e-Mail spam
Online Advertising
e-Mail spam
e-Mail spammers | Spam bait | Word salad | Spamvertising | DNSBL | The Abusive Hosts Blocking List | e-Mail authentication | Sender Policy Framework | Open mail relay | Boulder Pledge
View of a modern spam email, containing an advertising image.
E-mail spam is a subset of
spam that involves sending nearly identical messages to thousands (or
millions) of recipients. Perpetrators of such spam ("spammers") often harvest
addresses of prospective recipients from
Usenet postings or from web pages, obtain them from databases, or simply guess
them by using common names and domains. By popular definition, spam occurs without the permission of the
recipients.
Overview
An inbox filled with spam
As the recipient directly bears the cost of delivery, storage, and
processing, one could regard spam as the electronic equivalent of "postage-due"
junk mail. However, the
Direct Marketing Association will point to the existence of "legitimate"
e-mail marketing. Most commentators classify e-mail-based
marketing
campaigns where the recipient has "opted in" to receive the marketer's message
as "legitimate".
Spammers frequently engage in deliberate
fraud to send out their messages. Spammers often use false names, addresses,
phone numbers, and other contact information to set up "disposable" accounts at
various Internet service providers. They also often use falsified or stolen
credit card numbers to pay for these accounts. This allows them to move quickly
from one account to the next as the host ISPs discover and shut down each one.
Spammers frequently go to great lengths to conceal the origin of their
messages. They do this by
spoofing e-mail addresses (much easier than
Internet protocol spoofing). The e-mail protocol (SMTP) has no authentication by
default, so the spammer can easily make a message appear to originate from any
e-mail address. To prevent this, some ISPs and domains require the use of
SMTP-AUTH, allowing positive identification of the specific account from which an e-mail
originates.
Spammers cannot completely spoof e-mail delivery chains (the 'Received'
header), since the receiving mailserver records the actual connection from the
last mailserver's IP address. To counter this, some spammers forge additional
delivery headers to make it appear as if the e-mail had previously traversed
many legitimate servers. But even when the fake headers are identified, tracing
an e-mail message's route is usually fruitless. Many ISPs have thousands of
customers, and identifying spammers is tedious and generally not considered
worth the effort.
Spammers frequently seek out and make use of vulnerable third-party systems
such as
open mail relays and open
proxy servers. The SMTP system, used to send e-mail across the Internet,
forwards mail from one server to another; mail servers that ISPs run commonly
require some form of authentication that the user is a customer of that ISP. Open relays,
however, do not properly check who is using the mail server and pass all mail to
the destination address, making it quite a bit harder to track down spammers.
Increasingly, spammers use networks of virus-infected Windows PCs (zombies)
to send their spam. Zombie networks are also known as
Botnets.
Spoofing can have serious consequences for legitimate e-mail users. Not only
can their e-mail inboxes get clogged up with "undeliverable" e-mails in addition
to volumes of spam, they can mistakenly be identified as a spammer. Not only may
they receive irate e-mail from spam victims, but (if spam victims report the
e-mail address owner to the ISP, for example) their ISP may terminate their
service for spamming.
Legality
Sending spam violates the
Acceptable Use Policy (AUP) of almost all Internet Service Providers, and can
lead to the termination of the sender's account. Many jurisdictions, such as the
United States of America, which regulates via the CAN-SPAM Act of 2003, regard
spamming as a crime or as an actionable tort.
Article 13 of the
European Union Directive on Privacy and Electronic Communications (2002/58/EC)
provides that the EU member
states shall take appropriate measures to ensure that unsolicited communications
for the purposes of direct marketing are not allowed either without the consent
of the subscribers concerned or in respect of subscribers who do not wish to
receive these communications, the choice between these options to be determined
by national legislation.
Accessing privately owned computer resources without the owner's permission
counts as illegal under computer crime statutes in most nations. Deliberate
spreading of computer viruses is also illegal in the United States and elsewhere.
Thus, some of spammers' most common behaviors are criminal quite
independently of the legal status of spamming per se. Even before the advent of
laws specifically banning or regulating spamming, spammers have been
successfully prosecuted under computer fraud and abuse laws for wrongfully using
others' computers.
