SPAMisconceptions - 5 Misconceptions About Spam
A Short List of SPAM Myths by Alan Fullmer
There are many types of SPAM (bulk, annoyance, illegal, etc.).
You have everything from body part enhancement to window replacement, penny stock promotions, and virus and Trojan related messages.
It can be tricky to figure out which messages are real, what's fake and which simply want to steal your identity.
My first rule of thumb is: question everything. If you didn't ask for it, don't click on it.
Unfortunately, even that isn't enough. I've received spams that appeared to be from friends, even my wife, but it was nothing more than a link to a phishing website.
I have compiled a few myths that a lot of people think to be true but are in reality false. These are more targeted at the marketers that fail to acknowledge them, intentionally or otherwise.
Myth #1: Spam isn't that bad, just hitting the delete key isn't that hard.
Spam goes beyond the mere annoyance of having to press the delete key. Behind the scenes, an incredible amount of non-stop filtering happens. Just because you don't see the spam doesn't mean it's not there. I always say to people: "I wish I could let all spam through just for a couple minutes to show you how much you really would get." Now there are some that get more than others: the jim@, john@, mary@ etc., the commonly known names that dictionary attacks are good at guessing. Then there are the people that sign up for everything. The emails they actually asked for are not what we are as concerned about; it's the ones that come in because the address has been sold multiple times.
I've done tests. I do a lot of tracking when I have to sign up for things, even with companies that promise my email address will not be sold or given to anyone. Certainly we all have concluded that is a lie. In one instance, I gave an email address alan1234@zoobah.com (where the 1234 is the ID I assigned to that company or institution requesting it and misspelled zoobuh.com as zoobah.com) to a car dealership to send me notices when it's time for service. The terms of this negotiation had language indicating it would not be shared with anyone. Yes, I look at the fine print, it's just what I do. 5 years later, I am still getting an incredible amount of spam coming in on that address, this after their promise of it not being shared with anyone, and I have never used it with any other place. I have since disabled the email address, but they still send spam through it.
I've also done the test where you click on any unsubscribe link in a spam message. When it takes you to the unsubscribe page, simply put in a made up address. Similar to my previous test, I will do jibberish5678@zoobuh.com. Of course without checking their records it will say, "Your email will be removed in 24 hours." And of course, we will see spam coming in on that made up address through the unsubscribe link.
One last test, and in my opinion a very effective way to combat spam, is a spam trap (honeypot). These are carefully placed, secret, fake email addresses scattered around the web. Web scrapers love these. They scour the internet for users' email addresses from forums, blogs, etc. and then add them to their spam lists. (Of course they will say you signed up for it. ;) )
The main reason spam traps are useful and effective is that nobody uses them. They are fake. So if we receive mail on these addresses, we simply block every subsequent request from that server. We know it is spam. Our tests show that it usually takes about a week for these addresses to be harvested and placed onto spam lists ready to be sold. More information on this can be found here: https://en.wikipedia.org/wiki/Spamtrap
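The blocking rule described above, as an added example that is not part of the original article: once a server delivers to a trap address, that delivery and every later one from the same server is refused. The log format, the trap addresses and the IP addresses are constructed for illustration.

```python
import re

# Constructed trap addresses: published only where scrapers look, never used by a person.
TRAPS = {"art-trap@example.test", "zz-harvest@example.test"}

# Constructed log format (an assumption): "<timestamp> ip=<addr> rcpt=<address>"
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) rcpt=(?P<rcpt>\S+)$")

SAMPLE_LOG = """\
2014-06-30T09:00:01 ip=198.51.100.20 rcpt=mary@example.test
2014-06-30T09:00:05 ip=203.0.113.7 rcpt=john@example.test
2014-06-30T09:00:09 ip=203.0.113.7 rcpt=ART-TRAP@example.test
2014-06-30T09:00:12 ip=203.0.113.7 rcpt=mary@example.test
2014-06-30T09:01:40 ip=198.51.100.20 rcpt=john@example.test
this line is malformed and is skipped
2014-06-30T09:02:00 ip=203.0.113.7 rcpt=jim@example.test
"""

def filter_deliveries(lines, traps=TRAPS):
    """Walk delivery attempts in arrival order; return (verdicts, blocked)."""
    blocked = {}   # server IP -> timestamp of the trap hit that listed it
    verdicts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip, rcpt = m["ts"], m["ip"], m["rcpt"].lower()
        if ip in blocked:
            verdict = "reject-listed"      # every later request from that server
        elif rcpt in traps:
            blocked[ip] = ts
            verdict = "reject-trap"        # nobody legitimate writes to a trap
        else:
            verdict = "accept"
        verdicts.append((ip, rcpt, verdict))
    return verdicts, blocked

if __name__ == "__main__":
    results, listed = filter_deliveries(SAMPLE_LOG.splitlines())
    for ip, rcpt, verdict in results:
        print(f"{verdict:14} {ip:15} {rcpt}")
    print("listed servers:", listed)
```

Mail accepted from the server before its first trap hit stays accepted; only the trap hit itself gives certainty.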
Myth #2: Spam isn't any different than companies mailing you car ads, coupons, house refinancing, etc. through the US Mail.
Companies spend a lot of money printing, paying for postage and buying lists of addresses to send these to. The burden of cost is on the sender of the ads.
With email spam, you can get a billion email addresses for under $50. It's practically free to send spam. Sure, you might pay for your internet connection at home or work, but you're paying that anyway and it's a very small cost. Furthermore, Wi-Fi hotspots, libraries, schools and wide-open networks can be tapped into at no cost.
So the burden of cost is now on the receiver (we the ISP) instead of the sender.
Just one domain out of the many available to our customer base received 30+ million spams since the beginning of the year (end of June 2014). In one year's time this particular domain could see over 5 million spams per month, 167k per day, 7000 per hour. This also assumes the volume stays static, which it never does. It always grows. Combine all the other domains and addresses we host and that number climbs insanely high.
Myth #3: You signed up for it.
Perhaps there are some that do, but the majority of people do not.
My favorite line: "You are receiving this because you asked to receive offers from _______."
No, I did not. Whatever the "from" equates to, I never asked anything of the sort. I don't want my mortgage refinanced, I don't want or need an affair, I don't want any particular body part enhanced and I don't want any cheap Canadian meds.
Spammers use this line frivolously. I am unsure if they think it makes it all legitimate, or they assume you'll say to yourself, "Well golly gee, maybe I did sign up for it."
Myth #4: Dictionary attacks aren't bad because it doesn't go to real users.
This is very wrong. Just because we receive messages for users that don't exist doesn't mean we don't still process them. The system has to verify whether the user even exists. This means it has to look the user up in some type of database and compare against any RBL filters and honeypots, at the very least. Compound that with a decision to discard the message or bounce it. I particularly like the fact that if I flub the address, I get a response back from the server telling me that there is no person there, rather than wondering if the recipient ever got my message. That said, an extremely high percentage of spams come from addresses that are not real. So a bounced message (backscatter) will generally ping pong between servers, or sit in the queue for days until it expires, or even worse, if the domain is something like @yahoo.com, the bounces end up being received by Yahoo and they decide to blacklist your IP. This puts a lot of work on additional employee(s) to create rules and configuration to prevent backscatter. http://en.wikipedia.org/wiki/Backscatter_(email)
Myth #5: It's just part of a company's budget. It's not a big deal.
In the past, IT budgets never included money for spam filtering. Surprisingly, even today, most budgets still don't include it. It never shows up as a line item or issue. I think that's because it's just assumed you get to deal with it and that it is part of the email system. But usually the people making those decisions don't get to see how much spam they are really getting. Out of sight, out of mind. But they do seem concerned at times about the constant upgrading and purchasing of heavier duty servers and equipment just for email. Hard disk use, power consumption due to processing, and bandwidth can be very costly.
If you were to track the time you spend sorting through the few spams that made it through the filtering system for a year, I think you would be surprised at the time spent.
Processing spam used to be simple. Install an off-the-shelf anti-spam product and you're set. Today, it's become a science. Marketers are trying harder than ever to bypass filters. One cannot simply rely on any one technology. You can't simply look for words and phrases. Marketers try everything, such as obfuscating text by replacing English letters with Greek or German ones, because the result is still readable. Adding Bayesian checks helps, but even still marketers try to poison the database with random words, texts or phrases. Personally, I've yet to see this method be very successful, though I'm sure it works to some degree. This is easy to spot. Most of the time the random words are hidden in HTML text or CSS code. Other times you'll see excerpts from random poems or news articles at the bottom of the message.
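Two of the tells described above, as an added example that is not from the original article: words that mix alphabets, and filler text hidden with inline CSS. The sample message, the list of hiding styles and all function names are assumptions made for this sketch.

```python
import re
import unicodedata
from html.parser import HTMLParser

HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}   # tags with no closing tag

def scripts(word):
    """Alphabets used by the letters of a word, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in word if ch.isalpha()}

def mixed_script_words(text):
    """Words mixing alphabets (Latin with Greek look-alikes). German umlauts stay LATIN."""
    return [w for w in re.findall(r"\w+", text) if len(scripts(w)) > 1]

class HiddenText(HTMLParser):
    """Collects text inside elements whose inline style makes them invisible."""
    def __init__(self):
        super().__init__()
        self.stack, self.found = [], []   # stack: one hidden-flag per open element

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1]
        self.stack.append(inherited or bool(HIDING.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.stack and self.stack[-1] and data.strip():
            self.found.append(data.strip())

def hidden_text(html):
    parser = HiddenText()
    parser.feed(html)
    parser.close()
    return parser.found

# Constructed sample: Greek omicron (U+03BF) and alpha (U+03B1) in Latin words, plus hidden filler.
SAMPLE = ('<html><body><p>Refinance your m\u03bfrtg\u03b1ge t\u03bfday<br>Act now</p>'
          '<div style="display:none"><span>the owl and the pussycat</span></div>'
          '<span style="font-size:0px">lantern river seventeen</span></body></html>')

if __name__ == "__main__":
    print(mixed_script_words(SAMPLE), hidden_text(SAMPLE))
```

Either result being non-empty is a scoring signal to feed into the filter alongside the Bayesian check, not a verdict on its own.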
The CAN-SPAM Act of 2003 is pretty black and white when it comes to this stuff. A lot of the wording is based around false and misleading information.
If you have to wonder how legitimate the company is that's trying to sell you something, you don't need to go further than looking into how hard they try to hide their marketing identity. Allow me to elaborate:
There are two main domains associated with the emails: the domain that the sender's email comes from, and the domain of the link(s) in the body of the message. There are many whois lookup services that can get you this information for free.
- When you look at the record of the domain holder, is it private? Does it have any wording like "Domain Protected" or "Privacy Protected"?
- Are any of the domains .us, .info, .biz, or .pl? (Not limited to only these extensions)
These are disposable domains. They are cheap. Usually they are only a few dollars compared to .com and others that are closer to $12 for a year.
Spammers will register them for one year, fully knowing that they won't be renewed and will quickly be blacklisted. But by that time, they've already sent the billions of spam. It's an easy investment.
- Are there patterns in the domain name? For example, someword-joe23.us
- Do the domain names reflect anything from the content/advertiser?
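The checklist above applied to the sender domain and the link domains of one message, as an added example that is not from the original article. The whois text is constructed and pasted inline so the sketch runs offline; the name-pattern regex, the flag names and every domain other than someword-joe23.us are assumptions.

```python
import re

CHEAP_TLDS = {"us", "info", "biz", "pl"}           # the extensions the article lists
PRIVACY_WORDING = re.compile(r"domain protected|privacy protected", re.I)
THROWAWAY = re.compile(r"^[a-z]+-[a-z]+\d+$")      # shape of "someword-joe23" (assumed pattern)

def registered_label(domain):
    """Label left of the TLD; a simplification that ignores suffixes like co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def domain_flags(domain, whois_text, advertiser_words):
    """Apply the four checklist questions to one domain and return the flags raised."""
    label = registered_label(domain)
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    flags = []
    if PRIVACY_WORDING.search(whois_text):
        flags.append("private-registration")
    if tld in CHEAP_TLDS:
        flags.append("disposable-tld")
    if THROWAWAY.match(label):
        flags.append("patterned-name")
    words = [w.lower() for w in advertiser_words if len(w) >= 4]
    if not any(w in label for w in words):
        flags.append("unrelated-to-advertiser")
    return flags

def review_message(sender_domain, link_domains, whois, advertiser_words):
    """Check the sender's domain and every link domain, the two kinds named above."""
    return {d: domain_flags(d, whois.get(d, ""), advertiser_words)
            for d in [sender_domain, *link_domains]}

# Constructed whois excerpts (in practice these come from a whois lookup service).
WHOIS = {
    "someword-joe23.us": "Registrant Name: Domain Protected\nRegistrant Org: Privacy Protected",
    "promo-link88.biz": "Registrant Name: Privacy Protected",
    "acmewindows.example": "Registrant Organization: Acme Windows (constructed)",
}
ADVERTISER = ["Acme", "Windows", "Replacement"]    # words taken from the ad's content

if __name__ == "__main__":
    report = review_message("someword-joe23.us", ["promo-link88.biz"], WHOIS, ADVERTISER)
    for dom, flags in report.items():
        print(dom, flags)
```

No single flag is conclusive, since plenty of legitimate registrants use privacy services or cheap extensions; the point is how many of them stack up on one message.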
Somewhere the message must indicate it's an advertisement. It should be a simple sentence that reads "This is an advertisement, unsubscribe here", but instead you'll see every attempt to disguise it by using words like advert, admsg, etc., even going as far as to use every variation of a word found in a thesaurus. The fact is, they aren't being upfront and honest. Lately there have been a lot of images that carry this wording to try to bypass context filters. The main problem with this is that these images are generally remotely hosted. This has two main benefits for the spammer: first, the wording doesn't get picked up by the filter, and second, they can track and verify you've viewed that image.
Since most email programs now require a step to view remote images, you'll probably never see it. Also, if the remote image is removed or broken, the unsubscribe language will never be seen.
Another common thing a spammer does is use a PO Box or a UPS store box to hide their real identity.
I personally would never want to do business with anyone that can't be upfront and honest with their ads and/or marketing. You would never allow this in a newspaper ad, why would email be any different? The fact that they are trying to deceive should be the only red flag you need to know to stay away.
Dan Hates Spam (http://danhatesspam.com/whyspamsucks.html) sums it up perfectly:
The Internet offers tremendous potential for marketers to deliver precisely targeted and customized information and offers to consumers who truly want to receive them, but all too often, spammers abuse the potential of the technology and instead take advantage of zero-variable-cost nature of email to blast their unsolicited advertisements at every email address they possibly can. Let me repeat this point: there is no financial incentive for a spammer to do any kind of list management that a traditional (offline) marketer would use. That's why men get spammed for breast enlargement pills and women get spammed for penis enlargement pills; why people with regular plumbing get spammed for septic tank solutions; why children get spammed with prostitution ads, etc.
I hope you find something useful in this article. I am not a writer or really care to be one so forgive my mistakes. I just want to lay out some facts for you. If you do find this article useful, feel free to share it. Also, if you have any comments, leave them below.
-Alan Fullmer
PS. I am going to do a test and report back with the results in a month or so. I am going to create a fake address. Let's call it art0717@zoobuh.com and see how many unsolicited emails we receive on this address in a month's time due to spam scraper utilities... but please readers, don't add it manually to any lists, that would defeat the purpose of the test ;)