Has the ‘SpamThru’ Trojan Doubled Spam or Not?

Screaming headlines in the past few days have proclaimed that
unsolicited bulk e-mail — known universally as spam — has broken all known
records. But is this really the case, or does it just seem like it?

“Spam Doubles,” proclaimed the New York Times in an article on Dec. 6 (free
registration required).

Much of the blame is laid on a Trojan horse named “SpamThru” that has
reportedly taken over approximately 73,000 PCs. The robotic network of
computers, reportedly directed by Russian hackers, silently pumps out
millions of spam e-mails a day.

There’s no question that new spam techniques are sneaking a lot of spam
through filtering systems that previously were fairly effective. But has the
volume of spam actually doubled?

Parsing The Numbers

Of course, any business that’s growing at a steady rate will double
eventually, so I could write headlines such as, “Fast Food Consumption
Doubles!” and I’d be 100 percent correct, if I didn’t provide any time
frame.

One antispam expert believes that SpamThru hasn’t actually doubled the
volume of spam. Instead, he says the Trojan bot network of so-called zombie
PCs has proven itself to be twice as effective as other spam at
getting through filters. That’s actually a much scarier fact than the
headlines have made clear.

The Degree of Control That Spammers Now Have

Richi Jennings is a London-based analyst for Ferris Research, which
publishes reports on corporate messaging from its headquarters in San
Francisco. “More spam is reaching the inbox,” he says, “so naive
commentators wrongly assume that a doubling of spam in the inbox equals a
doubling of spam on the Internet.”

His company’s research indicates:

Spam increased up to 20 percent in the 4th quarter of 2006 to
date, compared with the average from the first three quarters of the year.
But the spam that actually made it into people’s inboxes increased 100
percent in the same time frame.

Spam messages that use images to convey content are circumventing
filters. “New botnets are employing content-morphing tricks that are
fooling many vendors’ content filters,” Jennings says, “so more spam reaches
the inbox.” These tricks include varying the size of the images a slight
amount in different spams. As a result, the messages don’t have identical
signatures that filters can learn to catch.
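The following is an added illustration of the filter-evasion mechanism Jennings describes; it is not code from the article, from Ferris Research, or from any real spam filter. It uses constructed byte strings as stand-ins for image files (any real image encoding would likewise produce different bytes whenever the pixel dimensions change), compares a signature keyed to the exact image bytes with one that buckets the dimensions, and counts how many slightly resized copies each approach still recognizes. The bucket size and the sample dimensions are assumptions chosen for the demonstration.

```python
"""Why exact-content signatures miss size-jittered image spam (added illustration)."""

import hashlib


def make_image(width, height):
    # Constructed stand-in for an image file. Real image bytes would also
    # differ from copy to copy as soon as the dimensions are changed.
    return f"FAKEIMG {width}x{height} pitch-text-rendered-as-pixels".encode()


def exact_signature(image_bytes):
    """Signature a naive filter would learn: a hash of the whole image."""
    return hashlib.sha256(image_bytes).hexdigest()


def tolerant_signature(width, height, bucket=32):
    """Size-tolerant signature: round dimensions down to a bucket so that a
    few pixels of jitter still land on the same value."""
    w = width // bucket * bucket
    h = height // bucket * bucket
    return hashlib.sha256(f"{w}x{h}".encode()).hexdigest()


def evaluate(seen, incoming, bucket=32):
    """Learn signatures from previously seen spam images (width, height pairs)
    and return how many incoming images each signature type recognizes."""
    exact_known = {exact_signature(make_image(w, h)) for w, h in seen}
    tolerant_known = {tolerant_signature(w, h, bucket) for w, h in seen}
    caught_exact = sum(
        exact_signature(make_image(w, h)) in exact_known for w, h in incoming
    )
    caught_tolerant = sum(
        tolerant_signature(w, h, bucket) in tolerant_known for w, h in incoming
    )
    return caught_exact, caught_tolerant


# Constructed sample: one image was reported as spam earlier; the botnet then
# sends four copies, three of them resized by a handful of pixels.
SEEN = [(400, 300)]
INCOMING = [(400, 300), (403, 301), (398, 296), (410, 305)]

if __name__ == "__main__":
    exact, tolerant = evaluate(SEEN, INCOMING)
    print(f"exact signature caught {exact} of {len(INCOMING)}")
    print(f"size-tolerant signature caught {tolerant} of {len(INCOMING)}")
```

Bucketing on dimensions alone would also collide with legitimate images of similar size, so a production filter would combine such a tolerant feature with others (text, sender reputation, structure of the message) rather than block on it by itself.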

More images mean more bytes. “The image-spam messages tend to be
about 10 times bigger than ‘normal’ messages,” according to Jennings. That
means a median size of about 30 KB for the image-bearing spams compared with
3 KB for legitimate e-mails. “So spam volumes are now much higher in terms
of bits on the wire.”

“Greylisting” is being defeated by the bots. Legitimate mail
servers comply with requests from other servers to wait a few seconds
before sending anything. White-hat mail administrators use this fact as a
defensive technique known as “greylisting.” Spamming software used to
immediately give up, moving on rather than pausing. The spammers have now
hijacked so many computers that they can afford to obey wait requests, just
like normal servers, Jennings explains.
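To make the greylisting mechanism concrete, here is an added example of the decision logic a greylisting mail server applies; it is not code from the article or from any real MTA. A client is identified by the triplet of connecting IP, envelope sender and envelope recipient. The first attempt for an unknown triplet is deferred with a temporary SMTP error; a retry after a minimum delay is accepted and the triplet is remembered. The simulated scenario at the end contrasts a compliant mail server, a fire-and-forget bot, and the patient bot behaviour Jennings describes. The delay values, addresses and IP ranges are assumptions constructed for the example; time is injected so it runs offline.

```python
"""Greylisting decision logic (added example, not from the article or any MTA)."""

from dataclasses import dataclass, field

TEMP_REJECT = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: float = 300.0            # seconds before a retry is accepted
    retry_window: float = 4 * 3600      # pending entries expire without a retry
    known_ttl: float = 36 * 24 * 3600   # accepted triplets stay whitelisted this long
    pending: dict = field(default_factory=dict)  # triplet -> first-seen time
    known: dict = field(default_factory=dict)    # triplet -> last-accepted time

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP response for one delivery attempt at time `now`."""
        key = (client_ip, sender.lower(), recipient.lower())
        last = self.known.get(key)
        if last is not None and now - last < self.known_ttl:
            self.known[key] = now          # known good triplet: refresh and accept
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now        # new or stale triplet: start the clock
            return TEMP_REJECT
        if now - first < self.min_delay:
            return TEMP_REJECT             # retried too soon, keep deferring
        del self.pending[key]              # waited long enough: accept and remember
        self.known[key] = now
        return ACCEPT


def simulate():
    """Constructed scenario: three clients delivering to the same recipient."""
    gl = Greylist()
    outcomes = {}
    # Legitimate MTA: deferred once, retries ten minutes later, accepted.
    outcomes["legit_mta"] = (
        gl.check("192.0.2.10", "alice@example.net", "bob@example.org", now=0),
        gl.check("192.0.2.10", "alice@example.net", "bob@example.org", now=600),
    )
    # Old-style bot: one attempt per target, never retries, so nothing lands.
    outcomes["fire_and_forget_bot"] = gl.check(
        "198.51.100.7", "x@spam.example", "bob@example.org", now=0
    )
    # Patient bot: retries immediately (still deferred), then after the delay.
    outcomes["patient_bot"] = (
        gl.check("203.0.113.9", "y@spam.example", "bob@example.org", now=0),
        gl.check("203.0.113.9", "y@spam.example", "bob@example.org", now=2),
        gl.check("203.0.113.9", "y@spam.example", "bob@example.org", now=301),
    )
    return outcomes


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The simulation shows the limit of the technique the article points out: greylisting filters on sender behaviour, not content, so once a bot is willing to wait and retry like a normal server it passes, and the defence has to be combined with reputation and content checks.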

Spammers have cracked major sources of e-mail addresses. To
optimize one of their scams — a “pump and dump” scheme that manipulates
penny stocks — the SpamThru hackers have reportedly broken into several
databases of people who can trade equities. “I know of several occurrences
of this with brokerages and financial websites recently,” Jennings states,
declining to name any. “It seems that some organizations aren’t savvy to the
risk of these subscriber databases being pilfered.”

The numbers favor the spammers. The size that the bot networks
have grown to is making them much harder to root out. The hackers behind the
bots, Jennings says, “can send fewer messages per zombie, because the
network is bigger, so they stay under the radar longer.” Antispam blocklists
have a harder time identifying and banning these individual PCs, which are
the source of the spam.

Not everyone agrees with Ferris Research’s point of view. Postini Inc., a
major antispam service provider, for example, announced last month that spam rose 59 percent in the past
two months and 120 percent compared with one year ago. Jennings explains
that he trusts the statistics he gets from other sources, such as Commtouch and MessageLabs.

Say Thank-You While Spammers Steal From You

Whatever the actual statistics are, it’s clear that spammers are making
headway on their profitable activities. They may already have gained enough
resources to defeat white-hat defenses permanently.

A notorious U.S.-based spammer, Jeremy Jaynes, was convicted of spamming
by a Virginia court in November 2004 and sentenced to nine years in prison.
(The decision was upheld in September and prosecutors are pressing for the
jail time to begin immediately, according to antispam organization Spamhaus.) Testimony during the trial showed that Jaynes
sent millions of spams a day, netting $350,000 to $700,000 a month after
bandwidth charges, despite the fact that only 1 in 30,000 recipients
purchased anything, according to Spamfo, an information site.

With that kind of money at stake, it’s not hard to see why spammers are
outstripping the ability of white hats to stop them.

Regarding the penny stocks that the SpamThru group likes to promote,
researchers Jonathan Zittrain and Laura Frieder reported in July that a great deal of cash can be made.
Spammers who buy such thinly traded stocks — which they then promote in
millions of spams — can make 5.79 percent returns in a single day, the study
found. The suckers who buy the touted stocks lose an average of
approximately 5.5 percent within two days, before paying brokerage fees.
Repeat that process over many weeks and you’re talking real profits.

Ending the Scourge of Spam

A big part of the spam problem is the fact that the United States, unlike
jurisdictions such as the European Union and Australia, has not made
spamming a serious crime. The so-called Can-Spam Act, passed by Congress in
2003, actually makes sending spam perfectly legal, as long as it bears some
street address and links to an unsubscribe process (which is bogus, in the
case of most spam).

The Direct Marketing Association of the U.S., an association that claims
54 of the Fortune 100 as members, lobbied strongly in 2003 for such weak
legislation. It’s now obvious that the law is a failure.

Having a tough U.S. law wouldn’t magically eliminate spam by itself. But
trying to stop shadowy, profitable activities is almost impossible if they
aren’t illegal. Only the existence of a Virginia law with real teeth tripped
up Jeremy Jaynes. A strong U.S. law could go a long way towards catching
even more spammers.

About 66 percent of the 123 top spammers — who reportedly send 80
percent of all spam worldwide — are based in the U.S., according to a listing
maintained by Spamhaus. And once spamming is recognized for the massive
criminal operation that it is, it’s not impossible for countries to
apprehend violators, no matter what part of the world they may operate in.

In this instance, unfortunately, weak laws in the U.S. are allowing a bad
problem to become much, much worse.

Time for an Executive Break

The Executive Tech column is off for the holidays from Dec. 19, 2006,
through Jan. 9, 2007. The next installment will appear on Jan. 17, when the
column switches to publication on Wednesdays. Have a joyous season.

In addition to writing a column for JupiterWeb’s Datamation, where this column
first appeared, Brian Livingston is the editor of WindowsSecrets.com and the co-author
of “Windows Me Secrets” and nine other books. Send story ideas to him via
his contact page.
