Several weeks ago I expressed skepticism at AOL's claims of substantial drops in spam coming into their network and delivered to their customers. I wanted to see some confirmation from other vendors.
I still haven't seen anyone claim drops, but I've seen two important reports of stabilization. First, Symantec's Brightmail unit is reporting that spam through their servers has stayed at 66 or 67 percent for the last 5 months. That's still a lot of spam, but it follows a long period of steady increase, even as the overall amount of e-mail increases. If that number is still increasing, then it means that legitimate mail is growing faster than spam for the first time in ages. Of course, as you can tell from the numbers to come here, the definition of spam is not a standard thing.
Other large vendors are showing a flattening trend. MessageLabs, the e-mail service provider, has a detailed graph showing trends in their overall spam volume. The actual data shows a monthly peak in July 2004 of 94.5 percent, but things clearly have eased off since then and the overall trend is towards a flattening at, or just above, 80 percent.
Finally, Postini last week reported that for 2004, “spam was consistently between 75 percent and 80 percent throughout the entire year.” The numbers are reminiscent more of Brightmail's than of AOL's, but Postini speculates the same reasoning as AOL: The advent of legislation, prosecution, private litigation and the increasing quality of much anti-spam technology are combining to discourage spammers and to decrease the amount of spam reaching actual inboxes.
I've been asking everyone what they thought of AOL's numbers and the consensus reply goes something like this: “Gee, we're not seeing anything like that, but I suppose it's possible.” (That sure cleared things up.) In other words, they agree with me. The only way AOL's numbers make sense is if spammers really are so scared of AOL's litigation that they really are cleansing their lists of aol.com addresses.
It's always been assumed that part of how spammers make their money is by trading and selling lists of addresses, and removing the AOL addresses makes the list smaller. Does it make the list less valuable because it is smaller or more valuable because it is free of the dreaded AOL addresses? I haven't heard anyone claim that AOL-free lists are a hot item in the list market.
Parenthetically, some number of addresses in these lists are aliases—such as bigfoot.com addresses—that forward to AOL addresses. Does AOL have the same standing to sue spammers whose messages reach its network through aliases as they do with spammers who send messages specifically to an aol.com address? Maybe not. If anyone knows for sure, please tell me.
Everyone's numbers show a rapid increase in phishing attacks and forecast a continuing increase. Postini says that as much as 1 percent of all spam is phishing of some sort (like spam, the definition of phishing probably is not standard). Sounds like good news for companies that specialize in countering phishing attacks.
I've also seen anecdotal evidence that—until this last week's MyDoom and Bagle outbreaks—e-mail worm traffic had declined to very low levels. Now that's a trend I can believe, since there's no good reason for someone to get infected by one of these things unless they are utterly irresponsible.
AOL does insist that their numbers are for real, and they tell me that the numbers they put out factored in some of the issues I brought up, such as declining enrollment. Assuming for the moment that everyone (except me, of course) is exaggerating to advance their self-interest, AOL would be expected to give you the impression that they are better at blocking spam and intimidating spammers than their competitors. Postini, MessageLabs and Symantec, on the other hand, don't really have an interest in spam going away, because their sales are proportional to the level of threat.
And a number of unique factors about AOL make it possible, maybe even imperative, that they work more aggressively. First, since their user base is the biggest load of newbies on the Net, they are a natural target for spammers looking for naiveté. Second, AOL has been more aggressive about blocking outbound SMTP connections than other ISPs. Some ISPs still don't even require SMTP AUTH (where you have to provide logon information for your outbound connection); in such cases spammers can use a zombied system to send mail through the ISP's mail servers. They even have a rate-limiting capability called SRL that limits other ISPs' zombied systems.
It's easy to see where such logic takes you, and I find it much more believable that the people I'm talking to at all of these companies are professionals and really do see themselves as fighting spam on behalf of their users. This leads me to believe everyone, including the possibility that AOL really is way ahead of the curve. Perhaps the Internet Engineering Task Force should just recommend AOL accounts as a new Internet standard for spam fighting.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.