Original

Spam Considered Harmful

John S. Quarterman <jsq@mids.org>

Copyright © 1997
Matrix Information and Directory Services (MIDS)

From Matrix News, 7(4), April 1997
<mids@mids.org>, http://www.mids.org
+1-512-451-7602, fax: +1-512-452-0127

A version of this article also appeared in MicroTimes.

The Nuisance

Every evening around 6PM various Teasing TIDBITS!!! and GURLS 4 U!!!!! and MAKE MONEY FAST offers appear in my electronic mailbox like pages torn out of some supermarket tabloid. Same in the morning and the middle of the night. Spam and more spam. It's a nuisance. But it's worse than that.

What is Spam?

It's an attempt to send out so many solicitations for money that even a tiny fraction of a percent of responses is enough to make a profit. It's electronic junk mail.

Paper junk mail is often bad, but spam is worse. The big difference from paper junk mail is that the per-copy cost of spam to the sender is much lower. And the cost is often higher to the recipient. Some people pay per message received or per disk block. Combined with the global reach and speed of the Internet, this means that spammers can send out far more messages to far more people far more quickly using the same amount of money as they might have used for a paper mailing.

But there are costs; they're just borne by the intermediate transfer networks, servers, and hosts, and by the recipients. Paper junk mail has to have postage. Even if it's postage at a bulk mail rate, it's supposedly set high enough for the Post Office to recover costs of delivery; I've even seen claims that it's junk mail that really pays the operational costs of the U.S. Postal Service. There is no such postage for Internet mail messages. The lack of such postage is a huge boon for productive uses of the Internet, such as research, commerce, and personal messages. It is, unfortunately, also a huge boon for con artists, thieves, and spammers.

In this column I address electronic mail spam. There is also USENET spam, defined as any message sent to 20 or more newsgroups. Spam is spam in either case, and much of what applies to electronic mail spam also applies to USENET news spam. This column doesn't explain every possible point about mail spam, either, and something has to be left out to keep it from getting even longer than it is. See <URL:http://spam.abuse.net> for more information.

What's in Spam?

Spam messages are almost always offers to sell something. What is for sale ranges from computer software to sex to magazine subscriptions to cheap vitamins to pyramid schemes.

Pyramid schemes are offers to buy into marketing rackets where you can sell a piece of the action to still more people, who in turn can do the same. Those who get in early make some money. Those who get in late spend money and get nothing back when the whole thing collapses because it's run out of people to scam. This is the kind of thing that just brought down the government of Albania. In the United States and many other countries, it is illegal. As spam, pyramid schemes are usually gussied up as MLM, or Multi-Level Marketing, and sometimes they're thinly disguised as chain letters; not that either mask makes them any prettier.

Another common kind of spam is offers of software to send spam; sort of meta-pyramid schemes. It's pretty amusing that most of these things don't claim to do anything you couldn't write a five line Bourne shell script to do. But it shouldn't be surprising that people who use and sell these things usually aren't very technically sophisticated. After all, learning technology might take work, which is harder than stealing.

Kinds of things you don't usually see in spam offers are computer hardware, vehicles, real estate, furniture, or other items that normally require identity checks and stability on the part of the buyer and the seller. Spammers are usually fly-by-night operators. They get kicked off of most systems they abuse as quickly as they are discovered, both because part of what they are stealing is resources on the system they are sending from, and partly because few self-respecting ISPs want to be known as platforms for spammers to use to steal from others. Spammers often disguise their return address and include only a telephone number or a postal address. This isn't surprising; thieves often disguise themselves.

Spammers also often push their mail through other people's systems; this allows them to offload the real costs (CPU time, disk space, etc.) onto other innocent third parties. When they do this, spammers usually forge mail headers to make it look like the spam originated on the system they're abusing so as to also offload the blame. Most mail recipients don't know enough about the guts of the Internet mail system to be able to recognize such forgeries, and so such recipients complain to the abused ISP, even though they were not the cause of the problem and were as much a victim (arguably more so) than the recipient of the mail.

The Cumulative Cost

I keep saying spam is theft; how much does it actually cost? Let's be very conservative. If a single spam message takes only 5 seconds for a recipient to deal with and it goes to 10,000,000 people (which is the size of list many spammers claim to have), we're talking around 14,000 person-hours of wasted time. Suppose you've got part-time student help dealing with it at $5/hour: that's $70,000 wasted by one spam message. And many of us charge more than that for our time.

I know I see at least 5 spams a day, so the total cost of spam would be at least $350,000 a day. Supposing spammers were tasteful enough to only spam on weekdays (ha!), that would come to $87,500,000 in wasted time per year.

