Does the Security Industry Care About Email Anymore?
Spam. It’s the problem that you can’t stop talking about when looking at your inbox, and the problem that you don’t hear a peep about otherwise.
Globally, spam is still a big problem. According to Symantec’s February 2011 Intelligence Report, spam accounted for 81.3% of all email traffic in January. McAfee’s Q4 2010 Threat Report states that spam volumes are down a whopping seventy percent since the middle of 2009 but are still reported in the billions of messages per day and trillions monthly, dwarfing the approximately 55,000 new pieces of malware they see daily.
In its glory days, spam regularly accounted for ninety percent or more of global email traffic, so with these numbers spam is considered by some to be a solved problem. If it were truly solved, why do criminals still use it as a vehicle to do everything from selling enhancement products and online brides to leading users to infected web sites? The reality is that the spam problem isn’t solved. It’s evolving.
The conference agenda for RSA had many sessions around topics like cloud security, virtualization, and malware, but nary a session to be found on email spam. So, why doesn’t the security industry seem to care about email spam anymore? The answer is simple. As Bill Clinton frequently stated during his presidential campaign in 1992, “It’s the economy, stupid.”
Although there are some areas, like phishing, where email filters still struggle, email filtering has largely become commoditized by freemail providers like Gmail, Yahoo, and Hotmail, who provide filtering that many consider to be anywhere from “good enough” to “really good.” The real money (legitimately and illegitimately obtained) has migrated to other platforms such as social media and mobile, where the number of users continues to increase daily, and the amount of time spent using applications, games, chat, and messaging over these platforms extends beyond the amount of time people are spending in their traditional email inboxes. It is because of this that cyber criminals have spread their wings beyond just email and have quickly figured out how to exploit users’ trust in these mediums. Unsolicited and malicious private and SMS messages are becoming more problematic for users, as filtering mechanisms are not nearly as mature for these environments as they are for email. This is one of the primary reasons why social and mobile platforms are receiving so much attention in the security industry.
The focus of the security industry will continue to shift to where the biggest problems and moneymakers lie, because that is also where the criminals will spend most of their time trying to trick you out of your sensitive information. As this evolution continues, however, it is important to not lose focus on the technologies that paved the way for that evolution — especially when they are still as widely used and as ripe for attack as email.