This article was originally published in Maclean's Magazine on February 23, 2004
Spam, and How to Protect Yourself Against It
IT'S A THURSDAY EVENING in January, and I'm getting spammed. Unlike most unwanted e-mail that clutters the in-box, I know who's sending it. His screen name is Rogue, a computer expert and self-described "white pirate" from Columbus, Ohio - skilled in the tricks of the spam trade but not a spammer himself. He demonstrates how easy it is to bend the INTERNET to his will and make it send thousands of messages with the click of a mouse. He issues instructions on finding ratware - software to deliver e-mail in bulk and evade traditional filters - and the various techniques for capturing e-mail addresses and masking the sender's origin. And it's becoming clear that no matter how often you change e-mail addresses or switch Internet service providers (ISPs), it's impossible to hide from those unsolicited messages. And that, as the e-mail system creaks under the weight of all the junk, something drastic must be done to rid us of this digital pestilence.
Tired of being bludgeoned with offers of discount drugs, cheap mortgages and life insurance, penis-enlargement pills, instant university degrees, hard-core sex sites and get-rich-quick schemes? You're not alone. Millions of people are fed up with digital junk mail, nicknamed spam after the canned lunch meat and its reference in a Monty Python sketch about a restaurant that served nothing but spam. Just ask one of the 17 million Canadians who are regularly on-line. A 2003 survey found the majority of respondents would rather clean toilets than deal with a clogged in-box. "Suppose a whole gang of people started racing go-karts all over the Canadian highways to the point that no traffic could ever get through," says 68-year-old retiree Rod Anderson. "Well that, to me, is what spam is. It's cluttered up the system and made it almost unusable."
Over the past decade, e-mail has become an indispensible form of global communication. But the volume of unwanted messages has exploded. Today, anti-spam technology company Brightmail Inc. estimates spam accounts for 60 per cent of total e-mail volume, four times more than it was two years ago. Some Internet providers argue the figures are much higher. Tom Copeland, chairman of the Canadian Association of Internet Providers, says the volume directed at his customers is closer to 90 per cent. "People out there are bombarding the system with so much junk," he says. For a few years, Copeland employed staff at his own ISP in Cobourg, Ont., just to manage unwanted messages. But keeping up to date with the latest filtering software and purchasing more server capacity to handle the volume proved a losing battle. He now contracts that task out to Postini Inc., a U.S.-based e-mail filtering service.
It isn't just the commercial e-mail bombardment. There's the clutter of messages from "friendly" sources, too. Your company distributes departmental updates, your co-workers send reminders about bake sales and school charity draws, and friends forward jokes, Web links and articles. It adds up to e-mail overload. An exhaustive survey by the Pew Internet and American Life Project found that a quarter of e-mail users had reduced their overall usage due to spam, and just over half of the respondents said they were less trusting of e-mail because of the intrusion of spam and its often offensive content. It's also driving shoppers away from the Internet, according to consumer group Trans Atlantic Consumer Dialogue.
But few are prepared to log off forever. That would be like giving up on the telephone because of telemarketers. Some have changed their e-mail address in an effort to stop the flood. Jay Strosberg, a 27-year-old lawyer from Windsor, Ont., did that. Four times. "I hate spam. It almost turned me off the Internet altogether," he says. "But that's almost an impossibility. The Internet plays a much greater role in my life than television."
Anderson, from Cobourg, Ont., has been on the Internet since 1995 and uses it for research, to contact support groups for people with a shared medical condition, and for on-line banking. Last year, he grew so frustrated by spam - up to 300 unwanted messages a day - that he began buying a third-party service to filter his e-mail. He no longer needs to hunt through his in-box for hours to find the 20 legitimate messages among all the solicitations, but he'd rather there wasn't the need for extra filtering. "It seems to me the world is going to have to do something about this," he says.
The sheriffs have begun taming the lawlessness of the wild on-line frontier. Recently, music labels began using the courts to squash digital piracy. Privacy laws aimed at protecting the personal information of Internet users have taken effect in Canada. And now government sights are set on spam. In December, President George W. Bush signed the CAN-SPAM Act, legislation aimed at limiting the volume of unsolicited messages. But critics say the law has no teeth. In fact, they argue it actually opens the door for more spam. "This law is horrific," says Neil Schwartzman, anti-spam activist and chairman of the Canadian arm of the Coalition Against Unsolicited Commercial Email (CAUCE). He writes SpamNews, a free regular dispatch from his Montreal home. The way the act is written, Schwartzman says, "means that every company has the right to send you at least one spam e-mail. And there are tens of millions of small- and medium-sized enterprises in the U.S. alone."
Earlier this month, the Organization for Economic Co-operation and Development hosted a meeting in Brussels to discuss the fight against spam. At the conference, the European Union, which has tougher laws, said that since the U.S. is the largest source of unsolicited commercial bulk e-mail, it should be doing more to deal with the problem. "It's going to take some aggressive enforcement of the laws to make life uncomfortable for spammers," says Michael Geist, a University of Ottawa law professor who chaired the law and regulatory panel at the OECD meeting.
