The Spam Tide Rises!
By Gerry Patterson
In 2003, Senator Richard Alston, the minister for Communications IT and
Arts (DCITA) announced Australian anti-spam legislation, which according
to him would rid us of spam in exactly the same way that Aeroguard rids us
of mosquitoes when we are all out-doors in the hot Aussie sun, wrestling
crocadiles, drinking beer and tossing "shrimps on the barbie".
Since then the document in which Senator Alston presented a detailed
explanation of his "mosquito model of spam", has been quietly removed
from the DCITA site. And so has the Senator, who will soon be enjoying
life in London, a nice little reward for all his endeavours in the IT and
Back in Oz, as our sun-burnt country gets drier and hotter, there are
less crocadiles to wrestle, we don't have as many mosquitoes as we used to
... but the spam tide continues to rise ... and rise ... and rise! And not
just in Oz. It is a global phenomenon!
Worst of all, the legislative failure appears to have enhanced the spammer
self-image. It has had the entirely undesirable effect of transforming them
from acne-challenged nerds with poor personal hygiene into made men ...
Genuine villains with links to organised crime.
It couldn't be worse ... or could it?
The failure of anti-spam laws was predicted in an article published on
this site. Now, recent analysis of the PGTS mailhub console logs indicate
that the rising tide could become a tidal wave!
Anti-Spam Legislation: Just How Effective Has It Been?
In 2003, computer users in Australia began to rejoice when the government announced their intention of passing legislation which would make spamming illegal. Later their rejoicing became almost ecstatic when their large and powerful Uncle Sam announced his intention of passing similar legislation. This seemed a case for special celebration, since their Uncle Sam was in fact the major source of all spam that arrived in their wide brown land, girt-by-sea. Now that the legislation is operative, it seems a good time to ask just how effective have the anti-spam laws been?
There is a considerable amount of evidence that suggests that spam is increasing rapidly. Some of these claims show figures that appear to be exponential.
Overall there seems to have been a massive increase in the incidence of spam. In July 2002, the first article on this topic was published in the PGTS journal. Since then the incidence of spam has been monitored along with many samples. The resulting collection was called the Spam Diaries (see bibliography). The following table shows monthly spam incidents at six monthly intervals. The final figure is a projection for the start of 2005.
Month Number Mid Year 2002 8 New Year 2003 2 Mid Year 2003 14 New Year 2004 258 Mid Year 2004 323 Projection 2005 700
Spam Incidents: Table and Graph including Projections
There are a few caveats with these figures. When the first article was published, spam was actually invited to the PGTS site. However after December 2002, many anti-spam measures were implemented. Currently the figures are taken from console logs rather than actual incidents. The console log is a list of attempted spamming incidents rather than actual spamming incidents. Since the PGTS site employs a robust open source MTA with block lists, very little spam gets through. Nevertheless the console logs tell a story of dramatic increase!
Because of the unique circumstances of the PGTS mailhub these figures may be anomalous. In 2002, spam was actually encouraged for research purposes. However, the figures for 2003 and 2004 reflect only natural growth.
Nevertheless figures from many sources confirm this trend. Most of these are anecdotal, however some sources do provide hard data to back their claims. Sydney webmaster and programmer, Brian Robson has provided some statistics on spam. Brian has tracked the spam that arrives to his Eudora client by storing it in a separate folder. Since 2003, however, the amount of spam has grown to such an extent that he now reports it as megabytes (bytes * 1,000,000). The following table summarises the amount of spam his account has received for 2003 and 2004.
Year Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 2003 2.0 2.5 3.3 4.1 4.9 5.2 5.8 6.0 3.7 6.2 7.9 9.0 2004 8.8 7.6 12.6 21.8 7.0 11.3 10.9 11.3 12.3 12.9 14.6 15.9
Spam (MB) for Brian Robson's e-mail account with a small Sydney-based ISP.
These figures tell a story of monumental policy failure. Possibly the most extraordinary since the failure of Prohibition in the USA (if not greater). To date there has been not the slightest shred of embarrassment from governments anywhere. And there is very little discussion in the mainstream media about the extent of the failure. Don't journalists get spam?
And yet, despite the ability of spammers to waste our time, it seems the majority of the population couldn't care less. Otherwise there would surely have been more commotion about this fiasco.
We Just Need To "Make A Few Examples ..."
Of course the most oft-quoted argument is the one suggesting that we merely need to make examples of a few individuals. This argument has been used throughout centuries to justify various enforcement regimes. And the anti-spam laws certainly do provide for severe penalties.
