Sign up to our newsletter
We know that spam works: well, it works well enough for spammers to keep devoting time and money into pumping sewage into the arteries of the internet. The interesting question is why does it work?
The Messaging Anti-Abuse Working Group (MAAWG), a global coalition of network operators and messaging providers who do some vital work (and run some pretty good events – I attended one last year, and learned a great deal from it), thought it was worth conducting some research into what people do with their junkmail, and have now published it in a report succinctly ;-) entitled A Look at Consumers’ Awareness of Email Security and Practices I"Of Course, I Never Reply to Spam – Except Sometimes"
There is some sound reasoning behind this investigation into the deceptively obvious: if you have a better understanding of what people do and why they do it, you have a better chance helping them modify their behaviour to make them less vulnerable to the sort of social engineering that spammers, scammers and botherders make use of. That thought might come as a surprise to you, voiced by someone in an industry that is notorious for focusing more on the way that code behaves than on the way that people behave. The fact is, though, that while it’s easier in some respects to detect malicious code than malicious intent or unsafe behaviour, the psychosocial aspects of both user and criminal behaviour can tell us a great deal about how best to implement technical solutions, and you’ll probably be hearing a lot more from this team on that in the coming months, and not just in the context of user education.
However, the MAAWG survey is focused on user behaviour: to be precise, the behaviour described by 800 respondents in the US and Canada who don’t regard themselves as security experts and whose email isn’t managed by a corporate IT team. Well, that sounds pretty much like the group we regard as most likely to be poorly protected in terms of the security software they run, to fall prey to bot infection and antique mass-mailers, and that would have been rather interesting.
Unfortunately, the MAAWG press release also states that about 2/3 of them considered themselves to be "very" or "somewhat" knowledgeable when it comes to Internet security, so they probably don’t really have that demographic covered. And, of course, 800 is a pretty small proportion of the total population of the Internet. (If you want to know exactly what the questionnaire looked like, you need to download the substantial part two (54 pages) of the document, which also includes the detailed findings and charts.)
It probably doesn’t come as a surprise to most people that a lot of people still click on spam messages, even when they know or suspect that they’re spam (whatever you understand by that term: perhaps we’ll skirt round the definitional issue for the moment). If no-one did that, there’d be no spam industry. But given that so many of the respondents consider themselves reasonably security-savvy, you may find a couple of the data points in part 1 somewhat alarming.
In fact, much of the first part of the document is devoted to the observations of David Ferris and Richi Jennings of Ferris Research. As it happens, I know both these guys, having worked with them for a while before I joined ESET: they’re good at analysing data like these, and make some valid points and interesting suggestions. Nonetheless, on a preliminary scan of the detail in part 2, I wouldn’t agree that the data support all their conclusions, and I don’t have their enthusiasm for allowing an ISP remote access for remediation of a bot infection. That’s not a bad idea in principle, but I can see a lot of consumers being badly burned by poor implementations.
Still, part two some really interesting and detailed data that I intend to come back to sooner rather than later. And if you’re at all interested in the part that consumers play in the messaging abuse problem, I recommend that you take a closer look.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET