Predicting security trends is not an exact science.
A prime case in point is Microsoft co-founder Bill Gates, who predicted at the World Economic Forum in Davos, Switzerland, in January of 2004 that spam would be “solved” within two years. Fast forward to 2009 – spam remains a nuisance to corporate networks and consumers alike.
A key part of Gates’ prediction was that we would have the option to charge people to send us e-mails. If a relative sent you an e-mail, for example, you could let it in for free. However, if the e-mail came from an unknown address, you could charge them money.
That system obviously never materialized, in part because of the difficulties that would occur in administering the payment process and properly validating e-mail senders.
“Charging (for) e-mail usage simply doesn’t work, because we can’t track down spammers today,” noted Chenxi Wang, an analyst with Forrester Research. “Spammers are typically using bots to send bulk emails, and often times bots come with their own e-mail servers or use an e-mail server that is in a separate jurisdiction (e.g., in Russia). I am not sure how one would go about enforcing an acceptable charge mechanism.”
Another solution Gates spoke of at the time was using challenges to determine whether an e-mail was sent by a human or a machine, with the idea being that requiring human interaction would thwart botnets. This was never embraced by the industry because of the economics of commercial e-mail use, Wang argued.
“These large e-mail users have a lot of power and won’t go for the reverse-CAPTCHA model,” she said.
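To make the challenge model concrete, here is an added illustration (not code from the article or from any product it mentions) of the sender allowlist plus challenge-response flow described above: mail from known contacts is delivered, mail from an unknown sender is held while a one-time token is sent back, and only a sender who echoes the token is admitted and added to the allowlist. The class, method and address names are assumptions made for this example; the comments note where the scheme is weak in exactly the ways the article's sources point out.

```python
"""Challenge-response ("reverse-CAPTCHA") sender verification, constructed example.

Assumptions: a single recipient's allowlist; tokens are HMAC-derived per sender;
no real mail transport (the "challenge" is just a returned string).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    body: str


class ChallengeResponseFilter:
    """Deliver mail from known contacts; challenge everyone else."""

    def __init__(self, contacts, secret=None):
        self.contacts = set(contacts)          # senders allowed in for free
        self.secret = secret or secrets.token_bytes(32)
        self.pending = {}                      # sender -> outstanding token
        self.held = {}                         # sender -> messages awaiting answer
        self.inbox = []                        # delivered messages

    def _token(self, sender):
        # Per-sender token; keyed hash so a bot cannot derive it from the address.
        return hmac.new(self.secret, sender.encode(), hashlib.sha256).hexdigest()[:16]

    def receive(self, msg):
        """Return 'delivered' or 'challenged:<token>' for the incoming message."""
        # Caveat from the article: the check trusts the From address as-is, so a
        # spoofed contact address passes without any challenge. Real deployments
        # would need sender authentication on top of this.
        if msg.sender in self.contacts:
            self.inbox.append(msg)
            return "delivered"
        token = self._token(msg.sender)
        self.held.setdefault(msg.sender, []).append(msg)
        self.pending[msg.sender] = token
        return f"challenged:{token}"

    def answer_challenge(self, sender, token):
        """Admit the sender if the echoed token matches; release held mail."""
        expected = self.pending.get(sender)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        # A human (or, as the article notes, a paid "mechanical turk") can answer
        # this; an unattended spam bot normally never does, so its mail stays held.
        self.contacts.add(sender)
        self.inbox.extend(self.held.pop(sender, []))
        del self.pending[sender]
        return True


def simulate():
    """Walk one recipient through a relative, a stranger who replies, and a bot."""
    f = ChallengeResponseFilter(["relative@example.com"])
    f.receive(Message("relative@example.com", "dinner", "Sunday?"))
    reply = f.receive(Message("stranger@example.net", "hello", "new contact"))
    token = reply.split(":", 1)[1]
    f.answer_challenge("stranger@example.net", token)   # stranger answers, admitted
    f.receive(Message("bot@example.org", "cheap meds", "..."))  # bot never answers
    return {
        "delivered": len(f.inbox),
        "held_senders": sorted(f.held),
        "contacts": sorted(f.contacts),
    }


if __name__ == "__main__":
    print(simulate())
```

The simulation ends with two delivered messages, the bot's mail still held, and the stranger promoted to the contact list; changing nothing but the bot's behaviour (having it answer the challenge) is all it takes to get through, which is the economic point the article's sources make about mechanical turks.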
Spammers meanwhile have had a fair amount of success cracking CAPTCHA in recent years. Typically, they rely on either software or “mechanical turks” – people who either directly or indirectly create accounts traded online. The shift has prompted researchers to try to come up with more effective challenges, though some still question whether or not it matters given the role of mechanical turks.
The good news is that since Gates made his bold prediction, spam filters have improved. But it doesn’t take much to keep spam profitable. For example, a recent study by the University of California Berkeley and University of California San Diego found 350 million pharmacy spam e-mails sent out by the Storm botnet resulted in only 28 visits to the pharmacy’s purchase page.
“As long as there are people who are responding to spam attacks, even if it is just a tiny percentage, spam will continue to be profitable,” said Amanda Grady, senior analyst of anti-spam engineering at Symantec. “Spam is still relatively cheap to send out in large volumes, particularly if spammers can exploit the resources of others, for example by infecting ordinary PC users and turning their computers into spam bots.”
So on the story goes. Three months after the well-publicized McColo shutdown, spam has regained about 80 percent of its previous level. For the foreseeable future, it appears it will remain part of our lives.
“People need to realize that spam is not actually a technological problem – it’s a human problem,” said Graham Cluley, senior technology consultant at Sophos. “And we can’t roll out a patch or new technology that stops people buying products that have been advertised to them via unsolicited messages. I suspect even Bill Gates realizes that now.”