Slapped in the Face

If you use email, it's likely that you've recently received a piece of spam--an unsolicited, unwanted message sent to you without your permission. Spam is the Internet's version of junk mail, telemarketing calls during dinner, crank phone calls, and leaflets pasted around town, all rolled up into a single annoying electronic bundle.

Spam is not democratic. If you are new to the Internet, you've probably seen only a few of these annoying messages. If you've been using the Internet for more than a few years, or if you participate in online discussion groups, you might receive a dozen or more of these messages each day. And if you administer a network for a business or university, you might be bombarded with hundreds.

Here's a typical message that we received while working on this book:

Received: (from mail@localhost)
	by apache.vineyard.net (8.8.5/8.8.5) id LAA01663
	for <simsong@vineyard.net>; Sat, 16 May 1998 11:57:57 -0400 (EDT)
From: charles7713@yahoo.com
Message-Id: <199805161557.LAA01663@apache.vineyard.net>
Received: from 209-142-2-72.stk.inreach.net(209.142.2.72) 
	by apache.vineyard.net via smap/slg (V1.3)
	id sma001626; Sat May 16 11:57:27 1998
Date: Sat, 16 May 1998 05:18:34
To: <simsong@vineyard.net>
Subject: Search Engines, 400 for 5.75 (1)

  ***  LIMITED TIME SPECIAL OFFER  ***

 For Only $5.75 (1) We Will Submit Your
 Web Site To Over 400 Of The Net's Hottest
 Search Engines, Directories & Indexes.

 If you're site isn't listed in the Search
 Engines, how can people find you to buy your
 products or services?

* Your Competition Is Getting Noticed - 
   Are You?  Get Noticed By Your Prospects.

Visit Our Web Site To Learn More:

 http://www.tiffiny.com/sitesubmissions

 Thank You

 (1)
The price for this service is $69 prepaid which
covers the cost of submitting your site every
three months for an entire year.  We have shown
the price of $5.75 to show you how inexpensive
this program really is when the overall cost is
annualized. Minimum 12 month term and full 
prepayment required.
======================================
Name removal requests.
Send to:
TO:	webmaster@tiffiny.com
SUB:	remove
======================================

This email from tiffiny.com has all the elements of a typical spam message:

• The message came from a business with which we had no prior relationship.

• It was sent from an email address (charles7713@yahoo.com) that either is fictitious or was created solely for the purpose of sending spam messages and has long since been discarded.

• The message advertises a service that is illegitimate, shady, or misleading at best. (The service being advertised is not $5.75, as the subject line says, but $5.75 per month, with a "minimum 12 month term and full prepayment required." Furthermore, there simply aren't 400 "hot" search engines, directories, and indexes on the Internet.)

• The message does not clearly identify the person or group that has sent it.

• Removal requests sent to the address listed at the bottom, webmaster@tiffiny.com, were ignored.

• The company that's doing the advertising is not well known and typically isn't trying to establish a reputation or a loyal consumer following.

If you've ever gotten a piece of spam mail, you've probably experienced a wide range of emotions. At first you were probably confused. What is this message? you might have asked yourself. Where did it come from? Where did these people get my name?

Once your confusion passed and you received your second or third spam, you may have become angry. Perhaps you wrote letters of complaint to the spammer and were further angered when your complaints bounced back to you because the spammer had disguised his email address.

Finally, you may have passed through anger to helplessness once you began receiving spam on a daily basis. Reading your email, once a source of fun or information, was reduced to a time-consuming process of weeding out junk mail with no end in sight.

Don't give up hope. There are powerful tools for fighting back against spam. In this book, we'll show you how.

What's Wrong with Spam

Most spam messages on the Internet today are advertisements from individuals and the occasional small business looking for a way to make a fast buck. Spam messages are usually sent out using sophisticated techniques designed to mask the messages' true senders and points of origin. And as for your email address, spammers use a variety of techniques to find it, such as "harvesting" it from web pages and downloading it from directories of email addresses operated by Internet service providers (ISPs).

But spamming today could well be undergoing a revolution. Over the past year, AT&T, Amazon.com, and OnSale.com all have experimented with bulk email. Although the companies clearly identify themselves in the mail messages, these bulk mailings can cause many of the same problems as spam messages from less scrupulous individuals and companies. If these companies continue their experiments, and if they are joined by others, we'll surely see a dramatic increase in the amount of spam on the Net.

The people who send these messages say that the email is a form of electronic direct marketing--the cyberspace equivalent of radio advertisements and newspaper inserts. But there are important differences between electronic spam and conventional marketing techniques--differences that could ultimately destroy the usefulness of the Internet if spam is not stopped.

Spammers often say that spam isn't a problem. "Just hit Delete if you don't want to see it." And many spam messages carry the tagline "If you don't want to receive further mailings, reply and we'll remove you." But spam is a huge problem. In fact, junk email and junk postings to Usenet newsgroups are one of the most serious threats facing the Internet today.

Spam messages waste the Internet's two most precious resources: the bandwidth of long-distance communications links and the time of network administrators who keep the Internet working from day to day. Spam also wastes the time of countless computer users around the planet. Furthermore, in order to deliver their messages, the people who send spam mail are increasingly resorting to fraud and computer abuse.

How Much Spam Is There?

Just how much spam is out there? Although it's hard to come up with exact numbers, the initial reports from the field show that there's a lot and that the problem is getting worse:

• According to America Online, which testified about spam in front of the Federal Trade Commission in 1997, roughly a third of the email messages AOL receives on any given day from the Internet are unsolicited spam.

• According to the first academic study of spam, by Lorrie Faith Cranor at AT&T Labs-Research and Brian A. LaMacchia at Microsoft, between 5% and 15% of the email received by AT&T Research and Bell Labs Research between April 1997 and October 1997 was spam.

  Lorrie Faith Cranor and Brian A. LaMacchia, "Spam!," Communications of the ACM, Vol. 41, No. 8 (Aug. 1998), pp. 74-83, http://www.acm.org/pubs/citations/journals/cacm/1998-41-8/p74-cranor/>.

• According to Spam Hippo (http://www.spamhippo.com), an automated Usenet anti-spam system written by Kachun Lee for PathLink Technology Corporation, roughly 575,000 articles were posted to Usenet in June 1998, of which roughly 200,000, or 35%, were spam. (That's down from a high of 60%, or 300,000 spam messages out of 500,000 postings, before Spam Hippo began operation.)

These numbers don't tell the whole story. Although they show that there is a lot of spam on the Internet today, they don't explain why it is a threat. Indeed, if the only problem with spam were the sheer volume, one could make equally urgent arguments about the number of advertisements in your daily newspaper, commercials on TV and radio, and even billboards in subways and on buses. Nobody is saying that advertising is about to bring newspaper journalism to an end. Indeed, most newspapers, broadcasters, and even public transit authorities rely on advertising to pay their bills. What's so different about spam?

The answer to this question lies not in technology, but in economics. The fundamental difference between spam and other forms of advertising has to do with cost and price.

The Low Cost of Spam

With most forms of advertising, the cost of sending each message is significant--especially when compared to the cost of the item being sold and the size of the market. An advertisement in a newspaper can cost anywhere from $24 for a typical classified ad to $25,000 for a full-page advertisement in a major newspaper. Sending a catalog to 100,000 people can cost anywhere from $50,000 to $150,000, depending on the size of the catalog, the quality of the printing, and the type of postage used.

Compare these costs to the cost of sending an email message or posting an article on Usenet. A typical computer connected to the Internet over a 28.8 kbps dial-up modem can send more than 100 email messages a minute, which translates to 864,000 mail messages a day, or 26 million in a typical month. With ISPs offering "unlimited" dial-up access to the Internet for $20 per month or less, and a dedicated phone line costing another $15, a spammer can send roughly 10,000 email messages for a penny. Even if you add the cost of buying a computer (perhaps $1,000), electronic advertising is an incredibly cheap way to reach an audience.

This low cost encourages spammers to send huge numbers of messages. Businesses that advertise using traditional media normally make some kind of effort to target their messages. Common sense dictates that there's no reason to send an advertisement to somebody who can't buy the product being advertised--there's no reason to spend the money to advertise dog food to cat owners. But spammers have no motivation to target their messages, because the cost of sending out electronic messages is so low.

Merge/purge

The low cost of email encourages spammers to forsake another practice that's common among conventional direct marketers, a technique known as merge/purge. When a merge/purge is performed, a mailing list company merges several lists and then purges the duplicates. Because of the cost of sending messages, marketers normally try to avoid sending the same message again and again to the same consumer. Spammers, operating in a medium that's essentially without cost and frequently unconcerned about their reputation, don't care.

Because there is no merge/purge, it's common to log in to your email and see many copies of the same spam message awaiting your perusal--especially if you have several email addresses that all forward to the same location:

Id# From               To                           Subject               
1   plan@earthlink.net simsong@apache.vineyard.net  Dental/Optical Plan
2   plan@earthlink.net simsong@vineyard.net         Dental/Optical Plan
3   plan@earthlink.net simsong@vineyard.net         Dental/Optical Plan
4   .@earthlink.net    simsong@acm.org              Dental/Optical Plan
5   .@earthlink.net    simsong@mit.edu              Dental/Optical Plan
6   .@earthlink.net    simsong@mail.vineyard.net    Dental/Optical Plan

The clever spammer

Spammers realize that it's pointless to send email that's not going to get read, so they're increasingly resorting to new, deceitful techniques to get you to read their mail before you delete it. Some tricks are designed to make it seem as if the message came from a new business partner:

From: Bob Brown <bob@gdi4.gdi.net> 
Subject: RE:To selected new clients

Or the spammer might try to make it look as if he or she is an old friend:

From: Jane <jane234@yahoo.com>
Subject: What's up?

