Skip to comments.Internet Is Losing Ground in Battle Against Spam
Posted on 04/22/2003 5:43:55 AM PDT by Pharmboy
Axel Koester for The New York Times
Albert Ahdoot and Alyx Sachs have operated
the e-mail marketing business NetGlobalMarketing
in Los Angeles for about a year.
Alyx Sachs is no longer sending people e-mail offering to "fix your credit risk free."
Confronted by an increasing number of individuals, businesses and Internet service providers using software meant to identify and discard unwanted junk e-mail commonly known as spam Ms. Sachs has been forced to become more creative in her marketing pitches. The subject line on her credit e-mail, for example, now reads "get a fresh start."
From a small office on Sunset Boulevard in Los Angeles, millions of messages prepared on behalf of others by Ms. Sachs and her partner are still going out to e-mail in-boxes every day, promising not just to restore a poor credit rating but also to sell printer ink, 3-D glasses and, lately, even playing cards with pictures of wanted Iraqi leaders.
In the cat-and-mouse game of e-mail marketers and those trying to stop them, the spammers are still winning.
So far, nothing that has been tried to block spam has done much more than inconvenience mass e-mailers. Just as Ms. Sachs's company, NetGlobalMarketing, has been able to reword its e-mail to evade spam filters, others use even more aggressive tricks to disguise the content of their messages and to send them via circuitous paths so their true origin cannot be determined.
"There is no silver bullet," said Lisa Pollock, the senior director of messaging at Yahoo, the popular Web portal. "There will always be people who can find a way to get around whatever you have in place."
No doubt making a living selling things by e-mail is becoming harder. Not only are more messages being blocked by automated antispam systems, more senders of e-mail are also facing legal action. Last week, America Online and the Federal Trade Commission each filed suit against e-mailers that they say are illict spammers. Congress is seriously considering legislation to crack down on spam.
But the infestation is growing faster than the antispammers can keep up. Brightmail, which makes spam-filtering software for corporate networks and big Internet providers, says that 45 percent of the e-mail it now sees is junk, up from 16 percent in January 2002. America Online says the amount of spam aimed at its 35 million customers has doubled since the beginning of this year and now approaches two billion messages a day, more than 70 percent of the total its users receive.
Indeed, the spam problem defies ready solution. The Internet e-mail system, designed to be flexible and open, is fundamentally so trusting of participants that it is easy to hide where an e-mail message is coming from and even what it is about.
Another reason there is so much spam is that, with a simple computer hookup and a mailing list, it is remarkably easy and inexpensive to start a career in e-mail marketing. Companies that offer products like vitamins and home mortgages as well as those selling items like penis and breast enlargement kits will allow nearly any e-mail marketer to pitch their wares, paying a commission for any completed transaction.
The microscopic cost of sending e-mail, compared with the price of postal mailings, allows senders to make money on products bought by as little as one recipient for every 100,000 e-mail messages. Internet marketing companies typically charge $500 to $2,000 to send a solicitation to a million in-boxes, but the cost goes up if the list is from a reputable source or is focused on people in certain favored demographic groups. Sending the same offer to a million people by mail costs at least $40,000 for a list, $190,000 for bulk-rate postage and more for paper and printing.
Albert Ahdoot, for example, started a part-time business using e-mail to sell printer-ink refill systems while he was in college. When he dropped out of medical school, he hooked up with Ms. Sachs, a former producer with Geraldo Rivera who later worked in marketing at several Internet companies. With her client contacts, his technology and some e-mail lists they acquired, they started their business about a year ago.
Like many in the e-mail marketing business, Ms. Sachs says her e-mail blitzes are not spam because she sends them only to lists of people who have agreed to receive marketing offers over the Internet. These opt-in lists, as they are called, are generated when Internet users enter a contest on the Web or sign up for an e-mail list in which the fine print says the user agrees to receive "occasional offers of products you might find valuable from our marketing partners."
Arguing that no one is forced to sign up for e-mail pitches, Internet marketers say that the attack on spam has already gone too far, interfering with legitimate business.
"We have allowed these spam cops to rise out of nowhere to be self-appointed police and block whole swaths of the industry," said Bob Dallas, an executive of Empire Towers, an e-mail firm in Toledo, Ohio, widely cited on antispam lists used by many Internet companies.
"This is against everything that America stands for," Mr. Dallas added. "The consumer should be the one in control of this."
But activists who oppose spam say that some e-mailers who argue that they have permission to send e-mail to a certain address often do not. Earlier this year, a New York court ruled that a Niagara Falls, N.Y., company, MonsterHut, had violated antifraud laws for misrepresenting opt-in permissions.
