Email : SPAM Notes
Economics :: Cost of Spam
"In a 2002 survey on the commercial use of e-mail, it was estimated that the cost to send a single e-mail averages USD 0.05 with a low value of USD 0.01. Other research has suggested that it costs 0.00032 cents to obtain one e-mail address.... With low costs, low response rates will show a profit through spam nonetheless. According to a survey conducted by Mailshell in March of 2003, more than 8% of the 1 118 respondents admitted that they have actually purchased a product promoted via spam. A study by the Wall Street Journal in 2002 showed that a return rate as low as 0.001% can be profitable when using e-mail. In one case cited, a mailing of 3.5 million messages resulted in 81 sales in the first week, a rate of 0.0023%. Each sale was worth USD 19 to the marketing company, resulting in USD 1 500 in the first week. The cost to send the messages was minimal, probably less than USD 100 per million messages. The study estimated that by the time the marketing company had reached all of the 100 million addresses it had on file, it would probably have pocketed more than USD 25 000 on the project." OECD Background Paper For the OECD Workshop on SPAM DSTI/ICCP(2003)10/FINAL page 9 Jan 22, 2004
Cost of Hoaxes and Spam
While these hoaxes may appear benign, there is a considerable and measurable cost, one that network operators know first hand. The cost of transmitting a single email through a network may be essentially free. The bits pass through the communications pipe barely noticed. The cost of transmitting a million emails through a pipe, however, can show up on the budget. Network operators facing onslaughts of email have a choice: they can let the email flood overwhelm their pipes, dropping packets here and there, good packets with the bad, resulting in the equivalent of a denial of service attack on their network and losing customers who are annoyed about their emails vaporizing, or they can spend a lot of money overbuilding their networks in anticipation of peak load, passing the costs of this excess capacity on to the consumer.
Hoaxbusters [Hoaxbusters, Information About Hoaxes] has a very interesting analysis of the cost of hoax emails. If everyone on the Internet were to receive one hoax message and spend one minute reading and discarding it, the cost would be something like:
50,000,000 people * 1/60 hour * $50/hour = $41.7 million
Think of it another way. What if everyone who received a hoax email sent it on to 10 people, who then sent it on to 10 people, and so on, and so on, and so on...
| "Generation | 1 | 2 | 3 | 4 | 5 | 6 |
| Number of messages | 10 | 100 | 1000 | 10,000 | 100,000 | 1,000,000" |
Within 6 generations of the hoax (it being passed along 6 times), the number of messages generated would be up to one million! The load on the networks for this traffic is considerable - the network must either indiscriminately drop traffic or invest in capacity. Either way, it is a cost.
SPAM Tactics
- Bots
- See Worms and Bots
- A PC controlled by a bot master to do what the bot master, or the person he rented it to, wants, such as sending out spam. Trojans are used to infect and compromise a wide array of individual computers; the aim is to get people to download something onto their own computer. Requires a command and control network. Frequently takes advantage of P2P.
- Spiders crawling for email addresses on webpages
- Bot networks that can send out email - Use Zombies
- Harvest: Spiders crawl net searching for email addresses
- "you cannot avoid having your email harvested. Putting something like (a) or "name (at) isp.com" no longer works as harvesters know how to interpret this."
- Directory Harvest: Send out a whole bunch of messages to addresses. One portion of messages gets returned as bad addresses. Those addresses are subtracted from the set. The rest of the set is likely a good set of addresses. Can overwhelm email servers.
- Zombie computers, infected by trojan viruses
- Dictionary Attacks
- Spoofing
- Phishing
- CDs marketed as having millions of valid addresses
- Worms exploiting Address Books
- Unique text
- Text hash from literature in order to fool spam filters.
- Change address of origin every 15 minutes
- Change content every 15 minutes
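
The Directory Harvest tactic listed above leaves a recognisable trace on the receiving mail server: one client drawing many "no such user" rejections in a short time. The following is an added example, not part of the original notes, that flags such clients in a constructed log; the log format, the thresholds and the name `find_harvesters` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified log format (constructed for this example, not a real MTA's).
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=<[^>]*> status=(?P<code>\d{3})")

def find_harvesters(lines, window=timedelta(minutes=5), min_rejects=5, min_ratio=0.8):
    """Return {client_ip: (rejects, attempts)} for the worst sliding window of
    each client whose RCPT attempts were mostly 550 'no such user' replies."""
    recent = defaultdict(deque)  # ip -> (timestamp, was_rejected), oldest first
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a recipient-result line
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["code"] == "550"))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        rejects = sum(bad for _, bad in q)
        if rejects >= min_rejects and rejects / len(q) >= min_ratio:
            if rejects > flagged.get(m["ip"], (0, 0))[0]:
                flagged[m["ip"]] = (rejects, len(q))
    return flagged

def _line(ts, ip, user, code):
    return f"2024-01-01T{ts} client={ip} rcpt=<{user}@example.org> status={code}"

# Constructed sample data: one harvesting client, one ordinary sender with a
# single typo, and one list sender whose stale addresses bounce over two hours.
GUESSES = [("aaron", 550), ("abby", 550), ("adam", 250), ("alan", 550),
           ("alex", 550), ("alice", 550), ("amy", 550)]
SAMPLE_LOG = (
    [_line(f"10:00:{i:02d}", "203.0.113.7", u, c) for i, (u, c) in enumerate(GUESSES)]
    + [_line("10:01:00", "198.51.100.20", "adam", 250),
       _line("10:01:05", "198.51.100.20", "adamm", 550),
       _line("10:01:09", "198.51.100.20", "adam", 250)]
    + [_line(f"{10 + i // 3}:{(i % 3) * 20:02d}:00", "192.0.2.9", f"old{i}", 550)
       for i in range(6)]
)

if __name__ == "__main__":
    for ip, (rejects, attempts) in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {rejects}/{attempts} recipients rejected within 5 minutes")
```

Only the client whose rejections cluster inside the window is reported; the ratio test keeps a sender with one mistyped address out of the result.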
Spam Techniques
- Types of Spam
- Nigerian 419, Pharmacy, Stock, Mortgage, diploma, porn, extortion, terrorism, cyberwar
- Stock: Pump and Dump (see Investing)
Anti SPAM Techniques
- Acceptable Use Policies (AUP)
- Example: RCN FAQ Prohibited "You agree not to post or transmit any unsolicited advertising, promotional materials, or other forms of solicitation to other subscribers, individuals, or entities, except in those areas (e.g., classified advertisement areas) that are designated for such a purpose"
- Honey Pots
- Project Honey Pot
"Spam email may be clogging your inbox. But did you know that the settings on your servers may make it easier for spammers to send more spam? This website has information about the Federal Trade Commission's efforts to inform organizations that their mail servers or proxy servers may be vulnerable to abuse by spammers.
"Open relays and open proxies allow unauthorized people to route their spam through your server. These unsecured servers are all over the globe. To spread the word about how organizations can protect their servers, the FTC and thirteen other domestic and foreign agencies have sent an email, translated into 11 different languages, to potentially open relay servers around the world. The email explains what open relay servers are and some of the problems associated with them. To view the letter in any of the languages, click on the links below.
"In the Business Guidance section, you'll find tips on how to secure your server to close the door on spam." FTC Open Relays