E-mail spam
E-mail spam is a subset of spam that involves sending nearly identical messages to numerous recipients by e-mail.
Spam is e-mail that is both unsolicited by the recipient and sent in substantively identical form to many recipients. Thus, a common synonym for spam is unsolicited bulk e-mail (UBE). Some definitions of spam specifically include the aspects of email that is unsolicited and sent in bulk
Overview
An email client detecting spam messages. Spammers frequently disguise their messages with obfuscated text.
An extreme amount of E-mail spam in Hotmail, a web-based E-mail service.As the recipient directly bears the cost of delivery, storage, and processing, one could regard spam as the electronic equivalent of "postage-due" junk mail. However, this does not mean that all commercial email is spam; for example, some recipients may have opted in (i.e., willingly chosen) to receive the marketer's email.
Spam is sent by organizations of varying sizes and motivations. Some are large, well-known companies; spam from these sources is sometimes called mainsleaze. A widely-known instance of spamming by a large corporation was Kraft Foods' marketing of its Gevalia coffee brand. Advance fee fraud spam such as the Nigerian "419" scam may be sent by a single individual from a cyber cafe in a developing country. Organized "spam gangs" operating from Russia or eastern Europe share many features in common with other forms of organized crime, such as turf battles and revenge killings.
Spammers may engage in deliberate fraud to send out their messages. Spammers often use false names, addresses, phone numbers, and other contact information to set up "disposable" accounts at various Internet service providers. They also often use falsified or stolen credit card numbers to pay for these accounts. This allows them to move quickly from one account to the next as the host ISPs discover and shut down each one.
Spam is often used to collect personal information bought by other companies, allowing them to access your information typed in the "spam".
Senders may go to great lengths to conceal the origin of their messages. Large companies may hire another firm to send their messages so that complaints or blocking of email falls on a third party. Others engage in spoofing of e-mail addresses (much easier than IP address spoofing). The e-mail protocol (SMTP) has no authentication by default, so the spammer can pretend to relay a message apparently from any e-mail address. To prevent this, some ISPs and domains require the use of SMTP-AUTH, allowing positive identification of the specific account from which an e-mail originates. Senders cannot completely spoof e-mail delivery chains (the 'Received' header), since the receiving mailserver records the actual connection from the last mailserver's IP address. To counter this, some spammers forge additional delivery headers to make it appear as if the e-mail had previously traversed many legitimate servers.
Spammers frequently seek out and make use of vulnerable third-party systems such as open mail relays and open proxy servers. The SMTP system, used to send e-mail across the Internet, forwards mail from one server to another; mail servers that ISPs run commonly require some form of authentication that the user is a customer of that ISP. Open relays, however, do not properly check who is using the mail server and pass all mail to the destination address, making it quite a bit harder to track down spammers.
Increasingly, spammers use networks of virus-infected PCs (zombies) to send their spam. Zombie networks are also known as Botnets. In June 2006, an estimated 80% of e-mail spam were sent by zombie PCs, an increase of 30% from the prior year. An estimated 55 billion e-mail spam were sent each day in June 2006, an increase of 25 billion per day from June 2005.
Spoofing can have serious consequences for legitimate e-mail users. Not only can their e-mail inboxes get clogged up with "undeliverable" e-mails in addition to volumes of spam, they can mistakenly be identified as a spammer. Not only may they receive irate e-mail from spam victims, but (if spam victims report the e-mail address owner to the ISP, for example) their ISP may terminate their service for spamming.
Legality
Sending spam violates the Acceptable Use Policy (AUP) of almost all Internet Service Providers. Providers vary in their willingness or ability to enforce their AUP; some actively enforce their terms, some lack adequate personnel or technical skills for enforcement, while others may be reluctant to enforce restrictive terms against otherwise profitable customers.
