Spam Is on the Decline; What Are the Implications?

By Terry Zink
Terry Zink

Previously, I wrote that the total amount of spam that we are seeing has seen a significant decline over the past year and a half. What does this mean in real terms? Are we finally winning the fight against spam?

There are multiple angles. On the one hand, processing spam takes significant system resources:

  1. It takes up network bandwidth. A mail server must be able to handle 10x the load of messages because of all the spam.
  2. It takes of storage (disk) space. If you have a lot of spam, you are probably storing portions of it somewhere in a spam quarantine or on the network server in your mailbox's junk folder. This is akin to saving your messy neighbor's garbage in a garbage can in your own home.

A decline in spam means the hardware costs associated with stopping it are reduced. Hardware that was previously dedicated to providing capacity now can be reused into doing something useful (just like if nobody committed crime, we wouldn't need police officers and they could be used elsewhere). Pharmaceutical companies can stop spending resources on protecting their brands and going after spammers who impersonate their products. Users see less spam in their inboxes and don't have to muck through as much junk in order to get to the good stuff.

Sounds good, but the problem is not that simple.

As run-of-the-mill spamming through email has become less profitable (stock spam, products spam, etc), the spammers have shifted tactics. They have also reacted to the techniques that spam filters use. An example of this is sending out mail through compromised accounts. Whereas in previous years spammers used to send out mail directly through compromised machines, now the compromised machine connects to a free webmail provider like AOL, Google, Yahoo or Hotmail and sends out spam that way. Below is a chart that shows how much spam mail we get from each service since March 2010 (I don't have earlier stats, note that the left Y-axis is normalized):

Contrast this to the total amount of inbound spam (content filter + network rejections):

If you look at the total amount of inbound spam over this period you would think that it has declined. Yet paradoxically, over the same period, spam from the big webmail providers has ramped up (part of the reason for the huge spikes is that I have added additional IPs to the tracking ranges but the trend is still the same). You can see that each service oscillates a lot with frequent up-weeks and down-weeks but analysis is the same — spam from compromised accounts has not declined the way total spam has.

These do not represent all compromised accounts. There are plenty of students and business people that get hacked all the time. But spam from compromised accounts are more difficult to filter because IP reputation cannot be used without causing lots of false positives. Content filters are usually a little slower to update and therefore even though there are fewer spams arriving at the doorstep, they are more difficult to filter.

What about malware? In my other post, I deliberately decided to omit malware as one of the problems that we were still facing in email spam. It was a mistake to not include that.

Malware has become more insidious but it is also difficult for me to measure. Below is a chart of how many mail messages contain malware attachments and how many contain general malware content (i.e., a link to a malicious URL, or suspicious malware patterns; anything that wasn't a malicious attachment). This is all mail that has not been rejected at the network edge which is a small proportion of total mail:

If you look at this chart, there was a huge spike in the first part of 2010 but after that, malware kind of subsided. The problem with this chart is that I don't trust it. Rather than asserting that malware has been pretty constant for years with the occasional outbreak, the fact is that my statistics-gathering mechanisms are not very good at tracking malware. For this, I need to rely on anecdotal evidence.

2011 is a year where plenty of companies have been hacked. Some have been for "fun", others have been for profit (or worse). While some of them were due to vulnerabilities in web pages, others have been due to email spam. For example, when RSA was hacked earlier this year, it was because an employee reached into their junk folder, retrieved a message, opened it up and their system was infected with a zero-day malware. This allowed hackers to get into the system and take a great deal of information.

This type of scenario is not unusual. It has occurred over and over this year. While 2011 is not the first time this has occurred, it has proliferated. I will defer to the A/V folks on this, but the amount of malware signatures is growing all the time and getting worse, not better. Unlike spam where the volume of them is becoming less, malware is getting worse.

And therein lies the problem. Spam is getting harder to detect (traditional techniques don't work as well on zero-day spam or spam from compromised accounts), and its payload is more difficult to detect. The developers of the Zeus-malware kit have different versions for different banks they want to impersonate for their phishing kits (i.e., a version for Bank of America, another for Wells Fargo, a third for Chase). Their payload is better at covering its tracks and the malware authors have gone to greater depths to evade detection than they have in the past. It may very well be true that malware has decline in spam, but that's because spammers have moved to a targeted approach. They no longer fling mud against the wall to see what sticks, but probe defenses to see where the weaknesses are and then go after them.

Finally, there is spam 2.0. This is spam from social media like Twitter (fake tweets), spam in blog comments, abusive Facebook accounts with attempts to befriend others, mobile malware, etc. I have written about all of these topics in the past, but I do not have any metrics on any of them. These are other avenues where spammers have shifted their abuse tactics because it is profitable for them. They have gotten much worse in the past and will be worse in the future, but this type of abuse is not the same as email spam and therefore I omit it from my statistics.

Thus, the decline in spam is really a "decline" in spam. As users have shifted communication patterns from email to include other types of messaging, spammers have followed suit. The same guys are doing the same things as before, and the Internet is not any safer. The problem is as bad today as it was yesterday.

But at least we need less hardware to fight email spam. That's one victory we can take to the bank.

By Terry Zink, Program Manager. Visit the blog maintained by Terry Zink here.

Related topics: Cybersecurity, Malware, Spam