The question arises as to how many spammers have we made an example of with these tough new national laws?
Well none actually. There have been some legal actions. But not using the new law.
In a recent case, a Sydney spammer was indeed prosecuted and sentenced to five years jail. However he was convicted of fraud, not spamming.
In a notable USA case, a person was convicted of spamming, but it was as a result of local state laws, which in the state of Virginia are reputed to be harsh. (see bibliography). And he could (and should) have been convicted of fraud!
Australian spammer "Mike from Pillmedics" is being pursued in a court in the USA (see bibliography). This occurred as a result of articles published after investigations of PGTS spam logs. However this action is a civil action. There are numerous other civil actions pending.
Despite a phenomenal increase in the amount of spam, the much-touted US and Australian spam laws don't seem to have actually been used to prosecute spammers. In fact spammers are at far greater risk of being struck by lightning than they are of being prosecuted under the Australian Anti-Spam Act (or the American Can-Spam Act).
This does not stop some proponents from confidently predicting that legislation is on the verge of really starting to bite ... and when it does the spam problem will fade away! (see bibliography for an optimistic assessment from the vice-president of the ACS).
But a closer examination of the figures would seem to indicate that the spammers started to do some serious spamming around about the time the legislation was passed.
It is difficult to find another example where a law has been flouted to such an extent.
At the very time that law-makers have laid down the gauntlet and talked their toughest talk, spammers appear to have brazenly accepted the challenge. Of course they were never going to play by the rules, so they didn't bother picking up the gauntlet. The didn't even say En guarde!. They just delivered the bureaucrats a good hard kick in the crotch. And while they are doubled over the spammers just might follow up with a swift kick to the fat bureaucratic backside! (see predictions for 2005).
To date governments have quietly ignored this spectacular policy failure. Not to mention the outrageous cheek of spammers all around the globe! No doubt the authorities would prefer to surreptitiously sweep the matter under the carpet. How long will they be able to just pretend that it hasn't happened? ... As long as they are allowed to.
Of course the use of tough penalties is as old as civilisation, but now that we no longer "hang draw and quarter" serious offenders, penalties today often take the form of fines. In any case, the use of propaganda and/or Draconian laws to change human behaviour has had mixed results. At various stages of human history authorities have tried to ban or modify various types of behaviour, speech or even language. Success (or failure) usually depends on:
- How widespread is the behaviour that is to be eliminated/modified?
- How effectively can laws against the behaviour be policed?
- How willing are the authorities to enforce the penalties?
A classic example of a policy failure would be the attempt to eliminate alcohol consumption, last century in the USA, which failed on all three counts. That attempted prohibition remains a benchmark for all such policy failures.
A notable recent effort was the Taliban's attempt to ban fun in Afghanistan. True to form, the dour regime tried to eliminate laughter, music-making and any form of gaiety or frivolity, which it seems fair to suppose was not a total success. For even though the Taliban had an effective police force and the will to enforce brutal penalties, the behaviour (laughing, singing or enjoying oneself) is such an intrinsic part of human behaviour that it would not be possible to eliminate altogether, even though on the surface they seemed to have been successful.
The problem for the Taliban was ... were some of the populace still laughing or singing to themselves?
No doubt the Taliban Thought Police would have seethed endlessly about miscreants who flouted the law by laughing or singing on the inside ... (?) Those deviates would have suffered the most extreme penalties ... Such is the conundrum that bedevils totalitarian regimes everywhere. And it is something that the citizens of the USA should consider as their nation totters towards a new form of Christian McCarthyism that could have been scripted by George Orwell.
On the other hand the Chinese effort of stamping out opium smoking appears to have been quite successful. The penalty of a bullet in the back of the head was administered on the spot, without the right of appeal, and proved quite effective. After being shot in the head, it is true to say that no Chinese drug addict ever resumed the habit. So in that respect it was one hundred percent effective! One can almost hear right-wingers in the USA saying aloud -- if only ...
Of course it is to be hoped that we are not contemplating such extreme measures here ...
What Went Wrong?
If anything the spammers seem to have increased their activity since the laws were passed. Most disturbing is a trend towards organisation amongst spammers. Many of the cases investigated by PGTS, show evidence of organisation. Spammers are getting together to create their own spammer-friendly ISPs and creating toolkits and selling lists for other spammers.
Since spamming has been outlawed, many spammers are becoming audacious about their new outlaw status. Recent samples of spam have been received which purport to be able to provide terrorists with weapons and to provide lists of credit card numbers to criminals. They boldly declare that they can evade legal authorities.
