A decade ago, e-mail spam was a dire problem. Annoyances flooded most inboxes. Any attempt to read your e-mail started with deleting the crud that had leaked through your defenses.
Many predicted the problem only would get worse. A few predicted that e-mail would be dead in just a few years, the filters would be overwhelmed, the war lost, e-mail readers buried under an avalanche of spam.
Today, e-mail spam appears to be a solved problem. A 2003 study put response rates at 0.005%. A 2008 study where the authors infiltrated a major spam botnet found response rates had fallen to under 0.00001%, only 28 sales out of 350 million messages sent. Spam filters appear to have forced down response rates three orders of magnitude in five years. Spammers have fought back with misspellings, adding additional text to mails, trying to customize each e-mail sent, and many other tricks to evade detection, but their increasingly complicated efforts have not been able to outwit the filters.
My own experience is that e-mail spam has become a non-issue. Despite prostituting my e-mail addresses undisguised across the internet, despite receiving hundreds of spam messages daily, nearly zero make it to my inbox. The ones that I do see typically are borderline spam, companies and small businesses sending to a small list rather than the mass splattering of true e-mail spam.
Amazingly, the drop in response rates from 2003 to 2008 may be close to making spam an unprofitable enterprise. There is a substantial amount of effort required to attack and manage a botnet of 1M compromised machines that can cheaply send 12M messages per day. Huge e-mail campaigns that attempt to work around spam filters require sophistication to devise and run. E-mail address lists have to be purchased and maintained. It appears to be getting to the point that even massive and complicated spam efforts like the Storm botnet generate surprisingly low revenues for what appears to be the work required.
What is your own experience with e-mail spam? Do you think the e-mail spam war has been won? Or are these declarations of victory premature?
I would argue that your declaration of victory is premature, but not for the obvious reason that spam in the inbox has been reduced. In that respect, spam in my inbox (and my spam folder as well) has gone way down in recent years and that is welcome.
However, two problems remain. First and foremost, there is still the problem of false positives. I still have to check my spam folder because the filters will occasionally falsely flag a legitimate email. Once I do find a desired email, I can flag it as non-spam to teach the filter and add the sender to a white list, but that is reactive. If you're receiving hundreds of spam emails a day, as you wrote, I imagine more than a few false positives slip by you.
Additionally, as an entrepreneur, sending email from a new company like mine that hasn't established itself with the many filters out there is very time consuming and inefficient. If there was a proactive way for a legitimate sender to register itself and either post a bond or pay e-postage, I think that would clean up a lot of email inboxes. I know e-postage proposals haven't gotten very far in the past, but if the spam response rate is now down to 0.00001% then the postage can be a lot lower as well.
The second reason we can't declare victory just yet is the very fact that the spammers and their resources, both botnets and humans, remain alive and well. If email spam continues to become less and less profitable then they will simply send spam in other forms such as on Twitter, Facebook, etc. Individual computers continue to get infected and people still foolishly click on requests from Nigerian princes. Unfortunately, we have to continue to apply technological fixes to our networks and teach people not to be so gullible.
Believe me, I wish we could declare victory, but we're not there yet.
If the spammers have lost, no one has told them. My Gmail spam box is still filled with thousands of filtered messages. I've heard statistics quoted saying that over 95% of email sent is spam and it's still increasing.
Clearly, enough people respond to the few messages that slip through the filters to make it worthwhile for the spammers to continue their onslaught. The war is still on and the spammers are still winning.
Take a look at this:
http://freakonomics.blogs.nytimes.com/2009/12/21/where-has-all-the-viagra-spam-gone/
and:
http://www.secureworks.com/research/blog/index.php/2010/02/10/spam-and-the-changing-business-model-of-cyber-criminal/
What about the problem of messages that do not reach the recipient? Spam control is sometimes done by just rejecting messages, keeping them from arriving at their intended destination. The recipient has no knowledge that this was done (and the sender may also be uninformed). Looking at one's junk folder will not uncover false positives that were never received. [Examples: Sites that reject all email that contains a clickable URL. Sites that reject all email that contains an .exe or .zip file attachment. Sites that reject email based on "content." Sites that reject all email from certain IP numbers.]