Spam: It’s annoying and dangerous

Who are Liu Yan, Arianna Keesha and Wilfred Saenz? What do they have in common? Smart internet users, especially the pioneers, will simply smile at these names and delete the e-mail messages coming from these machines. Indeed, they are not real people but names used by computer servers that, everyday, send billions of unsolicited e-mail around the world, known as “spam”, selling anything from fake Viagra and medicines to cheap software, replica watches and lottery winnings. Sometimes there’s an attempt at fraud or other criminal activities.

According to the Messaging Anti-Abuse Working Group (MAAWG) around 85 per cent of e-mails sent everyday is spam. A 2009 Cisco Systems report lists the origin of spam by country. Brazil is the major culprit with 7.7 trillion e-mails, followed by the United States with 6.6 trillion, India with 3.6 trillion and then South Korea, Turkey, Vietnam, China, Poland, Russia and Argentina.

Maltese internet users are not immune to spam. i-Tech’s inbox receives spam on a daily basis despite the efforts of the ICT team at Allied Newspapers.

Just to have an idea as to the extent of the problem in Malta, the Malta Government network, Malta’s largest closed network which includes the public services and sensitive entities for the running of the country, receives around two million e-mails daily, of which on average 70 per cent are identified as spam.

“Spam is an ongoing problem. Anti-spam technologies keep getting better but spammers will always try to devise new ways of delivering this unwanted e-mail,” said Pierre Axiaq, systems engineer for internet and groupware services at the Malta Information Technology Agency, which provides ICT services to the government.

“It is also ‘seasonal’ - sometimes spam volume trends vary between months of the year. In extreme cases of spam overload, traffic from entire networks that are the source of large amounts of spam can be shut down by the authorities.”

Indeed there is a cost to spam. On a commercial and corporate level, spam is a burden on computer servers, a burden on human resources, it slows down internet speed during delivery, and online services such as search engines can be duped into indexing useless content.

On a personal level it can lead to identity theft, data theft, fraud and virus infections on computers.

Most of the spam e-mails received still consist, more or less, of the same type, i.e. selling pharmaceuticals, fake goods and the like, with some being more creative than others. There are also some spam e-mails that are a little bit more elaborate and which are considered as phishing or scam e-mails. Another type of spam relates to the acquisition of fake diplomas and university degrees. Hoax chain letters or requests to help some young child dying of cancer by sending e-mail appeals are also considered as spam.

“A good portion of spam is dangerous,” warns Nicholas Sciberras, product manager at GFI Software, an international software developer of network and security solutions for small to medium-sized enterprises. GFI has offices in Malta and in several locations around the world.

“One of the most dangerous types of spam is phishing. This type of spam resembles an e-mail coming from well-known institutions such as banks, insurance companies, internet service providers, PayPal and others, and their purpose is to steal information such as user credentials or credit card details. Viruses and certain types of worms are known to spread using spam techniques. Apart from that, when visiting a URL in a spam e-mail, there is a good chance that the spammer’s web page hosts drive-by-download malware (malicious programme).”

Maltese users have recently received e-mails with phishing attempts on local banks and ISPs, inducing them to issue public statements to protect their clients.

Spammers and anti-spam solutions developers have been playing a cat-and-mouse game for years, and spammers are always coming up with new methods of annoying people, and in some cases, making money illicitly out of them.

Mr Sciberras explained to i-Tech that new spam techniques include the embedding of their message in an image and embedding the message in other types of attachments such as zip files, Excel spreadsheet documents and pdf files. Some spam fake the sender of the message (known as spoofing), while others make use of certain tricks in HTML (the language used to build web pages) which makes conventional keyword checking techniques useless.

Another new variant of spam has a small HTML page attached to e-mail. The e-mail message itself is innocuous, and typically appears to be from a well-known organisation. The HTML includes some JavaScript code so that when the recipient clicks on the HTML to open it, the user is immediately redirected to a website controlled by the spammer. That site might be a phishing site, a site that attempts to install malware on the individual’s computer, or any other destination site that provides a potential payoff for the spammer.

Certain anti-spam technologies would just need to be updated to start blocking new types of spam, reassured GFI’s executive.

Yet even established companies like Apple, whose products are not particularly linked to online threats, fell victim to spammers as its new Ping online music network was spammed within hours of going online a few days ago.

And its seems Facebook, Twitter and Skype, relatively new kids on the block, are increasingly targeted by spammers as more internet users spend most of their time on these social networks and new online services rather than using e-mail. It might also be the case that anti-spam filtering is doing too good a job with e-mails.

Anti-spam filters are constantly being updated with newer definitions, a technique similar to the one used by anti-virus products. MITA for example has two groups of filters that consist of a commercial product coupled with a customised in-house product. The first filter deletes e-mails, the second tags e-mails as spam and delivers it to the user’s mailbox for him/her to decide.

So what can internet users do to combat spam? MITA’s executive has this advice for internet users: “The most important thing you can do to combat spam is educate yourself in recognising the difference between spam and legitimate e-mail. The most basic and effective rules are: do not register your e-mail address with unverified/untrusted parties and do not reply to spam mail, actually delete it without reading!”