Scamming the spammers
Junk mail is becoming as much a pain for its senders as for its receivers.
Earlier this month the USA, the UK and Australia signed a ‘memorandum of understanding’ in which they agreed to share evidence to assist the fight against spam (1). When the key coalition protagonists in the Iraq conflict declare war on spam, you know that something must be up.
Spam, or junk mail, is one of the most interesting and apparently intractable problems facing regular internet users. In my case it has gone from being a mid-1990s novelty – junk mail was so rare I would keep it out of interest – to a daily turkey shoot, taking out almost 1,000 messages a week.
That these missives are so easy for people to identify and delete might hold a clue to the eventual demise of junk mail – with or without coalition action. Internet Service Providers (ISPs) have deployed increasingly sophisticated (and often overly blunt) junk-mail filters that work by scanning for key words (such as vicodin or Viagra) in emails arriving at their customers’ mailboxes. To get around them, senders have resorted to representing these words using other characters and punctuation as glyphs to create letter and word shapes that our smart eyes and brains can discern, but stupid junk mail filters can’t.
Another common trick is to include random words in the email subject or body. As Sandy Starr has noted on spiked, ‘the resulting email, even if it does manage to convince a machine that it is legit, will quite clearly be gibberish in the eyes of a human’ (2). Junk mails that don’t appear to be gibberish are often easy for us to identify as they tend to be over-formatted, typically centred, and employ that old favourite of crank letter writers: green text.
I have only once (at least knowingly) been convinced by a junk email, in this case a ‘phishing’ operation asking Ebay users to update their credit card details. I have an Ebay account that uses the address at which the email arrived, and my credit card had recently been re-issued with a new expiry date, so I was not surprised to receive such an email. I only cottoned on to the scam when I reached the field on the form asking me for my credit card PIN number – something we all know we are not supposed to share with anyone.
These ‘phishers’ almost got lucky. But the vast bulk of junk mail we receive has been so degraded as communication – in order to get around junk mail filters – that it no longer serves its purpose. If this is the case, why does the volume of junk mail continue to increase? As others have observed, it is effectively free to send any amount of (junk) email, so any success rate can be beneficial to the sender. The internet is bigger and less coherent than ever, and it is easier than ever to get online and create email accounts. But a junk mailer still needs to buy the email lists, bulk mail software, and invest in online scam sites in order to get in on the act.
My instinct is that in the junk mail industry the main people getting scammed are the junk mailers themselves. Uber-scammers are selling them junk mailing ‘kits’ – and laughing all the way to the bank. In reality, many email addresses sold to junk mailers are themselves junk, having been ‘harvested’ from invented email addresses (used by other junk mailers to disguise the source of their mails).
Much junk mail seems naive and poorly considered, and the people sending it don’t appear to know what they are doing. Some emails still have ‘Message subject’ in the subject line – probably left un-customised from the junk mail kit purchased by the sender. Other emails have no subject at all, and a meaningless sender name. Not the best introduction when you want to lead a recipient into a scam.
On one occasion I followed up a junk mail offering pharmaceutical products. I entered an invalid credit card number (0000 0000 0000 0000) with my correct postal address in order to find out which payment processing system was being used. To my surprise, a week later a package of weight loss drugs arrived from India. Sending goods without payment hardly seems a sensible strategy when you have led someone part way into a scam. (Needless to say, I binned the package.)
I suspect that we are nearing a peak in junk mailing and most junk mailers will soon give up, having realised that they themselves have been scammed, and with declining responses from savvier email users. Of course, there are also billions more people due to come online, and with them will come more potential junk mailers and uber-spammers. This latter trend may mean that junk mail may not wither of its own accord.
If this is the case, we will need to continue to address the problem of junk mail, approaching it as an intriguing, practical problem. And many organisations have applied themselves to this end.
Most recently AOL, Yahoo, Microsoft, EarthLink, Comcast and BT agreed to collaborate on technical standards that will help identify the sender of an email message, and plan to merge some initiatives and ensure that other initiatives are mutually supportive. These announcements represent a laudable level of cooperation, and one we would be grateful for around other internet applications, such as instant messaging. But unless they are well designed, such technical solutions could easily create excessive hassle for people who rely on email.
This has happened already. For instance, in an attempt to limit junk mail most Internet Service Providers (ISPs) prevent anyone from sending mail via their servers (known as ‘relaying’) if they are not directly connected to their network. With the greater use of laptop computers, people are increasingly connecting to the internet via other networks, in other people’s offices and houses via broadband, and wirelessly in cafes, hotels and airports. In these situations they will generally not be able to send mail using their default settings.
Not being able to send email is frustrating, and doubly so when it results from a non-obvious cause such as a badly designed anti-junk mail system. If I have a choice between not being able to send one important email and receiving a ton of junk mail, then I will opt to let the junk keep flowing.
Another side effect of badly designed systems is the interception of emails that the intended recipient would want to receive. (These kinds of interceptions are said to identify ‘false positives’.) Again, this happens already. For every user of a corporate or web-based email system who wonders what all the fuss is about junk mail as they ‘don’t get much’, I will show you someone who fails to receive messages they would have wanted to see.
To an extent, this is a product of IT departments which set about clumsily filtering junk mail and rejecting email from every ‘blacklist’ they can find – without reviewing the consequences of their actions. It is also a product of managers and chief information officers more desperate to find ‘solutions’ to the problems of junk mail than to understand the nature of the measures that they are implementing.
While some may laugh that emails mentioning Scunthorpe are rejected for unacceptable language, we should be worried when a professional newsletter sent to a scientific publication with the subject line ‘Should we have new laws to stop sex selection?’ is returned by a junk mail filter as it is ‘believed to contain profanity’. And we might collapse in despair when a subsequent newsletter mentioning ‘substantia nigra’ – an area of the brain, in case you aren’t up on neurology – is rejected for ‘unacceptable language’, as determined by the racism guidelines created for a junk mail filter.
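The keyword scanning described earlier and the false positives described here can be reproduced in a few lines. This is an added example, not code from any filter the article mentions: the blocklist, the look-alike character map and the sample subjects (apart from the newsletter subject line quoted above) are constructed assumptions.

```python
import re

# Constructed blocklist: "vicodin" and "viagra" are the article's examples;
# "sex" is an assumption about what tripped the filter on the newsletter.
BLOCKLIST = ("vicodin", "viagra", "sex")

# Constructed, non-exhaustive map of look-alike characters back to letters.
LOOKALIKES = str.maketrans({"1": "i", "0": "o", "@": "a", "3": "e", "$": "s"})


def substring_hits(text):
    """Blunt filter: flag a blocklisted string anywhere in the text."""
    lowered = text.lower()
    return [w for w in BLOCKLIST if w in lowered]


def word_hits(text):
    """Flag blocklisted strings only when they appear as whole words."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return [w for w in BLOCKLIST if w in words]


def _join_spaced(match):
    # "v.i.a.g.r.a" -> "viagra": drop the separators inside a spaced-out word.
    return re.sub(r"[\W_]", "", match.group())


def normalized_hits(text):
    """Whole-word match after undoing look-alike characters and letter spacing."""
    folded = text.lower().translate(LOOKALIKES)
    folded = re.sub(r"\b(?:[a-z][\W_]){2,}[a-z]\b", _join_spaced, folded)
    return word_hits(folded)


# Sample subjects: the first is quoted in the article, the rest are constructed.
SAMPLES = {
    "newsletter": "Should we have new laws to stop sex selection?",
    "place_name": "Conference at the University of Sussex",
    "lookalike": "Cheap V1agra, no prescription",
    "spaced": "Buy v.i.a.g.r.a today",
}

if __name__ == "__main__":
    for name, subject in SAMPLES.items():
        print(name, substring_hits(subject), word_hits(subject),
              normalized_hits(subject))
```

Whole-word matching clears the place name and normalisation catches the disguised spellings, but the newsletter subject is still flagged by all three checks: a legitimate use of a listed word cannot be told apart by matching alone.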
The rise of junk mail, and poor implementation of filtering, has led some people to be less trusting of email systems, and a number of commentators have advocated using a ‘go to’ rather than a ‘send me’ model for getting information. In a ‘send me’ model such as email, one (effectively) has a public letterbox into which information can be deposited – information one requested and information one doesn’t want. With a ‘go to’ model, one goes to get information of one’s choosing, ensuring that what one receives cannot be ‘contaminated’, and is not subject to filtering.
The web employs a ‘go to’ model, albeit often driven by emails sent to people, but it would be impractical to continually check websites for new information. Partly to address this, a complementary ‘go to’ model, known as Really Simple Syndication (RSS), has been developed. Here, people subscribe to information ‘feeds’ using ‘news reader’ software that can tell when there is new information on a website and allow it to be read or linked to.
This approach has many other advantages in comparison to email lists, not least the ease of subscribing to and unsubscribing from feeds, selecting presentation formats, and browsing and referencing information found.
Other tools that can substitute for the roles email has been cajoled into include instant messenger systems (such as AOL Instant Messenger, ICQ, Yahoo! Messenger, and MSN Messenger, many of which now support voice and video calls), and personal information managers (such as Microsoft Outlook for Exchange, which allows meetings to be scheduled and contact information exchanged).
The benefits of these tools go well beyond dealing with junk mail, and their number and scope make it clear that email systems and programmes are unable to deal with the growth in, and growing number of uses of, email. As IT industry analyst Esther Dyson argues, ‘the interesting news in mail – or rather, in messaging – is the still unsolved problem of how we deal with all the wanted mail we get… Spam is easy to get rid of, but what about all the stuff we wanted; we just don’t want it right now’ (3).
Of course these problems are also a testament to the success of email. Since its appearance in the early 1970s, commercialisation in the 1980s, and widespread adoption in the 1990s, the ease of use and clear mental model presented by email has led it to be used for correspondence, information and document exchange, meeting and project planning, announcements, and news and editorial publishing, as well as human-to-machine interactions such as subscribing to mailing lists.
Tools for reading and dealing with email have changed little since I first addressed this issue in 1998 (4) – the most significant development being the addition of junk mail filtering. Other developments include general email filtering and organising (which are typically too difficult or clumsy to use), threading of conversations (usually poorly visualised), the ability to send and receive contact details and appointments (not widely or well-enough supported), and flagging emails for follow-up (insufficiently flexible).
The future of email is, however, looking brighter. At the human-computer interaction conference CHI2004 this year, researchers from IBM Research in Cambridge, Massachusetts, presented Remail, a ‘reinvented email prototype’ that addresses a number of these challenges (5). Elements of their research will be incorporated into IBM products – and this won’t be a moment too soon.
Solutions to junk mail are likely to build on the best characteristics of the internet. While we are dealing with the problem of junk mail we should not forget that we need to make innovations, not just restore the status quo ante, in email – which is the key business and organisational tool of the moment.
To an extent, these goals can be complementary. As Microsoft chairman Bill Gates noted in a recent executive email, ‘[as] we work to help isolate and block spammers, we’re also helping to build an infrastructure that will enhance the reliability, efficiency and safety of email, of the internet, and of computing in general’ (6). However, if dealing with junk mail reduces the openness of the internet, makes using email more difficult, and puts off much needed improvements for users, we will have taken one step forward only to take two steps back.
Nico Macdonald consults on collaboration and publishing strategy. He is the author of What is Web Design?, RotoVision, 2003.
(1) Federal Trade Commission press release, 2 July 2004; Spam-Fighting Triumvirate Formed, internetnews.com, 6 July 2004
(2) Can Technology Can Spam?, Sandy Starr
(3) Release 4.0, 21 June 2004
(4) Special Report: Interface Design ‘The Future of Email’, Nico Macdonald and Rachel Abrams, Graphics International, issue 61, 1998-1999
(5) Reinventing Email, IBM Research Collaborative User Experience (CUE) Group 2004
(6) Preserving and Enhancing the Benefits of Email – A Progress Report, Bill Gates, 28 June 2004