Lower on the marketing totem pole than opt-in mailing is what the industry calls bulk e-mailing: blasting a message out to any e-mail address that can be found. CD-ROM's with tens of millions of e-mail addresses are widely available advertised by e-mail, of course. These addresses have been harvested by software robots that read message boards, chat rooms and Web sites.
Others use what are called dictionary attacks, sending mail to every conceivable address at major e-mail providers first, say, JohnA @example.com, then JohnB @example.com, and so on to find the legitimate names.
Such distinctions, however, are usually lost on users who, in recent years, have found unwanted marketing pitches are overwhelming their legitimate e-mail.
As dissatisfaction has risen, the big Internet service providers, like AOL, and purveyors of free e-mail accounts, including Yahoo and Microsoft's Hotmail, have all greatly accelerated efforts to identify and block spam. Among other things, they have created prominent buttons for users to report offending e-mail as spam.
There is little that Internet services can do to keep spammers from gathering e-mail addresses directly from users. Many people still will type virtually their life history into an unknown Web site that claims to be offering a chance to win a Lexus.
But some Internet providers have built systems to identify when they are being subject to dictionary attacks and cut them off quickly before valid e-mail addresses are deduced.
To identify phrases and other patterns that occur in spam, the Internet service providers look at what is received in thousands of so-called honeypot e-mail accounts those that have no legitimate reason to receive e-mail messages.
The spammers quickly caught on to this technique, however. So they have varied their messages morphing, they call it often by simply appending random words or characters, so the filtering systems no longer see millions of identical solicitations.
At the same time, e-mail users now receive spam that is not only unwanted but cryptic, too. In an attempt to avoid automatic filters that search for certain phrases, marketers offer, for example, "Her bal V1agra" and ways to make "F*A*S*T C*A*S*H."
So the Internet companies now look for unusual spelling as well. "Some people have jobs that change day to day," said Charles Stiles, the technical manager of AOL's postmaster team, which looks after spam blocking. "Ours changes from minute to minute. A filter that works one day will likely not work the next."
Another way spammers avoid detection is to send mail using the HTML format, the language mainly used to display Web pages. Spammers and major advertisers alike think that e-mail with varied type and inserted graphic images is more persuasive than ordinary text. But the spammers also find that this format makes it easier to evade the filtering programs.
A lot of spam now puts the actual sales pitch in an image that is only displayed when the user reads her e-mail. The filter reads merely some random text and the Web address of the image to be displayed.
Spam filters are now being adjusted to be suspicious of e-mails that only have links to Web images. But it is still hard for any program to distinguish, say, a pornographic come-on from a baby picture, especially when processing hundreds of millions of messages a day.
Tom Williams for The New York Times
Charles Stiles, center, technical manager for
America Online's antispam team, says a "a filter that
works one day will likely not work the next."
At the same time, the argument is intensifying over what represents legitimate e-mail, particularly when it ends up being blocked by an antispam filter. Last November, AOL threatened to block e-mail from Gap. Even though Gap said it only sent e-mail to people who explicitly signed up for its mailing list, AOL said that many of its members reported Gap mailings as spam. When it investigated, AOL found that Gap had been offering people a 10 percent discount for providing their e-mail address. Nearly a third of the addresses collected were fake, but they often belonged to other people who did not want the Gap e-mail.
"You can't underestimate the power of people to make up an e-mail address to get a 10 percent discount," said Matt Korn, AOL's executive vice president for network operations.
The other major approach to preventing spam is to block any messages sent from computers and e-mail addresses known to be used by spammers. This is harder than it seems because the spammers are constantly changing their accounts and are adept at methods to make up fake return addresses and hide behind private accounts. That does not prevent the big service providers, and an army of spam vigilantes, from creating blacklists of offenders.
These blacklists, however, often also block legitimate companies and individuals from sending e-mail. That is because the spammers find ways to hijack unprotected computers to relay their messages, thus hiding their true origins.
In the earlier, more innocent days of the Internet, many computers were set up to relay e-mail sent by any other user, anonymously, just to give a helping hand to those with connection problems. Now there still are computers set up to be what is known as an open relay, even though such machines are largely used by spammers.
Another approach to limiting spam, which is favored by big marketers, is to create a "white list" of approved senders, but this raises the question of who will compile such a list. A group of the companies that send e-mail on behalf of major corporations will put forward another proposal tomorrow that would allow senders to certify their identities in every e-mail message they send and report a rating of how much they comply with good mailing standards. Users and Internet service providers would then decide what sort of mail they choose to accept.
