Facing down the masterminds of unsolicited Internet mail

The Spam Business

Spammers charge real money for their dubious services, and hundreds of advertisers are willing to pay. We'll show you some innovative techniques for controlling and containing spam, including strategies for slowing down spam bots, keeping spammers from getting your address, and separating spam from legitimate email.

By Joe Casad, Ulrich Bantle, and Tobias Eggendorfer

According to the email service provider Postini [1], of some 524 million messages the provider handled worldwide in a period of 24 hours, 88 percent were spam (345 million messages), including 2 million "special offers," 650,000 get-rich-quick schemes, and 2 million messages with sexual content. Just 46 million legitimate emails actually reached their targets.

Despite the best efforts of the experts, the spam glut isn't going away. Most organizations focus on containing the problem to prevent losses in admin time and user productivity. We'll show you some of the latest strategies for fighting spam in this month's cover story. We'll start by examining some techniques for keeping spammers from getting your address in the first place. Then we'll show you how you can throw the spammers off your trail with a tarpit. We'll also review some anti-spam appliances and services, and we'll describe a custom solution for a user-trainable spam filter that operates from the server side.

Know the Enemy

The origins of the term "spam" are not entirely clear. The term was originally coined on Usenet, where it referred to unsolicited advertising. When the phenomenon hit email, people soon started calling UCE (Unsolicited Commercial Email) spam. Nowadays, most people simply refer to any kind of unsolicited mail as spam.

The anti-spam project Spamhaus [2] estimates that 200 spammers generate 80 percent of all spam in the USA and Europe. As spamming organizations are typically run by groups rather than individuals, Spamhaus assumes that there are somewhere in the region of 600 professional spammers in this field. You'll find a top ten list of the world's most notorious spammers at the Spamhaus website [3].

Although most users despise spam, many companies still resort to it. One reason for the continued existence of spam is that marketing managers can't resist the extremely low cost. Spammers typically charge between US$ 100 and US$ 200 for a spam drop (EUR 80 to 160). The cost is so low that companies can pay it with hardly a dent in their budgets. Spammers find a steady supply of customers, even though the "messages" go to unknown email addresses in a totally untargeted way.

Spammers operate on the fringes of the legal system, sometimes passing themselves off as legitimate businesses, even though they use tools such as email worms and viruses to build webs of hijacked robot computers for their dirty work. As Spamhaus puts it, "...some countries do little to deter spammers from operating within their borders. These countries become safe havens for the spam operations that plague everyone else, including their own nationals. Countries with the highest number of spammers operating within their networks are usually those with poor or non-existent spam laws."

Spamhaus rates the United States as the country with by far the biggest spammer population, but you'll notice from the Spamhaus top ten list that China and Russia are also major spam distribution spots. According to research by the anti-malware vendor Kaspersky Lab [4], Russian spammers offer a variety of packages with varying numbers of addresses, ranging from 100 to 3.7 million addresses, without any target-group restrictions. Most advertisers opt for the maximum number of addresses, regardless of the audience.

The companies that get involved with spam typically don't care whether the spamming action returns the desired results. In the Kaspersky survey, none of the respondents had actually measured the effectiveness of their spam investment. Some respondents guessed that spamming accounts for something like 0.01 to 0.05 percent of their turnover.

Figure 1: Spamhaus maintains lists of the worst spam countries, the worst spam networks, and the world's most notorious spammers.

The Best Defense

The computer industry has developed a broad collection of strategies for dealing with the spam glut. Anti-spam forces depend on tools such as:

You can expect to see more anti-spam techniques as computer systems change and the spam story continues.

Figure 2: Attempts to trick spam filters are not always as obvious as this.

Figure 3: Microsoft's Sender ID proposal received a cool response from the Debian Project.

More to Come

Despite the big arsenal of anti-spam strategies, spam continues to flood inboxes around the world. Spammers have become quite sophisticated, and they are every bit as resourceful and creative as the good guys. The stock spam campaigns of this past summer show how aggressive and sophisticated spamming methods have become.

Spammers have now turned to new techniques to evade fingerprinting technologies employed by spam filters, for example, introducing animated GIFs to tout their wares. Once a filter has recognized the patterns in the spam message and created a digital fingerprint, the integrated image changes size, color, or position to avoid detection. Minor adjustments that the recipient would never notice from just reading the mail, such as tilting the image by a single pixel, can throw off the spam radar.
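The following added example (not part of the original article) shows, from the filter's side, why a byte-exact fingerprint misses an image that has moved by one pixel, while a tolerant fingerprint still matches it. The average-hash method, the 8-bit match threshold, and the constructed 16x16 sample images are assumptions chosen for illustration; the article does not name a specific fingerprinting algorithm.

```python
import hashlib

def make_image(w=16, h=16):
    # Constructed sample: a bright 8x8 square on a dark background.
    return [[200 if 4 <= x < 12 and 4 <= y < 12 else 30 for x in range(w)]
            for y in range(h)]

def make_unrelated(w=16, h=16):
    # Constructed sample of a different picture: bright top half.
    return [[200 if y < h // 2 else 30 for _ in range(w)] for y in range(h)]

def shift_right(img, px=1):
    # Move every row right by px pixels, repeating the left edge pixel.
    return [[row[0]] * px + row[:-px] for row in img]

def exact_fingerprint(img):
    # Byte-exact digest: a single changed pixel gives a different value.
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def average_hash(img, size=8):
    # Shrink to size x size cells by block averaging, then emit one bit
    # per cell: 1 if the cell is brighter than the mean of all cells.
    bh, bw = len(img) // size, len(img[0]) // size
    cells = [sum(img[y][x] for y in range(by * bh, (by + 1) * bh)
                 for x in range(bx * bw, (bx + 1) * bw)) / (bh * bw)
             for by in range(size) for bx in range(size)]
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits

def hamming(a, b):
    # Number of differing bits between two fingerprints.
    return bin(a ^ b).count("1")

def same_image(a, b, max_bits=8):
    # Assumed threshold: treat images as the same if at most 8 of the
    # 64 fingerprint bits differ.
    return hamming(average_hash(a), average_hash(b)) <= max_bits

if __name__ == "__main__":
    original, variant = make_image(), shift_right(make_image())
    print("exact match:", exact_fingerprint(original) == exact_fingerprint(variant))
    print("bits differing:", hamming(average_hash(original), average_hash(variant)))
    print("tolerant match:", same_image(original, variant))
    print("unrelated match:", same_image(original, make_unrelated()))
```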

So the arms race continues. Don't expect a permanent solution to the spam problem anytime soon. The battle will go on as long as advertisers are willing to pay for it and the worldwide email infrastructure is unable to contain it. The best you can do is filter what you can and try to stop the spammers from getting your address. Read on for more on how you can fight back.

[1] Postini statistics: http://www.postini.com/stats/
[2] Spamhaus: http://www.spamhaus.org
[3] Top ten spammers: http://www.spamhaus.org/statistics/spammers.lasso
[4] Kaspersky Lab: http://www.kaspersky.com/de/