Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Spam Stats IT

Spamming Becoming Financially Infeasible 212

itwbennett writes "Making money in spam isn't as easy as it used to be. 'It's not something financially feasible for anyone to even consider,' said Robert Soloway, who in his heyday made $20,000/day as a spammer. 'Spam — the Internet's original sin — dropped for the first time ever at the end of 2010,' writes IDG News Service's Robert McMillan. 'In September, Cisco System's IronPort group was tracking 300 billion spam messages per day. By April, the volume had shrunk to 34 billion per day, a remarkable decline.' Soloway says spam filters have become too good."
This discussion has been archived. No new comments can be posted.

Spamming Becoming Financially Infeasible

Comments Filter:
  • I don’t buy it (Score:5, Insightful)

    by Anrego ( 830717 ) * on Thursday June 30, 2011 @11:20AM (#36623846)

    It may have hit a slump, but it’ll be back.

    People en-masse haven’t gotten any smarter. There are still enough people who will fall for scams and do business with the kind of people who advertise via spam. Some good tech is currently making an effective barrier between the idiots and the spammers, but the idiots are still there, so the profitability is still there. Give the bad guys a little time. They’ll come up with new ways of getting around our current filters.

    Of course the other theory is that spam has become “less interesting” in light of other new and exciting ways of screwing with people. Once those dry up though, I think the guys with the suits will fall back on classic reliable spam to make their money.

    • by socz ( 1057222 )

      You're right, spam will come back once other avenues of attack are no longer of viable. There are still several ways I can think of that spam can easily get past the filters (I was inspired by the company I work for - they miss some spam that is very questionably border line legit). As long as the spammers don't know think of those things we're good! Spam filters have come a long way!

      • I think you have it backwards. Other avenues of attack will come back now that spam is no longer viable. As far as knowing how to get past filters, the thing is that not all filters are the same. Maybe your company's filter had a hole, but not everyone uses the same techniques. Also, good filters look at more than content. Greylisting, for example, cuts out 80% of spam simply because successful spamming depends on incredibly high volumes and performing the retries required by greylisting is just not feasibl
        • Hell, if you simply block unauthenticated SMTP access to all broadband IPs, you can cut out the majority of SPAM.

          Say somebody is behind an ISP that fails to provide its own reliable SMTP server to its home subscribers. He can't run his own mail server because it'd be confused with a spam zombie. Nor can he switch to a different ISP without either moving or lowering his monthly transfer cap by a factor of ten. Which mail server do you recommend for this person?

          • GMail? SMTP Relay services? It's nearly impossible to actually run your own mail server now-a-days anyways, unless you want to jump through all the hoops required (DNS records, etc). I personally had a need for it not too long ago, I had a connection that was intermittent at best but we needed local e-mail as well. We simply set up our own server on the LAN and paid for an amazon ec2 instance that simply forwarded all incoming and outgoing mail for us.
          • Well, there are a few options.

            The one I go with is that my ISP's SMTP servers are sufficient, so my postfix is configured to route all outbound mail to there. However, I've given some consideration to other options. My top one at the moment is to open up an ssh tunnel to a web host provider, and pump my email through their SMTP server. Why not directly? Because my ISP has outbound SMTP blocked, and I suspect that even if that weren't the case, the confusion with a spam zombie would still arise as your e

            • In other words: "Try the SMTP relay that often comes bundled with your web hosting." Thank you for the suggestion.

              My top one at the moment is to open up an ssh tunnel to a web host provider, and pump my email through their SMTP server. Why not directly? Because my ISP has outbound SMTP blocked

              I know several ISPs block outbound TCP connections on port 25 (SMTP server-to-server communication) outbound, but I've never heard of a notable case of an ISP blocking connections on 587 (SMTP authenticated message submission).

          • It's my case, I'm blocked by Spamhaus' PBL [spamhaus.org].

