For a brief instant in November 2008, the spam-industrial complex—that amorphous machine that sends out some 62 trillion junk emails a year—suffered a blow. McColo, a Web hosting firm based in San Jose, Calif., known as a safe haven for some of the Internet’s most virulent spammers, was knocked offline. Overnight, global spam, which by then totalled 100 billion messages daily, plummeted by 70 per cent. Purveyors of emails about cheap Viagra were beaten back; techies in the know rejoiced. But within three months, spam levels were back to where they had been. And if anything, the spammers had gotten wiser. After the next rogue-company takedown, last June, spam levels fell by a more modest 30 per cent, and crept back up in a matter of weeks. By the time the Latvia-based firm Real Host was disconnected in August, says Adam Swidler, product marketing manager for Google, “it only took them three days to get spam volumes back.”
Since the first known spam message was sent more than three decades ago, junk email has gone from mere nuisance to actual danger. Today, almost all spam is part of an organized criminal activity, says Gordon Cormack, a University of Waterloo computer science professor and a spam researcher. And it’s no longer limited to email: blogs, search engines and social networking sites, which exploded in popularity before developers could prepare their defences, have given spammers lots of room to grow. All it takes is a few clicks on an email or a perfectly legitimate-seeming Web page to download a virus. According to a recent Sophos security report, a new infected website was detected every 3.6 seconds last July, a fourfold increase from a year earlier.
Thanks to advances in spam-filtering and anti-virus technology, most of us see only a fraction of the junk destined for our inboxes. But the war on spam rages on. According to Microsoft, which blocks 4.5 billion emails a day from reaching its Hotmail accounts, 97 per cent of all email sent is unwanted. It’s kept out of mailboxes thanks to round-the-clock surveillance by automated systems and thousands of human experts—at great cost. Analysts at California-based Ferris Research predicted that in 2009, the worldwide cost of spam in IT expenses, anti-spam software and lost productivity would amount to US$130 billion—a 30 per cent increase over 2007.
All of which simply spurs more innovation in the spam world. “Every time there have been efforts to try and control spam, there have been responses that have made for more spam,” says John Arquilla, director of the U.S. Naval Postgraduate School’s information operation centre and a pioneer of the cyberwarfare field. Canada’s first anti-spam bill is set to go before the Senate this year. If adopted, it will bring Canada in line with the majority of G8 countries. The bill, says Industry Canada, seeks to “deter the most damaging and deceptive forms of spam” by allowing businesses and consumers to sue those who violate its terms. But in the meantime, it’s user beware. According to Arquilla, the Internet remains a new frontier. And while the wilderness is virtual, he says it’s “as risky as living in the Mohawk valley in the 18th century.”
Our feelings toward electronic junk mail trace back to 1970, and a Monty Python sketch that had nothing to do with the Internet. It featured a restaurant diner whose frustration mounts as her order is repeatedly overwhelmed by a group of Vikings, among others, shouting “SPAM!”—the brand name of the canned-meat product popularized during the Second World War. The scene captured perfectly the experience of a hapless Internet user hit with an arsenal of unsolicited messages. In the early ’90s, with the advent of the World Wide Web, the word began to appear in chat rooms, where members would inundate newcomers with an endless stream of “spamspamspam,” to keep them out.
It didn’t take long for more money-minded individuals—and scammers—to harness intrusion for personal gain. To expand their reach, online hawkers and fraudsters began letting mass emailing software do the heavy lifting. By 1999 the world had its first known mass-mailing virus, called “Melissa,” dispensed as an email attachment. Spammers have now graduated to using junk email—or fraudulent Facebook links or website ads for bogus cash rewards—to steal information and money from users curious enough to open attachments or click on a link—what Arquilla calls “the weaponization of spam.” In taking the bait, says Cormack, we grant spammers access to our personal data, contacts, passwords and, in some cases, every keystroke we make. In 2007, the Storm campaign, aimed at Microsoft Windows users, tricked people into following malicious links disguised as provocative news videos. One fake headline read: “230 dead as storm batters Europe.”
The war on cyberterror, of which spam is one part, isn’t entirely unlike the war on terror. The bad guys “attack from a hidden position,” leaving security experts scrambling, says Arquilla. So-called “firewalls,” meant to arm a computer’s operating system with a defensive shield, are, in fact, penetrable to new viruses and spam until they are detected. “There is no such thing as a firewall,” says Arquilla. “It only recognizes what it knows.”
