Spam

What is it?

So, you’ve received some ad for a get-rich-quick scheme, a soap that makes you lose weight, a perfume that guarantees women will fall at your feet, or that links you to an adult web site, etc. Welcome to the Internet. This unsolicited junk-mail is becoming more and more common.

Unsolicited Commercial Email (UCE) is the proper term for this. Most people call it spam though. Technically, spam refers to cross-posting to a large number of USENET newsgroups. The word spam rolls off the tongue better than the more correct term UCE so we’ll go with the flow and call it spam.

Why is it sent?

The Internet has the potential to reach large numbers of people. It can be done very inexpensively as well. Because of this, marketing paradigms can change. In the past, a popular business motto was, "The customer is always right." With the Internet reaching millions of people, a new way of thinking is, "I don't care if I upset or annoy 99.99% of my potential customers; 0.01% of a few million is plenty of customers for me."

Of course this attitude tells you a lot about the integrity of the company trying to sell you their wares.

Let’s look at an example. I recently received a spam from the TriLink company (their address is a post office box) selling this amazing soap that will dissolve fat, making you lose weight while you are taking a shower. It even had a health warning that it shouldn't be used by thin people because they might dissolve themselves. He was selling the soap in a pack of 3 bars, for $24.00US + $4.95 shipping & handling.

Now most people would say, "Who would be dumb enough to fall for that?" Well try enough people and you'll find someone. Suppose that 99.999% of people are too smart for that. That leaves 0.001% who will fall for it. Assuming that he sends this ad out to 2 million people, that means 20 people paying $30US gives him close to $600; slightly less if he decides to mail out the soap. Not bad when you think that the computer did all the work.

Spam that is a little more believable may result in more money. The guy selling the "World's Best Chili" recipe may get one person out of a thousand to order the recipe at $5.00, resulting in receiving $10,000 worth of orders if he mailed it to 2 million people.

Is spamming expensive?

Not for the person doing the spamming. Most Internet access costs in the order of $20-$25 per month. With the proper software, spam can be pumped out at up to 100,000 messages per hour from a dialup line. The 50 free hours given by AOL allowed plenty of spam to be pumped out before AOL tightened things up. In fact, a special piece of software was written by spammers to automatically sign up and send spam. At that time, AOL did not validate the credit card for at least a day: enough time for a lot of spam to be sent.

The one receiving the spam does most of the paying. It takes up your disk space. It wastes your time. Sure, we're only talking about a fraction of a cent for each user, but the total cost is a lot.

There are/were two other variations of spam in which the user pays. Unsolicited faxes require the user to pay for the paper on which it is printed, as well as preventing your fax machine from receiving important documents at the time. A newer type of spamming is businesses that specialize in leaving a message in your voice mail late at night when they expect nobody to be around.

Technology, which is intended to make it easier for people to get information, is being abused. Would you accept postage-due paper junk-mail?

The University wastes at least several thousand dollars a year on disk space, and on the bandwidth used to send spam. The amount wasted in time of the people cleaning up before/after is probably considerably more.

Spam support: A business on its own

So, we have seen how the spammers are able to make their money. There is also a business springing up to support them. There are companies set up to harvest and sell email addresses. You can buy a CD-ROM with 10 million email addresses for around $50.00. Some companies are more selective and only sell 'good' addresses. Other companies will sell you addresses of people having specific interests.

Along with the companies selling addresses, there are also companies selling software that will pump out email faster, software that will forge your address so that people can't get back to you and software that will relay your software through foreign sites so as to make legal repercussions difficult, if not impossible.

Why is it bad?

Short term, it wastes time and resources. It may be offensive. Even though I know it’s not really sent to me personally, I am insulted when I receive a piece of sex spam that starts off, "We are sending you this because we know you are interested."

Long term however, the effects are much more serious. It lessens the value of email. Just as radio and TV communications measure their quality in terms of signal-to-noise ratio, we can measure the value of email similarly. Spam is considered noise, and useful email is the signal. When the signal-to-noise ratio becomes too low, it isn't worth watching the TV or listening to the radio. Similarly, when you start receiving more spam than anything else, email ceases to be a valuable tool.

Is it legal?

Is it legal to send a piece of email to another person? If you had to get permission before sending, email would be pretty ineffective. There are no laws (except in California) preventing someone from sending spam. California has essentially legalized the sending of spam. "The law says, if you want to spam, you must....."

Imagine a place where spamming is illegal. If you are a spammer living there, all you need to do is connect to a site in a place where spamming is legal and send away.

Not illegal, but....