Avoiding spam
Typical spam
Computer users can avoid e-mail spam in several ways:
- End-users can use automated e-mail filtering on their own computers.
- System administrators can use appropriate tools to trap e-mail spam at
the mail server level, either by use of software or special
appliances.
- Spam can be reported to appropriate ISP so that the spamming can be
stopped.
- By giving out one's ISP e-mail address only to closely trusted
acquaintances, friends, and relatives, and using web based e-mail services
for everyone else.
- By ensuring that those acquaintances, friends and relatives who have
been trusted with one's e-mail address do not include the person who wants
to avoid spam's e-mail address in the "To" or "CC" fields when sending
several copies of an e-mail to ensure that, when such e-mails are forwarded,
to avoid one's e-mail addresses from appearing in an ammassing list of
e-mail addresses
- By creating a unique e-mail address for each person or site you wish to
communicate with. This can be done using an online mail forwarding service,
or with administrative access to your own e-mail server. If spam is received
on one of these addresses, you immediately know who leaked or sold your
address to spammers, and you can also cancel the affected e-mail address.
- End-users can take precautions to avoid needlessly publicising their
e-mail addresses or protect them from e-mail harvesting by
spam bots,
such as by using e-mail forms that do not display the address in the webpage
code, or by
address munging.
- Using anti-virus and anti-spyware programs with regularly updated
definitions to avoid having their computers hijacked and used as spammer
tools.
- Users are also advised to configure their e-mail clients to disable rich
content features such as HTML mail and automatic downloading of images.
Downloaded images can be used by spammers to identify valid e-mail
addresses.
- By periodically performing an internet search for one's own email
address, and if necessary getting the appropriate website administrator to
remove it.
Anti-spam programmers have released several tools—intended for both end users
and for systems administrators—which automate the highlighting, removal or
filtering of e-mail spam by scanning through incoming and outgoing e-mails in
search of traits typical of spam. Modern anti-spam systems are usually very
effective at protecting you from spam.
Like other forms of theft, spam should be reported to the appropriate people
so that it can be stopped. Services, such as
spamcop, make
this easy to do. While this may not immediately decrease the amount of spam you
receive significantly, it will reduce the amount of spam that everyone receives.
The best way to avoid spam involves avoiding making one's e-mail address
available to spammers, directly or indirectly.
Basic
computer literacy should include an understanding of the basics of spamming and
spam avoidance. One should never reply to a spam e-mail, or click an "opt-out"
link (this simply confirms that an e-mail address is "live"). Users should not
reveal their e-mail addresses on porn, warez and other
shady sites.
If a web site requests registration in order to allow useful operations, such
as posting in Internet
forums, a user may give a temporary disposable address—set up and used only
for such a purpose—periodically deleting such temporary e-mail accounts from
their
e-mail servers. (Users should notify such forums of the new replacement
addresses if they wish to continue interaction for valid purposes.) For example,
free services such as spamgourmet.com and spamhole.com allow a user to create a
temporary e-mail address which forwards e-mail to you for a set period of time,
and then becomes invalid.
See also:
stopping e-mail abuse
Avoiding sending spam
Anti-spam ISPs and technicians have published a number of resources to help
systems and e-mail users avoid sending spam inadvertently or through
misunderstanding the e-mail system — such as the MAPS
Guidelines for Mailing List Management. These guidelines aim to help
legitimate users of bulk e-mail who wish not only to comply with anti-spam laws,
but also to avoid appearing to customers or Internet partners as spammers.
Broadly, such guidelines promote the idea that e-mail recipients must grant
permission before others may send them bulk e-mail. In effect, senders must not
send bulk e-mail to users who have not opted in to receive it. This
contrasts with the view of e-mail promoted by many bulk e-mailers, who claim
that senders should feel free to send to any user who has not opted out
of receiving it.
Many spammers, however, do not even comply with an opt-out régime. Although
U.S. and other laws require that commercial e-mailers cease sending to
recipients who have opted out, many spam messages contain fraudulent opt-out
instructions. In some cases, spammers have used the opt-out function as a way of
confirming that someone actually read a spam message. In
2004 some spam messages turned out to contain malware for Microsoft Windows which victims triggered by clicking an opt-out link.
