24 June 2003

I think, therefore I’m spam

Things are getting a little worrying: junk email is getting intelligent. True, those pitches for Viagra, penis enlargement, gambling, baldness cures, cheap credit or phoney diets are just as crass as they ever were.

But the techniques used to stuff the spam into your mailbox are getting smarter by the day.

“It is like an arms race and it appears at the moment that the spammers are winning,” said Paul Wood, chief information analyst with MessageLabs, a British email security company.

“To be honest, I expect it to get much more unpleasant in the future.”

In May, according to anti-spam firm Brightmail, nearly 50% of all internet traffic was unsolicited junk mail, a growing trend that translates into productivity losses of billions of dollars a year for corporations and individuals.

Spammers get into your mailbox by generating random addresses and spraying them into the ether in the hope they find a target.

And they also send out software robots called “spambots” which, like little spiders, crawl out over the Web and harvest addresses posted in chatrooms and newsgroups.

In an experiment last year, US researchers at the Centre for Democracy and Technology created 250 e-mail addresses, some of which were posted in the public domain and others in the corporate domain.

Some addresses were posted using the @ symbol, while others used human-readable equivalents: “[email protected]” would be written “fred at bloggster dot com”.

During their six-month study, the team received around 10 000 emails, 8 400 of which were spam. Ninety-seven percent of the junk derived from addresses that had been posted on public sites, with organisations linked to major portals like Yahoo! and AOL — themselves highly active in fighting spam — the biggest sources.

But none of the addresses sent in human-readable form got junkmail, for they could not be read by the spambots. Not yet, anyway.

Anti-spam filters work by sniffing out keywords typically used in unwanted bulk mail and blocking the message before it hits the in-tray.

So to get around the guardians, bulkmail copywriters are deploying efforts worthy of avant-garde poets to change the spelling of words in the subject line or replace letters with numbers.

They also strive to find unsullied, enticing words that can worm their way through — using “need to know,” “demo,” “preview” and “trial” rather than the over-spammed “free,” “opportunity,” “exciting” and “credit.”
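As an added illustration (not part of the original article), the sketch below shows why swapping letters for numbers defeats a plain keyword filter, and how normalising the subject line first restores the match. The block list is the four over-spammed words named above; the substitution table, function names and sample subject lines are constructed assumptions.

```python
import re

# Assumption: the block list is the four "over-spammed" words named in the article.
BLOCKED = {"free", "opportunity", "exciting", "credit"}

# Constructed table of common digit/symbol stand-ins for letters.
LOOKALIKES = str.maketrans("013457@$", "oieastas")

# Three or more single letters split by the same separator, e.g. "f.r.e.e" or "f r e e".
SPACED_OUT = re.compile(r"\b[a-z]([.\-_* ])[a-z](?:\1[a-z])+\b")


def keyword_hits(text):
    """Return the blocked words that appear as whole words in text."""
    return BLOCKED.intersection(re.findall(r"[a-z]+", text.lower()))


def normalise(subject):
    """Undo letter-for-number swaps and spaced-out spelling."""
    text = subject.lower().translate(LOOKALIKES)
    return SPACED_OUT.sub(lambda m: re.sub(r"[^a-z]", "", m.group(0)), text)


def filter_hits(subject):
    """Match on both the raw and the normalised subject line."""
    return sorted(keyword_hits(subject) | keyword_hits(normalise(subject)))


# Constructed subject lines, not taken from real mail.
SAMPLES = [
    "Exciting opportunity, free credit check",
    "3xc1ting 0pp0rtunity: FR33 cr3d1t ch3ck",
    "F.R.E.E c r e d i t",
    "Preview our trial demo",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive={sorted(keyword_hits(s))} normalised={filter_hits(s)}")
```

The last sample passes both checks, which is the limit the article describes: a keyword list only catches words someone has already put on it.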

But the spammers’ creative skills are also veering over to the dark side. One nasty invention, uncovered last October, is an e-mail greetings card in which victims are told they have to install a software “plug-in” to read the message. As soon as the mini-programme is installed, it starts blasting out popup advertising.

Worse is the highly illegal “Trojan spam” — a virus wrapped in an email which exploits weaknesses in Microsoft’s Outlook programme.

If activated, it opens up the computer’s address book and trots out the junk message to everyone on its list.

MessageLabs last week said it found the first example of a highly sinister Trojan in which spammers take over a slave server or a computer with an “open proxy” broadband connection. Exploiting a loophole called the back door, it turns the machine into a junk mailer. Unlike its predecessors, the new virus is almost impossible to trace and virtually undetectable by the victim, said Wood. Users might notice that their internet connection has slowed down a little, but nothing more.

In this case, the unknown spammer used the hijack technique to send out a million e-mails with ads for websites selling images of incest pornography.

Opening a legal front against spam has now become a major task. European Union countries are due to implement a tough law by October that will require bulkmailers to secure the permission of the user before including his or her address on their mailing list.

This “opt in” approach is the opposite of that being taken by the United States, where between 150 and 200 organisations are believed to account for 80% of internet junk mail.

They flourish thanks to a messy hotchpotch of state laws which the US Congress is now trying to resolve with a proposed federal law. But legislation may only reduce spam, not eradicate it. In a globalised economy, offenders can easily shift to a location where the policing is less tough.

The vast majority of spam recipients delete junkmail without a second thought, but a response rate of just one in 100 000 is enough for the spammers to make a profit.

So targeting the companies that give mailing contracts to the spammers, rather than the spammers themselves, may be a far more worthwhile approach, say some. – Sapa-AFP