Next generation spam: New threats and new technologies

This video examines the evolution of the content security gateway as it evolves beyond just blocking spam and Web filtering, emphasizing the techniques and technologies used to ensure data doesn't leave your organization.

About the speaker:
Michael Cobb is the founder and managing director of Cobweb Applications Ltd.

Go back to Spam 2.0: New attractions, viruses and prevention strategies.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact    

Next generation spam: New threats and new technologies

Eric Parizo:  Hello and welcome to Next Generation Spam: New Threats and New Technologies with guest speaker Michael Cobb.  My name is Eric Parizo and it's great to have you with us. 

Remember a few years ago when a pretty famous guy said that spam would be gone within two years?  Well, it's been longer than that and spam is still here.  In fact, security pros are now contending with what's being called Spam 2.0 - a new wave of spam technology.  This includes image spam, PDF spam and a host of other new threats that are giving traditional antispam counter measures all they can handle.  So, how are the economics that drive the business of spam changing and how can organizations thwart the latest methods that spammers use to get their malfeasant messages into your mailboxes?

In today's webcast we'll review the pros and cons of current antispam technologies and emerging industry initiatives, such as domain keys, identified mail and sender ID.  We'll also look at new strategies enterprises can implement to bring spam under control and keep your network from being used as a spam relay as well as what future spam battles lay ahead. We'll have all of that and much more.

Our speaker today, Michael Cobb, is a CISSP-ISSAP and a renowned security author.  He is the Founder and Managing Director of Cobweb Applications, a U.K. -based consultancy that offers IT training and support in data security and analysis.  He co-authored the book IIS Security and has written numerous technical articles for leading IT publications and is's resident expert on application and platform security issues.

Thank you for joining us today, Michael.

Michael Cobb:  Hi Eric, it's great to be here.  Welcome everyone to this webcast Next Generation Spam: New Threats and New Strategies.  Let me start by quickly giving you a look a today's agenda and the topics I'm going to be covering.  I think that it's important that we begin by understanding why spam is the problem that it is and why it's not going to go away any time soon.  I'm going to give you an insight into the economic drivers of spam.  Next, we'll cover some of the new techniques spammers are using to bypass anti-spam technologies.  Commonly referred to as Spam 2, they certainly show what an inventive enemy we're up against.  Next, we'll look at current anti-spam technologies - what works, what doesn't - the pros and cons of the different approaches.  I'll follow this with how you can tackle spam at the enterprise level.  I'm sure all of you have some form of anti-spam software on your home PC or laptop, but dealing with spam at the enterprise level is a different matter altogether.  Therefore, I want to spend some time on strategies and policies that apply to the enterprise.  Finally, we'll wrap up with making sure your own network resources are not being used by spammers, as well as looking at some of the future battles ahead.

Why Spam Isn't Going to Go Away

The famous person that Eric alluded to in his introduction was, in fact, Bill Gates.  He had famously said, back in January 2004, "Two years from now, spam will be solved."  As we all know, he's been proved very wrong.  In fact, according to recent statistics from Symantec, 61% of emails are, in fact, classified as spam.  The problem varies from country to country, and in some Asian nations it's even hitting 90% of emails being sent.  As you can see from the spam statistics from 2006, the total number of emails sent is a phenomenal number.  With such a high proportion of these being spam, it gives you an idea of the scale of the problem that we're facing.  So, why is there so much spam?  Why do people bother to send million of these unsolicited emails.  The simple answer is money.  Spammers only need a few people from the hundreds of thousands who receive their spam to respond to a message and they're in the money.  The break-even response rate is so low, because a spammer has virtually no operating cost.  This is mainly because they hijack other Internet user's resources.  Also, the chances of actually getting caught if you're a spammer are very low, indeed.  For example, spammers that are promoting stocks are very unlikely to get caught as the spam that they send out has no link to a website or anything that people can reference back to them, because all  they're trying to do is get you to purchase a stock that they're recommending.

