Most spam is sent by zombies -- PCs infected with viruses, which allow spammers to remotely control them. It's a big problem, but one that most ISPs are doing nothing about, with one or two notable exceptions, such as AOL.
ISPs are in a great position to slash the number of zombies operating today, so why the lack of action? Basically, ISPs have little incentive to identify zombies and help their users clean up their PCs. It requires an investment in time and technology for which there's little payback in their business model. Margins are razor-thin in a competitive, commoditiy marketplace. Few consumers will choose an ISP based on how good they are at cutting off infected PCs.
What if governments encouraged ISPs to actively help in this area? Perhaps via tax breaks. ISPs could be encouraged to instrument all outgoing email traffic so that they can spot patterns. If a subscriber appears to be sending spam, the ISP should cut off their ability to send mail until the subscriber can be contacted and remedial action taken. This could be triggered if a PC sends more than, say, 50 messages per day.
With thanks to the participants in the Message'05 spam roundtable and to Ovum's Graham Titterington for chairing the meeting.
Tags: spam, virus, malware.