Cost-based methods
A number of persons have proposed "e-mail postage" systems, under which
e-mail senders would be required to pay money, perform a resource-intensive
computation, or post a bond, for each message sent. Proponents include
Microsoft's Bill Gates. The intention of e-mail postage is to deter spam by making it too expensive to
send a large number of messages.
However, since spammers already use other people's computers to spam, there
is every reason to believe that they would offload the postage charge onto
others as well.
Confirmed opt-in
One difficulty occurs in implementing opt-in mailing lists: many means of
gathering user e-mail addresses remain susceptible to forgery. For instance, if
a company puts up a Web form to allow users to subscribe to a mailing list about
its products, a malicious person can enter other people's e-mail addresses — to
harass them, or to make the company appear to be spamming. (To most
anti-spammers, if the company sends e-mail to these forgery victims, it is
spamming, albeit inadvertently.)
To prevent this abuse, MAPS and other anti-spam organizations encourage that
all mailing lists use confirmed opt-in (also known as verified opt-in
and (by spammers themselves) as double opt-in). That is, whenever an
address is presented for subscription to the list, the list software should send
a confirmation message to that address. The confirmation message contains no
advertising content, so it is not construed to be spam itself — and the address
is not added to the list unless the recipient responds to the confirmation
message. See also the
Spamhaus
Mailing Lists vs. Spam Lists page.
All modern mailing list management programs (such as GNU Mailman, Majordomo,
and qmail's ezmlm) support confirmed opt-in by default.
Highest Amount of Spam Received
The owner of the domain name acme.com is currently thought to hold the
record, receiving over one million spam emails per day. This is in comparision
with Microsoft founder Bill Gates who, according to Steve Ballmer, receives four million per year.
How spammers operate
Gathering of addresses
In order to send spam, spammers need to obtain the e-mail addresses of the
intended recipients. Toward this end, both spammers themselves and list
merchants gather huge lists of potential e-mail addresses. Since spam is, by
definition, unsolicited, this address harvesting is done without the
consent (and sometimes against the expressed will) of the address owners. As a
consequence, spammers' address lists are remarkably inaccurate. A single spam
run may target tens of millions of possible addresses -- many of which are
invalid, malformed, or undeliverable.
Spam differs from other forms of
direct marketing in many ways, one of them being that it costs no more to send
to a larger number of recipients than a smaller number. For this reason, there
is little pressure upon spammers to limit the number of addresses targeted in a
spam run, or to restrict it to persons likely to be interested. One consequence
of this fact is that many people receive spam written in languages they cannot
read — a good deal of spam sent to English-speaking recipients is in Chinese or
Korean, for instance. Likewise, lists of addresses sold for use in spam
frequently contain malformed addresses, duplicate addresses, and addresses of
role accounts such as postmaster.
[1]
Spammers may harvest e-mail addresses from a number of sources. A popular
method uses e-mail addresses which their owners have published for other
purposes. Usenet posts, especially those in archives such as Google Groups,
frequently yield addresses. Simply searching the Web for pages with addresses —
such as corporate staff directories — can yield thousands of addresses, most of
them deliverable. Spammers have also subscribed to discussion mailing lists for
the purpose of gathering the addresses of posters. The DNS and WHOIS systems
require the publication of technical contact information for all Internet
domains; spammers have illegally trawled these resources for e-mail addresses.
Many spammers utilize programs called web spiders to find e-mail addresses on web pages.
A recent, controversial tactic, called "e-pending", involves the
appending of e-mail addresses to direct-marketing databases. Direct
marketers normally obtain lists of prospects from sources such as magazine
subscriptions and customer lists. By searching the Web and other resources for
e-mail addresses corresponding to the names and street addresses in their
records, direct marketers can send targeted spam e-mail. However, as with most
spammer "targeting", this is imprecise; users have reported, for instance,
receiving solicitations to mortgage
their house at a specific street address — with the address being clearly a
business address including mail stop and office number.
