E-mail spam is a subset of spam that involves sending nearly identical messages to thousands (or millions) of recipients. Perpetrators of such spam (“spammers”) often harvest addresses of prospective recipients from Usenet postings or from web pages, obtain them from databases, or simply guess them by using common names and domains. By popular definition, spam occurs without the permission of the recipients.
As the recipient directly bears the cost of delivery, storage, and processing, one could regard spam as the electronic equivalent of “postage-due” junk mail. However, the Direct Marketing Association will point to the existence of “legitimate” e-mail marketing. Most commentators classify e-mail-based marketing campaigns where the recipient has “opted in” to receive the marketer’s message as “legitimate”.
Spammers frequently engage in deliberate fraud to send out their messages. Spammers often use false names, addresses, phone numbers, and other contact information to set up “disposable” accounts at various Internet service providers. They also often use falsified or stolen credit card numbers to pay for these accounts. This allows them to move quickly from one account to the next as the host ISPs discover and shut down each one.
Spammers frequently go to great lengths to conceal the origin of their messages. They do this by spoofing e-mail addresses (much easier than Internet protocol spoofing). The e-mail protocol (SMTP) has no authentication by default, so the spammer can easily make a message appear to originate from any e-mail address. To prevent this, some ISPs and domains require the use of SMTP-AUTH, allowing positive identification of the specific account from which an e-mail originates.
Spammers cannot completely spoof e-mail delivery chains (the ‘Received’ header), since the receiving mailserver records the actual connection from the last mailserver’s IP address. To counter this, some spammers forge additional delivery headers to make it appear as if the e-mail had previously traversed many legitimate servers. But even when the fake headers are identified, tracing an e-mail message’s route is usually fruitless. Many ISPs have thousands of customers, and identifying spammers is tedious and generally not considered worth the effort.
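The trust boundary described above can be checked mechanically. The following is an added example, not part of the original article: it splits a message's Received chain into the headers written by the recipient's own servers and the headers below them, which a sender could have forged. The sample message, the hostnames, the `own` mapping and the Postfix-style header layout are assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not from the article). mx.example.net is assumed to be
# the recipient's own server; all addresses are documentation ranges.
SAMPLE = """\
Received: from mail.bank.example (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id A1; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay2.bigisp.example (relay2.bigisp.example [198.51.100.7])
\tby mail.bank.example with ESMTP id B2; Mon, 01 Jan 2024 10:00:01 +0000
Received: from relay1.bigisp.example (relay1.bigisp.example [198.51.100.6])
\tby relay2.bigisp.example with ESMTP id C3; Mon, 01 Jan 2024 10:00:00 +0000
From: "Support" <support@bank.example>
Subject: constructed test

body
"""

# Assumes Postfix-style "from HELO (rdns [ip]) by HOST"; other MTAs differ.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return Received headers newest-first as dicts (None if unparseable)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        hops.append(m.groupdict() if m else None)
    return hops

def split_chain(raw, own):
    """own maps our servers' hostnames to their IPs (assumed known)."""
    verified, unverified = [], []
    inside = True  # still reading headers written by our own servers
    for hop in parse_hops(raw):
        if inside and hop and hop["by"] in own:
            verified.append(hop)
            # The next header down is ours only if the peer was our server.
            inside = hop["ip"] in own.values()
        else:
            inside = False
            unverified.append(hop)
    return verified, unverified

if __name__ == "__main__":
    good, suspect = split_chain(SAMPLE, {"mx.example.net": "192.0.2.10"})
    print("handoff IP recorded by our server:", good[-1]["ip"])
    print("headers that may be forged:", len(suspect))
```

The last verified hop holds the only connecting IP address the recipient's infrastructure actually observed; a lower header naming one of our servers in its `by` field is still treated as unverified unless the hop above it came from one of our own IPs.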
Spammers frequently seek out and make use of vulnerable third-party systems such as open mail relays and open proxy servers. The SMTP system, used to send e-mail across the Internet, forwards mail from one server to another; mail servers that ISPs run commonly require some form of authentication that the user is a customer of that ISP. Open relays, however, do not properly check who is using the mail server and pass all mail to the destination address, making it quite a bit harder to track down spammers.
Increasingly, spammers use networks of virus-infected Windows PCs (zombies) to send their spam. Zombie networks are also known as botnets.
Spoofing can have serious consequences for legitimate e-mail users. Not only can their e-mail inboxes get clogged up with “undeliverable” e-mails in addition to volumes of spam, but they can also be mistakenly identified as spammers. They may receive irate e-mail from spam victims, and (if spam victims report the e-mail address owner to the ISP, for example) their ISP may terminate their service for spamming.
Legality
Sending spam violates the Acceptable Use Policy (AUP) of almost all Internet Service Providers, and can lead to the termination of the sender’s account. Many jurisdictions, such as the United States of America, which regulates via the CAN-SPAM Act of 2003, regard spamming as a crime or as an actionable tort.
Article 13 of the European Union Directive on Privacy and Electronic Communications (2002/58/EC) provides that the EU member states shall take appropriate measures to ensure that unsolicited communications for the purposes of direct marketing are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.
Accessing privately owned computer resources without the owner’s permission counts as illegal under computer crime statutes in most nations. Deliberate spreading of computer viruses is also illegal in the United States and elsewhere.
Thus, some of spammers’ most common behaviors are criminal quite independently of the legal status of spamming per se. Even before the advent of laws specifically banning or regulating spamming, spammers have been successfully prosecuted under computer fraud and abuse laws for wrongfully using others’ computers.
Related vocabulary
- Unsolicited commercial e-mail (UCE): The most common type of spam, e-mails sent to recipients who did not request them, promoting a commercial service that makes money for the spammer.
- Unsolicited bulk e-mail (UBE): E-mail viruses (worms) sent by infected computers. Also forwarded hoaxes (e.g. virus warnings), political advocacy spam, and chain letters sent by a person to many other people.
- Pink contract: A service contract offered by an ISP which offers bulk e-mail service to spamming clients, in violation of that ISP’s publicly posted acceptable use policy. Not used by reputable ISPs (if they want to remain reputable).
- Spamvertised: Adjective that describes a website “advertised” by spammers.
Licensed under the GNU Free Documentation License. It uses materials from the Wikipedia.
Spam targeting search engines (Spamdexing)
Spamdexing (a portmanteau of spamming and indexing) refers to the practice on the World Wide...