A Short List of SPAM Myths by Alan Fullmer
There are many types of SPAM. (bulk, annoyance, illegal, etc.)
You have everything from body part enhancement, to window replacement, penny stock promotions, virus and Trojan related messages.
It can be tricky to figure out what messages are real, what’s fake and which want to simply steal your identity.
My first rule of thumb is, question everything. If you didn’t ask for it, don’t click on it.
Unfortunately, even that isn’t enough. I’ve received spams that appeared to be from friends, even my wife—but it was nothing more than a link to a phishing website.
I have compiled a few myths that a lot of people think to be true but are in reality—false. These are more targeted at the marketers that fail to acknowledge them, intentionally or otherwise.
Myth #1: Spam isn’t that bad, just hitting the delete key isn’t that hard.
Spam goes beyond the mere annoyance of having to press the delete key. Behind the scenes is an incredible amount of non-stop filtering that happens. Just because you don’t see the spam doesn’t mean it’s not there. I always say to people; “I wish I could let all spam through just for a couple minutes to show you how much you really would get.” Now there are some that get more than others. The jim@, john@, mary@ etc. The names that are commonly known which dictionary attacks are good at guessing. Then there are the people that sign up for everything. Whilst the actual requested emails they asked for are not what we are as concerned about, it’s the ones that come in that have been sold multiple times.
I’ve done tests. I do a lot of tracking when I have to sign up for things. Even companies that promise my email address will not be sold or given to anyone. Certainly we all have concluded that is a lie. In one instance, I gave an email address firstname.lastname@example.org (where the 1234 is the ID I assigned to that company or institution requesting it and misspelled zoobuh.com as zoobah.com) to a car dealership to send me notices when it’s time for service. The terms of this negotiation had language indicating it would not be shared with anyone. Yes, I look at the fine print, it’s just what I do. 5 years later, I am still getting an incredible amount of spam coming in on that address—this after their promise of it not being shared with anyone and I have never used it with any other place. I have since disabled the email address, but they still send spam through it.
I’ve also done the test where you click on any unsubscribe link in a spam message. When it takes you to the unsubscribe page, simply put in a made up address. Similar to my previous test, I will do email@example.com. Of course without checking their records it will say, “Your email will be removed in 24 hours.” And of course, we will see spam coming in on that made up address through the unsubscribe link.
One last test, and in my opinion a very effective way to combat spam, is a spam trap (honeypot). Carefully placed secret email fake addresses scattered around the web. Web scrapers love these. They scour the internet for users’ email addresses from forums, blogs, etc. and then adding them to their spam lists. (Of course they will say you signed up for it. 😉 )
The main reason spam traps are useful and effective is that nobody uses them. They are fake. So if we receive mail on these addresses, we simply block every subsequent request from that server. We know it is spam. Our tests show that it usually takes about a week for these addresses to be harvested and placed onto spam lists ready to be sold. More information on this can be found here: https://en.wikipedia.org/wiki/Spamtrap
Myth #2: Spam isn’t any different than companies mailing you car ads, coupons, house refinancing, etc. through the US Mail.
Companies spend a lot of money, printing, paying for postage and buying lists of addresses to send these to. The burden of cost is on the sender of the ads.
With Email Spam, you can get a billion email addresses for under $50. It’s practically free to send spam. Sure you might pay for your internet connection at home or work, but you’re paying that anyway and it’s a very small cost. Furthermore, Wi-Fi hotspots, libraries, schools and wide-open networks can be tapped into at no cost.
So the burden of cost is now on the receiver (we the ISP) instead of the sender.
Just one domain out of the many available to our customer base, received over 30+ million spams since the beginning of the year (end of June 2014). In one year’s time this particular domain could see over 5 million spams per month, 167k per day, 7000 per hour. This is also assuming the volume stayed static, which it never does. It always grows. Combine all the other domains and addresses we host and that number climbs insanely high.
Myth #3: You signed up for it.
Perhaps there are some that do, but for the majority of people do not.
My favorite line: You are receiving this because you asked to receive offers from _______.
No, I did not. Whatever the “from” equates to, I never asked anything of the sort. I don’t want my mortgage refinanced, I don’t want or need an affair, I don’t want any particular body part enhanced and I don’t want any cheap Canadian meds.
Spammers use this line frivolously. I am unsure if they think it makes it all legitimate, or they assume you’ll say to yourself, “Well golly gee, maybe I did sign up for it.”
Myth #4: Dictionary attacks aren’t bad because it doesn’t go to real users.
