Networking government in New Zealand.

Spam

Threat Type: Spam
Threat To: Public Confidence
Potential Impact: Medium
Likelihood: High

Summary

The volume of unwanted commercial email, known as spam, is now greater than that of other mail. Spam is drowning out legitimate mail and decreasing the usefulness of email in general. It also makes people less likely to shop online because they are reluctant to give out their email address.

The goods or services being offered in spam are often of dubious taste or legality. Much spam is offensive to many people, and causes particular concern when sent to minors.

Mechanism

Spammers use specialist software to send millions of e-mail messages at once. E-mail addresses are harvested from web sites and chat rooms, and potentially from product registrations at corporate websites. Addresses can also be deduced by the so-called dictionary attack, in which a spammer's server tries all likely names and common email conventions against a remote mail server, looking for live addresses.
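One way a mail administrator could spot the dictionary attack described above in server logs, as an added example that is not part of the original page. The log format, the reply-code meanings, the addresses and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical log format:
# ISO timestamp, client IP, RCPT TO address, SMTP reply code.
# Assumption: in this format 550 means "no such user" and 250 means "accepted".
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 adam@example.org 550
2024-01-01T10:00:01 203.0.113.7 alan@example.org 550
2024-01-01T10:00:02 203.0.113.7 alice@example.org 250
2024-01-01T10:00:03 203.0.113.7 amy@example.org 550
2024-01-01T10:00:04 203.0.113.7 andy@example.org 550
2024-01-01T10:00:05 203.0.113.7 anna@example.org 550
2024-01-01T10:00:06 203.0.113.7 a.smith@example.org 550
2024-01-01T10:01:00 198.51.100.20 alcie@example.org 550
2024-01-01T10:01:30 198.51.100.20 alice@example.org 250
2024-01-01T10:02:00 192.0.2.9 bob@example.org 550
2024-01-01T10:02:10 192.0.2.9 bob@example.org 550
2024-01-01T10:02:20 192.0.2.9 bob@example.org 550
2024-01-01T10:02:30 192.0.2.9 bob@example.org 550
2024-01-01T10:02:40 192.0.2.9 bob@example.org 550
"""

def find_harvesters(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag clients with `threshold` distinct unknown recipients rejected within `window`."""
    recent = defaultdict(deque)    # ip -> (time, rcpt) rejections still inside the window
    accepted = defaultdict(set)    # ip -> recipients the server accepted (confirmed live)
    peak = {}                      # ip -> highest distinct-rejection count seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, ip, rcpt, code = line.split()
        ts, rcpt = datetime.fromisoformat(ts_s), rcpt.lower()
        if code == "250":
            accepted[ip].add(rcpt)
        if code != "550":
            continue
        q = recent[ip]
        q.append((ts, rcpt))
        while ts - q[0][0] > window:        # drop rejections older than the window
            q.popleft()
        distinct = len({r for _, r in q})   # retries to one address count once
        if distinct >= threshold:
            peak[ip] = max(peak.get(ip, 0), distinct)
    return {ip: {"probed": n, "confirmed_live": sorted(accepted[ip])} for ip, n in peak.items()}

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

Only the client that cycles through many different unknown names is flagged; the sender with a single typo and the client retrying one address are not. The `confirmed_live` list shows which real addresses the flagged client learned along the way.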

Sending spam requires special techniques. Spam is a violation of ISPs' terms of service, and spammers' accounts are often terminated for this reason, but because of the volume of mail they send, spammers are otherwise good customers for an ISP. Despite stated policies to the contrary, there is evidence that certain large US ISPs act as gateways for spammers.

There are other ways to send large quantities of spam. In particular, spammers often use misconfigured mail systems belonging to unsuspecting third parties to copy a single message to a large mailing list. There is also concern that viruses may be written that convert users' PCs into spam servers.

Spam emails almost invariably contain false "from" addresses and other false header information designed to obscure their origins. Despite its volume, much spam is difficult to trace.

There are free and commercial products to filter spam. These may take some effort to install and maintain, although this is increasingly being done by ISPs. Spammers respond by trying to create their messages so that they will not trigger filters. Spam filters and spammers are engaging in a kind of arms race. This explains spammers' frequent use of odd punctuation and nonsense words in an attempt to evade filters while their messages remain readable by humans.

Various sites offer real-time facilities to help identify spam. They are designed for use by ISPs, and effectively answer the question: is this piece of mail coming from a site known to host spammers? Many ISPs use services like these to cut down the amount of spam their users receive. Recently, these sites have been the targets of denial of service attacks intended to hinder their operations.

Comment

For a long time, many companies and industry bodies resisted the classification of all unwanted commercial e-mail as spam. One person's spam, they argued, is another's marketing material. This attitude has changed over the last twelve months and most legitimate businesses now make very clear what use is intended of customer e-mail addresses, and allow opting out of communications.

An opt-out regime has problems. Critics point out that this would permit every business to email every individual at least once until asked to desist. Also, unscrupulous senders may use the opt-out reply as evidence that the mail address is active and send yet more spam. For this reason, people are encouraged not to opt out. A preferred alternative is opt-in, in which people have to ask to receive communications. Some go further and insist on double opt-in, in which the user must reply positively to a test message, as is practised on many e-mail lists.

Spammers sometimes claim that all the addresses on their lists have opted in. This is unprovable at best, and highly unlikely.

Example Mitigations

Educate people to never buy things from spam

Keep improving filters

Legislate in line with other governments

More filtering at ISPs

Encourage wider implementation of greylisting?

Whitelisting and blacklisting