Others tell me it takes at least 10 seconds to deal with each spam, and they see 12 or even 50 spam messages a day, so the real cost in wasted time could easily be an order of magnitude more than that. We know of one computer vendor who has had an engineer doing nothing but fighting spam for the last six months. That's at minimum $75K in salary and overhead per person costs. And that's not counting the productivity in her not doing the job she was hired to do. Then there are costs such as newsletter articles and mail messages about spam, not to mention legal fees and management time for all this. And we haven't figured in anything for wasted bandwidth, CPU time, or disk space. The total cost of spam is easily in the hundreds of millions of dollars a year.

Still, even though the above dollar estimates are extremely conservative and easy to defend, the number of dollars isn't the main issue. The main issue is that spammers are stealing from recipients and carriers so they can make a shady buck.

Social Costs

Even theft isn't the biggest problem with spam. Spam wastes so much time and makes real messages so hard to find that it can destroy the usefulness of online forums.

USENET newsgroups are particularly vulnerable, because they are by their nature open to postings by anyone. Various cancelbots have been deployed that spot and cancel spams, but they can't catch all spams, and there is some elapsed time during which even the spams the cancelbots catch are visible and thus get in the way of some people reading their news. Spammers also collect addresses from postings to newsgroups and then spam those addresses directly by electronic mail, so even cancelling spams posted as news doesn't stop spam related to newsgroups. Various specific spams and strategies for stopping spam are discussed in the newsgroups under news.admin.net-abuse. But far too much spam still gets through, and lots of people are finding their favorite newsgroups unusable because of it.

Mailing lists are easier to secure against spam, as discussed below, but some of them have to be open, and spam is damaging to them.

New people are often reluctant to join mailing lists or USENET newsgroups because they fear being spammed. People are also less likely to great mail from strangers with hospitality anymore, and far more likely to assume anything unusual is a spam.

Spam sent to individual mailboxes is the worst problem, because it can make electronic mail itself unusable. Subscribers to some of the larger ISPs, such as AOL, already report receiving more spam than real mail. While one could argue that that is yet another reason that overinflated services such as AOL are too big, there is danger of the problem extending to the rest of the Internet. The current spam plague is caused by relatively few spammers; maybe a few hundred of them. If even a fraction of a percent of all Internet users started spamming, the amount of spam we all would receive would be worse than what AOLers see now. One could hope that such a pandemic would cause a reaction that would inoculate the net against spam by making those who do it completely unacceptable. But it is more prudent to do what we can now to stop it.

Countermeasures

There are some things you can do about spam. See <URL:http://spam.abuse.net> for more.

The main thing to remember in all countermeasures is not to sink to the spammer's level. Don't spam them back, don't flood their networks with SYNs or pings or whatever, and don't threaten them with anything you're not willing to carry out, and not with violence at all. You can't fight robbers by becoming one. If you send complaints, send polite ones.

Close Mailing Lists

If you're running a mailing list, set it up so only list members can post to it. Be sure to also ensure that only list members can get a list of addresses of list members, or spammers will raid your list for addresses and then spam the members individually. And you'll need to arrange that all subscription requests have to be manually approved by the list owner, or spammers will subscribe just to send spam or steal addresses. These changes are easy to implement with most mailing list software, and they will keep spam out. Of course, this isn't possible for some really public mailing lists or for USENET newsgroups, but it works for most lists.

Manually Delete It

You can just delete each spam message as you recognize what it is. That was the basis of our minimal estimate of costs above. The problem with this approach is that it provides no negative incentive to try to get spammers to stop. The advantage of this approach is minimal effort, and it also gives the spammers no positive feedback, such as confirmation that your address actually reaches someone.

Filter It Automatically

It would be nice to be able to write a rule for procmail or some other such incoming mail filer to automatically delete spam. Unfortunately, spam is hard to recognize automatically, because spammers go to great lengths to make it so, precisely to avoid such a countermeasure. You can try filtering on subjects, to trap such things as MONEY in all caps or multiple exclamation points or golf balls, but you always risk filtering out legitimate mail (such as complaints about spam with those subjects) and you will never get rid of all spam that way. Short of only accepting mail from a set list of known addresses, automatic incoming mail filtering doesn't really work well. Although you can, of course, filter out spam from spammers who are stupid enough to repeatedly use the same From: address.

Complain to the Sender

This may seem the obvious course, but unfortunately it almost never works with spammers. Any reply, no matter how negative, is to a spammer simply positive confirmation that your address is answered by a live human. Which is to say, by a potential sucker. Answering spammers only gets you more spam.

Spam often tries to tease you into making a negative response, by offering that if you reply with the word "remove" in the Subject: header you will be "taken off our list". Many people have conducted experiments as to the real results of doing this, which are that you will get more spam.

Complain to the Spammer's Postmaster

A better idea is to complain to postmaster@domain, for the domain the spam came from. If the domain's organization has an anti-spam policy, the postmaster there may choose to shut off the spammer's account or otherwise discipline the spammer. Many ISPs maintain special aliases, such as abuse, as in abuse@aol.com, just for handling such complaints. AOL, by the way, is a particularly popular location for spammers to use to send spam, because it's so easy to get an AOL account, do the dirty deed, and vanish. To its credit, AOL is also one of the more active opponents of spam.

Anyway, a good way to find the right complaint address for a domain is to use the facilities of <URL:http://spam.abuse.net> that are available for that purpose. There are also scripts for this purpose, such as <URL:http://www.mids.org/nospam/>, as well as others that are available through abuse.net.

Whenever you send a complaint, always include the entire spam message, including the headers.

It's probably worth noting at this point that not all spammers are hardened sociopaths. Some are people who don't know that spamming is bad. Some of them just don't understand the difference between paper junk mail and spam. Some of them got a spam offer of software to send spam, and accepted it, not understanding that the use of it would be considered bad by the recipients. Some of them bought mailing lists from spammers, with similar lack of understanding. Some such people are educable, and a slap on the wrist from a postmaster may be what it takes. Unfortunately, most spammers are not such misguided puppies. Nonetheless, you will do well to always make your complaint messages polite, if only because such a puppy isn't going to be converted by invective.

Complain to Other Parties

Some spammers have their own domains, and are their own postmasters, and complaining to postmaster in such a case will only get you more spam. This is sufficiently common that unless the sending domain is an ISP, it's usually best not to complain to anybody at that domain. The domain in the From: line is often forged by the spammer, anyway, just to make useful complaints harder. Instead, examine the Received: headers of the spam message to see what ISPs the spam passed through, and complain to postmaster or abuse at those domains. Unfortunately, spammers often forge at least one Received: line, too, and some spam software also forges other headers, including Sender:, Message-ID:, etc. It may take an expert to tell which headers are forged and which are not, so it can be very hard to tell where the spam originated.

If you can determine where the message actually originated, another recourse is to use a tool such as WHOIS, dig, or nslookup to determine the domain name servers for the domain, and complain to postmaster or abuse at the domains of the nameservers. Or use traceroute to determine the Internet connectivity provider for the origin domain and complain to them. In particularly bad cases of abuse, the ISP or domain server organization (often one and the same) may kick the spamming organization off the net. Such a defenestration often isn't permanent, since the spammer will usually just go buy access from somebody else, but every even temporary inconvenience to a spammer is that much less spam sent out.

Mailer Filtering

Recent versions of most modern mailers, such as sendmail <URL:http://www.sendmail.org/antispam.html>, qmail, or exim, can be configured to reject all mail from specific mail addresses. This can be useful for blocking stupid spammers that send repeatedly from the same address. An ISP can use this kind of block to stop a spammer in the act of sending a mass of spam through the ISP.

Router Filtering

If a spammer has its own registered network number, the most efficient solution is to simply filter out their entire IP network number at your incoming router. Clearly care has to be exercised in choosing which networks to apply such a draconian solution to.

Legal Action

Pyramid schemes are illegal almost everywhere, as are chain letters, and as is fraud. If you can identify a spammer, it may be possible to sue, but you must be determined. In addition to the obvious costs of any court case, an opponent who is willing to steal massive amounts of resources from large numbers of people is not likely to stop at any underhanded trick.

Publicity

Spammers usually have no shame, but if enough people come to realize spam is bad, spammers may be stopped by public pressure. And at least maybe we can stop the news media from misrepresenting spam as good or impossible to limit or no different from paper bulk mail.

Sometimes it's worth debating a spammer in public, although this should be done with care, since even debating a spammer can be seen as legitimizing spam. Be prepared in a debate, as in a court case, for the spammer to try to shift the burden of proof onto you. Have facts and figures at hand, but remember the basic problem: spam is stealing resources from many people for no purpose but profit to the spammer.

Spammers often try to argue that those who oppose spam are simply opposing commerce. That is nonsense. MIDS, for example, publishes the oldest for-pay non-academic newsletter on the Internet, Matrix News <URL:http://www.mids.org/mn/>, as well as other periodicals, one of which has advertising. Advertising is a mainstay of web crawlers such as Yahoo <URL:http://www.yahoo.com> and Altavista <URL:http://www.altavista.digital.com>, for example, without which most of us would find life much more difficult. The problem with spam is not that it is advertising or commerce, nor even that what it advertises is almost all trash; the problem with spam is that it damages the Internet because of the way it is distributed, which forces everyone involved except the spammer to pay for the spam. That is not commerce; that is theft.