          • Gmail.
          • Say somebody is behind an ISP that fails to provide its own reliable SMTP server to its home subscribers. He can't run his own mail server because it'd be confused with a spam zombie. Nor can he switch to a different ISP without either moving or lowering his monthly transfer cap by a factor of ten. Which mail server do you recommend for this person?

            Such an ISP may not provide a static IP address and if they do may not allow the name associated with it via rDNS to be set, so some mail hosts will reject mail from sources hooked up to that ISP anyway (because the PTR record makes the address look dynamic as the name will likely be something like 123.123.123.123.someisp.tld where 123.123.123.123 is the same as the address, or there may be no name set at all). While such a rule is usually not given a high weighting in rule+weight based spam scanning, it is

    • Of course the other theory is that spam has become “less interesting” in light of other new and exciting ways of screwing with people. Once those dry up though, I think the guys with the suits will fall back on classic reliable spam to make their money.

      Like most get-rich-quick industries, this just means its become more profitable to get out of the game and sell people kits to spam their way to fabulous over-night wealth. Not that its anything new in itself; that scam [google.com] has been going on almost as long as spam itself.

    • by poetmatt ( 793785 ) on Thursday June 30, 2011 @11:33AM (#36624016) Journal

      it's humorous, but it's just a market change.

      social engineering, and pfishing are probably a whole lot more "financially feasible", much more results for less effort.

      I mean would profits from info gleaned via a SQL injection be really considered a "hack" these days if it was a script kiddie?

      • My thoughts exactly. Why bother with the iffy strategy of getting people to buy your crap when you can steal their credit card and just steal their money directly?

    • The people using the internet might be just as dumb, but who said the majority of the spam is getting through to these people anymore?

      You have to keep in mind that the bright people who've made most of today's everyday technology possible (to those who don't appreciate this point, maybe teach yourself general relativity prior the next time you poke your TomTom) are also writing spam filters on the server side too nowadays (with great financial incentive for the providers via reduced overhead), not just the

    • There are still enough people who will fall for scams and do business with the kind of people who advertise via spam.

      You don't even need that, really. You just need people with something to sell. You're right, though, that'll always be the case.

    • People en-masse haven’t gotten any smarter.

      No, but filters have. If people don't get the spam, they can't fall for it.

      but the idiots are still there, so the profitability is still there. Give the bad guys a little time. They’ll come up with new ways of getting around our current filters.

      Well, they haven't so far. Unlike other areas like viruses and trojans, spam filters have pretty consistently stayed one step ahead of spammers once people took spam filtering seriously.. I remember maybe 4 years ago there were a couple months where spammers figured out how to embed their messages in images in such a way as to pass filters, but that was fixed and since then filters have been so good that I haven't seen a single spam

    • by Kjella ( 173770 )

      Smarter as in intelligence, no. But people are more Internet-savvy than they used to be. And young people meet the spam barrage before they have a life savings to give to a Nigerian prince. Just like people have gotten quite used to the horseless carriages (read: cars), even though I doubt our IQ is that different from 100 years ago.

    • by Ephemeriis ( 315124 ) on Thursday June 30, 2011 @12:10PM (#36624480)

      People en-masse haven’t gotten any smarter.

      People haven't gotten any smarter, but technology has.

      Outlook has junk mail filtering built-in. Gmail has spam filtering built-in. Pretty much every mail server out there has some kind of spam filtering available. Pretty much every endpoint protection package has a spam filter. There are tons of different filtering systems available for purchase.

      Relatively little spam actually makes it through to the user's inbox anymore. So there's less for the stupid/gullible folks to click on.

      Give the bad guys a little time. They’ll come up with new ways of getting around our current filters.

      Well, of course they will... But the good guys are going to keep developing new filters, too.

      Of course the other theory is that spam has become “less interesting” in light of other new and exciting ways of screwing with people. Once those dry up though, I think the guys with the suits will fall back on classic reliable spam to make their money.

      Spammers go wherever the market is. Right now the market is on the social networks. More people are communicating more often on things like Facebook than through simple SMTP. So there's less profit to be had in spamming SMTP servers.

