Has the Internet Outgrown Spam?

spam
Graphic: Diego Aguirre
In the late 1990s Robert Soloway made $20,000 a day as a spammer. He drove fancy cars. He wore Armani clothes. He was, by all accounts, one of the most successful spammers on the planet. But if he were starting out today, he'd find some other line of work.

In 2011, spamming just won't pay the bills. "It's not something financially feasible for anyone to even consider," says Soloway, who was released from the Federal Correctional Institution in Sheridan, Oregon a few months ago, after serving almost four years in prison for spamming.

spam soloway
So-called Spam King Robert Soloway, recently released from prison.
For a time, his business was good. He spammed people to advertise his company, Newport Internet Marketing, which in turn offered a full range of spamming services for the unscrupulous marketer. $195, for example, would buy a 15-day spam run targeting 2 million addresses. Those with more cash could pay $495 and the Spam King, as federal prosecutors called him, would hit 20 million inboxes.

But Soloway now says that even before federal agents arrested him four years ago, spam was a losing proposition. In 2007, "when I had ten years of experience and knew every possible way to send out spam," he was still losing money, he said.

His problem? Spam filters had become too good. In 1997 Soloway was making his $20,000 a day with just one Earthlink account and a single mail server. Ten years later, he had hundreds, perhaps thousands of accounts, computers and Internet domains which he used to play an increasingly complex game of cat-and-mouse with the antispam crusaders trying to shut him down. When he finally stopped, he was making just $20 per day. "That should tell you how effective the antispam community has become," he said.

Spam Pales Amid Cybercrime

With each passing year, the reports of criminal activity on the Internet seem to get more disturbing. Distributed denial of service attacks knock entire nations offline; criminal gangs make off with hundreds of millions of dollars using stolen bank card data, a nation's nuclear ambitions are thwarted by a new type of computer worm.

Spam volume trends (click to enlarge chart). Source: Cisco

But lately a ray of light has cut through all the gloom. Spam -- the Internet's original sin -- dropped in volume for the first time ever at the end of 2010. In September, Cisco System's IronPort group was tracking 300 billion spam messages per day. By April, the volume had shrunk to 34 billion per day, a remarkable decline. "The largest spam-sending botnets are being shut down and a lot of the big pharmaceutical spam has disappeared," said Nilesh Bhandari, a product manager with Cisco.

Spam watchers say a handful of high-profile arrests at the end of 2010 put a dent in the business, but there may be a bigger issue: E-mail spamming, at least in its traditional form, may not be as profitable as it once was.

"You don't see a lot of new blood coming to the table," said Joe Stewart, a researcher with Dell's SecureWorks group. Every year or two Stewart takes a look at the top spamming botnets on the Internet. He analyzes spam messages and tracks down the networks of hacked computers responsible for sending them out.

This year, the news was that there was no news. Stewart didn't find any new spam botnets. "Everything that is spamming today is pretty much what was spamming two years ago," he said in February when he released his latest report.

There was a brief, halcyon day when the Internet, or rather its precursor, the Arpanet, was spam-free. But then a Digital Equipment Corporation marketer named Gary Thuerk decided to let a few hundred Arpanet users know about his new DecSystem-20 mainframes, and it was downhill from there. When consumers flocked to the Internet in the mid 1990s -- Soloway's glory days -- the open online culture provided a breeding ground for fraudsters, and soon the vast majority of all messages on the Internet was unsolicited commercial e-mail.

Spammers Shift Tactics

Until recently, spammers were in an ugly war of attrition. As spam filters got better and better, spammers bumped up the volume of messages they pumped out. If a fraction of one percent of a million messages get through, that's not profitable. Make that a billion messages and the money starts to add up. But it now seems as though this war of escalation has subsided; not because the spammers have given up, but because the game is changing.

spam can-spam act
Illustration: Joe Zeff
U.S.-based spammers have all but disappeared, scared off by prison sentences handed down to the likes of Soloway under the 2004 CAN SPAM Act. Even overseas there has been progress. In the past year a series of spam-spewing botnets -- Waledac, Pushdo, and most recently Rustock -- have been taken offline thanks to the efforts of law enforcement and private security researchers. And in October 2010, an affiliate marketing website called Spammit closed its doors. It was used by spammers pushing online pharmaceuticals, and was a major source of income for many spammers.

