Spam, Spam, Spam, Email, and Spam


I'm happy to see that the outsourcing cause is taking root nationwide. Our own editor in chief, Tom Stockwell, has written a number of particularly effective articles, and politicos and personalities across the country, from Senator Chris Dodd to television commentator Lou Dobbs, are taking up the argument. I'll give you a couple of updates on that issue in a later article.
Today, however, I want to embark on a new agenda: ridding our mailboxes of spam. If you are reading this article, you probably have email, and if you have email, you have spam, and most people with spam have some sort of spam filters in place. So, chances are good that you have a spam filter. However, spam filters may be the wrong way to address the issue; they may be treating the symptom rather than the disease.

Let's explore the dark side of spam: a place nobody talks about. In this macabre world of multimillionaires and offshore accounts, deals are made that stifle simple innovations that could clean up the spam mess almost overnight. Hackers and spammers conspire to create technological chimeras that threaten to swamp the Internet, while Congress passes bills that make it easier and easier for them to do so. And the reason, as in so many things we see today in the IT industry, is simple greed.

A Brief History of Spam

In the earliest days of the Internet, there were really two kinds of spam: personal spam and mailing list spam. Personal spam was those cute little jokes you got from your friends, and the worst offenders were the email addicts (you know these people) who insist on forwarding every email they get--from jokes to chain letters to MPEG movies--to every email address in their contact list. It really never got to be anything more troublesome than a bit of a productivity waster. Had spam remained at this level, we probably wouldn't even be discussing it. In fact, the very first spam caused all kinds of interesting backlash, and I think it would have been pretty much self-limiting.

Spamming Mailing Lists

But then came the commercial spammers. The first vehicle for spam was the Usenet mailing lists. Spamming these was something like putting up posters in public places or maybe sticking fliers under windshield wipers. Since there weren't many email address lists available, it was up to the spammers to do all the dirty work. And once again, there was still a certain agreed-upon civility in the Internet. It even had a name: "netiquette." Read the furor surrounding the first Usenet spammers, Laurence Canter and Martha Siegel (who, ironically, were lawyers).

But this has a pretty simple workaround: You simply shut off the posting capabilities of the spammers. Since mailing lists are centrally controlled, it's easy to identify the source of spam and shut it down. (This is a little different than the mailing list trolling, which I'll talk about in a second.)

The Rise of the Bulk Email

Both of the previous items were examples of what we today call "opt-in" email. Technically, you opted in by either sending an email to somebody (thus supplying them with one more email address for their chain letters) or by joining a mailing list and specifically asking them to send you email. The fact that the email you received is not what you intended is secondary, and in either case, there were ways to avoid it, even if it meant telling someone nicely to stop sending you pictures of their adorable little kitty.

In any case, there was no real money to be made. Even though there was no direct cost, the indirect cost of labor and the fact that you could be shut down in an instant made such practices too expensive for all but the most limited uses.

And then came the email address list and the concept of bulk email. In the first days, bulk emailers were really like direct advertisers. They got lists of people from various places, like online marketplaces and Web magazines. There was even the occasional scandal when a company was found to be selling email addresses that it shouldn't have been. Privacy rules were enacted, and had it remained at that level, we'd probably still not have the problem we're having today.

Remember, genuine email address lists are not cheap. Because of the cost, you need a relatively high success rate to get a return on your investment, so without a tightly focused mailing list, you can't justify the cost. And a focused mailing list requires information about the user, which means they have to opt in, so you can't cheat. Thus, bulk email really never was the cash cow many thought it might be. The cost structure just didn't support it.

Trolling for Dollars

But as the Internet grew, and as it became clear that the number of subscribers would continue to rise at a nearly exponential rate, certain enterprising souls started doing the basic math: If I send out 500,000 emails, and I only get a 0.01% success rate, then I end up with 50 paying customers. If the email burst costs $100, and I make $10 profit per sale for my product, then my profit is $400. That may not seem like much, but if I sell more products or I raise the number of emails or the price of the product or the buy rate, then I can quickly grow that number.

And as a bulk emailer, if I charge you a certain percentage off the top for providing the bulk email service, I in effect can make money for virtually nothing. As long as there are ways to effectively send unsolicited email to millions of people, there is room for people like Alan Ralsky, who lives in an 8,000 square foot house purchased with the proceeds of spam.

This spawned the concepts of email address trolling and bulk email bursts. Address trolling involves subscribing to mailing lists and then scanning the posts for email addresses. That's why you often see people posting their email address in an obfuscated form. Another method is to use a Web spider, software that follows hyperlinks on Web pages to find other related Web pages and then grabs information from them, including email addresses. This is a good way to target businesses.

What's different about these approaches? Well, there are two differences. First, the users do not opt in. This is completely unsolicited mailing that is currently impossible to stop (I'll have more on that shortly). Second, the market is almost limitless. There are hundreds of millions of email addressees out there, and the number is growing. By making it virtually free to access these people, the current Internet email system almost assures that we will only see more spam. Think of it this way: I'm sure you get large amounts of junk mail today, even though it costs the senders a pretty penny (paper is not cheap, and postage keeps going up). Think of how much more junk mail would be sent if it only cost a hundredth of a penny per letter. We'd be picking up our daily mail with forklifts.

But even so, that's not the dark side of the equation.

Can Spam Be Stopped?

Today, a number of methods can be used to stop spam. However, as you'll see, they all focus on the problem after the fact--that is, they try to determine whether email that has been sent to you is indeed spam. There are a couple of widely used techniques for doing this, and I'll introduce each one and explain its weaknesses.

Filters

Filters attempt to analyze the content of an email to determine whether it is spam. The problem with this approach is that spammers have the time to analyze the filters and devise ways around them, and thus it's a continual cat-and-mouse game. For example, some of the first filters searched for a specific subject line. The spammers quickly recovered and simply added a random phrase to the subject line, which is why you see messages like "VIAGRA CHEAP clrk41". The "clrk41" is designed to confound subject line checkers. The next iteration was the keyword search. For example, a heading with the word "Viagra" in it is pretty likely to be a spam message. This is why you see things like "/|@gr@ CHEEP". The current top-of-the-line filter is the Bayesian filter, which is supposed to heuristically analyze the text of the message, apply weightings to various phrases, and then come up with a score that determines whether a message is spam or not. Spammers have already devised an answer to that, which is to include lots of words chosen from a list of "safe" values; this lowers the overall score of the spam in order to allow it to pass the Bayesian filter. You've probably seen emails that have seemingly random words at the bottom:

"yarrow discipline hausdorff sullen idea eject absolution morphism thaw bloomfield drastic mescal leadsman chameleon fillip butane botulin depression hypocritic"

This email is designed specifically to pass Bayesian filters.
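To make the dilution effect measurable, here is an added example (not code from the article) of a small naive Bayes scorer run over constructed corpora. The corpora, the smoothing choice and the retraining step are assumptions: the retraining step goes beyond the article and shows the filter's side of the cat-and-mouse game, where a reported padded message erodes the "safe" status of its padding words.

```python
import math
from collections import Counter

# Constructed corpora (not from the article). PAD reuses words from the quoted
# word salad; in this constructed mailbox they are common in legitimate mail.
SPAM = ["cheap pills buy now", "buy cheap pills online", "cheap offer buy now"]
HAM = ["hausdorff morphism idea seminar", "morphism hausdorff discipline notes",
       "butane delivery thaw idea", "thaw delayed butane discipline"]
PAD = "discipline hausdorff idea morphism thaw butane"

def train(spam_msgs, ham_msgs):
    """Return {token: P(spam | token)} from document counts, add-one smoothed."""
    s = Counter(t for m in spam_msgs for t in set(m.split()))
    h = Counter(t for m in ham_msgs for t in set(m.split()))
    probs = {}
    for tok in set(s) | set(h):
        p_spam = (s[tok] + 1) / (len(spam_msgs) + 2)
        p_ham = (h[tok] + 1) / (len(ham_msgs) + 2)
        probs[tok] = p_spam / (p_spam + p_ham)
    return probs

def score(msg, probs):
    """Combine per-token probabilities (naive Bayes, equal priors) in log space."""
    ps = [probs[t] for t in set(msg.split()) if t in probs]
    log_odds = sum(math.log(p) - math.log(1 - p) for p in ps)
    return 1 / (1 + math.exp(-log_odds))

def demo():
    """Score a message plain, padded, and padded after the filter retrains."""
    probs = train(SPAM, HAM)
    plain = "buy cheap pills"
    padded = plain + " " + PAD
    before = score(plain, probs)
    diluted = score(padded, probs)
    # The padded message is reported as spam and joins the spam corpus, so the
    # padding words stop counting as purely legitimate vocabulary.
    retrained = score(padded, train(SPAM + [padded], HAM))
    return before, diluted, retrained

if __name__ == "__main__":
    for label, value in zip(("plain", "padded", "padded, retrained"), demo()):
        print(f"{label}: {value:.3f}")
```

Every padding token casts a vote, so six mildly legitimate words outweigh three strongly spammy ones until the filter has seen the padded form.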

Blacklists

Because of the rather simple text-based nature of email, it's easy to spoof the sender--spammers can put whatever name they want in the "from" address. However, TCP/IP communications are not nearly so easy to spoof, so it's almost impossible to disguise the originating IP address of an email. In the days of simple bulk email, what happened was that the bulk emailers found a willing ISP who would transmit their huge amounts of email (for a fee), or else they searched the 'net and found unprotected computers that were attached to the 'net and then co-opted them into service. What is an "unprotected" computer? Given the generally anarchic nature of the original Internet programmers, the default setting for many mail servers allows them to be used to forward mail from anyone to anyone; servers configured this way are called "open relays" and have been the target of a concerted and largely successful effort to remove them from the 'net.

While it was difficult to stop the spammers from sending the spam, it was relatively easy to identify offending computers and/or ISPs. Some enterprising groups such as Spamhaus.org then collected these offending IP addresses or ranges of IP addresses and made them available as "blacklists." So now you can configure your email software to check the IP address of an incoming email message against the blacklist, and if the IP address is found, you can quarantine the message (or simply delete it).

This quickly became a very effective tool against spammers, although it is occasionally a little controversial. Sometimes companies get onto the blacklist inadvertently (through contracting an email bomb virus or through installing a new server and forgetting to reconfigure it to no longer act as an open relay). And once they are on the blacklist, until they are able to "clear their name" with the blacklist provider, nobody who uses that service will get mail from them.
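The check described above, as an added example that is not code from the article: take the peer address from the topmost Received header (written by the receiving server, unlike the From line) and test it against listed hosts and ranges. The blacklist entries, the message and the zone name `dnsbl.example` are constructed placeholders; the reversed-octet query name is the usual convention for DNS-served blacklists and is not described in the article.

```python
import email
import ipaddress
import re

# Constructed blacklist (documentation-range addresses, not real listings):
# single hosts and ranges, as the article describes.
BLACKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.44/32", "198.51.100.0/24")]
DNSBL_ZONE = "dnsbl.example"  # placeholder zone name (assumption)

# Constructed message. The From line is whatever the sender typed; the topmost
# Received line was added by our own server and records the connecting peer.
MESSAGE = """\
Received: from mail.bank.example (unknown [198.51.100.23])
\tby mx.ourcompany.example with SMTP; Mon, 01 Mar 2004 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1]) by mail.bank.example
From: "Your Bank" <security@bank.example>
Subject: Account notice

body
"""

def connecting_ip(raw):
    """IPv4 address in brackets on the topmost Received header, or None."""
    received = email.message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:  # e.g. an octet above 255
        return None

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNS name used to look the address up: reversed octets plus the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def verdict(raw):
    """Return (action, ip); the spoofable From header is never consulted."""
    ip = connecting_ip(raw)
    if ip is None:
        return "accept", None
    listed = any(ip in net for net in BLACKLIST)
    return ("quarantine" if listed else "accept"), ip

if __name__ == "__main__":
    action, ip = verdict(MESSAGE)
    print(action, ip, dnsbl_query_name(ip))
```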

And wherever human beings are involved, there are politics; the politics of spam is no different from any other. One side shouts "invasion of privacy" while the other answers "freedom of speech." However, unless you are directly involved in making money from spam, you recognize it as the nuisance it is. Not to mention that some of the spam is actually fraudulent in nature, such as the Nigerian scams, and people have lost pensions, college funds, and even their lives in some of the more pernicious swindles circulating the 'net.

The Ugly Mutation--Worms, Viruses, Proxies, and DDoS

So a few spammers dump spam in my in-box. So what? I get a nice filter, subscribe to a service like Spamhaus, and my troubles are all solved, right? Unfortunately, it's not that simple. Since spam is a multi-billion dollar business, it's not going to go quietly. In fact, the spammers may be starting to fight back. Read on...

Worms and Viruses

The Internet worm is a dangerous and powerful thing. The first worm was created nearly 20 years ago, back in 1988, and this simple 99-line program brought the fledgling Internet to its knees. A quick bit of information: There is a distinct difference between a virus and a worm. A virus is a program that needs some manual operator action to be activated, while a worm is a program that takes over a machine and uses that machine to spread itself to other machines entirely without human intervention. However, the newer Internet intruders blur the line, since they contain characteristics of both types of attacks, as well as other, newer variants. These newer, more virulent invaders may try to spread like a worm to other machines on your network, while at the same time emailing virus-laden messages to unsuspecting people, attempting through social engineering to get them to open the disastrous payload attached.

Email Proxies

The most prevalent of the new strains is the email proxy. Once a bug of this type infects your machine, it turns into an "email zombie," scouring your machine for email addresses and sending spoofed mail with virus payloads. "Spoofed" messages are messages that are disguised to look as if they come from you. The recipient gets the message, sees that it is from you, opens the attachment, and the virus is now spread to another machine. Or the virus may be hidden in an official-looking email designed to look like it came from Microsoft or from some other legitimate source. Given the clever and ruthless nature of these virus writers, the most basic advice nowadays is to never open an unsolicited attachment from anyone.

Distributed Denial of Service (DDoS)

While there is a certain annoyance level with the email proxy type of virus, and it threatens to help clog the Internet, there is an even murkier side to the story. Please note that we're now starting to delve into the world of black helicopters and conspiracy theories; I'm simply reporting the news as I see it, and I leave it to you to draw your own conclusions.

One of the more recent virus variants has been the Distributed Denial of Service (DDoS) attack. The idea is simple: infect as many machines as possible, and then, at some set time, deluge specific Web sites with garbage packets. The sites spend so much time dealing with these packets that they cannot service legitimate requests; for all intents and purposes, you have denied their ability to service valid users. A few DDoS attacks made the news, notably the attack on SCO, which has been trying to assert intellectual property rights on Linux. I mentioned the anarchic tendencies of Internet developers; the Linux subculture is even more libertarian in their views, and they took the SCO suit as an affront. And some of us who read about the attack might even have said to ourselves, "Ha! That's what those greedy buggers deserve!"

However, there's a more insidious story that doesn't get much airplay. Many of the DDoS attacks are being directed toward the spam blacklist sites. In fact, one of the major blacklists, Osirusoft, actually shut down its business because of DDoS attacks. It also seems as though the newest viruses are taking advantage of spam techniques to get themselves out into the world. So now we have viruses using spam techniques to launch DDoS attacks against anti-spam blacklists. Is it getting scary yet?

Is There Any Hope?

The question is whether spam can be stopped, and the answer is a qualified yes, but it will take a major revolution in how we view the Internet and email. In Europe, you must "opt in" in order to receive spam. Unless you specifically ask for mail from someone, you cannot legally receive it. This, together with authenticated email sourcing, would virtually eliminate spam. So we should begin with an opt-in bill, such as the one passed in California.

Detractors Say that U.S. Laws Won't Stop Spam

Some spam advocates insist that so much spam originates from countries other than the United States that U.S. laws will have little effect. The problem with this argument is that currently over 90% of all spam originates in the United States. And so while tough U.S. laws might ultimately lead to a massive outsourcing of spam to other countries, this is one industry I don't mind seeing offshored.

Unfortunately, the United States government is passing laws that actually move us in the wrong direction. For example, Congress recently passed the CAN-SPAM act, which is being almost universally panned as actually being a pro-spam bill because it effectively shuts down the much tougher laws being enacted by individual states. A couple of Spamhaus.org articles on the US policy can be found here and here. An excerpt follows:

"With all of Europe set to implement Opt-in legislation by October, Europe has taken the lead in banning spam. But the United States is going in the opposite direction, legislating Opt-out instead of Opt-in and looks set to explode the spam problem many times worse than it is today, incredibly by actually legalizing spam instead of banning it. US Congress is just months away from giving Unsolicited Bulk e-mail the green light and unleashing the spamming power of 23 Million American businesses onto an Internet which already can not cope with the billions of unsolicited bulk mailings sent by just 200 businesses. As spammers applaud the introduction of pro-spam Bills, we look at why spammers now cheer so loudly for Congressman Billy Tauzin."

It's All About the Money

You can be certain that it's all about the money. There is simply no good reason not to start enacting strong anti-spam laws, except that such laws will shut down a lucrative advertising vehicle. But just as we have regulations on things like billboards, so too should there be regulations on spam, and it's up to us to make sure our elected officials listen to us. We're making headway on outsourcing; now, let's turn up the heat on spam.

Joe Pluta is the founder and chief architect of Pluta Brothers Design, Inc. He has been working in the field since the late 1970s and has made a career of extending the IBM midrange, starting back in the days of the IBM System/3. Joe has used WebSphere extensively, especially as the base for PSC/400, the only product that can move your legacy systems to the Web using simple green-screen commands. Joe is also the author of E-Deployment: The Fastest Path to the Web and Eclipse: Step by Step.
