Future Tense: Spam! A Lot!
Depending on who you ask, the percentage varies, but it’s always high. Way too high.
Allegedly, 90% of internet traffic is spam. Or maybe it’s 95%.
Personally, I don’t see as much spam as I used to. I use Gmail and its spam-filtering is pretty good. I haven’t heard from any Nigerians in a long time—which kind of disappoints me, because I always regarded the Nigerian swindle as an opportunity to have some fun.
I learned a long time ago that if something sounds too good to be true, it probably is. So when someone sends me an email telling me that if I will send them my bank account number, they’ll send me ten percent of forty million dollars, my BS alarm goes off big time.
I used to reply to the Nigerians with: “All of us here at the International Outreach Effort of the Institute for Homosexual Research are thrilled at your generosity. Your continuing donations will allow us to do important work all over Africa, educating people everywhere on the importance of gay liberation…. Please tell us how to proceed, etc.”
Why this? Because homosexuality is criminalized in Nigeria. Extremely so. So if someone is monitoring emails in Nigeria, this might very well put a few swindlers out of business in a very nasty way. As far as I’m concerned, swindlers are fair game. And no, I’m not a nice man. Why do you even bother to ask?
But getting back to the subject at hand, the percentage of internet traffic dedicated to malware, trojans, spyware, and spam is still on the rise. It’s an evolutionary process. The more that users protect themselves with security measures, the harder the spammers have to work to get through—and that means increasing both the aggressiveness of the spam they put into the cyber-ecology and the quantity.
While most power-users use a combination of security tools and common sense, there are still way too many people who remain vulnerable to pernicious little phishing tricks. The inventiveness of the criminal class is often astonishing.
The problem with the internet is that it is exactly what it was designed to be.
The original specification for the DARPA network that eventually became the internet was for a failure-proof network. The breakthrough was the idea that information did not need a continuous one-to-one connection for transmission. Data could be sent in packets from one node to the next. If any node failed, the packet would automatically detour around that node until it found a path through the network to its intended destination. The multiplicity of nodes was the rugged strength of the internet. Internet Service Providers (ISPs) became the entry and exit points for users, providing numerical addresses. What we call the World Wide Web was made possible by linking those numerical addresses to site-specific names like www.google.com or www.maximumpc.com.
But underneath the names, the numerical addresses are still the real addresses. When you type in a site name, a Domain Name System (DNS) server resolves it to the numerical address to make the connection.
And therein lies a partial solution to the problem of spam. Partial.
All spam and malware has to have an entry point. The ISPs control internet traffic. If ISPs had the power to shut down spammers at the source, a great deal of spam could be virtually eliminated. And to some degree, some ISPs have been responsible about shutting down criminal operations—when they are aware of them.
One part of the problem is that a lot of spam and malware comes in with spoofed (false) home addresses. One of the better suggestions I’ve heard is to add authentication to packet forwarding. Very simply, the receiving computer would send an inquiry back to the sending address. Did you send this message? If the address has been spoofed there will either be a negative reply or no reply at all, and the receiving computer will discard the packets as invalid. This would stop some, perhaps even many, kinds of malware schemes.
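The "did you send this?" inquiry described above, sketched as an added example (not code from this column): the receiver sends an HMAC-bound token to the claimed address and keeps the packet only if the sender echoes it back. The key, the addresses, the `Host` class and all function names are constructed for illustration, and the network is simulated in memory.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # receiver-only secret (constructed for this example)
MAX_AGE = 30                        # seconds a challenge stays valid

def make_challenge(claimed_src, now=None):
    """Stateless token bound to the claimed sender address and issue time."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(SECRET, f"{claimed_src}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def verify_echo(claimed_src, token, now=None):
    """Accept only a fresh token that was issued for this exact address."""
    now = int(time.time() if now is None else now)
    try:
        ts_text, mac = token.split(":", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False                       # no reply, or a malformed one
    expected = hmac.new(SECRET, f"{claimed_src}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and 0 <= now - ts <= MAX_AGE

class Host:
    """A sender that sees only what is delivered to its real address."""
    def __init__(self, real_addr):
        self.real_addr = real_addr
        self.inbox = []

def receive(packet_src, sender, hosts, now=1000):
    """Receiver side: challenge the claimed source, keep the packet only if echoed."""
    token = make_challenge(packet_src, now)
    owner = hosts.get(packet_src)          # the challenge goes to the claimed address
    if owner is not None:
        owner.inbox.append(token)
    # The sender can echo only a token that actually reached its own inbox.
    echoed = sender.inbox[-1] if sender.inbox else None
    return "accept" if verify_echo(packet_src, echoed, now + 1) else "discard"
```

Because the token is derived from the receiver's secret rather than stored, the receiver keeps no per-packet state while it waits for the echo, which limits the cost of the extra round trip.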
A few years back, I got an angry email from someone I did not know, claiming that I had sent him spam. I politely pointed out to him that the latest (at that time) trick of spammers was to raid the contact list of the infected computer, using one or more names from that contact list as spoof-addresses for the spam sent to everyone else. The enraged person replied that I was still at fault for having my name in the contact list of someone so careless as to allow his machine to be infected with malware. I replied that he had obviously been equally at fault for allowing his name to be in the same contact list. He did not reply to that. (Okay, I already admitted I’m not a nice man. Why do we keep having to have this conversation?)
One objection to authentication schemes is that they might slow down honest traffic—but my theory is that if we could eliminate the 90% of the traffic that is spam, everything else gets speeded up correspondingly and there’s more than enough time for authentication.
Another way to attack spammers at the source is to shut down questionable addresses—but spammers buy addresses by the terabyte. Shut down one and the spammer will open six more. It becomes a wild moose chase. (Geese are easy to track. Do you really want to piss off an angry moose?)
Let’s consider another way to improve internet security. I call it the ISP-peer-pressure method. Let’s assume there’s an ISP that provides a safe-haven for spammers and pirates. (An easy assumption, there’s more than one.) After enough back and forth traffic, it should be obvious how much of that service provider’s traffic is malicious. At that point, other ISPs start downgrading its traffic, slowing it down more and more until that ISP becomes functionally useless. It then becomes the responsibility of that ISP to police itself. When it cleans up its act, restoring its integrity, the service resumes. (Of course, this does penalize the honest users of that ISP, but I don’t doubt they will put immediate pressure on their ISP to get rid of the customers who compromise their access.)
This would probably require a rating system among ISPs, based on an analysis of traffic or some other reliable metric, but I can’t think of a better way to control spam than to put the responsibility for policing it onto the shoulders of those who are profiting by providing the access.
There are probably other good methods to go after internet criminals and spammers. But ultimately, it boils down to a question of cost-effectiveness. How much time and effort and resources are you willing to spend to guarantee your security? And how much time and effort and resources is the criminal willing to spend to break your security?
Because the individual is effectively outnumbered by the spammers and because no anti-malware is 100% effective, the only real defense is a united effort. Given that cyber-crime is now costing all of us hundreds of millions, even billions of dollars a year, we can’t afford not to take action.
In principle, we need to make it so hard for spammers to do their mischief that it’s no longer cost-effective. In practice…there will always be those who can’t resist the challenge, whether it’s profitable or not.
But I believe there’s a lot more we can do and must do to make spam unprofitable.
What do you think?
JohnP
July 09, 2010 at 1:48pm
One MAJOR objection I have is the often quoted "cyber-crime is now costing all of us hundreds of millions, even billions of dollars a year". Now I have never lost a cent to "cyber-crime", my kids have never lost a cent, my sisters have never lost a cent, my in-laws, my nephews, my friends. So exactly WHO is losing all this money and HOW do we "know" exactly how much is being "lost to Cyber-Crime"?
Me, I implicitly trust Symantec to tell the exact truth about how much money is actually lost. Question though, if we are losing billions of dollars a year to cyber-crime, aren't Norton and all the other Internet security programs AT FAULT? Should I sue Symantec for making a product that fails to prevent "cyber-crime" or is it all the OTHER anti-virus companies' fault?
And another point. If we lose billions of dollars to cyber-crime but we spend billions of dollars for protection (which apparently we are NOT getting), which is worth MORE? I mean if I have never lost any money but am spending $150/year for my 3 computers' protection, then I am LOSING MORE MONEY THAN I AM PROTECTING. It would be worth it to me to STOP buying protection!
One last question. If I WERE to lose money to cyber-crime, would I be able to get a TAX BREAK on it? I mean, if I have capital losses over losing money in poor stock buying and selling, I get a tax break. Is there a place on my 1040 tax return for "paid $30,000 to a Nigerian e-mail scammer"? How would I prove it to an IRS auditor, go to Nigeria and get a letter of payment? Now, I am a relatively honest man, but having a $3,000 tax write-off for 10 years sounds pretty good to me!
What a crazy, freakonomic way of looking at cyber crime!
nHeroGo
July 08, 2010 at 2:24pm
Please don't be so down on spam. It is good for the economy.
Good to see your reply to the Nigerians. Good warm-up for you. Soon you get to do that to Texas GOP as well, as they intend to make homosexuality a felony. Homosexuality, the new nigger.
lostcause64
July 08, 2010 at 11:58am
I couldn't stop laughing! It's refreshing to see "famous" people with the same attitude I use when it comes to dealing with the fungus of the human race. I'm not a nice man, either, with evidence of that being in my screen name. I received the name lost cause from family...
My anti-spam solution is to have multiple email addresses. I have an old, free, Juno account from back in the day that I use for junk mail, or it's the address I use when I expect to be spammed. I have other addresses I give out with various levels of trust up to my main address that not even all of my friends get. It's been very effective over the years, especially since I don't even have an email program on my pc. No need for me to download a possible problem when I can look at it online and flush it up there.
John
Have you ever wondered why intelligence can normally be found in an individual, but runs screaming in terror from a group? Though, there are exceptions...
kiddcreole99
July 08, 2010 at 11:54am
If you support net neutrality, then ISPs policing their subscribers to reduce spam or stop spammers is not an option. While I hate spam as much as the next person, I am not willing to forgo neutrality to prevent it. If we want the freedom to do and see what we want on the internet without restriction, that opens the door to malicious behavior. We can't "cherry pick" what is or isn't filtered/restricted.
As for using a peer pressure system like you mentioned, spammers could also use this approach to almost or completely DoS an ISP (and all of its associated users) by intentionally targeting AT&T, for example, by attaching to their network sending tons of spam, and having the peer ISPs downgrade AT&T's traffic. The spammer doesn't care because they can just move on to Comcast, Mediacom, or a host of other ISPs and DoS them as well.
It would be great to be able to shut spam off at the source, but what are the trade-offs we are willing to sacrifice? The best option listed, IMHO, would be your first suggestion of a SYN/ACK type of validation to the source of the traffic, but as you mention, that could slow things down and there could be malicious uses for that very functionality.
I don't have a good solution to shutting the problem down at the source, so I do what I can to prevent or contain it at the destination. As long as anti-spam software catches the majority of the trash for C!aL!$ or V!Agr@, I am ok with the occasional Nigerian scam getting through. How can you have fun with them if you don't get those emails once in a while. ;-)
Biceps
July 08, 2010 at 12:30pm
That is how it became the Philippines' favorite noon-day treat! The fact that someone named malicious emails after a perfectly square meat product is unfortunate.
While I appreciate the author's creativity here, I must agree that SPAM is now, and will forever be, a fact of life. The internet is a new technology (really, 20 years of common-people usage is pretty new), and it means that there are still entire generations out there who don't only not know how to use the internet, they aren't aware of the dangers inherent with internet usage, email, phishing, etc. My grandmother only knows one kind of fishing, and it is spelled with an 'f'.
I agree with kiddcreole that net neutrality is far more important than avoiding a few annoying (and occasionally entertaining) SPAM emails. Maybe Australia or North Korea would be interested in having ISPs filter for SPAM, but I seriously doubt that Americans would go for it if they understood the implications.
timmyw
July 09, 2010 at 10:33am
You doubt that Americans would go for it? They cheered when the Patriot act was passed.
This is how liberty dies, to thunderous applause. --Padme Amidala
You did say "if they understood the implications" but how few Americans can be bothered with understanding anything. If they understood the implications of spam, they wouldn't respond. If no Nigerian ever got money they would eventually give up. If no one bought little blue pills from a spammer they would eventually give up. If they understood the security implications of phishing they wouldn't be ripped off. I think you seriously overestimate the reasoning abilities of the general public.
Even if it means that we are exposed to the seedy underbelly of the Internet, I would take that any day over giving government any control over Internet traffic.
IFLATLINEI
July 08, 2010 at 10:21am
I'm cracking up over here! I too miss messing with the Nigerians.
I can't help wondering. If Spam makes up 90-95% of all internet traffic then what's all this business of throttling and capping customers? I thought torrents and video streaming were monopolizing the bandwidth?
dedgar
July 08, 2010 at 6:58pm
Torrents and video streaming are sucking up bandwidth necessary for spamming. lulz














