Schneier on Security
A blog covering security and security technology.
« Marx Brothers on Security |
| German Police Want the Right to Hack Computers »
April 11, 2007
There Aren't That Many Serious Spammers Out There
If there's only a few large gangs operating -- and other people are detecting these huge swings of activity as well -- then that's very significant for public policy. One can have sympathy for police officers and regulators faced with the prospect of dealing with hundreds or thousands of spammers; dealing with them all would take many (rather boring and frustrating) lifetimes. But if there are, say, five, big gangs at most -- well that's suddenly looking like a tractable problem.
Spam is costing us [allegedly] billions (and is a growing problem for the developing world), so there's all sorts of economic and diplomatic reasons for tackling it. So tell your local spam law enforcement officials to have a look at the graph of Demon Internet's traffic. It tells them that trying to do something about the spammers currently makes a lot of sense -- and that by just tracking down a handful of people, they will be capable of making a real difference!
Posted on April 11, 2007 at 6:41 AM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
How exactly does he arrive at the conclusion, though? All I can see is that he asserts that "it is clear that very significant volumes of spam is being sent by a very small number of gangs", but there never seems to be any reasoning why this would be true, much less and data to back up that claim.
I'm not saying it's not true, but after reading that article, I have no reason to believe it is that I didn't have before.
Read the comments - he explains how he reaches that conclusion a little more there.
One of the comments on the source page was this:
"While it’s clear that a small group of spammers is responsible for some huge volume of spam, it’s not clear that *all* or even most of spam comes from them. E.g. your numbers are consistent with 5M spam messages a day of “background��? spam with thousands of different sources, and the rest of it due to a small gang."
I'm sure this question is asked every time spamming is discussed but why can't spammers be tracked down by subpoenaing the makers of the products that are advertised (who must be accessible). If they are using an illegal tool to sell their product they must be liable to pass on their spammer contacts, surely?
This is what Spamhaus has been saying since years. They keep records about all the spam gangs out there.
You do wonder why it is so hard for law enforcement to track them down while Spamhaus can.
I thought this was pretty obvious; most spam is repetitive, so it's coming from only a few groups. And, of course, it would be relatively easy to stop, if there was any actual interest on the part of law-makers and law-enforcement personnel.
@Hanno: "You do wonder why it is so hard for law enforcement to track them down while Spamhaus can."
The difference between Spamhaus and law enforcement is that the latter have to provide *evidence* to a judge/jury...
@Paeniteo: I consult lawyers from time to time. Check the records at Spamhaus. I'd consider their material fairly good evidence for many of the cases where the spammers have been spamming for years without being hassled by law enforcement or a court.
@David: Spammers use several layers of fake contact data and maildrop companies to avoid being found. By the time law enforcement tries to make sense of those, the spammers have long moved on to new fake contact data.
It's a question of persistence. I'm sure that law enforcement could track them down if they wanted to. But it appears to me that they consider it too difficult and not rewarding enough, so they don't.
Spam is a very white collar crime. You don't see any actual victims.
@Randolph Fritz: "I thought this was pretty obvious; most spam is repetitive, so it's coming from only a few groups."
That, or all the little spammers are all using only a few different products to send their spam, and those products are providing most of the content (fill in your stock name here, we generate the GIF with pump & dump text and generate the chaff for the rest of the message).
Yep, it's a FAQ (why not just go after the sellers of spamvertized products?)
The answer: joe jobs (i.e. the spamming may be without the authority of the merchant. For example, if it were illegal to have a spamvertized product, I could crush my competitors by spamming their product).
I'll follow up with my own crackpot anti-spam idea: Take a page from the RIAA's playbook. Get some heavily moneyed interest to realize spam hurts them. Have them throw civil lawsuits at spammers until they wither and die from legal defense costs. Have them get their country's anti-spam laws toughened, and then get other coutries to "harmonize" their anti-spam laws with that.
The burden of proof is lower for civil cases.
As far as I can tell, he's hanging this entire analysis on the behavior of the week 3 (green) curve between Sunday and Monday. That curve goes from an unusually low level to a significantly high level in one day. But all the other points are consistent with slowly-changing secular trends that don't seem to require explanations in terms of small numbers of external causes.
Maybe he's spotted the outline of a pattern, but it would require a much more extensive analysis with a lot more data to support his conjecture. What he shows is not worth making public policy with.
Re: following the contact data. My understanding is that the recent surge in penny stock related spam allows the spammers to receive revenue by manipulating the stock price without having to provide direct contact info.
The statistics of a peak on one ISP could be explained by spam tools which move serially from one ISP to another (e.g. since they get better surprise that way?). However, Spamhaus claims 80% of spam by 200 spammers.
If their evidence isn't pretty solid, I would guess some of their comments (read the descriptions of the spammers) were quite open to attack by lawsuit..
