Security
Spam
Statistics
Internet Service Providers (ISPs) take bribes from spammers
Spammers must have access to send email if they are to conduct "business".
A single spammer can, potentially, send 84 million spam messages per day.
(Though an extreme case, it has been accomplished.)
ISPs all over the online world have publicly vowed to stop spammers.
So why does spam continue to increase dramatically?
Because some ISPs take bribe money from spammers, $10,000 to $100,000 per month,
in the form of "pink contracts". Pink contracts are agreements between a spammer
and an ISP that permit the spammer to use the ISP's system to send out a flood of spam.
To accomplished spammers,
who net $200k - $400k per month, this is a small cost of doing business.
Why isn't the government doing something about it?
The "Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)" Act,
which took effect in the United States in January of 2004, doesn't make spam illegal.
It places certain restrictions on what bulk mail senders can do, but provided they comply,
they can still send spam. And CAN-SPAM does not apply to email sent from outside the US,
even though other jurisdictions around the world have some measures in place. Statistics
from email security vendors indicate that the volume of spam intercepted on behalf of their
customers has not dropped significantly since the CAN-SPAM act came into force.
[Chart: Percentage of total email recognized as spam before and after the CAN-SPAM act. Source: Postini, Inc.]
Read about the Can Spam Act of 2003
on the Wikipedia website.
"How did the spammers get my address?"
Unfortunately, sending spam is very profitable. Consequently, spammers are some of the most devious and persistent
schemers out there, and spend their days coming up with new ways to get email addresses.
- They buy them:
A single CD with 90 million+ e-mail addresses goes for about $20 on the black market.
At this price, most of the addresses are "low-grade" (invalid), but many are "live".
Subscribe to a new magazine, send in a warranty card, order something from a catalog,
or enter a contest, and your information ends up in the company's database.
These companies are in business to make money, and many will sell your information
to anybody who will buy it. And if it includes your email address, spammers will buy it.
- They trick you:
They set up websites designed to "grab" your e-mail address if you happen to surf to their webpage.
You'll receive no warning when this happens.
- They lie:
They put links in their messages giving you the option to unsubscribe,
promising to remove you from their mailing list if you "simply click here".
Instead, they hope you'll expose yourself by confirming that your email address is valid.
Now that they've verified the address is live, they'll target you for more spam.
- They sell you out:
Verified addresses are worth a lot to spammers, so they sell their confirmed addresses to each other.
- They leverage technology:
Using "harvesters", computer programs which automatically scan for, and gather, e-mail addresses from websites,
online forums, newsgroups, chat rooms, and other web postings. Even details from ICQ and other instant messaging
programs are not safe. A single harvester can gather e-mail addresses from over 30,000 online sources simultaneously.
- They steal bandwidth:
Using "dictionary attacks", computer programs which "guess at" addresses by taking registered domain names
from listings on the Internet, and "e-pending" common names and other "alphabet soup".
Because email is virtually free to send, spammers broadcast messages to millions of guessed-at email addresses
in hopes of finding a few valid new ones. And the recipients' email systems even help the spammers fine tune
their list by sending back notifications for the invalid addresses.
- They use viruses:
Some spam is generated by viruses, as they attempt to propagate themselves across the Internet.
Some viruses are designed to turn the systems they infect into "zombies," controlled by the virus
authors and "hijacked" to distribute more spam.
For more information see
"Email Harvesting Techniques"
from
Network Security Library, or the
original FAQ
(Frequently Asked Questions) (in text format).
"Why Am I Getting All This Spam?"
from the
Center for Democracy & Technology
Guidelines for Reducing Spam
It's much easier to prevent spam, by never giving out your personal email address,
than it is to cure the problem once you're on hundreds of junk email lists.
Do not open spam email
Spammers use techniques that track when a message is viewed.
Once your address is "verified", they'll target it for more spam,
and sell it to other spammers, who pay for valid addresses.
If you do not know the sender and the subject line has odd characters,
delete the email without reading it.
Turn off your email client's "preview" mode
Some spam messages sent in HTML format (looks like a web page) contain hidden codes.
If such a message is opened via the preview function of your email client software,
the hidden codes can alert the spammer that they've reached a working email address.
So set your email client so that it does not preview messages.
Do not respond to spam email
When a spam email gives you the option to unsubscribe ("opt-out") if you don't want further messages,
Don't Do It! Oh sure, they say they’ll take your name off the list, but they’re lying.
What they really want to do is confirm that they’ve got a legitimate address.
If you respond, they’ll flood you with even more spam, AND sell your address to every other spammer on the planet!
Your response will also contribute to their "response rate", which will help them market their spam services to clients.
(Note that this does not necessarily apply to the "unsubscribe" option in advertisements from reputable companies.)
Do not enable auto-responders
Auto-responders are out-of-office messages. Be aware that if your auto-responder is active when you receive spam,
the auto-responder will confirm the existence of your email address to the spammer.
Use an e-mail address that contains both numbers and letters
Using an address that is easily predictable means that if spammers get hold of your domain name,
they will soon be able to guess your email address.
Many spammers use "dictionary attacks" to e-mail many possible name combinations, hoping to find a valid address.
The combination of letters and numbers (j123smith@) makes it more difficult for the spammers
to guess your email address than if it were letters only (jsmith@).
Use a fake address
If you don't need the online form you are filling out to send you anything,
then don't give them your real address. But make sure that the domain you use
doesn't actually belong to anyone, otherwise you'll just be sending spam to an innocent third-party.
Try using none@privacy.org instead.
It is a real e-mail account created by the folks at privacy.org that goes straight to the trash.
"Munge" (purposely distort) your email address
If you chat online, use a screen name that is not associated with your e-mail address.
Spammers can harvest 35,000 e-mail addresses per hour from chat rooms, online forums, and newsgroups.
If you want people on forums or chat rooms to be able to e-mail you, but don't want to have your e-mail
address harvested, try "munging" (purposely distorting) your e-mail address.
Instead of "yourname@yourdomain.com", use "yourname at yourdomain dot com".
It fools the harvesting software and still lets people figure out what your real e-mail address is.
Refer to "Address Munging FAQ"
for more information.
Use multiple email accounts
When you must provide a valid email address, do not use your primary email address.
Use a secondary mail account devoted to online transactions
in order to prevent your primary e-mail address from being harvested by spammers.
Set up one email address for private use (business, friends, and relatives).
Set up a second, "disposable", address for public use (merchants and online).
When you begin to receive unwanted e-mail at this "throw-away" address,
you can delete that account and establish another,
without affecting your primary address.
Your Internet Service Provider may offer additional addresses for little or no fee,
or you can obtain one free from
mail.com,
Hotmail,
or a multitude of others.
Another solution is to set up an email address which forwards to your primary address.
Free disposable forwarding e-mail accounts, with spam blocking, are available from
Despammed,
Spam Motel,
Bigfoot.com
and Spam Gourmet.
More information about disposable email addresses
is available from SpamEx.
Do not post your email address on web pages
Spammers use "spiders" (software) that "crawl" (search) web pages throughout the Internet looking for the pattern
"someone@someplace.com" and "harvest" (collect) the matches into an address database.
(For more information on email harvesting, refer to BestPrac.Org's
SpamBot article.)
If you must display "mailto:" links within your web pages,
encoding them may prevent spam harvesters from recognizing the email address:
As well as obfuscating your email address in the "mailto:" tag, do not display your actual email address on the web page.
Instead, use your name, or "contact me", or another identifier. When the viewer clicks the identifier, the associated hyperlink will populate
the email with the correct "mailto:" address.
To compensate, spammers have created smarter robots that can interpret encoded email addresses.
So consider using an image of your email address, which is only readable by humans.
Another alternative is to have web site administrators use a program like
Wpoison
to redirect the spammers' email harvesting engines down a dead end, away from the website and your email addresses.
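An added example (not part of the original page), in Python, of the "mailto:" encoding described above, with a check a site owner can run on their own markup. It also shows why encoding only stops the simplest harvesters: decoding the HTML entities brings the address straight back. The function names and the sample page are assumptions made for this illustration.

```python
import html
import re

# The "someone@someplace.com" shape a simple harvester scans for.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text):
    """Encode every character as a decimal HTML entity ('@' becomes '&#64;')."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def mailto_link(address, label):
    """Entity-encode the mailto: target and show a label, never the address."""
    href = entity_encode("mailto:" + address)
    return f'<a href="{href}">{html.escape(label)}</a>'


def audit(page_html):
    """Report which addresses a pattern match finds in the raw markup, and
    which appear only after HTML entities are decoded."""
    raw = set(ADDRESS.findall(page_html))
    decoded = set(ADDRESS.findall(html.unescape(page_html)))
    return {"plain": sorted(raw), "entity_only": sorted(decoded - raw)}


# Constructed sample page: one address in the clear, one entity-encoded.
SAMPLE_PAGE = (
    '<p><a href="mailto:sales@example.com">sales@example.com</a></p>\n'
    "<p>" + mailto_link("support@example.com", "contact support") + "</p>\n"
)

if __name__ == "__main__":
    print(mailto_link("support@example.com", "contact support"))
    print(audit(SAMPLE_PAGE))
```

Addresses listed under "plain" are exposed to any pattern-matching spider; those under "entity_only" are hidden only from robots that do not decode entities.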
Do not give your primary e-mail address to anyone that you do not trust
Read the privacy policy and "terms of use" statements of any website or organization before giving them your e-mail address.
Opt-Out
When filling out anything online, always look for the check box that indicates you want to be on their mailing list.
Many times these "opt-in" check boxes are pre-checked. Look for any check box that's already checked, and uncheck it.
Leaving it checked gives them permission to sell, loan or trade your info, including your email address.
Use a spam filter
Change your address
If you start getting inundated with SPAM and it doesn't look like it's going to go away,
you can close the e-mail account and get a new address. First, be sure to alert your friends, family,
and coworkers that you are changing your address. Then follow these tips to keep your new address free from spam.
Report any spam that you receive
Do not purchase products or services from spam ads
If no one buys the things advertised in spam,
companies will quit paying spammers to advertise their products.
And since you were such a good "mark", you will be targeted for even more offers (spam).
Also, many companies that use spam for advertising have shown questionable ethics,
so you are risking theft of the financial information you provide for your purchase.
Terminology
E-mail:
A contraction of Electronic Mail.
Spam:
Electronic junk mail, also referred to by professionals as "Unsolicited Commercial E-mail" (UCE)
and "Unsolicited Bulk E-mail" (UBE). Spam got its name from the Monty Python skit in which every item
on the menu came with SPAM (the canned meat) whether you
wanted it or not. In this performance, the word spam was mentioned so loudly and so many times that all attempts
at normal conversation were drowned-out, which is what spam will do if it is not stopped.
More information about spamming from
the Wikipedia website.
Email Domain:
The "@domain.com" part of an email address
Spoofing:
The practice of forging the mail header (information section) of an e-mail to make it appear
that it came from somewhere else. This lets spammers get past your ISP by using an address that appears legitimate,
so the ISP allows it through. Often the forged return address doesn't exist ("dummy return addresses"), so replies to spam messages
bounce back.
“Joe-Jobs”:
Spammers forge email headers to conceal their identity and location, leaving some hapless admin
at the real email domain to get a bunch of nasty complaints about the spam it looks like he sent.
A “Joe-job” is when a spammer does this maliciously, in order to damage another company’s reputation,
and possibly trick their provider into revoking their Internet access.
Joe-jobs are named after Joes.com, which was victimized in this way by a spammer some years ago.
"Murkogram" or "Murk":
A disclaimer at the end of a spam email assuring that the spam complies with Bill S.1618,
which claims to make the spam legal.
The term comes from Frank Murkowski (R-AK), the senator who wrote S.1618.
Sen. Murkowski thought the ideal solution to the plague of unsolicited advertising email
was to make it a legal, regulated activity instead of empowering the victims to stop it.
This would have made certain types of spam illegal, unless the message
included full contact info at the start and made no attempt at hiding its origin.
Spammers use "Murks" to give their messages an air of legitimacy,
or soften negative responses, by including references to Bill S.1618:
"This message is sent in compliance of the U.S. Bill regulating email communications,
per Section 301, Paragraph (a)(2)(C) of S. 1618 ... "
Bill S.1618 did not pass and is not a law in the U.S. If this disclaimer is actually
found in an email, it is obviously spam, and the spammer is trying to avoid complaints.
Munging or Mangling:
Purposely distorting an email address so that it cannot be automatically
harvested by spammers. For example, using "yourname at yourdomain dot com" instead of
"yourname@yourdomain.com", fools the harvesting software and still lets people figure
out what the real e-mail address is.
Open (Mail) Relays:
Insecure email servers whose configuration allows anyone to send messages anywhere.
Open Relays will route mail for any third party to any other third party, no questions asked.
Spammers often search for and exploit open relays to distribute their messages for free, and to cover their tracks.
Open Proxy (Server):
Proxies are used in a local area network (LAN) for control over Internet access.
Properly configured, they route data from a LAN to the Internet. However if they are misconfigured,
they may be able to route data from the Internet into a LAN, or perhaps to another part of the Internet.
Using an open proxy, spammers can find internal mail servers and use them to route mail,
or they can anonymously abuse email servers elsewhere on the Internet.
Proxy servers can be installed without the administrator’s knowledge. In January 2003, the
virus Sobig.a was released. This virus downloads a Trojan executable that, as part of its
payload, installs a specially modified proxy server that is hidden, runs on non-standard
ports, and does not generate a log. It is not known whether this virus was developed by a
spammer for practical reasons or simply by a hacker for malicious reasons.
Blacklist:
A list of email addresses of known spam-sources. Used by anti-spam software to prevent email
from these addresses from entering your inbox.
False Negatives:
Spam which is not caught by anti-spam software, and slips through.
False Positives:
Legitimate, non-spam, email which is incorrectly filtered out by anti-spam software.
Settings which stop 100% of spam conversely cause important messages to be lost (false positives),
so erring on the side of false negatives is strongly preferred.
Whitelist:
A list of "trusted" email addresses. By configuring anti-spam software to always allow email from these "trusted"
sources to pass through unfiltered, false positives are minimized.
Filter Busters:
Spammers also add "filter busters" (strings of nonsense characters) to the subjects and
bodies of their messages or send HTML graphics, in the hope of confusing filters that look
for known spam messages. Many spammers actually buy filtering software to test and fine-tune
their messages to get around the filters.
Directory Harvest Attack:
An attempt, by spammers, to learn valid addresses by using automated address-guessing software
to broadcast millions of messages against a single email domain.
Addresses that are not rejected by the receiving mail server are taken to be valid.
“Drive-By” Spamming:
An interesting new tactic is called drive-by spamming. Spammers drive around and find unsecured wireless networks.
Sitting in a van with a laptop, spammers can send mail from “inside” the network to the email server. Any messages
sent by the spammer would appear to come from within the company's network.
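An added example (not part of the original page), in Python, of how a mail administrator might spot the "dictionary attack" and "Directory Harvest Attack" described above: it flags clients that hit many unknown recipients in a short window and lists the valid addresses the server confirmed to them. The log format, thresholds and names are assumptions made for this illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical, simplified log format (no real MTA's):
# timestamp, client IP, RCPT TO address, SMTP reply (250 accepted, 550 unknown).
SAMPLE_LOG = """\
2004-03-01T10:00:01 ip=203.0.113.7 rcpt=aaron@example.org code=550
2004-03-01T10:00:02 ip=203.0.113.7 rcpt=abby@example.org code=550
2004-03-01T10:00:03 ip=203.0.113.7 rcpt=adam@example.org code=550
2004-03-01T10:00:04 ip=203.0.113.7 rcpt=alice@example.org code=250
2004-03-01T10:00:05 ip=203.0.113.7 rcpt=alan@example.org code=550
2004-03-01T10:00:06 ip=203.0.113.7 rcpt=albert@example.org code=550
2004-03-01T10:05:00 ip=198.51.100.20 rcpt=bobb@example.org code=550
2004-03-01T10:05:30 ip=198.51.100.20 rcpt=bob@example.org code=250
"""
LINE = re.compile(r"^(\S+) ip=(\S+) rcpt=(\S+) code=(\d{3})$", re.M)


def detect_dha(log_text, min_rejects=5, window=timedelta(minutes=1)):
    """Flag clients that probe >= min_rejects distinct unknown recipients
    inside one window; list the addresses the server confirmed to them."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt, code in LINE.findall(log_text):
        by_ip[ip].append((datetime.fromisoformat(ts), rcpt.lower(), int(code)))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        rejects = [(t, r) for t, r, c in rows if c == 550]
        start = burst = 0
        for end, (t_end, _) in enumerate(rejects):
            while t_end - rejects[start][0] > window:
                start += 1  # slide the window forward
            burst = max(burst, len({r for _, r in rejects[start:end + 1]}))
        if burst >= min_rejects:
            findings[ip] = {
                "max_rejects_in_window": burst,
                "confirmed": sorted({r for _, r, c in rows if c == 250}),
            }
    return findings


if __name__ == "__main__":
    print(detect_dha(SAMPLE_LOG))
```

The "confirmed" list is the set of addresses the guessing client now knows to be valid, so those mailboxes can expect more spam; the single mistyped recipient from the second client stays below the threshold and is not flagged.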
Anti-Spam Resources