The people plying you with ads range from professional marketers to 21st-century snake-oil salesmen, pornographers and fraud artists. The lure for legitimate marketers is big money, even if less than one per cent of recipients click on a link or make a purchase. The risk for unsuspecting consumers is great, though. Anti-spam activists say organized crime rings have started using spam to launch financial frauds: one, called "phishing," is a form of identity theft in which Web sites designed to look like those of legitimate banks are used to steal log-in names, account passwords and even credit card information belonging to unsuspecting customers.
To capture your e-mail address, some spammers use software to scan incoming and outgoing messages on a server. This sniffer application collects addresses in the "To" and "From" fields and sends the information back to the spammer, who adds it to a database. But the techniques aren't always this surreptitious. Most Canadians on-line are making their contact information freely available to e-mail marketers. If you've made a purchase on-line, entered a contest or signed up for an e-mail newsletter, you may have agreed to allow your address to be sold - a practice normally disclosed in the contract users are asked to accept before they sign up. However, most people don't read the fine print on those agreements.
Some spammers simply set up shop from an e-mail account with a regular ISP. If the operation is a little larger, they can boost output by renting extra computer server space from an Internet provider. Or, if they deal with very large quantities of bandwidth, such as on-line pornographers do, they can afford to purchase their own "server farms." ISPs generally don't monitor the volume of e-mail flowing out from any particular account until they receive a complaint from a user. "We have a zero tolerance policy on spam," says Charlotte Burke, senior vice-president of consumer Internet services at Bell Canada. "If any of our subscribers are reported to us, we can validate that they are sending spam and cut off their service."
Once the spammer is run out of town, he simply moves to the next ISP. If he's been kicked off three services, he can be listed on the Register of Known Spam Operations, a database of the world's worst offenders managed by the Spamhaus Project, a U.K.-based anti-spam organization. Information sheets compiled on each spammer illustrate the lengths to which some go to disguise their identity with false names, addresses and phone numbers. Spamhaus also tracks spam gangs that roam the Internet, trading secrets on how to beat block lists and what's the latest filter technology.
In Canada, unless the content of the e-mail is criminal in nature (such as financial fraud or child pornography) or the spam maliciously targets a computer to cause service disruption, police won't likely lay charges. Some e-mail marketers argue all they're doing is taking advantage of the technology to deliver a commercial message, no different than the hard-copy junk mail that arrives in your mailbox every day. But they are a minority voice. Anti-spammers argue the activity is immoral and should be made illegal.
Even the Canadian Marketing Association supports strict commercial e-mail usage policies. Its 800 members, which include companies such as Canadian Tire Corp. Ltd. and the Hudson's Bay Co., are forbidden from using unsolicited e-mail to acquire new customers. "Our position is that it's appropriate to acquire opt-in consent from customers before sending them any commercial e-mail," says CMA CEO John Gustavson. "We recognize that, with e-mail, the normal economic restraints on advertising are not in place." Meaning the cost of sending hundreds of thousands of advertisements via e-mail is a fraction of the price to print up flyers and pay Canada Post to deliver them.
The most reliable estimate of the worldwide cost of fighting spam - purchasing spam filters, dedicating IT personnel to manage them, and lost productivity of workers who spend hours clearing out junk e-mail - is an astounding US$20 billion. Ottawa wants to see if existing rules, including privacy regulations, are effective before implementing stronger anti-spam legislation. But federal Industry Minister Lucienne Robillard says she will consult with Senator Don Oliver, who reintroduced legislation last week to require Internet providers to install filters to stop unwanted messages. Critics say action is needed now. "My fear is that the legislation void on our end will lead to Canada becoming a safe haven for spammers," says CAUCE's Schwartzman.
A segment of the IT security industry specializing in anti-spam solutions has grown to meet the increased demand. "We're seeing a sort of dot-com boom all over again, but this time in anti-spam technology," says Geist. Revenue generated from global sales of anti-spam software is projected to top US$360 million this year. The technology works - the volume of spam getting past the roadblocks is only a fraction of what people could be seeing. But filtering has its own problems. Anecdotes abound about legitimate messages getting caught in quarantine folders or never getting through to recipients. Most famously, America Online once bounced back Harvard University acceptance and rejection letters that had been e-mailed to students. Filters have become more sophisticated, but Jupiter Research reports mistakenly blocked e-mail is costing legitimate marketers US$230 million a year in the United States. So-called false-positives are a dilemma for companies that depend on e-mail to do business, because which is worse: sifting through the junk mail or possibly losing an order and a customer?
