Editor’s note: Russ McGuire is the online director of Business Reform Magazine. Each issue of Business Reform features practical advice on operating successfully in business while glorifying God.
Unfortunately, spam works. It works financially because it’s so cheap that a very small response rate can still be profitable. It also works mechanically – I know – I get lots of spam in my inbox every day. I’m guessing you get plenty too. You’re probably wondering exactly how a spammer gets your address and how they manage to send out so many e-mails from so many different e-mail addresses each day.
My private email address is protected by Mailblocks. It works well on the blocking side – I haven’t gotten a single spam since signing up (although I probably will someday – more on that later). But I’m guessing I’m missing messages that I might actually be interested in. I’ve stopped getting some of the newsletters for which I’d signed up, and when I order something online, I probably won’t get the e-mail receipt for it. But that’s a small price to pay for the protection provided – especially given some of what pops up in spam messages when our young son is at or near the computer!
But given the nature of my work, I can’t afford to block all unsolicited commercial email (UCE). Most UCE is spam. But some is simply a business message I wasn’t expecting, but that’s of high interest to me. Perhaps it’s a potential client or a potential partner proposing a deal of high potential value. I can’t afford to miss those messages. Therefore, I put up with all the spam in order to glean the few gems from amidst the muck.
This morning was particularly worrisome – or interesting if you’re a technology news hound like me. When I opened my mailbox this morning, there were 8 messages containing what appears to be a virus. Three of them, from three different senders, had a subject line of “Re: Screensaver.” The other five, also from unique sender addresses, had subject lines of “Re: Your application”, “Re: Application”, “Re: Movie”, and “Re: 45443-343556”. They all contained an attachment – each with a different filename. Obviously, I didn’t open the attachment and I hope you didn’t either.
I’m not going to tell you how to do this yourself: I’m not out to create a readership full of spammers. Don’t get me wrong, of course I trust you. I just think it’s foolish to put that kind of information out there. But, I get enough questions about it from frustrated folks like you that I thought it’d be worth sharing the basic mechanics that make it all possible.
Side Note: I’m no fool. First, since I’m not a spammer, I’m not an expert in how to do it. And unfortunately, the folks who are experts don’t seem to hesitate at all in teaching others how to spam. But I still don’t want to have any responsibility for further disseminating potentially dangerous information. (Yes, on this topic, I know enough to be dangerous…)
So – let me address a few of the most common questions relating to spam:
- How did they get my e-mail address?
- Why did Johnny send me this nasty spam?
- Why do they claim that I asked for this information?
- Why does the subject line have alkd;ail on the end of it?
How did they get my e-mail address?
Did you think your e-mail address was a secret kept between you and your friends? Well, sorry to disappoint you. There are many ways that a spammer can get your address and there’s not really any way for you to stop them.
The most basic approach is pure brute force. Both computing power and bandwidth are cheap. If I wanted to, I could quickly and easily write a program to randomly create e-mail addresses and send a message to each one. If I wanted to do this, I’d probably start with [email protected] and then [email protected] etc. then [email protected] and so forth. If I just limited my program to characters like letters and numbers, it still would take millions of iterations to cover even relatively short usernames, but again, bandwidth and computing power are cheap, so it’s not really an issue.
However, I doubt that today’s spammers use such crude methods. These guys are businesspeople and, believe it or not, they do value efficiency. Therefore, they’ve found better ways to find real e-mail addresses. There are a bunch of ways to do this. One way is to write a program that visits bunches of websites and “scrapes” e-mail addresses off of these sites. I get lots of spam addressed to “[email protected]” and I’m guessing these folks simply pulled that address off of our website. However, if you’ve ever participated in a discussion forum that’s hosted on someone’s website, then it would be just as easy for a spammer’s program to scrape your e-mail address out of that forum as it is for them to scrape [email protected] off of the Business Reform website.
Unfortunately, even if you never put your e-mail address on any website anywhere, there are still ways for spammers to find you. Believe it or not, some spammers are lacking in morals. They don’t mind stooping to the level of breaking into someone’s server to find information of value to them. Any computer that’s acting as a mail server probably keeps a log of its activities. This log usually includes a list of all messages that were sent, including the From, To, and CC lines. If a spammer can break into even one small mail server, they can probably harvest thousands of valid e-mail addresses. Think about all the messages that you’ve sent or received in the past month and how many e-mail addresses would be included – just for your own account. Now multiply that by the number of people using the same mail server as you (for example your Internet service provider’s server) and you can get a sense of how quickly a spammer can collect lots and lots of valid e-mail addresses.
Why did Johnny send me this nasty spam?
Give me five minutes and I can configure my e-mail client to send out messages as if they were from you. Scary huh? Spammers have written their software to do this even more easily and faster than I can do it manually. With their huge database of e-mail addresses, they can have each message be from any randomly selected address in their database and to any other randomly selected address in their database.
However, if they’ve gotten their addresses by breaking into someone’s mailserver log, they can be even sneakier. They can use that mail log to figure out who legitimately sent a message to whom, and then mimic that. If Johnny sent you a message last week about the project you’re working on together, this week, a spammer might send a message “from” Johnny to you about a “cool screensaver”. In fact, the spammer might even mimic the subject line “Re: Our project” so that you think that you really want to open the attachment.
A final way that you can receive a spam from Johnny is if his PC is infected with a virus. Some viruses can break into the address book and start sending messages to every address in that address book. Of course, these tend to include the virus itself so that it can further propagate through the Internet. But, just because you get a spam, or even a message with a virus from Johnny, doesn’t mean that his computer has been infected. As mentioned above, there are other ways for a spammer to make you think the message is from Johnny.
Why do they claim I asked for this information?
Did you know that some spammers lie? There’s actually a government-funded study out there that proves it! One of the messages I received yesterday offered me a “genuine” Rolex watch for some incredibly low price. At the bottom of the message it said that I received the message because I had previously subscribed to their list or purchased something from them. They even gave me a link I could click on to unsubscribe from their list. Of course, I’d never heard of the company, never subscribed to the list, and never done business with them in the past.
Why would they do this? Well, there are at least two reasons. First of all, if they can trick you into thinking that they are a legitimate company whom you’ve trusted in the past, your likelihood of buying from them will dramatically increase (maybe from 0.01% up to 1%). But perhaps more importantly, if you click on that unsubscribe link, you’ve just confirmed for them that you are a real person at a real e-mail address and you really read these messages. This one may have failed, but now they know to try you again with their next offer.
Don’t get me wrong – real unsubscribe links from real companies with real offers almost always work just as advertised. But use your discretion.
Why does the subject line have alkd;ail on the end of it?
And finally, one of the great mysteries of spam is solved. Have you noticed that a lot of spam messages have some weird stuff on the end of the subject line – as if someone accidentally ran their fingers across the keyboard while reaching for the mouse to hit send? Don’t be fooled. This is no mistake.
Some e-mail servers have gotten a little smart about spam. If they see hundreds of messages to hundreds of different addresses from hundreds of different addresses all with the exact same subject line, chances are it’s spam. These smart e-mail servers will kill it then and there.
Unfortunately, it’s a very easy thing to generate random characters. By sticking a few randomly generated characters on the end of the subject line, these spam blocking servers can be easily fooled. “Become a bazillionaire today!!! Ajola12~” is not the same as “Become a bazillionaire today!!! Jlejyaj-+” is it?
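For anyone running a mail filter, here is an added example (not from the original article) that sets the exact-match check described above beside one that ignores the final token of the subject. The function names, thresholds and sample messages are assumptions made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (sender, subject) pairs, not real mail.
SAMPLE = [
    ("a@example.net", "Become a bazillionaire today!!! Ajola12~"),
    ("b@example.org", "Become a bazillionaire today!!! Jlejyaj-+"),
    ("c@example.com", "Become a bazillionaire today!!! qpz;mmx"),
    ("d@example.net", "become a  bazillionaire today!!! Tt0vra"),
    ("johnny@example.com", "Re: Our project"),
    ("boss@example.com", "Quarterly numbers attached"),
]

def normalize(subject):
    """Case-fold and collapse whitespace so trivial variations compare equal."""
    return re.sub(r"\s+", " ", subject).strip().casefold()

def exact_match_bulk(messages, min_msgs=3):
    """The filter the article describes: flag subjects repeated verbatim."""
    counts = Counter(normalize(subj) for _, subj in messages)
    return {s for s, n in counts.items() if n >= min_msgs}

def tail_tolerant_bulk(messages, min_msgs=3, min_senders=3):
    """Group on the subject minus its last token; flag a stem sent by many
    senders when every message in the group ends in a different token."""
    groups = defaultdict(lambda: {"senders": set(), "tails": []})
    for sender, subj in messages:
        stem, _, tail = normalize(subj).rpartition(" ")
        if not stem:  # one-word subject: nothing to strip
            continue
        groups[stem]["senders"].add(sender.casefold())
        groups[stem]["tails"].append(tail)
    flagged = {}
    for stem, g in groups.items():
        total = len(g["tails"])
        if (total >= min_msgs and len(g["senders"]) >= min_senders
                and len(set(g["tails"])) == total):
            flagged[stem] = total
    return flagged

if __name__ == "__main__":
    print("exact match flags:", exact_match_bulk(SAMPLE))
    print("tail-tolerant flags:", tail_tolerant_bulk(SAMPLE))
```

The tail-tolerant check is a heuristic: legitimate mail that shares a stem (dated reports, for instance) can trip it, so it is better used as one signal in a score than as a reason to drop mail outright.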
Conclusion
I’m sorry this article doesn’t include a magic solution to stop all of your spam problems, but I hope it has given you a better understanding of why spam works the way it does.
There are a few lessons I hope you can take away from this:
- Try not to have your e-mail address posted on any websites.
- If you run an e-mail server, limit the amount of logging it does and do everything you can to keep hackers from getting to it.
- Don’t blindly trust messages with attachments, even if the sender and subject line look familiar.
- If you can’t afford to block all unsolicited messages, then get used to hitting the delete key.
- Even if you do block spam by filtering out unknown senders, recognize that a spam message can get through your filter by pretending to be one of your authorized senders.
However, let me recommend one of my favorite solicited e-mail messages. Each day I receive a “business proverb” automatically sent out by Steve Marr’s webserver. Each message is short and full of wisdom I can apply in my business life. Sign up here. By the way, I’ve tested it and Steve’s unsubscribe process really works!
Russ McGuire is Online Director for Business Reform. Prior to joining Business Reform, Mr. McGuire spent over twenty years in technology industries, performing various roles from writing mission critical software for the nuclear power and defense industries to developing core business strategies in the telecom industry. Mr. McGuire is currently focused on helping businesspeople apply God’s eternal truths to their real-world business challenges through Business Reform’s online services. He can be reached at [email protected].