You’ve received it, you don’t want it, you don’t understand who it’s from or what it’s about. So just press Delete. Or, if you want to recognise, report or block some of the offensive, fraudulent or just plain annoying email that very occasionally gets through GreenNet’s anti-spam systems (or that you’ve come across with other email providers), here is a rundown of the main types.
Over 95% of spam (that is, unsolicited bulk email or UBE) is blocked or marked by the open-source anti-spam software that GreenNet uses or produces. However, you may get the occasional bit of junk, particularly if you forward messages from a non-GreenNet account. If you’re like most GreenNet users and hardly ever get spam, here’s what you’re missing.
Knock-offs and dodgy deals: pills, watches and pirate CDs
These messages are perhaps what people first think of as spam. Just as there used to be a bloke down the pub – in 80s sitcoms at least – trying to flog his armful of luxury timepieces that had supposedly fallen off the back of a lorry, so today exactly the same thing happens on the internet with adverts for shoddy and sometimes dangerous goods. However, on the internet the bloke has a better disguise and can run away quicker, quite likely with your credit card details.
Usually this is advertising a website or ‘online store’ selling something cheap to produce but illegal in most countries, maybe because it’s an infringement of trademark or copyright, or it violates regulations on licensing and advertising of prescription medicines. Since the business is well known to be dodgy anyway, to get around blocks the spammer gangs aren’t afraid to use ‘botnets’, which are networks of thousands of infected Windows computers (see below). This makes it harder to block the spam using a blocklist or trace the spam, because it originates from thousands of dynamic locations in cyberspace. It also means that reporting the source via SpamCop to the ISP or institution responsible for connecting the infected computer to the network is not very effective in such a case. Nevertheless the distinctive web link and text it includes can still make it worth reporting, forwarding directly to the responsible web host or sending to us. Similarly the spammers may try to vary or disguise the link to their site, to try to avoid some very successful methods of spam detection (for example URIBL) which match lists of web addresses.
Because most anti-spam systems long ago wised up to these types of spam and are also looking for particular strings in the text (words or phrases), even the text is deliberately mangled beyond machine or human recognition in an attempt to add ‘noise’ and get past anti-spam measures. Alternatively the spammers can try to avoid the spam being blocked by presenting the text as one or more images. Even if it gets accepted by our mail server it almost invariably ends up being discarded into ‘quarantine’. Therefore: they just increase the rate at which they send.
So the spammer may sometimes be able to get a message through, but with the penalty that the link won’t work and the text will be completely incomprehensible. In fact, trying to discern the content of typical messages that suggest that we need to change the size and shape of certain body parts, academics have come up with an alternative theory about the origin of spam – published in the normally respectable Fortean Times in 2004 – that such electronic messages are in fact an attempt by a extraterrestrial intelligence with alien physiognomy to communicate and interbreed with human beings. However, there is little conclusive evidence either way.
- Often you get spam, either pharmacy spam from a gang in Ukraine/Romania or for electronic goods from China, via compromised freemail accounts, such as Hotmail or Yahoo. The spammers evade blocks by sneakily discovering details giving access to a freemail account, logging in to the service, and sending a short message to everyone in the victim’s address book, and maybe altering other options such as the signature and impersonating your contact. So you may see something confusingly looking like a recommendation from a friend, with a short or broken link in it. Even Microsoft Hotmail advice is not clear how the passwords were compromised in the first place: maybe by abusing the password recovery feature or phishing using either tabnabbing or ‘who blocked you on messenger’ sites, or by cloning the session cookie you use to log into Webmail via a cross-site scripting (XSS) attack. However it happened, it is clear that the Hotmail/Yahoo user will need to change their password to something “strong” (at least 8 characters including numerals and not the same as for any other website) and also reset their secret question. To be on the safe side, they should perform a full scan with up-to-date anti-malware software in case the password was filched using a “keylogger”; log out of the service, find the cookies option in the browser (often under Tools/Options/Privacy) and remove cookies for the service. If you’ve received such spam, clicking on the link in it is of course a bad idea, but you might want to phone or email your contact to suggest they follow the steps above and to contact their email provider.
‘Opt-out’ and ‘business-to-business’ spam – selling seminars, spending sprees and instant degrees
Spam is the final proof that the more something is advertised, the more worthless it must be. At the other end of the spectrum from the pill-peddlers in some ways is the unwanted and annoying hype from real, named companies that apparently think that providing a method to unsubscribe (‘opt-out’) or sending a ‘one-off’ mailing somehow makes it all right that they sent tens of thousands of unwanted and irrelevant emails in the first place. There was already a perfectly good alternative to un-subscribing anyway: blocking them and reporting them for network abuse.
