Sign In

Communications of the ACM

Research highlights

Technical Perspective: They Do Click, Don't They?

You never click on advertisements received in spam or in phishing messages, do you? Of course you don't! Nobody does. At least, that's the typical response one hears. So, if that is true, why are we still getting an enormous amount of unsolicited email messages? How can this advertisement business be profitable if no one follows any links; if nobody buys anything?

This is a fascinating piece of work. Not only does it help debunk some unscientific claims related to the underground economy, but also, and more importantly, it is very likely to become a seminal reference for a new area of research.

The following paper by Chris Kanich et al. addresses these issues in very concrete terms, thanks to an impressive experiment that enables the authors to offer us to look at some real-world spam campaigns from the inside. This is a fascinating piece of work. Not only does it help debunk some unscientific claims related to the underground economy, but also, and more importantly, it is very likely to become a seminal reference for a new area of research.

This work could have led to a disaster. The authors could have opened Pandora's Box by infiltrating a botnet as they did. The dark side of the force is so strong. Fortunately, these authors are well known for their ability to carry out scientific experiments with all the rigor, precision, and discipline required. They have taken great care addressing the legal and ethical issues linked to the measurement campaign they wanted to carry out. As a result, this paper is a must-read for all those who will be tempted in the future to assess quantitatively the various Internet threats or the motivations and the modus operandi of the organizations launching daily attacks. I do sincerely hope this work will stimulate other teams to carry out more, and similar, experimental work.

"Security by obscurity," that is, keeping vulnerabilities secret in the hope that malicious actors will never find them, is fortunately a concept of the past. However, 15 years ago the issue was still controversial. Today, numerous forums exist where information is shared on the latest exploits, tools, and techniques to break in to systems. But, it is still rare to see someone openly discussing, in very precise terms, the dynamics of these threats. Who is doing what, how often, against whom, why? Few actors have unbiased and usable information on these topics. Those who have such a goldmine are usually unable (for legal reasons) or unwilling (to preserve some competitive advantage) to describe their assets and the lessons they learn when mining them. Experiments such as the one presented in this paper highlight the fact that it is possible, even within the context of a limited experiment, to learn a lot about these hidden markets. Of course, I am not underestimating the amount of effort the authors have invested in this study. Indeed, if anyone else has a great idea for measuring the negative forces we are facing on the Net, if they define their experiments very carefully, and are really cautious when interpreting their results, then they can also contribute to a better understanding of the malware economy.

As computer scientists in general, and computer security researchers in particular, we do not have a long tradition of running and presenting experiments in such a way that others can repeat. This should change. Other scientific communities do much better than us and we should probably learn from them. The following paper offers a unique opportunity to start working in that direction. Its contributions are twofold. First, it gives us new insight on the spam market, its dynamics, its actors, and so on. Second, the precise presentation of the whole experimental processbefore, during, and after the experiment itselfis a masterpiece of how to do things the right way. This second contribution is probably as important, if not more, than the first in a domain where the greatest care must be taken. Before being tempted to play the sorcerer's apprentice, you should definitely read this paper.

Back to Top


Marc Dacier is the director of the Symantec Research Labs in Europe.

Back to Top



©2009 ACM  0001-0782/09/0900  $10.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.


No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account
Article Contents: