Spam Mutates

Peter Shinbach recently threw in the towel and shut down Bach Door, his online-communications blog.

The public relations executive from Birmingham, Michigan, was fed up with so-called comment spam. Returning from a weeklong vacation, he found a slew of comments on his blog that had nothing to do with communications: They were posts from spammers promoting gambling sites and prescription drugs.

"I'm not in this to spend hours a week cleaning up the mess spammers leave behind," Shinbach says. Ironically, the surge in spam to his blog coincides with a decrease in spam to his inbox: Shinbach says that his desktop antispam software and his ISP's spam filters together block about 95 percent of junk e-mail sent to his account.

Shinbach is one of many who are starting to fret more about spam on blogs, instant messages, and cell phones than about traditional unsolicited e-mail--at least in part because old-style spam appears to be losing some momentum. While the volume of junk e-mail continues to mount, it stopped growing at double-digit rates last year. Many ISPs and e-mail providers claim that they blocked more than 90 percent of unsolicited commercial e-mail.

"Spam filters have gotten so good, a properly managed filter can turn the sting of spam into a minor inconvenience," says Richi Jennings, analyst at Ferris Research, a market research firm that specializes in messaging.

In contrast, other forms of spam--prompted by the rise of new messaging media--are just gathering steam.

"Many spammers are reinventing themselves," says Paul Judge, chief technical officer for messaging security firm CipherTrust. "Whatever messaging paradigm that consumers are using, spammers will be right there."

Comment spam is one of the new forms. Another is the splog--short for spam blog, a blog that is created purely for marketing purposes.

Some spammers create dozens, if not hundreds, of splogs that link to the spammer's Web site, helping to artificially inflate its ranking in Google and other search engines. Another type of splog seeks to get visitors to click ads that link to sites that pay the splogger referral fees.

Derek Gordon, spokesperson for Technorati, a blog-resource Web site, estimates that 10 to 15 percent of the 70,000 new blogs created daily are splogs. CipherTrust's Judge says he expects that percentage to grow in 2006. These shady blogs have become a serious headache for companies, such as Google, Microsoft, and Yahoo, that offer free blog services. Many are fighting back with software designed to identify splogs, similar to programs that identify e-mail spam.

Bloggers plagued by comment spam can also get help from sites such as SplogSpot and Splog Reporter, which collect information on such content to help network administrators filter it out.

Spammers are testing other waters, such as instant messaging and mobile phone text messaging, as well.

Judge estimates that 10 percent of instant messaging traffic is spam. "It is where e-mail traffic was several years ago," he says, adding that IM spam is likely to become even more ubiquitous as online messaging networks become interoperable (Microsoft and Yahoo, for example, have announced plans to allow their IM users to communicate with each other). The growing availability of IM services on cell phones will make instant messaging even more appealing to spammers--and vulnerable to viruses spread by spam, warns IMlogic, a messaging security firm.

Spammers have become increasingly attracted to cell phone text messaging. In fact, at least one case involving text messages has already made its way through the courts: This February, a federal court judge granted Verizon Wireless's request for an injunction barring Passport Holidays, a travel agency based in Ormond Beach, Florida, from sending unsolicited text messages to Verizon Wireless customers. In addition, Passport Holidays agreed to pay Verizon Wireless $10,000.

Verizon Wireless's lawsuit alleged that Passport sent 98,000 unsolicited messages to Verizon Wireless customers encouraging them to call a toll-free number to claim a cruise to the Bahamas.

But carriers aren't relying solely on the legal system to deal with the problem.

"We use filters and other tools to prevent spam from reaching our customers," explains Rochelle Cohen, a Cingular spokesperson.

Cingular also lets customers block incoming text messages at certain times of the day, and ban all incoming text messages that are sent via e-mail.

Wireless carriers say customers never see most spam because their spam-filtering software intercepts it. Verizon Wireless spokesperson Jeffrey Nelson says that the carrier works closely with conventional ISPs to learn the best ways to combat spam.

