CyberSafety:
Email
and
Spam
Computer
viruses
and
spam
both show up in online user's email inboxes. Viruses
are relatively easily dealt with, using a combination of common sense,
healthy paranoia, and free or inexpensive software. Spam, however, is
harder
for many users to get under control
Spam
is
the
common name for what is sometimes referred to as 'unsolicited
commercial
e-mail'. In other words, e-mail messages are generally trying to get
money
from you-- whether selling products you don't want (herbal ecstasy,
refinanced
mortgages, penis enlargements), get you to visit pay-for-porn websites,
or hoping you'll send money to someone in Africa after being promised
the
chance to make millions of dollars.
Some
users
rarely
receive
spam, others receive dozens of messages a day. Spam is
increasing
in frequency; it has been estimated that it will soon account for 50%
of
all e-mail traffic. While not all spam is sexually-related, many of us
are finding more and more messages including sexually-explicit offers
and
photos.
According
to
antispam
firm Brightmail, in March 2003, scams accounted for 10% of all
spam, while financial offers made up another 17%. 19% was porn or other
'adult-oriented' offers, as was product advertising, with a further 4%
for medical offers. (http://zdnet.com.com/2100-1105-996003.html)
Yes,
you
can
just delete these messages, often without even bothering to open them
up.
But even that wastes time.
How
do they get my address?
Spam
is
not
directly an Internet security hazard, but for many people, it is a
growing
irritant. Many other people, however, seem to rarely get spam.
According
to a study sponsored by the Pew Internet & American Life Project (http://www.pewinternet.org/)
two groups of people are most likely to get spam:
- Internet 'power emailers' who
have posted
their email addresses publicly on web sites, in Usenet groups, etc.
receive
mail because these addresses are harvested by 'spambots', searching the
Net for recognizable email addresses.
- Ordinary users who sign on for free
email
accounts (such as the popular hotmail.com) or use other popular domains
for their email; there is no evidence that such services provide their
users addresses to spammers, rather, they are subject to 'brute force'
attacks, checking for the existence of combinations of common first and
last names on those domains.
- If you've ever entered your email
address
online in a contest, to buy something, registered a product, or
subscribed
to an email newsletter, you may have failed to uncheck an option in the
fine print 'to receive valuable offers from our marketing partners'. In
that case, you allowed the owners of the website to sell or trade your
address-- and the recipients to sell or trade it, on and on down the
line.
You have 'opted-in' to receive spam.
Why
can't the government just outlaw spam?
In
the
US,
there's
ongoing discussion over whether commercial messages like spam are
covered
under Constitutional rights to free speech. In other countries
(including
Canada), such rights are less firmly enshrined in law. But even if a
government
passed a law banning spam, nothing much would change. The Internet
makes
tracking spammers for prosecution extremely difficult, and there are
questions
over what jurisdiction a spammer could be tried under. A US-based
spammer
may have a website on a computer in the Bahamas, but use computers in
Russia
to actually send out millions of unsolicited email messages to users
around
the world. Under what set of laws can he be tried?
Late
in
2003,
the
US Congress passed a so-called Can-Spam Law; critics suggest that
it
simply legalizes spam while making it more difficult to do anything
about
it:
http://www.gripe2ed.com/scoop/story/2003/12/11/9145/0712
Despite my pessimism, in late 2005 the US
FTC reported to Congress that the Can-Spam Law was working; even though
70% of the world's email messages were spam, the percentage was
levelling off. (http://news.zdnet.com/2100-9588_22-6003071.html?tag=zdfd.newsfeed)
How
about making it cost money to send bulk email?
If it cost a few cents for each message,
spammers would be financially discouraged. Yes. But there are at least
two problems with this proposal:
1) How to change the widespread email
system that is currently free for end-users to one where users are
charged
by the message. Who charges these fees? Who gets to keep the proceeds?
How is it administered? Currently, anyone can set up an email server.