      Sure, if SMTP suddenly becomes crazy-popular again you'll see the spammers head back in that direction... But all our existing filters will still be there to curtail that crap.

      the profitability is still there.

      I don't know about that...

      Sure, it's probably pretty cheap to send out a few thousand emails... But how many of those actually make it in front of somebody's eyes? And how many of those actually get read? And how many of those are actually clicked-on?

      The real money these days is in malware. Dropping bots on computers and grabbing their credentials for various websites... Or sending out some kind of fake antivirus scanner that scares people into paying $50 to clean up the fake infection... Or using those bots to hack some big, important website...

      I really don't know that there's all that much profit to be made in sending out spam these days.

    • Yeah, they'll just buy off legislators to make effective spam prevention illegal.

    • I do buy it - spam has to hit an equilibrium sooner or later, and the equilibrium is always reached after a final peak,
  • by hedwards ( 940851 ) on Thursday June 30, 2011 @11:20AM (#36623850)

    People have been working on increasing the cost and decreasing the reward from spamming for some time now. From discouraging people from buying from spam messages to grey listing, to shutting down botnets, all of that has been largely for the purposes of making it less attractive to spam.

    I'm just a bit surprised that it's starting to have an effect, it's hard to compete with basically free server capacity and bandwidth.

    • I suspect that it's not so much that these techniques are effective as that they are largely concentrated on email. This means that they drive the relative cost of email spam up and make message board and put-your-face-in-the-book spam a lot more attractive. The latter, of course, is designed to send targeted spam and for a small fee will actively target your spam for you to the most gullible, sorry, appropriate audience.
    • I'm just a bit surprised that it's starting to have an effect, it's hard to compete with basically free server capacity and bandwidth.

      It still takes resources to secure those resources. Botnets are not free. Lists are not free. Spammer time is not free.

      I'm surprised it has taken this long. There's no reason why the average person should even be getting spam in their inbox at all. If you're still getting spam, you need a new email provider. My gmail address is published all over the goddamn place, including usenet of all places, and I haven't seen spam in months. Even if the cost of sending me spam is next to nothing, it is still wasted.

      • I think your success story about spam is actually Gmail, which seems to be better than a lot of COTS and OSS spam filters. It's amazing how well you can filter out spam based on that broad of a user base's opinion of what is spam. On the other hand, I'm running a well known commercial email product with an equally well known spam filter at work, and it isn't blocking spam nearly as well.
        • by olau ( 314197 )

          The first line of defense in Gmail is some kind of filtering of the server sending the spam. We used to run email through another server first, then route it to Gmail. When we stopped doing that and just let it go straight through to Gmail, the number of spam messages fell an order of magnitude.

          Still, I don't trust the Gmail filter. I still sometimes find legit messages labeled spam. But it's so good at the server filtering that I only have to skim through a pageful of spam per day, so it's not bad.

  • by Kenja ( 541830 ) on Thursday June 30, 2011 @11:22AM (#36623882)
    Not everyone needs $20,000 a day. Average income in China for example is only a couple thousand dollars US. Costs are lower over sea and profits can be lower while still maintaining financial feasibility.
    • Not if the profits are negative. The thing is, spammers are already operating on a really thin profit margin; so even a small rise in the cost of spamming could have a devastating effect.

    • No kidding. Could have fooled me about the decrease in SPAM.

      I run my own MTA for my vanity domain. I check spam twice, once before accept to reject outright SPAM and once after accept to take into account user preferences. My aggressive ACL checks against forged and black addresses, I have an up to date spamassassin and custom rules, and use greylisting services and such. SPAM to my mailboxes has not declined by the massive amount Cisco is reporting. It has gown decreased slightly, about 7% since Janua

      • I suggest you save yourself the hassle and just host your mail domain with Google. It is free and they have excellent filters and support IMAP. While it is neat to tinker with filters and see the tactics first hand, it s really not worth your time.

