Spam Considered HarmfulJohn S. Quarterman <email@example.com>
Copyright © 1997
From Matrix News, 7(4), April 1997
A version of this article also appeared in MicroTimes.
Paper junk mail is often bad, but spam is worse. The big difference from paper junk mail is that the per-copy cost of spam to the sender is much lower. And the cost is often higher to the recipient. Some people pay per message received or per disk block. Combined with the global reach and speed of the Internet, this means that spammers can send out far more messages to far more people far more quickly using the same amount of money as they might have used for a paper mailing.
But there are costs; they're just borne by the intermediate transfer networks, servers, and hosts, and by the recipients. Paper junk mail has to have postage. Even if it's postage at a bulk mail rate, it's supposedly set high enough for the Post Office to recover costs of delivery; I've even seen claims that it's junk mail that really pays the operational costs of the U.S. Postal Service. There is no such postage for Internet mail messages. The lack of such postage is a huge boon for productive uses of the Internet, such as research, commerce, and personal messages. It is, unfortunately, also a huge boon for con artists, thieves, and spammers.
In this column I address electronic mail spam. There is also USENET spam, defined as any message sent to 20 or more newsgroups. Spam is spam in either case, and much of what applies to electronic mail spam also applies to USENET news spam. This column doesn't explain every possible point about mail spam, either, and something has to be left out to keep it from getting even longer than it is. See <URL:http://spam.abuse.net> for more information.
Pyramid schemes are offers to buy into marketing rackets where you can sell a piece of the action to still more people, who in turn can do the same. Those who get in early make some money. Those who get in late spend money and get nothing back when the whole thing collapses because it's run out of people to scam. This is the kind of thing that just brought down the government of Albania. In the United States and many other countries, it is illegal. As spam, pyramid schemes are usually gussied up as MLM, or Multi-Level Marketing, and sometimes they're thinly disguised as chain letters; not that either mask makes them any prettier.
Another common kind of spam is offers of software to send spam; sort of meta-pyramid schemes. It's pretty amusing that most of these things don't claim to do anything you couldn't write a five line Bourne shell script to do. But it shouldn't be surprising that people who use and sell these things usually aren't very technically sophisticated. After all, learning technology might take work, which is harder than stealing.
Kinds of things you don't usually see in spam offers are computer hardware, vehicles, real estate, furniture, or other items that normally require identity checks and stability on the part of the buyer and the seller. Spammers are usually fly-by-night operators. They get kicked off of most systems they abuse as quickly as they are discovered, both because part of what they are stealing is resources on the system they are sending from, and partly because few self-respecting ISPs want to be known as platforms for spammers to use to steal from others. Spammers often disguise their return address and include only a telephone number or a postal address. This isn't surprising; thieves often disguise themselves.
Spammers also often push their mail through other people's systems; this allows them to offload the real costs (CPU time, disk space, etc.) onto other innocent third parties. When they do this, spammers usually forge mail headers to make it look like the spam originated on the system they're abusing so as to also offload the blame. Most mail recipients don't know enough about the guts of the Internet mail system to be able to recognize such forgeries, and so such recipients complain to the abused ISP, even though they were not the cause of the problem and were as much a victim (arguably more so) than the recipient of the mail.
I know I see at least 5 spams a day, so the total cost of spam would be at least $350,000 a day. Supposing spammers were tasteful enough to only spam on weekdays (ha!), that would come to $87,500,000 in wasted time per year.
Others tell me it takes at least 10 seconds to deal with each spam, and they see 12 or even 50 spam messages a day, so the real cost in wasted time could easily be an order of magnitude more than that. We know of one computer vendor who has had an engineer doing nothing but fighting spam for the last six months. That's at minimum $75K in salary and overhead per person costs. And that's not counting the productivity in her not doing the job she was hired to do. Then there are costs such as newsletter articles and mail messages about spam, not to mention legal fees and management time for all this. And we haven't figured in anything for wasted bandwidth, CPU time, or disk space. The total cost of spam is easily in the hundreds of millions of dollars a year.
Still, even though the above dollar estimates are extremely conservative and easy to defend, the number of dollars isn't the main issue. The main issue is that spammers are stealing from recipients and carriers so they can make a shady buck.
USENET newsgroups are particularly vulnerable, because they
are by their nature open to postings by anyone.
Various cancelbots have been deployed that spot and cancel spams,
but they can't catch all spams, and there is some elapsed time
during which even the spams the cancelbots catch are visible
and thus get in the way of some people reading their news.
Spammers also collect addresses from postings to newsgroups
and then spam those addresses directly by electronic mail,
so even cancelling spams posted as news doesn't stop spam
related to newsgroups.
Various specific spams and strategies for stopping spam are
discussed in the newsgroups under
But far too much spam still gets through, and lots of people
are finding their favorite newsgroups unusable because of it.
Mailing lists are easier to secure against spam, as discussed below, but some of them have to be open, and spam is damaging to them.
New people are often reluctant to join mailing lists or USENET newsgroups because they fear being spammed. People are also less likely to great mail from strangers with hospitality anymore, and far more likely to assume anything unusual is a spam.
Spam sent to individual mailboxes is the worst problem, because it can make electronic mail itself unusable. Subscribers to some of the larger ISPs, such as AOL, already report receiving more spam than real mail. While one could argue that that is yet another reason that overinflated services such as AOL are too big, there is danger of the problem extending to the rest of the Internet. The current spam plague is caused by relatively few spammers; maybe a few hundred of them. If even a fraction of a percent of all Internet users started spamming, the amount of spam we all would receive would be worse than what AOLers see now. One could hope that such a pandemic would cause a reaction that would inoculate the net against spam by making those who do it completely unacceptable. But it is more prudent to do what we can now to stop it.
