Spam: The Security Threat You Easily Forget

About this time last year, I spoke at a cybersecurity conference in Krakow. I was asked during a video interview to identify the security threats that I believed were most pressing. (Ignore the suit...)

Yes, I said spam.

Not DDoS? Not ransomware? Not breach of personal data? Not IoT? Are you daft, Dave?


My thinking has not changed a full year later.

Spam is a criminal infrastructure enabler

Spam may have been merely annoying, unsolicited messages in your inbox at one time, but that was a millennium ago. The average spam volume reported to the Cisco Talos Email and Web Reputation Center for September 2017 was 367 billion. To date in October, volume is up fifteen percent. Due to the near-ubiquitous adoption of reputation block lists, you see very few of these. Be thankful that most spam is not delivered, because spam is the preferred delivery infrastructure for phishing, ransomware or malware, and many other threats.

Spam is also more pervasive today than ever, affecting not only your email experience but texting and social media as well. Social spam infrastructures are now allegedly used to influence or control political expression.

You've perhaps been lulled into complacency about spam because you don't see it. The ubiquity of reputation block lists is the reason the average user isn't inundated with spam, and the reason security professionals don't spend all of their waking hours remediating the infected devices of co-workers, friends or family.

The Strategic Asset Value of Spam Networks

Today, spam infrastructures are as important a weapon in the cyber attacker arsenal as nuclear submarines are to warfare. Spam infrastructures have similar operational properties to submarine fleets:

Operational Stealth is "the ability to operate in a medium generally unfavourable to counter-detecting sensors". Spam networks operate below the "sea surface" as a highly geographically distributed armada of compromised devices and servers that can be engaged in cyber attacks through a command infrastructure. A spam network is also like a submarine force in the respect that it can operate in a location- and numbers-independent fashion: the bots that use fast flux techniques to provide the underlay network for a spam infrastructure such as Avalanche exhibit this uncertainty of presence.

Operational Survivability is the ability to operate in hostile environments. Infected devices (bots) that support spam infrastructures run malware that may defeat, modify or remove security measures intended to dismantle communications between the bots and their "Force Commander" (in bot-speak, command-and-control or C2).

Operational Endurance is the ability to sustain operations for long periods of time without support. Spam infrastructures employ domain generation algorithms, fast flux, and persistent bot recruitment to sustain availability. They also typically infect devices on a scale that requires global or multi-jurisdictional cooperation to contain or dismantle.


The most frightening strategic asset value of a submarine is its ability to bring considerable lethal force to bear on targets. Increasingly, cyber attackers are employing spam infrastructures to deliver ransomware or to censor or influence political expression.  These, too, are "lethal", in the context of being extremely dangerous attacks, capable of causing serious harm or damage.

Spam is no longer merely unsolicited communications or content. It is a prolific threat that we must monitor, report, and learn to better mitigate. I'm cautiously optimistic that projects like our Domain Abuse Activity Reporting at ICANN will help diverse communities to understand, respond to, and defang spam.

