Who's going to take the rap for spam?

Graham Cluley, senior technology consultant at Sophos, looks at who should take responsibility for controlling spam. 

For many people, spam has become accepted as the norm - an irritant to be deleted without opening when you log onto your computer every morning. 

However, changes in the nature of global computer crime, with the growing presence of financially-motivated cybercriminals, has led to the growing realization that spam represents much more than just a nuisance to businesses and consumers.   

Huge quantities of unwanted emails are capable of clogging major corporate networks, causing delays which can result in huge financial losses for businesses. 

Another concern is that spammers are now using new techniques to try and dupe computer users into parting with sensitive information, or installing malicious code. 

Recently, Microsoft went so far as to warn that without some sort of coordinated action, spam, viruses and fraud could well render the internet unusable in the next five years. But one of the factors limiting such action has been the difficulty in determining who has responsibility for the problem, and therefore, who should be tasked with solving it. 

The US has long been identified as the world's worst spamming nation, relaying substantially more spam than any other country. 

Recent research into the top 12 spam relaying countries revealed that between April and September 2005, the US was responsible for relaying 26.35 per cent of the world's spam - more than 15 times the amount relayed by the UK, which was ranked tenth in the list. 

However, these figures do not tell the whole story, and before condemning the US, it is worth examining the situation 12 months earlier. 

While the US may still be responsible for relaying over a quarter of all spam, this actually represents a vast reduction in output, compared to the same period in the previous year, when it was responsible for an astonishing 41.5 per cent of all spam relayed. 

To bring about such a turnaround is commendable, and can be attributed primarily to tighter legislation, and a higher standard of security for Windows-based PCs. 

January 2004 saw the introduction of the controversial CAN-SPAM act. At the time this was criticized for allowing certain forms of spam to remain legal, while stating that recipients would have to actively 'opt-out' of receiving such messages, rather than the 'opt-in' process encouraged by the anti-spam industry. 

It was argued that the legislation would create greater confusion in an already complicated legal area, and could even encourage more companies to send unsolicited emails. 

Research conducted twelve months later, in December 2004, gave weight to this criticism, showing that the US had been responsible for relaying 42.11 per cent of the world's spam - far more than any other nation. However, the evidence now suggests that CAN-SPAM is finally making an impact - forcing prolific spammers either to quit the business or relocate overseas. 

Perhaps the biggest example of the crackdown came in September 2005, with an FBI raid on the home of suspected 'spam king' Alan M. Ralsky. 

Computers, laptops, disks and financial records were seized, essentially shutting down Ralsky's operations, which were based in his £430,600 Detroit property. Ralsky, who was already well known to the authorities, was a known backer of CAN-SPAM, having gone on record saying the act 'made my day'.   

Whether Ralsky still feels this way about the legislation remains to be seen, but it is clear that, with enough evidence, the US authorities now have the power to act. 

In November 2005, a 20-year-old man suspected of running a network of 'zombie' computers was arrested by the FBI, having allegedly amassed a profit of £34,450. 

Criminal hackers can use zombie PCs to launch distributed denial-of-service attacks, spread spam messages or to steal confidential information - without the knowledge of the owner. 

In this case Jeanson James Ancheta, the man accused, is said to have profited from his attacks by installing adware on a network of innocent third-party compromised computers. 

If convicted of all counts, Ancheta could face a maximum term of 50 years in prison. 

The US is right to be stepping up its efforts to apprehend those responsible for zombie networks - over 60 per cent of the world's spam currently stems from zombie computers. 

The introduction of Windows XP service pack 2 has had a major impact on reducing the amount of spam relayed from the US. The pack has given home users a higher level of security, and made it considerably more difficult to infect a PC and turn it into a zombie. 

Despite this, however, an unprotected Windows-based PC still has a 50 per cent chance of being infected by a malicious program within 12 minutes of connecting to the internet - without the user having to actively access or download anything.   

The reduction in the amount of spam relayed by the US has inevitably meant that other countries have seen a rise in their own figures.  South Korea is now responsible for relaying 19.73 per cent of global spam, with China close behind on 15.7 per cent. 

The UK, despite relaying substantially less than the US, has also seen an increase in 2005. But again, these figures may not be telling the whole story. 

In the Ancheta case, prosecutors state that some of the computers attacked were at the Weapons Division of the US Naval Air Warfare Center in China Lake, California and at the US Department of Defense. 

However, the advantage of using zombie networks is that the culprits don't actually have to be in the same country as the computers they are using. So while Ancheta is alleged to have attacked US computers, it would have been possible for him to take control of users' PCs in South Korea or China to do this. 

With so much spam being generated by these zombie computers, it is difficult to get a true indication of which nations are housing the biggest spammers. 

The conclusion to draw from this is that any attempt at curbing the impact of zombie PCs must be global in nature. 

For a start, ISPs have a responsibility to alert users worldwide if their PCs have been compromised, and help them to disinfect the problem as quickly as possible. 

ISPs can also do more to restrict the damage caused by the hijacked computers. 

While they currently scan incoming email, there is a strong argument that they should also scan outgoing emails, in order to identify abnormally high quantities of distribution. 

However, to truly eliminate the problem, there needs to be greater acknowledgement of the problem worldwide, and greater sharing of information between individual nations' authorities - a joined-up effort both to locate the zombie PCs, and to locate the criminals behind them.   

Graham Cluley is senior technology  consultant at Sophos, a world leading computer security specialist.  He is a respected security industry expert and has given talks around the world on the threats posed by viruses and spam. 

www.sophos.com 

in a nutshell 

  • Microsoft warn that without some sort of coordinated action, spam, viruses and fraud could well render the internet unusable in the next five years. 
  • Between April and September 2005, the US was responsible for relaying 26.35 per cent of the world's spam. 
  • The evidence suggests that CAN-SPAM is making an impact. 
  • A man said to have profited from installing adware on a network of innocent third-party compromised computers could face 50 years in prison.

January 2006

Blueprint for Cyber Security

Our vision is a world properly protected from cyber threat. This blueprint sets out how we can deliver that solution, starting in health and care.