What they are selling is usually apparently legal in itself – traditionally seminars on the best way to ‘sell, sell, sell’ and lists of ‘business contacts’, which is kind of ironic when you think about it. A lot of the time and brain space that is wasted by this type of email goes something like “surely I couldn’t have subscribed to this?” Again, they may avoid including links to avoid spam detection, although if links are included they are often to ‘tracking images’: by default, merely by opening the message in many email programs tells the sender that the message has got someone’s attention by being previewed or opened, potentially an infringement of privacy.
People who send opt-out spam often claim that there is nothing wrong with them spamming, citing the CAN-SPAM Act in the USA (widely referred to as the “you can spam act”) or the somewhat more useful EU directive on Privacy and Electronic Communications (PECR), enforced by the Information Commissioner’s Office in the UK. These are laws that explicitly define offences of sending spam under certain conditions, and in the case of PECR, additionally of sending individual (non-bulk) unsolicited emails to private citizens or unincorporated bodies.
Using the legal idea of ‘the exception that proves the rule’, these spammers claim to believe that these laws somehow make other forms of spam (particularly that which is targeted at businesses, which for them includes .org.uk and .org domains) legal and acceptable. They are generally marketing types and internet newbies, with little knowledge of technology beyond what is needed to install some commercial mass-mailing software, apparently little knowledge of anything else other than the previously mentioned regulations, and almost certainly haven’t heard of Kant’s categorical imperative (if it were a universal law that everyone were permitted to spam…). They seem blissfully unaware that it is a condition of being connected to the internet that they do not send UBE. They do however, oddly seem to deliberately be using the sending facilities of web hosting companies with unresponsive or understaffed abuse desks. It’s like the guy in the pub again, except this time he’s a yuppie.
We can block the spammer’s servers from connecting to ours if they are not known to also send personal email. Although the return email address may be technically valid, it is usually not read, and in replying by email, unless you are careful and create another email identity, you may give them a valuable piece of information they usually don’t already have: your real name. It is usually difficult to tell whether unsubscribe links will actually stop you getting messages from the sender, or whether they will confirm your address to them and invite more spam. Even if you do succeed in getting un-subscribed, it probably won’t remove you from any list of emails the spammers have bought or generated, so you may in future get something very similar from someone else, or the same group of people operating under a different name. (You can sometimes tell after you click an unsubscribe link that you’d just made a mistake and probably unintentionally signed up to more spam, because of a minimal ‘your address will be un-subscribed within 24 hours’ message whatever address you enter, with no explanation about why their web server is so slow that it takes a day to delete a record from a database.)
The only widely-accepted form of ‘email marketing’ is what is called ‘confirmed opt-in’. This means you subscribe via web or email or otherwise; then to prove that the request wasn’t made by a web-bot or spammer that faked your address, and that you weren’t subscribed without consent, a confirmation token is sent to the your delivery address; and you have to reply to this or click on a link. (And of course genuine lists which you subscribed to have to provide a means of unsubscribing and honour those. Do we really need regulations to tell us that?) Confirmed opt-in is what Mailman and most other mailing list software requires by default. However, software also usually permits importing a list of email addresses from somewhere else: for example a database bought from one of the spammers above, or a list of email addresses that appear on the same web page as a highly specific and tailored word like “green” or “oxford”, plus additional email addresses the spammers invented themselves like “email@example.com”.
In fact, the EU regulations usually prevent sending to email individual subscribers or unincorporated bodies without prior solicitation, but the people sending the email directed at businesses almost invariably commit a PECR offence every time they do a database mailshot by carelessly including individual subscribers too. Therefore, if you receive such an email other than in the capacity of an employee or trustee of an incorporated body, from a UK company, you can complain to the ICO. If you receive it instead as an incorporated company or friendly society, you can complain directly to the company that sent the spam, for example, by ringing the sales line, asking to talk to the managing director, and trying to explain to him/her that there are thousands of organisations out there doing good work whose time she/he is wasting; that mail abuse is a prohibited misuse of a free resource; that it is wrong (there may be a barrier getting moral concepts across); and that ‘such communications [must] cease’, which you can certainly do on behalf of any organisation you represent, but also ethically can do on behalf of everyone on the internet who got the unsolicited junk in the first place.
- There are quite a lot of unsolicited business approaches in Russian too; and a further type you may see that invites contact by post or phone are the “genuine” university degree spams. Another kind that we usually block from the UK is touting tickets for concerts, sports events or holidays.
