Spam Trends in 2009: McAfee’s Report

I came across McAfee's Spam Trends in 2009 article, as reported by  In the article, they summarize some of McAfee's predictions about where spam is going to go in 2009.  Most of the predictions are actually extensions of trends that we saw in 2008:

  • Free web-hosting and blogging services will be increasingly attacked by spammers.

    We already see this as I see spam for products that link to Google Groups and the like.  Windows Live Spaces and Blogspot accounts get abused all the time.

  • Cyber-criminals will increasingly be using botnets that spread into corporate networks and financial data centers.

    Yes, and we have spent the better part of the past 14 months addressing this on our side.

  • "Legitimate" home business scams are also going to attack our inboxes more often than we would like. This kind of scam usually involves "either a pay up front and Do-It-Yourself kit, or a pay-to-play shell game of training and certification."

    This is actually an old technique and has been around since I started this job 4.5 years ago.

  • McColo, a network hosting provider that had a wide range of cybercriminal activity emanating from its networks, is likely to be replaced by hosting companies in countries that are powerful enough to fill this market.


There is one additional point I need to respond to that doesn't make sense.

Spammers are also going to abuse free email services more often and more severely than they used to do before. As a result, the need for Domain Keys Identification Mail (DKIM), PGP key signing and secondary authentication mechanisms will become more important to a basic business security model.


What does authentication have to do with combating the abuse of free email services?  If a free email provider like Hotmail, AOL, Gmail or Yahoo gets compromised, DKIM won't save you.  The recipient's spam filter already knows that the message is coming from one of these services.  In fact, that's the inherent weakness of reputation filters: if someone with a good reputation is compromised and spam leaks through in small volumes, you cannot rely on reputation to block the mail.  Instead, you need to rely on content filtering, which examines the message's contents to judge whether it is spam or should be delivered.

Indeed, in this case, a reputation filter can weaken your spam filter if you apply it incorrectly.  How?  If you assume that all mail that comes from Gmail, as authenticated using DKIM, is good and add those senders to a safe senders list, then any spam coming from there will get a free pass to the user's inbox.

You may reply "No, no, we'll only apply safe senders to known good senders and be extra aggressive on the other stuff."  This is the Holy Grail of spam filtering, but unfortunately, it doesn't work in practice.  The whole point of email is that it allows you to hear from people you have never heard from before.  All I have ever found is that if you increase a spam filter's aggression, you simply apply higher spam scores to spam you would have caught anyhow and much more legitimate mail gets filtered as false positives.  The spam that you were trying to catch still gets through because it evades your filters.  The components that your spam filters are looking for haven't been updated to look for this new type of spam.
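The two policies discussed above (a DKIM-based safe senders bypass, and that bypass combined with extra aggression on everything else) can be compared on a handful of messages. This is an added example, not code from the original post or from any real filter; the sample mail, the safe list, the rule weights and the thresholds are all constructed assumptions.

```python
import re

# Constructed samples: (Authentication-Results value, body, is_spam ground truth).
SAMPLES = [
    ("mx.example.net; dkim=pass header.d=gmail.com",
     "Lunch on Thursday? I booked the usual place.", False),
    ("mx.example.net; dkim=pass header.d=gmail.com",
     "Work from home kit, pay up front, certification included", True),
    ("mx.example.net; dkim=none",
     "Hi, we met at the conference. Here is the invoice you asked about.", False),
    ("mx.example.net; dkim=none",
     "Quarterly newsletter: new prices for our free certification webinar", False),
]
SAFE_DKIM_DOMAINS = {"gmail.com"}  # hypothetical safe senders list
RULES = {"pay up front": 4.0, "work from home": 3.0, "certification": 2.0,
         "free": 1.5, "invoice": 1.5, "prices": 1.0}  # toy content rules

def dkim_domain(auth_results):
    """Return the signing domain of a passing DKIM result, else None."""
    m = re.search(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", auth_results)
    return m.group(1).lower() if m else None

def content_score(body):
    """Sum the weights of every rule phrase found in the body."""
    text = body.lower()
    return sum(w for phrase, w in RULES.items() if phrase in text)

def verdict(auth_results, body, threshold, safelist_bypass):
    """Return True when the message is filed as spam."""
    if safelist_bypass and dkim_domain(auth_results) in SAFE_DKIM_DOMAINS:
        return False  # authenticated "good" sender: content filter never runs
    return content_score(body) >= threshold

def evaluate(threshold, safelist_bypass):
    """Return (missed_spam, false_positives) over SAMPLES."""
    missed = fps = 0
    for auth, body, is_spam in SAMPLES:
        flagged = verdict(auth, body, threshold, safelist_bypass)
        missed += is_spam and not flagged
        fps += flagged and not is_spam
    return missed, fps

if __name__ == "__main__":
    print("safe list, normal threshold:     ", evaluate(5.0, True))
    print("content filter on all mail:      ", evaluate(5.0, False))
    print("safe list, aggressive threshold: ", evaluate(1.5, True))
```

With the bypass in place the scam signed by the free provider is delivered at either threshold, while the aggressive threshold only adds false positives on unsigned legitimate mail.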
