Fighting the spammers
on 30.04.2007 22:52:29 by spamhotmail http://news.bbc.co.uk/1/hi/programmes/click_online/6598521.stm
BBC NEWS
Fighting the spammers
By Chris Long and Dan Simmons
Reporters, BBC Click
Spam is a very big problem. There are billions of e-mails sent every
day and 80 - 90% of them are junk.
And it is getting worse. Today, spam e-mails have developed well
beyond the traditional offers of illegal drugs and questionable body
enhancement surgery, but you will be pleased to know it is not a new
problem.
We have had junk mail for as long as we have had letterboxes, and that
is exactly what spam is: junk mail, although unlike junk mail spam has
got cleverer in the way it tries to trap you.
Whereas the junk that falls through your letterbox rarely does more
than try to sell you another credit card or fast food, the kind of
junk that we see in our inbox has got way more sophisticated, although
apparently the naming of these things has taken a backward step.
Pump-and-dump
"Pump-and-dump is a type of spam," said Mark Sunner from MessageLabs,
"and it's one of the most prevalent things that's going on at the
moment. Essentially the bad guys are sending out, in huge volumes,
messages that purport to be a hot stock tip.
"Ironically, because enough people fall for this, we can see, by
tracking these shares, that they do elevate very slightly.
"It's not a huge bump but the bad guys will have taken a slice of
these penny shares and then they get out quickly, usually within a
24-hour period, as the price rises. Then people are left with something
which is going to be worthless."
So how do they come up with the e-mail addresses?
"Brute force, in e-mail terms," explained Mr Sunner. "Someone can
create an e-mail account called, say, abcd1234@. It's not a name, so
how would anyone guess that?" And yet it still starts receiving spam.
"The answer is that there are many programs out there that are working
their way through all permutations of letters and numbers, but
starting with names; for instance things like asmith@, bsmith@,
csmith@ etc, will be at the top of the algorithms that are targeting a
particular domain.
"They have no concept of who might be behind that address, but by
performing a brute force attack starting with real names there's a
high likelihood that they're going to get real addresses."
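
Seen from the receiving mail server, the guessing described above shows up as one client being refused many different recipients at the same domain. The sketch below is an added example, not part of the BBC article: the log format, the thresholds, the IP addresses and the example.com addresses are all constructed assumptions. It flags such a client and lists which real addresses it confirmed along the way.

```python
import re
from collections import defaultdict

# Constructed log lines in a made-up "client= rcpt= status=" format (assumption);
# 550 = recipient unknown, 250 = recipient accepted.
SAMPLE_LOG = """\
10:00:01 client=203.0.113.7 rcpt=<asmith@example.com> status=550
10:00:01 client=203.0.113.7 rcpt=<bsmith@example.com> status=550
10:00:02 client=203.0.113.7 rcpt=<csmith@example.com> status=250
10:00:02 client=203.0.113.7 rcpt=<dsmith@example.com> status=550
10:00:03 client=203.0.113.7 rcpt=<esmith@example.com> status=550
10:00:03 client=203.0.113.7 rcpt=<fsmith@example.com> status=550
10:04:10 client=198.51.100.20 rcpt=<csmith@example.com> status=250
10:05:42 client=198.51.100.20 rcpt=<c.smiht@example.com> status=550
10:09:13 client=198.51.100.20 rcpt=<helpdesk@example.com> status=250
"""

LINE = re.compile(r"client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> status=(?P<code>\d{3})")


def find_harvesters(log_text, min_unknown=5, min_reject_ratio=0.8):
    """Return clients whose recipients are mostly unknown, with the addresses they confirmed."""
    unknown = defaultdict(set)   # client IP -> distinct rejected recipients
    accepted = defaultdict(set)  # client IP -> distinct accepted recipients
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rcpt = m["rcpt"].lower()
        if m["code"] == "550":
            unknown[m["ip"]].add(rcpt)
        elif m["code"].startswith("2"):
            accepted[m["ip"]].add(rcpt)

    findings = {}
    for ip, misses in unknown.items():
        hits = accepted[ip]
        ratio = len(misses) / (len(misses) + len(hits))
        # A single mistyped address is normal; many distinct misses from one client is not.
        if len(misses) >= min_unknown and ratio >= min_reject_ratio:
            findings[ip] = {"unknown": len(misses), "confirmed": sorted(hits)}
    return findings


if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG).items():
        print(ip, info)
```

The "confirmed" list matters to the defender: those are the addresses the guessing run has verified as real, so they can expect spam from then on.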
Open invitation
Did you know you were not supposed to even open up a spam e-mail?
"When you receive a spam message in your Inbox," said Phil Watts of
SoftScan, "my advice to you is please don't click on it.
"The double click is like opening a Word document, which means it
opens that document into your Inbox, releases the software that's
inside it, and it inserts itself into your directory or wherever it
needs to go. And it could be sending out messages to your e-mail list,
for example."
But it gets worse, as Thierry Karsenti from CheckPoint revealed.
"By opening the e-mail you're automatically downloading images or
whatever makes the e-mail attractive to you, but by doing that you
give the spammer the information that you're actually reading the
e-mail."
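
What a mail client would fetch on opening a message can be listed without rendering it. The sketch below is an added example, not part of the BBC article: the message, the .example hosts and the query-string identifiers are constructed. It parses an HTML e-mail and reports every image that would be loaded from a remote server, which is why many mail clients block remote images by default.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; hosts and identifiers are invented for illustration.
SAMPLE_EMAIL = """\
From: tips@stocks.example
To: reader@example.com
Subject: Hot stock tip
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Buy now!</p>
<img src="http://img.spammer.example/banner.gif?u=reader%40example.com" width="400" height="80">
<img src="http://img.spammer.example/o.gif?id=7f3a" width="1" height="1">
<img src="cid:logo123">
</body></html>
"""


class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose source is fetched over HTTP(S) when the mail is displayed."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if url.scheme in ("http", "https"):  # cid: images travel inside the message itself
            pixel = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            # A query string can carry an identifier that ties the request to one recipient.
            self.remote.append({"host": url.hostname, "has_query": bool(url.query), "pixel": pixel})


def remote_images(raw_message):
    """Return the remote images referenced by the HTML parts of a raw e-mail."""
    finder = RemoteImageFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return finder.remote
```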
Choosing an e-mail account
We thought we'd try an experiment to see how much unwanted e-mail we
would attract simply by setting up some e-mail accounts. Would spam
simply flood in? Would it make much of a difference who we signed up
with, or what we signed up for?
First of all we set up three e-mail accounts with AOL.
Number one was our secret account - not to be used or disclosed by
anyone. Number two was set up for social networking. We registered
on MySpace, Bebo, and a dating site called FriendFinder.
Finally, number three was used to sign up for just about anything we
could think of: free TV and film sites, national online newspapers,
beauty products, voucher schemes, all sorts.
To make sure we were not being biased we set up similar free accounts
with MSN's Hotmail, and Google's mail service.
With each account we accepted the provider's default spam settings.
For each site we signed up to, if we were given an option to avoid
third party e-mails, we took it.
Experiment results
After seven days we returned to our inboxes.
Our secret accounts, the ones we just set up and kept completely hush
about, have been untouched by spammers. Each of the number one
accounts has just one e-mail in - welcoming us to that service. So far
so good.
The number two accounts, used for social networking sites, attracted
more e-mails - mainly to verify our registration. But there was
nothing here we did not ask for. No third parties have been in touch.
So no spam so far.
And so to the sign-up-to-anything accounts. We chose six sites at
random and used our number three e-mail addresses to register. Would
they attract spam inside a week of being used?
AOL was clean. There was nothing in the spam folder and all 10
messages have come from our six sites. Half of them come from a site
we signed up to called Secret Satellite, all pushing the company's web
TV service.
Our Hotmail account did not attract uninvited e-mails either, but it
decided to treat two of Secret Satellite's messages as spam. They
appear to come from Oliver, adding a personal touch to the site's
repetitive pitch. Hotmail also decided that the e-mail from
beautyexpert.co.uk confirming our registration was junk too.
Google seemed more cut-throat about what constitutes spam. Again there
was nothing from strangers - but this time every e-mail from Secret
Satellite went into the spam bin.
Which begs the question: are repeated e-mails from a service you have
signed up for spam? You will have to decide, and all of these services
"learn" what you think is spam depending on where you file messages.
Certainly in the short term we were not deluged with unsolicited
e-mails simply because we set up e-mail accounts. Spam is a little more
complicated than that.
Of course our experiment is only seven days in. But we plan to return
to our inboxes to find out more the next time Click tackles spam.
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/programmes/click_online/6598521.stm
Published: 2007/04/27 14:42:44 GMT