But while ISPs may be getting more effective at filtering traditional e-mail spam, junk e-mail marketing in general is getting ever uglier. "Filters make spamming harder, so spammers have to break the law to get a good delivery rate," acknowledges Amir Gans, the owner of New-Approach, an Israeli direct e-mail marketing company. Gans is identified by antispam nonprofit group Spamhaus as one of the top spammers--a label that Gans does not repudiate.

But while sending spam that can bypass filters (for example, by disguising a sales pitch to look like a personal e-mail) violates the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, many spammers shield their identity by using hijacked PCs--often referred to as spam zombies--to send spam (see our interview with a spammer).

Dan Larkin, head of the FBI's Internet Crime Complaint Center, says spam zombies are one of the agency's biggest challenges. And not only are more spammers employing the technique to increase spam volumes, but the e-mail itself has become more sinister and potentially more lucrative, Larkin says.

"Spam has grown from annoying to, in some cases, dangerous," he adds.

In 2005 more than half of the 15,000 complaints filed each month to Larkin's group related to phishing, the use of e-mail disguised to look as if it comes from a bank or other financial institution in an attempt to trick the recipients into disclosing personal information, thereby exposing them to identity theft.

A new variant of phishing, called , involves fraudulent messages that appear to come from an individual, company, affinity group, or organization the recipient might have dealings with. The idea is that people are more likely to respond to an e-mail from the alumni association of their alma mater, for example, than to an e-mail from eBay asking them to update their billing information.

And so the spam war goes: Even as advances are made on one front, wily new tactics open up another.

Brian Sullivan, America Online's senior technical director of mail operations, is resigned to the likelihood of long-term combat. "We'll just keep our guard up so the next place it pops up, we'll be there to knock it down again."

Mike is a small-time spammer with big-time problems. Sending junk e-mail, he says, isn't paying the bills the way it used to because of better spam filters. In addition, arrest is a constant threat as authorities get more aggressive in enforcing antispam laws.

So Mike is trying to change with the times: Today he says he makes $500 a week in the spam trade by selling lists of IP addresses of compromised computers, sometimes called zombie PCs, which the list buyers use to send spam. The money isn't as good as it was when he did the mailings himself, but Mike believes that this way, he's less likely to get caught.

PC World found Mike through a Web site where spammers meet and share tips. He agreed to an interview on the condition that his real name be withheld.

Q: Do you think what you do is wrong?

A: I don't care what people think.

Q: Why don't you send bulk e-mail legally? The CAN-SPAM [Controlling the Assault of Non-Solicited Pornography and Marketing] Act allows you to.

A: Playing by the rules is bad for business. The only way spammers can sneak by an ISP's antispam filter these days is by tricking them, and the techniques to trick antispam filters are illegal, according to CAN-SPAM. So if you want to be sure you don't end up in a court, don't let them find you.

Q: Are antispam laws and better filters succeeding?

A: Yes, they are. Today, big ISPs block e-mail from suspicious sources. They filter out spam based on e-mail addresses, words, links in the e-mail, pictures, or anything. But the better filters get, the more determined we will get. It's not as if spammers really want to break the law. It's just that we are looking for any edge possible to get past the filter.

Q: So why are you still involved in the spam business at all, if it's becoming both riskier and less profitable?

A: For me, it's what I know how to do. And I just would hate to give up. It's like admitting defeat.

Q: How does the future of spamming look to you?

A: Not good. The capital investment in computers and software required to make it worth the risk is enormous. A lot of people younger than me are spamming. But for a lot of people like myself, it's no longer easy money. We are throwing in the towel.

Q: So you are seeing a changing of the spam guard, so to speak?

A: Spammers today are diverse. They work with adware; they control botnets of computers; they are virus writers. Today's spammers don't just want to sell you Viagra; they want to trick you into handing over your credit card number, or infect your system and turn it into a zombie.

Q: Will spam ever go away?

A: Spam will never go away. If nobody was really interested in spam and people never bought anything that was advertised to them, spam would go away. That's simply not the case.