This is very wrong. Just because we receive messages for users that don’t exist, doesn’t mean we don’t still process it. The system has to verify the user even exists. This means it has to access it from some type of database, compare to any RBL filters and honeypots—at the very least. Compound that with a decision to discard it, or bounce it. I particularly like the fact that if I flub the address, I get a response back from the server telling me that there is no person there, rather than wondering if the recipient ever got my message. That said, an extremely high percentage of spams come from addresses that are not real. So a bounced message (backscatter) will generally ping pong between servers, or sit in the queue for days until it expires, or even worse—if the domain is something like @yahoo.com, the bounces end up being received by Yahoo and they decide to blacklist your IP. This puts a lot of work on additional employee(s) to create rules and configuration to prevent backscatter. http://en.wikipedia.org/wiki/Backscatter_(email)
Myth #5: it’s just part of a company’s budget. It’s not a big deal.
In the past, the IT budgets never included money for spam filtering. Surprisingly, even today, most budgets still don’t include it. It never shows up as a line item or issue. I think because it’s just assumed you get to deal with it and is part of the email system. But usually the people making those decisions don’t get to see how much spam they are really getting. Out of sight, out of mind. But they do seem concerned at times about the constant upgrading and purchasing of heavier duty servers and equipment “just for email.” Hard disk use, power consumption due to processing, bandwidth can be very costly.
If you were to track the time you spend sorting through the few spams that made it through the filtering system for a year. I think you would be surprised at the time spent.
Processing Spam used to be simple. Install an off-the-shelf anti-spam product and you’re set. Today, it’s become a science. Marketers are trying harder than ever to bypass filters. One cannot simply rely on any one technology. You can’t simply look for words and phrases. Marketers try everything from obfuscation of text, replacing English letters with Greek or German because they are still readable. Adding Bayesian checks helps, but even still marketers try to poison the database with random words, texts or phrases. Personally, I’ve yet to see this method very successful, I’m sure it works to some degree. This is easy to spot. Most of the time the random words are hidden in HTML text or CSS code. Other times you’ll see excepts from random poems or news articles at the bottom of the message.
The CAN-SPAM Act of 2003 is pretty black and white when it comes to this stuff. A lot of the wording is based around false and misleading information.
If you have to wonder about how legitimate the company is that’s trying to sell you something, you don’t need to go further than looking into how hard they try hiding their marketing identity. Allow me to elaborate;
There are two main domains associated with the emails. The domain that the sender’s email comes from, and the link(s) in the body of the message. There are many “whois” lookup services that can get you this information for free.
- When you look at the record of the domain holder, is it private? Does it have any wording like Domain Protected or Privacy Protected.
- Are any of the domains .us, .info, .biz, or .pl? (Not limited to only these extensions)
These are “disposable” domains. They are cheap. Usually they are only a few dollars compared to .com and others that are closer to $12 for a year.
Spammers will register them for one year—fully knowing that they won’t be renewed and will quickly be blacklisted. But by that time, they’ve already sent the billions of spam. It’s an easy investment.
- Are there patterns in the domain name? For example, someword-joe23.us
- Do the domain names reflect anything from the content/advertiser?
Somewhere the message must indicate it’s an advertisement. It should be a simple sentence that should read “This is an advertisement, unsubscribe here” but instead you’ll see every attempt to disguise it by using words like “advert,” “admsg,” etc., even going as far as to use every variation of a word found in a thesaurus. The fact is, they aren’t being upfront and honest. Lately there has been a lot of images that have this wording to try to bypass context filters. The main problem with this is these images are generally remotely hosted. This has two main benefits for the spammer. It doesn’t get picked up by the filter and second they can track and verify you’ve viewed that image.
Since most email programs now require a step to view remote images, you’ll probably never see it. Also, if the remote image is removed or broken, the unsubscribe language will never be seen.
Another common thing a spammer does is use a PO Box or a UPS store box to hide their real identity.
I personally would never want to do business with anyone that can’t be upfront and honest with their ads and/or marketing. You would never allow this in a newspaper ad, why would email be any different? The fact that they are trying to deceive should be the only red flag you need to know to stay away.
Dan Hates Spam (http://danhatesspam.com/whyspamsucks.html) sums it up perfectly:
“The Internet offers tremendous potential for marketers to deliver precisely targeted and customized information and offers to consumers who truly want to receive them, but all too often, spammers abuse the potential of the technology and instead take advantage of zero-variable-cost nature of email to blast their unsolicited advertisements at every email address they possibly can. Let me repeat this point – there is no financial incentive for a spammer to do any kind of list management that a traditional (offline) marketer would use. That’s why men get spammed for breast enlargement pills and women get spammed for penis enlargement pills; why people with regular plumbing get spammed for septic tank solutions; why children get spammed with prostitution ads, etc.”
I hope you find something useful in this article. I am not a writer or really care to be one so forgive my mistakes. I just want to lay out some facts for you. If you do find this article useful, feel free to share it. Also, if you have any comments, leave them below.
PS. I am going to do a test and report back with the results in a month or so. I am going to create a fake address. Let’s call it firstname.lastname@example.org and see how many unsolicited emails we receive on this address in a month’s time due to spam scraper utilities… but please readers, don’t add it manually to any lists, that would defeat the purpose of the test 😉