The “End of Spam” (and publicity?)

First off, I see this report. Of course, it’s a reference to a report of a report, the kind of self-referential thing that we see all the time in security. I get the INFOCON mailing list (, which re-sends the Security in the News mailing list (, which was reporting a story on SecuritySearch/, reporting on a report from Ferris Research.

Anyway, the story on SecuritySearch in a new report, “Top 10 Messaging & Collaboration Issues of 2006,” Ferris Research says viruses, spam and phishing will be down from 2005, but this year expect secure archiving, risk management and layered threat prevention will become more important. Spam and phishing still exist, but “increasingly sophisticated antispam software” is reducing the problem to the point where it is going to “implode.” Spam will be dead in 18-24 months, although phishing may take a little longer. With these problems relegated to trivial status, email archiving and retention is going to become the major issue. SOX, doncha know.

Now, I couldn’t recall anything about Ferris Research, off the topic of my head, so I went and looked for them. Lo and behold, I found them at, and what do you know? They just happen to sell consulting services (and probably resell products) on “email archiving and compliance.” It seems like a fairly small outfit: the president used to install LANs, and before that did some programming.

I can’t see the report itself (you need to get a subscription), but the abstract isn’t consistent with the story on SearchSecurity. The abstract does push archiving, but also says that viruses and phishing are going to be big problems.

Now, ultimately, this sounds like yet another small fish trying to generate some splash in the big pond. But I think the important thing is that it is. This report is being re-broadcast, and will undoubtedly catch other eyes, like it caught mine (and, admit it, my subject line “made you look,” right?). And there are going to be a number of people who read the report and think a) we don’t have to pay as much attention to spam, since it is going away, and b) maybe we should have a look at this email retention thing. There is the possibility of a self-fulfilling prophecy here. (I doubt that this particular issue will have legs, but we’ve all seen similar “media issues” in the past, yes?)

I suppose it isn’t the company’s fault: they are trying to sell themselves. And it isn’t necessarily the media’s fault: they are just reporting, and while I’d like to see a bit more care and analysis, we all know how likely that is while the media outlets need to be “firstest with the mostest” and bankruptcy court take the hindmost. I suppose, ultimately, what I am saying is that the price of security awareness is constant media/mailing list/all sources vigilance–as well as serious skepticism, thought, and many grains of salt.

  • Matthew Murphy

    This can be sliced two ways:

    1) The company is doing shoddy research if their paper actually says (or suggests) that spam will be anywhere near dead in the next decade, let alone two years. It’s just too damn profitable.

    2) If their paper doesn’t say that, then the media is embellishing the facts to make their story sound good.

    Which one is true decides which party should end up in bankruptcy court.