Short Cuts

John Lanchester

Some good news from the airy summits of Davos: ‘Spam,’ Bill Gates told the World Economic Forum, ‘will be solved within two years.’ Great! The problem will be fixed by the creation of a challenge-and-response system to slow down, then block, and finally – and this is the killer – charge money for unauthenticated emails. At the moment, an email can be from anybody: you can fill in the ‘from’ section of an email to claim that it is from anyone in the world, up to and including billg@microsoft.com. (This is one reason why it is a bad idea to bounce spam back to the sender – the sender is quite likely not to have sent it.) Those fake emails are free to send. So the two-step solution to spam is, first, to make sure that it is from whom it says it is from, and then to stop making it free to send in anonymous bulk. This will make spamming uneconomic, and presto, email will go back to being as straightforwardly useful as it once was.

The trouble is, Gates made his prediction/promise about spam on 23 January 2004. Judging by my inbox this morning, three years later – more than a hundred spam emails, with an emphasis on pump-and-dump financial ‘tips’, phishing or fake security announcements, and phoney pharmacies – he was talking total bollocks. (By the way, the subjects of those emails are not random, but are the topics professional spammers find have the highest rate of response. There seems to be less porn, or as wags dub it ‘pr0n’, than there once was – which may reflect the fact that there is now so much free pr0n on the internet that fewer mugs will pay for it.) Gates’s prediction was not just wrong, it is steadily getting wronger, as rates of spam have gone up sharply in the last few months. If you have the impression you have been getting significantly more spam lately, you are right.

The problem is botnets. A ‘bot’ is a piece of software which does a job automatically; most bots are benign, but a botnet is a collection of computers that have been infected with a piece of software which lets someone take over the machine via the internet, without its owner’s knowledge or consent. The controller of the botnet, known as the ‘herder’, can then use the infected computers to do whatever he wants. Almost all affected machines run some version or other of Microsoft’s Windows, the herders’ preferred target and a system known to be critically flawed from the security point of view. Unfortunately, it’s also the most ubiquitous computer operating system in the world. The largest botnet so far discovered was busted by the Dutch police in October 2005: it consisted of 1.5 million infected machines. Your computer could be part of a botnet and you would not know; you could be reading this online while your computer acts as part of a botnet, and you would not know. It is a statistical certainty that many people reading this piece will have a computer that belongs to a botnet.

The herders sell the use of their botnet to anyone who wants to use it – in practice, professional criminals and spammers. (That, most of the time, is a distinction without a difference.) Botnets are sometimes used by blackmailers or saboteurs to perform ‘denial of service’ attacks, bombarding a targeted internet server with so much traffic that it collapses: a tactic which is very hard to defend against, since the machines doing the attacking are scattered all over the world, and have no connection to each other. But the main things botnets do, at the moment, is send spam. Formerly they sent a huge amount from each infected computer, but that would slow down a machine so much that its user might notice, and could also attract the attention of the Internet Service Provider who was forwarding the traffic; so the herders got wise and now are more likely to send smaller amounts of mail from a larger number of ‘nodes’. You can judge the effectiveness of this tactic by the state of your inbox.

All of this makes botnets hard to police and, consequently, makes spam hard to control, since so much of it comes from the computers of respectable citizens who have no idea what’s going on inside their own hardware. The next generation of Microsoft Windows, Vista, just now bursting on a not-all-that-eager world, has technical changes designed to improve the security of Microsoft’s computing out of all recognition. The trouble is that the already-infected machines aren’t magically going to go away; so even if Vista is totally secure, the problem of spam will be a long time in passing. And that is a big, big ‘if’. Hackers who regard Microsoft as evil, and professional criminals who make their living from unsecure computers, were already working flat-out to crack the security of Vista, even before Microsoft started selling it to consumers.

Spam is illegal in the EU – or rather, it is banned by an EU directive, which is not quite the same thing. Not that it matters, since the directive manifestly had no effect. The thing which would make spam go away is if people never, ever, not under any circumstances, clicked on the links in a spam email; and never, ever, ever sent any money to any of the people offering anything for sale via spam. Unless and until people have learned not to reply to spam, as surely as they know not to hand over their credit cards to a stranger in the street, spam will be a fact of life. The risk is that if people don’t, email will become gradually less useful; younger people already show a marked preference for technologies such as instant messaging and texting. If Vista is not secure, and if spam continues to grow, we might arrive at a time when the heroic period of email is as much a subject of nostalgia as carrier pigeons, or those pneumatic tubes which used to whizz messages around central Paris, or the old days when you could rely on the Royal Mail.