Brian Krebs recently posted on his blog, Krebs on Security, that spam has decreased significantly in recent years. Using data from Symantec’s MessageLabs, Krebs created a graph that shows spam volumes since 2007, and the peaks and valleys associated with bot takedowns and other major events are clearly visible. What’s also clear is that spam volumes are as low as they’ve ever been, and have been consistently low for over a year.
So, shouldn’t we all go celebrate? Has our blood, sweat, and tears finally resulted in user inboxes that are full of wanted email, free of spam, as well as safe and secure? Regrettably, no, that’s not the case. Anybody in the anti-abuse business knows that volume numbers never tell the whole story. Sure, users receive less of the blast spam of yesteryear – pharmaceuticals, stock tips, xxx – but that’s not where the story ends. On the plus side, getting rid of that junk means users have a better experience in their inboxes. Unfortunately, this makes them more trusting of the mail they receive each day, less able to tell the good from the bad. Add to this the fact that cybercriminals have become more sophisticated and phishing email is no longer reliably going to be from a bank you don’t even do business with.
Modern phishing campaigns are more targeted, and cybercriminals are less interested these days in getting your banking credentials. No, these days they want more. They are compromising individual user accounts, using those to gain the credentials of more accounts, to send spam, and to distribute malware. As the volume of spam goes down, the threat level seems to go up.
The anti-abuse industry should be be thrilled at the progress they have made in fighting email spam. As Krebs mentioned, coordinated industry efforts have led to disconnecting rogue ISPs and taking down major botnets. But there is still much to do. Mailbox providers and senders need to work together to authenticate mail and reject suspicious mail that fails authentication. This protects users from receiving at least some of the phish email. And mailbox providers need to take it a step further and increase their efforts to curb outbound abuse by protecting users from compromises and stopping the creation of fake accounts. The more mailbox providers we can get to implement authentication and outbound abuse, the safer email users will be.