What is spam?
At a simplistic level, "spam" is simply unwanted electronic mail that you receive without ever having requested it: it might be an unsolicited advertisement for "Generic Vi@gra" tablets, or a request for you to join a campaign, or even an offer of millions of dollars for the temporary use of your bank account. The key point about spam is simply that you never asked, nor gave permission, to receive the message.
Unfortunately, a definition as disarmingly simple as the one given above is too vague to be used as a basis for controlling or eliminating spam, primarily because it is based on preference and circumstance: if we used this as our definition for spam, then you'd never be able to send a message to someone you didn't know. Coming up with an accurate description of spam is important from the legislative standpoint, because effective anti-spam laws are going to need to target the problem very specifically. An accurate description also makes it clear to developers of technical solutions just exactly what they should be trying to handle.
Defining spam in detail is not easy, and has become a very contentious issue on the Internet - a Google search for "Spam Definition" will yield over 300,000 results. In general though, the world divides into two schools - those who believe that it is the content of the message that is the key to defining spam, and those who believe that the primary attribute of spam is the fact that it is sent in bulk. The first camp usually refer to spam as "UCE", or "Unsolicited Commercial E-mail", while the second camp prefer the term "UBE" ("Unsolicited Bulk E-mail"). We believe that any definition of spam has to consider both these aspects. A definition we have come up with which we believe encapsulates the issue reasonably well is -
Spam: An electronic communication containing material or references to material of a commercial, solicitational or illegal nature, directed as part of a bulk distribution to any address where the addressholder has not given explicit prior consent to receive it.
The author's Spam White Paper contains an entire section devoted to the definition of spam - if you are interested in delving more deeply into the issue, we recommend this white paper as a good starting point.
Who sends spam?
Spam is sent by a multitude of different organizations and individuals - the only common feature they share is that they are all trying to make a profit from the activity. In general, the major originators of spam can be broken down into four distinct groups:
- Hardcore spammers: These are the heavyweights of the spam industry: they normally have their own high-bandwidth Internet connections, and generally produce and sell the "products" they advertise in their spam. Some of the largest abusers in this group send out hundreds of millions of spams every day. The Spamhaus Project, a major anti-spam group, have listed the 200 worst offenders in this group, and claim that those 200 are responsible for 90% of the spam that is sent out every day.
- Scam-artists: The favourite vehicle of this group is known as a "419 Scam", and involves offering you a percentage of a very large amount of money in return for your assistance in "processing" the money in some way. If you fall for the scam, you will eventually be asked to stump up some hard cash to cover "processing fees", at which point the scammers will vanish and your money is gone. A variation on this theme is the mail message telling you that you've won a lottery you never entered, and that a small fee will release the funds to you. Incredibly enough, there are actually people out there who fall for these things.
- Spam distributors: These are people who charge a fee to send out millions of copies of a message on behalf of another person or business. People in this class range from small-scale players (who normally don't last long in any area before they are shut down), to large firms who have invested in considerable infrastructure to provide their "services". The larger players often go to elaborate lengths to cloak their operations, because they are major targets for anti-spam operations.
- The innocent but ignorant: These are the people who buy a list of ten million addresses and use it to send out an advertisement for their product. To these people, spam simply seems like an inexpensive form of direct marketing, and because the practice is not illegal in most places, they can't see any reason not to do it. People in this class usually only send spam once, because the reaction is so hostile, and as public awareness of the problem grows, they are (fortunately) getting fewer in number.
Why do they send it?
Why do spammers send spam? One word - profit: spam can be exceedingly profitable. To give you an example, imagine that a spammer sends out 100 million copies of his spam selling... um... "member enlargement" pills for $39.95 a bottle. Now imagine that just one in every ten thousand people who gets that spam purchases the "product". That's 10,000 x $39.95, or $399,500! The cost for sending out the messages is probably measured only in hundreds of dollars (if even that much) and the "product", if it actually exists, is usually only a bottle of vitamin pills with a new label, so you can see that the potential profit is very considerable indeed. (Incidentally, these numbers are based on an actual reported case.)
It's not known for sure how many people fall for "419 scams" and similar illegal rackets advertised via spam, but there is a persistent rumour that proceeds from this type of scam account for a noticeable portion of the foreign exchange earnings of Nigeria (a major source of such scams).
If nobody purchased anything advertised to them in e-mail they had not explicitly given permission to receive, then spam would rapidly cease to be a problem. The only reason spam continues to grow as a problem is because there are people who are willing to purchase the products it promotes.
How did they get my address?
Spammers get your e-mail address in a number of ways, of which the most common are probably the following:
- From web pages: Specialized programs called Web Spiders (also called Web Crawlers) wander around the Internet visiting every web page they can find: when they see an e-mail address on a web page, they add it to the spammer's address database. Available evidence suggests that this is the most common way of getting onto spam lists, so wherever possible, try to avoid placing your e-mail address on your web pages.
- From public postings: If you post to publicly-accessible news groups or mailing lists, there is a fairly good chance that your address will be "harvested" and added to a spammer's address database.
- From address harvesting programs: These are specialized programs that connect to mail servers and start trying to deliver mail to addresses constructed from dictionaries: they repeat the process over and over again until eventually they find an address the mail server will accept. When this happens, they know they have found a valid address and add it to their spam database. This "harvesting" process runs 24 hours a day and wastes a huge amount of Internet bandwidth. An increasing number of mail servers are adding measures to defeat this type of harvesting, but for now, it's still a fairly common way of getting onto a spam list.
- From unscrupulous or careless merchants: When you purchase goods on the Internet, you usually have to provide an e-mail address. Some vendors will on-sell their lists of addresses to spammers, and in some cases, employees have stolen their employer's address database to sell. There's really very little defense against this other than keeping a second e-mail address that you only use when purchasing goods online.
- From viral break-ins: Personal computers are unfortunately vulnerable to being compromised by viruses and trojan horse programs, usually borne by e-mail. Some viruses harvest addresses from the PC's e-mail address book and pass them on to address harvesting sites.
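
The dictionary-style address harvesting described in the list above leaves a recognisable trace on the receiving mail server: one client collecting many "no such user" rejections for different recipients in a short time. The sketch below is an added example, not part of the original article; the log format, the thresholds and the name find_harvesters are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data in a simplified, hypothetical log format (assumption):
# timestamp, client IP, RCPT TO address, SMTP reply code (550 = no such user).
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=203.0.113.7 rcpt=<aaron@example.org> result=550
2024-05-01T10:00:03 client=203.0.113.7 rcpt=<abby@example.org> result=550
2024-05-01T10:00:04 client=198.51.100.20 rcpt=<sales@example.org> result=250
2024-05-01T10:00:05 client=203.0.113.7 rcpt=<adam@example.org> result=550
2024-05-01T10:00:07 client=203.0.113.7 rcpt=<alice@example.org> result=250
2024-05-01T10:00:09 client=203.0.113.7 rcpt=<allan@example.org> result=550
2024-05-01T10:00:11 client=203.0.113.7 rcpt=<amy@example.org> result=550
2024-05-01T10:03:00 client=198.51.100.20 rcpt=<slaes@example.org> result=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> result=(?P<code>\d{3})$"
)

def find_harvesters(lines, max_rejects=5, window_seconds=60):
    """Return {client_ip: peak count of distinct unknown recipients probed
    inside the sliding window} for clients that reach max_rejects."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) of 550 replies
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["code"] != "550":  # only unknown-user rejections count
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while q and ts - q[0][0] > window:  # expire events outside the window
            q.popleft()
        distinct = len({rcpt for _, rcpt in q})
        if distinct >= max_rejects:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

if __name__ == "__main__":
    # The probing client is reported; the sender with a single typo is not.
    print(find_harvesters(SAMPLE_LOG.splitlines()))
```

A mail server can use a result like this to slow down or temporarily refuse the flagged client, which is the kind of measure the harvesting entry above refers to.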
