% fortune -ae paul murphy

SPAM: the next wave

I've been reviewing spam - and my conclusion is that spammers aren't very smart. So, in order to help the poor fools along I'd like to offer some humble suggestions.

First, humor sells - if you want more people to click on your stuff make it funny. Enough already with the puerile enhancement and related financial fantasies, go for the laugh with subject lines that will make people want to learn more: "Re: George Bush, a monkey, and a democrat discuss taxes in Heaven..."

Second, you've got to start thinking about your market. Nobody likes to be told they have problems, especially not people with problems. You know, every time I tell Wintel people that they're victims rather than users because it's Microsoft's needs, not theirs, that take precedence, they turn off in droves. Seriously, take a hint from the cigarette people: don't tell your targets that they don't measure up, tell them the stars use your product to exceed expectations.

Third, you've got the bucks to get access to major bits of the internet so instead of wasting time trying to steal people's email lists why not just intercept enough email to start mapping the regular contacts between everyone in sight? If you grab a few million emails off a busy link a simple Perl script will construct lists of hundreds of thousands of email relationships - and once you know that Dick and Jane often discuss Spot by email you can put anything you want on both of their PCs.

Fourth, if you were any good at this you would simply attach your payloads to legitimate email - I mean, why bother creating interesting subject lines and fake messages when real people send each other lots of stuff they actually want to read? Route email traveling from A to B through C to pass through your host D instead and you can do anything you want with it - because none of the currently popular "solutions" will do their users the least bit of good.

This may seem hard to you, but it isn't - there are many options besides just writing a check. Instead, for example, of subverting some company's server to send email to third parties, just attach your stuff to email it forwards legitimately.

Sure, there's a risk, I mean, let's face it, everyone knows how to stop all SPAM and phishing in its tracks: just recognize that every point of access to the internet is paid for by somebody and hold that person or organization responsible when the access is used to put SPAM or phishing material on the shared network. It's easy enough to automate - but I doubt the risk will materialize because nobody wants to kill the multi-billion dollar "solutions" industry.

That's odd, though, isn't it? I mean, given that the security industry's continued existence depends entirely on its own continued failure, you'd think the customers would figure it out - but hey PC people, go figure.

Number five, and in that same vein, I think you've widely missed the potential offered by those blacklist operators. You think of them as the enemy, but a little intelligent spoofing can make them your best friends - and, don't forget, pretty much the same technology applies to PC telecom suppliers like Skype.

So what's the non-spammer's take on all this? SPAM and its nastier relatives exist in a precarious balance with the PC "security" industry: joined at the hip in a battle over ecommunications sent by idiots to idiots, generally full of sound and fury but ultimately signifying nothing beyond the extortion of a few billion dollars a year from the complaisant Microsoft masses - and that's the real bottom line because it means you can't get rid of one without also getting rid of the other.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.