Wednesday, November 4, 2009

In Depth: Why hasn't spam been stamped out yet?

In Depth: Why hasn't spam been stamped out yet?: "

Your inbox is full of mail that casts aspersions on your man/ladyhood, wants you to buy prescription drugs online or promises to show you how to make money fast.

Latest figures from McAfee suggest that a massive 92 per cent of all email is spam. That's a lot of luncheon meat.

What's more, 67 per cent of American email users say that junk mail actively puts them off going online at all. Those aren't good statistics for 'email marketers'. So, who's doing it? There's no easy answer.

Spam is delivered by many dubious characters, from email harvesters to black-hat marketers. We've delved into the murky world of the spammers to find out more.

Taking names

Spam begins and ends with lists. First, there are the mailing lists that spammers use, which are culled from a variety of sources. These can be compiled in one of three basic ways.

When you're prompted to enter your email address into a form, the company behind it will be using that data to build a mailing list. Less-reputable outfits may sell that information on.

Then there are automated search spiders that crawl the web, harvesting email addresses from a variety of sources. They slurp up names from personal websites, forums and social networks – anywhere that email addresses are on display.

The third tactic is a more brute-force technique that's akin to the tactics hackers use to crack passwords. Lists are automatically generated for popular domains using word and number combinations. In any of the above examples, the populated lists may then be used by the spammer or sold on for profit.

There are companies that claim to sell 'opt-in' mailing lists – email addresses for folks who apparently enjoy a bit of spam with their eggs in the morning. Email marketing expert Mark Brownlow disputes the legitimacy of such outfits.

'With very, very few exceptions, purchasing a bulk list like this is a shortcut to email marketing hell,' says Brownlow, webmaster at www.email-marketing-reports.com. 'If somebody offers to sell and send you a bulk list of email addresses, 99 times out of 100 you're getting a spam list.'

Spammers even have tactics to refine the targeting and accuracy of these lists. For example, a marketer will buy a list of email addresses from the kind of dodgy source we've already discussed.

Spamhaus

WATCHING THE SPAMMERS: The Spamhaus Project tracks spam activity and provides a blacklist for the internet community

At the bottom of the spam advertising message there'll be a paragraph of legal-sounding jargon saying that the sender is acting within the law because you opted to receive their advertising – even if you didn't. Below that will be a link enabling you to 'opt out' of receiving messages in future.

However, when you reply using that link, you're simply confirming to the spammer that your email address is live. If your mail client previews HTML messages, you may not even need to click a link to confirm your existence. A 'web bug' – an embedded bit of code in the email – can do that automatically.

An even sneakier technique used to confirm that an address is active is when the spammer sends a blank or nonsense message. How do the spammers use these to confirm that addresses are live? Non-functioning email addresses generate bounce messages.

In this case, the same automated program used to send out messages also collates bounced replies and strikes unsuccessful attempts off the list. The result is a more valuable commodity: a list of guaranteed live addresses.

The fight against spam is similarly replete with lists: lists of the countries that generate the most spam, lists of websites that spam directs its victims to, lists of banned IP addresses from which junk mail originates, lists of those responsible. These lists – the black lists banning senders and the white lists that allow them – are all that really stands between us and them.

The kings of spam

That's one place spam comes from. When you join mailing lists, enter your address into forms and post to online forums, you're fuelling the spam economy.

More practically, though, we can track the origin of spam down to several regions of the world.

Ahead of the pack, with double the spam 'incidents' of any other country, is the USA, with one in every six spam emails originating there. After that, every company has its own batting order – Sophos puts Brazil and Turkey in second and third place, while Trace Labs has China and Russia as runners up.

These statistics are supported by the fact that many of the biggest names in spam have come from America. At the top of The Spamhaus Project's Worst Spammers list is Canadian Pharmacy, which despite its name spams the world from the US.

In a month, a standard mail account will receive around 2,500 junk emails, four per cent of which are attributable to this outfit.

Increasingly, following the introduction of stronger American antispam legislation in 2003 (the CANSPAM Act), a set of identifiable names and faces can be associated with the darker side of digital marketing.

Sanford Wallace is one of those names. Rising to notoriety in the late '90s, Wallace has a history of exploiting marketing loopholes in new technologies. Before the net went mainstream, he sent junk mail by fax.

Recently he attracted the attention of MySpace, who took Wallace to court over his use of automated software to create thousands of fake profiles promoting gambling and porn services on the social networking site.

The company won a $234million judgement against Wallace and his business partner in May 2008. In February 2009, Facebook filed a similar complaint against Wallace for sending unsolicited marketing to its database of users.