Spammers sometimes use various means to confirm addresses as deliverable. For
instance, including a
Web bug in a spam message written in HTML may cause the recipient's mail client to transmit the recipient's
address, or any other unique key, to the spammer's Web site.
[2]
Likewise, spammers sometimes operate Web pages which purport to remove
submitted addresses from spam lists. In several cases, these have been found to
subscribe the entered addresses to receive more spam.
[3]
Delivering spam messages
Internet users and
system administrators have deployed a vast array of techniques to block, filter,
or otherwise banish spam from users' mailboxes. Almost all Internet service
providers forbid the use of their services to send spam or to operate
spam-support services. Both commercial firms and volunteers run subscriber
services dedicated to blocking or filtering spam, such as AppRiver, Brightmail,
Postini, and the various DNSBLs.
Using Webmail services
A common practice of spammers is to create accounts on free webmail services,
such as Hotmail,
to send spam or to receive e-mailed responses from potential customers. Because
of the amount of mail sent by spammers, they require several e-mail accounts,
and use web bots to automate the creation of these accounts.
In an effort to cut down on this abuse, many of these services have adopted a
system called the
captcha: users attempting to create a new account are presented with a
graphic of a word, which uses a strange font, on a difficult to read background.
Humans are able to read these graphics, and are required to enter the word to
complete the application for a new account, while computers are unable to get
accurate readings of the words using standard
OCR techniques. Blind users of captchas typically get an audio sample.
Spammers have, however, found a means of circumventing this measure.
Reportedly, they have set up sites offering free
pornography: to get access to the site, a user displays a graphic from one
of these webmail sites, and must enter the word. Once the bot has successfully
created the account, the user gains access to the pornographic material.
Using other people's computers
Early on, spammers discovered that if they sent large quantities of spam
directly from their ISP accounts, recipients would complain and ISPs would shut
their accounts down. Thus, one of the basic techniques of sending spam has
become to send it from someone else's computer and network connection. By
doing this, spammers protect themselves in several ways: they hide their tracks,
get others' systems to do most of the work of delivering messages, and direct
the efforts of investigators towards the other systems rather than the spammers
themselves. The increasing broadband usage gave rise to a great number of
computers that are online as long as they are turned on, and whose owners do not
always take steps to protect them from malware. A botnet consisting of several
hundred compromised machines can effortlessly churn out millions of messages per
day. This also complicates the tracing of spammers.
Open relays
In the 1990s,
the most common way spammers did this was to use open mail relays. An
open relay is an
MTA, or mail server, which is configured to pass along messages sent to it from
any location, to any recipient. In the original SMTP mail architecture, this was
the default behavior: a user could send mail to
practically any mail server, which would pass it along towards the intended
recipient's mail server.
The standard was written in an era before spamming when there were few hosts
on the internet, and those on the internet abided by a certain level of conduct.
While this cooperative, open approach was useful in ensuring that mail was
delivered, it was vulnerable to abuse by spammers -- and abused it soon was.
Spammers could forward batches of spam through open relays, leaving the job of
delivering the messages up to the relays.
In response, mail system administrators concerned about spam began to demand
that other mail operators configure MTAs to cease being open relays. The first
DNSBLs, such as
MAPS RBL and the now-defunct ORBS, aimed chiefly at allowing mail sites to
refuse mail from known open relays.
Open proxies
Within a few years, open relays became rare and spammers resorted to other
tactics, most prominently the use of open proxies. A
proxy
is a network service for making indirect connections to other network services.
The client connects to the proxy and instructs it to connect to a server. The
server perceives an incoming connection from the proxy, not the original client.
Proxies have many purposes, including Web-page caching, protection of privacy,
filtering of Web content, and selectively bypassing firewalls.
An open proxy is one which will create connections for any
client to any server, without authentication. Like open relays, open
proxies were once relatively common, as many administrators did not see a need
to restrict access to them.
A spammer can direct an open proxy to connect to a mail server, and send spam
through it. The mail server logs a connection from the proxy -- not the
spammer's own computer. This provides an even greater degree of concealment for
the spammer than an open relay, since most relays log the client address in the
headers of messages they pass. Open proxies have also been used to conceal the
sources of attacks against other services besides mail, such as Web sites or
IRC servers.