These trends have in part come about from the failure of anti-spam laws and they were predicted in an article published on this site in September 2003. This article contained a list of the reasons why the laws would not succeed. Here they are again (more or less):
- Spamming is not a serious offence. The general lack of public
concern seems to bear this out. Spamming is impolite. But spammers hardly
compare to axe-murderers. The earliest spammers were just nerds with a bad
attitude. The few geeks who understand just how serious a breach of
courtesy this was, and is, remain outraged. Principally because the
practice (spamming) undermines some of the fundamental philosophies of
courtesy and etiquette that set the agenda for the original Internet. (see
the bibliography for W.R. James' classic
anti-spam rant on this topic). Apart from this minority of geeks the rest
of the population don't care that much. Although some non-nerds and
non-geeks have picked up on the sense of rage
Of course these days, most spammers are employed by criminals. The crimes that they commit can range from fraud and forgery to slavery, child-abuse and even murder. All of the misdemeanours and/or crimes that they commit are covered adequately by existing laws. There is no need for a law against spamming. If these criminals cannot be prosecuted under existing statutes, despite the copious electronic evidence (spam) that they pump hourly into the public domain, another law will not help bring them (or them spammer employees) to justice. It will only bring further attention to how little effort law-enforcement agencies have put into such investigations. (As if we needed reminding).
- There Is No International Law About Spam. There are still no universal agreements about spam. And if there were it would be cumbersome, bureaucratic and very expensive ... which leads us to the next point ...
- The Legal System Is Cumbersome. Prosecuting spammers is more difficult and complex than than prevention. It would require a large number of employees to carry out investigations of alleged incidents, and a considerable effort to prosecute the accused parties. This would actually take more effort than prevention!
- It only encourages them. Rather then dissuading spammers, the current laws embolden them and enhance their reputations. Spammers used to be considered low-life scum, lower than the humblest invertebrate on the computer geek scale (and many of us still feel that way). In the past, the threat of potential legislation may have caused some spammers to feel uneasy. Now that it is apparent that such legislation is a toothless paper tiger, these mental midgets can assume the digitally-enhanced roles of outlaws and/or buccaneers. They can also feel a quite unjustified sense of superiority at their own cleverness because they have so easily and skilfully evaded the law, or so they think.
- It will only get worse. Unfortunately it will get a lot worse ... as the authorities plumb new depths of ineptitude, spammers will be scaling the heights of smug self-satisfaction. The achievements that are yet to be realised in the coming New Year, will add a further boost to their already over-inflated egos.
And Anyway ... We Can't Afford It!
People just don't want to spend money on stopping spam. Some people might purchase a simple $100 dollar solution that is a once-only personal solution, and even if there was such a product (there isn't), not everyone would be willing to pay for it. By and large people are not interested in anything that resembles geek-speak. Mention the words headers, open source, MUA, MTA, DNS-block lists, Port 25, etc and watch their eyes glaze over. And yet if one really does want to stop spam, those are the very words that must be learned and spoken often.
And if we cannot afford to prevent spam, and it seems we can't, we certainly cannot afford to prosecute spammers. Because prosecution is much more expensive than prevention.
To a large extent the ill-considered legislation that we are burdened with has resulted from poor judgement and unsound technical advice. Much of this has been from "experts", who unfortunately have been motivated more by indignation and frustration rather than reason. Almost everyone is annoyed by spam. However harsh prohibition is not likely to achieve anything. This is especially true if the prohibition is not enforced.
Most of the "advice" regarding spam has been either emotive or self-serving. Too many of the "experts" in this area have either a vested interest in a particular "solution" that they are trying to market, or they are blinded with "spam rage".
As stated above, we seem to be unable to prevent spam. This is because society at large seems unwilling to bear the cost of prevention. And thus it is unlikely that we will be able to prosecute spammers. Since prosecution would be considerably more expensive, requiring, as it would, highly skilled investigators, with skills and knowledge of Internet Mail and the law.
Of course the people who would be employed to carry out the investigation would be the same people who are currently not being employed to engage in prevention, because businesses and governments have been too stingy to spend money on it.
It seems that when the legislation was framed, nobody considered how the laws would be enforced. Who will investigate the alleged breaches of the law? Who will foot the bill?
Some people are prepared to invest in this area however. Unfortunately they are mostly criminals.
