Comment: 200 reasons why spam won’t go away

17 Nov 2004

Have you ever wondered why inboxes the world over — and yours, too — are increasingly groaning under the weight of assorted, irrelevant junk? How many times have you scrolled through an ad for the latest get-rich-quick scheme and thought to yourself: why are they trying to sell this to me? The chances are, they aren’t and they never intended to.

The economics of spam were well illustrated in a recent white paper from the Irish email and hosting provider IE Internet, which showed in simple terms how it’s possible, without any kind of prior marketing or targeting, to make money from a tiny few while annoying the majority.

IE Internet estimates that a spammer’s operating costs can be as low as €200. At those prices, what is there to lose? The costs break down as follows: list of 500,000 email addresses, €10; software for sending large volumes of email, €50; subscriptions to multiple dial-up accounts, €140.

Now down to business. All our would-be spammer has to do is send unsolicited email messages to the half a million people on the list, hawking a product priced at, say, €10. Based on these calculations, a response rate of just 0.005pc — 25 people, in other words — means the spammer breaks even and has covered his costs. Anything after that is pure jam: if one tenth of one percent, or 500 people, reply, the spam merchant earns a tidy €5,000. Nice work if you can get it.

None of this is exactly reassuring to those of us who these days must routinely weed out the useful mail from the pile of irrelevant nonsense that passes for our inbox. Sadly, a solution seems as far away as ever now that a Microsoft-backed proposal for an anti-spam standard has been turned down.

The software giant had supported a specification that, on the face of it, seemed like a winner. Called Sender ID, the technology was designed to foil spammers by authenticating the @ address of an email by checking its underlying, numeric internet protocol (IP) address. One of the common tricks of spam is to spoof the sender’s ‘from’ address to make the message hard to trace.

Unfortunately, just as filthy lucre is a motivating factor for spammers, it appears that Microsoft saw in Sender ID an opportunity to commercialise a product and make some money. According to reports, Microsoft wanted to make some of its intellectual property a mandatory part of the solution. Even before the decision came to a vote, the working group within the standards body of the Internet Engineering Task Force (IETF) showed little enthusiasm for Microsoft’s insistence on keeping secret a possible patent application on its proposed technology. The use of Microsoft’s technology in the Sender ID specification meant the software company could have specified a licence that potential users would have to agree to before using the code.

So Sender ID finds itself in limbo: the IETF has granted it ‘experimental’ status so that the industry can test it along with competing email authentication proposals and build consensus that way. But I wouldn’t hold my breath.

In the meantime, we’ll have to make do with individual products and techniques for sender verification. One such option is Spamarrest, which I got to see at close hand recently. Moments after replying to an email, I got a new message asking me to verify who I was before my mail would be forwarded to the necessary person.

The method cleverly takes technology out of the equation: from the webpage that the message brought me to, I was confronted with a series of letters hidden behind some squares in a graphic. It was pretty easy to read, but the important thing was, you had to be looking at the screen to read it. A computer trawling the web looking for email addresses to harvest wouldn’t pick up on this. By typing the code and clicking a button, I verified to my original correspondent that: a) I am not a machine; b) I have something worthwhile to say to him (I hope!); and c) he will be assured that I am not trying to sell him cheap prescription drugs or unbelievably low interest loans.

It’s simple and brilliant. The system at the far end will recognise you as a friendly face forevermore and you can carry on chatting. Granted, it would become a lot harder if everyone I ever wrote to employed the same way to protect themselves from unwanted email: imagine repeating the process for every person you correspond with! But in the absence of an overriding standard to protect us all, many more users are likely to take matters into their own hands and ‘hide’ behind filters such as this in the meantime; and who would blame them?
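
The challenge-and-verify flow described above can be sketched in a few lines. This is an added example, not Spamarrest's code: the `ChallengeGate` class, its method names and the sample addresses are hypothetical, and the picture of letters is reduced to a short random code that the sender must type back.

```python
import hashlib
import hmac
import secrets


class ChallengeGate:
    """Hold mail from unknown senders until they answer a one-time challenge."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side secret for signing links
        self.allowlist = set()               # senders verified once, trusted afterwards
        self.held = {}                       # sender -> quarantined messages
        self._codes = {}                     # sender -> code drawn in the challenge image

    def _token(self, sender):
        # The token in the challenge link binds it to one sender address.
        return hmac.new(self._key, sender.encode(), hashlib.sha256).hexdigest()

    def receive(self, sender, message):
        sender = sender.strip().lower()
        if sender in self.allowlist:
            return ("delivered", None)
        first_contact = sender not in self.held
        self.held.setdefault(sender, []).append(message)
        if not first_contact:
            # A 'from' address can be forged, so send at most one challenge
            # per address instead of one per message.
            return ("held", None)
        self._codes[sender] = secrets.token_hex(3)
        return ("challenged", self._token(sender))

    def code_for_image(self, sender):
        # What the web page would render as a picture for a human to read.
        return self._codes.get(sender.strip().lower())

    def verify(self, sender, token, typed_code):
        sender = sender.strip().lower()
        expected = self._codes.get(sender)
        if expected is None:
            return []
        token_ok = hmac.compare_digest(token.encode(), self._token(sender).encode())
        code_ok = hmac.compare_digest(typed_code.encode(), expected.encode())
        if not (token_ok and code_ok):
            return []
        del self._codes[sender]
        self.allowlist.add(sender)           # recognised from now on
        return self.held.pop(sender, [])     # release everything that was waiting
```

Mail is released only when both the link token and the typed code match, and every later message from that address is delivered without a new challenge.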

By Gordon Smith