- Another type of email with unsubscribe information seen a lot in the summer of 2008 promised the chance to win spending sprees at British chain stores. Oh, the joy. These originate in the USA and whatever they are selling may or may not be legal, but is certainly worthless.
- The term used to describe what happens when an otherwise legitimate operation decides to spam is mainsleaze
Advance-fee frauds or 419s
Falling somewhere between the two examples above (in terms of traceability for example) are a third group of spam messages. These claim to be from Radovan Karadzic’s aunt Ivana claiming he wants to entrust his Swiss bank account to you, or say that Bill Gates has died intestate and you must be related because both of your names contain vowels, or that you have won a million dollars as a prize for breathing. They do provide a valid email address and contain human rather than automated spelling errors, and often an address or telephone number, even if these contact details change every week or two. They tend to be in English or French and originate from networks in West Africa. They usually have a valid ‘reply-to’ address that is at hotmail.com or some other provider of anonymous email accounts used to collect expressions of interest, and sent from a similar email service or a genuine cracked webmail account. Like the ‘opt-out’ spam mentioned above they therefore show up in inboxes disproportionately compared to the number sent, as they evade greylisting and filtering is based mostly on content – if a new type of ‘opt-out’ or ‘419’ appears then filter rules need to be adjusted.
Unlike the above two examples, however, these scams (called ‘419’ after the Nigerian law covering them) aren’t directly selling anything and have no reason to link to a website. What they are is a means of firstly getting your trust and contact details, involving you in a deal, and then asking you to pay money up front for lawyer’s fees or some other unexpected charge. It’s probably quite a complicated scam involving lots of third parties, impersonation, emergency bank drafts and cheques which aren’t properly cleared, poorly counterfeited money that’s covered in ink and so on.
The Metropolitan Police have some additional information (see the phishing section below for more suggestions about how to report scams). Presumably at least one person must have been caught by it in the past, but some of the other victims are the people presumably paid very little to send out junk in their second language.
There are a number of subtypes of 419 that are worth looking out for:
- Invitations to ‘international conferences’ where you have to pay a hotel fee or last-minute fees to sort out a visa problem, but presumably never really happen. Sadly, many of these seem to be targeted particularly at NGOs and .org and .org.uk addresses. This phenomenon started in 2007, and can still be relatively difficult to distinguish from a genuine approach. In the unlikely case that the event advertised sounds like it might be relevant to your work and affordable, it is of course important to ask co-workers who you already personally trust whether the organisers and event are known, and the payment address is correct for it. If you have more information about these, we would very much welcome it. Some examples of conference fraud email. | BBC article on fraud directed at climate scientists
- Approaches for grants for charitable projects. Again, these can sometimes be hard to tell from genuine Southern civil society organisations, which may make unsolicited approaches. However, presumably you don’t make grants, or have a standard application procedure for them, or know the organisation very well indeed. See this Wikipedia article.
- Job scams These typically appear to be “work from home” invitations from international shipping companies, but are in fact variations on the above Nigerian 419. Anyone recruited this way may be put to use as a “mule” or dispensable intermediary, processing stolen credit card details and consequently taking the fall with law enforcement. These scams may also appear similar in layout to international business-to-business spam that originates in China, advertising that they supply high-quality grommets around the world. We can block it and report it.
- Lottery scams Terrible, terrible spelling.
- Inheritance and bank scams The standard kind.
- Scams (and attempts to get you to install Trojan horse software) implying you have done something naughty online. We’ve even seen random attempts at protection rackets, blackmail and death threats, which are hard to take seriously given the obstacles inherent in blackmailing someone you don’t even know the name of. Then there are young women in distress who claim to be interested in you from your ‘online profile’. Even if you have an online profile with some personal details, it would be odd that they would contact you, since you’re sure you put there that you lived in Accrington, not Accra.
If you get a message telling you that ‘the shorts are up’ or ‘the issue has landed’ or ‘pink sheets are go’ along with a four-letter symbol, then it’s directed as US ‘day traders’. These are called ‘pump-and-dump’ scams because they boost demand for shares in a small company which can then be sold at a profit. And also because it rhymes. They tend to use botnets and be highly obfuscated, even to the point of changing the four-letter stock symbol. We can’t comment on whether this type of market manipulation (unlike other types) is illegal or not in itself, but it’s certainly mail abuse and the main response is to get the service provider to reject or discard it.
Most people have now heard of phishing, which is an attempt to obtain your login details to an online bank or building society (like Nationwide), or online payment service (like Paypal) or merchant (like Amazon), by impersonating that bank or service in an email. The email, being laid out with graphics like the web site it is impersonating, looks superficially convincing, particularly if you happen by chance to really be a customer of the bank or service. Were you to click on the link as advised, it would take you to a forged copy of the bank’s website with a form asking for personal details and login details.
