K-spam

John Aycock and Nathan Friess of the University of Calgary have been gaining some attention recently with a paper titled Spam Zombies from Outer Space, in which they describe their expectations of how spam may evolve in future. The paper predicts that spammers will start using hijacked home computers as more than just distribution engines: they will actually mine the hijacked machines for information that allows them to craft spam that users are more likely to receive and read.

In some senses, what Aycock and Friess are talking about is a shift to what we could call a K-strategy approach to spam. r/K selection theory describes two opposing evolutionary strategies that living organisms use to perpetuate the species. r-strategy species such as fish or insects produce huge numbers of offspring, each of which has a small chance of surviving to maturity; K-strategy species, such as humans or elephants, produce few offspring but invest more energy in each one, thus increasing the chances of each one reaching maturity.

Spam to date has been almost pure r-strategy; it doesn't cost much more to pump out a million spams than to send one, so spammers send out millions of messages in the hope that a small percentage will lead to sales. Because it only takes a few sales to cover the costs of sending spam, this has worked well so far. The problem is that filters — and spam recipients — are getting smarter. Spam needs to adapt.

Aycock and Friess envision a kind of automated social engineering in which the spamware downloaded to infected computers will mine the email archives of the computer for information about the usual correspondents and writing style of the owner. The software will use this information to construct spams that resemble real messages from the owner of the computer, increasing the likelihood that the recipients will open attachments, visit embedded URLs and so forth. In another neat parallel to r/K selection theory, such 'smart spams' can only be sent in small numbers. Aycock and Friess point out that a spammer can't just blast out a million improved spams, because that undermines the effectiveness of the tactic.

K-spam will bypass a lot of the defenses we currently have — Aycock and Friess list them — making it not only more likely to be read, but also more likely to be delivered. Blacklisting, whitelisting and challenge-response are unlikely to protect against spam that appears to be sent by a known sender, from that sender's own computer. Filtering and authentication strategies may be equally ineffective.

One defense that Aycock and Friess don't mention is blocklist-based filtering that tags messages sent directly from a consumer broadband or dialup machine or a dynamically-allocated IP range, a technique that successfully traps much of the spam currently sent from zombies. It works because current spam zombies send mail directly from the infected machine to the recipient's listed MX host, allowing them to bypass rate-limiting measures at the owner's ISP. But a smart spam zombie only needs to send small numbers of messages. It can use the authorized mail relay provided by the ISP, giving it the appearance of an entirely legitimate message and allowing it to slip past dynablock or dialup/broadband DNSBLs undetected.
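To make that dynablock check concrete, here is an added example (not code from the post or the paper): it pulls the connecting IP from the topmost Received header, builds the reversed-octet DNSBL lookup name, and tags the message if the address falls in a dynamic range. The ranges, the zone name `dynablock.example` and the two sample messages are constructed for the example; a real filter would resolve the lookup name instead of matching a local list.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for a dialup/broadband DNSBL: invented ranges, not real listings.
DYNAMIC_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
DNSBL_ZONE = "dynablock.example"  # hypothetical zone name

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message):
    """Return the IP that handed the message to our MX (topmost Received header)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])  # headers are stored newest-first
    return m.group(1) if m else None


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet name a DNSBL client would resolve, e.g. 4.3.2.1.zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_dynamic(ip):
    """Offline substitute for the DNS lookup: match against the constructed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DYNAMIC_RANGES)


def tag_message(raw_message):
    """Tag mail delivered straight from a dynamic address; leave everything else alone."""
    ip = connecting_ip(raw_message)
    if ip is None:
        return "untagged"
    return "dynablock-hit" if is_dynamic(ip) else "untagged"


# Constructed sample 1: a zombie delivering directly to our MX from a dynamic address.
DIRECT = (
    "Received: from pc123.dsl.isp.example [203.0.113.77] by mx.ourdomain.example\n"
    "From: friend@isp.example\nTo: me@ourdomain.example\nSubject: hi\n\nbody\n"
)
# Constructed sample 2: the same origin, but submitted through the ISP's authorized relay.
RELAYED = (
    "Received: from smtp.isp.example [192.0.2.25] by mx.ourdomain.example\n"
    "Received: from pc123.dsl.isp.example [203.0.113.77] by smtp.isp.example\n"
    "From: friend@isp.example\nTo: me@ourdomain.example\nSubject: hi\n\nbody\n"
)
```

The relayed sample passes untagged, which is exactly the gap described above: the check only ever sees the ISP's own relay, not the infected machine behind it.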

The paper presents a plausible model of how spam may evolve. The techniques that Aycock and Friess describe are perfectly feasible — they even describe a proof of concept implementation — and they do offer advantages that spammers will find difficult to resist. They don't lend themselves to every possible spam application — an ad for penis enlargement pills is just as obviously bogus whether it comes to you from "Progression D. Evaporation" or your mother — so r-spam will definitely continue, but smart spam could be used to support a number of spam and malware applications including increasingly sophisticated phishing attempts, drive-by downloads and even 'targeted' advertising.

The implications of this are not encouraging. Spam has decreased the usefulness of practically every part of the Internet that it has touched. Usenet is significantly less usable and useful — some would say moribund — thanks to the efforts of spammers. Web search engines are forced to adopt elaborate measures to protect the integrity of their indexes against spam sites. Tools that search or index the blogosphere have to contend with spam blogs that account for as much as 60-75% of the total. And email itself would be unusable if it weren't for a battery of increasingly sophisticated but always imperfect defenses based on filtering, blocklists and other technologies.

One of our fundamental assumptions as email users is that we can trust messages that come to us from addresses we recognize. A wave of recent viruses has done something to undermine that trust, but viruses with their minimalist broken English messages and their distinctive attachments are easy to recognize and filter. K-spam promises us a world where it's not so easy to recognize spam at a glance. Recent studies have shown that the most sophisticated phishing attempts can fool up to 90% of recipients. A world where we can't be sure whether something is a message from a friend or a sophisticated spam doesn't bear thinking about.

Ultimately, the best defence against K-spam may be to stop machines being turned into zombies in the first place. That's going to require a much bigger commitment to security on the part of OS vendors such as Microsoft and Apple. It may also require a commitment on the part of ISPs to deny access to machines that are known to be infected. The current spam problem exists in large part because OS flaws and the gullibility of users allow machines to be hijacked and, once they have been taken over, ISPs do little or nothing to keep them off the network. It's unclear if even the threat of K-spam will jolt the ISPs and the OS vendors out of their apathy.

There's one bright spot, though. r-spam zombies remain online because the spam they send identifies only a dynamically-allocated IP address and the ISP that owns that IP address is unlikely to take any action. If I get a piece of K-spam with a friend's mail address in the 'From:' line, I can call them to tell them that their computer is infected and that they need to take it offline and fix the problem. Dealing with K-spam zombies doesn't depend on an overworked and understaffed abuse department at an ISP. They can be neutralized using the same thing that threatens to make K-spam effective: personal relationships.
