Until recently, spammers were in an ugly war of attrition. As spam filters got better and better, spammers bumped up the volume of messages they pumped out. If a fraction of one percent of a million messages get through, that's not profitable. Make that a billion messages and the money starts to add up. But it now seems as though this war of escalation has subsided; not because the spammers have given up, but because the game is changing.
U.S.-based spammers have all but disappeared, scared off by prison sentences handed down to the likes of Soloway under the 2004 CAN Spam act. Even overseas there has been progress. In the past year a series of spam-spewing botnets -- Waledac, Pushdo, and most recently Rustock -- have been taken offline thanks to the efforts of law enforcement and private security researchers. And in October 2010, an affiliate marketing website called Spammit closed its doors. It was used by spammers pushing online pharmaceuticals, and was a major source of income for many spammers.
That's taken a big dent out of spam, but the nature of the business has evolved. Once a source of irritating commercial marketing messages, unsolicited mass emails are increasingly being used by scammers and criminal hackers to ply their trade.
No longer is spam just a way to sell pornography or cheap pills. Spam messages are being used to install malicious software, and for a targeted form of spamming called spearphishing that has become a particularly effective hacker technique. A spearphishing attack opened the door to RSA security and helped hackers to compromise the security of RSA's SecurID tokens.
Spammers may be getting more crafty, too.
"There has been a decline in what we're getting in our traps, but what we're seeing that's out there is smarter spam," said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham. Warner helped set up a massive database at the university that vacuums up as many as a million spam messages per day.
Take Feb. 14, for example; Valentine's Day. Instead of the usual Viagra or Rolex spam, Warner saw a flood of messages advertising a legitimate florist -- FTD. That's a more targeted form of spam than what his team would typically have seen a couple of years ago. And the spammers were directing people to a legitimate Web site -- FTD Flowers -- making their money from Web marketing referral fees. If the spammers succeeded in reminding just a few absent-minded spouses to order flowers, they could make money.