Researchers Analyze Bots to Beat Spam, But Will it Work?

Written by Paul Cunningham on January 29, 2010

A research team from two Californian universities has developed what it believes will be a game-changing approach to defeating spam.

The researchers used a captured spam bot to generate a sample of the spam emails it produces, then used those samples to reverse engineer the template the emails were built from. Once this template was known, 100% of further spam emails from that bot were successfully blocked, with no false positives on the one million genuine email messages in the test.
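The template-recovery step, as an added illustration that is not code from the research team or the original post: it treats the tokens that appear, in order, in every captured sample as the fixed template, treats the text between them as bot-filled slots, and turns the result into a matching rule for new mail. The sample messages are constructed, not real bot output.

```python
import re

# Constructed messages standing in for spam a captured bot emitted in a sandbox;
# the bot fills slots (recipient, product, price, URL) into one fixed template.
BOT_OUTPUT = [
    "Dear Alice, your order of Rolex-style watches is ready. Only $49.99 at http://deal.example/a1 today!",
    "Dear Bob, your order of Premium pills is ready. Only $19.95 at http://deal.example/zz9 today!",
    "Dear Carol, your order of Designer bags is ready. Only $29.00 at http://deal.example/qq today!",
]

def lcs_tokens(a, b):
    """Longest common subsequence of two token lists (textbook dynamic programming)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i, j = i + 1, j + 1
        else:
            i, j = (i + 1, j) if dp[i + 1][j] >= dp[i][j + 1] else (i, j + 1)
    return out

def infer_template(samples):
    """Anchors: tokens common to every sample, in order; widths[k]: most slot tokens seen before anchor k."""
    anchors = samples[0].split()
    for s in samples[1:]:
        anchors = lcs_tokens(anchors, s.split())
    widths = [0] * len(anchors)
    for s in samples:
        toks, pos = s.split(), 0
        for k, a in enumerate(anchors):  # greedy walk succeeds because anchors are a subsequence
            idx = toks.index(a, pos)
            widths[k] = max(widths[k], idx - pos)
            pos = idx + 1
    return anchors, widths

def build_signature(anchors, widths, min_anchors=6):
    """Anchors as whole tokens, in order, with at most widths[k] free tokens before each; few anchors = loose rule."""
    if len(anchors) < min_anchors:
        raise ValueError("too few invariant tokens for a safe signature")
    pattern = r"(?<!\S)" + re.escape(anchors[0])
    for k in range(1, len(anchors)):
        pattern += r"\s+(?:\S+\s+){0,%d}%s" % (widths[k], re.escape(anchors[k]))
    return re.compile(pattern + r"(?!\S)")

def is_bot_spam(message, signature):  # run over new mail, not over the training samples
    return signature.search(message) is not None
```

A new message whose product slot is three words wide falls outside the learned slot width and is missed, which is the template churn the rest of the post expects spammers to rely on.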

Leading anti-spam products on the market today claim up to 99% accuracy for spam detection and use sophisticated analysis techniques such as Bayesian filtering to reduce false positives. However, a large part of the fight against spam remains reactive.

Adding this new technique to the protection mix may tilt the playing field in the good guys’ favour for a little while, but the constantly evolving online threat landscape will find a way around it soon enough. Fighting spam comes down to a numbers game: if there are more people who want to send spam than there are researchers and professionals fighting it, the war will go on for a very long time.

The spam and malware industry has already become well known as a sort of underground marketplace where anyone can buy the software and email lists they need to begin a spam campaign. The business model behind these ventures is so well established that ongoing maintenance plans are even available for the spam tools and malware on sale. For a fee, a malicious coder will develop a new variant of a tool for you that circumvents whatever detection the security vendors have implemented.

It is easy to expect the same type of service to be offered to botnet operators, who will need a constant supply of new email templates to avoid detection by any vendor that uses this new spam analysis technique. In fact, it is also easy to expect that bot software will no longer carry all of the template information in its code and will instead regularly download new variations from other sources to hamper attempts to reverse engineer it. Most bots are already self-updating and constantly evolving into new variants anyway.

The full details of this new research will be unveiled in March, and it will be very interesting to see just how practical it is to integrate this new technique into current anti-spam products. The turnaround time required to discover and capture a new bot, analyse it, create detection signatures, and then deploy those to a global customer base may be more than enough for spammers to send out their campaigns successfully. By the time protection is achieved, the next bot variant already exists.

As far as the overall impact on spam goes, this technique may have little to no effect at all. Although it may prevent some spam sent directly from computers compromised by bots, it will have no effect on bots that serve other purposes, such as taking over webmail or social networking accounts for use by spammers.

As an anti-spam development this research is interesting but I have some doubts about its practicality and effectiveness.
