The War On Spam - I Was Wrong
Back in 2002, Jeremy Bowers wrote an article asserting that statistical filters for spam were our last line of defense, that they are doomed to eventually fail, and that once they did we would all be buried under an avalanche of unwanted mail. I responded with this post and he responded to me and others with this post.Four years later, statistical filtering nevertheless remains a valuable weapon in the war on spam. At my former day job, I turned off the automatic server-side filtering (based on SpamAssassin) and used Thunderbird's statistical filter because it just worked better. - The Spam War, Jerry Kindall
An alternate interpretation/theory to the one proposed in that post: Spammers aren't smart enough to attack the filters anymore.
I know that there are some spammers that tried to figure out what I was saying (because I got a few emails that were clearly attempts to have me spell it out for them), but as far as I know, none ever succeeded. I've never seen an attack like what I would write if I were out to kill filtering. (Random word padding and taking random phrases from Shakespeare is the closest I've seen, but it's still critically flawed, for reasons I'd prefer to leave unspecified.)
I was still wrong, but I'm not sure it's necessarily because filters are capable of withstanding the theoretically-optimal spammers; I'm still not confident that filters could withstand a well-chosen poisoning attack. It's just that we live in a world of decidedly less than theoretically optimal spammers, who do not seem capable of "well-choosing" anything, and it seems likely that it will continue to be the case that anybody smart enough to kill the increasingly sophisticated filters will be able to find more profitable and legal employment elsewhere.
I'm not sure we're past the worst of it yet, but the war on spam seems winnable to me now, at least in terms of filtering it out. And hopefully if we can win the filtering, we'll kill the economic impetus for it.
The next front will be "botnets", where at least in security terms we're losing, but I wonder what those botnets will do when there's no spam to send?