Spamming is just not like any other business where there are competitors and regulations that make starting a business up more difficult.  Also, there are an increasing number of mediums for spammers to target - mobile phones, instant messages, and so on.  These are all targets for spammers.  There is one other reason why someone might send spam and that is to launch a denial-of-service attack.  If a spammer sends all the e-mail direct to one user or one mail server, the sheer volume of messages can bring the targeted mail service to a grinding halt.  Needless to say, this is a less common reason, the main reason is money.

So, who's sending all this spam?  People often ask me this question by people.  Well, now it's a big business.  And any big business that's illegal attracts organized crime gangs.  There are also organized spam gangs.  A lot of these operate from Russia or Eastern Europe and they share many common features with other forms of organized crime.  In fact, 80% of spam received by internet users in North America and Europe can be traced back to fewer than 200 spammers.  Some spammers just operate on their own.  A lot of the advanced feed forward spam that has been coming from Nigeria, such as the Nigerian 419 scam, are just be sent by one user from a cyber cafe.  So, there are lots of different people looking to get in on the spam bandwagon.  A lot of them are fraudsters.  They're using spam as a means of getting their phishing emails into people's inboxes, hoping to defraud them, either by collecting bank account details and other personal identity information that they can then use.  Sadly, there are also bone fide organizations that can be accused of sending spam.  That's something I want to look at later on, to make sure that no one listening is actually sending out their own spam unintentionally. 

As you can see from the slide on the screen, spam comes from a variety of different places.  Asia, Europe and North America make up the bulk of where spam actually originates.  Let's just have a look, in a bit more detail, at the economics of spam.  I think it's probably easiest if you compare it to the economics of traditional mail, which is often called snail mail.  If you need to e-mail or mail shock a lot of your customers, or perhaps, you're a bank sending out monthly statements, as your volume increases, you tend to get a discount from the major postal services.  But this dropping cost in sending a lot of messages by snail mail only drops so far.  Now, spammers' economics are completely different.  They start off with very low costs and they decline rapidly with the more spam that they send out.  The main reason for this is that many spammers pay nothing for sending their messages.  This is because they hijack the resources of other people, either individuals or ISPs and use those resources to send out their spam.

So, what is the cost of spam for the rest of us?  We've seen that it is very profitable for the spammer, one of the reasons being, as I just mentioned, that they're using the resources of other people.  This impacts everyone else, certainly in terms of time and productivity.  Think to your own inbox when you come into the office in the morning, you have to go through and delete all the unwanted messages that you've received.  This takes up times and impacts everyone's productivity.  There's also a big issue with bandwidth. The volume of spam that's being sent is clogging up the internet and is using up bandwidth of organizations as they collect their emails every day.  It can even lead to a loss of service if an organization is receiving so much spam, it can put such a load on their own mail servers that the mail they want to send out get's swallowed right up, and it can impact on their own services. It also impacts storage and backup times.  Think of all the additional mail that's coming through the mail servers and into people's boxes, this all takes up storage space.  So, the backups run through the night and it's going to take the backups a lot longer because of all of the junk e-mail that's littering people's inboxes.  Unfortunately, it can also cause a loss of reputation.  If an organization is accused of sending out spam, either unintentionally or intentionally, it can really impact their reputation with the general public.  So, the cost of the rest of this is enormous and a lot of people don't realize all the different effects that spam has on day-to-day business.

What I want to do now is take a close look at the type of spam we're having to deal with, to ensure that everyone agrees on what spam is.  Spam is a type of e-mail that's unsolicited and sent in bulk.  Unsolicited means that the recipient has not granted verifiable permission for the message to be sent to them.  Bulk means that the message is sent as a larger collection of messages, all having substantially identical contact.  Now, a message is only spam if it's only unsolicited and bulk.  Unsolicited emails are a normal occurrence.  Think of contact inquiries, job inquiries, and sales inquiries.  These are emails are quite genuine, but haven't been solicited.  Also, bulk e-mail is normal e-mail.  People that run newsletters will send bulk emails.  People who are communicating with their customers or discussion lists, those will be sending out bulk emails.  Again, they're quite legitimate, it's only when e-mail is sent out unsolicited and in bulk that it is actually termed spam. 