Besides relays and proxies, spammers have used other insecure services to
send spam. One example is the now-infamous FormMail.pl, a
CGI script to allow Web-site users to send e-mail feedback from an HTML
form.
[4] Several versions of this program, and others like it, allowed the user
to redirect e-mail to arbitrary addresses. Spam sent through open FormMail
scripts is frequently marked by the program's characteristic opening line:
"Below is the result of your feedback form."
As spam from proxies and other "spammable" resources grew, DNSBL operators
started listing their IP addresses, as well as open relays.
Today, spammers use infected Windows PCs to deliver spam. Many still rely on
Web-hosting services on spam-friendly ISPs to make money.
Spammer viruses
In 2003, spam investigators saw a radical change in the way spammers sent
spam. Rather than searching the global network for exploitable services such as
open relays and proxies, spammers began creating "services" of their own. By
commissioning computer viruses designed to deploy proxies and other spam-sending tools,
spammers could harness hundreds of thousands of end-user computers.
Most of the major
Windows e-mail viruses of 2003, including the Sobig and Mimail virus
families, functioned as spammer viruses: viruses designed expressly to
make infected computers available as spamming tools.
[5]
[6]
Besides sending spam, spammer viruses serve spammers in other ways. Beginning
in July 2003,
spammers started using some of these same viruses to perpetrate
distributed denial-of-service (DDoS) attacks upon DNSBLs and other anti-spam
resources.
[7] Although this was by no means the first time that illegal attacks have
been used against anti-spam sites, it was perhaps the first wave of effective
attacks.
In August of that year, engineering company Osirusoft ceased providing DNSBL
mirrors of the SPEWS
and other blocklists, after several days of unceasing attack from virus-infected
hosts.
[8] The very next month, DNSBL operator Monkeys.com succumbed to the attacks
as well.
[9] Other DNSBL operators, such as
Spamhaus, have deployed global mirroring and other anti-DDoS methods to
resist these attacks.
Obfuscating message content
Many spam-filtering techniques work by searching for patterns in the headers
or bodies of messages. For instance, a user may decide that all e-mail she
receives with the word "Viagra"
in the subject line is spam, and instruct her mail program to automatically
delete all such messages. To defeat such filters, the spammer may intentionally
misspell commonly-filtered words, use
Leetspeak
or insert other characters, as in the following examples:
- V1agra
- Via'gra
- V I A G R A
- Vaigra
- \ /iagra
- Vi@graa
The principle of this method is to leave the word readable to humans (whose
pattern-recognition skills make them remarkably adept at picking out the true
meaning of misspelled words), but not recognizable to a literally-minded
computer program. This is effective up to a point. Eventually, filter patterns
become generic enough to recognize the word "Viagra" no matter how misspelled --
or else they target the obfuscation methods themselves, such as insertion of
punctuation into unusual places in a word.
(Note: Using most common variations, it is possible to spell "Viagra" in at
least
1,300,925,111,156,286,160,896 ways.)
HTML-based e-mail gives the spammer more tools to obfuscate text. Inserting
HTML comments between letters can foil some filters, as can including text made
invisible by setting the font color to white on a white background, or shrinking
the font size to the smallest fine print.
Another common ploy involves presenting the text as an image, which is either
sent along or loaded from a remote server. This can be foiled by not permitting
an e-mail-program to load images.
As
Bayesian filtering has become popular as a spam-filtering technique,
spammers have started using methods to weaken it. To a rough approximation,
Bayesian filters rely on word probabilities. If a message contains many words
which are only used in spam, and few which are never used in spam, it is likely
to be spam. To weaken Bayesian filters, some spammers now include lines of
irrelevant, random words alongside the sales pitch. A variant on this tactic may
be borrowed from the Usenet abuser known as "Hipcrime" -- to include passages
from books taken from Project Gutenberg, or nonsense sentences generated with
"dissociated press" algorithms. Randomly generated phrases can create spamoetry
(spam poetry) or spam art.
