According to a report released by the Federal Trade Commission on April 30 (www.ftc.gov/reports/spam/030429spamreport.pdf), much of the spam mail we receive contains false claims as well as other deceptive, and probably illegal, content. To determine the degree of proliferation and deception in spam, the FTC created what appeared to be private websites containing unique email addresses only used on those sites, and posted material in popular newsgroups and chat areas, again using unique email addresses. During the collection phase, over 11,000,000 spam emails were sent by citizens, or received by the “dummy” email addresses created for this purpose. Since many internet users wonder where and how spammers get their email addresses, the FTC found that 86% of the email addresses used on their websites and newsgroups were harvested and resold by spammers. The FTC also tracked the success rate of the “remove me” links commonly given by spammers, and found that 63% of the remove requests were not honored. The FTC also found substantial misrepresentation in the sample emails analyzed, including false “From:” and “Subject:” lines, often clearly intended to trick the recipient into opening the message. Many of those messages (17% of “Adult” spam with false headers) would then display pornographic images without any regard to the age or emotional status of the recipient.
In the analysis of about 1000 spam emails, the FTC found that 20% of the emails were for what the FTC labeled “Investment or Business Opportunities”, including such offers as work-at-home, franchise opportunities, chain letters, and other non-securities offers. “Adult” spam, consisting mostly of pornography and dating services, accounted for 18% of all spam, while “Financial” spam, consisting of credit card offers, mortgage refinancing, cheap insurance, and other related items composed 17% of spam. Close behind were “Products and Services” (16%), “Health” related spam offering dietary supplements, disease prevention, and physical enhancement (mostly sexual in nature) accounted for 10% of all spam. Only 7% of the spam was for computer or Internet related equipment or services. It should be noted that all of this spam received by the FTC was indeed unsolicited, and not in response to an inquiry made by FTC staffers, even though many of the emails claimed (falsely) to be a reply to an inquiry, or the result of signing up for an “opt-in” service.
The FTC also investigated the accuracy of the email headers, and found that one-third of all spam mail had false “From:” lines in an attempt to disguise the source of the email. Almost half (46%) of the spams with false “From:” lines appeared to be from an acquaintance of the recipient, apparently to trick the recipient into opening the message. Another 13% of these emails appeared to come from an established business relationship, and 14% had blank sources. Some spammers (3%) try to trick the recipient into opening the messages by showing that the message appeared to be from the recipient himself!
The “Subject:” line of spam was only slightly less deceptive; with 22% of spams containing false subject lines, with one-third of those having a stated subject totally unrelated to the content of the message. 42% of these false subject lines alleged to show some existing business or personal relationship with the recipient. Cumulatively, 44% of all spam mail had false “From:” and/or “Subject:” lines. Personally, I do not understand how anyone could transact business, including possibly sending credit card information, to an unknown individual who is lying about his true identity; that is a real setup for fraud and loss.
The body of the message also often contained deceptive information, with 40% of all spam mail containing one or more falsehoods in the content of the message; of those messages touting “Investment or Business Opportunities”, a full 90% contained false information, while 49% of the “Health” spams had falsehoods. 47% of the travel and leisure related spams contained false information. Considering the “From:”, “Subject:” and body of the spam mail, the cumulative number of false emails rises to 66%, with 96% of all “Investment or Business Opportunities” containing misinformation. Again, it amazes me that so many Internet users are gullible and fall for these deceptions. Despite some states requiring commercial email to contain the prefix “ADV” in the subject line, only 2% of all spam complied.
Then there are the chain letters, which often claim to be legal, even to the point of being endorsed by government agencies. According to the FTC, “Nothing is further from the truth.”
It may get worse – spammers are now targeting our cell phones, and most of us pay to receive text messages, shifting the cost of spam almost totally to us, the recipients.
According to a report recently published by Ferris Research, it is estimated that spam will cost American businesses over $10 billion this year, considering computing resources, labor costs, and lost productivity. According to the email filtering service Brightmail, in the month of March 2003, 45% of all email was spam, compared to only 16% in January 2002, a 181% increase!
