Google Says Spam Volumes On the Rise

alphadogg writes "Despite security researchers' efforts to cut spam down to size, it just keeps growing back. The volume of unsolicited email in the first quarter was around 6 percent higher than a year earlier, according to Google's e-mail filtering division Postini. Security researchers have won a few significant battles against the spammers in the last year, first against those hosting the spammers' control systems, and later against the control systems themselves, but they will have to change tactics again if they want to win the war. In the first half of last year, security researchers concentrated their efforts on identifying the ISPs or hosting companies that allowed command-and-control servers to operate, and shutting these botnet purveyors down. The success of that tactic was short-lived, however."

If One Person Clicks, We All Lose

[eldavojohn]

If you are successful at combating spam, you will see a rising volume. Here is the chain reaction that takes place:

1. A spammer has an established source of income that he profits from his operations. Let's say it's ten grand a month. Everything is going well--he kicks back and watches watches the money machine.
2. You implement a better spam blocking program or a better educate users or do something so that the five hundred clicks he gets a day drops to four hundred clicks a day.
3. The spammer now finishes at eight grand at the end of the month and notices something is wrong.
4. The spammer is certain that he can grab back those clicks and all he (did you ever notice how spammers are always men?) has to do is crank up the volume whether it be by getting more e-mails to spam or sending more frequent spams or revolutionizing his spamming tactic and adding new templates and variables to trick people or get around blocks.
5. In the end we see spam rise.

Now, maybe he makes that two grand back in his push and maybe he don't. Maybe your new method reduced his clicks from five hundred to five per month. Either way the best we can hope is that at some point that income shrinks to negative or so little it's not worth his time. The problem is that even if 0.0001% of his spam messages generates a click, he's making bank.

The battle for clean e-mail should be fought on a number of fronts. Public awareness is the key weak link in the chain in my opinion. And as a new net savvy generation arises, that will come naturally.

No matter how much I tell my friends and family to be safe on the net, my friend in Cairo had ten credit cards opened in her name and I had to help her clean it up over here. To make sure it didn't happen again we went over smart procedures like if your bank sends you an e-mail you should read it and then open up your browser by hand and type in the bank's URL as you know it by hand and look for the corresponding information on the site. Yeah, it's a pain in the ass but if you can't find it you can always just call them. Don't click the e-mail link and drop your username and password into some site you don't trust. If I had to guess how she got tripped up, it was when she went to Cairo for school she couldn't afford to talk on the phone and had gotten lazy and careless with doing all her banking online.

Re:If One Person Clicks, We All Lose

[houstonbofh]

Kidnapping for money is a big industry in Mexico. It is all but unheard of in the United States. Why? Because the FBI made it unprofitable. They use whatever resources are needed to track down and bust the kidnappers, however long it takes. We need that kind of will in the fight against spam. It is expensive at first, but less expensive as people get out of the business.

Re:If One Person Clicks, We All Lose

[Tom]

Good point. The strategy was invented by the Romans, in case you care. The Roman Empire had a kind of primary objective on any and all sieges, namely that they win. No matter how long or what ressources it takes, there was the order from Rome that they will never leave defeated.

A famous mountain fort considered itself invulnerable due to natural features - there was only one small path up to the fortress. The romans built a big camp at the foot of the mountain and started building a ramp. It took them years to build it, but they did it, and took the invulnerable fortress.

That's why one day, when the roman army had just begun besieging another city, its ambassador came for talks, and he boasted "we have food for ten years". To which the romans replied "then we will accept your surrender in the eleventh". The next day, the city surrendered.

I'm telling that story because I like it a lot, but also because it shows that insane investment can pay off in the end. Yes, the romans poured ressources into a few sieges that were far beyond what they gained. But once the word had spread, the return-on-investment came.

There are two things we have to do to get rid of spam, minus the small amount you can never get rid off.

One is to make it very hard to make a profit via spam. A few simple laws could cover that. Going through the credit card companies would probably work great. Simply allow people a chargeback for any and all products sold via spam. All you have to do is send the spam message to the credit card company and ask for it. The CC company may not charge you. They don't want to pay for the trouble themselves, either. They will charge the merchant. That would pretty much eliminate all the non-working crap that's being sold via spam.

Two is to go absolutely anal on the spammers themselves. While #1 reduces the ROI, #2 increases the risk. Once you do that, the business case for being a spammer goes away. I don't necessarily mean higher penalties, but more effort in actually bringing them to justice, in an international effort.

Re:If One Person Clicks, We All Lose

[X0563511]

I don't think you realize just how much time, energy (electricity to run the infrastructure, cool said infrastructure etc), and manpower is wasted because of spam.

Lets put it this way.

To deal with spam at my company, we use a 10-server cluster. This cluster may seem excessive to you... but note that we get alarms once or twice daily that the load on one of the nodes has exceeded critical levels.

Now, comes the fun part.

These servers use about 3 amps each, at 110v RMS. If left without cooling, they would quickly melt down - so add on the air conditioning. I won't factor the AC into this calculation because it cools many other things too, but just be aware of it's presence.

So, we have 30 ampers at 110v 24/7/365. Now P=VA (where P = watts) so:
3300 = 30 * 110
These servers are responsible for a total energy use of 3.3 kW on average. Every day has 24 hours, and lets settle on say 29 days/m. This comes out to 696 hours per month. 3.3 kW * 696 = 2296.8 kWh per month.

Holy shit! This is a fairly small datacenter too.

So, you see... take this little anecdotal calculation and scale it up worldwide... and you begin to see the problem.

Re:What about...

[Jaysyn]

It still has to travel thru email servers & routers costing money via electrical & bandwidth costs.

Re:What about...

[KiloByte]

Network bandwidth taken by emails is indeed nearly free -- a typical piece of spam is just around 5KB (median). Yet, with more and more complex processing needed to run spam filters, you need quite a bit of CPU to weed them out. Looking at my logs, SpamAssassin runs are around 8 seconds each. Part of that time is spent for DNS queries, but there's a number of CPU-intensive tests as well.

And servers are certainly not free.