So, with spam, really, the issue is about consent, not the actual content.  The content is irrelevant, really.  If the message is being sent unsolicited and in bulk, it is spam.  Initially e-mail spam was text-based and it started to appear on a commercial scale early- to mid-90s. Anti-spam technology emerged to combat this by scanning each e-mail and looking at whom the message was coming from, what words it contained and which websites it linked back to.  If this analysis deemed that the message was spam, it was blocked.  Now, spammers have been very effective in foiling this approach by moving their business model to a whole new level.  Spam 2 completely outflanked these current antispam systems.  A spammer's biggest problem is sending thousands of messages while avoiding detection. 

Now, a spammer who is command and control over a bot net can send messages from thousands of different computers by conscripting vast networks of computers to send out spam without the knowledge of their owners they achieve two things: they frustrate any attempt to analyze the reputation of the sender and, since each computer in the bot net sends just a few messages at a time, it makes their activity harder to detect.  Spam sent using a botnet would still be detected by content filtering if the body of the spam contains elements of the filter it's configured to deny.  Spammers have reacted to this by turning to using images to bypass text-based filters.  Spammers have used images in their messages in the past, often to offer a sneak preview of their offering, such as a pornography site or an amazing wonder drug.  They quickly realized that by putting their words inside the image they could easily frustrate text-based filtering. 

Now, by using a botnet and using other people's computers to send a large e-mail when it has an image in it, it actually made the tactic quite practical because they don't have to pay for the data traffic that they generate.  This actually tilts the economic of spam even more in their favor.  This image spam has become known as Spam 2.  Spam 2 is also being used to describe other new forms of spam, such as instant message spam, news group spam, Web search engine spam, spam in blogs, wiki spam, mobile phone messaging spam, and Internet forum spam.  Many of the Spam 2 messages are used to promote penny stocks.  It's part of a scheme that anti-spam researchers call "pump and dump". 

What happens is that spammers buy the inexpensive stock of an obscure company and then send out spam messages hyping it.  The aim is to sell their shares when the global masses respond and snap up the stocks.  The big advantage to the spammer is that there are no links to a website at all needed in the message, so it makes them very hard to trace.  Although this scam sounds fairly obvious, during a study by researchers at Purdue University and Oxford University found that "pump and dump" spam stocks actually work.  Enough recipients buy the stock that spammers are making between 5% and 6% return in just a couple of days.

Spammers have also figured out ways to elude other common anti-spam techniques.  One approach is by identifying multiple copies of the same message.  Brightmail was one of the first companies to do this and they did achieve early victories against spam by recognizing unwanted e-mail as soon as it hit the Internet, to look at the fingerprint of the e-mail and stopped every subsequent copy.  What spammers are doing now, to circumvent this technique, is writing software that automatically changes just a few pixels of the image that has their text message in it, therefore creating what I call a fingerless print.  This evades antispam technologies that are trying to block messages that all appear to be the same.

Let's move on and look at a few more techniques that Spam 2 spammers are using - PDF attachments.  PDF documents are being created with the document protection settings enabled.  What spammers are doing here, by using the PDF security model, they're preventing the document from being printed or the text being copied to the clipboard.  This makes it very difficult for traditional antispam countermeasures to analyze and identify the message content.  So, with these security features enabled, emails are far more likely to bypass typical means of detection.  It certainly is a growing use because around 20% of image spam now actually involves the PDF. 

Some of the other tricks they're using are spam spikes, which is where a spammer will suddenly send out a massive amount of spam in a very short period of time.  This is often seen during a pump and dump stock promotion and it's the size of the spike that separates this from a regular spam run.  A spam storm is slightly different.  It is when spam is being sent from a very large bot net known as "storm".  It's estimated that there are close to 2 million computers worldwide that are part of the storm botnet.  One attack that was launched in August of this year resulted in approximately 600,000 emails being sent in 24 hours by the storm bot net.  Also, each attack seems to utilize a number of different templates where the target e-mail address is generating relatively few delivery failures. 

What this indicates is that most of the addresses are genuine and have almost certainly been harvested from other infected computers within the botnet.  This is something else that spam is being used for. It's a way of distributing viruses very quickly.  A lot of the viruses are aimed at recruiting the recipient computers into the spammer's botnet.  The back-end server often automatically re-encodes the viruses that it's sending out to make it very difficult for traditional anti-virus to manage to catch the viruses as they're coming into people's inboxes.