"We wanted to come up with a way of shining a big bright light on all those that want to stand in the light and say, `This is who I am, and I was that person yesterday, and I'll be that person tomorrow,' " said Hans Peter Brondmo, a senior vice president at Digital Impact, a major e-mail company and one of the developers of the proposal, known as project Lumos.
Rather than such a self-regulatory approach, the antispam legislation in the Senate would try to make many deceptive e-mail practices illegal. It would force commercial e-mail messages to identify the true sender, have an accurate subject line and offer recipients an easy way to remove their names from marketing lists. And it would impose fines for violators.
For her part, Ms. Sachs, the e-mail marketer, says that any such move would only end up making it harder to run a legitimate business.
"These antispammers should get a life," she said. "Do their fingers hurt too much from pressing the delete key? How much time does that really take from their day?"
By contrast, she said, "70 million people have bad credit. Guess what? Now I can't get mail through to them to help them."
Best way is for ISP's to require a special application and checks for any user who sends more than 100 or so e-mails a day.
Now that the technique to do this is becoming known, expect products in the next year or two to take advantage of it.
This is clearly an attempt to evade the security of the target computer, and should be punished under the computer "cracking" laws. (Kevin Mitnick went to jail for five years. Since I'm in a very good mood today, I'll consider than an acceptable penalty for a first-offending spammer.)
Two faces down, 53 to go. Anybody know a good manufacturer of custom playing cards?
That is a good idea. I could help out with 400-500 a day, and I don't use AOL or any of the other free services.
Insert joke here.
Anyway, this article just proves that Ms Sachs and Mr Ahdoot are very, very stupid people. There are a lot of extremely angry people out there that will now be aiming spam at THEIR private email accounts, signing them up for magazine subscriptions, etc ... and they deserve every bit of what they get.
It would take a few months to implement, but in the end it would reduce spam by 95-98%.
Oh yeah, two other laws would be needed: 1) Anyone who sends unsolicited commercial email gets fined $250 per email. 2) No ISP could offer trial accounts (this means you, AOL) that allowed users to send more than five emails per hour.
Combine that with Apple's new Safari browser--which blocks pop-ups and is compact and elegant and faster than IE--and the Mac platform's near-absence of viruses and you have hassle-free Internet surfing and communications.
Also easy C program: Get the headers off your server (presuming you don't use AOL, but people that slow aren't here), delete the obvious there, and then open up your favorite e-mail client for stuff you want to look at. It's working so far, but is getting worse. Pretty soon, I'll be doing more heavyweight filtering.
I shouldn't have to. And it's becoming noticeably higher volume.
They look like mimes, which are almost as irritating as getting 485 pieces of junk in your bulk mail folder.
I do a lot of mailing, and get a lot of mail - just extremely rare to get stuff I don't want.
Maybe I'm just lucky!
Did you see the story about Alan Ralsky getting buried in junk snail-mail and whining about it? Hey, Al -- karma's a bitch!
But that's just the point - she is NOT running a legitimate business. She's stealing bandwidth and space that others pay for.
I want to see a "Do Not Spam" list like the do not call lists, and fat fines for those who violate them.
Spammers are scum.
The filtering improves with time, but I think I have probably approached its peak after about 3 weeks of use. It's about 95% effective in detecting spam and sending it to the spam folder automatically.
But there is a downside, of that 95% it thinks is spam perhaps 3% is not spam. So in order to not delete e-mails you want you have to review what it thinks is spam. You can do this quickly because it puts it all together for easy review, but its still a problem! It still wastes a lot of my time.
The only solution I think can be 100% effective yet consume almost no user time is TMDA (www.tmda.org). It's a 'white list' solution. Unfortunately my ISP doesn't yet offer it.
Mozilla also has an e-mail client with Bayesian filtering built in.
Some ISPs are restricting who they'll take mail from on this basis. AOL and Earthlink won't take your mail if you're on an IP addy which resolves to a DHCP block, or something other than the domain you present to their server. RoadRunner runs scans and tests on incoming mail servers and won't accept mail from open relays or proxies. Does this help? Not from where I sit, as I'm still getting spam from folks with American-sounding (mostly spoofed) domains, but with IPs which originate in places like China, Hong Kong, Romania, etc. So it's still getting into RoadRunner's network from somewhere, somehow.
The problem with this is that many people are running open relays and proxies and don't even know it. And if they never use it to send mail, it won't ever be detected -- except by spammers running scans. I see several episodes per month, where overseas spammers try to send test e-mails through my mail server. Thus, some misconfigured user gets penalized, while the spammer gets away.
And to stop people from merely moving their email harassment operations outside US borders, make it illegal for US internet companies to accept ANY connections from sites that have open relays ... no web connections, no telnet, no nothing.
