Unless new weapons are designed to keep junk mail at bay, spammers are about to get the upper hand in the war in cyberspace.
Canadian researchers have figured out a way to create spam that could bypass the best filters and trick even the most savvy computer users into opening messages they would normally delete.
Mischief-makers would use this kind of spam -- which employs hijacked computers to make sophisticated e-mail messages that appear to be from people known to computer users -- to release viruses, worms or spyware on unsuspecting users or expose them to theft of personal information.
"It's very much an arms race between the good guys and the bad guys," said study co-author John Aycock, a computer scientist at the University of Calgary.
Spam is always evolving, but the kind of high-tech stuff once thought to be too much work for spammers was easily demonstrated by Prof. Aycock and student-researcher Nathan Friess in their study "Spam Zombies from Outer Space."
The study, which was funded by the Natural Sciences and Engineering Research Council of Canada and has been peer reviewed, will be presented next week at the European Institute for Computer Anti-Virus Research conference.
Alex Leslie, vice-president of technology for AOL Canada Inc., said the researchers have hit upon something that Internet service providers are always trying to prepare for: threats they anticipate, but have yet to see, known as a "zero day attack."
"It's a never-ending battle. It's a cat and a mouse game," Mr. Leslie said.
Spam includes everything from offers to buy fake Rolex watches to stock market tips. It is annoying and offensive, but it can also slow or shut down computer systems and be used to commit crimes such as fraud and identity theft.
Research firms figure spam accounts for about 40 per cent of the billions of e-mails sent each day. Around the world, companies lose nearly $20-billion (U.S.) in productivity and costs associated with combatting spam.
There are additional costs connected to spam-related cyber crime for which there is no good cost estimate, other than the conclusion that it is a growing enterprise.
Individuals and business are fighting back in the courts, and with anti-spam, anti-virus programs, while politicians are making new laws.
In the United States, America Online filed lawsuits against "phishing gangs" who used false AOL websites to trick consumers into giving away their credit card numbers and other personal identification.
Existing spam software is effective, but not foolproof.
It's one thing for a spammer to slip through a filter, but quite another hurdle to get people to open junk e-mail.
Usually, junk mail is easy to spot: It comes from sources users don't recognize, it is hawking stuff they're not interested in, or the e-mails just don't look right.
Spam of the future could be sent from the e-mail accounts of friends or colleagues, the Alberta researchers say. The spam could be so sophisticated that messages may contain abbreviations, personal signatures or misspellings that people would expect to see in e-mail from people they know.
Those tricks would make sure people are more apt to visit a Web link or download an attachment, allowing the spammers to peek into hard drives, grab personal data or infect the computer.
The majority of spam is sent through zombie computers, which are vast networks of hijacked personal computers infected by rogue software, which is used to send bulk e-mail messages.
But the researchers found that zombie computers could be harnessed in a new way, which they showed using two computer programs as well as manually inputted e-mails and e-mail lists from the Enron database that was released when the company tanked.
"Our experiments have told us that this isn't as difficult to do as we might have thought to begin with, which is kind of depressing," Prof. Aycock said.
"The bad guys are very close to this," he said. "What we want to do in our research at the University of Calgary is get out of the cycle of just reacting to new problems we see."
