM
Penny Stock Spam
Obviously the above won't get all spam - the "buy XXXX on Monday - it's going up, up, up" has no vendor, but it is a scam and there is legislation to deal with that - insider trading perhaps?
My solution to these penny stock spams would be to require the Federal Trade Commission to suspend trading of any stock spammed for 10 days. Even though these are Over-The-Counter, they still are within reach of the Government.
During the suspension, the company would be audited to see if anyone internal would gain from a mass trade event, and if so, those individuals would be prosecuted. Otherwise the trading would resume after 10 days.
M.W.Jones 10/30/2006 07:29 AM
Wouldn't work . . .
If I was your competitor, I just might keep arranging to have your stock spammed and suspended for 10 days - and that would lead to 'Spamwars'.
simonbailey 10/30/2006 03:36 PM