Another method used to masquerade spam as legitimate messages is the use of
autogenerated sender names in the From: field, ranging from realistic
ones such as "Jackie F. Bird" to (either by mistake or intentionally) bizarre
attention-grabbing names such as "Sloppiest U. Epiglottis" or "Attentively E.
Behavioral". Return addresses are also routinely auto-generated.
Spam-support services
A number of other online activities and business practices are considered by
anti-spam activists to be connected to spamming. These are sometimes termed
spam-support services: business services, other than the actual sending of
spam itself, which permit the spammer to continue operating. Spam-support
services can include processing orders for goods advertised in spam, hosting Web
sites or
DNS records referenced in spam messages, or a number of specific services as
follows:
Some Internet hosting firms advertise bulk-friendly or bulletproof
hosting. This means that, unlike most ISPs, they will not terminate a
customer for spamming.
[10] These hosting firms operate as clients of larger ISPs, and many have
eventually been taken offline by these larger ISPs as a result of complaints
regarding spam activity. Thus, while a firm may advertise bulletproof hosting,
it is ultimately unable to deliver without the connivance of its upstream ISP.
However, some spammers have managed to get what is called a pink contract
(see below) — a contract with the ISP that allows them to spam without being
disconnected.
A few companies produce
spamware,
or software designed for spammers. Spamware varies widely, but may include the
ability to import thousands of addresses, to generate random addresses, to
insert fraudulent headers into messages, to use dozens or hundreds of mail
servers simultaneously, and to make use of open relays. The sale of spamware is
illegal in eight U.S. states.
[11]
[12]
[13]
So-called millions CDs are commonly advertised in spam. These are
CD-ROMs
purportedly containing lists of e-mail addresses, for use in sending spam to
these addresses. Such lists are also sold directly online, frequently with the
false claim that the owners of the listed addresses have requested (or "opted
in") to be included. Such lists often contain invalid addresses.
[14]
A number of DNSBLs,
including the MAPS RBL, Spamhaus SBL, and SPEWS, target the providers of
spam-support services as well as spammers.
Related vocabulary
- Unsolicited commercial e-mail (UCE)
- The most common type of spam, e-mails sent to recipients who did not
request them, promoting a commercial service that makes money for the
spammer.
- Unsolicited bulk e-mail (UBE)
- E-mail viruses (worms) sent by infected computers. Also forwarded hoaxes
(e.g. virus warnings), political advocacy spam, and
chain letters sent by a person to many other people.
- Pink contract
- A service contract offered by an ISP which offers bulk e-mail service to
spamming clients, in violation of that ISP's publically posted acceptable
use policy. Not used by reputable ISPs (if they want to remain reputable).
- Spamvertised
- Adjective that describes a website "advertised" by spammers.
Current Events
On November 4, 2004, Jeremy Jaynes, rated the 8th most prolific spammer in
the world by Spamhaus, was convicted of three felony charges of using servers in
Virginia to
send thousands of fraudulent e-mails. The court recommended a sentence of nine
years' imprisonment, which was imposed in April 2005 although the start of the
sentence is deferred pending appeals. Jaynes was claimed to have an income of
$750,000 a month from his spamming activities.
On December 31, 2004, British authorities arrested Christopher Pierson in
Lincolnshire, UK and charged him with malicious communication and causing a
public nuisance. On January 3, 2005, he pleaded guilty to sending hoax e-mails
to relatives of people missing following the Asian tsunami
disaster.
On July 25, 2005, Russian spammer Vardan Kushnir was
found dead in his Moscow apartment, having suffered numerous blunt-force
blows to the head.
See also
References
External links
- Anti-spam organizations, with Resources for e-mail users and
administrators
- Major media sites, with current news on Spam e-mail
- Government reports and industry white papers
Home | Up | History of spamming | Stopping e-mail abuse | e-Mail spam | e-Mail fraud | Messaging spam | Mobile phone spam | Newsgroup spam | Spit (VoIP spam) | Honeypot | Spamware | Pills porn and poker | Joe job | Spam Prevention Early Warning System
Online Advertising, made by MultiMedia | Free content and software
This guide is licensed under the GNU
Free Documentation License. It uses material from the Wikipedia.
|