Online Advertising

e-Mail spam

e-Mail spammers | Spam bait | Word salad | Spamvertising | DNSBL | The Abusive Hosts Blocking List | e-Mail authentication | Sender Policy Framework | Open mail relay | Boulder Pledge

View of a modern spam email, containing an advertising image.

E-mail spam is a subset of spam that involves sending nearly identical messages to thousands (or millions) of recipients. Perpetrators of such spam ("spammers") often harvest addresses of prospective recipients from Usenet postings or from web pages, obtain them from databases, or simply guess them by using common names and domains. By popular definition, spam occurs without the permission of the recipients.

Overview

An inbox filled with spam

As the recipient directly bears the cost of delivery, storage, and processing, one could regard spam as the electronic equivalent of "postage-due" junk mail. However, the Direct Marketing Association will point to the existence of "legitimate" e-mail marketing. Most commentators classify e-mail-based marketing campaigns where the recipient has "opted in" to receive the marketer's message as "legitimate".

Spammers frequently engage in deliberate fraud to send out their messages. Spammers often use false names, addresses, phone numbers, and other contact information to set up "disposable" accounts at various Internet service providers. They also often use falsified or stolen credit card numbers to pay for these accounts. This allows them to move quickly from one account to the next as the host ISPs discover and shut down each one.

Spammers frequently go to great lengths to conceal the origin of their messages. They do this by spoofing e-mail addresses (much easier than Internet protocol spoofing). The e-mail protocol (SMTP) has no authentication by default, so the spammer can easily make a message appear to originate from any e-mail address. To prevent this, some ISPs and domains require the use of SMTP-AUTH, allowing positive identification of the specific account from which an e-mail originates.

Spammers cannot completely spoof e-mail delivery chains (the 'Received' header), since the receiving mailserver records the actual connection from the last mailserver's IP address. To counter this, some spammers forge additional delivery headers to make it appear as if the e-mail had previously traversed many legitimate servers. But even when the fake headers are identified, tracing an e-mail message's route is usually fruitless. Many ISPs have thousands of customers, and identifying spammers is tedious and generally not considered worth the effort.

Spammers frequently seek out and make use of vulnerable third-party systems such as open mail relays and open proxy servers. The SMTP system, used to send e-mail across the Internet, forwards mail from one server to another; mail servers that ISPs run commonly require some form of authentication that the user is a customer of that ISP. Open relays, however, do not properly check who is using the mail server and pass all mail to the destination address, making it quite a bit harder to track down spammers.

Increasingly, spammers use networks of virus-infected Windows PCs (zombies) to send their spam. Zombie networks are also known as Botnets.

Spoofing can have serious consequences for legitimate e-mail users. Not only can their e-mail inboxes get clogged up with "undeliverable" e-mails in addition to volumes of spam, they can mistakenly be identified as a spammer. Not only may they receive irate e-mail from spam victims, but (if spam victims report the e-mail address owner to the ISP, for example) their ISP may terminate their service for spamming.

Legality

Sending spam violates the Acceptable Use Policy (AUP) of almost all Internet Service Providers, and can lead to the termination of the sender's account. Many jurisdictions, such as the United States of America, which regulates via the CAN-SPAM Act of 2003, regard spamming as a crime or as an actionable tort.

Article 13 of the European Union Directive on Privacy and Electronic Communications (2002/58/EC) provides that the EU member states shall take appropriate measures to ensure that unsolicited communications for the purposes of direct marketing are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.

Accessing privately owned computer resources without the owner's permission counts as illegal under computer crime statutes in most nations. Deliberate spreading of computer viruses is also illegal in the United States and elsewhere.

Thus, some of spammers' most common behaviors are criminal quite independently of the legal status of spamming per se. Even before the advent of laws specifically banning or regulating spamming, spammers have been successfully prosecuted under computer fraud and abuse laws for wrongfully using others' computers.

Avoiding spam

Typical spam

Computer users can avoid e-mail spam in several ways:

• End-users can use automated e-mail filtering on their own computers.
• System administrators can use appropriate tools to trap e-mail spam at the mail server level, either by use of software or special appliances.
• Spam can be reported to appropriate ISP so that the spamming can be stopped.
• By giving out one's ISP e-mail address only to closely trusted acquaintances, friends, and relatives, and using web based e-mail services for everyone else.
• By ensuring that those acquaintances, friends and relatives who have been trusted with one's e-mail address do not include the person who wants to avoid spam's e-mail address in the "To" or "CC" fields when sending several copies of an e-mail to ensure that, when such e-mails are forwarded, to avoid one's e-mail addresses from appearing in an ammassing list of e-mail addresses
• By creating a unique e-mail address for each person or site you wish to communicate with. This can be done using an online mail forwarding service, or with administrative access to your own e-mail server. If spam is received on one of these addresses, you immediately know who leaked or sold your address to spammers, and you can also cancel the affected e-mail address.
• End-users can take precautions to avoid needlessly publicising their e-mail addresses or protect them from e-mail harvesting by spam bots, such as by using e-mail forms that do not display the address in the webpage code, or by address munging.
• Using anti-virus and anti-spyware programs with regularly updated definitions to avoid having their computers hijacked and used as spammer tools.
• Users are also advised to configure their e-mail clients to disable rich content features such as HTML mail and automatic downloading of images. Downloaded images can be used by spammers to identify valid e-mail addresses.
• By periodically performing an internet search for one's own email address, and if necessary getting the appropriate website administrator to remove it.

Anti-spam programmers have released several tools