        That $20 a day is a very good job in China. That's $7k a year (spam is a 24/7 business after all) compared to the $3k you'd get working in Foxconn [telegraph.co.uk], for example.

        Even $20 is pretty optimistic. You're certainly not going to make that as a casual spammer.

      • by plover ( 150551 ) *

        "Pi ckOutYo urPr ef er enceTa bl etsEs sen ti alsWe bsto re" (Pick Out Your Preference Tablets Essentials Webstore)

        Here's the thing, I don't even initially understand what they're trying to sell with that message. It takes a few seconds of thought to parse the words, but before that time my internal mental gibberish recognition filter has kicked in, and my brain is already saying "gibberish == spam, hit delete".

        I suppose if someone is desperate to figure out every word that's emailed to them, they'd spend the time, but what kind of person responds?

        • by jimicus ( 737525 )

          Here's the thing, I don't even initially understand what they're trying to sell with that message. It takes a few seconds of thought to parse the words, but before that time my internal mental gibberish recognition filter has kicked in, and my brain is already saying "gibberish == spam, hit delete".

          I suppose if someone is desperate to figure out every word that's emailed to them, they'd spend the time, but what kind of person responds?

          I heard a rumour some time ago - don't know how true it is - that they aren't selling anything. The whole thing is essentially a big scam, which works like this:

          1. Company advertises a "way to make money fast". What the victim is buying is an application to send bulk email, a list of email addresses and a list of companies willing to dropship generic viagra. The list of email addresses may or may not be any good, ditto the list of companies - I daresay many have already gone to the wall or aren't even prepared
  • While this is great news, I really think that reducing the volume of physical spam needs to be a high priority as well. I get nothing but junk in my physical mailbox these days. Well, that and bills. I should have the option of automatically refusing anything sent to me that is addressed to 'Our friend at' or 'Resident'.
    • I'm still surprised at all the scam commercials I see on tv, and am amazed they are still around, and haven't been persecuted (i.e. MyCleanPc which has been running for over a year now at least).

    • by glwtta ( 532858 )
      http://www.ecocycle.org/junkmail/index.cfm [ecocycle.org]

      Works surprisingly well.
    • That is totally possible. For example, I will outright reject mail that is 99.9999% guaranteed spam (10 times the "spam score" threshold) before even attempting to deliver it to my user's mailbox. It doesn't save on bandwidth or anything, but it cuts down on SPAM by close to 60%.

      Most mail admins aren't going to do that by default however, because there is that one in a million chance it isn't SPAM.

      The war is still ongoing, and I don't care what the "Spam King" says. Spammers from the 3rd world are perfe

    • by jfengel ( 409917 )

      At this point, the junk is subsidizing the bills. You don't like the bills, but you need to get them.

      Unlike spam, the cost of sending a piece of mail is very high, and the Post Office is always broke. As long as they're going out, though, carrying the extra junk mail is a small marginal cost, and their willingness to carry the junk means that the price of stamps remains relatively low. (It astonishes me that you can send a letter thousands of miles in a day or two for less than half a buck.)

      The "Resident

  • Easier Ways (Score:5, Insightful)

    by Kamiza Ikioi ( 893310 ) on Thursday June 30, 2011 @11:25AM (#36623922)

    It's not that they've gone legit. It's that there are easier ways to scam people out of their money for higher profit returns, such as spear-phishing.

  • by ShavedOrangutan ( 1930630 ) on Thursday June 30, 2011 @11:29AM (#36623958)
    Yeah. Half my email ends up in a SPAM bucket. Thanks, you bastard. If I want someone to actually receive a message I have to send it through Facebook or SMS.
    • by tgd ( 2822 )

      Tell your friends to stop talking about your penis and talking in MiX3d c4SE l33t 5p34k.

      Or get a new spam filter? I may have one false positive a month on my GMail account.

    • Half my email ends up in a SPAM bucket.

      What kind of e-mail service do you use? Or what kind of e-mails do you get?