Then there's Alan Ralsky, who received 87 months in prison and a $1million fine after pleading guilty to contravening the CAN-SPAM act in June 2009.

Ralsky is also the star of our favourite 'spammer gets his comeuppance' story when, back in 2002, an article posted on Slashdot containing his home address came to the attention of the general public. Enthusiastic web users turned the tables, signing Ralsky's address up for mailshots, catalogues and coupons.

'They've signed me up for every advertising campaign and mailing list there is,' he told the Detroit Free Press at the time. So incensed was the convicted spammer by the flood of real junk mail coming through his letter box that he claimed he was looking for ways to sue – but no action ever reached court, nor apparent irony his brain.

Not all spammer stories have a funny ending, though. Eddie Davidson's spam business Power Promoters was among the most prolific online. This all came to an end in June 2007, when he was prosecuted under the same CAN-SPAM Act that tripped up Wallace and Ralsky.

Eddir davidson

EDDIE DAVIDSON: Eddie Davidson's Power Promoters company used botnets to send out unsolicited mail selling penny stocks

Sentenced to 21 months in a minimum-security prison by the federal grand jury, Davidson escaped on 20 July 2008 and was found dead in his car four days later, alongside the bodies of his wife and three-year-old daughter.

The UK is number four in Trace Labs' current league table of spam transgressors. We're covered by an EU antispam directive in the 2003 Privacy and Electronic Communications Regulations and have a regulatory body devoted to digital data protection and spam control, the Information Commissioner's Office.

Despite this, there have been few successful prosecutions in the UK, and the ICO complains that they're left toothless in the face of hundreds of complaints a year. We were only able to find one successful prosecution under these rules– and that was brought by an individual rather than a state body.

How spam is sent

We've talked about the list makers and the spammers. The final link in the chain is the middlemen – the hosting companies who allow spam to travel through their networks.

Spammers use two broad methods to launch their electronic assault. The first is the use of 'bulletproof' or 'bulk-friendly' hosts. These outfits turn a blind eye to the activities of spammers and, in return, command a premium price.

There's even a phrase describing the amended terms and conditions extended to spammers by such outfits: they're called 'pink contracts' in reference to the fleshy colour of spam. Though many bulletproof hosts are found in China or Russia, where the laws governing junk mail are less stringent, the most famous bulk-friendly host of recent times was McColo – a Californian company.

When it was finally shut down by its own service providers in November 2008, the company was estimated to account for up to 75 per cent of the internet's spam traffic. There was an immediate and sustained dip in global junk mail for several months after McColo was taken offline, but Symantec reports that the levels are now back to their previous peak.

Some of that resurgence is due to the widespread use of botnets for distributing spam. A botnet is a collection of computers controlled remotely by a host. The most insidious aspect of many spam botnets is that they use machines hijacked by malware: a trojan client that can be installed on any PC via an infected website.

Whitelist request

THE WHITELIST: ISPs sometimes blacklist IP addresses by mistake. If that happens to you, you'll need to put in a 'white list' request

In this way, the Srizbi botnet created in March 2007 is able to distribute up to 60 billion spam emails a day. The more recently discovered Rustock botnet accounts for an impressive 28.3 per cent of all spam traffic monitored by Trace Labs at the moment.

Why do they do it?

This might seem an awful lot of labour and subterfuge for what is – as we're sure you'll agree – one of the net's most reviled practices. Why don't spammers just use advertising instead?

The answer is that spamming is cheap. Sending email to lots of addresses doesn't cost any more than sending mail to one address does. With 80 per cent of spam generated by botnets, there's very little overhead to account for anyway.

The majority of spam may end up in junk folders and electronic trash cans, but the truly gobsmacking fact is that – in pure marketing terms – it actually works. As the Messaging Anti-Abuse Working Group recently revealed, 12 per cent of email users have bought stuff that was being touted via unsolicited email.

Considering the negligible cost of distribution to the spammers, that's not a bad conversion rate at all. Perhaps more worrying is the fact that about half of the respondents to the MAAWG's survey had clicked on links in spam messages or had responded to them just as they would to solicited messages.

Outlook plugin

BLOCK IT: Free Outlook plug-in Spamihilator (www.spamihilator.com) compares keyword combinations to filter out most junk mail

In other words, many people treat spam as though it is legitimate email marketing. Despite all the efforts made on our behalf by the law enforcement agencies, it's here that the real problem lies.

As long as the population of the net make it pay, spammers have an incentive to continue their dodgy trade. Perhaps the real solution lies in simply making people more aware of the dangers of spam.



"



(Via TechRadar: All latest feeds.)

No comments: