Is This the Solution to Spam?
Published 11:30, 02 February 09
I think I may have come up with a possible solution for spam. But first, some background.
I have read somewhere (can't find the reference, unfortunately) that when intercontinental ballistic missiles (ICBMs) were first introduced in the US, a test was conducted early on to assess how the defences would work in practice.
On the warning systems there appeared to be an attack originating from Russia (although in fact there was none). According to their orders, those operating the ICBMs were supposed to launch their missiles immediately in response to just such an eventuality. But it turned out that very few did: the problem was, they had never faced this situation, and most were paralysed by doubts and fear, which made them hesitate to take such an extreme step.
The solution was ingenious. Instead of battling – probably in vain – against human nature, and hoping that things went better next time, the military powers decided to cause multiple apparent attacks to occur every day. Gradually, the doubts and fears about pressing the launch button wore off thanks to the repeated nature of the exercise, and the response to these fictive attacks approached 100%.
The beauty of this approach is that should a real attack be launched, the response will be just as good, since those responding will have no way of knowing that it is not just another practice alert to keep them on their toes.
So how about applying this to spam? Here's how it would work.
A number of government security organisations around the world – think national spam centres – would routinely send out what looked like spam to all email users.
In appearance, these would be identical to the real thing: they would offer all the improbable improvements to parts of your anatomy, or access to multi-million pound bank accounts for very little effort. All the usual – and highly-effective - tricks of social engineering would be deployed in order to persuade users to respond.
Most people would simply ignore these fake spams, as they do other junk that they find in their inboxes. But a few – as always - would respond. That's good: for these are precisely the people who make spam viable, providing enough incentive for spammers to send out billions of mails to the rest of us.
These are also the people who click on infected Word documents, or visit dodgy Web sites and infect the rest of the ecosystem. So it is precisely these people that need to be educated.
The fake spam would allow that to happen. For instead of receiving information about wondrous pills, or large sums of money, those who succumb to the siren-like call of the spam would, instead, receive a gentle warning – by email or from special Web sites the fake spam respondents would be directed to - from the national spam centres explaining that had this been a real spam email, they would have suffered various negative consequences, and that maybe it would be best to ignore such offers in the future.
Some of those receiving these messages might take note, and resolve never to fall for spam again (or at least be more sceptical). Others will not. But those who do not will then fall for *more* fake spam in the future, and receive yet more warning messages. This will carry on until one day the penny drops, and even they become at least more resistant to spam (since no one is *completely* immune to the clever ploys employed).
You may think that the idea of official government departments sending spam is an outrageous proposal, and that it would never be allowed. But it's actually been going for some years, albeit discreetly, and on a small scale:
A U.S. Department of Justice e-mail that phished for sensitive information from federal workers was a hoax that the agency sent out to test its own security awareness, according to a report.
The e-mail, sent two weeks ago to Justice Department employees, directed recipients to a Web site that prompted them to supply account information related to the federal retirement savings program, the Associated Press reported.
"We have learned that the messages are part of a hoax invented and distributed by DOJ to test employee security awareness," Ted Shelkey, assistant director for information systems security, wrote in an e-mail to the AP on Wednesday.
the DOJ's Gina Talamona called CNET News and said the test was conducted from January 25 to January 27. "We conduct periodic exercises to test the security posture of our information users...as a tool to train and educate employees." The DOJ has been doing it for about three years, she added.
A particular virtue of this approach is that it would be cheap – indeed, that's one of the problems with spam: it's so efficient. It could also use existing spam as templates for the fake spam, changing format as new tricks and content evolve.
One argument against this approach might be that it adds stress to an already overloaded email system. Although that's true, it should be a relatively short-term additional load.
As more and more people ignore spam, and the response rate drops, the likelihood is that many companies will find it uneconomical and cease to employ it. Moreover, at present, spam shows no signing of abating, and so the system is most certainly going to be stressed even more if we do nothing.
The virtue of the approach I'm suggesting is that it does not try to stop the spammers, but the help the spammed.
It removes the most problematic link in the chain – the end-user – rather than simply ratcheting up the unwinnable arms-race with the increasingly-sophisticated spammers. Every other system adopted in an attempt to throttle spam has failed: maybe it's time to try something different?
an email-based anti-phishing training system in which training messages are designed to look like phishing messages. When users "fall" for our messages, we take advantage of the "teachable moment" and immediately teach them how to avoid falling for real scams. Our studies demonstrate that PhishGuru effectively teaches people what cues to look for to distinguish scams from legitimate email.
The advantage of PhishGuru is that it is less intrusive than the system I was proposing; the disadvantage is that it would need to be rolled out to all email users, which would be pretty hard. Interesting, though.