This ignores the fact that many overseas ISPs are nothing more than spam relay houses. Now we're talking international commerce. And RoadRunner is taking some heat for doing its port scans.
I think the e-mail users are going to have to combat this problem themselves, as with banners and pop-up ads, with mail filtering and tactics... such as:
They mainly do this to reduce the size of the e-mail; it's generally impossible to resolve an IP addy in a web server log to an e-mail addy, however if they're using anonymous FTP to retrieve the images, they could learn your addy that way... therefore, DO NOT enter your real e-mail addy into your web browser for anonymous FTP.
I think we'll eventually get to the point where you'll have to have sender confirmation. There are already some systems in place to do this. If we eliminate fake/forged return addresses, it will get rid of a lot of spam. Of course, then spammers will just randomly pick a valid address to send from. Some already do this. A lot of thought is currently being put into how to deal with mail in a better way. The POP protocol was fine back in the day, but it doesn't quite satisfy anymore. It is going to be hard to replace though, as there are also legitimate uses of anonymous mail that should be honored. I've used anonymous remailers before and have found them to be useful tools.
One thing that I'd like to see a lot more of is encrypted/digitally signed mail. I still don't understand the resistance so many people have to encryption.
Its a whitelist with lots of additional features to make it more practical. I would really like to use it, but my cable internet provider seems uninterested..at least so far. Probably not enough complaints yet.
I've already run into this. I use sendmail at home to post outgoing mail. I don't accept mail, so can't be a relay, (other than for local users, but that's the way it's supposed to work), but I still can't send mail to a couple of people. I'd rather have the ISPs getting rid of all the jacka$$es that are still beating on my server with code red infections.Rather than just blatantly block all DSL/Cable IPs, it would make more sense to check for open an open relay and accept if it's not present.
Maybe we can turn the tables on them like people did to Alan Ralsky.
One interesting thing about manual whitehat filtering is that you get a good feel for how many people/orgs you are actually communicating with. I get so much spam now that it was almost impossible to deal with my inbox in an efficient manner prior to implementing a whitehat list. This is the down side of having the same email address for 6+ years.
Not true, you spam villains. I hereby certify that I have never agreed to receive marketing offers over the Internet. Spam is not what America stands for, spam is obnoxious and vile and someday we will come up with a reply weapon that will seek out and damage these creeps. I had to change ISP's because I was getting over 50 spams a day for porn, diet pills and get-rich-quick scams. I dreaded getting my mail because it took so long to download and delete this crap.
It's easy to redirect mail bound for Earthlink/AOL through your ISP's server, using these rules in the "mailertable" file.
aol.com esmtp:your.isp.smtp.server earthlink.net esmtp:your.isp.smtp.server
They'll accept mail from your ISP every time.
For RoadRunner, the only answer is to tighten up your server and/or firewall them out.
Spam and e-mail virii weren't a problem back in the day; as uses for e-mail have evolved over the years, so must the tools. If we can limit what gets injected and transported through the network to begin with, there will be less crap that the users need to filter out.
DOES EMAIL ADVERTISING WORK? It just did. Email advertising is the most effective method of marketing your product. No guess work about how many people will see your ad. They all will. Your ad delivered directly into the inbox thousands, even millions of people. We can help you advertise your service or product from as ow as $399. We can send your ad to up to 55 million email users. 250,000 - $499 *Special $399 500,000 - $649 *Special $499 1 million - $999 *2 million for $1000 3 million - $1999 *Special $1499 10 million - $4999 *Special $3499 Specials end on Friday at 1 pm Pacific. ATTENTION NETWORK MARKETERS: Let us help you generate biz op leads. We can help you generate quality leads. When the sales rep calls you ask for details. Want your own opt in list? We are selling a double opt-in list of 185,000 people who have opted in and are known to have purchased through direct email marketing. We are only selling this list to 10 people for the very low cost of $3500. Won't last. Note: This is national advertising only. We cannot target or segment in anyway. To learn more about email advertising, print this form and fax back to: (702) 447-5895 and a representative will contact you shortly. Name:_______________________ Telephone:(_____)_____-_________ Fax #(_____)_____-__________ Email address:____________________ ----------------------------------------------------------------------------------------- To be removed please send an email to firstname.lastname@example.org Please note this is the only way to be removed. Removal request via fax or telephone will NOT be honored. ----------------------------------------------------------------------------------------- esutrust jdgfd yi bzcnbccn
By the way, this string, variations of which you see on most spam,
and which I changed to protect the innocent, identifies the spam batch, or what?
esutrust jdgfd yi bzcnbccn