What is SPAM?
This article is intended to be a user introduction to spam – what it is, where it comes from, why it is so dangerous, and some ways in which it can be identified. With this knowledge we hope that users can better spot problems and avoid many of the issues associated with messages of this type. For information on how Jade Networks tries to protect against spam on our backend servers please see our article on Spam Countermeasures.
Defining SPAM
Spam, also known as Unsolicited Commercial Email (UCE), is commonly defined as commercial communication from organizations you have no relationship with. Some have mistakenly interpreted spam as being any unwanted email message that shows up for any reason. The latter can include email from friends or relatives you no longer want to communicate with, as well as organizations or mailing lists you have had a relationship with but lost interest in. From the Wikipedia Spamming article: While the most widely recognized form of spam is email spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social spam, spam mobile apps, television advertising and file sharing spam. This article is only concerned with email spam.
Jade Networks uses the more formal definition of email spam as UCE: commercial email from organizations you have not requested it from, or from those who refuse to stop communicating after being asked to do so. Email from organizations, mailing lists, or relationships you have had a previous relationship with (and have not asked to stop communicating) is NOT considered spam and is the responsibility of the message recipient to deal with. With that said, spam is a HUGE problem on the Internet. Many sales ads sent as spam are scams containing viruses, worms, trojan horses, phishing hooks or other malicious content designed to compromise your computer, your identity, or both.
Spamming continues to remain attractive to criminal organizations and some advertisers because the costs are very low to almost nothing. Holding senders accountable for their actions remains a problem due to the inability to properly identify the culprits, ineffective legal frameworks, and the difficulty of fighting this type of crime across international borders. The combination of well-informed email users and additional tools used by email service providers remains the best defense at this point in time.
How Big Of A Problem Is SPAM?
There have been several industry reports over the years that have tried to quantify the problem, with estimates ranging from about 80% to 95% of all Internet email traffic being spam. Some of the more recent reports suggest that the percentage has been slowly declining, most likely due to better email defenses being in place at the email service providers and corporations that run their own systems. Even with a slight decline in the percent of total traffic, the volume of junk mail clogging up mailboxes and Internet bandwidth continues to be a significant problem.
In addition to the added bandwidth costs, which get passed on to consumers, the costs of processing junk email, in terms of lost productivity and fraud, are borne by both users and service providers. In the year 2011 the costs associated with spam were estimated at USD 7,000,000,000,000 (seven trillion). This number is likely much larger today. Clearly this is not just a minor inconvenience but a huge cost to individuals, businesses, and society in general.
Much of the spam email received today is sent via “zombie networks”, or botnets. These are networks of malware-infected personal computers located around the globe. Many of these systems have backdoors installed to communicate with centralized command and control (CNC) centers which direct the criminal activity. Most malware infections are unknown to the owners of the infected machines, and the activities run in the background, mostly undetected. Botnets have been used for many different kinds of criminal activity: not just the propagation of spam, but also launching coordinated attacks (denial of service and other) on other networks or services, theft of data (from the PC and connected LANs), and industrial espionage. Protection from malicious email is considered by most to be one of the most important first lines of defense in any computer network.
Why Me?
Don’t take it personally – regardless of why the spammers send their junk, at the end of the day it’s basically a numbers game. Due to the extremely low costs (to the spammers) of spewing tons of rubbish around, it does not take much to make this profitable. If only 1 in 10,000 messages (an arbitrary number) results in a reply to an advertising message, the campaign can still be extremely profitable.
Spammers have many ways to get your email address. The most common way is harvesting this information off of web pages that include names and addresses. Other methods include the automated guessing of addresses (dictionary lookup of names @ your domain) as well as email lists which are distributed and sold on the Internet. Another common way is through malware that makes it onto a personal computer, reads the local address book, and returns the information to a central server. The malware then sends spam, masquerading as the victim, to the people the victim normally communicates with.
Types of SPAM
While the administrative and bandwidth costs associated with purely advertising spam are significant, the more dangerous types of spam involve messages with web links and/or attachments. Clicking on the wrong link can send you to a phishing site, silently download and install malware on your computer, or perform other nefarious activities. Attachments, if run, can do the same or worse. Most spam attempts to capitalize on human greed, often taking advantage of the victims’ inexperience with technology and with common frauds on the Internet to trick them (phishing). Multiple types of threats can also be combined into a single threat. Some of the more common problem types are outlined below, together with how to identify them and their risks.
Phishing
Phishing scams are fraudulent email messages appearing to originate from legitimate and trusted sources, such as your bank, ISP, or other organizations which you would normally do business with. They are social engineering tools designed to defraud and invoke panic in the recipient causing them to divulge private information (passwords, credit card details, or other personal information) that can later be used for identity and/or financial theft. They usually provide a link to a spoofed (fake) website which they control, but built to appear as the trusted source. Once the victim has fallen for the scam and has visited the website, they try to keep up the illusion that the victim is communicating with the trusted source while enticing them to provide personal and/or financial information.
Variations on this approach include asking the victim to call the trusted company right away to deal with the “problem” and provide a convenient number for them to use. Instead of being presented with a fake website, the victim reaches a fake call center where the criminals try to gain the trust of the caller and then get them to give up important personal and/or financial information.
Please note that very few legitimate companies or services will send messages asking you to click a link and provide personal or sensitive information. ALWAYS verify the entity you are communicating with before providing any information. If there is any question, contact the organization directly and ask. DO NOT use the contact information provided in the potential scam message; instead use contact information and phone numbers from a known trusted source.
Links (URLs) presented in phishing scams are often concealed from plain view. The actual URL that the victim is redirected to is made to look like a trusted source by using a domain name similar to the real source’s, in the hope that the victim will not investigate too closely. If using a modern browser on a personal computer you can hover your mouse over a link to display the actual URL that you will be sent to. If using iOS, tap and hold your finger over a link to display the real URL. If this does not directly point to the site you expect (your bank, ISP, etc.), then it is most likely a scam and you should not click on anything. Please note that there are ways to circumvent this type of checking using JavaScript in the email message, so the display of a legitimate-looking URL is not a guarantee that this is where you will be sent. The only real way to be sure is to look at the actual HTML in the message. Unfortunately not all users have the technical background to do this. Increasingly, mail systems check for this type of scam when pre-processing messages as they are received, and some of this can be detected and removed by the mail service provider.
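The check described above (compare the link text the reader sees with the host the href actually points to) can be done mechanically over the message HTML. The following is an added example, not code from Jade Networks or from any mail system; it uses only the Python standard library, and the message body, host names and addresses in it are constructed for illustration (the `example.net` / `examplebank.com` names are placeholders). It flags anchors whose visible text names one domain while the href goes somewhere else, which is the pattern the paragraph warns about; text such as “click here” is skipped because there is nothing to compare it with.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, visible text)
        self._href = None    # href of the <a> currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(url):
    """Host part of a URL, or '' when the URL cannot be parsed."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def registrable_domain(host):
    """Crude approximation: the last two DNS labels (does not handle example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Return the host named by the link text if the text looks like a URL or a
    bare domain (e.g. 'https://www.examplebank.com/login'); None for ordinary words."""
    candidate = text.strip()
    if not candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = _hostname(candidate)
    if "." not in host or " " in host:
        return None
    return host


def suspicious_links(html):
    """Return the links whose visible text names a different domain than the
    one the href actually points to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = _hostname(href)
        shown = host_of(text)
        if shown is None:
            continue  # nothing in the text to compare against
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample of a phishing-style message body (not a real message).
SAMPLE_HTML = """
<p>Your account needs verification. Visit
<a href="http://secure-login.example.net/verify">https://www.examplebank.com/login</a>
within 24 hours, or read <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_HTML):
        print(f"shown as {f['shown']} but points to {f['actual']} ({f['href']})")
```

Because this looks at the href in the HTML rather than at what a mail client renders, it is not fooled by the JavaScript tricks mentioned above; it does not, however, judge whether a consistent-looking domain is the genuine one, so the advice to go to the organization through a known-good address still applies.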
Viruses, Worms and Trojan Horses
Viruses, worms and trojan horses are all different kinds of programs that can be attached to email messages. Some take the form of a normal-looking executable (a Windows .exe file, for instance) while others can be embedded into other file formats such as PDF, Word (doc, docx), Excel (xls) and other standard formats. Once run by the user they install themselves and usually sit in the background trying not to be noticed. At some future time they will become active and perform the malicious functions which they were designed to do. Malware creators often steal the user’s address book and use the computer to launch spam campaigns. Another common first action is joining the newly infected computer to a botnet controlled by the malware authors. From this point the remote CNC can take over, directing the zombie computer to perform almost any other kind of action, including theft of additional data, attacks and spying on a local or corporate network, and coordinated denial of service attacks on other networks.
The different types of programs differ in how they operate, get installed, and propagate once installed on the local computer. Viruses tend to attach themselves to other trusted programs on the host computer and replicate through file sharing. Worms don’t need to be installed in the file system, and use the network to replicate. Trojan horses masquerade as software that is desired and useful and depend on the user deliberately installing them. The differences are small and more technically focused than their effects. Collectively these are known as malware, and their potential damaging effects on computers and networks are very similar.
Blended Threats
Blended threats are simply attacks that use more than one of the above approaches in tandem. A phishing scam might take you to a site where worms get downloaded and installed. Some malware may have multiple ways to propagate rather than relying on just one.
Why Am I Getting SPAM From Myself?
Few things are as frustrating as getting spam messages purporting to be from yourself. Similar frustrations occur when it comes to your attention that others are getting spam claiming to be from you and your email address. There are three common ways this can happen: spammers masquerading as you and forging your address, a malware-infected computer used for email, or compromised accounts, typically with web mail providers.
Masquerading and Forged Addresses
The SMTP (Simple Mail Transfer Protocol) used to send mail messages between machines makes it very simple to forge sender addresses and masquerade as other senders. This problem was addressed with the introduction of the Sender Policy Framework (SPF), which gives mail transfer agents a way to verify that an originating mail system has the authority to send messages for a given domain. Older systems or providers who have not implemented SPF are still at risk from this type of abuse. Jade Networks by default configures all internal and customer accounts with SPF support to help protect accounts.
To determine if the spam sent in your name has been the result of a forged or masqueraded sender you will need to check the message headers. If you don’t understand these, please let your provider assist in their interpretation. Forged messages will typically originate from REMOTE systems and pass through the Internet with no complaints. They will NOT typically originate on your provider’s network or from a PC or computer you control. If this is the case, contact your provider and ask that they check the SPF configuration for your domain and install it if not already done. This involves the addition or modification of records in the Domain Name System (DNS).
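To make the DNS side of SPF concrete, here is an added example (not Jade Networks’ configuration, and not the code of any real mail transfer agent) that evaluates a simplified SPF policy offline. The TXT record shown uses real SPF syntax (`v=spf1`, `mx`, `ip4:`, `include:`, `-all`), but the DNS table it reads from is a constructed dictionary standing in for real lookups, and all domain names and IP addresses are documentation placeholders. The evaluator handles only the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms with their qualifiers; real SPF has more (macros, `exists`, `redirect`, CIDR suffixes on `a`/`mx`) and enforces a DNS lookup limit, so this is a teaching model of how a receiving server decides whether a sending IP is authorized for a domain.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> records. Not a real lookup.
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.10"]},
    "_spf.mailhost.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ~all"},
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _records(domain, rtype):
    return FAKE_DNS.get(domain, {}).get(rtype, [])


def _ip_matches_hosts(ip, domain):
    """True if ip equals one of the A records of domain (constructed table)."""
    return any(ip == ipaddress.ip_address(a) for a in _records(domain, "A"))


def check_spf(sender_ip, domain, depth=0):
    """Evaluate a simplified SPF policy for sender_ip claiming to send as domain.

    Returns one of pass / fail / softfail / neutral / none / permerror, using the
    same result names SPF uses. Mechanisms are tried left to right and the first
    match decides, exactly like the real algorithm; the set of mechanisms is a subset.
    """
    if depth > 10:
        return "permerror"  # include loop guard (real SPF limits DNS lookups too)
    record = FAKE_DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # 'in' is False when the address and network families differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _ip_matches_hosts(ip, arg or domain)
        elif name == "mx":
            matched = any(_ip_matches_hosts(ip, mx) for mx in _records(arg or domain, "MX"))
        elif name == "include":
            # include matches only if the included domain's policy yields pass
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for ip in ("198.51.100.10", "192.0.2.77", "203.0.113.5", "10.0.0.1"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The point of the `-all` at the end of the record is that any host not listed earlier gets a hard fail, which is what lets a receiving server reject mail that merely claims to come from your domain; a record ending in `~all` only marks such mail as suspicious (softfail) and leaves the decision to the receiver.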
Infected PCs
Malware-infected PCs often result in the email address book becoming compromised (stolen). This, combined with malicious programs on your computer that can send email in the background, can result in messages being sent directly from your own computer or device as you. To determine if spam has originated on one of your devices you will again need to check the message headers. In this case there should be trace information that identifies one of your computers or devices as the source of the original message.
See the sections above for recommendations on how to spot potential malware as it arrives on your system, so that it never gets installed in the first place. If malware manages to get through and installed despite your best efforts, the first step is to run any anti-virus or anti-malware software you may have installed or at your disposal. Often this type of malware can be detected and corrected without having to take further action. If you don’t have access to dedicated anti-virus / anti-malware software, there are several online providers who have solutions that can be run from a web browser. HouseCall from Trend Micro is one of several online solutions available. Scanning your system with more than one solution (especially the online ones) is advisable as they don’t all catch the same threats. If the problem persists after scanning your system, reinstalling your system may be required.
Compromised Accounts
Hijacking, or the theft of access to a real account, is also common. This can happen when user account credentials (login name and password) are stolen. Common causes include neglect through the sharing of passwords, writing them down in places where they can be found, or someone looking over your shoulder while you type. It can also happen when users select weak passwords that can easily be guessed or found through password cracking programs. Once credentials for a web mail account are discovered, the spammer goes in and sends their rubbish through your legitimate account as you. To determine if this has happened, again study the message headers of a spam message that got out and that you have access to. There should be trace information in the headers that points back to the original account (your webmail account, for instance) and the IP address the message was submitted from.
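The three sections above (Masquerading and Forged Addresses, Infected PCs, and Compromised Accounts) all come down to the same question: where did the message first enter the mail system? The following is an added example, not Jade Networks’ tooling, that answers it from the `Received:` headers. The two messages are constructed, all host names and addresses are documentation placeholders, the list of “own” networks is a hypothetical provider range, and the `X-Originating-IP` header is one that some webmail providers add to record the submitting client; providers that do not add it will simply show `None` for that field. Only the top-most `Received:` line, written by your own receiving server, is guaranteed genuine; earlier ones can be forged, which is why the header chain is read together with the provider’s knowledge of its own servers.

```python
import email
import ipaddress
import re

# Constructed examples (not real messages). Each receiving server prepends its
# own Received header, so the headers read newest-first; the bottom-most hop is
# where the message originated.
FORGED_SAMPLE = """Received: from mx.example.com (mx.example.com [192.0.2.10])
 by mailstore.example.com with ESMTP id A1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.badhost.example (relay.badhost.example [203.0.113.7])
 by mx.example.com with ESMTP id B2; Mon, 1 Jan 2024 10:00:01 +0000
From: "You" <you@example.com>
To: you@example.com
Subject: Great offer

Forged sender, injected from outside.
"""

COMPROMISED_SAMPLE = """Received: from mx.example.com (mx.example.com [192.0.2.10])
 by mailstore.example.com with ESMTP id C3; Mon, 1 Jan 2024 11:00:02 +0000
Received: from webmail.example.com (webmail.example.com [192.0.2.55])
 by mx.example.com with ESMTP id D4; Mon, 1 Jan 2024 11:00:01 +0000
X-Originating-IP: [203.0.113.99]
From: "You" <you@example.com>
To: friend@example.org
Subject: Great offer

Sent through the victim's own webmail account.
"""

# Networks the (hypothetical) provider operates; constructed for this example.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Pulls "from <host> ... [<ipv4>]" out of one Received header. Real headers vary
# a great deal and IPv6 literals are not handled here.
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def parse_hops(raw):
    """Return the relay chain oldest-first as a list of {'host', 'ip'} dicts."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append({"host": m.group(1), "ip": m.group(2)})
    return hops


def assess_origin(raw, own_networks=OWN_NETWORKS):
    """Classify where a message entered the mail system.

    'remote'      : first hop is outside own networks; the sender address was
                    forged by a third party (the SPF case above)
    'own-network' : first hop is one of the provider's own servers; look at the
                    account and the submission IP (infected device or hijacked
                    account)
    """
    hops = parse_hops(raw)
    if not hops:
        return {"origin": "unknown", "hops": hops, "submitted_from": None}
    first_ip = ipaddress.ip_address(hops[0]["ip"])
    inside = any(first_ip in net for net in own_networks)
    submitted = email.message_from_string(raw).get("X-Originating-IP")
    return {
        "origin": "own-network" if inside else "remote",
        "hops": hops,
        "submitted_from": submitted.strip("[] ") if submitted else None,
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_SAMPLE), ("compromised", COMPROMISED_SAMPLE)):
        result = assess_origin(raw)
        path = " -> ".join(f"{h['host']} [{h['ip']}]" for h in result["hops"])
        print(f"{label}: origin={result['origin']} submitted_from={result['submitted_from']}")
        print(f"  path: {path}")
```

In the first message the chain starts at a relay outside the provider’s range, so the `From:` line is simply forged and an SPF record for the domain would let receivers reject it. In the second the chain starts at the provider’s own webmail server, so the message really was sent as the account holder; the recorded submission address is what the account owner and provider would then compare against the owner’s usual locations before concluding the account (or a device logged into it) has been taken over.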
To protect against this type of abuse, be sure to properly manage and protect all of your account details, especially passwords. Avoid using public computers if you can, as they may have key loggers installed to record this information. Don’t write passwords down anywhere they are easy to find and interpret. If you have to write them down, do not write the login information and the password down in the same place. Finally, and this is critical, be sure to use strong passwords. Don’t choose passwords that are easy to guess or crack. Change your passwords on a regular basis and try not to use the same password for all the accounts you have. Should one of your accounts be compromised, be sure to change ALL passwords for accounts you manage and use the strongest passwords you can remember.
Legality of SPAM
Most ISPs and Mail Service Providers have acceptable use policies in place that prohibit sending spam. Not all providers, however, have either the desire or the ability to enforce these policies. If they were able to better control email being sent via their networks, it would go a long way towards reducing this massive problem.
In terms of the legality of spam – this really depends upon the jurisdiction in which the abuse took place. In the United States, the CAN-SPAM Act of 2003 made a very weak attempt at addressing this. It seemed to be more concerned about pornography getting into the wrong hands than about actually combating the spam problem. It can be argued that this law actually made matters worse in many ways. The CAN-SPAM act simply tried to redefine spam (UCE) in a way that legitimizes it. Their misguided attempt to redefine the term states that spam is any message that meets ALL of the following criteria: (1) the address and identity of the sender are concealed AND (2) is not sent to a “large” number of people at once AND (3) is unsolicited. By this definition, as long as messages are properly labeled (legitimate sender address), all is OK. As the old saying goes, “You can clean up a pig, put a ribbon on its tail, spray it with perfume, but it is still a pig.” The same goes for SPAM/UCE – no matter what rationalizations one uses, if the messages are unsolicited commercial or criminal content, they are SPAM and will be treated as such by users and mail service providers. CAN-SPAM simply reduced the legal consequences for the spammers as long as they comply with minor labeling requirements.
Some other jurisdictions, such as Canada, Australia and the European Union (EU) have adopted laws that forbid the sending of SPAM/UCE in a manner consistent with the Jade Networks interpretation. Many parts of the world still have no laws on the books yet in any form dealing with this problem.
What Can I Do?
Be aware of the different types of spam attacks described above and be suspicious of any message that is out of the ordinary or not expected. In addition, passwords for all accounts should be updated on a regular basis, using strong passwords. Do NOT share passwords; keep them private. Companies who maintain email accounts for employees need to make sure these accounts are either terminated or disabled when an employee leaves the organization. Dormant accounts which remain active, with account information in the hands of people who no longer have an active interest in the well-being of the organization, are at best a huge security concern.
When messages come in that look too good to be true – chances are that they are fraudulent and need to be dealt with very carefully. Don’t believe everything you read, and look for the fine print. URLs should be carefully examined – often the criminals will use URLs that appear similar to a legitimate URL, hoping you will not notice and will go to their site instead. The same goes for attached files – only open attachments from trusted sources – and then make sure that the message actually came from who you think it came from.
Do NOT Reply to SPAM
By replying to spam you verify to the spammer that your account is real and has a person on the other end. This will subject your account to even more spam and have your now-verified address circulated to other spammers and marketing lists. If the spam message includes a link to opt out of future mailings, DO NOT follow this link. More often than not this is just another way for the spammers to verify your address as being real. They are not usually real opt-out links and serve the same purpose to the spammer as replying directly to them.
End User Education
By far the most effective tool in the war against spam is better end user education in this area. The more aware email users are of the threats and dangers associated with links and the running of attachments, the fewer of them will fall victim. This document is one attempt to provide information to non-technical users so that they may better protect themselves and the companies they work for. Companies should consider regular training sessions where these issues are taught and explained. For companies or individuals who are more technical, more in-depth knowledge of how email message headers are built, along with basic HTML knowledge, can be beneficial.
This document covers many of the issues associated with spam, but does not claim to cover everything. As we write this, malware designers continue to come up with new ways to attack networks and steal information and money. It is an ongoing battle with no end in sight. Email service providers and the ISPs are making progress, and as more users better understand the abuses, fewer will fall victim.
If after reading this you still have questions please let us know. We’ll be happy to answer whatever questions we can and we plan to update this document from time to time as new information becomes available or to better clarify specific points.