Spam, Spam, Costs, Spam, Risks, Spam, Solutions and Spam

Steve Champeon
2003-04-1
Reprinted from The Triangle Technical Journal

Spam, also known as unsolicited bulk (and/or commercial) email, is not only annoying, but costly - and the problem is getting worse. Beware, however: the tools we use to fight it often introduce new risks and costs. Recognizing the nature of the problem and its risks is necessary in order to minimize these risks and fight back effectively.

One of our clients got her first email address in 1997. Posted on her company's Web site, it quickly landed on the lists of "millions" of known addresses spammers use. A newbie, she replied to the first few spams that she received, asking to be removed from their listings. But instead of ending the solicitations, she had just confirmed to the spammers that her address was "live".

By last year, the address was getting nothing but spam, and she asked us to shut it down. Instead, we used the old address as a spamtrap - a mailbox that never gets any legitimate email. We have hundreds of these spamtraps, all either inactive or fictional accounts. We keep all the spam these addresses get, for statistics, tracking and blocking future spam from the same sources.

During one recent two-week period, the spamtrap archive received 4077 messages. Over 42 percent of those were addressed to our client's account. That's over a hundred messages a day, to just one victim.

But it could be worse - America Online (AOL) recently announced that they block at least 780 million spam messages every day. And the number is growing. If you use AOL, think about this the next time you can't get to a Web site - who do you think is using that bandwidth?

Imagine getting a hundred spam messages a day, each taking five or ten seconds to view and delete, or longer if you report the spam to appropriate authorities. Many of us deal with such a load already. Now imagine getting a thousand a day, just ten times more spam. That's two hours, or more, in an eight-hour day, spent dealing with unwanted email. Now multiply it across your company. That's what we have to look forward to, if we don't get better at fighting back.

So why are our inboxes and disk drives cluttered with offers for pornography, home loans, work-at-home scams, and so forth?

Nearly ten years ago, a husband and wife pair realized that they could reach millions of people cheaply, by simultaneously sending thousands of copies of their marketing message to Usenet newsgroups.

Sadly, that's all many wanna-be Internet millionaires remember. They forget that the introduction of spam to the Internet resulted in a variety of system issues and downtime, and near-universal hatred of the senders. Never mind that few, if any, users of the Internet at that time needed their service. The senders didn't get rich, either.

The ones getting rich off spam are those who get paid by suckers to send it, in ever-increasing quantities.

The future of email as a medium is threatened. But recognizing the value of email to our ability to efficiently communicate and conduct business, we can, and must, fight back.

Nowadays, many consumers request occasional email from vendors. This solicited email is a great way for companies to reach their customers. For various reasons, not all respectable, the legitimate mail is often lumped in with the illicit, and disposed of as just another annoyance, in many cases without ever reaching the intended, requesting recipient. We are all at risk due to those who abuse email.

Those who say "just hit delete" miss the point. By the time spam gets to your inbox, it has already wasted resources and others' time, and not reporting the spam just encourages the spammers to send more, to step up their efforts to reach you.

What can be done? Besides necessary efforts to secure "open relays", proxies, and other sources of spam, there are several common tactics.

Volunteer-run "blackhole" services let sysadmins check mail servers against known spam sources. The admins may then refuse, or treat as suspect, mail from those servers.

The problem with refusing mail based on its source is that a few bad eggs (say, abusers of a freemail service) can ruin it for everyone. And if you block a given domain, the legitimate users of that service can't get mail through to you. And this just escalates tech support costs and exposes customers to risks of lost mail or business.

"Tagging" suspected spam with headers or modified subject lines, rather than rejecting the message, is a popular option. Such mail may then be filtered by the end user, for later inspection. The advantage is that legitimate mail is not lost due to overzealous blacklists, but it merely transfers the burden of identifying spam onto the end user.

Specific networks, domains, and addresses may be blocked. Messages can be blocked based on keywords or patterns in the headers or body.
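The blackhole-list check, the tag-rather-than-reject option and the network and keyword blocking described above can be combined into one policy; the sketch below is an added example, not code from the article. The zone `dnsbl.example`, the blocked network, the patterns, the header names and the sample messages are all constructed for illustration, and the DNS lookup is replaced by an injected function so the code runs offline.

```python
import ipaddress
import re
from email import message_from_string

# Constructed policy data for illustration (not from the article).
BLOCKED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
SUSPECT_PATTERNS = [re.compile(p, re.I)
                    for p in (r"work\s+at\s+home", r"home\s+loans?")]

def dnsbl_query_name(ip, zone="dnsbl.example"):
    """DNS name a blackhole-list check looks up: reversed IPv4 octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(raw, source_ip, listed=lambda name: False):
    """Return (verdict, message); verdict is 'reject', 'tag' or 'deliver'.

    `listed` stands in for the DNS lookup so the example runs offline.
    """
    msg = message_from_string(raw)
    if any(ipaddress.ip_address(source_ip) in net for net in BLOCKED_NETWORKS):
        return "reject", msg              # locally blocked network: refuse
    reasons = []
    if listed(dnsbl_query_name(source_ip)):
        reasons.append("dnsbl")           # listed source: suspect, not lost
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    if any(p.search(subject) or p.search(body) for p in SUSPECT_PATTERNS):
        reasons.append("pattern")
    if not reasons:
        return "deliver", msg
    # Tag instead of rejecting: the end user filters on these headers later.
    msg["X-Spam-Flag"] = "YES"
    msg["X-Spam-Reasons"] = ",".join(reasons)
    del msg["Subject"]
    msg["Subject"] = "[SPAM?] " + subject
    return "tag", msg

# Constructed sample messages.
SPAM = "From: a@example.org\nSubject: Great home loans\n\nApply now.\n"
LEGIT = "From: b@example.org\nSubject: Meeting notes\n\nAgenda attached.\n"

if __name__ == "__main__":
    for raw, ip in ((SPAM, "198.51.100.7"), (LEGIT, "198.51.100.7"),
                    (LEGIT, "192.0.2.55")):
        verdict, msg = classify(raw, ip)
        print(ip, verdict, msg["Subject"])
```

The third case shows the cost described above: a legitimate message is refused only because of the network it came from, while a listed but unblocked source would merely be tagged.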

SpamAssassin, Cloudmark's SpamNet, and built-in antispam capabilities of newer mail clients and services are also popular. These let the end user identify spam, or use advanced techniques such as Bayesian analysis to "teach" the filter how to recognize spam, or use complex pattern matching, in order to identify common phrases used only by spammers. Once a message has been identified, these modern systems allow users of the same service to identify other, similar messages.

Anyone looking to protect themselves against spam should investigate, or work with others to explore, the available methods and mechanisms, and set an explicit spam policy, based on their needs and on the economics of risk and lost time.

We can win this fight, and we must, for if we do not, email will continue to drown in noise and vulgarity, instead of remaining the important and powerful communications medium that it is.