Or the spammer might even try to make it look as if the message came from you:

From: Jason Sears <jason@netcom.com>
To: Jason Sears	<jason@netcom.com>

As spammers get more clever, it's becoming harder to delete these messages without reading them first. Unfortunately for us, the more people there are who send spam, the more likely it is that some of them will be quite clever.

The High Price of Spam

Spam may be cheap to send, but bulk email and newsgroup postings come at a high price to recipients of the messages and to the Internet through which they travel. It's because of this price that "simply clicking Delete" isn't a good solution to the spam problem.

The price users pay

Under normal circumstances, computers can't tell the difference between spam messages and normal, important messages--the kind that we want. Each message, spam or otherwise, is treated with care and speedily carried to its appropriate destination (or destinations).

It may take a spammer just five or ten minutes to program his computer to send a million messages over the course of a weekend. Now it's true that each of these messages can be deleted with just a click of the mouse, which takes only three or four seconds: a few seconds to determine that the message is in fact spam plus a second to click Delete. But those seconds add up quickly: one million people clicking Delete corresponds to roughly a month of wasted human activity. Or put another way, if you get six spam messages a day, you're wasting two hours each year deleting spam.

The price users pay for spam increases if you include the cost to the business or organization that operates the computer that holds your mailbox. These computers, called mail servers, require full-time connections to the Internet that can cost anywhere from $250 to $2,000 per month or more. The cost of the connection is determined, in part, by the amount of data it can carry. If a company's Internet connection is filled with spam, that company will be forced to spend more money on a faster Internet connection in order to handle the rest of its email traffic. Likewise, the company will be forced to buy faster computers and more disk drives. These costs must eventually be passed on to end users.

This scenario is not theoretical. In July 1997, spam mail overwhelmed AT&T WorldNet's outgoing mail system, delaying legitimate email by many hours.

The price administrators pay

System administrators pay for spam with their time. The Internet's email system was designed to make it difficult to lose email messages: when a computer can't deliver a message to the intended recipient, it does its best to return that message to the sender. If it can't send the message to the sender, it sends it to the computer's postmaster--because something must be seriously wrong if the email addresses of both the sender and the recipient of a message are invalid.

The well-meaning nature of Internet mail software becomes a positive liability when spammers come into the picture. In a typical bulk mailing, anywhere from a few hundred to tens of thousands of email addresses might be invalid. Under normal circumstances these email messages would bounce back to the sender. But the spammer doesn't want their bounces! To avoid being overwhelmed by the deluge, spammers often send messages with invalid return addresses. The result: the email messages end up in the mailboxes of Internet postmasters, who are usually living, breathing system administrators.

System administrators at large sites are now receiving hundreds to thousands of bounced spam messages each day. Unfortunately, each of these messages needs to be carefully examined, because mixed in with these messages are the occasional bounced mail messages from misconfigured computers that actually need to be fixed. As a result, spam is creating a huge administrative load.

As the spam problem grows worse, system administrators are increasingly taking themselves off their computer's "postmaster" mailing lists. The result is predictable: they're deluged with less email, but problems they would normally discover by receiving postmaster email are being missed, as well. The whole Internet suffers as a result.

The price bystanders pay

In their attempts to distribute their ads and avoid complaints, spammers often engage in fraud or other kinds of system abuse.

For example, in 1996, America Online started blocking email from many domains associated with spammers. To bypass AOL's filters, some spammers started sending email with false "return addresses." Some of these return addresses were purely fictitious. Others were for existing businesses that had no connection with the spamming activities, but were nevertheless tarnished by them.

Another technique spammers have used to send email is to relay their messages through other computers on the Internet--often without the knowledge or the consent of those computers' owners. This practice constitutes a theft of service. It also can result in problems for the unsuspecting relay, as people mistakenly think that the relay is the spammer.

Attacked by a Spammer

The attack started at 2:30 a.m. on January 15, 1997. But I didn't know that something was amiss until 4:20 p.m. or so, when I tried to check my mail. Strangely, there were 25 mail bounces from MAILER-DAEMON. Somebody had tried to send a whole bunch of mail; the mail that bounced had ended up in my inbox.