Internet Explorer 7 and later and Mozilla Firefox 2 and later use a Google service to tell you if a site has been reported as a forgery, but you can usually tell in any case. Not just by checking for a dotted IP address like http:// 127.1.127.1 or a URL that appears to be in a subdirectory of someone’s family tree or isn’t a secure https:// site, or even by noticing that they don’t address you by full name and account details, but simply because it was sent to you by email. It’s junk, delete it. You’ve better things to be doing. If you don’t for any reason have better things to be doing, report it to us (we can give you an automated address which will deal with it), SpamCop, anti-phishing working group, the bank involved (usually spoof@ and phishing@ the bank’s domain or for the Co-op firstname.lastname@example.org, or via email@example.com), or if there’s a particular website involved you can report it to Google using the link above, Miller Smiles, Netcraft or for real aphishionados PhishTank. As with 419s, in theory you can also report it to your local police but it’s likely something unusual is going to have happened (like an actual loss, or you having contact or bank details for the scammer) before they can do much; people can also report fraud (or since 2011 fraudulent emails) to the police via Action Fraud. The US government has a dedicated site (IC3.gov) for this kind of thing, but in the UK the other government agency most likely to take an interest in pre-empting scams is Consumer Direct (08454 040506), part of the Office of Fair Trading.
- Phishing for webmail passwords. This is where an email is impersonating your internet service provider (us in other words) usually informing you of some kind of technical upgrade, quota restriction or malfunction and asking for your login details. Sometimes you are requested to reply to the “helpdesk” via email and sometimes by clicking a link that takes you to a survey site. Please, never give your password to anyone online, and if you have reason to think it may have been compromised, tell us immediately. Just like banks we never ask you to login or confirm your identity via an email, nor via the phone unless you phoned us.
- You can also sometimes get spam from an apparently reputable organisation, like the Post Office, advertising something with a link that ultimately takes you to the genuine site. This isn’t phishing, but a method of exploiting an affinity scheme using spam – you may not be defrauded by clicking on the link, but the Post Office is, and you are rewarding the scammers. So don’t click on spam links.
Someone has sent you a Columbus Day card – Trojans
This type of spam or malware (malicious software) became widespread in 2007. You may receive an anonymous-looking very short message which mostly just mentions a special occasion like Valentine’s or April Fool’s Day and contains a link to something purporting to be a ‘Hallmark’ greeting card, or a video, or a news story. Although the content may make this type of spam topical, it doesn’t make it relevant to you. Basically, sending Trojans or other malware via email attachments is now very difficult because everyone is running up-to-date antivirus software (well, we are on our mail server, and we’d recommend everyone with a Windows computer does too). So you are being sent a link inviting you to download the Trojan horse instead of attaching it. Sometimes these links to trojans are also disguised as pornography or gambling sites, or more recently as intriguing news headlines such as “[video] Mccain And Bush To Dance In Puppet Show”. The sole purpose is to grab attention and get you to install malicious software (malware).
A botnet consists of a large number of ‘zombie’ computers, distributed globally but mainly in North America. Each of these is likely to be running an unpatched version of Windows XP that has been infected by a virus or worm, and is controlled indirectly from a single point. For example, the ‘Storm’ or ‘Dorf’ botnet, roughly in accordance with the phases of the moon, has a spate of sending pump-and-dump scams, and then at neap tide trying to propagate itself by sending links to some of the zombie machines which also serve up a minimal webpage with a copy of the Trojan to download. If you really want to, you can click on this offer to install some obviously essential media player or Yuletide screensaver, ignore any warnings, and yourself join the throng of people who have lost control of their own computer and will never know if it is truly clean again.
(There may be related symptoms such as unexpected popups. We’d advise you not to follow the links in the first place, even if you have up-to-date operating system and antivirus, but you can always report it to Google Safe Browsing, or to the site owner if you can work out who that is.)
You never know what topical event the worm designers might choose to lure people in to a malware site: we wouldn’t be surprised at an exploitation of Human Rights Day, and only slightly more surprised by someone trying to send malware using World Toilet Day on 19 Nov or International Talk Like a Pirate Day.
