Jan 11, 2016
What is Spam
• Probably, it’s “unsolicited and unwanted commercial email sent in bulk”.
Sometimes It’s Not Spam
• You did sign up for it.
• You accidentally signed up for it.
• You still don’t want it.
How Is It Delivered?
• Anyone can fake email.
• 80% of all spam came from bot-nets
– We helped
• Open relays are mostly gone.
• You can hire this done for you (see Google).
How Much Spam Is There?
• In absolute numbers
• 1978 - An e-mail spam is sent to 600 addresses.
• 1994 - First large-scale spam sent to 6000 bulletin boards, reaching millions of people.
• 2005 - (June) 30 billion per day
• 2006 - (June) 55 billion per day
How Much Spam Is There #2
• As a percentage of the total volume of e-mail
• MAAWG estimates that 80-85% of incoming mail is "abusive email", as of the last quarter of 2005. The sample size for the MAAWG's study was over 100 million mailboxes.
• More is coming!!!
Why They Spam
• Money
• Political causes.
• Money
• It’s fun
• Money
• Money
Sell You Something
• It’s just mass electronic marketing
• They give you a web site, you click over and buy the product.
• Email might even be targeted.
• weight loss.html
Does Selling By Email Work?
• Kodak settled a CAN-SPAM suit with the FTC. Its Ofoto unit sent two million commercial messages that didn't comply with the CAN-SPAM Act: they didn't include a notice that the message was an ad, opt-out info, or Kodak's postal address. Kodak paid the FTC $26,000, the revenue it got from the mailing.
Pure Fraud
“There is a sucker born every minute.”
• Send email to lots of people.
• Wait for sucker to respond.
• Convince them to give you money.
• Nigerian bank fraud
Identity Theft
• Send an email message.
• Direct them with a bad URL.
• Capture their info.
• Reject login and send them to the right site.
• Microsoft says to manually check every link.
Identity Theft #2
• An Example
• Who Did It.
Stock Manipulation
• Pick a small cap stock
• Buy some.
• Send spam telling people about the stock.
• Sell when price rises.
• stock-spam.txt
• spam-stock.jpg
• New York Times
Yes, Spam Works
• 5% response rate from sexual material.
• 0.02% response rate for drugs.
• 0.0075% response rate for Rolex Watches.
Avoiding Spam
• Don’t let them get your email address.
– Don’t use AOL, etc.
– Don’t put your address on a web page.
– Don’t use mailing lists.
• Throw-away email addresses.
– Mailinator, spamgourmet, sneakermail
• Annoying … but possible.
List Removal
• For a reputable company, you can always click “remove me from the list”.
• A disreputable company will merely take that to be confirmation you’re reading the email.
• It’s a calculated gamble.
Auto Detecting Spam
• Blacklist
• Whitelist
• Bayesian Analysis
• Other Analysis
• These are all things your email server does for you.
Blacklist
• A list of web sites from which you don’t take mail.
• Automatically interfaced to your email server.
• Spamhaus Block List
– Zealots
– Many choices.
Defeating Blacklists
• The spammers can switch ISPs.
• The spammers can use a botnet.
Whitelist
• There is no global whitelist; you make your own.
• Your own contact group is a good start.
• Add your institution.
• Add people to whom you have sent mail.
• Semiautomatic at best.
Bayesian Analysis
• Make two piles of mail: spam and ham.
• Find words or phrases that can be used to identify mail.
• Check all incoming mail for those phrases.
• Normally you get a starter database that can be customized.
Example Bayesian Analysis
• My friends don’t email me about Viagra.
• They do email me about Linux.
• The phrase “stupid freshmen” appears in email to me.
• The phrase “hot freshman” does not.
• Result is a score.
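The two-pile recipe above, carried through as a small word-level naive Bayes scorer. This is an added example, not code from the lecture; the ham and spam training messages are constructed to match the slide (friends write about Linux and "stupid freshmen", spammers about Viagra and "hot freshman"), and the score is the log-odds of spam over ham with add-one smoothing so unseen words do not break the sum.

```python
"""Word-level naive Bayes spam scoring: two piles, per-word likelihoods, a score."""
import math
import re
from collections import Counter

# Constructed training piles (hypothetical messages standing in for a real mailbox).
HAM = [
    "the linux kernel patch is ready for review",
    "those stupid freshmen broke the lab printer again",
    "lunch tomorrow after the linux meeting",
]
SPAM = [
    "cheap viagra online no prescription",
    "hot freshman photos click here now",
    "buy viagra cheap cheap cheap",
]


def tokens(text):
    """Lower-case word tokens; punctuation is dropped."""
    return re.findall(r"[a-z']+", text.lower())


def train(ham, spam):
    """Count how often each word appears in each pile; remember vocabulary size."""
    ham_counts = Counter(w for m in ham for w in tokens(m))
    spam_counts = Counter(w for m in spam for w in tokens(m))
    vocab = len(set(ham_counts) | set(spam_counts))
    return {"ham": ham_counts, "spam": spam_counts, "vocab": vocab}


def score(model, text):
    """Sum over words of log P(w|spam) / P(w|ham); positive means spam-like.

    Add-one (Laplace) smoothing keeps a never-seen word from producing log(0),
    so words absent from both piles contribute only a small amount.
    """
    ham_total = sum(model["ham"].values())
    spam_total = sum(model["spam"].values())
    v = model["vocab"]
    total = 0.0
    for w in tokens(text):
        p_spam = (model["spam"][w] + 1) / (spam_total + v)
        p_ham = (model["ham"][w] + 1) / (ham_total + v)
        total += math.log(p_spam / p_ham)
    return total


def is_spam(model, text, threshold=0.0):
    """Classify by comparing the score against a threshold (0 = even odds)."""
    return score(model, text) > threshold
```

Real filters (SpamAssassin, bogofilter) use the same idea with a much larger starter database and add phrase, header and URL features; the threshold is the knob that trades false positives for missed spam.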
Fighting Back
• Don’t.
• The nasty email goes to an innocent.
• Or it confirms you exist.
• Or it bounces back to you.
Using
• Gmail filters.
• Gmail allows pop downloads.
• You can even forward the mail to Gmail to keep your old account name.
Summary