Evict the Spammers from Your Inbox
Written by Paul Judge, CTO, CipherTrust, Inc.
Block Spam and Other Email Threats From Entering Your Gateway
Spam, commonly defined as unsolicited commercial email, is a powerful advertising channel for many products and services. As a result, spamming has become a profitable business, driven by the low cost of sending email compared to other direct marketing techniques. The high return on investment for spammers has resulted in an overwhelming volume of unwanted messages in personal and business mailboxes. Consider this: conducting a direct mail campaign costs an average of $1.39 per person, meaning that a response rate of 1 in 14 is necessary just to break even on a product with a $20 gross profit. Selling the same item via unsolicited spam email costs only $0.0004 per person, meaning that a response rate of 1 in 50,000 gets the seller back to break-even; anything above that is gravy. With profit margins like these, it’s easy to see why spammers will try anything to get past anti-spam technology to deliver their messages to your inbox.
Types of Spam Threats
The recent onset of fraudulent spam variants such as phishing and spoofing poses an even greater risk than the spam volume clogging email servers. Spammers use phishing and spoofing to fool users into opening messages that, at first glance, appear innocuous.
Phishing
Phishing is a specific type of spam message that solicits personal information from the recipient. Phishers use social engineering techniques to fool end users into believing that the message originated from a trusted sender, making these attacks especially dangerous because they often con victims into divulging social security numbers, bank account information or credit card numbers. In one six-month period, from November 2003 to May 2004, phishing attacks increased in frequency by 4000%, and the trend continues upward.
An example of phishing is an email that appears to come from a bank, requesting that users log into their account to update or correct personal information. When users follow a link embedded in the email, they are redirected to a site that looks and behaves like the expected bank website. However, unbeknownst to the soon-to-be identity theft victims, the site is actually controlled by the scam artists who sent the email; any and all information entered by the victim can now be used in a variety of ways, none of them good.
Spoofing
Spoofing is a deceptive form of spam that hides the spammer’s domain or the spam’s point of origin. Spammers often hijack the domains of well-known businesses or government entities to make spam filters think the communication is coming from a legitimate source.
Today’s spammers are craftier than ever before and have begun blending elements of both phishing and spoofing into their messages, further spinning their web of deception. The toxic combination of spoofing and phishing presents a major threat that can trick almost anyone into providing personal information to a stranger.
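As an added example (not code from the original article or from CipherTrust), the following Python script applies two gateway-side checks to the phishing-plus-spoofing blend described above: a From: domain that does not match the envelope sender, and a link whose visible text names one domain while its href leads to another. The sample message, the domain names and the two-label "organisational domain" shortcut are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the From: header impersonates a bank
# while the envelope sender is elsewhere, and the link text shows the bank's
# domain while the href leads to a look-alike host on a different domain.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Security" <alerts@examplebank.example>
To: customer@example.org
Subject: Please confirm your account details
Content-Type: text/html

<html><body><p>Log in at
<a href="http://examplebank.example.login-verify.example.net/">https://www.examplebank.example/login</a>
to update your information.</p></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})', re.I)

def registrable(host):
    # Assumption: the organisational domain is the last two labels (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def find_link_mismatches(html):
    """(visible_host, href_host) pairs where the anchor text names one domain but the href leads to another."""
    hits = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        m = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if m and registrable(m.group(1)) != registrable(href_host):
            hits.append((m.group(1).lower(), href_host))
    return hits

def sender_domains_differ(msg):
    """True when From: and Return-Path: fall under different organisational domains."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return bool(from_dom and rp_dom) and registrable(from_dom) != registrable(rp_dom)

def analyse(raw):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    return {"sender_mismatch": sender_domains_differ(msg),
            "link_mismatches": find_link_mismatches(body)}
```

Either finding alone is only a signal (mailing-list relays legitimately change the envelope sender), but both together on a message that asks for account details is the pattern a gateway should quarantine for review.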
Toothless Legislation
On January 1, 2004, President Bush signed into law the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003,” or the “CAN-SPAM” Act. While well intentioned, CAN-SPAM has done little or nothing to curb the flow of unwanted email. In fact, an estimated 97% of all spam email sent in 2004 violated the Act, and the United States still dwarfs other nations as a source of spam, with CipherTrust research revealing that an astonishing 56.77% of all spam comes from U.S.-based IP addresses. While CAN-SPAM was designed to decrease the overall volume of spam, the exact opposite has happened: in 2004, spam accounted for approximately 77% of all email traffic, and phishing attacks continue to increase exponentially, with studies showing an increase of 4000% from November 2003 to May 2004.
BUSTED: Anti-Spam Forces Bankrupt Super-Spammer Scott Richter
Written by Paul Judge, CTO, CipherTrust, Inc.
Microsoft scores one for the good guys
Scott Richter, self-proclaimed “Spam King,” just can’t seem to get enough attention. Admittedly responsible for sending literally billions of unsolicited commercial email (UCE) messages, Richter made headlines again recently when his spam-fed cash cow, OptInRealBig.com, filed for bankruptcy protection in U.S. federal court in his home state of Colorado. According to Richter’s father (who is also his attorney), “It’s the legal fees that are battering the company. OptIn is profitable but for these lawsuits.”
At the time of its bankruptcy filing, OptInRealBig.com claimed assets of less than $10 million and liabilities of over $50 million. Richter claimed his company made $15 million a year sending more than 15 million email messages per day. However, in 2003, OptInRealBig was dealt a powerful one-two punch by Microsoft and Eliot Spitzer, Attorney General of New York; both sued Richter under state anti-spam laws. Although the New York case was settled out of court last year, Richter has had no such luck dealing with Microsoft, whose claims top $19 million.
A Case of Global Amnesia?
Richter's company and others like it market products ranging from diet pills to pornography. He’s also been accused of using spam to extract personal information from unsuspecting recipients. For instance, one alleged scheme hatched by Richter and his associates promised recipients a copy of a "Girls Gone Wild" DVD if the recipient registered on a website. The registration information was then used to bombard the recipient with more and more spam.
Richter contends that his methods are all legal, and that he’s just a regular guy trying to do right by the world; he’s even gone so far as to claim that he’s a “victim” of overzealous anti-spam companies and prosecutors. “We don't spam,” explained Richter in an August 2004 PC World interview. “The biggest problem is when people get an email that they think they didn't sign up for or don't remember signing up for, and they call it spam.”
To hear Richter tell it, tens of millions of people simply forgot that they had previously asked to receive his messages. According to the state of New York, however, he falsified header information and used deceptive routing and domain purchase practices in order to get his messages through. The lawsuit also accused Richter of using a network of approximately 500 “zombie” computers to send his messages. When asked how so many users could have subscribed and not remember doing so, Richter claimed the signups must have been via anonymous "partners of our partners" websites, the names of which slipped his mind.