IT Security Blog

05 January 2009

Lance Winslow Post Follow Up


I wanted to take a few minutes and post a follow up to my blog the other day about an article written by Lance Winslow that was originally written in 2005 and reposted here by ezinearticles.com with the date of December 31, 2008 making it appear as if the content was written recently by Lance. 

Businesses do have a lot of choices when making decisions about protecting their network infrastructures.  They can choose to do it in-house using a number of open source solutions or commercial desktop software.  They can also purchase a network based appliance, which also typically has to be maintained in-house, or businesses can look to in-the-cloud solutions using a Managed Service like MX Logic (I'll reiterate my partiality to Managed Services :) ).  No matter which type of solution you prefer for your organization, almost all are effective at stopping spam.  Some of the bigger questions that must be answered by any company when making these decisions are how much control they want to have, how much risk they deem to be acceptable from a bandwidth perspective in the event of a large outbreak, and how much internal resource allocation they want to devote to managing these solutions. 

Overall, spam rates are still down about 45% from their most recent peak in August to now as a result of the McColo shutdown.  Despite the movement to the web as a primary malware delivery vehicle, and with occasional peaks and valleys in mail flow over short periods of time, spam volumes historically continue to increase and will continue to do so.  The biggest reasons for these historical increases are improved attack precision (i.e. more targeted attacks and fewer en masse spam campaigns) and refined social engineering that dupes users into opening attachments and visiting web sites that enlist their PCs into botnets. 

I do agree with Lance's point with respect to the efforts already put forth by the FTC being largely fruitless.  There have been few arrests since CAN-SPAM went into effect 5 years ago.  At the end of the day, spammers are criminals and should be arrested, but cooperation is needed from many others outside of law enforcement, like the upstream bandwidth providers and domain registrars, if we are really to make a dent in the spam problem.

At the end of the day, whether spam volumes are up or down, cyber crime is both a criminal and a social problem.  I think the criminal part is pretty self-explanatory, but what drives people to cyber crime?  Money.  Lots of it.  With the relatively few arrests that have been made in comparison to the number of spammers trying to fill our inboxes on an everyday basis, cyber crime is considered to be a low-risk, high-reward venture.  Considering the difficult economic times we are now in the middle of, where companies are tightening their belts as much as possible and unemployment is rising on a daily basis, it would not be surprising to see more people getting involved in cyber crime activities. 

So, to come back to my original point before going on a bit of a tangent: Is an article written back in 2005 about spam volumes, tactics, and defenses entirely relevant today?  I would say both yes and no.  Although tactics have evolved and businesses are feeling more and more pressure every day to find ways to keep their mail servers online and prevent confidential data from leaking out of their networks, there are a lot of options available.  Businesses need to evaluate which type of solution provides them with the options and features that best suit their business and compliance needs.


Posted by smasiello at 2:51 PM
03 January 2009

Who is Lance Winslow and What is He Talking About?


An MXL co-worker (Thanks, Grant!) directed me to this blog posting by a guy named Lance Winslow titled "SPAM Killing Small Business Productivity".  It is no surprise to anyone that any small business that has not taken steps to protect their infrastructure with some kind of anti-spam/traffic shaping/traffic control device or service (I am partial to the managed service form factor, BTW :) ) is feeling the effects of the amount of spam flying over the internet on a daily basis.  So, in that respect Lance hasn't started off his post with anything revolutionary.

Then things start to get weird...

Lance states "...the Federal Trade Commissions; FTC’s war on SPAM is killing small businesses and flooding their inboxes with junk mail".  What?!  Last I checked, a LOT more people than just those involved in the FTC are fighting spam on a daily basis and doing a pretty decent job of it.  I work with many of them on a daily basis both at MX Logic and at our many competitors.  Secondly, how is the FTC's war on spam killing small businesses and flooding inboxes with junk mail?  Last I checked, that was the spammers who were responsible for that... oh yeah, and the infected PCs that they use to do their dirty work.  I'll concede that CAN-SPAM hasn't done much, but spam hasn't increased as a result of CAN-SPAM.  Spam has increased due to money-chasing criminals using spam as a vehicle to make money.

Lance then goes on to say "America Online indicated that it culls 75% of the incoming SPAM thru filters and many other companies are able to do this too. But what if you are a small business which does not have such features on your website? What do you do then? You cannot do a thing."  Strike 2!  Firstly, I know quite a few of the anti-spam folks over at AOL personally and I'll be more than happy to publicly defend them and say that I am sure they are catching more than 75% of incoming spam.  If that were MX Logic's catch rate I surely would have been fired years ago!  It certainly hasn't been my looks that have gotten me by! :)  Further, how can Lance ascertain that there is nothing you can do if you do "not have such features on your website"?  I am going to guess that he is really referring to inboxes here and not web sites (as web sites are a bit of a different animal than what he originally started out his post with).  Has he ever looked into the cost of a Managed Security Service or a network appliance?  Anyone can deploy anti-spam defenses at fairly low cost per user.  The cost can even be free if you are willing to do the work yourself to maintain your own installation of software like SpamAssassin. 

His final paragraph states "A concocted report from MX Logic purports that SPAM is down a whopping 9%? If you believe that you are on drugs just like the FTC. If you are a small business getting 300 junk mails per day, obviously this is not going to help you in the least as it still means you are getting over 275 junk mails a day. Worse the figure of nine-percentile is said to be a complete misrepresentation and convenient fabrication."  Perhaps Lance should do a bit more reading about the decline in spam volumes since the shutdown of McColo back on November 11th (although I do appreciate that he is reading our report!).  Although the botnets that were originally debilitated as a result of the McColo shutdown are back online, spam volumes overall are still down from where they were pre-McColo.  Now, I will agree with Lance's point where he said that if you were getting 300 spam emails per day and are still getting anywhere from around 275 per day, you are still getting deluged (perhaps our sales folks should try to sell Lance an anti-spam solution :) ).  At a micro level this doesn't seem like a big deal, but when looked at on a much more macro scale, in an environment like ours and other major ISPs who process hundreds of millions of emails per day, the effects are dramatic.

I'm curious as to what authority he stands on or interviewed to make the statement that drops in spam volume are a "complete misrepresentation and convenient fabrication"?  How is saying that spam volumes are down convenient for us?  In our business, spam sells.  The more there is, the better sales numbers grow, as businesses become more aware of the inadequacies of their own systems in trying to manage spam themselves.  They realize that they NEED an alternative so that they can focus on their core competencies and not just on keeping their mail servers online.  As a result, crises and large spam events like the CNN outbreak from back in August are great for our sales numbers.  It certainly makes selling the need for a solution easier on them.  I've been accused during media interviews by less tech savvy reporters of trying to spread FUD because "I have to say that spam volumes are up because fighting spam is the business that we are in", but never that I'm lowering numbers for convenience.  I don't quite see how that argument makes any sense.

The closing of his post is the coup de grâce: "If you have innovative thoughts and unique perspectives, come think with Lance."  I would certainly say that Lance's perspectives are unique (and completely uninformed), but his thoughts are not quite so innovative (however quite imaginative!).

Posted by smasiello at 3:40 PM
23 December 2008

Ireland's Version of CAN-SPAM?


Ireland is tired of spam and is putting legislation into law that will fine spammers up to 250,000 Euros if convicted according to this siliconrepublic.com story.  The story does not go into specifics of the law or what an email needs to contain in order to be in compliance (e.g. CAN-SPAM has several rules that marketers must follow in order to be compliant), but references "spammers" as a general term.

Lost in the noise of all of this, let us not forget the difference between a "spammer" and a "spam message". 

Spammers are people who send nothing but spam 100% of the time.  Spammers utilize botnets to conceal the original message sender and utilize networks that they otherwise have no right or license to use. 

Compare this to a (accidental) sender of a spam message. 

Most ESPs occasionally sign up customers whose intention is to use the ESP's network to send out email to purchased lists or to people who did not specifically opt in to receive that mail.  Of course, this is unbeknownst to the ESP until the email goes out and the complaints roll in about spamtrap hits, unknown user rates, and users hitting the "This is Spam" buttons in their webmail clients.  The good ESPs will shut those folks down immediately and make them go troll their email elsewhere.  Does this make these ESPs spammers?  No.  Are they culpable under this new law?  Not sure yet, but those details will certainly come forward.

I can respect what Ireland is trying to do here, but I hope they can take a lesson from the United States and not repeat the same mistakes of CAN-SPAM.  If not implemented correctly (i.e. enforce policy on the true spammers and the ESPs who are not making good faith efforts to remove bad customers from their systems) the only people they may end up hurting are the legitimate email marketers who occasionally have an "oopsie" from a bad customer while the true spammers continue their practices unfettered.

Posted by smasiello at 2:52 PM
17 December 2008

CAN-SPAM Celebrates 5 Years!


Happy 5th Birthday to the CAN-SPAM Act (The Controlling the Assault of Non-Solicited Pornography and Marketing Act) of 2003!  The CAN-SPAM Act was the brainchild of Senators Burns of Montana and Wyden of Oregon in April 2003 before undergoing some revision and being signed into law by President Bush on December 16th, 2003 (ok, so the real birthday was yesterday).  The CAN-SPAM Act took effect on January 1, 2004.

Although it is the standard by which ESPs enforce compliance on the part of their customers, it has largely been ignored by spammers.  MX Logic has been tracking adoption of the CAN-SPAM Act since its inception, and even at its peak only about 3% of all spam was in compliance.  That peak was in May 2004.  Compliance has typically hovered around 0.2-0.3% since 2005.  As a result, many have resorted to calling it the U-CAN-SPAM Act.

If you are not familiar with the CAN-SPAM Act, it imposes a number of requirements on commercial email:

-- Ensure that the "FROM" line clearly reflects the sender's identity

-- Include subject line text consistent with message content

-- Include the advertiser's valid postal address

-- Contain a working opt-out mechanism as a way for the consumer to decline to receive further commercial email from the sender
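An added example (not MX Logic's own compliance-tracking code) that encodes these four requirements as heuristic header and body checks over two constructed messages; the street-address pattern and the "fake Re:" subject test are simplifying assumptions of this example, not the statute's wording.

```python
"""Heuristic CAN-SPAM compliance check over a raw RFC 5322 message."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for the example (not real mail).
COMPLIANT_MSG = """\
From: Acme Widgets Newsletter <news@acme.example>
To: user@example.org
Subject: March widget catalog and spring discounts
List-Unsubscribe: <mailto:unsubscribe@acme.example>

Our spring catalog is out, with 20% off all widgets this month.
Acme Widgets Inc., 123 Main Street, Springfield, IL 62701
To stop receiving these messages, reply with unsubscribe in the subject.
"""

NONCOMPLIANT_MSG = """\
From: x7q9@mail-relay-01.example
To: user@example.org
Subject: Re: your account

Click here now: http://cheap-meds.example/?id=1
"""

# Crude US-style street address: number, 1-4 words, then a street/box keyword.
POSTAL_RE = re.compile(
    r"\b\d{1,5}\s+(?:\w+\s+){1,4}(?:Street|St|Avenue|Ave|Road|Rd|Blvd|Suite|Box)\b", re.I)


def check_can_spam(raw: str) -> dict:
    """Map each of the four listed requirements to a pass/fail heuristic."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        # 1. FROM line reflects the sender: a display name plus a real mailbox.
        "from_identifies_sender": bool(name) and "@" in addr,
        # 2. Subject consistent with content: reject a "Re:" that replies to nothing.
        "subject_not_deceptive": not (subject.lower().startswith("re:")
                                      and not msg.get("In-Reply-To")),
        # 3. Advertiser's postal address appears in the body.
        "postal_address_present": bool(POSTAL_RE.search(body)),
        # 4. Opt-out mechanism: List-Unsubscribe header or unsubscribe text.
        "opt_out_present": bool(msg.get("List-Unsubscribe")) or "unsubscribe" in body.lower(),
    }


def is_compliant(raw: str) -> bool:
    """True only when every heuristic passes."""
    return all(check_can_spam(raw).values())
```

Run on a mail archive, the per-check dictionary shows which requirement spam most often fails, which is what a compliance-rate figure like the 3% above summarises.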

As part of the CAN-SPAM Act the FTC was also authorized to create a "Do Not Email" registry, much like the existing "Do Not Call" registry for telemarketing.

We blogged back in October about a loophole that auspiciously exists in the CAN-SPAM Act which does not disallow the mass sending of unsolicited political email, due to its non-commercial nature.  This opinion drew quite a bit of both positive and negative comments from both sides of the aisle. 

So, as we move forward into 2009 and you toast in the New Year, be sure to raise a glass to the CAN-SPAM Act.  Five years of reducing spam to nobody!
Posted by smasiello at 5:17 PM