Winning the Spam Whack-a-Mole
Saturday, December 9, 2006
Keywords: Technology
This is an interesting article from the New York Times about the recent escalation in spam. Volume has increased, and now with the pervasiveness of image spam, filtering is starting to break down. The end of the article was the most interesting:
Some antispam veterans are not optimistic about the future of the spam battle. "As an industry I think we are losing," Mr. Peterson of Ironport said. "The bad guys are simply outrunning most of the technology out there today."
It's about time people realized this. Filtering as a way to combat spam was necessarily doomed to failure, because expecting filtering to eliminate spam is much like expecting cold relief medicine to forever eliminate the common cold. Antispam filtering addresses only the symptoms of spam. Furthermore, filtering works by telling the difference between spam and non-spam, which is ultimately an artificial intelligence problem. Since artificial intelligence does not exist (and even if it did, it would be costly to deploy on a scale large enough to handle spam), filtering relies on a hodgepodge of heuristics that work only because spammers have not done a very good job of disguising spam as non-spam. It is only a matter of time before spammers put enough effort into blending spam with non-spam that these heuristics break down completely.
The Times article also fails to recognize that spam is not limited to e-mail. This blog, for example, is bombarded with thousands of spam comments each month. Forums, hosting providers, instant messaging networks, etc. are all targets of spam as well. Even server logs have become the target of referer spam (I get thousands of those each month, too). Even if there were a way to implement effective filtering for e-mail, spammers would just move to another medium. And what will be the cost--in terms of bandwidth, computing resources, and false positives--of continuing this endless arms race in pursuit of a solution?
It is easy for people who look at statistics saying that 90% of all e-mail is spam to despair and to proclaim that spam will destroy the Internet, but such a point of view misses a critical point: spammers are very few in number, and they are able to hog the stage only because of their ability to commandeer vast resources for themselves.
Dismantling botnets is the key to dealing with spam, and from my perspective, it is the only way to "win" and to "save" the Internet. Yet there was no mention of dealing with the botnet problem in the Times article, and recent articles about combating botnets all deal with superficial solutions like tracking botnets and shutting down their command and control. Such solutions are themselves doomed to failure because they too deal with botnets only on a superficial level. The reason botnets get so little attention is that dismantling them ultimately requires tighter security at the level of individual computers, and it is difficult to get Joe Sixpack to properly secure his computer against botnet hijacking, so instead the publicity and attention go to mitigating the problems post-hijacking. Why are so many sensational articles written about spam and botnets but so few about how easy it is for the average computer user to get his or her computer hacked and taken over by a botnet? So how do we solve the botnet problem?
- User education: This is difficult and most likely will be limited in its effect, but it won't hurt to try. For starters, ISPs and major computer makers could include a prominent flyer in the products they sell listing things not to do (instead of burying this information deep inside a manual that most people will never read). A national awareness advertising campaign would help a lot, too (given how much money is already being spent combating the damage caused by botnets, this would be relatively cheap).
- Better OS security: Hopefully, Vista will alleviate this problem. However, for the large existing base of XP users, not much more can be done. Microsoft's WGA encourages people to avoid updates from Microsoft, leaving many computers unprotected in poorer regions like Eastern Europe and China where many computers fail WGA; but that damage has already been done, and loosening up on WGA now will only help the future Vista user base (though a loosening up now could help in the future if Vista proves to be just as vulnerable as XP). Speaking of WGA, why not implement something similar, but for security? A WGA-like system that checks whether the OS has all the latest security patches and then nags the user when that isn't the case?
- Network monitoring: Some networks monitor traffic coming out of each computer on the network for signs of infection and scan computers on the network for known vulnerabilities. If a computer is found to be sending botnet-like traffic or is found to have an unpatched security hole, then the computer is blocked from the network and the owner notified. This is probably the single most promising solution because, by notifying the owner of the problem, it raises awareness of the botnet problem among average users who are otherwise oblivious to it, and if a quarantine is used, it also ensures that the particular computer remains disconnected from the botnet. Such a system would be automated and could be implemented without action by the end user (unless, of course, the end user is found to be infected and is blocked). Unfortunately, very few networks of importance (i.e., the major ISPs) implement such a solution, even though most of the botnet computers in the US are located on one of the major consumer ISPs.
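As an added example that is not part of the original post, here is a toy Python version of the outbound-traffic check this item describes: an ISP-side collector reads flow records from customer hosts, flags any host that opens direct SMTP connections to many distinct mail servers within a short window, and returns the per-host quarantine decision. The flow record format, the thresholds, the smarthost address and the sample capture are all assumptions made for the example.

```python
# Added example, not code from the original post: a toy version of the
# outbound monitoring described above. An ISP-side collector reads flow
# records from customer hosts, flags any host opening direct SMTP sessions
# to many distinct mail servers in a short window (a spam bot's signature)
# and returns a per-host verdict that a real system would turn into a
# quarantine plus owner notification. Record layout, thresholds, smarthost
# address and the sample capture are all constructed for illustration.
from collections import defaultdict, namedtuple

# ts = seconds since start of capture, src = customer host, dst = remote host
Flow = namedtuple("Flow", "ts src dst dport")

def parse_flows(text):
    """Parse 'ts src dst dport' lines (constructed format) into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows

def classify_hosts(flows, window=60, max_mx_per_window=20, smarthost="10.0.0.25"):
    """Return {src: 'ok' | 'quarantine'} for every customer host seen.
    Assumed policy: residential hosts relay mail through the ISP smarthost,
    so direct-to-MX fan-out on port 25 is treated as botnet-like traffic."""
    verdicts = {f.src: "ok" for f in flows}
    per_src = defaultdict(list)
    for f in flows:
        if f.dport == 25 and f.dst != smarthost:
            per_src[f.src].append(f)
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        start, worst = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:  # keep span <= window
                start += 1
            worst = max(worst, len({x.dst for x in fl[start:end + 1]}))
        if worst > max_mx_per_window:
            verdicts[src] = "quarantine"
    return verdicts

def sample_flows():
    """Constructed capture: .10 relays via the smarthost, .11 sends a little
    direct mail, .20 sprays 30 distinct mail servers in ten seconds."""
    lines = ["%d 192.0.2.10 10.0.0.25 25" % t for t in range(0, 600, 120)]
    lines += ["%d 192.0.2.11 203.0.113.%d 25" % (t * 100, t) for t in range(3)]
    lines += ["%d 192.0.2.20 198.51.100.%d 25" % (t // 3, t) for t in range(30)]
    return parse_flows("\n".join(lines))
```

A real deployment would feed the "quarantine" verdicts into the access-control and customer-notification systems the post argues for, and tune the window and threshold against the ISP's own baseline.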
Note that government legislation is missing from my list of solutions. Contrary to its favorable description in the Times article, the CAN-SPAM Act was, quite frankly, a useless piece of legislation that did nothing except increase regulatory bureaucracy and give the illusion that something was being done about spam. Almost all of the things hawked in spam are already covered by various anti-fraud and other criminal laws, and similarly, hacking into and commandeering someone's computer without their knowledge or permission is already illegal, so any additional botnet legislation would be superfluous. If government were to get involved, its role would be to address the externality problems of botnets. ISPs currently have little incentive to implement the sort of network health monitoring I suggested above because they would bear the cost while everyone else would reap the benefits. Similarly, a user education campaign that reduces the size of botnets would help everyone connected to the Internet and is thus a positive externality. A government subsidy would thus be the appropriate way to deal with these sorts of externalities.
