Schneier on Security
A blog covering security and security technology.
December 12, 2006
I wrote an essay on spam for the Forbes.com website.
There's little in it I haven't said here and here.
EDITED TO ADD (12/12): Another essay.
Posted on December 12, 2006 at 8:47 AM
• 45 Comments
Spam won't stop until someone gets fed up enough to track down a spammer, kill him messily, and post the snuff video "pour l'encourager les autres"
Is that cure worse than the disease? I'll get back to you on that after I sort through a few thousand spams in my inbox.
That won't work. For example, drug dealers kill each other all the time, but new ones still seem to pop up.
Instead of killing them ourselves, let's just convince the government to classify them as "enemy combatants" and send them off to rendering plants (or is that "renditioning facilities"?)
I think that the "computational puzzle" solution is much easier than you appear to think, and would not involve "re-engineering the Internet":
The puzzle mechanism could be implemented as a custom mail header within existing mail protocols. When first implemented, it would simply involve flagging validated messages as such, for easy recognition by the user. As take-up increased, users would begin filtering messages based on this flag. Eventually, messages without the flag would be dropped.
The pace of take up could be left up to individual users, based upon how quickly their own friends and colleagues adopted the solution. If well implemented using a common, open standard agreed upon by all vendors, it would be straightforward for users to adopt. Easy for everyone, except for the spammers.
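The staged rollout this comment describes (flag, then filter, then drop), sketched with a Hashcash-style stamp. This is an added example, not part of the original comment thread: the `X-Hashcash` header and stamp layout follow Hashcash v1, while the 28-day window, the 12-bit demo cost, the addresses and the function names are assumptions made for illustration.

```python
import datetime
import hashlib
import itertools
from email.message import EmailMessage

HEADER = "X-Hashcash"   # header that carries a Hashcash v1 stamp
MAX_AGE_DAYS = 28       # assumed validity window for this example
# Rollout phases from the comment: what happens to mail WITHOUT a valid stamp.
PHASES = {"flag": "inbox", "filter": "junk", "drop": "reject"}


def zero_bits(stamp: str) -> int:
    """Number of leading zero bits in SHA-1(stamp)."""
    digest = hashlib.sha1(stamp.encode("utf-8")).digest()
    return 160 - int.from_bytes(digest, "big").bit_length()


def mint(recipient: str, bits: int, day: datetime.date, rand: str) -> str:
    """Sender side: brute-force a counter, about 2**bits hashes on average."""
    prefix = f"1:{bits}:{day:%y%m%d}:{recipient}::{rand}:"
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")
        if zero_bits(stamp) >= bits:
            return stamp


def verify(stamp: str, recipient: str, min_bits: int,
           today: datetime.date, seen: set) -> str:
    """Receiver side: a single hash plus bookkeeping. Returns a verdict."""
    stamp = stamp.strip()
    parts = stamp.split(":")  # ver:bits:date:resource:ext:rand:counter
    if len(parts) != 7 or parts[0] != "1":
        return "malformed"
    try:
        claimed = int(parts[1])
        day = datetime.datetime.strptime(parts[2], "%y%m%d").date()
    except ValueError:
        return "malformed"
    if claimed < min_bits:
        return "too-cheap"            # sender did less work than we require
    if parts[3].lower() != recipient.lower():
        return "wrong-recipient"      # stamp minted for another mailbox
    if abs((today - day).days) > MAX_AGE_DAYS:
        return "expired"
    if zero_bits(stamp) < claimed:
        return "insufficient-work"    # claimed bits are not backed by the hash
    if stamp in seen:
        return "replayed"             # one stamp pays for one delivery only
    seen.add(stamp)
    return "valid"


def apply_policy(msg: EmailMessage, recipient: str, phase: str,
                 today: datetime.date, seen: set, min_bits: int = 12) -> str:
    """Map a message to a disposition for the current rollout phase."""
    stamp = msg.get(HEADER)
    if stamp and verify(str(stamp), recipient, min_bits, today, seen) == "valid":
        return "inbox (validated)"
    return PHASES[phase]


if __name__ == "__main__":
    # Constructed sample data: date, addresses and random field are made up.
    today = datetime.date(2006, 12, 12)
    seen = set()
    stamped = EmailMessage()
    stamped["To"] = "alice@example.org"
    stamped[HEADER] = mint("alice@example.org", 12, today, "c29tZXJhbmQ")
    plain = EmailMessage()
    plain["To"] = "alice@example.org"
    for phase in PHASES:
        print(phase, "->", apply_policy(plain, "alice@example.org", phase, today, seen))
    print("stamped ->", apply_policy(stamped, "alice@example.org", "drop", today, seen))
    print("replay  ->", apply_policy(stamped, "alice@example.org", "drop", today, seen))
```

The asymmetry is the point: minting costs the sender thousands of hashes per recipient at 12 bits (about a million at the customary 20), while the receiver checks each stamp with one hash and a set lookup.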
Antispam: That's been done already--search on "Vardan Kushnir".
I concur with Max, that won't work so long as there are huge easy profits to be made in spamming.
It will be a long time before new e-mail and subsidiary protocols are designed and widely implemented, if ever. My estimate of the probability that such new mail systems won't be hacked for spamming approaches nil.
I note in passing that by one measure the spam level may not be increasing. One mailbox I own which has recently seen a growing number of spam messages is actually receiving 30-50 copies of some spam messages (usually stock pump&dump), identical except for a name in the "from" and/or "subject" lines. Counting these all as one, perhaps the spam total is not going up as fast as it seems to be.
Looking for a real turnaround in spam: is there any way to discover whether there is any trend downward in the number of recipients who are biting at spam and thus keeping it alive?
Why use email? Because it is cheap and easy to use. The same reasons spammers use it. And using techniques like 'Rockphish' the bad guys are getting around even sophisticated blacklist techniques.
One solution I've heard about is not to charge to *send* email, but to *deliver* email. For instance, an email is delivered to my inbox without being on my whitelist. A polite email is returned asking for $0.10 to be deposited by paypal or visa to deliver the email. If I like you, I'll add you to the whitelist, if not, I'll increase the charge next time. Heck, I'm willing to delete spam if I get a buck or so for the privilege... And $0.10 is not enough to really hack off someone who needs to send me something but who I haven't entered in a whitelist.
Bruce should like this since it removes the externality.
@JBL: unfortunately, I suspect the biters while dropping arithmetically, are not catching up with the costs which are dropping geometrically or the volume which is going up exponentially...
I do not get the reason behind spammers trying to avoid spam-filters:
If I go to great lengths to set up a powerful filter mechanism, what am I going to do if a spam email actually makes it through the filters into my inbox? Surely, I will not say "Hey, great, an advertisement, I will go and buy the product at once."
Rather, I would be annoyed and delete the spam as fast as I could move my finger to the appropriate button.
So: What sense does it make for spammers to circumvent filters? Their customers won't have filters in place if they would actually want to buy products advertised via unsolicited emails.
If they have filters, they won't buy anything that might happen to get through.
Still, as spam prevails, there MUST be people who buy stuff so advertised and measures to avoid filters must pay off as well (instead of just sending plain emails with 'ad:' in the subject -- something I would hardly have a problem with).
I just wonder why people are so dumb...
I think that combination of several methods (blacklists, whitelists, graylists, bayesian filters, relenting responses) operating in the receiving server would work. Bayesian filters in the destination *client* create a new problem: the false positive. If the filters were in the server, the message would be rejected during the protocol and the false-positive sender would be informed. Blocking of a sender server also would make providers a little more careful of whom they accept as a customer. With the actual setup, the burden is left to the final receptor that has to risk false positives or regularly browse through the junk folder.
Increasingly, the filters they're trying to get past are run by the ISP, not the user, so there's no direct connection between the presence of spam filters and the savviness of the user.
@Paeniteo: You can add to that the increasing number of spams directed at RFC2142-required aliases. If a spam filter user is less likely to take kindly to getting spammed, imagine what root, admin, mail, uucp and majordomo think. Directing spam to admin addresses is something I absolutely don't get. (along with the items that come in in batches of 20 for the same address, differing only in Message-ID)
@badly informed boy
One fairly-straightforward computational puzzle that could be implemented is a Digital Signature. That way, email without one automatically gets spam-canned. ISPs can look for high-volume signing keys. The key-acquisition protocol can be arbitrarily slow (and include various Turing tests, as well), to prevent 'Bots from requesting a new key per SpamMail.
@K. Signal Eingang:
At least in Germany, users have to give explicit consent to allow their ISP to filter their mail ("suppressing messages" is a criminal offense).
Therefore, the reasoning remains: If I authorize a 3rd party (ISP or other) to filter my email, I will hardly reward anything that gets through by buying the spamvertised products..!
You may have a point in the corporate area where an employer can possibly use spam-filtering without explicit consent of every employee.
I do not assume that there are users that are totally unaware of the spam-problem and would therefore consider UCE to be a "nice service".
Can spam be used somehow? Can we use spam traffic to monitor network latency & connectivity?
Infinite number of monkeys etc... surely we can harness this waste?
I would like to see the situation rolled back to when spam was sent by individuals from their own machine to each recipient. Then I think the initiatives to add costs onto the spammer would be effective.
And, it should be possible: I don't understand why we generally accept people to send e-mail to any recipient without any authentication.
Users should authenticate when sending mail through their mail provider (web-mail users already do this). And, to authenticate the server delivering mail, servers could have client certificates with name matching the server's hostname for certificate based authentication.
CAs wouldn't like to issue certificates for spam domains - that would hurt their business as their root cert would quickly become untrusted.
True, it is still possible for a hacker to take control of some innocent user's pc, but he would still have to send mail through the mail/network providers relay and the provider could more easily monitor activity and block users.
The protocols are defined and technology is here, the problem is that the cost of implementation is held at the source, but the benefit is at the destination. Only regulation can impose all to accept that cost.
Even if only some countries do not implement such measures, administrators can decide if they do business with non-trustable sources block all or some unauthenticated originating from there.
"... spam is one of computer security's success stories ...."
Spammers may redirect their efforts as current methods become less lucrative, but spam by any other name ....
But, you know, Spam isn't so bad if you can disassociate your mind from the probable manufacturing process. I've been meaning to try the Oven Roasted Turkey variety: Maybe for the holidays! :-)
Hmmm... we need to alter internet users' behavior to reduce spam's profitability.
What we should do, then, is form a Sysadmin's I.T. Association of America (SIAA). Then, this group starts suing everyone who buys spamvertised products, claiming the defendants are responsible for the economic losses caused by spam.
Word starts getting around to the public that buying spamvertised products can cost you big bucks on a settlement (of course, because of the high costs of litigation, it'll never be economical for the defendants to fight). This creates a deterrent.
Income from the settlements can be used to keep the litigation machine going, and/or to fund other antispam activities.
What I don't get is the return of popups. Lots of 'legitimate' sites, such as washingtonpost.com have upped the ante in the popup blocking war, and now get popups past the basic blocking of Firefox and IE. I would think they would understand that the general hatred of popups makes them a bad deal if you care about your image. Assume you reach 1 out of only 10000 customers, but you end up pissing off another 100 so that they'll never buy your product. Where's the economy in that?
The main problem with the law-enforcement approach is that it typically targets the wrong people. It is true, as you say, that often spammers are untraceable, or beyond the reach of the law. However, typically the _advertiser_ is easily traceable, as he must be if a potential customer is to send money for his product.
So an effective anti-spam law would make it illegal to contract with a spammer for advertising, rather than merely banning the sending of spam. Law enforcement agencies could then follow the same money trail as customers, incriminating advertisers by making sting purchases.
After a few advertisers take the perp walk, one would expect that the demand for spam services would drop significantly, and that the spammers themselves would dry up and blow away.
The comments so far seem to assume that spam is still only used to advertise. A lot of it is now viral vector, so "getting past the filter", and being accessible to Outlook Express, is enough of a success. Once the malware has hijacked the machine, there are many uses beyond advertising; hosting a phishing site, DDOSing some time-critical website (e.g. bookies just before major sporting events) etc. There is no clear "sponsor" to punish for such things. In its spare time, the infestation spreads itself to everybody in the victim's whitelist.
Charging a nominal amount to receive each email may sound like an attractive idea at first. Even if it were only a tenth of a cent (1/1000 of $1 US) per delivery -- so that an ordinary user's emails sent would cost mere pennies a day -- with the vast volume of email worldwide there would be billions of transactions per day, making fraudulent transactions hugely attractive. The first person who racked up one billion fake deliveries would be $1 million richer.
Contrary to what Forbes added in the article, Yahoo! does not 'filter' for spam; they merely scan for known terms that are typical of spam and then put it in a Bulk mail folder.
But if you wanted to actually filter and block spam from your Yahoo! account, you can't do it with their domain blocking tool, despite what they claim.
That system works by scanning the headers of incoming mail, looking at the Sender, or Return-Path address, which is pointless because all spammers spoof the sending address. But this is what Yahoo! wants you to enter as the domain to be blocked, even though they know it won't work for you. If they really wanted to let you block mail from a domain, they'd be scanning the headers for the originating domain, but they aren't even trying to do this.
Even services like pobox.com will let you block mail from specific countries as well as use other spam blacklists. But for reasons unknown to us peons who are Yahoo!'s customers, they make no effort to provide this basic filtering ability.
It is very true that spammers only realize a tiny fraction of the "cost", well, "damage" is probably a word for it. I do some consulting work for a small ISP with only a few thousand users, and the amount of spam going in affected their mail processing and delivery time greatly, sometimes to a good few hours for a message to show up at a customer's inbox. I set up spam and virus filtering but the incoming rate was simply greater than the processing rate so the queue continued to build up. The ISP had to purchase a customized spam gateway, the same one used by most companies, just to prevent unwanted messages from even reaching their servers and to guarantee reasonable mail delivery time for their customers.
Another problem I'm having with spams is the amount of bounces from bad addresses. I'm sure I am not alone here. If you host a few domains and run your own mail server, the amount of "failure notices" you see could be insane. Basically spammers use [some random username] @ [your domain].com in the From: line in the spam message, the targeted email addresses from their to-spam lists contain mostly invalid addresses, this causes the mailservers of the targeted domains to send bounce messages to MAILER-DAEMON@[your domain].com. I get so many of these that I began to just drop everything sent to my postmaster account. It still brings my system load *way* up about once a day.
Most servers default to at least double-bounce, I reckon the amount of Internet bandwidth wasted from bounces of undeliverable spams might be a bigger problem than spam itself.
No marketing, no spam. Let's just kill all marketing people instead ;p
I agree with Corey, that the only solution is to attack the demand, not the supply. There are so many ways for spam-suppliers to evade the barriers, they will never fall far behind in the "arms race".
Attacking the demand - the spam consumers - on the other hand, works for any technology, any device - email, browser, phone, whatever. There is not necessarily even a need for any new law.
ISPs could change their terms of service to allow them to do this: send phony spam to their subscriber John Doe. If John responds in a way that would benefit the "spammer", suspend his account for a week and put his name on the "this person encourages spam" list of shame for all to see.
Repeat that a few million times, and the spammers will be hurting.
And all those "you sent an email with a virus in it" bounces. Yeesh! It's amazing how many mail admins out there actually think viruses use real 'from' addresses.
Identity of mail senders in business should be accepted and that would solve the problem for a fair amount of people, mainly those who seem to complain. Unfortunately, the USA is very reluctant to accept automatic Identification of any sort and they all seem so attached to protect anonymity. As a business user, I would welcome a system where only authenticated email is delivered, one who cares so much about being anonymous does not need to do business with me. I believe the business world will this way eventually split up with private world by adopting some scheme of authentication, making it automated was the only way to make it cheap, unfortunately it seems to be so unacceptable to so many.
I had planned, back before Jerry Orbach died, to write a "Law and Order" episode on the subject of spam. I only managed to do the teaser (as found in the link)...
The story would illustrate a point where the cost of spamming would get _very_ high.
I got a surprising amount of approving feedback from this story...
And, yeah, it's on an Adult Stories site, but I provided a direct link so you won't be exposed to anything except the specter of violence.
As you can read, solving the spam problem isn't likely to occur.
Solutions that require identification (SPF, dsigs) won't work anytime soon because of slow adoption.
Legal avenues fail because spam comes from too many countries with different laws and often originates from spambots.
Charging for email doesn't work because it needs identification to work and adds the burden of actually making and receiving payment.
Those that send bounces -- or worse those automatically generated emails that say they won't accept email unless you can prove you are a human (even if their email to ask for this is not from a human, so what if I send them the same response to theirs?) -- don't work because they only increase usage and slow down delivery of email.
Whitelists won't work because we often communicate with companies and people we don't know in advance.
Blacklists won't work because of spambots and constantly changing IPs.
Heck, many can't even figure out what spam is since we get people complaining we spammed them for emails that are not spam.
@X the Unknown:
Digital sigs are being done -- called DomainKeys or DKIM -- the latter nearing completion of IESG's last call.
You are confusing 2 very different things. User attempts to filter spam is pointless today. One of Bruce's article's points was that the more advanced the spam detection, the more advanced the spammers have gotten. For the cases you point out, spammers moved past these in 1999. But, all email clients have that minimal feature set, and in some cases the features can be useful. For instance, the ex-significant other problem can generally be solved with end-user filters. The fake rolex/pharm/etc problem can not.
Know you weren't all that serious, but... since there is no definition of spam that anyone can agree on, that would certainly stop the problem -- every user in the world would be removed!
Damn straight I'm serious. Who says everyone has to agree?
These won't be borderline "well _maybe_ it's sort of OK" phony spam, they'll be no-holds-barred, this-fools-no-one spam. You buy it, you're a willing spamee, no question about it.
Oh, you clicked by mistake? Then don't make that mistake again. Meanwhile, catch up on some book-reading.
I find it slightly ironic that, having clicked on the link and started to read the article, a pop up appeared asking me if I wanted to take part in a survey!
SPF won't work, not because of slow adoption but because anyone can set a SPF entry in their DNS records. In fact some spammers were quick to do so.
On the other hand, digital certificates issued by a trusted third party will work. CAs could issue mail server certificates and their business would depend on not issuing certificates for spammers. Certificates could also be used ensure that mail is only sent through the authorized relay.
Slow adoption is a problem, and slow adoption is caused by the fact that those who benefit are not those who have the cost of implementation which is why pushing it with law may be considered.
If you take a sufficiently large economy, say US or EU and push such requirements, then everyone working within that economy can benefit on this: Small companies not doing business with partners outside can simply opt for blocking the rest, and larger companies can implement extra checks on un-trusted mail.
If large economies make that step, other countries will likely follow simply in order not to be cut off from doing business.
In EU a directive has been passed that enforces all countries to implement national CAs, knowing that these work within national boundaries of the EU means that server certificates issued by these are issued to entities working under EU common law and hence EU anti spam and privacy directives apply to the entities. Hence these certificates can be trusted for mail server authentication.
I have recently written to the EU commissioner to propose that authenticated e-mail be required, so any comments as to why this is a bad idea are welcome. The EU is currently considering how to clamp down further on spam and welcomed my suggestion ...
Actually, authenticated e-mail might be implicitly required by the new data retention directive (in the name of the war against terror) that requires e-mail envelopes to be logged - what use is this if data cannot be trusted? So, the idea can be sold on the "war against terror" argument ... (although I prefer not).
Another benefit would be that certificate based authentication of servers would require servers to support SSL/TLS and hence provide encryption of mail in transit for improved privacy.
"SPF won't work, not because of slow adoption but because anyone can set a SPF entry in their DNS records. In fact some spammers were quick to do so."
SPF is not to prevent spam as such. It is to prevent spammers from using fake from-addresses.
I receive many "delivery status notification" bounces, because spammers use MY email address as the source for their sh**. I have set up very strict SPF records that clearly indicate the few IP addresses allowed to send email in the name of my domain but mailservers don't seem to listen.
The problem is that I have to decide between training my Bayes-filter on these bounces or not, as sometimes a bounce is a nice thing (to repeat: if the email causing it comes from my mailserver).
Why not spam the spammers?
If there was an automated system which detected spam and forwarded the spam to all the spammers detected so far the spammers' mailbox would be flooded with spam and they would have no possibility of picking out the genuine replies from suckers out of their mailbox.
This of course would only work against real spammers who want actual replies and not malicious spammers who want to install malware.
I guess the big problem is that no one person or organisation is annoyed enough to actually pay for effective anti spam measures.
Ironically, I get about 2% of the spam delivered that I used to get perhaps 3 years ago. Then when I used to get 100 dropped into my Inbox per day, now it is more like one a month. Maybe the filtering done these days is better?
I think filtering sounds like a poor solution, but now that I'm getting basically no spam with zero false positives in the "spam box"... I dunno, the problem has been solved for me.
Still using the same email address since 1993 as well.
Yesterday while reading the article at Forbes, a little advertising window scurried across my screen. When I clicked to close it my computer froze and had to be rebooted. Apparently Firefox 126.96.36.199 is not hardened against irony.
I stay ahead of the spammers by changing my gMail accounts often. It is easy, cheap, just let my white list friends know my new address.
Decades ago, there was a silly idea to use spam to hide steganographic data.
I see a way to revive this idea - Bob conceals an encrypted message in a jpeg, and then sends the jpeg as spam-mail to millions of users. Most will kill the message off with filters (Bob uses a rather cheap spammer service). Some will be annoyed and delete it. And only Alice will get the idea and extract the message.
However, Bob and Alice have to negotiate means of recognising a message "disguised" as spam beforehand...
I'm not so sanguine about "winning" the war on spam.
When we rolled out our new mail cluster last year, we were getting about 1,000 legitimate emails a day, and 11-12,000 spam messages a day.
We enabled strict FQDN name checking at the HELO on incoming mail transactions and rejected 87% of our incoming mail attempts. Unfortunately, two of those rejections were from domains that ought to know better, so the FQDN name check was removed. (Thank you sysadmins who either don't have a proper MX record or who make errors in your DNS zonefile).
Now we're delivering about 34,000 emails a day, but we still only have about 1,000 legitimate emails. Any way you cut it, that's a staggering increase in spam in a year.
If the numbers continue to increase along these lines, we're looking at having to accept a half-million spam messages within a couple of years in order to get 1,000 legitimate emails. Suddenly a task that *should* require a marginal amount of processing power (come on, 1,000 mails could be delivered on a 286 platform) is going to require a pretty massive amount of resources just to get a reasonable signal/noise ratio.
[quote] I'm sure I am not alone here. If you host a few domains and run your own mail server, the amount of "failure notices" you see could be insane. [/quote]
This only happens when you run a misconfigured mail server, e.g. a mail server accepts mail for @yourdomain.com. Check tech.documentation for your mail server how to turn this off.
Computational puzzle? HashCash is already old hat and is recognized by SpamAssassin.
More irony to this old post. I receive 3-4 emails a week from forbes.com or sponsored by them for HP, etc. I have opted-out online, written their privacy contact and 5 months later still get email. Amazing now that they are the spammers!