Could The Bad Guys Win on Spam?

By Larry Seltzer  |  Posted 2003-12-05 Print this article Print

Spam and mail-based attacks are coming to dominate Internet e-mail. Nothing seems able to stop them, and some days it's rare to find real mail among the spam. Could it come to the point that it's not worth dealing with e-mail's problems?

On some days, life in the security business is more depressing than on others. My recent reading about Mimail.L, the latest in a long line of sociopathic worms, tipped me into the blues. Mimail.L is particularly vile. Here are some of the actions it takes:

  • It arrives as a pornographic e-mail with an attached ZIP file purporting to contain dirty pictures. That file contains a file with a .jpg.exe extension, so if someone runs it to see the picture they actually infect themselves. As always, this subterfuge works far more often than Id like to think, but so far its just a run of the mill worm.
  • It scours the hard disk for e-mail addresses and stores them in a file named xu298da.tmp in the Windows folder. It then mails itself out with the same porno message to these addresses.
  • If theres a problem sending that mail, it instead tries to send a different message without the attachment. This fallback message says that the recipients credit card has been charged for a purchase of child pornography. It directs the reader, if they want to cancel, to contact
  • The message also lists more than a half a dozen sites as places you can get more kiddy porn, including, and, and attempts to perform a denial of service attack on these sites.
So, not only is this a particularly offensive worm, but it specifically attacks anti-spam sites! Do the authors of the worm have a particular problem with these groups? Perhaps, or maybe its just more anti-social behavior. They also attack, but I doubt theyre opposed to domain name registration on principal.

After reading about this Im tempted to agree with a poster on a Slashdot thread on Mimail.L: "They wont stop til theyve destroyed e-mail." We keep hearing about the ever-increasing percentage of Internet e-mail that is composed of spam. The latest consensus I hear is "over 50 percent," but you can bet your last "F_R_E_E whatever" that the number will continue to climb.

My own spam rate is now well over 60 percent (although my inboxes are particularly vulnerable because I have multiple e-mail addresses on my articles around the Web). What happens when 75 percent of Internet mail is spam? How about 90 percent? And why should it stop there? A relative recently said he doesnt bother checking his e-mail anymore because theres just too much spam; its not worth it.

As Ill discuss in greater detail in a later column, I dont have a lot of confidence that the new CAN-SPAM act that recently passed in Congress will make a big dent. It would take a large, talented and well-funded enforcement effort to get a significant number of spammers through this act Besides, spammers are exactly the sort of people to fold up shop and start anew in some other state with a new identity if they ever get in actual trouble. The startup costs are puny, and heres the really good part: your cost of goods can be zero! Putting aside spam messages that result in naked theft, like the Nigerian bank transfer scams, how many "customers" are going to pursue you if they dont get the goods they order? Theres no doubt in my mind that a very large number of these "businesses" have absolutely nothing to sell, they just take your money. This makes the spam business model even more compelling.

If the government wont be sending the cavalry in the nick of time, that leaves technology. Many people think theres a great abstract case to be made for disincentivizing spam by changing the economics of the situation, generally by the imposition of some fee for sending mail. As Ive said before, I dont think such solutions are practical without the kind of massive technical changes to the Internet that could end spam without such fees. What it really comes down to is enforcing authentication on all e-mail users. There are systems for bolting authentication onto SMTP, but if cant be made mandatory, then it doesnt matter.

So the only options for stopping spam are continued use of the existing technological means at our disposal or a complete replacement of the entire e-mail system, as I once suggested earlier this year, when I was young and naive. But that aint gonna happen. When a protocol is as entrenched as SMTP its basically impossible to displace it.

So can the anti-spam industry save us when 90-something percent of the mail coming in is pornographic or malware? I used to think that one false positive was one too many. But when I see attacks like Mimail.L and I think about kids receiving e-mail, then perhaps one false negative is one too many. Businesses will be able to cope with 90-percent levels of spam and block it out. But at that level, kids and even lots of grown-ups will forgo e-mail. And when that happens, the bad guys will have won.

Discuss This in the eWEEK Forum Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel