I'm in Washington, DC, yesterday and today, for the Federal Trade Commission Spam Summit. The first day was fairly interesting, with four sessions of panel presentations and discussions:
- Defining the problem.
- Evolving methods for sending spam and malware.
- Uncovering the malware economy.
- Emerging threats.
In the first session, we heard some statistics from the Pew Internet & American Life Project, which does surveys and studies of Internet issues, including spam. We also heard from an FBI agent in charge of a project to prosecute spammers, and from marketing people whose aim is to see that “legitimate marketing mail” is not blocked as spam (and, of course, the question is then one of defining what is “legitimate” and what is spam).
In the second session, we heard about methods of obtaining lists of addresses to send spam to, and ways of sending out spam — which is mostly, at this point, through use of “botnets”, networks of “zombie” computers (see my series on zombies, starting with this entry). The panelists also talked about spamming techniques to get around spam filters, and about legal aspects of addressing spam (through the CAN-SPAM Act, fraud laws, and such).
The third session told us about how spammers develop, buy, and sell software, and how they make their money. This was clearly the weakest session of the day, and, while the panelists did a reasonable job of presenting their material, I definitely wished we'd had Rob Thomas of Team Cymru, who presented the topic at the Conference on Email and AntiSpam last summer.
For the fourth session, we got a discussion of probable future difficulties, including spam in instant messaging, voice over IP, and social networking sites such as MySpace. It was here that we had our official IBM speaker, Chris Rouland, the CTO of IBM Internet Security Systems. Chris sees voice over IP as the upcoming and diffcult spam problem, and gave his prediction that over the coming years the telephone "do not call" registry will become obsolete, as the adoption of VoIP makes the registry essentially unenforceable and useless.