‘Spam’ is often used liberally to mean more than just unsolicited bulk email, for example messages sent via an instant messenger like Windows Messenger or Pidgin (‘spim’), and in particular unsolicited bulk postings to blogs, forums, and so on (‘form spam’ – ‘flam’?). Botnets (see above) trawl the web, trying to post links onto a website to increase the search engine ranking of an online shop, or sometimes testing to see if the application you have installed on your website has a security hole that allows it to be exploited to send thousands of spam emails. Sometimes the links they send may indeed get posted on your website, but often it is simply forwarded to you from a contact form via email as if it were a genuine enquiry. See our article “Form spam” for information on how this can be minimised.
- Link exchange spam is a more polite and manual way of doing exactly the same thing – getting more websites to try to drive more visitors who are looking for, say, mobile ringtones to a particular site. Instead of trying to put this on your website directly, they ask via email and claim to have a web site with information of interest. At least they ask. Genuinely linking between related organisations is a good thing for several reasons, but if the site mentioned is not just new to you, but doesn’t look of any real value, you wouldn’t want to add a link from your site to it anyway – and the chances are that as soon as a few people do link, the content is likely to change to one of the online shops mentioned at the start of this article. And so the adult spam swim upstream and the great circle of unsolicited commercial email is completed.
Very few people actually are selfish and shameless enough to send unsolicited bulk commercial email, but those who do tend to send lots of it. We might worry that the number of people thinking it is socially acceptable is increasing, as is the number of different types of product or approach and the complexity of anti-spam filtering rules to catch them all. If free email is conceived of as a public sphere and a largely unenclosed commons, then spam still threatens to be the tragedy of that commons.
Non-commercial unsolicited bulk email
This is fairly rare, but can be sent as part of a political campaign, usually reactionary or right-wing, and can be treated as other spam. Unsubscription requests are only sometimes honoured, and it can be reported to SpamCop instead. We know there are much better ways of getting an issue across. Then there’s the Hare Krishna guy who crops up every year or so saying ‘Gouranga! Be happy.’ We mark him as spam but funnily enough don’t mind him quite so much.
- If you have signed up for a newsletter or someone has added you to their campaign mailing list because you are obviously sympathetic, you may find you are still subscribed some time later and getting irrelevant information, for example about political actions in another country. (Some call this type of unwanted but probably not unsolicited email “bacon” or “bacn” as opposed to “spam”, although GreenNet is more likely to call it “vege-bacon”.) If you make reasonable attempts to unsubscribe, then any future email to you from that campaign could be regarded as unsolicited. If it has proved difficult to unsubscribe, we would suggest that you do your best to contact the organisation responsible by other means to resolve the problem, make a note of the communication, and only then if you are dissatisfied report it to the sender’s service provider, whether via us, via SpamCop, or directly.
Backscatter – didn’t deliver someone else’s message, out of office autoreplies, challenge-response, and the occasional anti-virus advert
A whole other issue, really. ‘Backscatter’ is a generic word for the bounces, out-of-office replies and so on that are sent in response to worms or spam that have faked your sender address. People are slowly adjusting mail systems so that they do not bounce messages back to an unverified sender address, but it will be many years before backscatter is eliminated.
This almost certainly does not mean a cracker gang has actually cracked your account, and far more commonly is because a valid email address or domain that they have found will help them get more spam through, and is nothing to worry about. The only reason your account could be cracked is if your password is too weak and was guessed (never for obvious reasons use something like a vehicle registration number or your date of birth as a password) or you gave it to someone (see above). One way to judge the account is not compromised is to look at the headers of the largest bounced message and see they say “This is the mail system at (something).gn.apc.org or .greennet.org.uk”, which means it is a bounce to an email that was sent from your account – if you didn’t send the attached message it may be time to worry. If you are unsure and would like us to reset your password to a random strong password, please let us know.
We try to eliminate and mark backscatter as much as possible, and it’s easiest with bounces (non-delivery notifications or NDNs) because they usually often include part of the spam itself. Messages about a virus detected in an email that you didn’t send are now thankfully rare, as anti-virus writers have realised there is no reason for a virus to be honest where it’s coming from.
It’s not possible to stop malware or spammers pretending to come from any email address they want to, but we can publish an “SPF record” saying where you usually send email from. Also, if you have a catch-all address for a domain, and so accept email at AndreahobgoblinNargus@example.org, we can instead restrict incoming email to a sensible pattern (for example, firstname.lastname@example.org). Contact us if we might be able to help reduce the amount of backscatter.
We do use standard anti-virus and anti-spam techniques in addition to our own methods to avoid spam. If you have any suggestions or comments, we’d be pleased to hear from you. Have a spam-free day.
© GreenNet. Last updated November 2011 (1.3).
The Little Book of Spam by GreenNet is licensed under a Creative Commons Attribution-Non-Commercial 2.0 UK: England & Wales Licence.