acm - an acm publication


Sam Spam the flimflam man

Ubiquity, Volume 2001 Issue January, January 1 - January 31, 2001 | BY Shannon Jacobs 


Full citation in the ACM Digital Library

You can't stop him -- No one can! (But we'd like you to try.)

Spam is bad. But you knew that. Still, I'm going to write a bit about why it's bad and then consider what can be done to stop it. However, my sad conclusion is that we can't. Everyone complains about the weather too, but no one does anything about it. All the better if you can prove me wrong with your contribution (by clicking on the Forum link below).

How bad is spam? It so overrunneth with badness that this is the hardest part to write. The amazing thing is that even though there are only a few spammers out there, they can intrude on and annoy so many people. A 50-cent CD-R can hold millions of email addresses and Sam would gladly hit all of them if he could only stay connected long enough.

Sam's only message is "I think you are stupid enough to send me money." As an example, consider a mailbox Yahoo created on my behalf as a spin-off from one of the services they acquired. I have never used or published this email address. I do not know how it got onto the spam email CDs. This mailbox currently contains 261 pieces of spam. Looking at the subjects of the first 50 items, I see 34 get-rich-quick scams, 5 snake-oil sales (diet pills, Viagra substitutes, etc.), 5 invitations to steal (personal information, satellite services, etc.), 2 probes (validity tests of the email address), 2 ads for cheap phone services, and one X-rated Web site. I suppose the last three could be considered advertising -- if the companies they tout exist long enough to deliver anything. That accounts for 49 of the messages. The other one was cubic spam -- the spam that tells how you too can become one of the most detested beings on the planet. (Some of the 34 spams in the first category were probably cubic spam, too, but it wasn't obvious from their subjects.)

The clear goal is to transfer our money to Sam's pocket. Sam wants us to front his expenses, too. Even if you personally don't fork it over, you pay for Sam's efforts to find the few suckers who will. Sam thinks nothing of sending messages to millions, hoping that a tiny percentage will take the bait. In the strange math of the spammers, it seems inevitable that they must someday concoct the spam that works. Just because all of their previous efforts have produced a few peanuts doesn't mean the next one won't be the mother lode! Broadcasting millions of spams is no problem -- the rest of us pay for the resources Sam needs.

SMTP relay service is a good example to discuss in public because it's mostly been cured, thanks in part to the efforts of the ORBS folks. Back in the old days, it was convenient to use a relay when your local SMTP server was having problems. This was a good neighbor policy that Sam found really nifty. With a suitable envelope, one spam message to any SMTP server would be relayed to a thousand targets. Why should Sam squander his limited network bandwidth when he could help himself to yours?

Network bandwidth is only one of the resources the rest of us pay for. How about storage? Sam has one source message taking a few kilobytes on his machine, but as the spam spreads, it becomes millions of copies taking up millions of kilobytes all over the world. How about time? Sam invests a few minutes in a message and, barring interference, goes to lunch and a movie while a few million copies are spammed out. If you work fast, you can recognize and kill a spam message in two seconds. A man-year is about 750,000 seconds. Sam's afternoon effort just consumed several man-years of Delete keys -- but he isn't paying any salaries.

Spam has a number of characteristics that make it easy to recognize and dispose of. Of course Sam "works" hard to disguise his spam by fudging the headers and disguising the subjects, but it's still obvious. From the reader's perspective there is always some contact information -- some way to get the money to Sam. Getting your money is the point; virtually all spam is somewhere on the scale from shady to illegal. From the perspective of the network administrators tending to their SMTP servers, only legitimate list servers have reason to broadcast email. The broadcast pattern of spam is obviously abnormal. If it's so easy to spot, why does it still exist?

It's easiest to start on the technical side. The Internet was designed around good neighbor policies and spammers are supremely bad neighbors. There are many anti-spam tools available. One of my user-level favorites is the Spam Combat page, which has a number of tools conveniently collected in one place. Delivery-level filtering is also popular, though I oppose it because spammers like it -- Sam knows that people smart enough to set up filters aren't likely to send cash. Sam would much prefer their silence rather than their pursuit -- and all the better to resell their email addresses to the next spammer. However, at the endpoint where filtering happens, the costs have already been incurred.

It is possible to escalate filtering. For example, large SMTP servers like ACM's mail forwarding server could spool all mail and search for spam. If it was a settable parameter lots of folks would set an email delay against spam -- but most of the waste would survive. The extreme escalation would be to invert the MX-record system. Instead of getting the true IP address of the destination and allowing for direct delivery, local MX requests would always return the IP address of a local SMTP server -- a machine designated by the backbone providers to provide spam filtering with hair on it. Only the backbone SMTP servers would know how to get the remote MX records and how to relay the real email, sans spam. Faster filtering closer to the sources would at least reduce wasted network resources.

Even though the backbone providers talk about stopping spam, the obvious truth is that they don't really care. As long as someone pays for the packets, it's just more business. The variation from the ISP's perspective is that delivering spam is a cost passed down to customers. Hey, even for free email systems there can be reasons to tacitly ignore spam, as with the Yahoo example already mentioned. Remember that they defray the costs of free email service by selling ads -- and the value of the ads is supposedly linked to the quantity of email flowing through the system. Why should the paying advertisers be told how much of the email is unread spam?

So what about the non-technical perspective? From that angle it seems nothing needs to be done -- all those obviously illegal spam scams are publicly visible, with phone numbers or even physical addresses, so here come the cops, right? Wrong. One exception is spam for pump-and-dump stock scams, which seems to have mostly disappeared. The SEC apparently reads their [email protected] email and acts on it. I had some hopes for the state attorneys-general, but those hopes were misplaced. They have Web pages and you'd think it would be easy and politically popular to go after local spammers, but they don't. I can well understand why the USPS wants to ignore chain mail scams, even though they do pursue the ones without email support -- anything that makes email look bad is a hope for their bleak future. I even checked to see if the IRS was interested in spam with obvious tax evasion. Hard to tell which is better hidden -- their interest in e-tax evasion or their email address. However, the IRS email address bounces in a loop, so at least no one will be spamming them.

Some of the "competent authorities" may be comfortable thinking spam is someone else's problem. They seem willing to sit back and wait for the politicians and lawyers to give them specific laws and detailed instructions -- and the tagged funding, too. Anyway, they have plenty of other crime to investigate and most spam is in the minor nuisance category. The "primary victims" are the least likely to complain -- the few who send money to the spammers feel distinctly awkward complaining about their own foolishness. For the rest of us, it's a minor nuisance multiplied by the millions. I like email and I'd like to share my email address widely -- but you can bet your spam I won't. The bottom line is that the spam continues. It's a testimony to the ingenuity of fools, I suppose. Some ingenious fools even tried an email spam protection racket recently, but that's another story.

Maybe you have a better idea? Can you see a solution? Feel free to click on the Forum link and discuss it. You might even add a few words about how you feel about spam. But please don't forget that this is a family-oriented Web site.

Shannon Jacobs is a technical editor for a subsidiary of IBM, with concentration on software-related research reports.


Leave this field empty