Could The Bad Guys Win on Spam?
By Larry Seltzer

On some days, life in the security business is more depressing than on others. My recent reading about Mimail.L, the latest in a long line of sociopathic worms, tipped me into the blues.

Mimail.L is particularly vile. Here are some of the actions it takes:

It arrives as a pornographic e-mail with an attached ZIP file purporting to contain dirty pictures. That file contains a file with a .jpg.exe extension, so if someone runs it to see the picture they actually infect themselves. As always, this subterfuge works far more often than I'd like to think, but so far it's just a run of the mill worm.
It scours the hard disk for e-mail addresses and stores them in a file named xu298da.tmp in the Windows folder. It then mails itself out with the same porno message to these addresses.
If there's a problem sending that mail, it instead tries to send a different message without the attachment. This fallback message says that the recipient's credit card has been charged for a purchase of child pornography. It directs the reader, if they want to cancel, to contact [email protected].
The message also lists more than a half a dozen sites as places you can get more kiddy porn, including Disney.go.com, Spamcop.net and Spews.org, and attempts to perform a denial of service attack on these sites.
So, not only is this a particularly offensive worm, but it specifically attacks anti-spam sites! Do the authors of the worm have a particular problem with these groups? Perhaps, or maybe it's just more anti-social behavior. They also attack Register.com, but I doubt they're opposed to domain name registration on principal.

After reading about this I'm tempted to agree with a poster on a Slashdot thread on Mimail.L: They won't stop 'til they've destroyed e-mail. We keep hearing about the ever-increasing percentage of Internet e-mail that is composed of spam. The latest consensus I hear is over 50 percent, but you can bet your last F_R_E_E whatever that the number will continue to climb.

My own spam rate is now well over 60 percent (although my inboxes are particularly vulnerable because I have multiple e-mail addresses on my articles around the Web). What happens when 75 percent of Internet mail is spam? How about 90 percent? And why should it stop there? A relative recently said he doesn't bother checking his e-mail anymore because there's just too much spam; it's not worth it.

As I'll discuss in greater detail in a later column, I don't have a lot of confidence that the new CAN-SPAM act that recently passed in Congress will make a big dent. It would take a large, talented and well-funded enforcement effort to get a significant number of spammers through this act

Besides, spammers are exactly the sort of people to fold up shop and start anew in some other state with a new identity if they ever get in actual trouble. The startup costs are puny, and here's the really good part: your cost of goods can be zero!

Putting aside spam messages that result in naked theft, like the Nigerian bank transfer scams, how many customers are going to pursue you if they don't get the goods they order? There's no doubt in my mind that a very large number of these businesses have absolutely nothing to sell, they just take your money. This makes the spam business model even more compelling.

If the government won't be sending the cavalry in the nick of time, that leaves technology. Many people think there's a great abstract case to be made for disincentivizing spam by changing the economics of the situation, generally by the imposition of some fee for sending mail.

As I've said before, I don't think such solutions are practical without the kind of massive technical changes to the Internet that could end spam without such fees. What it really comes down to is enforcing authentication on all e-mail users. There are systems for bolting authentication onto SMTP, but if can't be made mandatory, then it doesn't matter.

So the only options for stopping spam are continued use of the existing technological means at our disposal or a complete replacement of the entire e-mail system, as I once suggested earlier this year, when I was young and naive. But that ain't gonna happen. When a protocol is as entrenched as SMTP it's basically impossible to displace it.

So can the anti-spam industry save us when 90-something percent of the mail coming in is pornographic or malware? I used to think that one false positive was one too many. But when I see attacks like Mimail.L and I think about kids receiving e-mail, then perhaps one false negative is one too many.

Businesses will be able to cope with 90-percent levels of spam and block it out. But at that level, kids and even lots of grown-ups will forgo e-mail. And when that happens, the bad guys will have won.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


More at eWeek