The rise of botnets in the past few years has, without question, been the most significant tactical shift in this fight. Rather than simply using malware (malicious software) to invade and control individual systems, botnets, or “zombies,” link networks of compromised computers, which are then used in massive spam campaigns and coordinated cybercrime attacks. Storm was one campaign; Steve Santorelli, a director of global outreach for Chicago-based IT security non-profit Team Cymru, estimates there are several thousand such networks, stretching across tens of millions of infected computers. (When the Conficker botnet made headlines last year, it included an estimated 15 million systems.) Santorelli says there’s a specialization akin to that of pseudo-professional bank robbers in the ’70s and ’80s. There used to be getaway drivers and stick-up guys. Likewise, in encrypted chatrooms, expert virus writers, botnet creators and virtual money launderers subcontract their services. Says Cormack, “The person who delivers the email is not necessarily the one who runs the compromised computers, and isn’t the one who knows how to use credit card numbers that get captured.”
Since the McColo takedown, a new generation of sleeker, more decentralized botnets has emerged. “Hackers were out there, essentially having to rebuild their networks,” says Google’s Swidler. “They were rebuilding them with the latest and greatest technology.” Despite a fix from Microsoft for the Storm virus, for instance, the botnet remained a powerful force. In 2008, it took aim at customers of several British banks through email, marking the first time botnets were used in a major phishing attack. (The emails were identified by bank security before they did any real damage.) Recently, cybercriminals have been hooking victims through the very fear their presence generates. According to Symantec, in 2009 an estimated 40 million of us have been coaxed into purchasing fake anti-virus software, forfeiting our credit card numbers, personal information and, quite possibly, our computers.
In the war on cyberterror, as in the war on terror, there are people who end up trapped in grey areas. After Mark Ellis’s Web connection was abruptly cut off several years ago, he received a letter from his Internet service provider (ISP), advising him his business was no longer welcome. He says it wasn’t until he was booted off a second ISP that he figured out why: he’d been blacklisted, reportedly for running a major spam operation. The charge was levelled by the Spamhaus Project, one of several anti-spam non-profits whose findings are used by many ISPs.
Spamhaus’s Register of Known Spam Operations, an online database of some 120 alleged repeat offenders, lists about a dozen Canadians. Ellis is one of them. He insists Spamhaus, which is based in Geneva and London, has the wrong guy. “Somebody was spamming from my connection,” he says. “It wasn’t secured.” He says the dubious honour has made him the target of threatening emails and phone calls: “People say, ‘I’m going to find out where you live. I’m going to kill you.’ ” (Concerned about attracting further attention, Ellis declined to use his real name for this story.) Though he’s managed to convince his ISP to restore his connection, he says many of his business-related emails never reach his clients, presumably because his ID is blocked by other ISPs.
Spamhaus declined requests for an interview, but in an email, CIO Richard Cox wrote: “Almost all spammers claim as a matter of course that they are ‘doing nothing wrong,’ but we can assure you that extensive research is done to both establish their identity, and prove their responsibility for the spam.” In addition to the public information on its registry, he said, Spamhaus keeps “extensive dossiers,” which it is contractually obligated not to release, except to law enforcement officers. Companies, too, rely on such enterprises to crack down on abuse. Swidler says Google, for one, uses Spamhaus. But the blacklist approach raises troubling questions. And Arquilla says it risks punishing innocents without deterring the real masters of spam.
In fact, the war on cyber junk may just be getting started. As Internet access in developing countries continues to rise, says Arquilla, “the slope [of spam] will actually go up. From a smaller proportion of [overall Internet] traffic, it will grow to a larger proportion.” New technologies can inadvertently help things along. According to a recent Sophos report, smartphones can lead to new modes of attack. And the economic downturn may give spam an added boost: Swidler suspects some laid-off computer programmers “are finding it more lucrative to turn their talents toward writing malware than legitimate software.”
In Canada, there is hope that anti-spam legislation will empower law enforcement to take action and send a strong message. “Everybody recognizes that the law isn’t a silver bullet,” says Michael Geist, Canada Research Chair of Internet and e-commerce law at the University of Ottawa. “But it is a necessary condition, and one that’s long overdue.”
But technology and legislation can’t save us from ourselves. When we’re presented with a proposal from a Nigerian prince or breaking news about a deadly storm, curiosity sometimes trumps reason. And as long as we continue to click blindly on alluring links and open mysterious attachments, spammers will find a way to deliver their message.