30 years of Spam - and we ain't finished yet

Why 30 years of spam? Because it works..

The sad truth of the matter is that we are blighted with spam because it works for the bad guys.

We may all roll our eyes at yet-another-letter-from-NIgeria, the endless waves of fake Rolex offers, weight loss pills, and unwanted mortgage loans.. but the only reason these things get sent is because *some* people *occasionally* respond to spam and make a purchase.

What we really need to do is educate more people to NEVER buy, try or reply to spam. The dudes at SophosLabs put a little video together today hoping to raise awareness of the need to never buy goods advertised via spam:

http://www.youtube.com/watch?v=3-E6hkOuEiI

Maybe the readers of The Register are immune from the lure of spam emails, but can we say the same of everyone in our family? Is it our Aunty Hilda's innocent clicking and purchasing of penny stocks what is perpetuating the spam problem?

green card lawyers

I still have my Green Card Lawyers -- Spamming The Globe T-shirt from the first organized effort to stop spam by denying spammers a UUCP connection. This was back in the days when system admins thought they could cut off spammers air supply. 1993 I think. But there was always someone willing to forward spam for money. Sigh.

Sophos's 95 percent spam stat @Gordon Fecyk

Hi Gordon.

Sophos's figure of 95% of email is spam comes from our spam filtering software and appliances at companies worldwide. We count the amount of legitimate email they receive, and we count the amount of spam they receive. And then do the maths to get a percentage.

Of course, individuals may have varying experiences.

11 percent of people admit to having bought from spam

http://www.sophos.com/news/2007/12/spam-buyers.html

We polled 390 people in November 2007. 11% said that they had bought goods advertised via spam.

Hope that helps.

11% of who?

The 11% does come from an online poll of 390 people. How they were selected / asked to participate isn't clear.

Also, I'd wonder how many of the kind of people who might answer "Yes!" to "Have you bought spam advertised products?" entirely understand the difference between spam emails and marketing emails resulting from them handing their details out to a legitimate company (who might have passed them on to an associate).

11% of people who came to Sophos's website

The poll was run on our website. According to the marketroids, the typical make-up of people who come to our website are IT specialists and system administrators (as we don't have a consumer product).

I expect they know the difference between spam and "legitimate" marketing emails - but who knows..

We've published links and more information on the Sophos Spam Pledge page at http://www.sophos.com/pledge

Not scientific

"Please bear in mind that this poll is not scientific and is provided for information purposes only. Sophos makes no guarantees about the accuracy of the results other than that they reflect the choices of the users who participated"

So that's 11% of people who responded to an email invitation to do a poll - sounds like the gullible being led by the nose and a vast overestimation.

By the way, if it's not scientific it has no information content, so there is no 'information purpose' - pay some researchers to do it properly.

11 percent?

The 11% will be of those surveyed, all of which would have to be internet users to qualify. Therefore it doesn't follow that 50% of internet users respond to spam.

I completely agree with David Wilson's comment that quite a few of those respondents wouldn't be able to distinguish between spam and opted-in retail communications (whether opted in intentionally or not).

We just have to accept that some people are just so stupid that they either don't care or don't realise that responding to the spam makes the problem worse. Education is the only way to go, and even that's not going to go that far.

11% of *WHO*?

>>"The poll was run on our website. According to the marketroids, the typical make-up of people who come to our website are IT specialists and system administrators (as we don't have a consumer product)."

>>"I expect they know the difference between spam and "legitimate" marketing emails - but who knows.."

So something like 11% of *IT specialists and sysadmins* buy as a result of actual spam emails, not just legitimate marketing stuff?

Unless there's a fair chunk of BOFHs there buying stuff on the boss's credit card, or people deliberately mis-answering the survey for joke or darker reasons, those *would* be pretty scary figures.

RMS sure changed in the past 30 years

A quote from his message:

"Must I advertise in a paper in every city in the US with population over 50,000 and then go to all of them to interview, all in the name of fairness? Some people, I am afraid, would think so. Such a great insistence on fairness would destort everyone's lives and do much more harm than good."

Here RMS is complaining about people forcing their fairness on others, yet what does the GPL do?

re: And where did Sophos get this 95% number from

I would guess that 95% is a pretty accurate number. I have one client who is averaging 99.468% spam. From 17 Mar to 15 Apr, they received 2,283,349 messages. Of those, GFI MailEssentials detected 2,271,209 as spam (which still isn't all of them, because there are still spam messages which get past the filters). That leaves 12,140 possibly legitimate messages.

Of those 2,271,209 spam messages -- 2,179,780 were directory harvesting (non-existing recipient addresses); 7,098 failed SPF; 2,338 failed spam URL blacklist; and 74,233 failed Bayesian analysis.

If you exclude the directory harvesting messages and only include properly addressed and received messages, that's 103,569 total messages minus 12,140 possibly legitimate messages, resulting in 91,429 spam messages (88.27%).