2) How to avoid putting legitimate
mass-mailers
out of business. Free email has permitted the blossoming of huge
numbers
of electronic publications using email for distribution to people who
choose
to subscribe. Some of them are commercial-- I choose to get sale
notices
from the Future Shop electronics chain. Others are computer-related,
political,
social, literary, or what-have-you. Charging for email would quickly
put
most of these out of business, or force currently free publications to
charge a subscription, in either case, dramatically affecting them for
the worse. One of the rare areas of a truly free press would be brought
to a sudden halt.
What
about black lists?
A
number
of
anti-spam tools rely on blacklists-- an example is SpamCop
(http://www.spamcop.net). When
users
receive messages they don't want, they send them to a website, which
uses
them to compile blacklists of spammers; future messages from the
sending
computer's IP address are banned. It sounds promising, but these lists
are problematic; real spammers can change addresses frequently,
defeating
black lists. Moreover, users often mistakenly send blacklists messages
from valid email publications-- rather than unsubscribe from the list,
they get their anti-spam tool to block future issues. But that means
that
everyone who subscribes to that publication no longer receives it,
whether
they want to get it or not! Publishers of email publications have
described
how they're having to spend increasing amounts of time untangling their
legitimate mass-mailings from black lists that have mistakenly listed
them.
Whitelists,
too...
Whitelists work (not surprisingly)
just the reverse of blacklists... instead of having a service make a
list
of addresses to block, they set up a list of email addresses to allow-
the contents of your address book, for instance. Obviously this cuts
down
on mistakes, but it isn't a solution by itself.
Human
interaction
ZDnet commentator David Coursey
wrote in March 2003 that he had 'finally found a cure for spam (for
now)'
(http://www.zdnet.com/anchordesk/stories/story/0,10738,2913158,00.html)
with
a
service called Mailblocks which, when suspicious-seeming
messages
were identified, wouldn't let the message through until a real human
went
to a website, and replied to a numeric puzzle embedded in a graphic
image.
Nice, but I suspect it would again cause problems for legitimate
e-mailing
lists and other non-spam bulk mailings.
Roll
your own
Email programs include the ability to
filter messages, and automatically do a variety of things to them. In
Outlook
Express, this involves setting up what are called 'rules', in Eudora, a
similar capability is called 'filters'. You could make a set of rules
or
filters that, if they encounter specific words or phrases in the
subject
or body of a letter, automatically routes that message to a Spam folder
you've created, for instance. Periodically, you would review the
contents
of that folder, trashing the real spam, and saving the
wrongly-identified
messages. According to the Wired article (referenced at the end of this
tutorial):
What's
the most obvious spam tip-off? Ask SpamArchive.org. Its parent, email
security
firm CipherTrust, combed through more than 250,000 junk emails for Wired
and identified the telltale signs that you've got spam.
Top
25 subject-line words and symbols:
Fwd,
Free, Get, FREE, $, !, SPAM, You, Your, Norton, Credit, Save, 000, Now,
Check, Year, Make, Sale, Money, DVD, just, now, Lose, software, Earn
Top
25 phrases in body text:
opt-in,
now!, offers, most, partners, 999, fulfillment, yamato, naviant,
partner,
removal, recurring, mailings, free!, assistant, enjoy, grocers,
mailing,
subscriber, cash, sun, rewarding, buy, today!, marketing
More
on
setting
up
your own filters in Outlook, Outlook Express, Netscape Mail, and
other
email programs can be found In the Feb 2003 PC World article at: http://www.pcworld.com/howto/article/0%2Caid%2C107864%2C00.asp
Cecil
Williams
has
posted
an article online on creating and using Eudora filters that
he claims can block up to 99% of spam; his website:
http://www.cecilw.com/eudora/ includes sample filter-sets for
downloading.
Users of other email programs may want to look at it for examples of
how
to create filters in their preferred programs. Alternatively, Robin
Keir's
free K9 (http://www.keir.net/k9.html)
is
a
free email filtering application that works with Outlook Express
and
other standard POP3 email programs.
However,
spammers
have
started responding to this sort of filtering, adding junk
characters, mis-spellings, replacing letters like 'E' with '3' all in
an effort to out-wit relatively simple filters.
Another
useful
way to help limit spam
(and some potential virus problems) is to turn off the preview pane.