      I'm using Gmail, and maybe 2 or 3 spam emails per month get through to the inbox (of around 1000 spam emails per month in the spam folder). On top of that maybe 1 or 2 legit e-mails are classified as spam per month. With one exception from two years ago (flight confirmation e-mails), none of these false positives are critical; they are usually just advertising from companies I bought something at some point.

    • What service are you using? I know gmail's filter is good. I haven't lost any email that I'm aware of. Or do you mean the messages you're sending end up in spam buckets? Do you run your own MTA or something?
  • This has nothing to do with filters. I repeat, nothing. Filters are just an act of throwing good money after bad money, in the hopes that the good money will somehow stop the flow of the bad money. It's like saying that installing a new toilet in your house in the suburbs will stop homeless people from pissing on the street downtown.

    Spam volume naturally rises and falls. Anytime someone congratulates themselves for a reduction in spam volume, they are proven wrong shortly later when it comes back up.
    • But better filters have a big impact on the economics. If you cut down the number of spam e-mails that reach the inbox, you cut down the number of readers, which in turn cuts down the number of customers. This means lower or even negative profits.
      • But better filters have a big impact on the economics.

        No, they don't. Filters don't help, for several reasons:

        • Many users don't use filters anyways
        • The cost of sending an email is so trivial that it doesn't matter how many get through
        • The people most likely to use filters are the least likely to buy from spam anyways
        • The filters have to be maintained to be relevant, which only increases the cost of internet access for everyone

        So in the end, filtering does not help the problem. Indeed an argument could be made that it makes it worse because we just end up thro

        • Most users aren't even aware of the filters. Gmail, Hotmail, and Yahoo all have good enough filters that seeing a true spam message is rare. Even ISPs filter for their normal users without an opt-in. Maintenance of filters is not an issue, just give people a 'spam' button to press and the filter can learn. I was using spamassassin about 10 years ago, it's free and feeding it a few days' worth of spam messages got it to the level where it was correctly identifying over 99.9% of the spam coming into the a
    • You have no idea what you're talking about. Very few spammers of any volume use a single relay. Any known relay of spam gets blacklisted in a matter of hours. Bulk of spam is delivered through botnets and between greylisting and SPF, most of that spam doesn't even get through to end users. Less and and spam is getting to end users. Meanwhile, botnets don't come cheap. While this kind of decrease in such a short period of time probably isn't due solely to filtering, I would expect rates to begin a decline.

  • but in my accounts it still comes in as a flood. Some of it is clearly malware coming in - others are questionable scans plus the usual Nigerian nonsense.

  • Yeah, can't see how that happens. Of course, if I were writing the ultimate spam filter the logic would go something along the lines of this when it receives a new message:

    Has the guy emailed you before? (continue test if no)
    Is there a reference to a site selling watches, drugs, or online degrees? (continue test if yes)
    Is the site from a known legit source, based on popularity of the 'unspam' button for this user? (move to spam folder if no)

    Poof, there goes 99% of all the spam that I've ever received in my

    • Has the guy emailed you before? (continue test if no)

      Greylisting. THough it is a little more complicated than this. There has to be a way to allow people to email you for the first time. So what a greylisting filter does is deny first delivery once with a temporary failure and it keeps denying until a certain time has elapsed. Then it allows the message in. The idea is that most spammers won't bother retrying the delivery, or at least not with the same "From" field and the same botnet node. It is actually pretty effective. Although the initial delay can be a

  • by wcrowe ( 94389 ) on Thursday June 30, 2011 @11:35AM (#36624042)

    It depends on your definition of "spam". By my definition, I get more spam than ever. The difference is that much of it is from legit companies who comply with the CAN-SPAM law. I can opt out, but I'm getting about 100 or more of them a day, and I can't spend all day opting out of every single one of them. It may be legal, but it's still spam, as far as I'm concerned.