Finally, there's another form of image spam that's been very popular in the last few months and that's where spammers have made use of the popular photo-sharing site ImageShack to upload their spam images.  What spammers are doing is that they're sending emails containing a URL leading to the spam image that's being hosted on the ImageShack website.  If someone opens the spam, the image is uploaded from the ImageShack without it having to go through the anti-spam technology looking to filter out image spam.  So, as you can see spammers are a very inventive lot.

I want to now look at the technologies to try and combat this problem.  First of all you have manual specification.  This is what e-mail programs such as Outlook and Outlook Express give you.  You can set your own safe and blocked senders lists or create your own rules about which words you want to have blocked.  Anyone trying to combat spam just using this method is probably aware of how fruitless a task it is and also how time consuming it is.  It does mean, though, that individuals can ensure that their favorite newsletter sent by e-mail does get through. 

The next step up, and really just as rudimentary, is black list and white list.  This involves continuously updating huge lists of approved and disapproved domain names from which emails are either allowed or disallowed.  Now, there are lots of free lists available on the Internet, such as and  There are lots of different sites that provide these black and white lists and also a lot of companies that incorporate them into their software.  This approach is rather labor intensive and nowadays the spammer fairly easily evades it because they're using such big botnets and so the spam is originating from lots of different domains.  Also, one of the big criticisms of these lists, particularly black lists, is that if a genuine address is added to the black list it can take a long time to get it removed and it causes a huge problem for the victim while their IP address is being blocked. 

Another less popular technique is called challenge and response.  This works by the technology intercepting incoming emails and sending a challenge to the sender such as a request to click on a link or answer a very simple question.  If they send a correct response to the challenge message, the original message is forwarded on.  Otherwise the message is disregarded.  What this approach does is that it authenticates the sender by confirming that they actually sent the e-mail.  The basic idea is to require some element of human participation in the sending of the response so that the recipient knows that it's not a spammer that sent it. 

In theory this looks quite an effective approach to stopping spam, but there are some various drawbacks that need to be considered.  The challenge response process effectively shifts the work of filtering e-mail from the recipient to the sender, legitimate or otherwise.  If you think about this, your clients may well not bother to go through the challenge response in order to communicate with you.  You are also unlikely to receive e-mail subscriptions you've requested, as publishers are not going to complete the challenge response when they have thousands of messages to send. 

Content filtering.  This has been the most popular technique used to try and combat spam and, as I mentioned earlier, was used in the very early days by looking at message headers and the content of the message to look to see whether the content of the message contains spam.  A lot of people feel that content filtering has outlived its useful life, given the advent of Spam 2.  It certainly does block a percentage of spam, but it is struggling to keep up with the changing behavior of spammers.  One of the other problems with content filtering is that it can frequently misclassify legitimate e-mail as spam.  So, you might be waiting for a message from somebody and it never gets through because the content filter deemed that the message was spam.  This is called false positive and can cause a lot of problems in lost emails. 

The next method that is gaining popularity is traffic analysis.  When a spammer sends out spam, the traffic that it generates is quite different to that of legitimate emails.  What traffic analysis does is monitor the traffic going through the network or the mail server and works out whether it's a strong likelihood or not that the messages are going out whether they're spam.  This is different from content filtering in that content filtering actually looks inside each e-mail whereas traffic analysis just looks at the general nature of the traffic to determine whether the messages are spam are not. 

My favorite version of this is bandwidth throttling.  What bandwidth throttling does is it looks at the nature of the e-mail traffic that is being sent out, and instead of actually blocking those mail messages, just throttles the bandwidth that they're allowed to use.  What this does is reverse the burden of spam back to the spammer.  By reducing the amount of resources that the network is providing to the spammer, it slows down their spam dramatically.  This means that it can take a long time for a spammer to send out all their spam and that's one of the economic drivers - that they're sending a lot of spam in a short space of time at no cost.  I want to look at bandwidth throttling just a little bit further because I do think that it's possibly one of the ways ahead as we look to the future. 