This helps because when you view (or preview) a message, when it goes
online to grab graphics, it reports your location/email address, thus
letting the spammers know that they've reached a real e-mail address...
the result will be more spam coming to your address.
With
the
preview pane turned off, you can
delete obvious spam (and virus-infected) messages without having to see
them first.
In Outlook,
click View -> Preview Pane
and remove the checkmark. In Outlook
Express, clickView->
Layout
and remove the checkmark beside Show
preview
pane. In Eudora,
you could turn off display of HTML-formatted mail clicking Tools
-> Options -> Display and uncheck Automatically
download HTML graphics. Now you can delete obvious spam without
viewing it.
You
may
also
be able to turn off automatic previewing of messages in some webmail
services.
Antispam
software
Antispam products typically use
some combination of blacklists, whitelists, checking for circuitous
delivery
routes, looking for suspicious keywords in subject lines and body text,
and more. Receiving a lot of attention recently are so-called Bayesian
analysis-- sophisticated ways of looking at message content.
Software
or services combining all these techniques are being sold to large
corporations
or ISPs to protect groups of users-- either installing software on the
network server (such as Vancouver-based ActiveState's PureMessage) or
as
a service that organizations contract to filter all the email entering
their domain (such as FrontBridge -- formerly known as BigFish).
Other
antispam
software
is
aimed at individual email recipients. PC Magazine and PC
World
spring 2003 reviews of a range of such products are listed at the end
of
this article; the PC Magazine article notes: "...even with training,
some
spam gets through. The consumer products we tested typically blocked
about
75 percent of spam; the corporate products, 85 percent. Worse, these
tools
can block legitimate messages." Products have to deal with two types of
errors: false negatives, where real spam is not caught, and more
awkwardly,
false positives where mail that is not spam is mistakenly blocked.
PC
Magazine's
favorite
program
for personal use was the US$20 (per year) SpamCatcher
(http://www.mailshell.com/spamcatcher)
which
integrates
with Microsoft Outlook 2000 or 2002. (The company also
has a 'Universal' version for Outlook Express, Eudora, Netscape, etc.).
PC World's May 2003 best buy was the US$20 IHateSpam
which also integrates with Outlook. (http://www.sunbelt-software.com/
The company also makes a version for Outlook Express). There are
downloadable
30-day free trial versions of both SpamCatcher and IHateSpam, though in
each case, users must register with the company to receive registration
keys).
In
its
05-19-03
issue,
Infoworld was very impressed with the free add-in for Outlook
(not
Outlook Express): SpamBayes
(http://spambayes.sourceforge.net/index.html), rating it 9.4 out of 10.
For best results, you should have a set of messages that you consider
spam
along with another set that is non-spam, so the software can learn to
work
the way you do; afterwards, check its proposed results for a while. It
can be used with non-Outlook mail clients, but requires complicated
setup/installation
in that case. Another Outlook add-in that's free for personal use
is SurfSecret
SpamDrop (http://www.surfsecret.com/products/product-SDROP.html)
In
Febrary
2004,
PC
Magazine revisited Spam Blockers: http://www.pcmag.com/article2/0,4149,1474449,00.asp
reviewing 11 antispam utilities. Their favourite this time around was
Symantec's
Norton AntiSpam 2004.
PopFile
(http://popfile.sourceforge.net/)
is
a
free, open-source, cross-platform anti-spam program that works
with
most email software (in includes detailed instructions for Outlook,
Outlook
Express, Eudora, and Pegasus, and can be made to work with other
programs
as well). When first set up, it's stupid, but over time, will learn
from
what you consider spam.
If
you use PopFile with Outlook, you may want to check out the free
(donations
accepted) Outclass (http://www.vargonsoft.com/Outclass/
) which simplifies PopFile setup.
The
free
version
of No-spam-today
(http://www.no-spam-today.com/)
intercepts your mail before it gets to your email software, and is good
for up to 10 e-mail addresses (for personal use).
Another
popular
product
is
MailWasher (http://www.mailwasher.net),
with
a
free version and a US$20 Pro version. I found it awkward
to
use, as it must be run as a separate program, prior to opening your
mail
software, rather than integrating directily into your email software.
