SAN JOSE, CALIFORNIA -- ISPs and spam filters are blocking record amounts of unsolicited messages, but this electronic nuisance is hardly on the decline--and it's getting nastier. Security experts report a growing link between spam and viruses, according to e-mail vendors and analysts at the inaugural INBOX: The Email Event conference here this week.
"You can't separate spam and viruses anymore," said Mark Sunner, chief technology officer of e-mail security vendor MessageLabs. "Virtually all the viruses this year have to do with spam," he said, speaking at a conference session entitled "How Serious Is It? The Threats by the Numbers."
Sunner said two-thirds of global e-mail is spam, and roughly two-thirds of those messages are sent from open proxies. Open proxies are insecure systems that accept connections from any network address and thus serve as gateways for untraceable spam. Open proxies can also allow the placement of a kind of Trojan horse program called a "botnet" on your system without your knowledge. Thousands of these viruses can infect systems and be instructed to launch a denial-of-service attack on a Web site.
You can prevent most such worms by keeping your antivirus software up-to-date, but there's always a lag of several hours between the time a virus outbreak is detected and when antivirus vendors post a fix for it. "Because the antivirus industry is reactive, there's always a window of vulnerability," Sunner said.
Recent months have seen a tremendous increase in phishing attacks, in which criminals try to steal credit card numbers and other personal information by sending messages that mimic official e-mail from large financial institutions. The links in the falsified e-mail lead to fake but official-looking Web sites.
The number of phishing attacks increased 180 percent from March to April this year, and the average monthly increase is 50 percent, according to Dave Jevans, senior vice president at e-mail security firm Tumbleweed Communications. Speaking at the same session, Jevans said "phishers" can rake in $100,000 per attack, and it can cost a company $30,000 to recover from such an attack. He also claimed 30 new phishing attacks occur every day.
Despite the continuing spam tidal wave and the arrival of more dangerous e-mail-borne pests, most analysts at the conference are upbeat about the changes under way in the messaging arena.
In his keynote address, Eric Hahn, chair of antispam vendor Proofpoint, extolled the virtues of the current e-mail system, which he said has served us very well over the past 30 years. Still, Hahn pointed out that the slow pace of change in the e-mail infrastructure needs to accelerate. "It's broken now; it's not serving us today," he said.
Hahn believes spam will eventually be beaten. "Even though spam traffic is increasing, the number of spam messages [getting through to users] is constant or dropping. Chalk one up to the good guys," Hahn said.
Not all INBOX session speakers share Hahn's optimism, however. While speakers generally agreed progress is being made in the important area of authentication, no universal authentication systems are in the offing. And a universal system still wouldn't solve all security-related e-mail problems.
That's because spammers aren't likely to play by the rules, said Dave Crocker, principal at the Internet consulting firm Brandenburg InterNetworking. "Spammers behave like criminals," he said, speaking at a conference session entitled "The Role of Authentication in E-Mail."
Crocker said the industry needs "incremental solutions that have a big impact in the short term." However, he cautioned that organizations underestimate the infrastructure costs of authentication. Also, users get annoyed if sending e-mail becomes too much hassle.
Another analyst who views the glass as half-full is Esther Dyson, editor of the popular technology newsletter Release 1.0, another featured speaker.
Dyson described her vision of the e-mail system of the future in a session entitled "Mail 2.0." She sees all messages, alerts, contacts, tasks, documents, shared calendars, and other information residing in a "cloud" that we can access securely from almost anywhere.
Such a next-generation messaging system will require more-robust access controls and ID management, as well as better thread management and search/classification capabilities, Dyson said. To be effective, it will also need the immediacy provided today with instant messaging. Unfortunately, she added, there's one massive impediment to the development of systems with that level of interoperability: Dyson calls it "the gravitational force of Outlook," Microsoft's ubiquitous e-mail program--and the target of many worms spread via spam.