The Best Countermeasure

There is no single best countermeasure. You have to choose the level of effort you are willing to expend, and the method that seems appropriate to the specific spam. Often you may want to use several measures, such as sending a complaint and adding the sending address to a stop list.

The Less Obvious Costs

Spam is bad, but we must be careful how we counter it.

Anti-Spam Legislation

Calling for legislation specific to spam is calling for legislation specific to the Internet, and that is usually not a good idea. Setting precedents for Internet-specific legislation is just asking for legislatures to make more laws about the Internet. Given how little elected lawmakers know about technology in general and the Internet in particular, do we really want that? Especially given how fast the Internet changes and how slow legislatures and courts work? Ill-formed laws that quickly become even more obstructive or dangerous as they age would be the most likely result.

Furthermore, while there is a fairly clear technological difference between spam and socially-acceptable uses of the Internet, namely that spam is broadcast, ill-targeted, and unsolicited, these features may not be nearly so clear to lawmakers and courts. It's much easier to focus a law on the content of messages. That would result in a law prohibiting specific content on the Internet. And that is precisely what we are already fighting against in the battle against the Communications Decency Act (CDA). <URL:http://www.mids.org/mn/607/phila.html>. Remember, the real problem with spam is not the content, rather the distribution methods.

Volume Charging

It's easy to note that spam is possible because the Internet has no volume charging, and leap to the conclusion that implementing volume charging is the way to stop spam. That might work, but volume charging would also stop a lot more productive mail. Let's stop and think more than twice about that solution.

Edge Cases

Sometimes I get a message that reads like spam, but may not be quite that. Usually the first clue is that it has a real return address.

Surveys

Many people want to know many things about the composition of the Internet and its users. One of the best ways to find out is to survey its users or its organizations. Unfortunately, that is becoming increasingly hard to do, because any survey, no matter how carefully constructed, worded, or targeted, is likely to be mistaken for spam.

Even as long ago as October 1995, MIDS got some complaints to the survey forms for the Third MIDS Internet Demographic Survey ( MIDS ids3 <URL:http://www.mids.org/ids3/>), even though we were careful to send one and only one per domain. One respondant told us ``you're building a list to send mail to, and that's what spam is, isn't it?'' I don't think so, but it's easy to see how someone might think so. The difference I think is in how the list is built and how it is used. The list for MIDS ids3 was very carefully constructed to reach only just the people it needed to reach. Furthermore, the survey form did not ask for money, and the survey did supply a clear benefit to the recipients and to the Internet at large: composite information about the composition of the Internet and its users. Spam has none of these characteristics. But spam has polluted the conceptual space of electronic mail to such an extent that it is the main reason we have not yet done MIDS ids4; we haven't yet been willing to contend with false impressions of spam.

The year before that, by the way, in October 1994, we got no complaints claiming that the survey questionnaires were spam. The spam problem has built up that quickly. And it has increased drastically just this year, since about January 1997.

Press Releases

It is possible to spam a press release; remember the distinctive feature of spam is distribution method, not content. But most press releases are sent to specific contacts at news organizations or periodicals. If it says "Press Release" it's usually not spam.

Initial Offers

AOL, and probably other centralized services, by default sends new subscribers some mail messages about initial offers. These messages can easily be turned off on initial configuration of the AOL software, and they are only going to one person, so clearly they are not spam. Sometimes people think they are, because they are commercials, but content does not make spam; distribution does.

Targeted Offers

Sometimes there is a specific salutation with my name in it. Remember spammers are not usually on the leading edge of technology, so spam to date has mostly been impersonal. But there are always some programmers who will take on any task, no matter how unsavory, and there are now spam programs that can customize each spam message with a personal salutation. The name to use in the salutation is usually available in the same place the spammer got the electronic mail address, such as the WHOIS database, web pages, or whereever. So some spammers have now gotten up to the level of those paper solicitations I get that are addressed to "Mr. J.S." or "Mr. Project" (from the WHOIS entry for the Quarterman Family History Project <URL:http://www.quarterman.org>).

I consider such junk to still be spam. The only real advantage is that such customization does require more work at the spammer's end, not only in pulling out the salutations, but in that each message must be sent out separately. Thus the per-message cost to the spammer is higher, and there is incentive for the spammer to turn into something more savory by actually researching lists of people who want to receive mail on given topics!

Spam Is Bad

Spam is the closest thing that I know of to a purely evil result specifically made possible by the Internet. Let's use the Internet to stop it.
[up] [MN Online] [MIDS]