Economics :: Cost of Spam
"In a 2002 survey on the commercial use of e-mail, it was estimated that the cost to send a single e-mail averages USD 0.05 with a low value of USD 0.01. Other research has suggested that it costs 0.00032 cents to obtain one e-mail address.... With low costs, low response rates will show a profit through spam nonetheless. According to a survey conducted by Mailshell in March of 2003, more than 8% of the 1 118 respondents admitted that they have actually purchased a product promoted via spam. A study by the Wall Street Journal in 2002 showed that a return rate as low as 0.001% can be profitable when using e-mail. In one case cited, a mailing of 3.5 million messages resulted in 81 sales in the first week, a rate of 0.0023%. Each sale was worth USD 19 to the marketing company, resulting in USD 1 500 in the first week. The cost to send the messages was minimal, probably less than USD 100 per million messages. The study estimated that by the time the marketing company had reached all of the 100 million addresses it had on file, it would probably have pocketed more than USD 25 000 on the project." OECD Background Paper For the OECD Workshop on SPAM DSTI/ICCP(2003)10/FINAL page 9 Jan 22, 2004
Cost of Hoaxes and Spam
While these hoaxes may appear benign, they carry a considerable and measurable cost, one that network operators know first hand. Transmitting a single email through a network is essentially free: the bits pass through the communications pipe barely noticed. Transmitting a million emails through that pipe, however, shows up in the budget. Network operators facing an onslaught of email have two choices. They can let the flood overwhelm their pipes, dropping packets here and there, good packets along with the bad, which amounts to a denial of service attack on their own network and loses them customers annoyed that their emails have vaporized. Or they can spend a lot of money overbuilding their networks in anticipation of peak load, passing the cost of that excess capacity on to the consumer.
Hoaxbusters [Hoaxbusters, Information About Hoaxes] has a very interesting analysis of the cost of hoax emails. If everyone on the Internet were to receive one hoax message and spend one minute reading and discarding it, the cost would be something like:
50,000,000 people * 1/60 hour * $50/hour = $41.7 million
Think of it another way. What if everyone who received a hoax email sent it on to 10 people, who each sent it on to 10 more people, and so on?
Number of messages: after 6 generations (the hoax being forwarded 6 times) the count reaches 10^6, one million messages, from a single original. The load this traffic places on the network is considerable: the operator must either indiscriminately drop traffic or invest in capacity. Either way, it is a cost.
- See Worms and Bots
- Botnets: PCs controlled by a bot master, who uses them (or rents them to someone who uses them) to do things like send out spam. The PCs are infected and compromised with trojans, typically by getting people to download something onto their own computer. A botnet requires a command and control network, which frequently takes advantage of P2P.
- Zombies: computers infected by trojan viruses; bot networks use them to send out email
- Harvesting: spiders crawl the net searching for email addresses on web pages
- "you cannot avoid having your email harvested. Putting something like (a) or "name (at) isp.com" no longer works as harvesters know how to interpret this."
- Directory Harvest Attack: send a whole batch of messages to candidate addresses at a domain. The portion returned as bad addresses is subtracted from the set; the rest is likely a good set of addresses. The volume can overwhelm the target's email servers.
- Dictionary Attacks: generating the candidate addresses from lists of common names and words
- CDs marketed as containing millions of valid addresses
- Worms exploiting address books
- Filter evasion: unique text in each message
- Random passages of literature inserted into the message to defeat hash-based spam filters
- Change the address of origin every 15 minutes
- Change the content every 15 minutes
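The quoted warning that "name (at) isp.com" no longer hides an address is easy to confirm. The following is an added example, not code from the original page: a small harvester in Python that decodes the common substitutions for "@" and "." before extracting addresses. The sample page text, the token lists and the function names are constructed for illustration; a real harvester would run the same regex over crawled pages.

```python
import re

# Constructed sample page (not from any real site) with the address
# obfuscations users rely on; the harvester below decodes every one of them.
SAMPLE_HTML = """
<p>Contact: alice@example.com</p>
<p>Sales: bob (at) example (dot) org</p>
<p>Support: carol [at] example [dot] net</p>
<p>Press: dave AT example DOT com</p>
<p>Web: eve&#64;example&#46;com</p>
<p>Meeting at 10 dot 30 in room 4</p>
"""

# Substitutes people use for "@" and ".": HTML entities, bracketed words and
# bare words, all matched case-insensitively. Extend as new fashions appear.
AT_TOKENS = r"(?:@|&#64;|\(at\)|\[at\]|\{at\}|\s+at\s+)"
DOT_TOKENS = r"(?:\.|&#46;|\(dot\)|\[dot\]|\{dot\}|\s+dot\s+)"
LOCAL = r"[a-z0-9._%+-]+"
LABEL = r"[a-z0-9-]+"
# The last label must be alphabetic so "meeting at 10 dot 30" is not read
# as meeting@10.30.
HOST = (LABEL + r"(?:\s*" + DOT_TOKENS + r"\s*" + LABEL + r")*"
        r"\s*" + DOT_TOKENS + r"\s*[a-z]{2,}")

ADDRESS_RE = re.compile(
    r"(" + LOCAL + r")\s*" + AT_TOKENS + r"\s*(" + HOST + r")",
    re.IGNORECASE,
)


def normalize(local: str, host: str) -> str:
    """Turn a decoded (local part, host) pair back into a plain address."""
    host = re.sub(DOT_TOKENS, ".", host, flags=re.IGNORECASE)
    host = re.sub(r"\s+", "", host)
    return (local + "@" + host).lower()


def harvest(text: str) -> list[str]:
    """Return the de-duplicated, sorted addresses recoverable from text."""
    found = {normalize(m.group(1), m.group(2)) for m in ADDRESS_RE.finditer(text)}
    return sorted(found)


if __name__ == "__main__":
    for address in harvest(SAMPLE_HTML):
        print(address)
```

Every obfuscated form in the sample decodes to a plain address, while the "10 dot 30" decoy is rejected because its last label is not alphabetic. The lesson for a site owner is the one the page states: obfuscation buys nothing against a harvester that knows the conventions, so addresses that must stay private should not be published at all.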
- Types of Spam
- Learn How to Spam
- Call to action techniques: the spammer needs the recipient to do something
- URL spam: get the recipient to go to a website. This requires registering a domain, running a DNS server, publishing DNS records (the NS record that lets the DNS server be found; the registration data behind it is a WHOIS issue), and running a web server
- Note: spammers use multiple methods to obfuscate the connection to the web site, including redirectors, framing, scripting, reverse proxies and zombie proxies
- Image spam: the message is an image that cannot be machine read by anti-spam techniques, and contains no link that might trigger spam filters
- The spammer takes an image and makes many versions of it, differing only in a few dots or a little noise, just enough to defeat image fingerprinting
- Randomized text above and below the image to confuse filters
- A legitimate press release attached to the bottom
- Payment processing: the spammer needs a way to obtain money from victims
- Fulfillment: the order must be fulfilled, even with a fake product
- 2006 was the year of spam
- Volume grew from 32 billion to 75 billion messages per day
- Image spam grew from 5% to 30% of all spam
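The note above about adding a few dots of noise to an image "just enough to defeat image fingerprinting" describes an arms race between exact and perceptual fingerprints. The following is an added example, not code from the original page, and it uses constructed 32x32 grayscale bitmaps rather than real spam images: it shows a checksum-style fingerprint (SHA-256 over the pixel bytes) failing on a noised copy, while an average hash (aHash, an 8x8 block-average thresholded at the mean) still matches it and still separates it from an unrelated image. The image layouts, the noise routine and the 6-bit match threshold are assumptions chosen for illustration.

```python
import hashlib
import random

W = H = 32  # constructed 32x32 grayscale images, pixel values 0..255


def make_spam_image() -> list[list[int]]:
    """Constructed 'advert': a bright rectangle on a dark background."""
    img = [[20] * W for _ in range(H)]
    for y in range(8, 24):
        for x in range(4, 28):
            img[y][x] = 230
    return img


def make_unrelated_image() -> list[list[int]]:
    """Constructed control image: a dark diagonal band on a light background."""
    return [[30 if abs(x - y) < 4 else 200 for x in range(W)] for y in range(H)]


def add_noise(img: list[list[int]], pixels: int, seed: int) -> list[list[int]]:
    """The spammer's trick: invert a handful of randomly chosen pixels so that
    every copy of the advert has different bytes."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(pixels):
        y, x = rng.randrange(H), rng.randrange(W)
        out[y][x] = 255 - out[y][x]
    return out


def exact_fingerprint(img: list[list[int]]) -> str:
    """Checksum-style fingerprint: any changed byte changes the digest."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img: list[list[int]], size: int = 8) -> int:
    """Perceptual fingerprint (aHash): shrink to size x size by averaging
    blocks, then emit one bit per cell (1 = brighter than the mean)."""
    by, bx = H // size, W // size
    cells = []
    for cy in range(size):
        for cx in range(size):
            block = [img[y][x]
                     for y in range(cy * by, (cy + 1) * by)
                     for x in range(cx * bx, (cx + 1) * bx)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for value in cells:
        bits = (bits << 1) | (1 if value > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def same_campaign(a: list[list[int]], b: list[list[int]], threshold: int = 6) -> bool:
    """Treat two images as copies of one advert if their aHashes are within
    threshold bits of each other (threshold is an assumed tuning value)."""
    return hamming(average_hash(a), average_hash(b)) <= threshold


if __name__ == "__main__":
    original = make_spam_image()
    variant = add_noise(original, pixels=12, seed=1)
    print("sha256 equal:      ", exact_fingerprint(original) == exact_fingerprint(variant))
    print("aHash distance:    ", hamming(average_hash(original), average_hash(variant)))
    print("unrelated distance:", hamming(average_hash(original), average_hash(make_unrelated_image())))
```

A dozen inverted pixels move each 4x4 block's average by at most a few dozen levels, nowhere near the gap between the bright and dark cells, so the aHash bits do not change; the unrelated image differs in dozens of bits. Spammers answered perceptual hashes with heavier distortion (warped text, shifting backgrounds), which is why filters combine image fingerprints with the sender reputation and traffic analysis listed under anti-spam techniques.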
Anti SPAM Techniques
- Acceptable Use Policies (AUP)
- Example (RCN FAQ, prohibited uses): "You agree not to post or transmit any unsolicited advertising, promotional materials, or other forms of solicitation to other subscribers, individuals, or entities, except in those areas (e.g., classified advertisement areas) that are designated for such a purpose"
- Honey Pots
- Traffic Analysis
- Fingerprints of images (checksum or a hash)
- Reputation: historical data applied to a known entity, based on observed, objective sender behavior; end user feedback is key. The result is a granular score that separates legitimate, bad and gray mailers, and can be attached to IPs, domains and businesses.
- White Lists - only let these addresses through
- Black Lists - block these addresses
- Spam Buttons
- Buttons within email services or applications that individuals can use to report spam in their inbox. While this helps service providers identify unwanted email, it also produces false reports when an individual simply no longer wants legitimate email from a list but does not know how (or is too lazy) to unsubscribe.
- Email Authentication
- DomainKeys: Yahoo's original signature scheme, later merged with Cisco's Identified Internet Mail to form DKIM
- DKIM - DomainKeys Identified Mail
- Approved by the IETF as a standards track protocol, RFC 4871 (since superseded by RFC 6376)
- IETF Working Group
- Provides signature based authentication of email messages: the signing domain signs selected headers and the body with a private key, and receivers fetch the matching public key from DNS to verify the signature
- Soon available in a wide variety of vendor products
- Deployed by Google, Cisco
- Lets receivers build white lists keyed on authenticated domains, and deal with the false positive problem for mail that is otherwise authenticated. Gives a reliable domain name identification system. Deters cybercriminals from spoofing well-known, frequently phished domains.
- Note that cybercriminals can authenticate their messages too: a valid signature establishes only which domain sent the message, not that the message is wanted, so authentication is an input to reputation rather than a replacement for it.
- Crypto Based
- Email Certification
- Digital signature in the header, using a token received from a certifying authority. The receiving ISP authenticates the email, checking the legitimacy of the token, the appropriateness of the content and the number of emails sent.
- Goodmail (clients: AOL, AT&T, Comcast, COX, Road Runner, Verizon, Yahoo)
- Mail Sentry
- Client SMTP Validation
- Sender Policy Framework (SPF): the domain owner publishes in DNS which hosts are allowed to send mail for the domain; the receiving server checks the connecting IP address against that list
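DKIM's "signature based authentication" rests on canonicalizing the message so that harmless whitespace changes in transit do not break the signature. The following is an added example, not code from the original page or from any DKIM implementation: it implements the RFC 6376 simple and relaxed body canonicalizations in standard-library Python, computes the bh= body hash, and verifies a received message's bh= tag against the body actually received. The message, its domain, selector and placeholder b= value are constructed; checking b= itself (the RSA signature over the canonicalized headers, verified with the public key the signer publishes in DNS) is the second half of verification and is not done here, which is also why the page's caveat stands: a correct signature says who sent the mail, not whether it is spam.

```python
import base64
import email
import hashlib
import hmac
import re

# Constructed message body (not real mail) with the whitespace a relaying MTA
# might perturb: trailing spaces, a run of spaces, extra blank lines at the end.
RAW_BODY = b"Hello,  \r\n\r\nYour order   has shipped.\r\n\r\n\r\n"


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalization: drop empty lines at the
    end of the body; the result always ends with exactly one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed' body canonicalization: strip trailing
    whitespace from every line, collapse runs of WSP to one space, drop empty
    lines at the end, and terminate a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ")
             for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return (b"\r\n".join(lines) + b"\r\n") if lines else b""


def body_hash(body: bytes, canon: str = "relaxed", length=None) -> str:
    """The value of the bh= tag: base64(SHA-256(canonicalized body[:l]))."""
    data = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list; folding whitespace inside a
    value (as in b= and bh=) is ignored, per RFC 6376 3.2."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(raw: bytes) -> bool:
    """Recompute bh= from the body actually received and compare it with the
    bh= tag. Only the SHA-256 algorithms are handled here."""
    _, _, body = raw.partition(b"\r\n\r\n")
    sig = email.message_from_bytes(raw).get("DKIM-Signature")
    if sig is None:
        return False
    tags = parse_tags(sig)
    if not tags.get("a", "").endswith("sha256"):
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    length = int(tags["l"]) if "l" in tags else None
    expected = body_hash(body, body_canon, length)
    return hmac.compare_digest(expected, tags.get("bh", ""))


def build_message(body: bytes, canon: str = "relaxed") -> bytes:
    """Constructed signed message. The b= value is a placeholder: producing it
    needs the signer's private key, which this example does not have."""
    bh = body_hash(body, canon)
    headers = (
        "From: orders@example.com\r\n"
        "To: alice@example.net\r\n"
        "Subject: Your order\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/" + canon + "; d=example.com;\r\n"
        "\ts=sel1; h=from:to:subject; bh=" + bh + ";\r\n"
        "\tb=PLACEHOLDER\r\n"
    )
    return headers.encode("ascii") + b"\r\n" + body


if __name__ == "__main__":
    msg = build_message(RAW_BODY)
    print("body hash verifies:", verify_body_hash(msg))
    print("after edit:        ", verify_body_hash(msg.replace(b"has shipped", b"was cancelled")))
```

Under relaxed canonicalization the message still verifies after a relay collapses "order   has" to "order has", but the same edit breaks a message signed with simple canonicalization, and any change to the words fails under both. Receivers that find a bh= mismatch can stop before the expensive public-key operation.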
- Other News
- Disposable Email Addresses
- Permission Based Email
- Truste: participants agree to Truste best practices. Clients' opt-in programs display a seal indicating participation in the program.
- Blocking Email Message Images
- Images in an HTML message are pulled from the sender's server when the message is displayed. Each image can be given a unique file name, so when it is downloaded it confirms to the sender that the mailbox received the message and that the email address is valid. Blocking remote images until the user asks for them denies the sender that confirmation.
- HTML mail can also contain scripts that can infect the computer.
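The two items above (remote images as delivery beacons, and scripts in HTML mail) are what a mail client's "block remote content" setting defends against. The following is an added example, not code from the original page or from any mail client: a sanitizer built on Python's html.parser that re-emits the HTML with remote images and script elements removed, keeping embedded (cid:) images, and records the beacon URLs it blocked. The sample message, the tracking host and the per-recipient token in the image name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML message (not real mail). The 1x1 image carries a token in
# its file name that is unique to this recipient; the embedded image (cid:)
# is part of the message itself and safe to show.
SAMPLE_MAIL = """<html><body>
<p>Dear customer, see our new offer.</p>
<img src="https://track.example.com/open/u8f3k2.gif" width="1" height="1">
<img src="cid:logo@example.com" alt="logo">
<script>document.location = 'http://evil.example/';</script>
<p>Regards</p>
</body></html>"""


class MailSanitizer(HTMLParser):
    """Re-emit HTML with remote images and scripts removed, recording the
    remote image URLs (the web beacons) that were blocked."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.beacons: list[str] = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True      # swallow the element and its body
            return
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if urlsplit(src).scheme in ("http", "https"):
                self.beacons.append(src)
                self.out.append("<!-- remote image blocked -->")
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # "<img .../>" form

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
            return
        self.out.append("</" + tag + ">")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    # Pass the remaining token types through unchanged.
    def handle_entityref(self, name):
        self.out.append("&" + name + ";")

    def handle_charref(self, name):
        self.out.append("&#" + name + ";")

    def handle_comment(self, data):
        self.out.append("<!--" + data + "-->")

    def handle_decl(self, decl):
        self.out.append("<!" + decl + ">")


def sanitize(html: str) -> tuple[str, list[str]]:
    """Return (sanitized HTML, list of blocked beacon URLs)."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.beacons


if __name__ == "__main__":
    clean, beacons = sanitize(SAMPLE_MAIL)
    print(clean)
    print("blocked:", beacons)
```

The blocked URL list is itself useful: a unique token in an image name, different for every recipient, is the signature of a beacon. A production sanitizer would also strip on* event attributes, CSS url() references and iframes, which fetch remote content by the same mechanism.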
- Follow the Money
- Only one credit card brand will still accept their sales
- Dec. 2005 US Money Laundering Threat Assessment
- Shipping of Goods
- US Customs - delivery of ordered goods
- Port Blocking: ISPs block outbound TCP port 25 from consumer connections, so infected machines cannot deliver mail directly to other domains' servers
- Open Relays: closing them
"Spam email may be clogging your inbox. But did you know that the settings on your servers may make it easier for spammers to send more spam? This website has information about the Federal Trade Commission's efforts to inform organizations that their mail servers or proxy servers may be vulnerable to abuse by spammers.
"Open relays and open proxies allow unauthorized people to route their spam through your server. These unsecured servers are all over the globe. To spread the word about how organizations can protect their servers, the FTC and thirteen other domestic and foreign agencies have sent an email, translated into 11 different languages, to potentially open relay servers around the world. The email explains what open relay servers are and some of the problems associated with them. To view the letter in any of the languages, click on the links below.
"In the Business Guidance section, you'll find tips on how to secure your server to close the door on spam." FTC Open Relays
World Map [PDF]
Open Relays Close the Door on Spam
Open Relay Letter, complete with partner signatures and seals [PDF]
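An open relay is simply a mail server whose relay policy trusts everyone. The following is an added example, not code from the original page or from the FTC material above: a Python model of the RCPT TO decision an MTA makes, run once with the misconfiguration that creates an open relay (trusting 0.0.0.0/0, the equivalent of an over-broad "mynetworks" in Postfix) and once with the corrected setting, against the probe an open-relay scanner sends. The domains, addresses and networks are constructed; the reply codes are the conventional SMTP ones.

```python
import ipaddress

# Domains this MTA accepts inbound mail for (constructed example value).
LOCAL_DOMAINS = {"example.com"}

# Client networks allowed to relay to other domains without authenticating.
# These play the role of Postfix's "mynetworks"; the first is the classic
# misconfiguration that turns the host into an open relay.
OPEN_RELAY_NETWORKS = [ipaddress.ip_network("0.0.0.0/0")]
CLOSED_RELAY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                         ipaddress.ip_network("192.0.2.0/24")]


def rcpt_reply(client_ip: str, authenticated: bool, rcpt: str, mynetworks) -> str:
    """Reply an MTA gives to RCPT TO:<rcpt>, following the usual relay policy:
    accept mail for our own domains from anyone; accept mail for other
    domains only from trusted networks or authenticated clients."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 Ok"                       # inbound mail for us
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in mynetworks):
        return "250 2.1.5 Ok"                       # trusted submission, relay it
    return "554 5.7.1 <" + rcpt + ">: Relay access denied"


def relay_probe(client_ip: str, mynetworks) -> list[tuple[str, str]]:
    """The exchange an open-relay scanner drives: an unauthenticated stranger
    asks the server to deliver mail from one outside address to another.
    Returns the dialog as (client line, server reply) pairs."""
    rcpt = "victim@example.net"
    return [
        ("EHLO probe.example.org", "250 mail.example.com"),
        ("MAIL FROM:<tester@example.org>", "250 2.1.0 Ok"),
        ("RCPT TO:<" + rcpt + ">", rcpt_reply(client_ip, False, rcpt, mynetworks)),
    ]


def is_open_relay(client_ip: str, mynetworks) -> bool:
    """True if the probe's third-party recipient was accepted."""
    return relay_probe(client_ip, mynetworks)[-1][1].startswith("250")


if __name__ == "__main__":
    stranger = "203.0.113.9"   # constructed address outside every trusted network
    for label, nets in (("open", OPEN_RELAY_NETWORKS), ("closed", CLOSED_RELAY_NETWORKS)):
        print(label + ":")
        for client_line, reply in relay_probe(stranger, nets):
            print("  C: " + client_line)
            print("  S: " + reply)
```

The closed configuration still accepts mail addressed to its own domain from any client, and still relays for its own networks and for authenticated users; only the stranger-to-stranger case is refused. Closing an open relay means narrowing the trusted networks and requiring authentication for submission, not refusing inbound mail.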