The
US$30 Pro version (again, there's a 30-day free trial version) supports
multiple mail accounts and Hotmail accounts.
Rather
than
adding
a 3rd party anti-spam program, some users may prefer to move to
an email client with built-in spam filtering. Apple's Mail
(included in its OS X 10.2 and later) and Mozilla Thunderbird email
software (http://www.mozilla.org
for
Windows, Linux, and Mac OS X) both include built-in optional anti-spam
filtering. Outlook XP (but not Outlook Express) and Eudora Pro 6 (paid
US$29 version only) now include antispam filtering; I'm currently using
Eudora Pro 6, and finding it's catching about 90% of the spam coming
into
my accounts. Outlook 2003,
included in the October 2003 release of Microsoft
Office 2003, reportedly also includes reasonably effective spam
filtering.
When
turned
on,
each tries to identify spam messages. A toolbar icon allowing users
to correct their initial opinions lets the program 'learn' better what
you consider spam.
|
|
Here
are
the Junk Mail options for Eudora 6.0. Note the user can define mail
as not
spam if the user is in the address book, and can automatically add
all non-junk
senders to the address book (which I didn't do). This would create
a white
list of designated non-junk addresses.
Users can adjust the Junk
Threshold to
catch more junk mail (but probably accidentally junk more legitimate
mail)
or let more junk through but mis-label fewer legitimate messages.
Junk messages can be
automatically moved
to an automatically created Junk mailbox, or left in the Inbox for
manual
inspection. Messages in the Junk Mailbox are automatically removed
after
a user-configurable amount of time. (By default, they're not erased,
but
moved to Eudora's Trash, where they can still be retrieved until the
Trash
is emptied).
|
How
Antispam filters work
(From PC World May 2003, referenced
below):
- Spam filters look hard at the return
address,
which is often fake. In this case, the address consists almost entirely
of numbers, a common component of machine-generated spam.
- A filter may examine the IP
address
where
the e-mail originated and compare it against lists of addresses known
to
be sources of spam. If it finds a match, that e-mail is usually
blocked.
- Some antispam software
compares the
date on
the message against the time it's actually received; spammers will
either
delete the date or assign one in the future so that the e-mail lands at
the top of its victims' mailboxes.
- Common catchphrases in the
subject
line (like as seen on TV and free gifts) are another
giveaway;
many
spammers also insert garbage characters, misspellings, or odd letter
spacing
in an attempt to fool simple text filters.
- Lines entirely in capital
letters--or oversize
fonts in HTML mail--are a common spam tactic, so some filters flag
messages
that contain them.
Antispam
tips
- Only give out your email address to
people
you plan to correspond with. For web-based forms, see below.
- Use free email accounts (HotMail,
YahooMail,
etc) to create an email address to use to correspond with Web-based
merchants
etc. When the free account gets clogged with spam, abandon it and
create
another.
- Use a disposable email address,
again abandoning
it when it starts to get spam. See: Disposable
Email Services: http://www.pcmag.com/article2/0,4149,849410,00.asp)SpamGourmet
(http://www.spamgourmet.com)
or Mailinator (http://www.mailinator.com/mailinator/Welcome.do) are
free services.
- Use fake email addresses-- in other
words,
on Web forms feel free to lie!
- Don't post your email address on web
pages,
guest books, contact lists, newsgroups, contact lists, etc. If you need
to, add an extra something that real humans will understand:
alan@nospam.zisman.ca
or alan at zisman dot ca
- Many spam messages claim you can get
them
to stop pestering you by replying to them. Don't! Replying to a spam
message
simply confirms that they've reached a valid email address and will
only
increase the amount of spam you receive.
- When you buy anything online or fill
in an
online form, check for options to opt out of receiving email or giving
permission for the company to share your address with others. Be sure
that
these are checked appropriately.
- When buying online or filling in
forms, look
for links to a privacy policy, and read it. If there is no obvious
policy,
use free or disposable email or a fake address.
Fight
Back
A number of organizations are
working
against spam, including
CAUCE
(Coalition Against Unsolicited Commercial E-mail:
http://www.cauce.org),
Spam
Cop (
http://spamcop.net),
and
JunkBusters
(
http://www.junkbusters.com).