That's taken a big dent out of spam, but the nature of the business has evolved. Once a source of irritating commercial marketing messages, unsolicited mass e-mails are increasingly being used by scammers and criminal hackers to ply their trade.

No longer is spam just a way to sell pornography or cheap pills. Spam messages are being used to install malicious software, and for a targeted form of spamming called spear phishing that has become a particularly effective hacker technique. A spear phishing attack opened the door to RSA security and helped hackers to compromise the security of RSA's SecurID tokens.

Spammers may be getting more crafty, too.

"There has been a decline in what we're getting in our traps, but what we're seeing that's out there is smarter spam," said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham. Warner helped set up a massive database at the university that vacuums up as many as a million spam messages per day.

Take February 14, for example; Valentine's Day. Instead of the usual Viagra or Rolex spam, Warner saw a flood of messages advertising a legitimate florist -- FTD. That's a more targeted form of spam than what his team would typically have seen a couple of years ago. And the spammers were directing people to a legitimate Web site -- FTD Flowers -- making their money from Web marketing referral fees. If the spammers succeeded in reminding just a few absent-minded spouses to order flowers, they could make money.

Web Changes, Spam Shifts

Another example of smart spam? Those strange e-mails that come from friends, telling you to visit an online pharmacy or watch a video. Criminals break into Hotmail or Gmail accounts and send messages to every one of the victims' mail contacts before anyone realizes. This type of spam -- sent between two people who know each other -- is much more likely to evade filters.

spam social media twitter
Scammers have taken this game to Facebook, YouTube, and Twitter too. Sometimes they send @messages to their targets. Other times they hack into an account and use it to send out their messages. That's what happened last week to "Shaun of the Dead" actor Simon Pegg's Twitter account. It was used to spam out a Trojan horse program disguised as a screensaver to his 1.2 million followers.

The hunt for new ways to pump out unwanted messages is a natural evolution. Old fashioned e-mail isn't the ubiquitous connector it once was. According to the Pew Center for Internet Life, young Internet users shy away from e-mail, preferring texts and instant messages. Pew's December 2010 Generations report on Internet usage found that 70-year-olds are now more likely to use e-mail than teenagers.

In an effort to reach these younger Internet users, scammers have turned to search engines too, poisoning search results by gaming Google or Bing.

"People are spending more time on Web properties than they were four or five years ago," said Paul Judge, chief research officer at security appliance vendor Barracuda Networks. The result is that search engine results are becoming cluttered with blatantly commercial or useless pages, in much the same way that e-mail boxes were flooded when spam first spiked about a decade ago.

Scammers know how search engines work, and they work hard to get their dodgy pages to pop up near the top of search results. They bombard online forums with links to their pages or hack into websites to add links -- all in an effort to boost their Google ranking. For less than $100, crooked marketers can automatically add 10,000 links --typically from the comments section of blogs -- to whatever webpage they want. This can quickly push a webpage to the top of Google or Bing's results.

New Tricks

This doesn't only lead to bad Web-searching. Sometimes it means that people get hacked. In fact, the number of malicious Web pages that use search engine optimization tricks to lure visitors nearly doubled between June and December last year, Judge said.

spam
Illustration: John Bleck
Even spammy Web pages that aren't malicious, the ones slapped together with stolen or low-quality content, are becoming a problem. Earlier this year Google was forced to acknowledge a "slight uptick" in spam pages, and said it was trying new tricks to exclude unwanted pages from its results.

Spam is morphing. So while the spam boom that kicked off in the late 1990s may finally be abating, that doesn't mean unwanted mass e-mails are going away. It's still an effective way for scammers to quickly and cheaply connect with millions of people they don't know, and convince them to buy something they don't need or to go to a Web site they should really avoid.

On just one day last week, Cisco's IronPort group tracked more than 45 billion spam messages. That means spam accounted for 86 percent of all the e-mail on the Internet that day. In a recent report, Symantec pegged spam at 73 percent of all e-mail. But both companies agree that it's at its lowest levels in years.

Robert Soloway believes spam will never die, so long as e-mail is free. But the barriers to entry are getting higher. According to the former Spam King, people will try it out, then once they realize how hard it is to make it big, most will move on to something else.

But those who have found a way to make money will be around for a long time, said Dell's Stewart. They may be dinosaurs, but "they're dinosaurs that are still making money," he said. "I don't think they're going to quit."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Subscribe to the Security Watch Newsletter

Comments