Spam, spam, spam: The Cyberspace Wars
Robin Rowland, CBC News Online | November 24, 2003
Updated March 12, 2004
There's a war going on in cyberspace, a war in some ways like the deadlier, shooting wars in the world today.
On one side are the scammers and bandit gangs of cyberspace, often working alone or in small groups in offices that could be found anywhere on the planet, sending out what bureaucrats call UCEM (unsolicited commercial electronic mail) and everyone else calls "spam."
Spam: Messages about get rich quick schemes, sexual enhancement, cheap pharmaceuticals, quick, cheap and easy BA, MA and PhD diplomas, and porn, porn and more porn are flooding the e-mail boxes of people around the world.
From the Pew Survey on the internet and American Life:
- 25 per cent of e-mail users say the ever-increasing volume of spam has reduced their overall use of e-mail; 60 per cent of that group say spam has reduced their e-mail use in a big way.
- 52 per cent of e-mail users say spam has made them less trusting of e-mail in general.
- 70 per cent of e-mail users say spam has made being online unpleasant or annoying.
- 30 per cent of e-mail users are concerned that their filtering devices may block incoming e-mail.
- 23 per cent of e-mail users are concerned that their e-mails to others may be blocked by filtering devices.
- 75 per cent of e-mail users are bothered that they can't stop the flow of spam.
- 80 per cent of e-mail users are bothered by deceptive or dishonest content of spam.
- 76 per cent of e-mail users are bothered by offensive or obscene content of spam.
On the other side are the official warriors, the governments and corporations, the internet service providers that run the increasingly jammed information highway and the businesses that say dealing with the junk is costing millions of dollars in administrative costs.
Governments around the world are trying to stop the flood by legislation; internet service providers try technical spam blockers on one hand and lawsuits on the other; consumers try blockers that work on their home or office computers.
There are also the private armies and activists, who take spam personally and are working to hold back the flood of e-junk.
Many countries around the world have enacted legislation to protect internet customers from spam. The law became official in the U.K. in early December 2003. In the U.S., various laws have been enacted or proposed in individual states, principally to require unsolicited emailers to provide cancellation options to recipients. On December 16, 2003 the U.S. implemented its first federal law encouraging the Federal Trade Commission to create a "do-not-spam" list of e-mail addresses.
The new American laws make it illegal for people or companies to disguise their identities when sending e-mails, or to try to mask spam with misleading subject lines or false return addresses.
The new rules also prohibit compilation of spam mailing lists that are based on addresses harvested from websites. And people who send unsolicited commercial e-mail have to make sure that recipients are given a straightforward way to decline future spam from the same source.
In March 2004, the major U.S. service providers Microsoft, America Online, Yahoo and Earthlink joined forces in filing lawsuits against what the companies said were major spammers in the United States and Canada. In their suits, the companies claimed that spam costs business in North America $10 billion US each year in lost productivity, network upgrades and destroyed or lost data. Mike Callahan, Yahoo's general counsel, told reporters in Washington that spam now "threatens the productive use of e-mail."
In its suit, one of Yahoo's targets was Gold Disk Canada, based in Kitchener, Ont. The company is run by Eric Head and members of his family. So far the Heads have not commented on the allegations, which have not been proven in court. Yahoo says in its statement of claim that Gold Disk sent out spam and tried to cover its tracks by inserting random text into messages so spam blockers wouldn't recognize them as identical. Yahoo also says Gold Disk harvested millions of e-mail addresses and provided them to other companies.
Canada has no new anti-spam laws on the horizon.
As soon as one solution is tried, the spammers work to find a way around that solution and the flood continues.
The First Message
If anyone can be said to have invented spam it was a couple of lawyers from Phoenix, Ariz. On April 14, 1994, Lawrence Cantor and Martha Siegel (from a firm called Cantor and Siegel) sent out a message to all 6,000 newsgroups on the internet offering anyone who replied assistance in getting a U.S. green card. The reaction, at a time when the internet was still largely limited to universities, government agencies, computer companies and "early adopters," was immediate. Cantor and Siegel received a lot of responses from potential customers (the reason spam actually works) until their internet service provider (ISP) kicked them off. They also received angry e-mails from thousands, black faxes (where a sheet of black paper is looped through a fax machine to clog the receiver's machine) and more pizzas than they could ever eat.
That didn't stop them. After being kicked off three other ISPs, Cantor and Siegel found one that didn't care. Cantor and Siegel also published a book How to Make a Fortune on the Information Superhighway, which told everyone else how to do it.
Spam, spam, spam
It was soon after that some member of the internet community connected the growing number of unsolicited messages with the Monty Python skit that repeated "Spam, Spam, Spam," a reference to the luncheon meat from Hormel, an American packing firm.
Why spam works
Spam works because of volume. A spammer sends out millions of messages, and enough people respond so that the spammer and the customer the spammer represents make a profit.
The Wall Street Journal estimated that a response rate of 0.001 per cent is enough to make spamming work. (That means if a spammer sends out two million messages, 2,000 positive replies are enough to make it worthwhile.)
In most cases, the only cost for the spammer is the cost of belonging to a shady ISP that permits the spammer to send out the millions of messages.
Unlike other forms of junk mail, which are paid for by the sender, for both printing and distribution, the receiver pays for the spam through the time they spend on their ISP, whether it is a big corporation with thousands of employees or an individual user at home.
Unsolicited e-mail from perhaps more legitimate sources than spammers also seems to work. An October 2003 survey from the Pew Research Center showed:
- Seven per cent of e-mail users in the United States reported that they had ordered a product or service that was offered in an unsolicited e-mail, although not all of this is pure "spam."
- One-third of e-mail users have clicked on a link in unsolicited e-mail to get more information.
15,000,000,000 and growing
The latest estimates, from the Pew Center and Radicati Group, say that each day 15 billion spam messages cross the wires of the internet.
According to Pew's research most spam messages are diverted and never reach the inboxes of users for a variety of reasons. Two of the biggest U.S.-based ISPs, AOL and MSN, both report they block a daily deluge of 2.4 billion spam messages from reaching the inboxes of their customers. AOL reports that this equals about 67 spam e-mails per inbox per day, or up to 80 per cent of its incoming e-mail traffic.
Another research company, Gartner Inc, estimates that spam will make up 60 per cent of internet traffic by the middle of 2004.
The Pew report says various research firms peg the price per worker at anywhere from $50 US to $1,400 per year. Others estimate the annual cost just to American business to be between $10 billion and $87 billion.
Turning to crime
Spam is not just unsolicited e-mail anymore. Increasingly spammers are turning to criminal activity and criminals are adopting the spammers' methods.
Some schemes and scams include:
Stealth spam: Spammers exploit vulnerabilities in some e-mail programs by sending out a type of computer virus worm called a Trojan. Virus designers once used the Trojan-style worm to take advantage of vulnerabilities in some e-mail programs to reproduce and redistribute the virus.
Now spammers are using viruses like Sobig for similar reasons, harvesting the mailboxes of vulnerable users and then sending out spam to those addresses. The smarter spammers are limiting the number of messages sent from each individual, a way of avoiding blocking software, but if many users are victims of the worm, the numbers still add up to the huge volumes of mail that spammers need to make their profits.
Identity theft: Spammers are using phony addresses and old scams often used by crooked telemarketers to attempt identity theft. Users are asked to input personal information such as credit card numbers or social insurance numbers into what appear to the unwary to be legitimate requests from legitimate companies. These messages often ask a user to "verify" their information or say that someone else is using a user's credit card.
Fraud: The United States Federal Trade Commission estimates that two thirds of all spam messages contain deceptive or false statements. Often those people who reply to spam messages and send money will never receive the product they ordered. Others respond to phony offers of self-employment, such as stuffing envelopes. All these require some money up front and the victim gets nothing or perhaps a few pieces of worthless photocopies and no chance of a job.
So far, the cyberwar against spam has been largely technical.
Spam can be blocked at three stages:
1. Companies such as Brightmail work for ISPs tracking spam and watching for the tactics spammers use to get around blocking. These blockers stop the spam from reaching the ISP itself.
2. ISPs such as Telus and Sympatico in Canada also offer spam blocking to their customers, as do web-based mail services such as Yahoo and Hotmail. These systems allow the user some control over identifying what is and isn't spam.
3. Individual users can use built-in filters on their e-mail software to block e-mail they consider spam.
And how do the spammers get around the blockers? When all three levels of blocking picked out words in the subject line, for example "sex," the spammers then would try to get around it by using unusual characters such as s*E*x*. Now subject lines have even more unusual characters. Spammers are also still using old tactics such as including "hi," "about last night" or "good to see you" as deceptions to get users to click on the message.
Spam blockers can also go overboard. Although a recent news release from Canada's Telus says its control filter "is highly accurate, with only one out of one million messages expected to be falsely identified," some surveys put the amount of legitimate e-mail blocked as high as 15 per cent.
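The cat-and-mouse described above, as an added example that is not part of the original article: a plain keyword filter misses the obfuscated subject line, a filter that normalizes each word catches it, and a more aggressive one starts flagging legitimate mail. The blocklist, function names and sample subject lines are constructed for illustration.

```python
import re

# Constructed blocklist holding the article's example keyword.
BLOCKED_TERMS = {"sex"}

def naive_match(subject):
    """Whole-word match on the raw subject, as an early keyword filter would do."""
    words = re.findall(r"[a-z]+", subject.lower())
    return any(word in BLOCKED_TERMS for word in words)

def normalized_match(subject):
    """Strip punctuation inside each whitespace-delimited token, then match whole tokens."""
    for token in subject.lower().split():
        collapsed = re.sub(r"[^a-z0-9]", "", token)
        if collapsed in BLOCKED_TERMS:
            return True
    return False

def aggressive_match(subject):
    """Collapse the whole subject to letters and substring-match.

    Catches more obfuscation, but also matches inside and across
    ordinary words, which is how legitimate mail gets blocked.
    """
    collapsed = re.sub(r"[^a-z]", "", subject.lower())
    return any(term in collapsed for term in BLOCKED_TERMS)

# Constructed sample subject lines.
SAMPLES = [
    "s*E*x* pictures inside",       # obfuscated spam subject from the article
    "Meeting in Sussex next week",  # legitimate: place name contains the term
    "Notes export finished",        # legitimate: term spans a word boundary
    "Quarterly budget review",      # legitimate: no match expected anywhere
]

def evaluate(subjects=SAMPLES):
    """Return {subject: (naive, normalized, aggressive)} verdicts."""
    return {
        s: (naive_match(s), normalized_match(s), aggressive_match(s))
        for s in subjects
    }

if __name__ == "__main__":
    for subject, verdicts in evaluate().items():
        print(f"{subject!r:35} naive={verdicts[0]} "
              f"normalized={verdicts[1]} aggressive={verdicts[2]}")
```
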
November 26, 2003:
On CBC Newsworld, David Gray interviews media lawyer Michael Geist from the University of Ottawa Law School about how to tackle spam.
On CBC Newsworld, Christopher Thomas interviews Ontario privacy commissioner Ann Cavoukian about how Canada is fighting spam.