CyberSafety: Email and Spam


by Alan Zisman (c) 2003, 2005

Computer viruses and spam both show up in online users' email inboxes. Viruses are relatively easily dealt with, using a combination of common sense, healthy paranoia, and free or inexpensive software. Spam, however, is harder for many users to get under control.

Spam is the common name for what is sometimes referred to as 'unsolicited commercial e-mail'. In other words, these are e-mail messages that are generally trying to get money from you-- whether by selling products you don't want (herbal ecstasy, refinanced mortgages, penis enlargements), getting you to visit pay-for-porn websites, or hoping you'll send money to someone in Africa after being promised the chance to make millions of dollars.

Some users rarely receive spam, others receive dozens of messages a day. Spam is increasing in frequency; it has been estimated that it will soon account for 50% of all e-mail traffic. While not all spam is sexually-related, many of us are finding more and more messages including sexually-explicit offers and photos. 

According to antispam firm Brightmail, in March 2003, scams accounted for 10% of all spam, while financial offers made up another 17%. 19% was porn or other 'adult-oriented' offers, as was product advertising, with a further 4% for medical offers. (http://zdnet.com.com/2100-1105-996003.html)

Yes, you can just delete these messages, often without even bothering to open them up. But even that wastes time. 

How do they get my address?

Spam is not directly an Internet security hazard, but for many people, it is a growing irritant. Many other people, however, seem to rarely get spam. According to a study sponsored by the Pew Internet & American Life Project (http://www.pewinternet.org/) two groups of people are most likely to get spam:

  • Internet 'power emailers' who have posted their email addresses publicly on web sites, in Usenet groups, etc. receive mail because these addresses are harvested by 'spambots', searching the Net for recognizable email addresses.
  • Ordinary users who sign on for free email accounts (such as the popular hotmail.com) or use other popular domains for their email; there is no evidence that such services provide their users' addresses to spammers, rather, they are subject to 'brute force' attacks, checking for the existence of combinations of common first and last names on those domains.
  • If you've ever entered your email address online in a contest, to buy something, registered a product, or subscribed to an email newsletter, you may have failed to uncheck an option in the fine print 'to receive valuable offers from our marketing partners'. In that case, you allowed the owners of the website to sell or trade your address-- and the recipients to sell or trade it, on and on down the line. You have 'opted-in' to receive spam.

Why can't the government just outlaw spam?

In the US, there's ongoing discussion over whether commercial messages like spam are covered under Constitutional rights to free speech. In other countries (including Canada), such rights are less firmly enshrined in law. But even if a government passed a law banning spam, nothing much would change. The Internet makes tracking spammers for prosecution extremely difficult, and there are questions over what jurisdiction a spammer could be tried under. A US-based spammer may have a website on a computer in the Bahamas, but use computers in Russia to actually send out millions of unsolicited email messages to users around the world. Under what set of laws can he be tried?

Late in 2003, the US Congress passed a so-called Can-Spam Law; critics suggest that it simply legalizes spam while making it more difficult to do anything about it:
http://www.gripe2ed.com/scoop/story/2003/12/11/9145/0712

Despite my pessimism, in late 2005 the US FTC reported to Congress that the Can-Spam Law was working; even though 70% of the world's email messages were spam, the percentage was levelling off. (http://news.zdnet.com/2100-9588_22-6003071.html?tag=zdfd.newsfeed)

How about making it cost money to send bulk email?

If it cost a few cents for each message, spammers would be financially discouraged. Yes. But there are at least two problems with this proposal:
1) How to change the widespread email system that is currently free for end-users to one where users are charged by the message. Who charges these fees? Who gets to keep the proceeds? How is it administered? Currently, anyone can set up an email server.
2) How to avoid putting legitimate mass-mailers out of business. Free email has permitted the blossoming of huge numbers of electronic publications using email for distribution to people who choose to subscribe. Some of them are commercial-- I choose to get sale notices from the Future Shop electronics chain. Others are computer-related, political, social, literary, or what-have-you. Charging for email would quickly put most of these out of business, or force currently free publications to charge a subscription, in either case, dramatically affecting them for the worse. One of the rare areas of a truly free press would be brought to a sudden halt.

What about black lists? 

A number of anti-spam tools rely on blacklists-- an example is SpamCop (http://www.spamcop.net). When users receive messages they don't want, they send them to a website, which uses them to compile blacklists of spammers; future messages from the sending computer's IP address are banned. It sounds promising, but these lists are problematic; real spammers can change addresses frequently, defeating black lists. Moreover, users often mistakenly send blacklists messages from valid email publications-- rather than unsubscribe from the list, they get their anti-spam tool to block future issues. But that means that everyone who subscribes to that publication no longer receives it, whether they want to get it or not! Publishers of email publications have described how they're having to spend increasing amounts of time untangling their legitimate mass-mailings from black lists that have mistakenly listed them.

Whitelists, too...
Whitelists work (not surprisingly) just the reverse of blacklists... instead of having a service make a list of addresses to block, they set up a list of email addresses to allow- the contents of your address book, for instance. Obviously this cuts down on mistakes, but it isn't a solution by itself.

Human interaction
ZDnet commentator David Coursey wrote in March 2003 that he had 'finally found a cure for spam (for now)' (http://www.zdnet.com/anchordesk/stories/story/0,10738,2913158,00.html) with a service called Mailblocks which, when suspicious-seeming messages were identified, wouldn't let the message through until a real human went to a website, and replied to a numeric puzzle embedded in a graphic image. Nice, but I suspect it would again cause problems for legitimate e-mailing lists and other non-spam bulk mailings.

Roll your own
Email programs include the ability to filter messages, and automatically do a variety of things to them. In Outlook Express, this involves setting up what are called 'rules'; in Eudora, a similar capability is called 'filters'. You could make a set of rules or filters that, if they encounter specific words or phrases in the subject or body of a letter, automatically route that message to a Spam folder you've created, for instance. Periodically, you would review the contents of that folder, trashing the real spam, and saving the wrongly-identified messages. According to the Wired article (referenced at the end of this tutorial):

What's the most obvious spam tip-off? Ask SpamArchive.org. Its parent, email security firm CipherTrust, combed through more than 250,000 junk emails for Wired and identified the telltale signs that you've got spam.

Top 25 subject-line words and symbols:

Fwd, Free, Get, FREE, $, !, SPAM, You, Your, Norton, Credit, Save, 000, Now, Check, Year, Make, Sale, Money, DVD, just, now, Lose, software, Earn

Top 25 phrases in body text:
opt-in, now!, offers, most, partners, 999, fulfillment, yamato, naviant, partner, removal, recurring, mailings, free!, assistant, enjoy, grocers, mailing, subscriber, cash, sun, rewarding, buy, today!, marketing

More on setting up your own filters in Outlook, Outlook Express, Netscape Mail, and other email programs can be found in the Feb 2003 PC World article at: http://www.pcworld.com/howto/article/0%2Caid%2C107864%2C00.asp

Cecil Williams has posted an article online on creating and using Eudora filters that he claims can block up to 99% of spam; his website: http://www.cecilw.com/eudora/ includes sample filter-sets for downloading. Users of other email programs may want to look at it for examples of how to create filters in their preferred programs. Alternatively, Robin Keir's K9 (http://www.keir.net/k9.html) is a free email filtering application that works with Outlook Express and other standard POP3 email programs.

However, spammers have started responding to this sort of filtering, adding junk characters, mis-spellings, replacing letters like 'E' with '3' all in an effort to out-wit relatively simple filters.
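
The effect of that evasion on a word-list rule, and one way a filter can respond, as an added example (not part of the original article or of any product named here). The look-alike table and the sample subject lines are constructed; the word list is a subset of the subject-line words quoted above.

```python
import re

# A few of the subject-line words from the Wired/CipherTrust list quoted above.
SUBJECT_WORDS = {"free", "credit", "save", "money", "sale", "lose", "earn", "software"}

# Constructed look-alike table (an assumption, not taken from the article).
LOOKALIKES = str.maketrans({"3": "e", "0": "o", "1": "i", "4": "a",
                            "5": "s", "@": "a", "$": "s"})


def naive_hits(subject):
    """Simple rule: lower-case the subject and look for listed words."""
    words = set(re.findall(r"[a-z0-9]+", subject.lower()))
    return sorted(words & SUBJECT_WORDS)


def _join_letters(match):
    # Drop the junk separators from a run such as "f.r.e.e".
    return re.sub(r"[^a-z]", "", match.group())


def normalized_hits(subject):
    """Undo look-alike characters and junk separators, then apply the same rule."""
    text = subject.lower().translate(LOOKALIKES)
    # Single letters joined by junk characters: "f.r.e.e", "s-o-f-t-w-a-r-e".
    text = re.sub(r"\b[a-z](?:[.\-_*][a-z])+\b", _join_letters, text)
    return sorted(set(re.findall(r"[a-z]+", text)) & SUBJECT_WORDS)


def route(subject):
    """Send anything that matches to a Spam folder for later manual review."""
    return "Spam" if normalized_hits(subject) else "Inbox"


# Constructed subject lines.
SAMPLES = [
    "FREE credit check",                      # caught by both rules
    "FR33 cr3dit, s@ve m0n3y",                # letters swapped for look-alikes
    "F.R.E.E s-o-f-t-w-a-r-e",                # junk characters between letters
    "Save the date: staff picnic",            # legitimate, but contains a listed word
    "Minutes from the 2003 budget meeting",   # legitimate, no listed word
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive={naive_hits(s)} normalized={normalized_hits(s)} -> {route(s)}")
```

The fourth sample is routed to the Spam folder even though it is legitimate, which is why the folder needs the periodic review described above.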

Another useful way to help limit spam (and some potential virus problems) is to turn off the preview pane. This helps because when you view (or preview) a message and it goes online to grab graphics, it reports your location/email address, thus letting the spammers know that they've reached a real e-mail address... the result will be more spam coming to your address.

With the preview pane turned off, you can delete obvious spam (and virus-infected) messages without having to see them first.

In Outlook, click View -> Preview Pane and remove the checkmark. In Outlook Express, click View -> Layout and remove the checkmark beside Show preview pane. In Eudora, you could turn off display of HTML-formatted mail by clicking Tools -> Options -> Display and unchecking Automatically download HTML graphics. Now you can delete obvious spam without viewing it.

You may also be able to turn off automatic previewing of messages in some webmail services.

Antispam software
Antispam products typically use some combination of blacklists, whitelists, checking for circuitous delivery routes, looking for suspicious keywords in subject lines and body text, and more. Receiving a lot of attention recently is so-called Bayesian analysis-- sophisticated ways of looking at message content. Software or services combining all these techniques are being sold to large corporations or ISPs to protect groups of users-- either installing software on the network server (such as Vancouver-based ActiveState's PureMessage) or as a service that organizations contract to filter all the email entering their domain (such as FrontBridge -- formerly known as BigFish).

Other antispam software is aimed at individual email recipients. PC Magazine and PC World spring 2003 reviews of a range of such products are listed at the end of this article; the PC Magazine article notes: "...even with training, some spam gets through. The consumer products we tested typically blocked about 75 percent of spam; the corporate products, 85 percent. Worse, these tools can block legitimate messages." Products have to deal with two types of errors: false negatives, where real spam is not caught, and more awkwardly, false positives where mail that is not spam is mistakenly blocked.

PC Magazine's favorite program for personal use was the US$20 (per year) SpamCatcher (http://www.mailshell.com/spamcatcher) which integrates with Microsoft Outlook 2000 or 2002. (The company also has a 'Universal' version for Outlook Express, Eudora, Netscape, etc.) PC World's May 2003 best buy was the US$20 IHateSpam which also integrates with Outlook. (http://www.sunbelt-software.com/ The company also makes a version for Outlook Express.) There are downloadable 30-day free trial versions of both SpamCatcher and IHateSpam, though in each case, users must register with the company to receive registration keys.

In its 05-19-03 issue, Infoworld was very impressed with the free add-in for Outlook (not Outlook Express): SpamBayes (http://spambayes.sourceforge.net/index.html), rating it 9.4 out of 10. For best results, you should have a set of messages that you consider spam along with another set that is non-spam, so the software can learn to work the way you do; afterwards, check its proposed results for a while. It can be used with non-Outlook mail clients, but requires complicated setup/installation in that case. Another Outlook add-in that's free for personal use is SurfSecret SpamDrop (http://www.surfsecret.com/products/product-SDROP.html)

In February 2004, PC Magazine revisited Spam Blockers: http://www.pcmag.com/article2/0,4149,1474449,00.asp reviewing 11 antispam utilities. Their favourite this time around was Symantec's Norton AntiSpam 2004.

PopFile (http://popfile.sourceforge.net/) is a free, open-source, cross-platform anti-spam program that works with most email software (it includes detailed instructions for Outlook, Outlook Express, Eudora, and Pegasus, and can be made to work with other programs as well). When first set up, it's stupid, but over time, will learn from what you consider spam. If you use PopFile with Outlook, you may want to check out the free (donations accepted) Outclass (http://www.vargonsoft.com/Outclass/) which simplifies PopFile setup.

The free version of No-spam-today (http://www.no-spam-today.com/) intercepts your mail before it gets to your email software, and is good for up to 10 e-mail addresses (for personal use).

Another popular product is MailWasher (http://www.mailwasher.net), with a free version and a US$20 Pro version. I found it awkward to use, as it must be run as a separate program, prior to opening your mail software, rather than integrating directly into your email software. The US$30 Pro version (again, there's a 30-day free trial version) supports multiple mail accounts and Hotmail accounts.

Rather than adding a 3rd party anti-spam program, some users may prefer to move to an email client with built-in spam filtering. Apple's Mail (included in its OS X 10.2 and later) and Mozilla Thunderbird email software (http://www.mozilla.org for Windows, Linux, and Mac OS X) both include built-in optional anti-spam filtering. Outlook XP (but not Outlook Express) and Eudora Pro 6 (paid US$29 version only) now include antispam filtering; I'm currently using Eudora Pro 6, and finding it's catching about 90% of the spam coming into my accounts. Outlook 2003, included in the October 2003 release of Microsoft Office 2003, reportedly also includes reasonably effective spam filtering. 

When turned on, each tries to identify spam messages. A toolbar icon allowing users to correct their initial opinions lets the program 'learn' better what you consider spam. 
 

Eudora 6's Junk Mail options
Here are the Junk Mail options for Eudora 6.0. Note the user can define mail as not spam if the user is in the address book, and can automatically add all non-junk senders to the address book (which I didn't do). This would create a white list of designated non-junk addresses.

Users can adjust the Junk Threshold to catch more junk mail (but probably accidentally junk more legitimate mail) or let more junk through but mis-label fewer legitimate messages.

Junk messages can be automatically moved to an automatically created Junk mailbox, or left in the Inbox for manual inspection. Messages in the Junk Mailbox are automatically removed after a user-configurable amount of time. (By default, they're not erased, but moved to Eudora's Trash, where they can still be retrieved until the Trash is emptied).
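
The learning step described above for SpamBayes and PopFile, and the trade-off behind a setting like Eudora's Junk Threshold, as an added example (not code from any of those products). It is a plain naive Bayes scorer with add-one smoothing, which is an assumption about the general approach; the training messages are constructed.

```python
import math
import re
from collections import Counter


def tokens(text):
    # Keep "!" and "$" so that "now!" and "now" are learned as different tokens.
    return set(re.findall(r"[a-z$!']+", text.lower()))


class BayesFilter:
    def __init__(self):
        self.seen = {"spam": Counter(), "ham": Counter()}  # messages containing a token
        self.total = {"spam": 0, "ham": 0}                  # messages per class

    def train(self, text, label):
        self.seen[label].update(tokens(text))
        self.total[label] += 1

    def spam_probability(self, text):
        # Start from the class prior, then add one log-likelihood ratio for each
        # token present in the message. Add-one smoothing keeps unseen tokens finite.
        log_odds = math.log(self.total["spam"] / self.total["ham"])
        for tok in tokens(text):
            p_spam = (self.seen["spam"][tok] + 1) / (self.total["spam"] + 2)
            p_ham = (self.seen["ham"][tok] + 1) / (self.total["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

    def classify(self, text, threshold=0.5):
        # Lower threshold: more junk caught, more legitimate mail mislabelled.
        return "Junk" if self.spam_probability(text) >= threshold else "Inbox"


# Constructed training sets: what this user marked as spam and as legitimate mail.
SPAM = [
    "free money now, opt-in offers from our marketing partners",
    "lose weight now! free trial offers",
    "earn cash today! free credit check",
    "save money on software, buy today!",
]
HAM = [
    "minutes from the staff meeting today",
    "can you check the report before the meeting",
    "lunch on friday? let me know",
    "free for lunch today? the report can wait",
]


def build_filter():
    f = BayesFilter()
    for text in SPAM:
        f.train(text, "spam")
    for text in HAM:
        f.train(text, "ham")
    return f


FILTER = build_filter()

if __name__ == "__main__":
    for text in ("free cash offers, buy now!", "are you free for the staff meeting",
                 "free software report today", "check our software offers"):
        print(f"{FILTER.spam_probability(text):.3f}  {text}")
```

Because 'free' appears in both training sets, it only nudges the score; the surrounding words decide the outcome, which a fixed word list cannot do.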

How Antispam filters work
(From PC World May 2003, referenced below):

  1. Spam filters look hard at the return address, which is often fake. In this case, the address consists almost entirely of numbers, a common component of machine-generated spam.
  2. A filter may examine the IP address where the e-mail originated and compare it against lists of addresses known to be sources of spam. If it finds a match, that e-mail is usually blocked.
  3. Some antispam software compares the date on the message against the time it's actually received; spammers will either delete the date or assign one in the future so that the e-mail lands at the top of its victims' mailboxes.
  4. Common catchphrases in the subject line (like 'as seen on TV' and 'free gifts') are another giveaway; many spammers also insert garbage characters, misspellings, or odd letter spacing in an attempt to fool simple text filters.
  5. Lines entirely in capital letters--or oversize fonts in HTML mail--are a common spam tactic, so some filters flag messages that contain them.
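
The checks in that list, applied to raw messages, as an added example (not from PC World or from any product named on this page). The blocklist entry, thresholds, signal names and sample messages are constructed, and the originating IP address is assumed to be supplied by the receiving mail server.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

BLOCKLIST = {"203.0.113.45"}            # constructed entry (documentation address range)
CATCHPHRASES = ("as seen on tv", "free gift")
CLOCK_SKEW = timedelta(minutes=10)      # assumed tolerance for honest clock drift


def spam_signals(raw, source_ip, received_at):
    """Return the names of the checks a single-part text message trips."""
    msg = message_from_string(raw)
    signals = []

    # Return address made up mostly of numbers (more than half is an assumed cut-off).
    local = parseaddr(msg.get("From", ""))[1].partition("@")[0]
    if local and sum(c.isdigit() for c in local) / len(local) > 0.5:
        signals.append("numeric-sender")

    # Originating IP address on a list of known spam sources.
    if source_ip in BLOCKLIST:
        signals.append("blocklisted-ip")

    # Date header deleted, unparsable, or later than the time of receipt.
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:         # "-0000" parses to a naive datetime
            sent = sent.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        sent = None
    if sent is None or sent > received_at + CLOCK_SKEW:
        signals.append("bad-date")

    # Common catchphrases in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(phrase in subject for phrase in CATCHPHRASES):
        signals.append("catchphrase")

    # Body lines written entirely in capital letters.
    for line in msg.get_payload().splitlines():
        letters = [c for c in line if c.isalpha()]
        if len(letters) >= 8 and all(c.isupper() for c in letters):
            signals.append("all-caps-line")
            break
    return signals


# Constructed messages and receipt time.
RECEIVED = datetime(2003, 5, 1, 12, 0, tzinfo=timezone.utc)
SPAM_MSG = ("From: 8837261a@example.com\n"
            "Date: Fri, 01 Jan 2038 00:00:00 +0000\n"
            "Subject: Free gift - As Seen On TV\n\n"
            "ACT NOW WHILE SUPPLIES LAST\nClick the link.\n")
HAM_MSG = ("From: Alice <alice@example.org>\n"
           "Date: Thu, 01 May 2003 11:58:00 +0000\n"
           "Subject: Meeting notes\n\n"
           "Hi, the notes are attached.\n")
NO_DATE_MSG = HAM_MSG.replace("Date: Thu, 01 May 2003 11:58:00 +0000\n", "")

if __name__ == "__main__":
    print(spam_signals(SPAM_MSG, "203.0.113.45", RECEIVED))
    print(spam_signals(HAM_MSG, "192.0.2.10", RECEIVED))
    print(spam_signals(NO_DATE_MSG, "192.0.2.10", RECEIVED))
```
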
Antispam tips

These are adapted from PC Magazine's list (http://www.pcmag.com/article2/0,4149,849443,00.asp)
  • Only give out your email address to people you plan to correspond with. For web-based forms, see below.
  • Use free email accounts (HotMail, YahooMail, etc) to create an email address to use to correspond with Web-based merchants etc. When the free account gets clogged with spam, abandon it and create another.
  • Use a disposable email address, again abandoning it when it starts to get spam. See: Disposable Email Services (http://www.pcmag.com/article2/0,4149,849410,00.asp). SpamGourmet (http://www.spamgourmet.com) or Mailinator (http://www.mailinator.com/mailinator/Welcome.do) are free services.
  • Use fake email addresses-- in other words, on Web forms feel free to lie!
  • Don't post your email address on web pages, guest books, contact lists, newsgroups, etc. If you need to, add an extra something that real humans will understand: alan@nospam.zisman.ca or alan at zisman dot ca
  • Many spam messages claim you can get them to stop pestering you by replying to them. Don't! Replying to a spam message simply confirms that they've reached a valid email address and will only increase the amount of spam you receive.
  • When you buy anything online or fill in an online form, check for options to opt out of receiving email or giving permission for the company to share your address with others. Be sure that these are checked appropriately.
  • When buying online or filling in forms, look for links to a privacy policy, and read it. If there is no obvious policy, use free or disposable email or a fake address.

Fight Back
A number of organizations are working against spam, including CAUCE (Coalition Against Unsolicited Commercial E-mail: http://www.cauce.org), Spam Cop (http://spamcop.net), and JunkBusters (http://www.junkbusters.com).

IM Spam
Slightly different is spam in Instant Messenger programs or chat rooms. Read about it and what you can do to control it at: http://www.pcmag.com/article2/0,4149,1401423,00.asp

Advanced
If you are designing a webpage and are tempted to include your email address to make it easy for readers to contact you (as I've done on this page), think again. You're also making it easy for spam harvesters to get your address (as I've also done). Instead, use javascript to hide your address from the spam-bots, while letting humans still contact you. See the tutorial at: http://www.insideoutmarketing.com/index.php?p=pages&pid=15. The Center for Democracy & Technology report listed under Further Reading suggests that steps to hide email addresses are (at least for now) effective against spam harvesters.

An alternative way to hide your email address on posted webpages is using a free product called Natata Anti-spam encoder (http://natata.hn3.net/antispam_encoder.htm).

Further Reading

Tips for Dealing With Junk Email - https://www.bookyourdata.com/tips-for-junk-email
How antispam software works: 
Wired Magazine April 2003: http://www.wired.com/wired/archive/11.04/start.html?pg=6
Natural-Born Spam Killers: PC World May 2003: http://www.pcworld.com/reviews/article/0,aid,109698,pg,1,00.asp
Corporate Antispam Tools: PC Magazine Feb 25, 2003: http://www.pcmag.com/article2/0,4149,849558,00.asp
Personal Antispam Tools: PC Magazine Feb 25, 2003: http://www.pcmag.com/article2/0,4149,849389,00.asp
Find out where spammers get your address: IDG News Service Mar 19, 2003: http://www.pcworld.com/news/article/0,aid,109884,00.asp
Spam, Inc. PC World August 2002: http://www.pcworld.com/howto/article/0%2Caid%2C101769%2C00.asp
Spam, spam, spam, spam Globe and Mail Report on Business May 2003: http://www.globeandmail.com/servlet/ArticleNews/TPStory/LAC/20030425/RO5SPAM/TPBusiness/ROBM
Why Am I Getting All This Spam? Center for Democracy and Technology March 2003: http://www.cdt.org/speech/spam/030319spamreport.shtml
Info on African money appeals: The 419 Coalition http://home.rica.net/alphae/419coal/
Who profits from spam: August 2003 MSNBC article http://www.msnbc.com/news/940490.asp?0ql=c9p&cp1=1
Confessions of a Spam King: September 28 2003 NY Times article takes you inside the spam industry (free registration required): http://www.nytimes.com/2003/09/28/magazine/28SPAMLT.html
Big Companies Add to Spam: October 28, 2003 NY Times shows how spam is not always low-down and dirty http://www.nytimes.com/2003/10/28/technology/28SPAM.html
Detecting Spam: May 4, 2004 PC Magazine article on how Bayesian filters work: http://www.pcmag.com/article2/0,1759,1567368,00.asp
Delete: Bathwater, Undelete: Baby- August 5 2004 NY Times article on the ongoing 'battle' between spam and spam filters: http://www.nytimes.com/2004/08/05/technology/circuits/05filt.html
Microsoft Tracks Zombies to the Source- October 2005: How Microsoft set up 'honeypots' to catch hackers taking over computers on behalf of spammers: http://www.aunty-spam.com/microsoft-tracks-zombies-to-the-source-sues-zombie-seeders-and-spammers/

Homework

  • Download and install one (or more) of the free or trial antispam utilities listed on this page or listed at: http://www.pcworld.com/downloads/file_description/0%2Cfid%2C22343%2C00.asp and/or try out Mozilla Firebird (or the paid version of Eudora 6), and see how well it works for you
  • Sign up for a free email account with Hotmail or Yahoo mail
  • Sign up for a disposable email address from SpamGourmet
  • Look at the options for creating rules (Outlook Express) or filters (Eudora) and think how you could filter out much of the spam you receive
  • Check the website of one of the listed organizations trying to fight against spam.
  • Learn to make sense of the information in Email headers: http://www.stopspam.org/email/headers.html

The CyberSafety course includes the following modules:

Introduction
Know your PC
Computer Viruses
Email and Spam
Firewalls
Spyware
Networks and wireless issues


(Last updated 21 December 2005)

Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan

