The Unintended Consequences of Attacking Spam

In what Wired calls a botnet “explosion,” botnets have taken control of about 12 million new IP addresses since the beginning of the year. (That’s according to a report by the anti-virus firm McAfee.) The number of zombie computers — those overtaken by a hacker, trojan horse, etc. — has increased 50 percent since last year. What spurred the increase? McAfee researchers say the catalyst was the shut-down of a major spam-hosting facility last year that dropped spam levels to about 60 percent but sent botnet controllers out to collect new zombies for their networks — which, the report predicts, should bring spam levels back up in no time.


This again shows that people should be charged some small amount for each email sent, say 1 cent or less.

Right now people are lax about security on their systems, but wait until they realize that they can be billed for all the spam they (unwittingly) send. Then promptly installing security updates will suddenly seem like not such a huge hassle after all.

Jeremy Robinson

The rise in botnet-produced spam could be contained if providers of high-speed Internet connections got into the fight. They could do so by insisting that their clients install firewall software and by monitoring the outgoing email from their accounts.

As an Internet host with hundreds of website clients using email services through our servers, we are automatically alerted to unusual amounts of email being generated by our clients, and take steps to shut down their outgoing email until they correct the problem or explain why the outgoing email is legitimate.

Unfortunately, the major providers of high-speed Internet connections do not do this, since bandwidth is apparently cheaper than taking the necessary steps to reduce spam.
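The outgoing-volume alerting described in the comment above, sketched as an added example (not the commenter's or any host's actual system). It assumes Postfix-style `smtpd` and `qmgr` log lines, constructed here, plus hypothetical per-account baselines and thresholds.

```python
import re
from collections import defaultdict

# smtpd ties a queue ID to the authenticated account; qmgr reports how many
# recipients that queued message has. Both follow Postfix's log layout.
AUTH = re.compile(r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: "
                  r"([0-9A-F]+): client=\S+, .*sasl_username=(\S+)")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<[^>]*>, "
                  r"size=\d+, nrcpt=(\d+)")

def hourly_recipients(lines):
    """Return {(account, hour): recipients} by joining smtpd and qmgr lines."""
    owner, totals = {}, defaultdict(int)   # owner: queue ID -> (account, hour)
    for line in lines:
        m = AUTH.search(line)
        if m:
            owner[m.group(2)] = (m.group(3), m.group(1))
            continue
        m = QMGR.search(line)
        if m and m.group(1) in owner:
            # pop() so a message re-queued after a deferral is counted once
            totals[owner.pop(m.group(1))] += int(m.group(2))
    return dict(totals)

def flag_accounts(lines, baseline, factor=5, floor=50):
    """Accounts whose busiest hour exceeds max(floor, factor * usual volume)."""
    flagged = {}
    for (account, _hour), count in hourly_recipients(lines).items():
        if count > max(floor, factor * baseline.get(account, 0)):
            flagged[account] = max(count, flagged.get(account, 0))
    return flagged

def sample_log():
    """Constructed log: one quiet account and one sudden high-volume burst."""
    out, qid = [], 0x4A1B00
    for user, msgs, nrcpt in (("shop@client-a.example", 3, 2),
                              ("info@client-b.example", 30, 40)):
        for i in range(msgs):
            qid += 1
            ts = f"Jan 12 10:{i:02d}:05 mx1"
            out.append(f"{ts} postfix/smtpd[2101]: {qid:06X}: client=unknown"
                       f"[203.0.113.7], sasl_method=PLAIN, sasl_username={user}")
            out.append(f"{ts} postfix/qmgr[900]: {qid:06X}: from=<{user}>, "
                       f"size=2048, nrcpt={nrcpt} (queue active)")
    return out

if __name__ == "__main__":
    usual = {"shop@client-a.example": 10, "info@client-b.example": 20}  # assumed
    print(flag_accounts(sample_log(), usual))
```

Counting recipients rather than messages catches a compromised account that sends few messages with long recipient lists; the flagged accounts are the ones whose outgoing mail would be suspended pending an explanation.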


@Clifton A big part of the problem is the (in)security of email. The messages being sent are probably not being sent through the account of the infected PC. There may be no account at all; the PC may be connecting directly to the receiving mail server. If we could change the email protocols sufficiently to charge for each email, then we wouldn't need to because we'd have enough power to stop spam.

The interesting thing here is that if everyone who had an infected PC heeded the specious data described here:

then there would be significant electricity savings. Not so much from their individual PCs, but from the thousands of spam emails that each machine would no longer be sending, which would not have to be processed by mail servers and spam filters.


The suggestion to combat spam by charging for emails is as old as spam itself (I'm sure I've heard it over 10 years ago), and it can and will never work. It would hurt legitimate users (mainly those running high-volume discussion mailing lists) far more than illegitimate ones. Also, the required bureaucratic infrastructure just isn't there, and if it were, you could use it just as well to prevent those illegitimate emails from being sent in the first place.

Steven Surowiec

Personally I think the real crux of the matter is that people actually buy stuff from spammers. Spammers don't do what they do for fun, they do it because it's hugely profitable. And we aren't talking 100k/yr profitable, we're talking a few MILLION a year profitable. If it wasn't so profitable, they wouldn't do it. Fix that, fix spam.

Paul Franceus

I have to agree with Jeremy. I just had a cable internet connection hooked up and it's totally irresponsible that they simply hooked my computer directly to the cable modem without any router or firewall at all. I immediately moved the connection over to my wireless router, which provides me with protection, but had my machine been vulnerable, there's a good chance that I could have gotten infected in the very short time I was directly connected to the internet. I'm sure that millions of less tech savvy folks are unwittingly open to all kinds of infections through this practice.


There should be some minimal "authorization" scheme for being able to send SMTP email - either a fixed IP address or a Digital Certificate or something along those lines. My small 15-person company gets about 300K spam attempts a day (most killed at the initial SMTP connection) and 99.9% of them are coming from these zombie PCs (not real servers) connected to the internet on DSL or Cable connections.


Establishing causality is an issue here since using botnets for such attacks seems to be more of an inevitable situation than anything else.

Either way, the solution to combating spam is by filtering messages. That method has done a decent enough job at keeping my inbox spam-free.

Eric M. Jones

If I were an anti-spam company (and had no conscience), I would sell anti-spam-virus-worm software and simultaneously support hacker-botnet-virus-writer groups and supply the hospitality suite at hacker conventions with plenty of goodies. I would also support legislation that would keep me in business.

So you have to wonder whose ox gets gored in this fight.


#- Jeremy Robinson

"Unfortunately, the major providers of high-speed Internet connections do not do this, since bandwidth is apparently cheaper than taking the necessary steps to reduce spam."

Those providers don't think it is cheap, as they want to start charging people for high use, i.e. the secret Comcast cap, and other companies trying to "throttle" price their services...

Alan Young

Random spam is a lousy marketing tool - how many people actually respond to it? A fraction of 1 percent? In order for the spammers to get something back they either need massive quantities (the traditional botnet), or else intelligently targeted email campaigns by infecting your computer with a trojan and sending a 'personal' email to the contacts in your address book. This last one can be pretty embarrassing! The only sure-fire way to combat it is if individuals take responsibility for their own computer security and get a decent antivirus or Internet Security package.

Check out the reviews and download links for the latest software from the major antivirus companies on All of them do free trials, so why not download one and do a system scan to make sure your system is OK? The software is 100% functional until the end of the trial (15, 30 or 60 days) when you need to buy a licence.


Carl Zetie

@Steven Surowiec #5: Actually I read a study recently that said that serving spam is now essentially a minimum wage occupation.

And when you think about it, given that it requires minimal skill (along with minimal ethics), that's pretty much what you'd expect. If it (still) were as profitable as you suggest, new entrants would quickly get into the field, since the barriers to entry are so low and their alternative prospects so poor, only stopping when the incentive falls to what these people could make elsewhere -- which turns out to be roughly minimum wage.

And that, in a nutshell, is why spam levels are so high even though filtering is so good and response levels so low. It's actually a beautiful study in the power of incentives :)

David Weibe

The difference in opinion about the profitability of spam is because the spammers and the botnet makers tend to be distinct groups. The botnet makers gather machines and rent them out at fairly low cost and huge revenue. (This process is not nearly as trivial as many people seem to think - for one thing, most viruses these days actively defend against other viruses, so as not to decrease the value of their resource.) The spammers rent out time on the machines to send spam at fairly high cost and very low revenue. (The cost for this arises from the high price the botnet makers charge and the fact that this is, indeed, a minimal skill job - the botnet makers have made the process, once you've given them lots of money, very streamlined.)

Regarding encouraging people to install anti-viral programs, yes, it's an extremely good idea in principle. Unfortunately, it can have some unintended consequences - first you have to convince people they're not secure (which is true), and then you get them to install software by convincing them it will make them secure (which is not true). This is a problem, especially for small businesses. I'm not sure decreasing spam at the expense of increasing online theft and fraud is a good thing.