It's become an arms race. "Spammers are getting smarter. They're working hard to get past the filters," says Vancouver's Jesse Dougherty, director of development for the anti-spam task force of Sophos, a developer of security software. He points to a dangerous new trend: an unholy pact between spammers and virus writers. They are unleashing viruses that deliver spam payloads, capture new e-mail addresses and turn unprotected computers into "zombie" machines that can be used to send out more spam.
A number of solutions have been floated: super-filters, digital postage stamps for e-mail, and a DNA-like signature applied to each e-mail to verify the sender. Some have suggested issuing bounties and letting volunteer hunters smoke out the spammers for authorities. Bell Canada's Burke also says that end users must take steps to halt spam's spread. But if recent history teaches us anything, spammers will always have an edge on computer users' defences.
"Spam has cluttered up the system and made it almost unusable."
ROD ANDERSON
The head of the association of Internet providers says spam accounts for nearly 90 per cent of e-mail traffic. "People out there are bombarding the system with so much junk."
TOM COPELAND
Firms in the CMA are forbidden from sending unsolicited messages. "Opt-in consent is required from customers before sending them any commercial e-mail."
JOHN GUSTAVSON
UNSOLICITED COMMERICAL E-MAIL BY CATEGORY
(as of January 2004, in per cent)
Product 22%
Financial 20%
Adult 17%
Scams 8%
Health 7%
Leisure 6%
Internet 5%
Fraud 4%
Political 2%
Spiritual 2%
All other e-mail attacks 7%
Source: Brightmail
How Spammers Find You
DICTIONARY ATTACKS
Spammers will target an e-mail provider and bombard the domain with every letter combination possible. If any of the recipients reply to a spam, their addresses are considered active and added to the "clean" list.
HARVESTING
Indexing software similar to that employed by search engines such as Google and Alta Vista trawls the Internet collecting e-mail addresses posted on Web sites, newsgroups and forums.
VIRUSES
Once the virus, which typically arrives as an attachment in an e-mail, is downloaded to your computer, it rifles through your hard drive collecting e-mail addresses. It then sends itself to all the people named on your contact list and back to the spammer with a haul of fresh addresses.
SIGN-UP LISTS
Some Web sites sell their subscriber lists to preferred partners, which in turn sell them to their preferred partners, and so on until the list finds its way into the hands of a spammer.
5 Types of Workplace Spam
Annoying, unwanted e-mail comes in all shapes. In her book Managing Your E-mail: Thinking Outside the Inbox, University of Western Ontario business professor Christina Cavanagh identifies a set of "workplace spam" that drives a frustrating wedge into our productivity on a daily basis. She also argues it's high time we instituted some e-mail etiquette at work. "Companies need to develop e-mail policies in the workplace," she says, "that suggest what's an appropriate e-mail and what isn't." Cavanagh breaks down the at-work e-mail onslaught into five categories:
CORPORATE SPAM
People who work for mid- to large-sized corporations know this one all too well. These messages are often addressed to everyone in the company regardless of relevance to the recipient. Cavanagh suggests the information be posted to a company intranet Web site where employees can peruse it at their discretion.
PROFILE SPAM
These e-mails are designed to keep the sender's name front and centre with the recipient - usually a manager or someone higher up the chain - to achieve greater career visibility.
CAMOUFLAGE SPAM
Also known as "cover your butt" spam, these are notes recorded from conversations and forwarded to co-workers with the sole purpose of protecting the sender.
FRIENDLY SPAM
Personal requests for donations, reminders of cookie sales, office events, and raffle ticket sales circulated on company e-mail.
INTUITION SPAM
A message forwarded by a co-worker or friend who thinks you would be interested in the content, whether it's a joke, chain mail, a Web link or article chock full of "interesting" information.
7 Ways to Reduce Spam
Avoid purchasing products from unsolicited e-mail. The economic incentive encourages them to continue spamming.
Never respond to any spam messages or click on links in the e-mail. Often spammers use an "unsubscribe" link to verify your e-mail account is live.
Do not open an unsolicited message if you don't recognize the sender. Viruses embedded in e-mails can install an application on your computer to be used by spammers or to damage your system.
Avoid using the preview function on your e-mail software. Often spammers can track whether a message has been viewed even if you haven't actually opened it.
Create and use more than one e-mail address. Distribute your primary address to family and friends only. Other addresses can be used for making purchases on-line, subscribing to e-mail newsletters, posting to newsgroups and forums, and registering for Web sites. This should reduce the volume of spam to your main account.
Protect your computer. Install spam filters and anti-virus software, or find a third-party service to filter your e-mail. If you have high-speed Internet access at home, consider purchasing and installing a firewall to prevent spammers from turning your computer into a "zombie" system, which they can use to send out more spam.
Contact the Internet service provider. Once you've identified a spam message, report it to both your own ISP and that of the spammer. It will help yours provide better filtering capabilities, and the spammer's ISP will kick that user off its system.
Maclean's February 23, 2004