The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Tuesday, November 18, 2008

Yes, you can fight spam — part 1

Last week, I wrote about a study conducted by researchers at the University of California on the economics of spam. They had determined that the spammers were obtaining a conversion rate of less than one in twelve million from their botnet-sourced spam. That is, the spammers had to send twelve million spam emails for every customer they snagged.

I concluded that "just hit delete", educating the users, improved filters, or trying to use the legal system just were not going to work to stop spam.

This week, I'm going to talk about something that apparently does work: not tolerating the bad actors responsible.

If you follow spam issues in the news, then you may have heard of the takedown of a black-hat ISP in San Jose, California known as "McColo". You can read all about it in Brian Krebs' Washington Post article Major Source of Online Scams and Spams Knocked Offline.

In a nutshell, McColo was one of the prime bad-guys of the internet. Child porn, phishing, credit-card processing for criminals, you name it. We're talking the Dr. Moriarty of the internet here. As part of all that, they were knowingly hosting the command-and-control centers for major botnets.

McColo had been well-known to a number of internet security experts and spam-fighters. Attempts to get them disconnected by their upstream providers, Hurricane Electric and Global Crossing, had long fallen on deaf ears. Finally, it reached the point where their support of McColo was going to reach a wider audience. Faced with a public shaming, they finally did the right thing and gave McColo the boot.

Here's what's significant: The shutdown of McColo resulted in a 60-70% drop in spam worldwide overnight.

Let me say that again: A 60-70% drop in spam overnight. Worldwide. From disconnecting just one bad actor.

This chart, courtesy of SpamCop, shows it best:

Other spam-tracking sources are reporting similar reductions in spam. It is reported that detections of the Srizbi botnet (the biggest, at 60 billion spams/day) are down by up to 95%. Similar reductions in activity have been seen in several other botnets, including Mega-D, Bobax, Rustock and possibly Asprox.

I don't have any illusions that this drop is permanent. The spammers and bot-herders will be looking to rebuild their networks almost immediately. I've already noticed an increase in virus spam lately, as have others.

(Note: This may be a good time to remind your friends and relatives not to click on any attachments they receive — especially anything in a .zip file.)

Also unfortunately, McColo had a backup plan in the form of Swedish internet service provider TeliaSonera who, not knowing what was going on, left McColo connected to the internet. McColo was savvy enough to wait until the weekend before taking advantage of their backup connection. The problem was discovered within hours, but getting them disconnected again required CEO approval, which took even more time. All told, McColo was back online for about twelve hours. Enough time, unfortunately, to transmit botnet control updates to servers in Russia. More details can be found in the U.K. Register.

It will probably take time for the spammers to get the botnet up and running, but we should see spam levels begin to rise again shortly.

Other articles on this takedown:

Next: You can fight spam by disconnecting bad actors

Wednesday, November 12, 2008

sued for false advertising

You've seen the ads for, I'm sure. Banners at the top of seemingly every web page on the internet that say "She married him? Catch up on the latest petty gossip at". Or something like that.

Today's Wired magazine has an article entitled User Sues; Schoolmates Weren't Really Looking for Him. The headline pretty much says it all. Anthony Michaels of San Diego, CA received a message from telling him his old high school chums were looking for him. He paid $15 for a premium membership and found out — get ready for it — they lied. Nobody was looking for him. Now he's suing (scanned pdf, 20 pages) for false advertising and hoping for class action status.

Friday, November 07, 2008

Researchers Hijack Storm Worm to Track Profits

Always good for information on the spam economy, Brian Krebs of the Washington Post has just published a truly fascinating article: Researchers Hijack Storm Worm to Track Profits.

Bottom line: a one-in-twelve-million conversion rate of spam to sales seems to be enough to keep the spam economy going.

The article covers a project by researchers at UC San Diego and UC Berkeley, who managed to infiltrate the Storm Worm bot network and take over a small portion of it.

They then redirected some of the spam payloads to fake websites which had been set up to mimic the actual websites advertised in the spam. Would-be customers would go to the fake web sites and try to order their penis pills and become another statistic for the researchers. (At which point the sale fails to go through — the researchers were fishing for statistics, not credit card info.)

All told, 350 million spams over 26 days resulted in 28 sales, for a total of just over $2700. Researchers estimate that they took over just 1.5% of the Storm Worm network, meaning that the network sends about — let's see, carry the one — just under 900 million spam emails per day, with a revenue of just about $7000 per day.

That's it. There's your math. $7000/day pays for something like 20% of the total spam load we all endure, day after day. And the vast majority of it going to penis pills that don't even work.

One more piece of math: The worm propagates as a virus mailed from victim to victim. Researchers discovered that a whopping one in ten people will click on the link and download the virus.

So what does this mean in terms of fighting spam?

Well, first of all, educating people about spam, or getting them to sign the Boulder Pledge to not buy anything advertised via spam, is hopeless. You'll never convince everybody. If the spammers only have to reach one person in twelve million spams, then educating 99% of the people, or 99.99% of the people, or even 99.9999% of the people just isn't enough.

In other words, Just Hit Delete won't work.

Technological means? So far, no good. We build better filters, spammers add more entropy to their message text to bypass them. I'm sitting behind at least three good filters at home, and I'm flooded with the stuff.

Legal means? Not very effective so far, mainly thanks to CAN-SPAM, which protects spammers from almost all legal remedies. Only state governments and the very largest ISPs have been able to take legal actions against spammers, and the spammers generally make themselves judgement-proof well before it comes to that.

The Federal government can theoretically put a spammer in jail, but I'm unaware of any such cases except when other crimes such as wire fraud are involved, in which case CAN-SPAM violations are added on the side.

Other questions about this research present themselves. Such as, if the researchers could take over a small portion of Storm Worm, why can't they take all of it over and shut it down?

Can Storm Worm be repurposed for good? Maybe launch a popup on the user's screen when it's installed, saying "hey dumbass what did you think you were doing when you clicked on that link?" or "are you really so stupid that you believed a Nigerian prince wanted your help laundering a vast fortune out of the country?" Sheesh.

I've always dreamed that someone would write a virus that takes over the victim's system and installs all the necessary security updates. Or maybe upgrade them to Linux. It would be a public service.

Here's a thought: credit card companies should run fake sites like this, and use it as a way to educate consumers who get caught in the net — or maybe just take their credit cards away and do us all a favor.

More seriously, I would have liked to see some effort by the researchers to track the worm to its source, but I think it's likely that they tried without success. It's believed that the bulk of this spam originates from Russia, where there is little or no hope of getting any real information on the spammers. Given that restriction, I think the researchers were forced to be satisfied with the information they were able to collect.

The academic paper is available from Berkeley's International Computer Science Institute (pdf).

Update: This morning, the BBC had a good article on the report. In it, they made one very good point: the conversion rate is so low, and the profit margin so slim, that this suggests some avenues of attack on the spammers.

As for myself, I'm not convinced. My first thought was that the old idea of charging postage for email might be worth pursuing. At a conversion rate of less than $1 per hundred thousand emails, an e-postage rate of 1/100 of a penny per email would pose no burden on ordinary consumers, but break the economic back of spam. However, I quickly dismissed this idea upon realizing that since the majority of spam is sent by 'bots, it's the consumers who will be paying the postage, and not the spammers. Further, the postage would be so cheap that most victims wouldn't be charged enough money to motivate them to do something about the problem, and certainly not enough to make law enforcement — who don't even get out of bed for anything less than grand theft — take any notice.

Is there any other way to pass the economic burden of spam — any economic burden at all? — to spammers? If there is, word of it has yet to reach my ears.