Adam Shostack (currently at Microsoft in the role of security program manager and with whom I worked on a security audit of the service delivery platform at Radialpoint) and Andrew Stewart recently published The New School of Information Security.
The authors want to change our way of thinking about Information Security, a tall order. Basically, they argue that security decision making should be based on real evidence and data, and that the analysis of that data should draw on approaches from a wider set of disciplines.
I recommend the book to both industry practitioners and customers, and wanted to share some of the commentary on email security and spam. The next few paragraphs borrow heavily from the book.
There are really two kinds of spammers, the annoying ones and the outright fraudsters. The annoying ones are companies you have done business with in some form and that continue to communicate with you after you no longer want it (many, too many, companies fall into this category; this type of communication sits at the edge of most spam definitions and is sometimes subjective). They might also have passed your email address to a subsidiary or partner who acts in the same way. The outright fraudsters push sex pills, dating services, stock scams or credit fixes and often use compromised computers to send these messages.
The annoying ones might try to hide behind consent, claiming that you knew they would be sending you stuff and sharing your address, when in truth you weren’t really paying attention. The fraudsters might use other spam to direct you to malware (or sites with malware) that infects your computer and joins it to their army of spamming bots. Or, they engage in lower-level fraud, by sending you defective products, charging your credit card and never sending anything, or selling your credit card to a nefarious 3rd party.
Fraudsters will use phishing attacks as well, in which legitimate companies are impersonated. Studies show that most people have a lot of trouble distinguishing a legitimate email from a fraudulent phishing email (in fact, most people have trouble recognizing certain types of annoying spam when the message is directed to someone else). The authors suggest that the simple business practice of not including links in such emails, and instead inviting customers to reach the website from a bookmark, would alleviate this problem. For added security, that legitimate web address could be delivered to the customer using traditional mail.
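One way a company could actually enforce the "no links in customer email" practice is to lint its outbound notifications before they are sent. The following is an added example, not code from the book or from this post: it parses a message, scans both the text/plain part and the text/html part (anchor hrefs as well as visible text) for web URLs, and fails any message that carries one. The sample messages are constructed for the example and use reserved example domains.

```python
"""Outbound-mail lint: flag web links in customer notifications.

Added example (not from the book or the post). Sample messages below are
constructed; the domains are reserved example names, not real services.
"""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser

# Matches scheme-prefixed or www.-prefixed URLs; bare domain names are not
# flagged, since the policy only forbids clickable/pasteable links.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")


class _HtmlCollector(HTMLParser):
    """Collects anchor hrefs and the visible text of an HTML part."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def _text_of(part: Message) -> str:
    """Decode a leaf MIME part to str using its declared charset."""
    payload = part.get_payload(decode=True)
    if payload is None:
        return ""
    return payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def _urls_in(text: str) -> list:
    # Strip trailing punctuation that commonly follows a URL in prose.
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def find_links(raw_message: str) -> list:
    """Return (location, url) pairs for every web link found in the message."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            findings += [("text/plain", u) for u in _urls_in(_text_of(part))]
        elif ctype == "text/html":
            collector = _HtmlCollector()
            collector.feed(_text_of(part))
            # mailto: anchors are not web links, so they are allowed.
            findings += [("text/html href", h) for h in collector.hrefs
                         if not h.lower().startswith("mailto:")]
            findings += [("text/html text", u) for u in _urls_in("".join(collector.text))]
    return findings


def check_outbound(raw_message: str) -> bool:
    """True when the message complies with the no-links policy."""
    return not find_links(raw_message)


# Constructed sample messages.
CLEAN_NOTICE = """\
From: service@bank.example
To: customer@example.test
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Sign in from your saved bookmark or type the address
printed on your welcome letter; we never send links in email.
"""

PLAIN_WITH_LINK = """\
From: service@bank.example
To: customer@example.test
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is ready. View it at https://statements.example.test/view?id=123.
"""

HTML_WITH_ANCHOR = """\
From: service@bank.example
To: customer@example.test
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please verify your account details.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://login.example.test/reset">verify</a> now.</p>
<p>Questions? <a href="mailto:help@bank.example">Email us</a>.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for name, raw in [("clean", CLEAN_NOTICE), ("plain", PLAIN_WITH_LINK),
                      ("html", HTML_WITH_ANCHOR)]:
        print(name, "PASS" if check_outbound(raw) else "FAIL", find_links(raw))
```

Run as a script it prints one PASS/FAIL line per sample; wired into a mail pipeline, `check_outbound` would gate the send. Note that the check is deliberately strict: anything that could be pasted into a browser is flagged, so the only way to tell customers where to go is the bookmark or the address sent by traditional mail, which is exactly the practice the authors recommend.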
Now, in line with the different thinking model on Information Security in the New School, will we ever be able to stop spam? This question can have two meanings: i) will we ever be able to stop spammers from trying to spam, or ii) will we ever be able to prevent all spam from getting through to end-users. The book and this post address the first question, which is more socioeconomic than technical.
Here, the authors learn from economics. The spam ecosystem and economy includes people with products to sell, middlemen who market the products and infrastructure providers who send the messages. Spammers (the outright fraudsters) invest time and effort to get past security measures, by varying the messages themselves and also varying (and massively distributing) the origin of the messages. If you live outside of North America in a place where the cost of living is very low, there is an enormous cost advantage. The few fractions of a cent you might make per successful message will translate to a few thousand dollars, which go a lot further in Mozambique than in the U.S.
Those lower cost of living places will likely also have very lax security or spam laws, if they have them at all. In places where spamming might be illegal, spam fraud will not rate high as compared to more traditional (and slightly more violent) crime. Risks and deterrents to spammers are therefore very low, even with the recent highly publicized arrests of some mega spammers.
Externalities (i.e. what economists call spillover from an economic transaction) come into play as well. Who pays for the spam to be sent? The spammer? Not really, he is in a low-rent country and is using bots to send the spam. The owner of the infected PC that is now a bot? Not really, as long as the spammer doesn’t get greedy and under-distribute the spam command, the PC owner will not see a change in either system performance or bandwidth usage. There is not a large incentive for PC owners to have zombie prevention software on their systems.
So, according to the authors, put all these things together, “low risk, low penalty, good ROI, externalities”, and it is unlikely that we will ever be able to stop spammers from spamming. That is, of course, unless the answer to the second question is “Yes”.
In a future post, I will address that second question: will we ever be able to prevent all spam from getting through to end-users?