The FTC has created a website with good information on spam, including tips on reducing the volume received, as well as ideas on preventing spam. This site is online at www.ftc.gov/spam, and contains much helpful information.
As has been stated previously in this column, email addresses are typically harvested from websites, newsgroup postings, chat rooms, and other sources. Many web merchants also sell lists of customers, and there are also some Internet Service Providers (ISPs) and email providers that sell subscriber lists. Many of the free email subscription services offering jokes, recipes, news, and other information, support themselves by selling subscriber information. Many software publishers sell lists of registered users. Some viruses, worms, Trojans, and spyware may harvest the users’ personal email addresses, and possibly even hijack an address book. Once harvested, email addresses, often millions of them, are compiled and sorted, and then sold and resold countless times.
Some spam mail is sent using even more insidious means, such as by software installed by some of the popular file sharing programs, concealing the real source of the spam. Another method, recently reported on securityfocus.com, in an article “Rise of the Spam Zombies”, is the rapidly spreading use of worms and viruses as a means of sending spam mail from infected computers. One especially nasty Trojan is the “Proxy-Guzu”, which makes the infected computer and Internet connection available to spammers, who can then send spam from that computer, again obscuring the real source. If the source is traced, it will point back to the infected computer. “Proxy-Guzu” may be installed on the victims’ computers after the users open emails claiming to have images from an “adult” webcam, or other forms of pornography. Another backdoor Trojan worm, “Jeem”, has been around for about a year, and enables unauthorized access to the victims’ computers for the purpose of “laundering” spam email, again making the true source undetectable, and showing the source as the infected computers. This again emphasizes the oft-stated necessity to have updated antivirus software installed, as well as the need for a firewall and anti-spyware software.
The FTC has suggestions on making your email address less vulnerable to harvesting. The FTC suggests that your email addresses not be posted to the public. Many users have public email addresses used on websites, newsrooms, and chats, and private email addresses only given to family and trusted friends, but never publicly used. Another FTC suggestion is to be careful about submitting your email address to a web merchant or other website; read the sites’ privacy statements, being sure that your email address will not be sold or used for other purposes. Refuse to give your email to any site that will not protect it, and opt-out of any sites that have previously been joined. Of course, once an address is available and harvested, it can never be totally removed from spam lists. If a site with a privacy policy also offers to share your information with “selected partners”, be sure to refuse such sharing.
Many ISPs now offer some form of email filtering, which can offer a varying quality of protection from spam (and viruses). If your ISP offers it, sign up for it; some ISPs offer active filtering, while others simply subscribe to one of the many “blacklists” that block emails from all senders in a block of addresses. Many blacklists also stop large amounts of legitimate email along with the spam, and often block innocent senders who are blacklisted, as 46% of spam (according to the FTC) has forged “From:” headers.
There are now many spam filtering software products that can be installed on personal computers. Some are from the leading antivirus publishers and other major software publishers, and others are independently produced. Much of the technology is immature, and some of the products are of dubious utility, but most offer some degree of protection from spam. I have tried several, and had mixed results, none being totally accurate. The highest success rate I found when experimenting with spam filters was the commercially available Brightmail service. Brightmail is no longer available directly to individuals (used to be free), but many ISPs subscribe to its service. Emails are routed through the Brightmail server, where each message is electronically scanned for spam, and sorted. “Clean” email is forwarded to the subscriber, and the email filtered out is available on the Brightmail site for a limited period, where the user can inspect it, and approve it for receipt, if desired.
Federal legislation controlling spam is making its way through Congress, but there is a powerful lobby resisting the measure. Federal legislation will also be ineffective in stopping spam from foreign sources, but something needs to be done to decrease the rate of spam. Some pundits are currently calling spam the biggest threat to the Internet, even worse than viruses, worms, and Trojans.
For more information on the Tulsa Computer Society click here