Monday, October 02, 2006


On spam: the interview

Recently, a college student interviewed me about spam, for a class project. I hope he aced the class, and I'm glad for whatever small help I could be. Anyway, I want to post his questions and my answers here. So I will. Of course, note that, as with everything else in this blog, these are my views. Others might disagree. And so:

To your knowledge, when did spam originate?
It partly depends upon what you want to call "spam". I have references to junk email from 1975 — one is a Datamation cartoon, and the other is RFC 706. In the early days, spam was off-topic mail posted to Usenet news groups, especially stuff that was cross-posted to many groups. It usually was unwanted promotion of related computer hardware or software, or messages related to job searches or recruiting. At the time, it could usually be dealt with by blacklisting the sender and/or other forms of peer pressure.

When companies like AOL, CompuServe, and Prodigy became popular in the '80s, some of what we now think of as "spam" came around, but not at the level that it was a serious problem — a minor annoyance, but nothing serious. But once the World Wide Web opened things up and many more people started getting email addresses, people figured out that they could "advertise" cheaply that way, and it got out of control. That started in maybe 1992, got worse through the mid-'90s, and hasn't peaked yet.

I use 1975 as the starting date when I make presentations about it. It gets an interesting reaction from the audience.

Is it possible to have a spam-free inbox?
Yes.
  • Do not post your email address anywhere that's publicly accessible.
  • This means that you can't use it to post to any online discussions or social networking sites.
  • Do not give your email address to anyone who will post it somewhere.
  • Do not use your email address for any online transactions.
  • You can relax the previous item a little if you're very selective, but one slip will expose you.
  • Make sure your email provider will not expose your address.
  • Make your email address relatively long, and avoid common names and dictionary words. "john" is bad. "bluedog" is better, but still iffy. "bluedog29" is probably OK. "blu3dog29john271828" is probably rock solid.

Even if you're careful with all that, the third item may expose you anyway. I tell my friends not to send me e-postcards, and not to use the "send to a friend" links on any online news services, YouTube, or the like — I tell them to copy the URL and paste it into email that they send me. But they don't always listen, and all it takes is for them to put my email address into a web site that doesn't respect it....

I don't worry about it. I get at least 500 spam messages per day, and I just accept that and rely on good filters.

How do spammers benefit from doing what they do?
Uh, they make money. The numbers are unclear — you can find varying figures, and the spammers don't talk very openly — but they're significant. They sell mailing lists, they contract out their spamming services, they rent out their zombie networks, they sell and swap compromised routers and relays, they sell their software, and so on. I think they make less than Tom Cruise, but the good ones make more than you or I do.

And the scams and chain letters are, of course, the same stuff that was done before email, only now it's easy to do it on a much larger scale. Phishing, too, is related to face-to-face, telephone, and paper-mail mechanisms to obtain personal information.

One thing to note, though, about spam — phishing in particular, but also other kinds of spam (especially the shadier kind, like those touting porn and bogus stock tips) — is that much of it also tries to turn your computer into a zombie, either with an attachment that they hope you'll "open" or with a web site they want to get you to visit, which can then infect you if you haven't installed the latest security patches. So in addition to making money directly, they also increase their capacity to send spam and to rent out their services.

Does spam have the same effect on everyone world-wide?
Hm. Different people get more or less spam, so "everyone" is a funny term. But the problem is worldwide, and certainly people in Europe and Asia and Australia and South America all get spam in much the same way as we do in North America. I'm not sure about Africa.

We see spam in all languages: Spanish, French, German, Russian, Hebrew, Chinese, Japanese, Korean.... (In fact, I personally get spam in all those languages, so it's not well targeted, but that's no surprise.)

Do you see a day when spam no longer exists in inboxes (business or personal)?
No.

There are four basic ways to reduce spam (and lots of variations within them, but let's look at it in the broadest way):

  1. Block it at the delivery end.
  2. Block it at the sending end.
  3. Prosecute the spammers.
  4. Increase the cost of sending it.

We're mostly doing number 1, and there are lots of different approaches to that — block lists, content filters, sender verification, challenge/response systems, and so on. There's some stuff being done for number 2, such as port-25 blocking (and some other stuff too), but most of this is handled post-hoc, by terminating their service after it's determined that they sent spam. So that stops another round, but just means that they use an account for one blast, and then walk away from it and use another for the next. Number 3 has been working a bit, using fraud statutes and now CAN-SPAM, and also getting them for things like trademark infringement. But it's clear that none of those will make spam "no longer exist."

Unless we can turn the financial equation around, so that it's not profitable, we'll never get rid of it. You get junk mail on paper too, and that costs lots more to send. It's just a question of return on investment, right? What does the cost have to be to make them stop? Or at least to make them target their spam so they get a better return.

There's also the factor that no one wants "regular" email to cost anything, so any mechanism for increasing the cost has to still let you send me mail for free — otherwise people won't accept it. What allows spammers to work is this aspect plus the one where people want to be able to receive mail from someone they've never been in touch with before (like you contacting me). If we were willing to have all email cost money or we were willing to close down our mailboxes and be very restrictive, we'd have cleaner inboxes. But we'd also have much less useful inboxes.

I think we'll continue to do better, and so will the spammers, and we'll manage to keep things at a level that we can live with. Where, for instance, for me "can live with" means that I get something on the order of 500 spam messages a day, but I only ever see about 5. (But note that this 99% block rate can't stay at a fixed percentage — when I get 5000 spam messages a day, I won't like seeing 50 of them.)

What's the best program one can use to limit the flow of spam in their inbox?
I'm not going to suggest specific software.

I'll say that I don't like challenge/response systems. I won't use one, and I won't respond to challenges from recipients who do (so they'll never get my mail). C/R systems are nothing but recipient-generated spam, and can be as irritating to many recipients as Viagra ads are.

How does spam affect businesses?
There's lots of literature on this one. Unchecked spam fills mailboxes and makes email difficult for employees to use to do their jobs, so businesses must spend money on spam-blocking systems, and that (plus any support costs) can be significant. Blocking spam brings the risk of false positives, so businesses have to deal with occasional loss of real mail from customers and associates. That costs lost business and loss of good will. There's the cost of the employees' dealing with the spam they do get, and the costs associated with coping with and disinfecting computers that get turned into zombies. There's the work environment being polluted with inappropriate and offensive messages, and the risk of lawsuits because of that. There's the cost of infrastructure needed to handle the message rates for junk coming into large companies that do their own email. There are probably damages and costs that I've missed.

Just how harmful can spam really be?
Well, apart from the costs above, consider the money people lose to scams and in buying bogus products. In the worst case, it could cause illness or death if it convinces someone to buy fake medicine. And it erodes people's trust in email and its usefulness, and in e-commerce in general, which is also a big issue. Pew has studies that show that many people do less business online because of this trust erosion, and that hurts business in general.

What is your advice to people who have problems with spam?
  1. Use an email service with good spam blocking.
  2. Get a new email address and follow my suggestions above.
  3. Use a separate address for buying things from the one you use for talking with people.
  4. Use free throw-away addresses for things where you have to "sign up". If they start getting too much spam, abandon them.
  5. Don't ever let your address appear on a web page. If it has to be posted somewhere, studies show that it helps to obfuscate it (hide it behind JavaScript, do something like "bluedog29 at aol dot com", that sort of thing).

The main thing here is to get a new email address and start fresh... and then protect that address from the start.
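As an added example (not part of the original interview), the following script audits page markup for addresses that a plain pattern match over the source would pick up, and compares the obfuscation forms mentioned in item 5. It goes slightly beyond the post by also checking HTML-entity encoding; the `example.com` addresses, the sample pages and all function names are constructed for illustration.

```javascript
// Added example: which ways of writing an address on a page are still
// visible to a simple pattern match over the raw markup?

const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Decode numeric HTML entities (&#64; and &#x40; style) so that
// entity-encoded addresses are audited too.
function decodeEntities(text) {
  return text
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)));
}

// Return the unique addresses that are readable directly from the markup.
function findExposedAddresses(html) {
  const found = decodeEntities(html).match(ADDRESS_RE) || [];
  return [...new Set(found.map((a) => a.toLowerCase()))];
}

// Render the "name at domain dot tld" form the post suggests.
function spellOut(address) {
  const [local, domain] = address.split("@");
  return `${local} at ${domain.split(".").join(" dot ")}`;
}

// Constructed sample pages, one per way of publishing the same address.
const samplePages = {
  plain: "<p>Write to bluedog29@example.com</p>",
  mailto: '<a href="mailto:bluedog29@example.com">mail me</a>',
  entities: "<p>bluedog29&#64;example&#x2e;com</p>",
  spelled: `<p>${spellOut("bluedog29@example.com")}</p>`,
  script: '<script>var u="bluedog29",d="example"+"."+"com";' +
          "document.write(u+String.fromCharCode(64)+d);</script>",
};

// Map each sample name to the addresses exposed in its source.
function auditSamples() {
  const report = {};
  for (const [name, html] of Object.entries(samplePages)) {
    report[name] = findExposedAddresses(html);
  }
  return report;
}

console.log(auditSamples());
```

The plain, `mailto:` and entity-encoded pages each expose the address, while the spelled-out and script-assembled pages expose nothing to this kind of match.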

How prevalent is spam on the mobile phone?
I don't know. I've heard some anecdotes, but not enough to have anything useful to say about it. I've not gotten any myself.

How easy is it to get rid of spam on the phone, or is it possible at all?
For "regular" phone service it seems in hand with costs and laws. Voice over IP makes this lots more difficult, by distributing the problem, making things harder to track down, adding more jurisdictional issues, and making it easier to automate the junk calls. I've heard talk about VoIP spam and techniques for it, but, again, not enough to have anything more useful to say about it.

Can just anyone be a spammer?
It would seem so. Can just anyone be a car thief, a bank robber, or a street thug? I guess some are better than others, but the barrier to entry seems small. As with other crime, most people are dissuaded by morals. Some aren't.