Re: RMS sure changed in the past 30 years

"...RMS is complaining about people forcing their fairness on others, yet what does the GPL do?"

A tad unfair, methinks. You don't *need* to use GPLed software. Most of us do need to put up with spam.

That 90% share of the market that Windows has? Nearly all have got email addresses (pumping spam, worst luck) and hardly any have GPLed software. I'll go out on a limb and say that the average computer user finds it dead easy to live without GPLed software but living without an email address would defeat one of the principal reasons for their having a computer.

UCE vs spam?

I always thought the first spam (vs UCE) appeared on Usenet (early '90s?) where two US lawyers cross-posted advert-laden messages across thousands of groups. Cross-posting on its own is a capital offence on Usenet but advertising as well! Regardless of the flame war they created, the two mother lovers were proud of their stunt.

My point is at the time there was differentiation between UCE (what is now email spam) and Usenet spam. I don't really see the need myself but some pedants at the time were quite adamant about insisting on the correct terminology...

Oh yeah, clicking on and/or buying from a spammed link should be punishable by public boilng.

Mechanics of Spam....

Lets break it down here.

Cost of sending a single spam e-mail: $0.00. Building a botnet doesn't cost money, just takes some coding skill and time. Even if it costs $10,000 you can then use that net to send out billions upon billions of e-mails.

If your spam generates $2 per "sale" you only need 5,000 people to fall for it to make profit. Then until your botnet is caught (months? years?) you can keep sending any veriety of junk e-mail you want for effectively no cost.

There is no effective "retalliation" for spam. E.g. lets say us "smart" net users agreed that every time we recieved a spam e-mail we would feed the domain into a script that just hammers the site to death thus preventing sales....all it takes is one person to put "www.theregister.co.uk" into their spam and no more register.

I'm all for the charge $0.01 per e-mail idea suggested before. make people buy $10 of credit, and once they send 1,000 e-mails they need to top up the account. No more spam.

my servey says

I just polled the pepol in my office and I can confendly say that 0% of the populatoin respond to spam emails buy this logic spam will be dead b y next mounth I will pridect with certainty

I reply to all my spam

It usually consists of:

Dear Sir or Madam,

Thank you for your nice email. However, I am completely happy with the size of my penis, and therefore have no need for your product.

------------

As for the term SPAM, I though it was an acronym for something. can't remember what "S" stood for, but the rest was "Processed Automated Mail".

@11% of people...

Maybe we need an annual spam Day, when all ISPs switch their filters for a day so that instead of blocking spam emails they let them through and just change the subject line to "Buying products advertised in spam emails is why there is so much spam." Or leave it like that permanently. People who know how to set up their own local filters based on the subject line are probably more likely to know not to buy from spammers anyway.

Sophos's 95 percent spam stat @Gordon Fecyk

We use Pure Message and our email admin said that it was running at about 95%, Last year it was about 90%, or about 97,000 out of 105,000 messages received.

Really, spammers are deluging the net with a tsunami of spam. Problem is that, due to filtering, the users see few of the spams and think that the amount is actually much lower.

@Allan, I meant things like 0user@example and such

In one client's logs, prior to implementing ML, I saw a massive number of dumb things like "12345_validuser@example" and "0validuser@example" and "aliduser@example" (missing first character) -- this was what I meant. I don't know about businesses outside my scope of influence, but no one I knew had addresses like that on their own domains.

Of the 95% of e-mail that Sophos claims is spam, how much of it is destined for addresses that never have and never likely will exist?

We used to stop these with a 550 Invalid User response, until spammers started using automated guessing bots against them. Then we started accepting them and bounced them later, only to cause a reverse flood to some hapless soul whose address happened to be in the MAIL FROM command. Now we're eating messages we'd normally bounce. I still don't want to include such messages that are "permanently undeliverable" in any realistic spam statistic.

Nowadays I'm fine with giving spammers a 550 response, because anything that gets past ML has to look so un-spammish that, if I deemed it to be spam, I could put the sender in the "go away and don't come back" list and have it work.

By the way, who in Hades is "Doron Pely" and why is she trying to sell me on Homeland Security related stocks? To a Canadian, no less?

Re: And where did Sophos get this 95% number from?

A quick look at today's logs shows 722 (attempted) message deliveries, 37 of which were legit, the rest rubbish: which works out at 94.87%.

Spam works...

From SANS' "NewsBites" email newsletter:

"Edward Davidson has been sentenced to 21 months in federal prison for tax evasion and sending spam. Davidson sent hundreds of thousands of spam messages with falsified header data over a period of nearly five years. According to authorities, Davidson made US $3.5 million sending the spam for a number of companies;" It goes on to say he has to pay $700K to the IRS.

So his tax rate is less than mine, AND his income is substantially higher to boot? Now all we need to be told is that his prison time won't be spent in the "pound me in the..." prison the guys in Office Space feared so much.