IM Spam
Slightly different is spam in Instant
Messenger programs or chat rooms. Read about it and what you can do to
control it at: http://www.pcmag.com/article2/0,4149,1401423,00.asp
Advanced
If you are designing a webpage
and are tempted to include your email address to make it easy for
readers
to contact you (as I've done on this page), think again. You're also
making
it easy for spam harvesters to get your address (as I've also done).
Instead,
use javascript to hide your address from the spam-bots, while letting
humans
still contact you. See the tutorial at: http://www.insideoutmarketing.com/index.php?p=pages&pid=15.
The
Center
for Democracy & Technology report cited above suggests
that
steps to hide email addresses are (at least for now) effective against
spam harvesters.
An alternative way to hide your email address on posted webpages is
using a free product called Natata
Anti-spam encoder (http://natata.hn3.net/antispam_encoder.htm).
Further
Reading
How
antispam software works: Wired Magazine April 2003:
http://www.wired.com/wired/archive/11.04/start.html?pg=6
Natural-Born
Spam Killers: PC World
May 2003: http://www.pcworld.com/reviews/article/0,aid,109698,pg,1,00.asp
Corporate
Antispam Tools: PC
Magazine Feb 25, 2003: http://www.pcmag.com/article2/0,4149,849558,00.asp
Personal
Antispam Tools: PC
Magazine Feb 25, 2003: http://www.pcmag.com/article2/0,4149,849389,00.asp
Find
out where spammers get your address: IDG News Service Mar
19,
2003: http://www.pcworld.com/news/article/0,aid,109884,00.asp
Spam,
Inc. PC World August
2002: http://www.pcworld.com/howto/article/0%2Caid%2C101769%2C00.asp
Spam,
spam, spam, spam Globe and
Mail Report on Business May 2003: http://www.globeandmail.com/servlet/ArticleNews/TPStory/LAC/20030425/RO5SPAM/TPBusiness/ROBM
Why Am
I Getting All This Spam? Center
for Democracy and Technology
March 2003: http://www.cdt.org/speech/spam/030319spamreport.shtml
Info
on African money appeals: The 419 Coalitionhttp://home.rica.net/alphae/419coal/
Who
profits
from spam: August 2003 MSNBC
article http://www.msnbc.com/news/940490.asp?0ql=c9p&cp1=1
Confessions
of a Spam King: September 28
2003 NY Times article takes you inside
the spam industry (free registration required): http://www.nytimes.com/2003/09/28/magazine/28SPAMLT.html
Big
Companies
Add to Spam: October 28,
2003 NY Times shows how spam is not always
low-down and dirty http://www.nytimes.com/2003/10/28/technology/28SPAM.html
Detecting
Spam: May 4, 2004 PC Magazine article on how Bayesian filters
work: http://www.pcmag.com/article2/0,1759,1567368,00.asp
Delete: Bathwater, Undelete: Baby-
August 5 2004 NY Times article on the ongoing 'battle' between spam and
spam filters: http://www.nytimes.com/2004/08/05/technology/circuits/05filt.html
Microsoft Tracks Zombies to the
Source- October 2005: How Microsoft set up 'honeypots' to catch
hackers taking over computer on behalf of spammers:
http://www.aunty-spam.com/microsoft-tracks-zombies-to-the-source-sues-zombie-seeders-and-spammers
Homework
- Download and install one (or more)
of the
free or trial antispam utilities listed on this page or listed at: http://www.pcworld.com/downloads/file_description/0%2Cfid%2C22343%2C00.asp
and or try out
Mozilla
Firebird (or the paid version of Eudora 6) see how well it works for you
- Sign up for a free email account
with Hotmail
or Yahoo mail
- Sign up for a disposable email
address from
SpamGourmet
- Look at the options for creating
rules (Outlook
Express) or filters (Eudora) and think how you could filter out much of
the spam you receive
- Check the website of one of the
listed organizations
trying to fight against spam.
- Learn to make sense of the
information in Email headers: http://www.stopspam.org/email/headers.html