In the United States spam is legally permissible according to the CAN-SPAM Act of 2003, provided it follows certain criteria: a truthful subject line; no false information in the technical headers or sender address; "conspicuous" display of the postal address of the sender; and other minor requirements. If the spam fails to comply with any of these requirements, then it is illegal. Aggravated or accelerated penalties apply if the spammer harvested the email addresses using methods described earlier.
Article 13 of the European Union Directive on Privacy and Electronic Communications (2002/58/EC) provides that the EU member states shall take appropriate measures to ensure that unsolicited communications for the purposes of direct marketing are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.
In Australia, the relevant legislation is the Spam Act 2003 which covers some types of e-mail and phone spam.
Accessing privately owned computer resources without the owner's permission counts as illegal under computer crime statutes in most nations. Deliberate spreading of computer viruses is also illegal in the United States and elsewhere. Thus, some common behaviors of spammers are criminal regardless of the legality of spamming per se. Even before the advent of laws specifically banning or regulating spamming, spammers were successfully prosecuted under computer fraud and abuse laws for wrongfully using others' computers.
Legislative efforts to curb spam have been ineffective or counterproductive. For example, the CAN-SPAM Act of 2003 requires that each message include a means to "opt out" (i.e., decline future e-mail from the same source). It is widely believed that responding to opt-out requests is unwise, as this merely confirms to the spammer that they have reached an active e-mail account. If this is true, the CAN-SPAM Act's opt-out provisions are counterproductive in two ways: first, recipients who are aware of the potential risks of opting out will decline to do so; second, attempts to opt-out provide spammers with useful information on their targets. A 2002 study by the Center for Democracy and Technology found that about 16% of web sites tested with opt-out requests continued to spam. (Only 31 sites were sampled, and the testing was done before CAN-SPAM was enacted.)
Anti-spam techniques
The US Department of Energy Computer Incident Advisory Committee (CIAC) has provided specific countermeasures against electronic mail spamming.
Some popular methods for filtering and refusing spam include e-mail filtering based on the content of the e-mail, DNS-based blackhole lists (DNSBL), greylisting, spamtraps, enforcing technical requirements, checksumming systems to detect bulk email, and by putting some sort of cost on the sender via a Proof-of-work system or a micropayment. Each method has strengths and weaknesses and each is controversial due to its weaknesses.
Detecting spam based on the content of the e-mail, either by detecting keywords such as "viagra" or by statistical means, is very popular. Such methods can be very accurate when they are correctly tuned to the types of legitimate email that an individual gets, but they can also make mistakes such as detecting the keyword "cialis" in the word "specialist". The content also doesn't determine whether the email was either unsolicited or bulk, the two key features of spam. So, if a friend sends you a joke that mentions "viagra", content filters can easily mark it as being spam even though it is both solicited and not bulk.
The most popular DNSBLs are lists of IP addresses of known spammers, open relays, zombie spammers etc.
Spamtraps are often email addresses that were never valid or have been invalid for a long time that are used to collect spam. An effective spamtrap is not announced and is only found by dictionary attacks or by pulling addresses off hidden webpages. For a spamtrap to remain effective the address must never be given to anyone. Some black lists, such as spamcop, use spamtraps to catch spammers and blacklist them.
Enforcing technical requirements of the Simple Mail Transfer Protocol (SMTP) can be used to block mail coming from systems that are not compliant with the RFC standards. A lot of spammers use poorly written software or are unable to comply with the standards because they do not have legitimate control of the computer sending spam (zombie computer). So by setting restrictions on the mail transfer agent (MTA) a mail administrator can reduce spam significantly. In many situations, simply requiring a valid fully qualified domain name (FQDN) in the SMTP's EHLO (extended hello) statement is enough to block 25% of incoming spam. Some small organizations go so far as to remove their MX (Mail eXchange) record and arrange to have their A-record point to their SMTP server. RFC standards call for fall-back to a domain's A record when an MX lookup fails. While this method runs the risk of losing some legitimate e-mail from being received, some claim that it results in a 75% reduction in spam.