What bandwidth throttling does is that it slows down the connections from paths that are judged to be sending spam.  It dynamically adjusts the resource allocation to accept valid e-mail while slowing what it deems to be spam down to a trickle.  One of the big advantages of this is that there are no false positives.  It is not actually looking at the emails themselves and deciding that they're spam or not.  What it's doing is assessing whether the flow of emails are likely to be spam and if they are, it throttles back the bandwidth and resources that it's allocating to processing them, therefore really slowing down the amount of spam that a spammer can send.

I want to quickly look at some of the technology-based industry initiatives.  What we've looked at so far is the general means of trying to halt the flow of spam into people's mailboxes.  Fortunately, the industry has decided that it needs to come up with an industry-wide approach to combating span.  For example, with Internet products there's quite a bit of politics and in fighting over which method to adopt.  Really, there are 2 camps that are emerging, looking at slightly different technologies to try and identify e-mail senders.  Sender ID has been around for a couple of years and is an e-mail authentication framework that is championed by Microsoft.  What it aims to tackle is the problem of verifying a sender's identity by checking that each e-mail message originates from the Internet domain from which it claims to have been sent. 

Most spam emails sort of forge or spoof the sender's address on their e-mail messages.  What sender id does is that it lets the receiving mail server determine whether the sending mail host is actually authorized to send e-mail for a particular domain.  This is done by checking the address of the server sending the mail against a sender policy framework record published in the sending domain's DNS records.  This verification is automatically performed by an internet service provider  or recipient's mail server before the e-mail is actually delivered to the user.  Sender ID is a combination of Microsoft's caller ID for e-mail and sender policy framework.  Sender ID and sender policy framework differ somewhat in that they address slightly different problems.  They validate different header fields and work at different levels of the e-mail system.  Sender ID actually requires sender policy framework in order for it to work, which makes it a higher-level protocol. 

Now, as with most Microsoft-led initiatives, there has been some controversy.  Depending on how Sender ID is implemented, it can be incompatible with existing specifications.  Also, Microsoft holds patents on key parts of Sender ID.  Though they have said that they're going to police these patents under the open specification promise, which should make them compatible with free and open source licenses.  Hopefully this will encourage the release of more products and services using Sender ID technology.  According to Microsoft, about 5 million domains currently use Sender ID.  This means that around 30% to 36% of all legitimate e-mail actually uses this technology.  Microsoft obviously uses it to check its own incoming mail to its own servers and those of MSN and Hotmail. 

There are other technologies in development to combat spam, as well, which include sign-in solutions.  Yahoo has created domain keys.  This uses public key cryptography as part of its authentication process.  This will certainly prevent some types of attacks, but deployment is not going to be as easy.  Also, they can't reject a message until the whole body of the message has been received, whereas Sender ID can.

How well does Sender ID stop spam?  It's a significant step toward cantering spam and phishing attacks.  It's also very easy to implement.  However, it does require everyone to create a SPF record for their domain so that senders can be verified, and this isn't happening overnight.  This is one of the problems with a lot of the technology-based industry initiatives is that it will require the whole industry to agree on either one or two initiatives and implement them right across the board.

Some of the other anti-spam initiatives involve education and awareness.  Banks are doing a very good job in this role because the banks have been subject to lots and lots of different phishing attacks, so they are working hard to try and educate their users about the problems of opening unsolicited e-mail.  Also, a lot of e-marketing organizations are trying to establish ethics amongst their users to try and prevent what is legitimate bulk e-mail being classified as spam and being prevented from reaching people's inboxes.

The Anti Spam Research Group investigates tools and techniques to mitigate the effects of spam.  Their main focus is on technology solutions and is part of the Internet Research Task Force.  They tend to focus on the longer-term research and everyone is very hopeful that they will come up with ideas and solutions that might help us to combat spam in the future. 

The Stop Spam Alliance is a joint international effort, trying to coordinate antispam initiatives around the world.  The objective of the Stop Spam Alliance is to help coordinate international action against spam and related threats by effectively gathering information from resources and research that's taking place amongst all its participants. 

