Could The Bad Guys Win on Spam?

Spam and mail-based attacks are coming to dominate Internet e-mail. Nothing seems able to stop them, and some days it's rare to find real mail among the spam. Could it come to the point that it's not worth dealing with e-mail's problems?

On some days, life in the security business is more depressing than on others. My recent reading about Mimail.L, the latest in a long line of sociopathic worms, tipped me into the blues.

Mimail.L is particularly vile. Here are some of the actions it takes:

  • It arrives as a pornographic e-mail with an attached ZIP file purporting to contain dirty pictures. That file contains a file with a .jpg.exe extension, so if someone runs it to see the picture they actually infect themselves. As always, this subterfuge works far more often than Id like to think, but so far its just a run of the mill worm.
  • It scours the hard disk for e-mail addresses and stores them in a file named xu298da.tmp in the Windows folder. It then mails itself out with the same porno message to these addresses.
  • If theres a problem sending that mail, it instead tries to send a different message without the attachment. This fallback message says that the recipients credit card has been charged for a purchase of child pornography. It directs the reader, if they want to cancel, to contact security@europe.spamhaus.org.
  • The message also lists more than a half a dozen sites as places you can get more kiddy porn, including Disney.go.com, Spamcop.net and Spews.org, and attempts to perform a denial of service attack on these sites.

So, not only is this a particularly offensive worm, but it specifically attacks anti-spam sites! Do the authors of the worm have a particular problem with these groups? Perhaps, or maybe its just more anti-social behavior. They also attack Register.com, but I doubt theyre opposed to domain name registration on principal.

After reading about this Im tempted to agree with a poster on a Slashdot thread on Mimail.L: "They wont stop til theyve destroyed e-mail." We keep hearing about the ever-increasing percentage of Internet e-mail that is composed of spam. The latest consensus I hear is "over 50 percent," but you can bet your last "F_R_E_E whatever" that the number will continue to climb.

My own spam rate is now well over 60 percent (although my inboxes are particularly vulnerable because I have multiple e-mail addresses on my articles around the Web). What happens when 75 percent of Internet mail is spam? How about 90 percent? And why should it stop there? A relative recently said he doesnt bother checking his e-mail anymore because theres just too much spam; its not worth it.

As Ill discuss in greater detail in a later column, I dont have a lot of confidence that the new CAN-SPAM act that recently passed in Congress will make a big dent. It would take a large, talented and well-funded enforcement effort to get a significant number of spammers through this act

Besides, spammers are exactly the sort of people to fold up shop and start anew in some other state with a new identity if they ever get in actual trouble. The startup costs are puny, and heres the really good part: your cost of goods can be zero!

Putting aside spam messages that result in naked theft, like the Nigerian bank transfer scams, how many "customers" are going to pursue you if they dont get the goods they order? Theres no doubt in my mind that a very large number of these "businesses" have absolutely nothing to sell, they just take your money. This makes the spam business model even more compelling.

If the government wont be sending the cavalry in the nick of time, that leaves technology. Many people think theres a great abstract case to be made for disincentivizing spam by changing the economics of the situation, generally by the imposition of some fee for sending mail.

As Ive said before, I dont think such solutions are practical without the kind of massive technical changes to the Internet that could end spam without such fees. What it really comes down to is enforcing authentication on all e-mail users. There are systems for bolting authentication onto SMTP, but if cant be made mandatory, then it doesnt matter.

So the only options for stopping spam are continued use of the existing technological means at our disposal or a complete replacement of the entire e-mail system, as I once suggested earlier this year, when I was young and naive. But that aint gonna happen. When a protocol is as entrenched as SMTP its basically impossible to displace it.

So can the anti-spam industry save us when 90-something percent of the mail coming in is pornographic or malware? I used to think that one false positive was one too many. But when I see attacks like Mimail.L and I think about kids receiving e-mail, then perhaps one false negative is one too many.

Businesses will be able to cope with 90-percent levels of spam and block it out. But at that level, kids and even lots of grown-ups will forgo e-mail. And when that happens, the bad guys will have won.

Discuss This in the eWEEK Forum

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer