Junk E-mail and Newsgroup Postings, a.k.a. "spam"
E-mail is the single most prevalent use of the Internet, and the number
of people around the world using it to communicate has risen exponentially
over the last decade. Unfortunately, so has the level of Unsolicited
Commercial E-mail (UCE) and Unsolicited Bulk E-mail (UBE) which have collectively come to be known as "spam"
and which have in the last few years become a virtual tidal wave swamping
the inboxes of Net users everywhere. In early 2003, the consensus among
computing security experts was that as much as 40% of all e-mail
worldwide was spam of one sort or another, and many predict that the figure
will rise to as high as 60% within the next few years. It's not just e-mail,
either. Commercially-oriented, off-topic postings to Usenet newsgroups
are also considered to be spam, and continue to plague readers of the
thousands of groups affected.
How did the term "spam" for this stuff come
Spam® (note: capital 'S') is a registered trademark of the Hormel
Foods Corporation for a canned meat product ("spiced ham") that
has been around for more than 60 years. In the early 1970s, the British
comedy group Monty Python's Flying Circus did a television sketch that
revolved around the characters repeating the word "Spam" over
and over and over and...well, you get the idea. It's not clear exactly
when, but probably sometime in the early 1990s, when junk e-mail and postings
really began to gain steam, "spam" came into common usage to
describe them, and the Pythons' sketch is generally credited as the inspiration.
What, exactly, is "spam"?
First, let's be clear about what is not spam:
E-mail messages and newsgroup postings that are
threatening or harassing are not considered to be spam. If you
have received threatening or harassing e-mail or been the subject of similar
newsgroup postings, or you feel the personal safety of yourself or any
other person has been threatened via e-mail or newsgroup posting, you
should report it directly to Penn Public Safety at 511 (on-campus)
or 215-573-3333 (off-campus).
Having said that, pretty much any unsolicited e-mail you receive
that pitches you products, goods, services, etc. for sale can be considered
spam. When you do some things on the web, such as register new software
or buy products from legitimate vendors, they often present you with a
check box (usually pre-checked for your "convenience", meaning
you have to actively un-check it to decline) that says something like
"Send me information on deals and specials", and the box is
often easily missed due to the way it's placed on the page. This can result
in your receiving commercial e-mail that you don't remember "soliciting",
but it's not really spam, since technically, you did ask them to
send it to you, even if you didn't realize it. Most reputable web vendors
and marketers, though, will honor requests to be removed from their lists.
Spammers, on the other hand, rarely do (more on that below).
What if whatever it is the "spam" is selling
Although the people doing the selling may not be entirely honest business
people, in most cases the products, services, etc. contained in spam messages
are, on the surface at least, entirely legal. There are exceptions, though,
that include (but are not limited to):
- Child pornography - or more accurately, material depicting
sexual activity involving a minor. Owning or distributing material of
this sort is a Federal offense in the U.S., and holds similar status
in most countries around the world.
- Illegal drugs and controlled substances - such as heroin, marijuana,
- "Pirated" software, CDs, DVDs, games - sometimes
called "warez", these are illegally copied programs, albums,
movies, etc.offered at cut-rate prices, or even free in some cases
- Fraud - this includes chain letters of any sort, "pyramid"
schemes (sometimes called "Ponzi" schemes) and, in general,
fraudulent misrepresentation of the goods, services, terms of payment,
If you receive a spam e-mail or newsgroup posting that you believe is
promoting illegal materials and/or fraud, or otherwise constitutes criminal
activity, report it to Penn Public Safety at 511 (on-campus)
or 215-573-3333 (off-campus). There is one notable exception
to this, though - the infamous "419" or "Nigerian
Scam". This is a well-known "fee fraud" scheme that
has been around for more than 20 years, but has multiplied many times
over in the form of spam. We have a special page for it at http://www.upenn.edu/computing/security/advisories/419scam.php.
In general, though, do not report Nigerian Scam messages.
Isn't "spam" itself illegal?
A number of states and local jurisdictions have enacted laws aimed at
prosecuting people who send spam, however, a close reading of these laws
shows that they are actually laws against sending e-mail with forged or
fraudulent headers, and make no reference to content.
In 2003, Congress enacted anti-spam legislation that has come to be known as the CAN-SPAM Act, which states that in order for a commercial e-mail message to be considered legal, it must:
- Contain no false or misleading message header information - the "To:", "From:" and "Received:" (message routing) headers must be accurate
- Contain no deceptive or misleading "Subject:" header information
- Provide the recipient with a valid "opt-out" method to request the sender stop sending additional messages
- Identify itself as a commercial message and include the sender's correct, valid postal ("snailmail") address
As long as a message meets the above criteria, a commercial e-mail message generated in the US may meet the definition of "spam" - commercial and unsolicited - yet be perfectly legal. The fact, of course, is that the overwhelming majority of "spam" contains all sorts of bogus headers and misleading information. However,
the larger problem is that even if valid, constitutional laws exist, they
are to a large extent unenforceable because:
- U.S. law enforcement agencies do not have the time, resources and
manpower to pursue what would likely amount to millions of individual
- A major portion of spam sent to U.S. addressees comes from foreign
countries which, in most cases, have no anti-spam laws at all, or if
they do are likewise unable (or unwilling) to follow up and prosecute.
Why do they keep "spamming"? Nobody buys
stuff through "spam", do they?
Available figures suggest that the "rate of return" on direct
e-mail marketing is somewhat less than one percent, some peg it at about
0.75%. Compared to more traditional Third Class "junk mail" postal marketing, this is abysmal,
but on the other hand, the cost to send several million e-mails is miniscule
when compared to the cost of third class mailing of a similar number of
printed flyers, etc. So, surprisingly, "spamming" turns out
to be very profitable if the spammer has a big enough list of valid e-mail
addresses. The plain fact is that spammers keep spamming because they
are making money, because there are enough people who do
respond to spam ads to make it worthwhile.
How do they get these addresses - including mine?
It is nearly impossible to keep your e-mail address "secret"
or exclusive, no matter how hard you try. There are numerous ways that
spammers acquire the addresses they bombard. Here are just a few:
- If you ever entered your e-mail address on a website, it might be
used by that site, or sold or given to others for mass mailings
- Any e-mail you send out contains your return address. The original
recipients may forward it on through a chain of others until it lands
on a spammer's list
- If you use "vacation/out of office" replies on your e-mail account when you're away, you may be automatically generating a reply to each incoming spam message that confirms that your address is valid, and that someone is reading it (see "What should not be done about 'spam'?", below). This makes it more likely that your address will be sold/swapped by spammers.
- Spammers use "bots" to scan Usenet newsgroup postings for
e-mail addresses, so if you ever posted to a group and put your e-mail
address in the post, it may have been "harvested" in this
- Similarly, spammers' "bots" also cruise the web looking
for e-mail addresses on web pages. If you have a personal web page that
has your e-mail address on it (especially as part of a "mailto:"
hyperlink), or there is some other page (departmental, school, etc.)
with your address, they might acquire it this way as well.
- If you've ever subscribed to an e-mail discussion list, or listserv,
it's possible that the listowner sold all the addresses to a spammer
- Spammers often probe large, well-known mail hosts (Penn has several)
to learn active account names. This sometimes involves the "brute
force" approach of attempting to send mail to every possible 8-character
- If your e-mail address appears in an online directory, it may have
been picked up by a spammer. Penn's online directory is at http://www.upenn.edu/directories.
To update the information about you that is available to a search of the online directory, select the "Update directory listings" link on the main directory page (PennKey authentication required)
- Spammers also sell and swap "catalogs" of e-mail addresses
among themselves. These catalogs are sometimes printed, but recently
are more likely to be on CD-ROMs that contain literally millions of
What can I do to keep "spam" out of my inbox
Here's a foolproof method:
- Locate the cord (usually black, about 1/2 inch thick) coming from
the back of your computer and going to an AC power socket on the wall
or power strip.
- Pull it out of the socket.
- Never plug it back in again.
If you're not quite ready for that drastic a step, start by coming to
terms with the fact that it is virtually impossible to avoid dealing with
spam at some level unless you're willing to give up using computers entirely.
There are some things you can do, though, that will help ease the pain
of dealing with spam, even if it's just a little bit:
- The Direct Marketing Association's DMAchoice Service (http://www.dmachoice.org)
lets you register e-mail addresses that you would like to keep out of
mailing lists. All DMA members (more than 4,500) are required to remove
registered addresses from their mailing lists, and the service is available
to non-members as well.
- If you receive spam that appears to be originate from a Penn user
or computer, or appears to pass through a Penn computer (see "e-mail
relays", below), contact Penn Information Security at email@example.com.
Using Penn computing resources for commercial purposes is a violation
of the Acceptable Use Policy. Be aware, though, that e-mail headers
are very easily forged, especially the "From:" and "To:"
- If the spam is coming from off-campus (and this is the case well over
99% of the time), and you want to be more proactive about it, you can
attempt to identify the spammer's Internet Service Provider (ISP) and
send a complaint directly to them. This sometimes yields results, and
some ISPs will be very responsive, but be aware that is easy for spammers
to simply change ISPs, or open a phony account with one of the free
e-mail services (Hotmail, Yahoo, et al) and pick right up where they
left off. There are a number of web-based services that will help you
trace and identify the sources of spam (as much as is possible - spammers
are very crafty). Probably the best known is SpamCop (www.spamcop.net) .You can do this yourself, of course, but you'll need
to know how to interpret e-mail headers and do a whois lookup. A good
set of free tools for this can be found at http://www.samspade.org
With regard to Usenet spam, there are rules on Usenet relating to the
posting of multiple copies of the same "article". When the thresholds
are exceeded, the posting is termed "spam" and cancels for the
posting can be issued. This definition relies solely on message count,
If you are a regular poster to Usenet, you can reduce your "spam
profile" to some degree. One technique is to avoid putting your actual
e-mail address in a posting (either in the headers or the text of the
post) in a form that can be interpreted and collected by a "bot"
(automated web-crawling software application that combs websites, newsgroups,
etc. for data). For example, if your e-mail address is firstname.lastname@example.org,
and you regularly append a signature to your newsgroup postings that contains
that address (usually so people can make off-group, private responses),
then you might want to consider editing the signature in such a way that
an actual human can still recognize and interpret it, but a "bot"
will be unable to. In this case, a couple of possibilities might be:
email@example.com (remove 'x's for correct address)
You can also do this with the configuration for your newsgroup headers.
Be aware, though, that if you use the same program to read and send both
e-mail and newsgroup postings (Microsoft Outlook, for example), the headers for
both e-mail and newsgroup will use the same configuration settings. Normally,
you do want your e-mail headers, especially the "Return Address",
to be accurate, so if this is the case, you may want to consider using
different programs for e-mail and newsgroups.
What should NOT be done about "spam"?
Don't try "fighting fire with fire" by "e-mail bombing"
the suspected spammer - remember, the return address is almost certainly
forged, and you may leave yourself open to a complaint from an innocent
third party. Also, there have been instances where spammers subjected
to this sort of "return fire" have turned the tables and successfully
prosecuted the responsible party.
Do not use the "Click here to be removed from this list"
links that are often found in spam messages. All you will do is give
them a response that tells them there is a live, breathing person at the
other end who is reading that address - which is exactly the kind of information
they want to know. Letting them know you're there is a sure way to get
even more spam.
Aren't there ways of filtering "spam" out
at the mail server?
There are many people devoting a great deal of time and brainpower to
coming up with accurate and efficient ways of filtering out spam before
it gets to your mailbox, and a lot of progress has been made, but it's
still a very inexact science. As quickly as new rules and methods of filtering
are devised, the spammers tend to be able to work around them and/or come
up with new tricks. The problem is that, no matter how good the filters
are, there will always be some level of the following:
- "False positives" - legitimate e-mails that are flagged
- "False negatives" - spam that makes it through the
filters and is considered "OK"
The possibility of false positives, in particular, requires that instead
of sending messages flagged as spam directly into the trash, they must
be directed into some sort of "quarantine" mailbox until the
user can inspect them to make sure that one or more important, legitimate
messages haven't been wrongly flagged. Although this probably doesn't
require as much user time as current user methods of handling spam, it
does significantly cut into the presumed time savings of filtering. Also,
many system administrators are reluctant to implement spam filtering due
to the added processing time and load it places on the system.
That said, though, a number of large mail hosts at Penn have begun offering spam filtering services - check with the support staff for your mail host to find out more.
Can't there be a list of addresses I don't want to
receive e-mail from that can be blocked at the server?
For a variety of legal and policy reasons, for Penn-owned e-mail servers,
the principle at work is the University cannot determine who is or is not
allowed to send you e-mail, in the same way that no one can dictate who can and cannot send you postal mail through the U.S. Postal System. Nearly all programs
for reading e-mail have filtering capability,
and you are entitled to use it to set up your own local filters. Remember,
though, it could end up being a long list of filters - spammers change
addresses frequently, and use all sorts of tricks to get around filters.
Your machine may end up using as much or more processing time and power in running
the filters as it would have taken to simply delete the messages.
What is an open e-mail relay, and what does it have
to do with "spam"?
In the early days of the Internet, it was literally possible to know
not only the name and address of every single mail server on the Net,
but also every person using those servers. The Net was a relatively closed
community whose members had a level of trust in each other that extended
down to the computers attached to the network. To facilitate the flow
of e-mail traffic around bottlenecks, the original e-mail specifications
- which are essentially still in use, unchanged - provided for mail servers
to "trust" each other enough that Server A would "relay"
mail from Server B that was addressed to Server C in the event that the
most direct path from B to C (say, through D or E) was slow or unavailable.
As more and more people began using the Internet, this sort of trust
relationship became unworkable and, more to the point, dangerous, as it
allowed e-mail tricksters to more easily "hide their tracks".
Security-conscious system administrators began turning off the "relay"
function, and it is now standard practice not to allow a mail host to
act as a relay, or to severely restrict the instances where relaying is allowed.
In recent years, particularly with the popularity of operating systems
like linux that usually include capability to be set up as a mail server,
more and more mail servers are coming online. The problem is that in some
cases, the "relay" function is enabled by default, and the people
setting up the server aren't experienced enough to know and understand
the ramifications. Or, in some cases, the setup routine asks "Do
you want to allow this to act as a mail relay?" and the installer
will answer "yes", again without understanding what it really
Today, however, what happens much more frequently is that virus writers include a "feature" that turns a newly-infected computer into an open e-mail relay (in addition to all the other bad things it does - yet another reason to install and use anti-virus software) which spammers will actually pay to use to "funnel" spam messages.
An open mail relay is pure gold to a spammer, and they scan for them
constantly. If they find enough of them, they can pour millions of spam
messages through what is, essentially, an untraceable network. Open relays
are a major link in the "Spam Road".
When an open mail e-mail relay is found at Penn, Information Security
will request that the owner or administrator close the relay or take the
server off the network until the relay has been closed. If the owner or
administrator cannot be located, or refuses to close the relay, Information
Security will request a port disconnection under the Disconnect Policy.
OK, I'm running an e-mail server - how can I find
out if I have an open relay?
Visit the SpamHelp site at http://www.spamhelp.org/shopenrelay/,
where you can test your system, plus read a whole lot more about open
Last updated: Friday, April 23, 2010