
Email Spam

Spam is an interesting, if highly technical, topic. Understanding spam will help you in your attempts to deal with it. If you like to read and you are curious, I recommend a little light reading: http://en.wikipedia.org/wiki/E-mail_spam. For the rest of you, here is a synopsis:

What is spam?

E-mail spam is defined as "unsolicited commercial e-mail", also known as "bulk e-mail" or "junk e-mail". It is characterized by nearly identical messages sent to numerous recipients by e-mail. E-mail spam has existed since the beginning of the Internet, even before web sites "as we know them" came into being, and has grown to about 90 billion messages a day.

Who is generating all this spam mail?

Fewer than 200 spammers send about 80% of the spam. The people mostly responsible are criminals in the US, Russia, China, South Korea, Nigeria, and Eastern Europe.

Why do they send spam?

Spam is primarily a medium for criminals to defraud users. Many different scams are tried. You may wonder how anyone could make money with spam since these scams are public knowledge and people have learned to avoid them. However, spam fraud is a numbers game, and if hundreds of thousands of attempts can be made for very little cost and effort, even if only a small percentage of the scams actually work, that translates into significant money. Spam can also be used in "denial of service" attacks on a particular company's email servers. Such attacks send so much email to the server that it is overwhelmed and cannot service its intended clients. This could be simple maliciousness, or someone with a vested interest in the failure of a company could hire a hacker for this purpose.

Is it just me or is it getting worse?

In absolute numbers:
- 1978 - An e-mail spam is sent to 600 addresses.
- 1994 - First large-scale spam sent to 6000 newsgroups.
- 2005 - (June) 30 billion per day
- 2006 - (June) 55 billion per day
- 2006 - (December) 85 billion per day
- 2007 - (February) 90 billion per day
Yes, spam is getting worse in terms of volume of sent emails and in other ways as well. Efforts to control spam are usually based on distinguishing between legitimate email and spam email. Spammers continually circumvent these efforts by making their spam look more like legitimate email with new delivery methods and smarter software. Some efforts to control spam actually tend to make things worse by blocking legitimate email accidentally, making it harder for average folks to use email effectively.

Could I be contributing to the spam problem?

- Newsletters and distribution lists:
Sending out mass emails to people who have not asked to receive your emails is technically spamming. If you do this, you are contributing to the problem (albeit in a very minor way).

- Carbon Copy:
Including multiple addresses in the "CC" field allows everyone who receives the email to see all of the other addresses. Others could then use these addresses illegitimately. This is definitely a practice to avoid for this reason. As well, some people receiving messages sent in this manner will get very upset with you for exposing their email address in this way.

- ISP Level Blocking:
Allowing or even demanding that your ISP block spam on your behalf encourages ISPs to take drastic measures that may in fact block legitimate email, contributing to the overall email delivery problem.

- Viruses and security:
Botnets are groups of virus-infected computers, and they account for about 80% of all spam. This means that if your computer is infected, it could be sending out email spam messages while it is connected to the Internet. As well, spammer viruses may scan your computer's disk drives for email addresses and return them to the spammer. Therefore, if you have a computer connected to the Internet that is not adequately protected from viruses using a firewall and anti-virus software, you could indeed be part of the problem.

Efforts to control Spam:

There are efforts to control spam on three fronts:
- Governmental/legal, laws and punishment
- Professional security measures, filtering, blacklisting
- Individual precautions, security measures, and filtering

Obviously it is in the interests of all governments and lawmakers to take measures to control spam and the criminal elements that propagate it. Unfortunately, spammers have gotten very good at hiding themselves, and international cooperation in law enforcement, at a level not currently available, would be needed to make a significant impact.

ISPs, email service providers, and hosting companies are all working to reduce and control spam in various ways with limited success. Keeping email servers protected from use by spammers, through security, source authentication, and other measures is standard practice these days. Most email service providers require that their clients abide by anti-spamming rules for out-going email. Trapping spam and blocking the sources with the use of blacklists is a common practice. Filtering of incoming emails by detecting indicator content is also often employed. It may be useful to note that email is usually provided as a free service to clients who are ostensibly paying for another service such as an Internet connection or web site hosting. It is therefore not motivating for these companies to spend a lot of time or resources on solutions to email problems.

Prevention - If spammers do not have your email address then they cannot use it. Spammers may harvest email addresses from a number of sources. To prevent unauthorised use, be careful to verify the receiver when giving out your address, especially on the web.

The role of the web site:
Many spammers use programs called web spiders to find email addresses on web pages. Instead of printing your email address on your site, use a web form, which will send visitors' emails to you while hiding your address from the spam bots.

However, some spammers have software that can use these email forms on web sites to send their spam to you. In an effort to cut down on this abuse, many web sites have adopted a system called captcha. Users attempting to submit the form are asked to perform a task that is easy for a human but very difficult for automated software to do. You can see an example of this here: http://www.markhamlaw.com/060~Contact_Us/ (See the "Are You Human?" question, just before the submit button).

Prevention should be viewed as a temporary solution since eventually, if you ever use your email address, a spammer is likely to find it. Because of this, some people routinely change their email address every few years just to avoid spam.

Personal Detection and filtering:
It is easy for humans to detect spam email - just by looking at the "subject line" and the "from" attribute you can often detect it instantly, and looking at the content confirms it easily. But for automated software (your email filters) it is a much harder job.

Filters sort email into spam and "real email" based on the content of the e-mail, either by detecting keywords such as "viagra" or by statistical means. Such methods can be very accurate when they are correctly tuned to the types of legitimate email that an individual gets, but they can also make mistakes such as detecting the keyword "cialis" in the word "specialist". The content also doesn't determine whether the email was either unsolicited or bulk, the two key features of spam. So, if a friend sends you a legitimate email that mentions "viagra", content filters can easily mark it as being spam even though it is neither unsolicited nor sent in bulk. You may think that you can easily set up a filter for the word Viagra and you will no longer get any spam for viagra, but the difficulty is demonstrated when you consider that there are 600,426,974,379,824,381,952 ways to spell Viagra (according to cockeyed.com, 7 April 2004) in a way that humans can still read, for example:
- V1agra
- Via'gra
- V I A G R A
- Vaigra
- \ /iagra
- Vi@graa
With so many combinations it is difficult to set up a filter successfully. Bayesian filtering has become popular as a spam-filtering technique for this reason. Bayesian filters rely on word probabilities, not just keyword detection. If a message contains many words which are only used in spam, and few which are never used in spam, it is likely to be spam. Many current email programs use Bayesian filtering; however, spammers are also working to get around this type of filtering.
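The keyword-matching pitfalls described above (the "cialis" in "specialist" false positive and the respelled variants in the list) can be seen by running a plain substring filter next to one that normalizes text and matches whole words. This is an added example, not code from the original article; the substitution table and function names are assumptions made for illustration.

```python
import re

# Look-alike substitutions (constructed mapping, not exhaustive).
LOOKALIKES = str.maketrans({"1": "i", "@": "a", "0": "o", "3": "e", "$": "s"})

def normalize(text):
    """Undo common respellings so a keyword can be compared in one canonical form."""
    t = text.lower()
    t = re.sub(r"\\\s*/", "v", t)                      # backslash + slash drawn as a V
    t = t.translate(LOOKALIKES)                        # "v1agra", "vi@gra"
    t = re.sub(r"(?<=[a-z])['.\-_*](?=[a-z])", "", t)  # "via'gra"
    # Rejoin spaced-out single letters: "v i a g r a" -> "viagra"
    t = re.sub(r"\b(?:[a-z] ){2,}[a-z]\b", lambda m: m.group(0).replace(" ", ""), t)
    return re.sub(r"([a-z])\1+", r"\1", t)             # "graa" -> "gra"

def naive_hit(text, keywords):
    """Substring match on the raw text: the simple filter the article warns about."""
    low = text.lower()
    return any(k in low for k in keywords)

def normalized_hit(text, keywords):
    """Whole-word match after normalization of both the text and the keyword."""
    norm = normalize(text)
    return any(re.search(r"\b" + re.escape(normalize(k)) + r"\b", norm) for k in keywords)

# The six spellings listed in the article.
VARIANTS = ["V1agra", "Via'gra", "V I A G R A", "Vaigra", "\\ /iagra", "Vi@graa"]

def report():
    """Map each variant to (naive filter hit, normalized filter hit)."""
    return {v: (naive_hit(v, ["viagra"]), normalized_hit(v, ["viagra"])) for v in VARIANTS}

if __name__ == "__main__":
    for variant, (naive, normalized) in report().items():
        print(f"{variant!r:16} naive={naive!s:5} normalized={normalized}")
    legit = "Ask our specialist about hosting"  # constructed legitimate message
    print("specialist:", naive_hit(legit, ["cialis"]), normalized_hit(legit, ["cialis"]))
```

Normalization recovers five of the six listed spellings and removes the "specialist" false positive, but the transposed "Vaigra" still slips through, which is why hand-written keyword rules keep falling behind.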

Image spam is an obfuscating method in which the text of the message is stored as a GIF or JPEG image and displayed in the email. This inhibits text based spam filters from detecting and blocking spam messages, since only the headers have text in them.

Our recommendations:

Notwithstanding these limitations, at Back2Front we recommend that our clients obtain and learn to use email-filtering software and upgrade it often. This is by far the best way currently available to control the impact spam has on your computing life.

When you get a spam email, you identify it as spam. In this way the software learns your patterns of email use and can become better at detecting real spam as you use it. It is vitally important under this system to only identify real spam in this manner. For example, if you get joke email from a client, although to you it may be spam, do not identify it as spam - just delete it. That way you will still get the next email your client sends you (maybe a purchase order!). It is also important when using these systems to check for false positives. Learn how to look inside your "junk" box and check for legitimate email that accidentally got transferred there. When you find one, you identify it as NOT spam and the software will learn for next time.
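The Bayesian word-probability scoring described earlier and the "mark as spam / NOT spam" training loop described above fit in one small classifier. This is an added example, not code from the original article or from any particular mail program; the class, the simplified scoring (only words present in the message, add-one smoothing) and the sample mailbox are constructed for illustration.

```python
import math
import re
from collections import Counter

class BayesFilter:
    """Minimal naive Bayes spam scorer over the words present in a message."""

    def __init__(self):
        self.word_counts = {True: Counter(), False: Counter()}  # keyed by is_spam
        self.msg_counts = {True: 0, False: 0}

    @staticmethod
    def tokens(text):
        return set(re.findall(r"[a-z0-9']+", text.lower()))

    def mark(self, text, is_spam):
        """The user's 'this is spam' / 'this is NOT spam' button."""
        self.msg_counts[is_spam] += 1
        self.word_counts[is_spam].update(self.tokens(text))

    def spam_probability(self, text):
        spam_n, ham_n = self.msg_counts[True], self.msg_counts[False]
        # Prior odds, with add-one smoothing so an empty class never divides by zero.
        log_odds = math.log((spam_n + 1) / (ham_n + 1))
        for word in self.tokens(text):
            p_spam = (self.word_counts[True][word] + 1) / (spam_n + 2)
            p_ham = (self.word_counts[False][word] + 1) / (ham_n + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

# Constructed sample mailbox.
SPAM = ["cheap viagra pills buy now", "buy cheap pills online now",
        "win money now click here"]
HAM = ["meeting agenda for monday attached", "invoice for hosting attached",
       "purchase order for monday attached"]
JOKE = "funny joke about cheap pills from your client"
FOLLOW_UP = "another joke from your client about pills"

def build_filter():
    f = BayesFilter()
    for message in SPAM:
        f.mark(message, True)
    for message in HAM:
        f.mark(message, False)
    return f

if __name__ == "__main__":
    f = build_filter()
    print("joke, before feedback:     ", round(f.spam_probability(JOKE), 3))
    print("follow-up, before feedback:", round(f.spam_probability(FOLLOW_UP), 3))
    f.mark(JOKE, False)  # user finds it in the junk box and marks it NOT spam
    print("follow-up, after feedback: ", round(f.spam_probability(FOLLOW_UP), 3))
    print("real spam, after feedback: ", round(f.spam_probability("buy cheap viagra now"), 3))
```

A single "NOT spam" correction is enough to move the client's next message out of the junk range, while a message made of spam-only words still scores high.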

There are companies that specialize in filtering email for a monthly fee. This may be a viable option depending on the price and your email spam burden. Only use companies that allow you to control the level of filtering and that do not delete spam immediately but keep it so that you can check the messages caught by their filters for legitimate email as needed.

Email Spam and the future:

The core problem with spam is that the email system was never set up in the first place to verify the senders. Anyone can send messages to anyone as long as they have a valid email address to send to. Criminals have exploited this weakness and the spam problem is the result.

The only sure way to eliminate spam is to "retool" the whole system to require the authentication of the sender; spammers could not function successfully under such a system. Such a "retooling" would be a massive project. It would take a large company like Google or Microsoft to decide to take it on, and they would need to get a buy-in from email software vendors, service providers, and ISPs to have a hope of success. But with the headaches that these people as well as the rest of us are currently experiencing due to spam, I expect that someone will step up to this plate soon.

Candace Carter, Back2Front - The Web Site People, April 2008.