Why Is There Spam?
Or... Why do I keep receiving junk e-mail?
Years ago, Bill Cosby released a hilarious album entitled Why is There Air?
Part of the humor in the album is that the title question was never answered.
Unfortunately, there is nothing funny about Spam. We have all experienced the frustration of
having to clear out dozens (or perhaps hundreds) of unwanted e-mail messages each morning.
XPMsoftware's own research consistently shows that, on average,
unwanted and malicious e-mail makes up more than 75% of all mail server message traffic.
Spam marketing is a numbers game... To make money, spammers need to get their message out to as many people as
possible. And they are willing to do whatever it takes to get their message into your in basket.
Getting the Message Out
Ethical marketers conform to codes of conduct such as those published by
The Canadian Marketing Association.
Unethical e-mail marketers also conform to a code of conduct:
"We will do anything, break any law, and steal from anyone, to make money!" Unethical e-mail marketers:
- Prey on those with health issues by promoting placebos as cancer cures,
prescription drugs, herbal cures and more.
- Victimize people in financial distress by offering seemingly legitimate loans and mortgages at very
attractive interest rates. For this scam, an up-front finder's fee is requested - but no loan is provided.
- Indiscriminately promote adult content to millions of people, regardless of their age, gender or desire to receive such
content.
- Attempt to dupe unsophisticated Internet users through social engineering (Phishing) scams for the
purpose of committing identity theft.
- Take advantage of people's greed through Pump & Dump stock scams, Nigerian bank
scams, bogus lottery scams, lost bank account scams, or other get rich quick scams.
The size of reported fraud is immense.
PhoneBusters statistics for the month of April, 2006 (from the RCMP and OPP)
report losses in excess of $7,202,248.00 CDN.
It is important to note that
this is reported fraud and doesn't include unreported activity or those victimized without their
knowledge (through bogus drugs, etc.).
Spamming Pays
In November 2004, Jeremy Jaynes and Jessica DeGroot became the first persons to receive a
felony spam conviction in the US. They were accused of sending out millions of e-mails, promoting
amongst other things a FedEx Refund Processing racket. In one month, Jaynes received over
10,000 credit card orders for $39.95(US) each. In total, Jaynes is said to have earned over $24
million (US) peddling penny stocks, software to erase web browsing history and other worthless
products. Jeremy Jaynes received a 9 year prison term for his crimes.
Mr. Jaynes marketed and sold snake oil to thousands of unsuspecting victims, but he wasn't the
only one. According to the
National Readiness Survey (NRTS) conducted by the Center for Excellence in Service at the
University of Maryland's Robert H. Smith School of Business, spam now costs the United States $21.58
billion annually in lost productivity. The School found that:
- 78% of adults receive spam on a daily basis and 11 percent of
the online population receive at least 40 spam e-mails a day
- Of those online adults who do receive spam, 14 percent open it to see what it says
- In the past 12 months, 4 percent of online adults purchased a product or service
advertised by spam
- Two-thirds (68 percent) of online users sweep their accounts clean of spam at least
once a week. More than one-quarter (27 percent) delete spam on a daily basis.
An in-depth analysis conducted by the
Canadian Institute of Chartered Accountants in 2005
found that the cost of spam is high for businesses of
all sizes. In their study, they determined that without the proper protection,
a company with just 100 users can easily waste $190,000 per year battling spam.
Why Doesn't Somebody Stop It?
There are significant legal and technical challenges to stopping spam...
Spammers purchase facilities (servers, network bandwidth) from network providers who are more
interested in making money than policing their customers. Many people are under the impression that
"ask no questions" providers operate primarily in south-east Asia, Russia or other jurisdictions
with few laws and lax enforcement - but that's only partially true.
In 2004, North America was responsible for more than half of the world's spam. Today,
Asia accounts for 42.8% of spam according to one monitoring service.
Spammers are also on the lookout for insecure PCs or mail servers to use in spam delivery. As early
as October, 2004, the Christian Science Monitor reported that
Spammers and Virus writers were cooperating to take over
Internet connected machines. Virus writers develop code to penetrate computer security defenses and
install spam engines. Then they lease infected machines to spammers who use these computers to relay
messages to your in basket. An infected PC with a cable connection can send out 500,000+ spam e-mails per day.
Tracking spammers through foreign jurisdictions or through infected PC spam relays
is nearly impossible, providing spammers the anonymity they need to hawk their wares. Furthermore,
most ISPs do not believe it is their job to sift your e-mail traffic for unwanted messages.
What Can My Company Do?
If organizations cannot rely on law enforcement or Internet providers to stop spam, they must
assume the task themselves.
With so much productivity at risk, it is worth it for organizations to investigate, acquire
and implement an antispam solution.
There are literally hundreds of products on the market that purport to stop spam.
They are all successful (more or less) but each comes with its own burden in terms of cost,
effectiveness, administrative overhead, licensing fees, etc. One comparison of antispam
products, prepared by the author, can be found here.
Selecting an antispam solution requires careful consideration of your organization's budget, technical
capabilities, tolerance for risk, tolerance for spam, etc. You should look for products that:
- Provide the best accuracy
- Have the lowest false-positive (legitimate e-mail marked as spam) rate
- Consistently deliver e-mails from established peers
- Are fast and easy to implement
- Do not require excessive user or e-mail administrator involvement
All at the lowest total cost of ownership. You should avoid products that:
- Require you to pay unreasonable monthly fees on top of the purchase price
- Do not provide complete protection without the purchase of expensive, add-on products
- Require you to purchase other items before deploying the product (i.e.: hardware, operating systems, software modules)
- Impose restrictions on the number of users and/or domains that can be protected
- Will place an additional processing burden on your mail server
What Can I Do?
What follows are some simple, common sense strategies you can follow to minimize the likelihood of receiving spam.
- Never reply or unsubscribe to spam
Spammers want to know that their message was seen by a person (and not a machine).
Never reply to, or click the unsubscribe link in, a spam message because this is their cue to send you more!
- Use hard to guess e-mail addresses
If policy permits, use full names as e-mail addresses rather than abbreviations.
CharlesMBrown@myWebSite.com is harder to guess than cbrown@myWebSite.com
- Don't participate in chain letters
We've all seen chain letters with hundreds of e-mail addresses in the To: field. Spammers get these messages too,
and harvest e-mail addresses from them.
- Forward messages without recipient lists
If you like to forward humor, tell your mail client to mask the recipient list. This
will prevent future recipients from harvesting e-mail addresses as your joke gets passed around the 'net.
- Don't exchange e-mail with people who include recipient lists in their messages
All of your good work can be undone by a well meaning friend who includes your e-mail address in their distribution
list. Get these people to mask distribution lists, or else ask to be taken off their list.
- Don't post your e-mail address on newsgroups or forums
Anecdotal evidence shows that spammers harvest e-mail addresses from newsgroups and forums. It is OK to participate in
newsgroups and forums, just be sure that you don't include your e-mail address with your post.
- Take care when placing e-mail addresses on your web site
Spammers harvest e-mail addresses from websites. If you have to post an e-mail address on your website, try the
following:
- Use a generic e-mail address like info@myWebSite.com.
- Use a disposable e-mail address such as JohnDoe123@myWebSite.com. Change the e-mail address often (you'll have to!).
- Mask your e-mail address so that people can understand it but machines can't. For example,
JohnDoe (at) myWebSite DOT com is easily understood by people but not machines.
- If you must post an e-mail address to your website, create an image file with your e-mail address in text.
People will be able to read it but machines can't. Here is an example I made with Microsoft™ Paint:
- Get effective spam protection
There is only so much an individual can do to avoid spam. Ultimately, the team in charge of your mail server
will need to take action to stop
spammers. Effective antispam solutions are available that are designed to deal with the full spectrum of spam threats.
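An added example (not from the original article): a small Python audit of your own page source, illustrating the "Take care when placing e-mail addresses on your web site" tip. It reports addresses that a simple pattern match can read, including one written with an HTML entity (a case the article does not cover), and suggests the article's masked form; the sample page and function names are constructed for illustration.

```python
import re
from html import unescape

# Deliberately simple pattern: the kind of match an automated address
# collector applies to raw page source.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample page using the article's example addresses.
SAMPLE_PAGE = "\n".join([
    '<p>Sales: <a href="mailto:info@myWebSite.com">contact us</a></p>',
    '<p>Support: JohnDoe123&#64;myWebSite.com</p>',
    '<p>Owner: JohnDoe (at) myWebSite DOT com</p>',
    '<p>Press: <img src="press-address.png" alt="press contact"></p>',
])


def mask(address):
    """Rewrite an address in the 'JohnDoe (at) myWebSite DOT com' form."""
    local, domain = address.rsplit("@", 1)
    return f"{local} (at) {domain.replace('.', ' DOT ')}"


def audit_page(html):
    """Return (line_number, address, masked_form) for each readable address."""
    findings = []
    for number, line in enumerate(html.splitlines(), start=1):
        # Decode entities first: "&#64;" is still an "@" to any HTML parser,
        # so entity encoding alone does not hide an address.
        for address in ADDRESS.findall(unescape(line)):
            findings.append((number, address, mask(address)))
    return findings


if __name__ == "__main__":
    for number, address, suggestion in audit_page(SAMPLE_PAGE):
        print(f"line {number}: {address} is machine-readable; "
              f"consider: {suggestion}")
```

The mailto link and the entity-encoded address are both reported, while the masked text and the image on lines 3 and 4 are not matched by this pattern.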
Summary
The cost and risk associated with unwanted e-mail activity is huge.
Organizations can suffer lost productivity, increased risk (due to e-mail viruses),
mail delays from excess spam traffic, workplace safety problems from unwanted adult content, etc.
Adopting safe e-mail practices will reduce the likelihood that an individual could become a spam target,
but there are limits.
For the best protection, your organization will need to acquire and implement an effective
antispam solution.
© 2006 by Larry Karnis and XPMsoftware. All rights reserved. Permission is hereby granted to
quote from this article in whole or in part, or to reproduce this article by any means as long as
the author and XPMsoftware receive appropriate attribution.
About the Author
Larry Karnis is the president of
XPMsoftware, the developer of PerfectMail Antispam and
Antivirus appliances. Larry has spent the last 7 years focused on e-mail security best practices
and e-mail security solutions. Before that, Larry worked as an IT infrastructure and security consultant,
software engineer with multiple commercial products to his credit, and as a
professional IT trainer.
Comments on this article should be directed to
lkarnis@xpmsoftware.com.