Are botnets really the spam problem?

Over the last few years I’ve been hearing some people claim that botnets are the real spam problem and that if you can find a sender then they’re not a problem. Much of this is said in the context of hating on Canada for passing a law that requires senders actually get permission before sending email.
Botnets are a problem online. They’re a problem in a lot of ways. They can be used for denial of service attacks. They can be used to mine bitcoins. They can be used to host viruses. They can be used to send spam. They are a problem and a lot of people spend a lot of time and money trying to take down botnets.
For the typical end user, though, botnets are a minor contributor to spam in the inbox. Major ISPs, throughout the world, have worked together to address botnets and minimize the spam traffic from them. Those actions have been effective and many users never see botnet spam in their inbox, either because it’s blocked during send or blocked during receipt.
Most of the spam end users have to deal with is coming from people who nominally follow CAN SPAM. They have a real address at the bottom of the email. They’re using real ISPs or ESPs. They have unsubscribe links. Probably some of the mail is going to opt-in recipients. This mail is tricky, and expensive, to block, so a lot more of it gets through.
Much of this mail is sent by companies using real ISP connections. Brian Krebs, who I’ve mentioned before, wrote an article about one hosting company who previously supported a number of legal spammers. This hosting company was making $150,000 a month by letting customers send CAN SPAM legal mail. But the mail was unwanted enough that AOL blocked all of the network IP space – not just the spammer space, but all the IP space.
It’s an easy decision to block botnet sources. The amount of real mail coming from botnet space is zero. It’s a much bigger and more difficult decision to block legitimate sources of emails because there’s so much garbage coming from nearby IPs. What AOL did is a last resort when it’s clear the ISP isn’t going to stop spam coming out from their space.
Botnets are a problem. But quasi legitimate spammers are a bigger problem for filter admins and end users. Quasi legitimate spammers tend to hide behind ISPs and innocent customers. Some send off shared pools at ESPs and hide their traffic in the midst of wanted mail. They’re a bigger problem because the mail is harder to filter. They are bigger problems because a small portion of their recipients actually do want their mail. They’re bigger problems because some ISPs take their money and look the other way.
Botnets are easy to block, which makes them a solved problem. Spam from fixed IPs is harder to deal with and a bigger problem for endusers and filters.

Related Posts

CRTC fines Compu-Finder $1.1 million for CASL violations

The Canadian Radio-television and Telecommunications Commission (CRTC) is the principle agency tasked with enforcing Canada’s anti-spam law. Today they issued a Notice of Violation to Compu-Finder  including a $1.1 million dollar fine for 4 violations of CASL. The violations include sending unsolicited email and having a non-working unsubscribe link. According to the CRTC, complaints about Compu-Finder accounted for 26% of all complaints submitted about this industry sector.
This is the first major fine announced under CASL.
One of the first things that jumped out at me about this is the action was taken against B2B mail. There are a lot of senders out there who think nothing of sending unsolicited emails to business addresses. In my experience, many B2B senders think permission is much less important for them than B2C senders. I think that this enforcement action demonstrates that, at least to the CRTC, permission is required for B2B mail.
The other thing that jumped out is that given the extent of the complaints (26%) the financial penalties were only slightly more than 10% of the $10M maximum penalty. It seems the CRTC is not blindly applying the maximum penalty, but is instead actually applying some discretion to the fines.
I’ve looked for the actual notice of violation, but haven’t been able to find a copy. If I find it, I will share.
 
 
 
 

Read More

Don't like opt-outs? Target your program better.

I get a LOT of spam here. Most of it is marked and trivial to get rid of. Some of it is what I would call semi-legitimate. It’s a real product, but I never asked to receive any information from this company and am not actually part of their demographic. For one time things I just hit delete and move on. Life is too short to complain or opt out of every spam I get. (Tried that, got more mail)
But sometimes if the same sender keeps bothering me, I will send back an email asking them to cease contact. I recently had an occasion where someone sent an initial email trying to sell me bulk SMS, online video and other services. I ignored it because we’re not in the market for any of these services. A week later I get a followup asking why I hadn’t provided feedback to them and if there was a better person to talk to at the company. I looked for a way to opt-out of this message stream, but there wasn’t one. I send a reply telling them we were not interested in speaking to them and to please cease all communication. (“You didn’t receive feedback because I have no interest in talking to you. Please cease all future contact.” Admittedly that was terse, but it was polite.)
My request to cease communication was not well received, nor was it honored. Mind you, they first contacted me trying to sell me services that are totally off what we offer. When I asked them not to contact me, they turned it around that we’d lost business.

Read More

Email problems are costly

Last week Zulily released their quarterly earnings. Their earnings’ report was disappointing, resulting in a drop in their stock prices. The chairman of the company told reporters on a conference call that part of the reason for the drop in earnings were due to deliverability problems “at a large ISP.”

Read More