    • by Kjella ( 173770 )

      Here's my solution using yahoo, they offer 500 aliases for you. Make a new one, sign up with the alias, redirect that to your "legal spam" folder. If you ever want to get rid of a company and its business partners and whoever else got their hands on that email, delete the alias. That is a very final opt-out. I wished I had done that long ago, because it saves you tons of spam. Of course you need to have a normal email as well and if others get that it can be spammed, but that problem would be a lot smaller.

    • by drb226 ( 1938360 )
      Details: CAN-SPAM [wikipedia.org]
    • WTF? 100 a day? That's crazy. You must be very active on the internet, signing up for a lot of services.
      • by wcrowe ( 94389 )

        I imagine that it is coming from my email provider and/or Facebook. For example: I responded to a friend's post about their broken air conditioner and suddenly I started getting spam from companies offering air conditioner repair. I responded to a golf tourney invitation via email, and within hours I started getting solicitations to subscribe to Golf World magazine. It might be coincidence, but the fact that these are legitimate companies who are sending me the email (JC Penney, Radio Shack, Conde Nast,

  • Why bother spamming when the cost of advertising threw normal services have gotten so cheap. Back in the spamming hay day the cost for a banner add was thousands of dollars Now it cost as little as a few bucks. Sure we have Add block tools but most of us don't use them. So the previous spammers are going the more legit route and making their adds to look like articles on CNN.

    • Or they are just spamming CNN discussions. For a while there was some awful company that kept spamming the discussions for some work from home site with a convoluted URL to make it look it came from CNN or was hosted by CNN. The worst I ever saw it was one time when close to 1/3 of the messages were spam from this company.
    • Mod Parent up!

      The best solution to SPAM has to also be the best solution to music/movie piracy. Adjust incentives until it is eliminated.
    • Because the things they're selling in spam are not things most people want advertised on their site.
  • by Medievalist ( 16032 ) on Thursday June 30, 2011 @11:53AM (#36624296)

    Aren't most of the spam kings either dead, retired, or in jail at this point? I hear it's lonely in Boca Raton these days.

    And wasn't there a wave of murders in the former Soviet Union when Microsoft and Time-Warner/AOL decided they were no longer going to ignore spammers? Bunch of free-lance software developers with connections to organized crime found dead, as I recall; the rumor was that the spam kings were eliminating people who knew too much.

    Well, regardless of the truth or falsehood of any of these tales and rumors, if corporate pressure has made spamming unprofitable, I'm certainly not complaining. It's about time the f***ing invisible hand did something besides j***ng off US Congressmen.

  • So this guy, back in the 90s, spammed people to sell his spamming services. (insert yo dawg joke here)
  • I thought the reduction in spam was just because some of the spammers are using their botnets to mine bitcoins instead.

  • If this keeps up this could be the end of western society as we know it. I really hope the powers that be can come up with a reasonable bailout strategy for the spammers. They are to big to allow to fail.

  • Dealing with spam is like dealing with snot. Nothing you can do to stop it, but it's easy to dispose of.

  • Apparently the article's author has not used Twitter, Facebook or hosted a WordPress blog. The spammers have just changed from email to focusing on social media, forums and blogs.

  • The cost of advertising on television has fallen to the point where they can sell penis enlargement in the mainstream media. Spam used to be the only way I could find out how much women prefer a confident man, now they can tell me on TV, on radio. Soon I expect to see Nigerians on History Channel telling me I have won a lottery.
  • end of November/early December, I noticed a significant decrease in the number of emails that were blasted to invalid email addresses.

    Still getting spam, of course.. and more of it is professional stuff hawking products from American companies like Gevalia, Shari's Berries, etc...

  • It's much harder to filter phone spam, and in America, you often get charged for the pleasure of receiving phone spam.

  • Yesterdays spam is todays botnets.

    Just because your Inbox might be a little cleaner or safer doesn't mean the 'net is...attacks are merely changing vehicles, that's all...

    Gullibility will always be profitable.

Truly simple systems... require infinite testing. -- Norman Augustine

Working...