Proxy spam

With mail filters getting better and users becoming more suspicious of mail from unknown sources, spammers need to find ways to get their spam sent for them by third parties that are more likely to be trusted. This will lead to a growth in what I call proxy spam.

To some extent, almost all spam is already proxied: spammers using hijacked PCs to send out spam are counting on the IP of the sending host having a slightly better reputation than the kind of easily-identifiable spammer pestholes that they'd otherwise be forced to use. But when I talk about proxy spam, I'm really thinking of the abuse of services that generate email on behalf of presumed legitimate users.

Obvious examples are sites that send out "_____ thought you might like to see this" messages, such as online newspapers, or video hosting sites, or even large e-commerce sites like Amazon. The message comes from a seemingly trustworthy source, the spammer can load up the description field with their chosen text, and it's essentially anonymous; in most cases, the spammer doesn't need to disclose a real identity in order to get the service to send mail on their behalf. Some Chinese 'fake storefront' scammers make heavy use of either real or faked messages of this type. The fact that we don't see more of this kind of spam suggests that the services that allow this kind of messaging have so far done a reasonable job of making it inconvenient for spammers, through posting limits, CAPTCHAs and so forth.

Comment and trackback spam on blogs are both variants of proxy spam. The spammer is using the reputation and resources of another publisher — the blog owner — to deliver their message.

Social networks that generate email are ripe for abuse by proxy spammers. For example, when a user begins following another user on Twitter, a popular messaging service, Twitter sends out a notification email. Spammers count on the recipient being curious to see who is following them and going to visit the spammer's Twitter homepage — where they typically find a Twitter stream full of spam messages, or a 'my website' URL that takes them straight to whatever site the spammer wants to advertise.

This line of reflection was started by a spam that arrived today that appeared to be an invitation to join a newly-created Yahoo! Group. The recipient who goes to visit the group's homepage to find out what the group is about is confronted with a large graphic advertising the "Man strength Viagra online shop", complete with the mandatory thumbnails of pills and picture of a smiling man in a white coat.

Yahoo! Group creation requires the user to fill out a CAPTCHA, but it's been widely reported that spammers have cracked many major CAPTCHA systems. Those they can't crack automatically, they can pass off to third-world 'mechanical turk' farms. It's clear that there are few real obstacles to more widespread abuse.

One law of spam might read: The adoption of a technology by spammers results in lessened utility for everyone else. Notifications from mailing list services such as Yahoo! or Google Groups are now de facto suspicious. If the volume of abuse becomes high enough, filtering systems and users will begin discarding them, at which point useful messages start getting lost.

A service like Yahoo! Groups cannot employ more draconian measures without reducing the popularity of its own services. Requiring users to pay for starting a group would deter spammers (it's been claimed that the $0.20 fee levied by ICANN to discourage domain tasting has already been effective) but would turn away many legitimate users as well. So too would requiring users to submit a verifiable ID, or making the signup process more complicated in some other way. The business model of services like Yahoo! or Google requires them to make the process of using their service as easy and open as possible; unfortunately, this means making them easy and open for abusers as well as for legitimate users. Minor optimizations may be possible — restrictions that don't affect 99% of honest users, but make the system less useful for spammers — but in general, free services are subject to abuse by spammers because the business model that supports them discourages strong anti-spam measures.

Studying my own spamtraps reveals that many of the cute tricks that spammers try to play in order to get past filtering systems — randomizing characters, misspellings, constantly changing subject lines, etc. — simply don't work. That war is over; the RBLs won. As a result, spammers are likely to be increasingly interested in the possibilities of proxy spam. And that means that if you run a system that generates any kind of messaging on behalf of visitors to your site, now is the time to look long and hard at what you're doing to see how you can make the service less attractive to spammers.
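As an added illustration (not code from the original post), here is a minimal guard for a "thought you might like to see this" form. It combines posting limits with a check on the free-text description field. The `ShareGuard` name, the limits, the link pattern and the in-memory storage are all assumptions chosen for the example.

```python
import re
import time
from collections import defaultdict, deque

# Assumed policy values for illustration; tune them against real traffic.
MAX_PER_SENDER = 5       # shares per sender key (IP, account, session) per window
MAX_PER_RECIPIENT = 2    # shares to one address per window, across all senders
WINDOW_SECONDS = 3600
MAX_NOTE_CHARS = 200

# Honest "thought you'd like this" notes rarely need a link: the service
# already supplies the link to its own page. Heuristic pattern, not exhaustive.
LINK_RE = re.compile(
    r"https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|info|biz|ru|cn)\b", re.I)

class ShareGuard:
    """In-memory sliding-window limiter for a share-by-email endpoint."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_sender = defaultdict(deque)
        self._by_recipient = defaultdict(deque)

    @staticmethod
    def _recent(log, now):
        # Drop timestamps that have aged out of the window, then count the rest.
        while log and now - log[0] >= WINDOW_SECONDS:
            log.popleft()
        return len(log)

    def check(self, sender_key, recipient, note):
        """Return (allowed, reason). Only accepted shares count toward limits."""
        now = self._clock()
        recipient = recipient.strip().lower()
        if len(note) > MAX_NOTE_CHARS:
            return False, "note_too_long"
        if LINK_RE.search(note):
            return False, "note_contains_link"
        sent = self._by_sender[sender_key]
        received = self._by_recipient[recipient]
        if self._recent(sent, now) >= MAX_PER_SENDER:
            return False, "sender_limit"
        if self._recent(received, now) >= MAX_PER_RECIPIENT:
            return False, "recipient_limit"
        sent.append(now)
        received.append(now)
        return True, "ok"
```

The per-recipient limit is the part that a per-sender limit alone misses: it caps what any one inbox receives even when the abuser rotates source addresses.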