The main thing to remember in all countermeasures is not to sink to the spammer's level. Don't spam them back, don't flood their networks with SYNs or pings or whatever, and don't threaten them with anything you're not willing to carry out, and not with violence at all. You can't fight robbers by becoming one. If you send complaints, send polite ones.
procmailor some other such incoming mail filer to automatically delete spam. Unfortunately, spam is hard to recognize automatically, because spammers go to great lengths to make it so, precisely to avoid such a countermeasure. You can try filtering on subjects, to trap such things as MONEY in all caps or multiple exclamation points or golf balls, but you always risk filtering out legitimate mail (such as complaints about spam with those subjects) and you will never get rid of all spam that way. Short of only accepting mail from a set list of known addresses, automatic incoming mail filtering doesn't really work well. Although you can, of course, filter out spam from spammers who are stupid enough to repeatedly use the same From: address.
Spam often tries to tease you into making a negative response, by offering that if you reply with the word "remove" in the Subject: header you will be "taken off our list". Many people have conducted experiments as to the real results of doing this, which are that you will get more spam.
firstname.lastname@example.org, just for handling such complaints. AOL, by the way, is a particularly popular location for spammers to use to send spam, because it's so easy to get an AOL account, do the dirty deed, and vanish. To its credit, AOL is also one of the more active opponents of spam.
Anyway, a good way to find the right complaint address for a domain is to use the facilities of <URL:http://spam.abuse.net> that are available for that purpose. There are also scripts for this purpose, such as <URL:http://www.mids.org/nospam/>, as well as others that are available through abuse.net.
Whenever you send a complaint, always include the entire spam message, including the headers.
It's probably worth noting at this point that not all spammers are hardened sociopaths. Some are people who don't know that spamming is bad. Some of them just don't understand the difference between paper junk mail and spam. Some of them got a spam offer of software to send spam, and accepted it, not understanding that the use of it would be considered bad by the recipients. Some of them bought mailing lists from spammers, with similar lack of understanding. Some such people are educable, and a slap on the wrist from a postmaster may be what it takes. Unfortunately, most spammers are not such misguided puppies. Nonetheless, you will do well to always make your complaint messages polite, if only because such a puppy isn't going to be converted by invective.
If you can determine where the message actually originated, another recourse is to use a tool such as WHOIS, dig, or nslookup to determine the domain name servers for the domain, and complain to postmaster or abuse at the domains of the nameservers. Or use traceroute to determine the Internet connectivity provider for the origin domain and complain to them. In particularly bad cases of abuse, the ISP or domain server organization (often one and the same) may kick the spamming organization off the net. Such a defenestration often isn't permanent, since the spammer will usually just go buy access from somebody else, but every even temporary inconvenience to a spammer is that much less spam sent out.
Sometimes it's worth debating a spammer in public, although this should be done with care, since even debating a spammer can be seen as legitimizing spam. Be prepared in a debate, as in a court case, for the spammer to try to shift the burden of proof onto you. Have facts and figures at hand, but remember the basic problem: spam is stealing resources from many people for no purpose but profit to the spammer.
Spammers often try to argue that those who oppose spam are simply opposing commerce. That is nonsense. MIDS, for example, publishes the oldest for-pay non-academic newsletter on the Internet, Matrix News <URL:http://www.mids.org/mn/>, as well as other periodicals, one of which has advertising. Advertising is a mainstay of web crawlers such as Yahoo <URL:http://www.yahoo.com> and Altavista <URL:http://www.altavista.digital.com>, for example, without which most of us would find life much more difficult. The problem with spam is not that it is advertising or commerce, nor even that what it advertises is almost all trash; the problem with spam is that it damages the Internet because of the way it is distributed, which forces everyone involved except the spammer to pay for the spam. That is not commerce; that is theft.
Furthermore, while there is a fairly clear technological difference between spam and socially-acceptable uses of the Internet, namely that spam is broadcast, ill-targeted, and unsolicited, these features may not be nearly so clear to lawmakers and courts. It's much easier to focus a law on the content of messages. That would result in a law prohibiting specific content on the Internet. And that is precisely what we are already fighting against in the battle against the Communications Decency Act (CDA). <URL:http://www.mids.org/mn/607/phila.html>. Remember, the real problem with spam is not the content, rather the distribution methods.
Even as long ago as October 1995, MIDS got some complaints to the survey forms for the Third MIDS Internet Demographic Survey ( MIDS ids3 <URL:http://www.mids.org/ids3/>), even though we were careful to send one and only one per domain. One respondant told us ``you're building a list to send mail to, and that's what spam is, isn't it?'' I don't think so, but it's easy to see how someone might think so. The difference I think is in how the list is built and how it is used. The list for MIDS ids3 was very carefully constructed to reach only just the people it needed to reach. Furthermore, the survey form did not ask for money, and the survey did supply a clear benefit to the recipients and to the Internet at large: composite information about the composition of the Internet and its users. Spam has none of these characteristics. But spam has polluted the conceptual space of electronic mail to such an extent that it is the main reason we have not yet done MIDS ids4; we haven't yet been willing to contend with false impressions of spam.
The year before that, by the way, in October 1994, we got no complaints claiming that the survey questionnaires were spam. The spam problem has built up that quickly. And it has increased drastically just this year, since about January 1997.
I consider such junk to still be spam. The only real advantage is that such customization does require more work at the spammer's end, not only in pulling out the salutations, but in that each message must be sent out separately. Thus the per-message cost to the spammer is higher, and there is incentive for the spammer to turn into something more savory by actually researching lists of people who want to receive mail on given topics!