Spam is one of the greatest annoyances on the Internet today. Also known as UCE, bulk e-mail, e-mail marketing, and a host of other less favorable names, spam is a byproduct of the commercialization of the World Wide Web. The word 'spam' has more or less entered the general lexicon as meaning 'that e-mail I don't want'
ISPs contend that spam ties up disk space, wastes bandwidth, and annoys customers. ISPs argue that they must waste time and money implementing filters; and even those aren't very effective. Spammers, for their part, maintain that they are providing the user with opportunities. Outlawing spam, they argue, is de facto censorship. Advertising is everywhere, and there's no reason why e-mail marketing shouldn't exist. In the United States, several states have passed anti-spam laws.
If e-mail marketing is legitimate, by comparison the methods most spammers use are shady. Spammers almost always forge headers to avoid ISP scrutiny and the inevitable surge of complaints after a batch of UCE is sent out. They also utilize open relays, which are mail servers configured to send mail from any source. Most often, these open relays are in foreign countries; for this reason communicating with the mail server's admin is often difficult.
Most spam is fraudulent. The most notorious sales pitches include penis enlargement devices, herbal Viagra, the infamous Nigerian mail scam, "Work at Home", methods to get a college degree Quick and Easy, porn, MAKE MONEY FAST, Ponzi schemes, and weight loss pills. The Federal Trade Commission has set up an e-mail address for you to forward spam that you believe is fraudulent; the address is firstname.lastname@example.org.
The fuel of a spamming operation is e-mail addresses. Spammers utilize a variety of methods to get e-mail addresses, some of the most common being:
- WWW spiders. These spiders are configured to pick out e-mail addresses from WWW pages, whether it be mailto: links or plaintext addresses like email@example.com. Some also correct address munging: for example, uceNOSPAM@ftc.gov will be corrected to firstname.lastname@example.org.
- Usenet spiders - By and far the quickest way to recieve spam is to post to Usenet without munging your e-mail address, especially in an active newsgroup. Many harvesters scan newsgroups, looking for e-mail addresses.
- Dictionary attacks. In this sort of attack, spammers play a guessing game. Common words from the dictionary are used in an attack on a specific high-traffic site; if the mail server replies with an invalid address, the address is no good. If the mail server DOESN'T reply, the e-mail address is good. Sites with short domain names are frequently the victims of these sort of attacks - somehow, www.WeightWatchersofSaltLakeCityInc.com is just too long.
- CD-ROMs Spammers will burn CD-ROMs full of these addresses and sell them to one another, ensuring that your daily deluge of spam is kept up.
A spammer obviously needs Internet connectivity to spam. Most ISPs prohibit spamming of any sort, and will usually clamp down on a spammer the second he starts to spam. The ISPs that tolerate spamming are called spamhausen; as word spreads that the ISP tolerates spam, more spammers use it. Spamhausen are usually blocked at the router level by organizations like MAPS and ORBS; however, this has the side effect of blocking legitimate sites as well, with Peacefire being a notorious example.
Of course, a 'live' e-mail address is worth far more than a dead e-mail address which the owner rarely checks. To verify that you are actually opening your spam, a number of tricks are used:
- The classic 'REMOVE ME' scam. This is one of the oldest tricks spammers use to verify e-mail address; it consists of a small note at the bottom of the e-mail saying, "If you do not wish to recieve further mail from us please reply to this e-mail with the subject line 'REMOVE'" The assumption behind this is that the reciever will be so fed up with spam that he will actually reply to the message.
- The 1x1 GIF With the onset of HTML e-mail comes HTML spam. HTML spam will often contain a 1x1 transparent GIF. When you open an e-mail with this GIF, a request is sent by the e-mail client to download the GIF, thus telling the spammer that you have been reading spam
- False subject lines are often used with the method described above. These can be disguised as a 'failed message' notice from Postmaster, your friend telling you to check this out, blank subject lines, and a lot more
Lawsuits have been filed against spammers, with the most famous being Cyber Promotions vs. AOL. Cyber Promotions was run by a man named Sanford ("Spamford") Wallace, who sent out a staggering amount of spam. AOL, of course, blocked his domain name, but Wallace constantly circumvented AOL's blocking system by registering different domains (cyberpr0m0.com, cybrpromotions.com). Eventually, AOL sued and won in court. However, lawsuits are a time-consuming and costly option. In some cases, the spammer actually sues the ISP, claiming censorship.