What can you do, if you're running an enterprise, to try and prevent the amount of spam you're receiving from having a dramatic impact on your overall business?  Certainly, where technology stands at the moment, you're going to have to look at multiple techniques across the enterprise to stand any chance of keeping the amount of spam down to a minimum.  I think that manual specification is important.  It gives your users the ability to finesse the inbox rules and message rules to ensure that they can get the messages that they need and also stop messages that are coming through despite other solutions that you may have in place.  Content filtering is still going to be an important part of your anti-spam strategy. 

Although as we've seen with Spam 2 content filtering is really struggling to keep up, it does keep out a lot of the less sophisticated spam that is sent.  So, it is going to be part of your overall strategy.  Traffic analysis is going to be important as well, and I think traffic analysis is the way a lot of technologies are going to be going in the future.  Purely because the spammer is becoming very sophisticated at avoiding content filters, whereas traffic analysis picks up on the fact that spam, when it's sent out in bulk, creates quite a distinctive traffic pattern that can be picked up by sophisticated technologies.  So, you'll be looking at desktop-based products.  A lot of these are fairly well known.  They need to be installed on the desktop so that the user has got some of their own control.  Server-based products are going to be doing the bulk of the content filtering and traffic analysis, looking at mail that's coming into the network. 

Finally, you do service-based products, as well.  This is where you actually outsource your mail services to an organization that's set up to deal with the problems of spam.  They will be using black and white lists, content filtering, traffic analysis and other techniques, such as bandwidth throttling, to control the amount of spam that actually comes into your organization.  They're taking a lot of the load that's required to service big mail servers.  They're taking it off your hands, processing all the e-mail first before letting it through to your own servers.  For a lot of organizations, this is quite economical because it reduces the number of in-house resources to try and handle the amount of spam that a large organization will be having.

What will be your plan of action to implement an effective antispam enterprise strategy?  First of all, you must review and assess the various technologies, certainly the ones we looked at.  There are lots of different offerings in this sector of IT security and it's very important to pick one that fits well with your own particular infrastructure.  Processing e-mail is resource hungry, particularly when you're looking at content filtering and traffic analysis.  It's very important that you assess what sort of impact the solutions you look at have on your infrastructure.  I know your boss is probably bemoaning your mantas for spam that gets into his inbox, but if the spam stops but emails are taking a lot longer to send and receive because of the various technologies you've introduced, he's not going to be happy with that either.

Finally, something that a lot of people forget when they are looking at anti-spam technology, because spam is such an emotive topic, is a cost-benefit analysis.  There's no point in spending a lot of money to completely eliminate spam, because I doubt very much whether you'll actually be able to do that.  You have to agree on what is an acceptable level and then look at the cost of trying to achieve that.  Because trying to eliminate those last couple of spam messages, the money you would have to spend probably wouldn't be worth it.  So, do look at the return on investment when you're looking at the various technologies that you want to implement.

There's no point in introducing a lot of new spam technologies if you don't back that up with an antispam policy.  It's going to be very important that as an organization yourself, you manage your own e-mail output.  As a large organization, I'm sure that you'll have various different mailing lists - the customers, the suppliers, the staff and other third parties.  It's very important that you limit the number of mass mailings that you do and control access to the mailing lists so they're not overused by overzealous salesmen within your organization.  It's also very important to have a well-stated public policy that gives people opportunity to opt in to receiving your communications and also the ability for them to easily unsubscribe to your communications as well.  This way you'll be seen as a responsible bulk emailer.  Also, you need a fair usage policy, which should cover both e-mail and Internet fair use amongst your own staff.  By actually educating your own staff about the problems of spam, both sending it and receiving it, will help reduce the amount of spam that's being sent and will reduce the amount of spam that you're receiving.

Let's just have a quick look to see whether you are a spammer.  A lot of organizations don't realize that from the outside they may well appear to be a spammer themselves and it is a very emotive subject.  Back in November 2004, Lycos Europe actually released a screensaver called Make Love Not Spam.  What this did was created a distributed denial of service attack against the spammers themselves. This met with a large amount of controversy and they pulled the screensaver just a month later.  This shows you what an emotive issue spam is and that people aren't really sure how to go about combating it. 

You have to think about your own newsletters and mass mailings.  Are you sending out too many?  Have people been able to have the opportunity to opt in and out and unsubscribe to your newsletters?  Do you have any zombies, or compromised PCs, within your own network?  The bulk of spam now is coming from computers that have been compromised and are being used by spammers to send out their spam.  You need to ensure that your own network hasn't been infected.  You also need to check your feedback forms on your website, such as guest box or comment forms.  If they're not correctly configured, spammers can hijack those and use those to send out spam, as well. 

So there are a lot of areas you need to look into to make sure that, as an organization, you're not being either used by spammers or seen as a spammer, though you think the emails you're sending are legitimate.

What sort of future battles are we going to have going forward?  I think there will be a lot more laws and regulations passed, although, at the end of the day, I don't think they're really that effective.  I think that the problem is becoming so large and the cost so high that it will force governments around the world to try and introduce more legislation than we currently have at the moment.  The OECD has a task force on spam.  In the US  the Can Spam Act passed in 2003, although this hasn't really proved to be that effective.  There are also going to be cost-based conflicts.  We've seen AOL stating that people, to send large amounts of e-mail to their AOL users, they would have to pay a fee.  A lot of people felt this was very unfair, but it is one way of trying to control the misuse of bulk e-mail.  I think we're going to see more of these cost-based issues as we go ahead as people desperately try to find ways to prevent spam from becoming an ever-increasing problem. 

With ongoing initiatives, for one, there's the Spam House Project.  What this tries to do is track Internet spammers and spam gangs and provide dependable, real-time anti-spam protection for ISPs.  Its early work with law enforcement agencies was to try and identify and pursue spammers worldwide.  Spam got loose started back in 1998 and although it's since been taken over by un-port Systems, it still works as a free spam reporting service, allowing recipients of unsolicited bulk e-mail and unsolicited commercial mail to report offenses to this end of Internet service providers. 

So, there are different ways that people are looking at trying to bring the problem of spam under control.  Sadly, though, I think, unless we can get a global initiative and global agreement on a way that we can really tackle this problem, it's not going to be a problem you'll ever solve.  Sort of a low note to end on, but I think you have to be, certainly when you're looking at your enterprise strategy, you have to be realistic and accept that you're never going to completely eliminate your spam.  You have to come up with a strategy where you can control it to an acceptable level at an acceptable cost.

Eric Parizo:  Thanks.  Great presentation, Michael.  Thank you so much.  Michael, I have a few follow-up questions for you. 

You covered both technology-based antispam initiatives as well as those based on regulation.  Philosophically speaking, I'm wondering if there's an approach that you feel is more effective. Should either have an edge in the way that enterprises approach spam?               

Michael Cobb:  I think, in terms of what we've seen in the past, when people have tried to introduce legislation to control the Internet or control the way it's been used, it's not that effective.  It tends to add to the barriers and hurdles to the genuine user, yet has really little impact on those that want to use the Internet for illegal or malicious means.  So, I feel that the best way that we're going to tackle spam is through a globally agreed technology initiative.  I think this is probably going to be some form of key signing, something along the lines of Sender ID, or Yahoo's initiative.  It's going to have to be something like that.  Unfortunately, at the moment, we've got the different players all vying to promote their own solution.  Until we get a global agreement the spammers are going to be able get through the cracks.  They only need a small crack and they can send an awful lot of e-mail.

Eric Parizo:  Michael, following up on that and your closing to your presentation, I'm just wondering what you think it'll take to actually get a global, international accord on spam?  It seems like the problem is large enough to merit that kind of cooperation, but it just hasn't happened.

Michael Cobb:  I agree.  Back in 2001 the European Union estimated that spam had cost users 10 billion euros.  In 2004, the California legislature estimated that spam had cost $10 billion.  These are big numbers and they're growing all the time.  I would have to think that we're close to the point that the cost of spam is so high for everybody that it will force a global initiative where politics and commercial interests can be put aside and people come up with an agreement.  I think, although I feel that it will take technology and not legislation to solve the problem, some sort of international agreement or legislation that says that anyone running a mail server has to follow particular guidelines, has to be registered under the Sender ID policy, that type of thing, that might start to move everybody in the same direction. 

