The Social and Economic Consequences of Spam. Katrina A. “Kat” Templeton November 24, 2003.
URGENT ASSISTANCE - FROM USA IMMEDIATE ATTENTION NEEDED: HIGHLY CONFIDENTIAL FROM: GEORGE WALKER BUSH 202.456.1414 / 202.456.1111 FAX: 202.456.2461 DEAR SIR / MADAM, I AM GEORGE WALKER BUSH, SON OF THE FORMER PRESIDENT OF THE UNITED STATES OF AMERICA GEORGE HERBERT WALKER BUSH, AND CURRENTLY SERVING AS PRESIDENT OF THE UNITED STATES OF AMERICA. THIS LETTER MIGHT SURPRISE YOU BECAUSE WE HAVE NOT MET NEITHER IN PERSON NOR BY CORRESPONDENCE. I CAME TO KNOW OF YOU IN MY SEARCH FOR A RELIABLE AND REPUTABLE PERSON TO HANDLE A VERY CONFIDENTIAL BUSINESS TRANSACTION, WHICH INVOLVES THE TRANSFER OF A HUGE SUM OF MONEY TO AN ACCOUNT REQUIRING MAXIMUM CONFIDENCE… (from: http://philip.greenspun.com/humor/bush-nigerian-spam)
Overview • History of Spam • What is Spam? • Current State of Spam • Problems • Solutions • Politics • The Future
History • The first spam recorded was sent May 1st, 1978, when somebody from DEC spammed the entire western contingent of ARPAnet • One of the first defenders of the spammer? A guy named Richard Stallman • Spam that made “spam” a term among net users? Infamous Canter and Siegel Usenet spam.
What is Spam? • Spam should probably be known by the term Unsolicited Commercial/Bulk Email (UCE/UBE) • Hormel on spam: http://www.spam.com/ci/ci_in.htm • The name “spam” comes from a Monty Python skit, by way of Multi-User Dungeons (MUDs) • There is a lot of softness about what exactly comprises spam. • It is estimated that half of all email traffic on the Internet is spam.
What is Spam? • Basic definition is easy • 92% of emailers agree that spam is “unsolicited commercial email from a sender they do not know or cannot identify.” • Content matters • 92% of users agree that UCE containing adult content is spam. • They are less able to agree on other content. Statistics courtesy Pew Internet & American Life Project, October 2003
Spam Content Table courtesy Pew Internet Survey, June 2003. Error Margin of 4.2%
Why is spam profitable? • Very low overhead costs. • Postal Service: the cost of sending bulk mail is pretty expensive. • Telemarketing: the cost of long distance and the cost to pay people to man the phones. • Bulk Email: Little cost. All you need is an ISP and a list of addresses. • Spammers claim to need only a 0.001% positive response to break even. • 33% of emailers have clicked on a link to find further information; 7% of emailers have actually ordered a product or service from spam. Statistics courtesy Pew Internet & American Life Project, October 2003
Identifying Spam
Simple headers:

Date: Sun, 23 Nov 2003 21:55:38 -0600 (CST)
From: Microsoft Corporation Security Department <kuvncnp-uucfbu@qokhwfvl.ms.com>
To: Client <client-lolrducqp@qokhwfvl.ms.com>
Subject: Last Internet Critical Upgrade

Date: Sat, 08 Nov 2003 04:43:33 -0100
From: Celia Hamlin <djq34e@worldnet.att.net>
To: katster@csua.berkeley.edu
Subject: hey
Long Headers

Received: from adsl-64-168-215-197.dsl.lsan03.pacbell.net (adsl-64-168-215-197.dsl.lsan03.pacbell.net [64.168.215.197])
    by soda.csua.berkeley.edu (8.12.9/8.12.6) with SMTP id hA7NfGXs026341
    for <katster@csua.berkeley.edu>; Fri, 7 Nov 2003 15:41:23 -0800 (PST)
    (envelope-from djq34e@worldnet.att.net)
Received: from [72.58.224.216] by adsl-64-168-215-197.dsl.lsan03.pacbell.net with ESMTP id 10974427; Sat, 08 Nov 2003 04:43:33 -0100
Message-ID: <j7xm39$$4xl74$3d@7kx.v4.tew>
From: "Celia Hamlin" <djq34e@worldnet.att.net>
Reply-To: "Celia Hamlin" <djq34e@worldnet.att.net>
To: katster@csua.berkeley.edu
Subject: hey
Date: Sat, 08 Nov 2003 04:43:33 -0100
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Confusion over Headers • The FTC found that 66% of spam forwarded to it was false in either the sender line, the subject line, or the message text. • Confusion reigns. 63% of emailers say “they know spam when they see it”, but 9% have to open the email to see if it’s spam • MessageLabs, a company that produces spam filtering software, estimates that 70% of spam is sent via hijacked computers. Statistics courtesy Pew Internet & American Life Project, October 2003
Current State of Spam • Many people find spam annoying, but not a big problem • However, people feel that pornographic spam is a big problem • Possible solutions to the spam problem include technical methods, litigation, and legislative matters • Some people have been driven to vigilantism
Percentage of Email That is Spam Received on a Typical Day Statistics courtesy Pew Internet & American Life Project, October 2003
Time Users Spent on Spam on a Typical Day Statistics courtesy Pew Internet & American Life Project, October 2003
Annoyance? • 59% of emailers think spam is “annoying, but not a big problem” • 27% think spam is a “big problem” for them; 14% think it is “no problem at all” • 70% of emailers believe that spam has made being online “unpleasant or annoying” • Spam is viewed as much more intrusive than public cell phone use, door-to-door solicitations, and junk mail. It compares with telemarketing and pop-up ads. Statistics courtesy Pew Internet & American Life Project, October 2003
Why is spam annoying? • When asked to prioritize the reasons spam bothers them, 23% of emailers said that it was the offensive or obscene content of spam that bothered them the most. • Other reasons spam was found annoying were the unsolicited nature, the dishonest content, the possibility of damage to the computer, the volume, the fact that they can’t stop it, the compromise to privacy, and the time it takes to deal with it. Statistics courtesy Pew Internet & American Life Project, October 2003
Technical Solutions • The Blacklist • Has had some effect on getting ISPs to close down open relays • However, it is sometimes difficult to comply with blacklist standards, and blacklists are open to denial of service attacks. • Challenge/Response • Relies on the fact that spammers aren’t going to send a response to a challenge. • Legitimate emails are sometimes lost in the protocol, and mailing list owners find huge headaches with people using C/R systems.
Technical Solutions • Most common is the filter (programs such as SpamAssassin and MailWasher) • Works on the principle that there are things that are common to spam that are not common to legit emails. • There are known problems with false-negatives (allowing spam to get through) and false-positives (filtering wanted emails)
SpamAssassin content analysis

Content analysis details: (7.30 points, 5 required)
ALL_NATURAL (1.2 points) BODY: Spam is 100% natural?!
HTML_80_90 (0.5 points) BODY: Message is 80% to 90% HTML
HTML_MESSAGE (0.1 points) BODY: HTML included in message
HTML_FONT_BIG (0.3 points) BODY: FONT Size +2 and up or 3 and up
USERPASS (1.5 points) URI: URL contains username and (optional) password
HTTP_USERNAME_USED (0.7 points) URI: Uses a username in a URL
DATE_IN_FUTURE_12_24 (2.8 points) Date: is 12 to 24 hours after Received: date
CLICK_BELOW (0.1 points) Asks you to click below
MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts

Full rules for SpamAssassin can be found at: http://eu.spamassassin.org/tests.html
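The header checks and point scoring from the slides above, as an added example (not from the original presentation and not SpamAssassin's code): it scores the "Long Headers" message on header evidence alone. Apart from DATE_IN_FUTURE_12_24 and the threshold of 5, the rule names and point values are assumptions, as is the sendmail-style `from HELO (name [ip])` layout of the top Received line and the presence of a Date header.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Headers from the "Long Headers" slide, trimmed to the fields used below.
SAMPLE = """\
Received: from adsl-64-168-215-197.dsl.lsan03.pacbell.net
 (adsl-64-168-215-197.dsl.lsan03.pacbell.net [64.168.215.197])
 by soda.csua.berkeley.edu (8.12.9/8.12.6) with SMTP id hA7NfGXs026341
 for <katster@csua.berkeley.edu>; Fri, 7 Nov 2003 15:41:23 -0800 (PST)
 (envelope-from djq34e@worldnet.att.net)
Received: from [72.58.224.216] by adsl-64-168-215-197.dsl.lsan03.pacbell.net
 with ESMTP id 10974427; Sat, 08 Nov 2003 04:43:33 -0100
From: "Celia Hamlin" <djq34e@worldnet.att.net>
To: katster@csua.berkeley.edu
Subject: hey
Date: Sat, 08 Nov 2003 04:43:33 -0100

"""
THRESHOLD = 5.0  # "5 required", as in the report on the slide

def base_domain(host):
    # Crude: last two labels. Real code would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score(raw):
    """Return (points, rule_names) using header evidence only."""
    msg = message_from_string(raw)
    # Only the topmost Received line was written by our own server; take the
    # reverse-DNS name it recorded in "(name [ip])", not the sender's HELO.
    top = " ".join(msg.get_all("Received")[0].split())
    m = re.search(r"\((\S+) \[[\d.]+\]\)", top)
    relay = m.group(1) if m else ""
    received_at = parsedate_to_datetime(top.rsplit(";", 1)[1])
    ahead_h = (parsedate_to_datetime(msg["Date"]) - received_at).total_seconds() / 3600
    from_dom = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    hits = []
    if 12 <= ahead_h < 24:
        hits.append(("DATE_IN_FUTURE_12_24", 2.8))    # name and points from the slide
    elif 6 <= ahead_h < 12:
        hits.append(("DATE_AHEAD_06_12", 1.5))        # hypothetical rule
    if re.search(r"(^|[-.])(adsl|dsl|dial|ppp|cable)[-.\d]", relay, re.I):
        hits.append(("RELAY_IS_CONSUMER_LINE", 3.0))  # hypothetical rule
    if from_dom != base_domain(relay):
        hits.append(("FROM_DOMAIN_NOT_RELAY", 1.0))   # hypothetical rule
    return round(sum(p for _, p in hits), 1), [n for n, _ in hits]

def is_spam(raw):
    return score(raw)[0] >= THRESHOLD
```

FROM_DOMAIN_NOT_RELAY also fires on legitimate mail sent through a third-party relay, which is the false-positive problem noted on the filter slide; it carries a low weight so that it cannot reach the threshold on its own.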
Mutual Assured Destruction “At the moment, the war on spam seems to be in a phase similar to mutual assured destruction, with e-mail users and legitimate companies caught in the cross-fire. Internet providers are creating ever tougher spam filters. The hard-core spammers are trying to break through the filters with an ever-expanding number of messages, each with more unusual spelling and phrasing, turning offers for V1@g.ra and Home Loan$ for Le$$ into puzzles as much as sales pitches.” “Marketers Adjust as Spam Clogs the Arteries of E-Commerce” New York Times, December 1st, 2003
Litigation • Microsoft has currently sued spammers for spamming the emails of its MSN clients or using msn.com and hotmail.com as their domain names • Many other ISPs have filed suit as well. • The problem with litigation is that the laws are uneven across jurisdictions, and it is often hard to find the spammer.
Legislation • California and Washington led the nation in passing spam statutes back in 1998 (both of these, however, rely on opt-out). • 36 states now have some form of anti-spam laws on the books. • More recently, California passed a spam statute with teeth, which includes criminal penalties for the most egregious spammers (September 23, 2003). It also notes that spam must be opt-in as opposed to opt-out.
Legislation • On November 21st, the House of Representatives passed a spam bill. However… • The House version is much like California’s first anti-spam bill, in that it is opt-out. Worse, the House version pre-empts the new California law. • The Senate has passed a similar bill recently, the big difference being a “do-not-spam” list, which the FTC does not want to implement. • It is likely that this legislation will be signed by President Bush. • It is doubtful any of this will matter as spammers move offshore.
Vigilantism • Spammer Alan Ralsky made the mistake of admitting where he bought his new house to a newspaper reporter. Now he gets several tons of snail mail every day. • People are finding it fun to tweak the noses of Nigerian scammers. • Several people are finding themselves in untenable positions after being victims of a ‘joe job’.
The Future “David W. Kenny, the chief executive of Digitas, a Boston-based direct marketing agency that represents big marketers like American Express and AT&T, said most of his clients had stopped using e-mail to find new customers. “‘A lot of e-mail gets lost in the spam,’ he said. What is not lost sits in an in-box among offers for illegal cable descramblers and Nigerian money transfer scams. ‘That's not good for a brand,’ he said.” “Marketers Adjust as Spam Clogs the Arteries of E-Commerce” New York Times, December 1st, 2003
The Future? • Spam is fast killing the ‘Internet’s first killer app’ • Legislation that many have pinned hopes on looks as if it will be watered down. • The Internet works on trust. If that trust is broken, then the system will not function. • We will probably have to move to an authenticated system, which denies privacy and anonymous emails.