Spam Slayer: The Fog of Spam War

Tip of the Month

In Greece they may be celebrating the Athens 2004 Olympic Games, but online spammers are gearing up for the spamming equivalent of the Olympics. Antispam firm Vircom reports a fiftyfold increase in Olympics-related spam between January and July. Typically hawked via spam are tickets, souvenirs, and online betting. You may want to add olympics to your spam filter blacklist.

After nearly a year of lawsuits against bulk e-mailers, improvements in antispam technology, and passage of the Controlling the Assault of Non-Solicited Pornography and Marketing law (CAN-SPAM), spam fighters face an unenviable choice: They can concede their new weapons are not as effective as they'd hoped, or they can claim progress despite some failures.

Spam volumes are on the rise, say several recent surveys. In early August, the nonprofit group Consumers Union reported that in a survey of 2000 e-mail users, 47 percent said spam had increased since the federal antispam law took effect in January. Sixty-nine percent said at least half the e-mail they receive is spam. This corresponds to a Commtouch Software study, which reports a 42 percent increase in the first half of 2004.

Judging from reader feedback and my own experience, these studies seem right on the money.

Who's Claiming Victory?

But here's a weird thing: No matter how heavy the spam gets for us e-mail users, the news is always good from leading spam-fighting e-mail providers like America Online, EarthLink, and Microsoft.

Microsoft recently told me that Hotmail users have seen a 60 percent decrease in spam volumes. AOL says spam's entry to AOL in-boxes has dropped "noticeably." And EarthLink says customers who use its optional free spam-blocking feature can "eliminate virtually 100 percent of all junk e-mail."

Do these well-intentioned slayers of spam live in the same universe as the rest of us?

But wait--the news is even better from companies that block spam from corporate networks. Antispam company Postini says companies that use its advanced spam filters "experience a 90 to 99 percent reduction in spam." I guess Consumers Union didn't survey any Postini customers. Apparently Brightmail customers, who enjoy a "95 percent effectiveness rate," aren't well represented in the survey results either.

The story is the same with desktop software. Allume (formerly Aladdin Systems) says its SpamCatcher "blocks 99 percent of unwanted e-mail" and Cloudmark claims its SpamNet provides a 98 percent drop in spam.

Taking those claims at face value, one might conclude the war against spam has already been won. Hardly.

Rose-Colored Glasses

Vendors tout success in the spam wars not simply to win new customers. My guess is that the folks who work for companies like Microsoft, which filed 60 spam-related lawsuits over the past two years, need to feel they are making a difference.

Don't get me wrong: We should be enormously grateful to these companies for spending millions of dollars to combat spam. Anybody with an in-box should applaud EarthLink for taking down the Buffalo Spammer. AOL also fights spammers in court.

But keep in mind that ISPs don't fight spam simply because it's a nuisance to you and me. Spam costs ISPs millions of dollars each year. The unwanted, excess e-mail hits them with the costs of data storage and of bandwidth to send and receive messages, plus their investments in spam-filtering technologies. It's also expensive for an ISP to lose any customer who is flooded with spam and thinks a new ISP might fight spam more effectively.

Clearly spam is a scourge to individuals, ISPs, and big businesses. Ferris Research forecasts U.S. companies will spend $10 billion this year to fight spam. The figure includes lost productivity plus the cost of spam-fighting hardware and software, and the technical staff needed for combat.

The Measure of Success

Even the e-mail providers' impressive-sounding spam-blocking statistics reveal a failure: A 95 percent filter accuracy rate, for example, still lets through 5 out of every 100 spam messages. The sad reality is some of us are getting hundreds of unsolicited messages each day; even filtered, that means upwards of 35 spam messages a week.

The only filter that is 100 percent accurate is a challenge/response system. This type of filter is permission-based, which means messages are blocked if they come from anyone who isn't on your whitelist. But there's more to a challenge/response system.

A simple whitelist system works fine if you're expecting e-mail only from your friends, whom you can put on your list in advance. But blocking every unknown sender isn't practical. That's where challenge/response comes in. When someone not on your whitelist sends you an e-mail, the filter responds with a message directing the correspondent to perform some action, such as clicking a link. If the sender responds correctly to the challenge, the e-mail address is added to your whitelist, and subsequent messages get through. The idea is that bulk e-mailers can't perform such individual tasks, and so their e-mail remains blocked from your in-box.

What Spam Filter?

The real story isn't that consumers are complaining about receiving more spam at the same time antispam firms are touting spam-free in-boxes. Rather, my hunch is a lot of people are like my brother: He gripes about spam, but he can't be bothered with using a spam filter.

Astonishingly, 46 percent of e-mail users do not use any spam filter, according to a 2003 study by Forrester Research. The same study reveals that 44 percent rely only on the spam filter their ISP provides. Only 5 percent use both their ISP's filter in combination with desktop spam-filtering software.

Today, with spam harboring viruses, distributing phishing lures, and spreading Trojan horses, spam filters are as essential to computing as virus protection and firewalls. A good spam filter--on the desktop as well as on the e-mail server--is essential, no matter how successful your ISP says it is when it comes to fighting spam.


Q. One curious thing I've noted in a good portion of the spam I receive is that the body of the message is peppered with gibberish, random words, or made-up words. What purpose does this serve for the spammer?

--Bruce C., Youngstown, New York

A. Spam filters will often look for word patterns that indicate a bulk e-mail campaign. Once a spam filter sees, say, 50 messages with the identical phrase in it, the filter can block sometimes millions of other messages that contain the same phrase. Spammers try to outwit this type of filter by randomly generating gibberish and made-up words that throw off spam filters.

Q. I have a purely personal Web site used only to post family pictures and such for friends and family. I recently took my e-mail address off my Web site because I was worried that spammers would find it and send me even more junk e-mail. How can I let people contact me through my site without posting my e-mail address?


A. Some JavaScript programs will generate an e-mail address when you click on a link. These can elude spammers, which typically use automated search programs to scour the Web for e-mail addresses.

Here is the JavaScript that hides your e-mail address in HTML code:

<script language=javascript>


var x1 = "username";

var x2 = "";

document.write("<a href=" + "ma" + "ilto:" + x1 + "@" + x2 + ">E-mail Username</a>")



To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon