In my previous article, I introduced you to the differences between viruses, worms, and trojan horses. In this article, I'll explain today's most common computing pest - spam - and how its dangers go beyond just wasting your time.
Almost everyone who has an email account gets spam and suffers from it. Spam is so bad that IDC recently reported that 38% of all email sent so far in 2004 is spam. Spam is unsolicited bulk email. Unsolicited means you didn't ask for it. You didn't sign up for a mailing list, you didn't opt in to receive product announcements. Notice that this definition doesn't require spam to be of a commercial nature. While most spam is commercial in nature (advertising goods or service of mostly questionable legitimacy) spam could be political, it could appear to be personal, or essentially any message someone wants to get out to thousands or millions of users. Generally speaking, the "bulk" part of the spam definition means that the same or similar message is sent to many people although if you send an email solicitation to one recipient that doesn't have some clear business connection to receive, that could be considered spam.
How does spam work? Because of the way internet email works, most email sent can't be verified to be from who the "sender" in the email claims to be. So, spammers fake their sender address then hijack email servers (taking advantage of flaws or poorly configured servers - a later article will cover these kinds of attacks) to send out thousands or millions of emails that can't be traced to them. Most spam isn't looking for a response by email, the content usually directs you to a web site, so a faked return or sender address doesn't render the spam ineffective.
Spam content is tricky too. Originally, a lot of spam advertised products or services that legitimate business really wanted to sell. But, that sort of advertising was quickly frowned upon by internet users, so most spam today is actually some kind of fraud. If you respond to a spam in attempt to buy something, chances are all the web site you order from is actually doing is collecting your credit card and other personal data to attempt to place other unauthorized charges on your account or commit some other kind of identity or credit fraud to your information. Plus, once you respond, you'll mark yourself as a target for more spam. The bottom line is: spam is more than annoying and time wasting, it can be a personal or financial hazard.
Protecting yourself from receiving spam is hard. If you have a business email account with an email address you distribute widely (especially if you list your email address on a web site), you will receive spam. If you post messages in USENET newsgroups, web based forums, or any other online forum and include your email address, you will receive spam. Spammers have sophisticated web search engines that scour the internet for email addresses to add to their spam databases. Spammers also hack into internet service provider databases to steal lists of email accounts. Or with services like Hotmail, spammers guess at email account names from public member lists.
So, most email accounts are prone to receiving spam, the issue for you is how you deal with it and block or divert it. Most businesses running email servers on Microsoft Exchange or Lotus Notes and Domino use thirty-party server software to block spam at the server. Most email users also have limited spam blocking capabilities built into their email clients, plus there are many inexpensive add-on products to block spam for all the common email programs. And most major web based email services include spam blocking options.
Spam blocking uses several ways to determine if a message is probably spam. It looks for an email with a sender address that isn't legitimate and it looks for keywords (sexual terms, financial promises, and so on). It compares words in the email with the common frequency of words in normal communication. It looks for other clues like messages with very little original content and a lot of forwarded or replied content. Every time the spam blockers get more sophisticated (like blocking keywords), so do the spammers (like substituting misspelled words or non-alphabet characters to try to fool keyword rules), then the rules get more sophisticated (like using common word frequencies to eliminate message messages with a lot of words like s*x or phrases like "nat:ural p:ll" that don't occur frequently in real text or common misspellings). It's a never ending cycle and spammers have the edge most of the time. Any blocking system that can be written can be circumvented.
But, these rules are imperfect and in many cases still let a lot of spam into your mailbox. Spam blockers also unfortunately mistakenly block a lot of legitimate email. So, many email users with spam blockers in place end up looking in their spam or junk folder for legitimate email, negating most of the spam blocker benefit. If your email account is a business account, you have to be wary of the potential cost of one lost real business email (missing a new customer or not responding to a message from a current customer) versus the time cost of manually deleting spam. If you use an ISP for your email though, you may never even see all of your email. If you elect to be on a mailing list ("opt-in") one opt-in mailer reports that almost 20% of legitimate opt-in email is erroneously blocked as spam by ISPs.
The other big problem with spam blockers is that they all work at either the email server or your desktop email client. Either way, the spam is still arriving and wasting bandwidth to get to your email server or desktop.
There are more novel ways of dealing with spam. One method responds to any new email you receive with a "challenge" for the sender, requiring them to enter a word or phrase. The "answer" is often hidden in a graphic file in a way that human eyes can see it, but an automated computer system couldn't pick out the text from the surrounding dots. So, the complete system works like this:
- You send an email
- The recipient's spam blocking challenge automatically sends a challenge to the sender, without the recipient being involved.
- The sender gets the challenge and responds with the answer.
- The recipient's challenge system receives the correct challenge response and OKs the sender and the original message, which the recipient then receives.
- The sender is added to the recipient's safe sender list so future messages won't be challenged.
This system works because the time it would take a spammer to manually respond to challenges would eliminate the value in spamming. Spamming requires sending 10,000s of messages an hour to be effective. The downside of this system is that it puts more burden on the sender and requires more effort to get a message through. And, it still allows a spam to arrive at the destination even though the recipient wouldn't see it.
More sophisticated spam blocking techniques are being designed that are designed to prevent bulk forged email address mails from being sent. But to eliminate the main spam techniques (forged sender addresses and the low cost of sending spam) will require a basic reworking of internet email standards and that could take years to reach industry consensus and longer to reach universal adoption.
Jim Minatel is a freelance writer for Developer.com in addition to working with Wiley and WROX publishing.