Eric Parizo:  Michael, let's circle around and talk about the technology again for the moment.  Can you explain a little more about the differences between traffic analysis and bandwidth throttling technologies?  They seem like they have some similarities.

Michael Cobb:  They do, indeed.  It's more what the technologies do as a result of analyzing the traffic.  Traffic analysis determines whether the emails are spam by analyzing the traffic flow and then stops them.  Bandwidth throttling goes through the same process of determining whether emails are spam, but it doesn't actually stop them.  All it does is reduce the amount of resources that the particular connection can use to send the emails.  So, this greatly slows down the number of emails that a spammer can send.  Since it's economics that are driving spam, if you start to make it uneconomical for spammers by slowing their emails down to a complete trickle, they'll ether give up or have to go and attack or try and use a softer target.  So, traffic analysis actually stops the e-mail whereas with bandwidth throttling, the emails will finally get through, but the spammer will probably be long gone and given up before the bulk of their spam has gone through, because they're looking for quick, sharp blasts of spam.  The bandwidth throttling just reduces the resources they've got so their spam is not going out quickly enough for them.  Why I like it is that it's starting to try to turn the economic balance against the spammer and that is going to be one way of curing spam - making the economics not stack up for the spammer.  I think that bandwidth throttling is one of the technologies that are starting to do that.

Eric Parizo:  Michael, here's our last question.  What would your ideal enterprise anti-spam infrastructure look like, if money were no object and you could do whatever you wanted to do?  Just give us a sense of what that picture would be and how successful you think it would be?

Michael Cobb:  It probably wouldn't look too different from what most people have nowadays, with the desktop that have their own antivirus, antispam software installed, particularly on mobile devices, such as laptops.  I think that's one of the problems, mobile devices aren't always connected to the network tend to be infected more often and they introduce infections into the network.  I would still be using content filtering, but I would be looking to prioritize spending on things such as traffic analysis and bandwidth throttling because I think that spammers are innovative that content filtering does struggle to keep up with the different techniques they use, whereas traffic analysis is looking at the fairly unmistakable pattern of what bulk e-mail looks like.  I would also be looking to implement one of the industry initiatives such as Sender ID. 

As I mentioned earlier, those initiatives aren't going to be the cure until everybody is using them, but certainly I would want to part of that.  I would also be looking at using some form of key signing or ways to be signing emails so that at least my customers could verify that they emails they'd received from my organization had actually come from the organization.  I think that's an area that the industry is probably going to have to focus on and come to some agreement of how they're going to implement digital signatures on a cost effective basis for everybody.  I would certainly be looking to join some of the organizations that are working against spam to make sure I was up to date about the latest initiatives and ideas.  At the end of the day, though, I wouldn't blow my whole budget on trying to fight spam, because I think that you get decreasing returns trying to stop those last one or two.  I think that I would have to explain to my users that they're always going to get some spam, but we're doing our best to reduce the amount as best we can, as cost effectively as we can. 

Eric Parizo:  So, everything but the kitchen sink, it sounds like, would be the ideal scenario.  I'm just wondering, quickly, Mike, if you think management is unruly in that regard?

Michael Cobb:  I think there has to be more done on user awareness about the problems of spam.  People are becoming more aware about phishing attacks and dangers to their own personal data.  Unfortunately, a lot of people, when they get to work, tend to not be quite as careful and they tend to click on messages and links and open attachments that they wouldn't at home because the evidence shows that a lot of compromised computers that are part of the bot nets that are used to send spam exist within large enterprise networks.  So, I think there is more work to be done at a management level trying to ensure that the enterprise network hasn't been compromised and isn't being used by spammers to send more spam.  If we can shut down the bot nets, that will again shift the economics of sending spam and make it less attractive.

Eric Parizo:  Alright.  Very good, Michael.  Thanks so much for your insight today.  This brings us to the end of today's webcast.  Once again we'd like to thank Michael Cobb, Founder and Managing Director of Cobweb Applications for joining us today.  Be sure to check out more resources from our messaging security school by visiting  Thanks to all of our listeners for joining us on this webcast. Stay safe out there.

View All Videos

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.