I am always somewhat surprised that I can set up a new email account, not use it or register with any website and within hours if not a day start receiving spam. This is not limited to a single ISP, pop3, or even web based email accounts. Nor is it an easy email name to just generate as a blind guess.
OK I just set up a honeypot spamtrap email account. Also registered for Dancing with The Stars at ABC dot calm. Lets see how long it takes to receive spam at this email address.
Expensive, yes, but spam prosecutions get lots of media coverage, since journalists are heavy email users. Making a case against a big spam gang could be a great political move for a computer crimes prosecutor interested in running for higher office.
"The answer: joe jobs (i.e. the spamming may be without the authority of the merchant"
That makes no sense then... if the spammer is not being paid by the merchant (or some one in the chain) that benefits from the sales, there is no value to the spammer. The spammer needs you to eventually contact someone / place in order to sell the product or phish for your information. The chain-of-conections may not be easy to detect or determine, but it is there nonetheless -- its just a matter of determination.
As well, the spammers have to enter the 'net at some point in order to send out all the spam, If the major ISPs ever develop the moral fortitude to do the right thing, they could readily co-ordinate their efforts and track the spammers to some common sources and deal with it. But just as with banks and credit card fraud, it is easier and cheaper fo them to ignore the issue and just pass the costs along to the innocent consumers.
As he said, a joe job: http://en.wikipedia.org/wiki/Joe_Job
In this case, the spam is not sent by somebody who cares about the sales at all: it's sent by a rival organization or disgruntled employee to look like it came from the company, so as to trash their reputation. If having a product sold via spam is illegal, then sending spams on somebody else's behalf could be used to destroy their ability to do business. The sender doesn't care about seeing any sales: he only cares about the resulting damage.
@ Randolph Fritz said "And, of course, it would be relatively easy to stop, if there was any actual interest on the part of law-makers and law-enforcement personnel."
I agree with @Corey. Let the recording industry copyright the spam - or even better, find copyrighted material in the spam - and let their Dogs of War loose. That would be a fight worth watching. (And get the RIAA off our backs, too.)
My personal best was creating a new Yahoo account a few weeks ago and getting 30 spam in the first 45 minutes. And I disclosed that address to no one.
Also, last weekend I saw about 800 bounces to a non-existent address at my domain. Clearly a joe-job, but I didn't think I had any enemies. :)
Somewhat related, I've never understood the logic behind sending spam to administrative addresses (root, admin, info, etc). One would think spammers would prefer addresses not pre-qualified as anti-spam.
Okay, let's say hypothetically that there are really only five spam gangs that generate ~90% of the spam volume.
Wouldn't these five entities be wealthy beyond imagination, and quite capable of fending off little threats like prosecution, infiltration, disconnection, and assassination?
Said Brian: "In this case, the spam is not sent by somebody who cares about the sales at all: it's sent by a rival organization or disgruntled employee to look like it came from the company, so as to trash their reputation."
Frequently this is a tactic attempting to bruise an active anti-spammer. Half the problem is that the victim is an apparent spammer, the other half is the vast quantity of bounces the victim receives because of the bad addresses in the spammer's list.
i use Gmail and never get spammed. just use Gmail and all your trivial human worries are gone.
I figured they were just joking all along.
Why is nothing being done about this?
Could it be that our public leaders "cough, cough SERVANTS cough" are so clueless?
So far, I think so!
Time to start writing to congress and tell them to start earning a paycheck!
"My personal best was creating a new Yahoo account a few weeks ago and getting 30 spam in the first 45 minutes. And I disclosed that address to no one."
You must have your computer infected with a trojan, then. I created a Yahoo e-mail account months ago and disclosed it to no onw (I use Sneakemail's aliases to receive and post from that account). I haven't received ONE SINGLE spam message.
Sorry 'bout the late comment. Life's been busy. If this analysis is correct, and there really are just a few small spam houses, that creates a very interesting possibility if you're an ISP. The CAN-SPAM act allows an ISP to sue spammers to the tune of $25-100 per individual spam message, up to a max of $1M. I've posted details here:
A local trojan is possible; but I guess we should give readers of this blog the benefit of the doubt. Employees from ISPs have previously been caught selling lists of email addresess. Whether your address would get sold is likely a matter of luck. Also, every router / ISP from your PC to Yahoo may be suspect. Especially if they are running a (transparent?) proxy.
I think many of the email hosting companies (like yahoo) try quite hard to keep their email lists secret, but it's going to be quite hard to do reliably.
Rather than prosecuting the vendors of spamvertised products, we should subpeona them to provide details about who they contacted their spamvertising to. In the case of Joe Jobs, this would be a dead end, but he is the exception, not the rule.
Another option would be to go after the botmasters. I'm not an IRC expert, but there should be some way of tracking who is running these channels back to an IP address, right?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.