Why Spam Won't Go Away

By Bruce Schneier
Forbes
December 12, 2006

Spam is filling up the Internet, and it's not going away anytime soon.

It's not just e-mail. We have voice-over-IP spam, instant message spam, cellphone text message spam, blog comment spam and Usenet newsgroup spam. And, if you think broadly enough, these computer-network spam delivery mechanisms join the ranks of computer telemarketing (phone spam), junk mail (paper spam), billboards (visual space spam) and cars driving through town with megaphones (audio spam). It's all basically the same thing--unsolicited marketing messages--and only by understanding the problem at this level of generality can we discuss solutions.

In general, the goal of advertising is to influence people. Usually, it's to influence people to purchase a product, but it could just as easily be to influence people to support a particular political candidate or position. Advertising does this by implanting a marketing message into the brain of the recipient. The mechanism of implantation is simply a tactic.

Tactics rise and fall in popularity based on their costs and benefits. If the benefit is significant, people are willing to spend more. If the benefit is small, people will only do it if it is cheap. A 30-second prime-time television ad costs 1.8 cents per adult viewer; a full-page color magazine ad about 0.9 cents per reader. A highway billboard costs 0.21 cents per car. Direct mail is the most expensive, at over 50 cents per third-class letter mailed. Direct mail needs to be far more effective than a highway billboard, per recipient, to justify the cost.

Spam is such a common tactic not because it's particularly effective--the response rates for spam are very low--but because it's ridiculously cheap. Typically, spammers charge less than a hundredth of a cent per recipient. And that number is what spamming houses charge their customers to deliver spam; if you're a clever hacker, you can build your own spam network for much less money.

If it's worth $10 for you to successfully influence one person--to buy your product, vote for your guy, whatever--then you only need a 1-in-100,000 success rate. You can market really marginal products with spam.

However, this cost/benefit calculation is missing a component: the cost to the recipient. Spam costs corporations millions in Internet capacity, clogs up infrastructure, requires people and products to deal with it and wastes employees' time wading through whatever spam makes it into their inboxes.

There are also less tangible costs. Marketing messages annoy. The advertiser pays part of the cost of annoying people if they decide to boycott his product. But more of the cost is paid by the receiver: the beauty of the landscape is ruined by the billboard, dinner is disrupted by a telemarketer, spam makes e-mail a more annoying task and so on.

This is why spam is such a hard problem to solve. For each e-mail, the spammer pays a cost and receives a benefit. But there is an additional cost paid by the e-mail recipient. Because so much spam is unwanted, that additional cost is huge--and it's a cost that the spammer never sees. If spammers could be made to bear the total cost of spam, then its level would be more along the lines of what society would find acceptable.

The best solutions raise the cost of sending spam. Spam filters raise the cost by increasing the amount of spam that someone needs to send before someone will read it. If 99% of all spam is filtered into trash, then sending spam becomes 100 times more expensive.

This is also the idea behind whitelists--lists of senders a user is willing to accept e-mail from--and blacklists--lists of senders a user is not willing to accept e-mail from.

Filtering doesn't just have to be at the recipient's e-mail. It can be implemented within the network, or at the sender level. Several Internet service providers already filter both outgoing and incoming e-mail for spam, and so do Web-based e-mail providers like Google, Yahoo!, and Microsoft. The trend will increase.

Anti-spam laws are another attempt to raise the cost of spam to an intolerable level; no one wants to go to jail for spamming. We've already seen some convictions in the U.S. Unfortunately, this only works when the spammer is within the reach of the law; it's less effective against criminals who are already committing fraud and using spam merely as a mechanism.

Other proposed solutions try to impose direct costs on e-mail senders. I have seen proposals for e-mail "postage," either for every e-mail sent or for every e-mail above a reasonable threshold. I have seen proposals where the sender of an e-mail posts a small bond, which the receiver can cash if the e-mail is spam. There are other proposals that involve "computational puzzles": time-consuming tasks the sender's computer must perform, unnoticeable to someone who is sending e-mail normally but too much for someone sending e-mail in bulk. These solutions generally involve re-engineering the Internet, something that is not done lightly, and hence are in the discussion stages only.
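The computational-puzzle idea can be made concrete with a hashcash-style proof of work. This is an added example, not code from the essay; the stamp format (recipient plus counter) and the difficulty levels are assumptions. The sender must find a counter whose SHA-256 hash carries a chosen number of leading zero bits, which costs on average about 2**difficulty hashes per message, while the receiver checks any stamp with a single hash, so the cost lands on whoever sends in bulk.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def mint_stamp(recipient: str, difficulty: int) -> tuple[str, int]:
    """Sender's side: search counters until SHA-256("recipient:counter") has at
    least `difficulty` leading zero bits. Returns (stamp, hashes tried).
    Expected work grows as 2**difficulty, so bulk sending gets expensive fast."""
    counter = 0
    while True:
        stamp = f"{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty:
            return stamp, counter + 1
        counter += 1


def verify_stamp(stamp: str, recipient: str, difficulty: int) -> bool:
    """Receiver's side: one hash, whatever the difficulty; also binds the
    stamp to this recipient so a stamp minted for someone else is rejected."""
    if not stamp.startswith(recipient + ":"):
        return False
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty


def accept_stamp(stamp: str, recipient: str, difficulty: int, seen: set) -> bool:
    """Verify and record a stamp; a stamp already spent once is refused, so the
    sender cannot pay for one puzzle and reuse it across many messages."""
    if stamp in seen or not verify_stamp(stamp, recipient, difficulty):
        return False
    seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed demo: show how the sender's work scales while the receiver's stays flat.
    for difficulty in (8, 12, 16):
        stamp, tried = mint_stamp("alice@example.com", difficulty)  # assumed address
        print(f"difficulty {difficulty:2d}: sender tried {tried:6d} hashes, "
              f"receiver verifies with 1 -> {verify_stamp(stamp, 'alice@example.com', difficulty)}")
```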

The best way to think of this is an arms race. Anti-spam products block a certain type of spam. Spammers invent a tactic that gets around those products. Then the products block that spam. Then the spammers invent yet another type of spam. And so on.

Blacklisting spammer sites forced the spammers to disguise the origin of spam e-mail. Whitelists, and other anti-spam measures, led spammers to hack into innocent machines and use them as launching pads. Scanning millions of e-mails looking for identical bulk spam forced spammers to individualize each spam message. Semantic spam detection forced spammers to design even more clever spam, or embed their messages within images. Each defense is met with yet another attack, and each attack is met with yet another defense.

Honestly, there's no end in sight. In early 2004, Bill Gates stood up at the World Economic Forum and predicted the end of spam within two years. Last week, The New York Times reported that spam has doubled in the past year and now accounts for 90% of all e-mail messages.

But even so, spam is one of computer security's success stories; current anti-spam products work pretty well. I get only a few spam messages a day, and very few legitimate e-mails end up in my spam trap. It will be a long time before spam stops clogging up the Internet, but at least we don't have to look at it.
