Five years ago today, I started this blog (and ~seven years ago I started fighting spam).  I’ve seen a lot of trends in the past five years and have written over 850 posts (which doesn’t sound like that much). 

When I first started, spam was the biggest abuse issue that I was aware of, and it was probably the biggest abuse problem on the web (except for possibly malware).  During that time, I have observed the following big 5 trends:

  • Spam was the biggest avenue for abuse but is less prominent now.  It is a player but not the major one.  Spammers have shifted to malware, black search engine optimization, and spear phishing.

  • Malware has exploded.  Viruses have always been around, but they really took off in the past couple of years. This has coincided with the above.  Email is not the only way to target someone’s money – there’s Facebook, Twitter, and web browsing, too.  In fact, the browser may be supplanting spam as the preferred infection method.

  • There has been a shift in who is doing the spamming.  It used to be regular joes trying to make money, and it still is. But the degree of cyber abuse that is now mingled with organized crime has greatly increased.

  • Botnets have proliferated.  They have been around a long time but they really increased during the last half of the past decade.  This is driven by necessity.  As spammers discovered that they couldn’t send mail because their netblocks were listed in DNSBLs, they resorted to using bots instead.  Now that sending spam by bots is less effective, they are increasing their use of stolen accounts or created-for-spamming-only accounts.

  • Authentication never really caught on.  Yes, there are lots of organizations that set up SPF records, but most of them use ~all which isn’t that useful for combating spam (though one could argue that’s not what SPF is for).  Lots more organizations (especially in Europe and Asia) have no SPF records at all.  DKIM is a good standard but is only used by a minority of organizations, years after the feature became an RFC standard.

    Don’t get me wrong, authentication is used by a great many parties, but it’s most useful if everyone uses it.  We are not anywhere near the point where everyone uses it.
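To see where a set of domains falls on the SPF point above, here is an added example (not code from this post) that classifies each domain by how its SPF record ends. The function names are hypothetical and every TXT record in it is a constructed sample; in practice the records would come from DNS TXT lookups.

```python
# Added example: classify SPF enforcement from a domain's TXT records.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_policy(txt_records):
    """Return 'none', 'multiple', 'fail', 'softfail', 'neutral', 'pass',
    'redirect' or 'implicit-neutral' for one domain's TXT records."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"              # no SPF record published at all
    if len(spf) > 1:
        return "multiple"          # RFC 7208: more than one record is a permerror
    redirect = False
    for term in spf[0].split()[1:]:
        t = term.lower()
        qualifier, mech = "+", t   # a mechanism without a qualifier means "+"
        if t[0] in QUALIFIERS:
            qualifier, mech = t[0], t[1:]
        if mech == "all":
            return QUALIFIERS[qualifier]   # terms after "all" are never evaluated
        if t.startswith("redirect="):
            redirect = True        # policy is defined by another domain's record
    return "redirect" if redirect else "implicit-neutral"

def audit(domains):
    """Group domains by policy; only 'fail' (-all) asks receivers to reject."""
    report = {}
    for domain, txt in domains.items():
        report.setdefault(spf_all_policy(txt), []).append(domain)
    return report

# Constructed sample data (reserved .example names and documentation addresses).
SAMPLE = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "soft.example": ["site-verification=constructed",
                     "v=spf1 include:_spf.soft.example ~all"],
    "nospf.example": ["unrelated TXT record"],
    "open.example": ["v=spf1 +all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ~all"],
    "delegated.example": ["v=spf1 redirect=_spf.strict.example"],
}

if __name__ == "__main__":
    for policy, names in sorted(audit(SAMPLE).items()):
        print(f"{policy:16} {', '.join(names)}")
```
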

Those are some of the big observations I have made over the past five years.  In five years’ time, I’ll compare what I wrote here with the next big five trends.