In the last four years, the computing and information sector has gone through the worst recession ever. And although there are signs of a recovery, it may turn out to be only a weak temporary rally. In times such as these there is a great danger that silly unenforceable laws may persuade skilled people to work for criminals, since they seem to be the only ones willing to put serious money on the table.
What Can Be Done To Fix It?
There are practical solutions for people who want to solve the spam problem. It's a bit like maintaining a garden. There may be some spray-on fixes for some problems, but ultimately there is no substitute for getting out in the yard starting up the mower and then after mowing the lawn maybe pulling up some weeds ...
The people who know better realise that there is no magic bullet for the spam problem.
Unfortunately this does not include anyone who is involved with framing or recommending legislation. But if you are a politician or law-maker who is genuinely concerned about the problem there are some steps that might go towards solving the spam problem. First we should eliminate some things that will not work.
- Legislation (by itself) will not work. Although the concept of a law against spamming is popular, it will only be effective if it is enforced! Unless incidents of spam are investigated and prosecuted swiftly and efficiently, people's respect for that particular law and the law in general will diminish. The current laws against spam are not working! It would be better to repeal them. In any case, the penalties are too severe. If the penalties were a mere fraction of their current level they would still be effective -- if they were enforced! It doesn't matter how harsh the penalties are, if the law is not enforced it is a farce! It also creates resentment amongst law-abiding individuals and businesses.
- Any scheme which proposes to re-engineer the basic protocols of The Internet is fantasy. If the proposed solution contains the words ... "All we have to do is change the way that e-mail is sent" ... don't waste any more time considering it!
- Content Filtering (by itself) is not an effective solution. This only puts the user into a perpetual spiral of maintenance. The most enthusiastic supporters of content filtering are corporations who wish to provide support for the content filters. These corporations view spam-filters as a potential revenue stream that could be as rich as the "anti-virus" solutions have been. They are more concerned with maintaining those revenue streams than they are with finding a permanent solution.
Having dispensed with those, let's consider what does work:
- DNS-Block Lists. This is a proven technology that is 98% effective. Spammers cannot forge their IP address. A 98% reduction in spam is quite significant! Here at the PGTS domain, we have never received more than four spam e-mails in a single week. An example is the 680 spamming incidents logged by the PGTS mailhub in November 2004. Of these only seventeen were delivered. Moreover if the process were promoted and adopted on an even wider scale it could be 99.99% effective. There are some organisations that make valuable contributions to maintaining these lists and investigating incidents of spam. Most of these organisations depend on good will and volunteer labour These organisations could be encouraged by governments. This encouragement could be financial or it could be in the form of policies that promote free markets in these areas.
- Open Source. The most obvious free market involves open source which is the cornerstone of The Internet. Open source contributors and proponents are committed to maintaining and sustaining the intellectual commons that makes up the Internet. The open source community has the greatest depth of expertise about The Internet, email and spam and are willing to share this knowledge. Open Source software is secure, reliable and less susceptible to spam and malware in general. All of the volunteers who contribute to the DNS-block lists (mentioned above) are also involved with the Open Source community. Furthermore Open Source markets will be genuine free markets that will encourage participants to sell their services in a genuine competitive market. The revenue generated by such markets stays in the local economy. The Open Source Community have the resources, the knowledge, commitment and will to defeat spam. And the community is willing to contribute to projects that strengthen open standards. Governments can (and should) promote and encourage Open Source.
- Business Education. Computer administrators need to be encouraged to find out how their products work. If someone is administering a mail server or any type server, they should have a good idea of how the system works. Open Source Software is superior to proprietary software for running servers, especially Internet servers. If you own a business, open source servers are a better choice. They are cheaper, more secure, more reliable and the administrators are often more knowledgeable about the Internet. In almost every business application an open source Mail Transport Agent (MTA) will be superior to a proprietary solution. Governments can promote Education in this area.
- User Education. Computer users should learn some basics about the operation of computers and The Internet. The current emphasis on "computer literacy" is structured to impart skills with a mouse and how to click on certain menu items in a particular type of software in a cookbook fashion, rather than imparting some understanding of the systems. A computer user who understands some of the basics of computing and how the Internet works would realise that normal people do not send emails offering you sixty million dollars, and they will realise that you should not blindly and stupidly click on everything that is clickable like a trained rat. Governments should promote and encourage user education (quite aside from the fact that they are supposed to use our taxation dollars to do just that).
Spammers, formerly the lowest in the e-pecking order used to have an image of pimple-faced, pizza munching nerds with bad attitude, bad eyesite, bad judgement and bad breathe. Low in status and self-esteem they used to skulk around the dim recesses and back alleys of cyberspace, universally despised, and persecuted.
In those days many Internet denizens used to hunt down spammers for sport. In the uncertain legal situation of those earlier days ISP would often terminate spammers promptly.
Since then, ill-considered, poorly-framed and ineffective laws have enhanced the reputation of spammers.
ISPs now respond to spam incident reports with verbose confused and confusing form letters written mostly in weasle-words (no doubt drafted by bureaucrats in consultation with lawyers).
And spammers are now organised. The walk tall, on the dark side of the street. They wear black hats, and a pistol in their belt. They are on the bad guys' team. They can feel pride in their new found status as outlaws, and forge new alliance with heavy hitting bad-guys like terrorists, drug-dealers people-traders and paedophiles.
Although the century is only five years old, the spam legislation is a strong contender for the most under-achieving legislation of the century. It has so far managed to transform a bunch of losers like spammers into genuine villains. And they are currently set to build on the well established base.
Current indications are that the remarkable upward trend in the amount of spam will continue until it reaches saturation level. Based on the observed data, it is expected that the amount of spam will continue to rise dramatically in the new year.
2005 will be the biggest year yet for spam!
The Spam Tide Is Rising! But does anyone really care? Politicians may soon stop talking about the fine new legislation they have introduced. Law-enforcement agencies will continue to do nothing. And the majority of the population will look on with tired boredom. Meanwhile the small minority of geeks, who felt so passionate about the matter, might finally give up feeling enraged about spam ... and sit back and watch the show in a state of bemusement.
This is the seventh in a series of articles on spam, which have been collected rather loosely into The Spam Diaries. Some of the better known articles are cited below.
There is considerable anecdotal evidence which supports the contention that spam is increasing. There are some people who provide figures. Here are some personal accounts of figures for 2001 - 2003, 2001 - 2002.
|ABC Science|| Spam makes up half of CSIRO emails.
According to this article the CSIRO is being swamped with spam.
|WR James|| Thank The Spammers.
Classic Anti-Spam Rant. This will strike a deep chord of sympathy with
many geeks. Possibly even a little bit of rage? Those of you who
remember the good old days will be able to cry in your beers and
reminisce ... Ahh Nostalgia just ain't as good as it used to be!
It's hard not to agree with the sentiments, but we live in a brave new
|PGTS|| How Will Laws Against Spam Work?
A little article by (ahem) yours truly, in which I predict that laws
against spam will fail. Although the magnitude of the failure has taken
even me by surprise.
|Spam Incident|| Bold Spammers
And get a load of these guys! There have been a number of these doing
the rounds. The email implies that they have links with organised
crime. Are they real villains or just spam turkeys talking tough?
|ABC News|| Email scammer jailed for 5 years.
Aussie spammer Nick Marinellis, has been convicted on 11 counts of
fraud. No anti-spam legislation was required. Fraud is fraud. Nick was
running the well known 419 scam. Although it is difficult to feel
sympathy for them, there are, apparently, lots of potential victims for
this ancient scam ... so ancient it pre-dates The Internet!
|PCW|| US spammer facing nine years in jail.
Jeremy Jaynes is the first person to be convicted of spamming. However,
he has been convicted under Virginia state laws, which are reputed to be
extremely tough. Considering that the perpetrators defrauded their
victims of over $24m, it would seem that a perfectly good case could
have been constructed without resorting to Draconian anti-spam laws.
|PGTS|| A Few Inches More Please ...
One of the original documents in the spam diaries. This article has
attracted international attention and been cited by Spamhaus. It
led to a
civil court case in the USA naming Aussie spammer "Mike Van Essen".
|Philip Argy|| Spam case a hopeful sign.
Here, we don our rose tinted spectacles and gaze dreamily at the
vice-president of the ACS, who tells us that although there is still a
fair bit of spam around, the overall outlook is peaches and cream ...
Soon we will be rid of spam altogether! We just have to wait for those
finely crafted anti-spam laws to kick in ... Oh goody! We can hardly
wait! Nevertheless the most significant increases seem to have occurred
since the Anti-Spam Legislation came into effect. All the present data
seems to indicate that there is little justification for Philip Argy's
About The Author: Gerry Patterson has written many articles on spam and spammers as well as over the last three years. Apart from expressing opinions on the topic, he has tested his opinions against findings from research, and modified them accordingly. Most of the articles are collected as The Spam Diaries.
Thanks to Dan Byrnes for editorial input. Thanks also to Brian Robson
for proof-reading and contributing data, and suggestions.