Escalating Spam Wars Take Their Toll

Spam has never been cheaper. online-marketing firms are falling over themselves to offer spam campaigns of millions of addresses. These e-mail blasts are disturbingly inexpensive. Pro Software Pack, for example, charges just $125 to send 1 million mes sages. Despite spending billions of dollars fighting spam over the past decade, the security industry is in no danger of winning the war soon:

Spam now accounts for 19 of 20 e-mails, and its cost to businesses doubled between 2005 and 2007 to $100 billion (about a third of that in the United States), according to Ferris Re search, a San Francisco-based consultancy.

In their cat-and-mouse game with security, spammers have been innovative. To avoid filters, at first they inter changed some letters and numbers and broke up words with spaces. When keyword filters got better, spam appeared with addi tional, unsuspicious text that reduced the percent age of trigger words. Since the added verbiage confused recipients, spammers began sending it as invisible (white on white) text. When securi ty firms employed filters that could detect hidden text, spammers then be gan placing their mes sages on Web sites and providing links to them. When filters were pro grammed to hunt for spam by following links, spam e-mail appeared with dozens of links to legitimate Web sites to overwhelm filters. And so on.

The growth of illegal drugs has fueled a new class of underground spammers with no pretense of legality. IronPort, a Silicon Valley computer-security giant, investigated a recent 2 billion-spam campaign flogging Viagra. (Researchers extrapolated that figure by counting spams sent to the 300 million ad dresses IronPort protects.) The spams, sent (or relayed) from 16 countries, provided links to 12 professional-looking Web sites that process payments through a P.O. box in Hay ward, California. The Viagra, shipped from China and India, ranged from placebo to extra strength. The spam was sent by an illegal bot net—a network of computers remotely com mandeered by hackers. Individual botnet computers send relatively few spams to better avoid detection by owners or Internet service providers who fear being blacklisted as spam conduits.

Botnets are rented and sold in underground online markets, along with illicit software that creates the botnets and manages blasts. An of ficial at Britain's Serious Organised Crime Agency, unauthorized to speak for attribution, refers to these black markets as "a one-stop shop" for spammers. Shutting down botnets, he says, is difficult be cause spammers activate and deactivate parts of their network to confound security per sonnel. Even shut down, he says, "they're back up in hours."

Many outfits that op erate supposedly legiti mate spam services rely on botnets; without them, spewing so much spam would be nearly impossible. Some, in cluding Pro Software Pack, seek legal protection by compensat- ing people who send spam on their behalf. These botnet users will often use these par- ticipation contracts to pass for legitimate businesses.

Spam's most-serious threat is still in spreading viruses. Dominique Loiselet, head of Websense France, a computer-security firm, says 5 percent of the 350 million e-mails the company inspects each week carry viruses. Many try and steal data such as banking de tails. They carry an unquantifiable cost: con fidence in the Internet as a "legitimate in strument" is suffering, says Cynthia Heijna, a spokeswoman at OPTA, a communications law-enforcement agency in The Hague. That's bad news for businesses and e-mailers alike.