So it isn't illegal, but all the same, it is disliked by all but the spammer. Most Internet service providers will cancel your account if you use it to send unsolicited email. Many recipients of spam will mail-bomb the sender as well, rendering their Internet account useless.

For these reasons, most spammers find remote machines which will relay their email. They basically send a copy of the email with forged addresses and a list of users to the remote machine. They then disconnect while the remote machine happily chugs away sending out thousands of pieces of mail.

What can be done

We try to block it. There is a never-ending war between spammers and those who try to block it. With each new way of blocking spam, another route is tried.

For example...

When email software started rejecting mail from known sites, the spammers started relaying through innocent third-party sites.

When email software put limits on the number of users mail can be sent to at one time, the spammers used 50 machines, instead of one, to send spam to a thousand users: sending it to 20 users per machine. In addition, lists are sorted so that all mail to a single site is not sent in one batch, but rather in dribs and drabs over a couple of days.

When email software started rejecting mail with invalid return addresses, the spammers started using valid addresses from well-known sites.

When spammers would use a HOTMAIL address for sending spam, their account would be cancelled due to a flooded mailbox. Now, they will use a hundred hotmail addresses, and change the return address with each mailing.

Some sites have email software that will allow a user to receive email only from people on a list. Many spammers will put your address (or someone else's from your site) in the From: line to get by this. In the past, hackers would crack a student's account at a university for "fun and sport". Now, a cracked account can be used to send out a million pieces of junk-mail, potentially bringing the cracker money.

How do they get my address?

I have an address which I have not used for 7 years. Somehow, this address collects spam. It is most likely on a CD-ROM of addresses. I have cancelled the account, then, several months later re-activated it. It received spam within a few hours. This fact tells me that once your address has made it to a CD-ROM, the account is 'useless'. Imagine that there was an account rogert@uOttawa.ca, owned by Roger Tremblay. This account is on a list, and is constantly getting spam. Roger leaves the University, and the account is cancelled. Several years later, someone named Roger Trudeau gets a job at the university, and has the account, rogert@uottawa.ca. As soon as this account is created, it starts receiving spam. Frustrating?

USENET news is a great starting place for address harvesters. A posting to a USENET news group tells them two things. First of all, it gives them your email address, and by looking at the subject of the group that you post to, they get information about your interests. This address may be worth more.

In the past, when people were trusting, many listservs were more open. Anyone could get a list of people subscribed to the listserv. Now it is slightly more difficult. If you want to get a list of email addresses, simply subscribe yourself. Then as a list member, you are able to get a list and then unsubscribe. Popular listservs may have thousands of members.

Did you ever get a piece of spam telling you to reply with UNSUBSCRIBE in the subject if you want to be removed from the list? Replying tells them two things. That the email address is valid, and that you have read it. Your address has now become more valuable.

There are sites offering free services on the Web. They require you to sign up for the service. One example is ICQ, a chatting service. If you have registered with ICQ, look at the fine print in the agreement you signed. Remember, nothing is free. If someone is offering you something for free, ask yourself "What’s in it for them?" An exception to this rule may be universities & researchers. They tend to be more sharing. The Internet was built due to the cooperation and sharing between universities.

Many places have employee directories online. The idea is to make it easy for remote users to get in touch with you. The spammers love this. We have been hit with at least two spammings which were a bit different than normal. Our online directory was read and used to produce a list for spamming directly to us. In one case, Michael Chessman used public access terminals in Libraries at Ryerson, U of Toronto, and the Toronto Public Library, to send us his political spam. Another case was that a site in Australia scanned all of our Web pages for email addresses, and sent an adult-web-page ad to hundreds of users.

In the past, we had two types of information: private and public. We now have a third type: Internet. This new type is easily accessible to millions of people, and can be harvested by machine. Consider this example: our printed University directory was never considered private. We give them away. Anyone wanting one just has to write to us requesting one. There is a big difference between this and the ability of millions of people to get lists of everyone's email address. Think hard about whether you want your email address to be accessible via the Web. It is a double-edged sword.

There are robots which cruise the web, picking out email addresses from all Web pages. I created an account. The account never was used for anything. I put the email address on a Web page (a useless Web page at that) and within 6 weeks, that account received spam.

Have you ever heard of the old trick of subscribing to different magazines using variations in the spelling of your name? That way when you received junk mail, you would know which magazine sold your address. I have been doing similar things with email addresses and spam. This is how I found out about the methods used to harvest email addresses.

In the near future, spamming will only get worse. Major changes will have to occur on the Internet before it gets better.

What can you do?

Be careful with your email address. Don't give it away without asking yourself about the person requesting it. Once your address is on someone's list, it’s there for good.

Back to top