Now, having weird mail show up in my inbox isn't an unusual occurrence for me. That's because I'm on postmaster@vineyard.net, the mailing list for my small ISP located on the island of Martha's Vineyard, Massachusetts. Over the past 18 months I'd seen quite a bit of bounced mail from folks who hadn't set up computers properly. In each case I would have sombody call up the customer so they could fix their system.

There was something different about these bounces. For starters, there were a lot of them. And they had all bounced from a computer called empty.cabi.net--a computer, I later learned, that had an invalid IP address. But the big giveaway was the content of the mail messages, hidden beneath more than 80 lines of bounced mail headers.

"Customers For You!" the message read. "CV Communications BULK EMAIL ADVERTISING SERVICE."

It didn't take me long to piece together what was happening. Somebody calling himself CV Communications had connected to the mail server on vineyard.net, and was using my computer to send his unsolicited bulk email. The nerve! This guy was using my Internet connection to further his commercial ends, and sticking me with his bounces. I had been spammed by a spammer advertising spamming services.

It got worse. Further on down in my mailbox I noticed the complaints. Across the Internet, people being hit by this fellow's spam were blaming me and vineyard.net. Most thought CV Communications was one of our customers.

I logged on to my computer and typed the mailq command to see how much mail this spammer had piled up on my machine. I was horrified: there were more than 2,000 messages waiting to go out. Nearly all of them were being shipped to AOL and CompuServe.

The good news, I thought wryly, was at least this guy hadn't broken into my system. He was slowing down mail for all my customers, giving me a bad name, and making lots of work for me, but at least he hadn't broken in. Nevertheless, he had still caused plenty of damage. It took us more than two weeks to clean up from the incident.

--Simson Garfinkel

The price society pays

There are nonmonetary costs to spam as well. Unwanted postings destroy the community spirit on which Usenet is based. When newsgroups are inundated with spam, fewer people read the groups, and they are less effective as a resource for discussion, problem solving, and information dissemination. And when Usenet traffic becomes too high, ISPs are forced to cut back on the number of newsgroups they carry, damaging Usenet's usefulness in the process.

Some unwanted postings, like chain letter pyramid schemes, are illegal in themselves. Spam makes it easy for scam artists and hucksters to prey on some of the most vulnerable members of society.

The Dirty Dozen Spam Scams

In July 1998, the U.S. Federal Trade Commission (http://www.ftc.gov>) issued a list of the 12 most common scams promulgated by spammers:

• Pyramid schemes that promise a big return for a small investment.

• Scams that suggest that money can be made by becoming a spammer, and offer to sell address lists or bulk mailing software. The lists are often of poor quality, and spamming usually violates the victim's contract with his ISP.

• Chain letters.

• Work-at-home schemes that offer money for stuffing envelopes or building handicrafts. Often the victims never receive payment for their work.

• Health and diet scams--snake oil by email.

• Currency exchange scams that aren't legitimate.

• Scams promising free merchandise in return for a membership fee; victims discover (after paying the fee) that they don't qualify for the freebies until they sign up other members.

• Bogus investment opportunities.

• Offers of cable descrambler kits, which are illegal if they work--and most don't.

• Bogus home-equity loans or unsecured credit cards that never materialize.

• Credit repair scams in which the victim is promised a completely clean credit record upon payment. Establishing a new credit identity is illegal in the United States, and bad credit can't be magically removed.

• Vacation prize promotions that offer luxury vacations at discount prices. Victims find that the vacation accommodations aren't deluxe--unless they're willing to pay to upgrade.

Nearly all these scams predate email, but spamming makes it easier than ever for con artists to recruit victims.

Much spam is simply offensive to the recipients. On July 21, 1997, for example, a spammer appropriated CNN Interactive's CNN Plus mailing list and sent pornographic email to thousands of CNN customers. The incident was offensive to many of the subscribers and a terrible embarrassment to CNN.

Is it acceptable for a company representative--or a scam artist--to interrupt a productive discussion you're having with your colleagues, solicit business using a false name and address, and then leave you with the bill?

The price the Internet pays

The biggest problem with spam is that if it continues to grow unchecked, its electronic deluge threatens to crowd out all other legitimate messages, making the electronic commons of the 21st century an unusable cesspool of useless marketing messages. This is a problem whether the spam messages are sent from shady operators or legitimate businesses. It is simply so cheap to send spam that every business can send it to all of us. And if this happens, there will be a deluge.

Remember what happened to CB radio in the 1970s? Although CB was designed as a low-power two-way communications medium, as radios became more popular, a few spoilsports started broadcasting music, political messages, and advertisements with 10 and 20 times more power than the law allowed. It didn't take long for the CB radio waves to become a vast wasteland. Today CB is useful only to very small, specialized groups of people. The same thing could happen to the Internet unless spam is stopped--and stopped soon.