SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

5 Things to Know About Spam

Posted on June 29, 2017

On today’s Checklist, a hard look at Spam: how millions of junk emails flow, who’s sending them, and what you can do about them.

Spam: it’s not just a canned lunch meat most of us try to avoid whenever possible. You probably also know it as the term for the mountains of junk emails that clog up your inbox and consume your valuable time. Spam emails have been a problem for years now. It’s estimated that there are over 14 BILLION spam emails sent every day! And now it has even expanded into other areas, from web comment boards to even our voicemail boxes. There are so many types and such a high volume of spam flowing across the Internet that it drives us to ask one overarching question: why?

Today on The Checklist, we’ll delve into the answers. We’re opening a can of spam to give you a look at exactly what’s inside: how millions of junk emails flow, who’s sending them, and what you can do about them. Let’s start by looking at some of spam’s general characteristics and its ultimate origins.

  • Where does Spam come from?
  • Why do we have to deal with spam?
  • Spam and the Law.
  • Fighting Back Against the Spammers.
  • Filters, blacklists, and anti-spam technology.

Where does Spam come from?

The best place to start is with a simple definition: what is a spam email? You know you have an inbox folder where all that junk collects, but it’s not just “junk mail” like you might find in your actual mailbox at home delivered by the mailman. Its ultimate purpose is similar, and we’ll get into that, but two qualities classify an email as spam. First, it must be an unsolicited message. Legitimate email lists properly ask you if you’d like to sign up, and also give you a way to unsubscribe. Unsolicited emails, sometimes presenting as mailing lists, are things you did not sign up for and often don’t give you a way to opt out.

Second, it should come in the form of a bulk email. If you’re the sole recipient of a message, it isn’t really spam. If you’re one of perhaps tens of thousands of recipients, though, that’s a different story. Most if not all spammers also rely on anonymity by spoofing their email addresses or employing methods to conceal the true sender. Some observers include that in their definition of spam. Overall, though, bulk and unsolicited email — almost always with a commercial purpose — is what we call spam.

How we came to call these emails spam ties in to their origin, but we all know that ultimately it loops back around the tinned meat product produced by food giant Hormel. You might notice that any time you see the product name SPAM written down, it’s in all capital letters. It’s not a branding exercise; it’s part of Hormel’s efforts to put some distance between the company and the wave of negative press that follows spam emails. Hormel would certainly prefer that you call them “unwanted emails” instead.

When the first spam was sent depends on your perspective. If we go by the “bulk and unsolicited” definition, that distinction belongs to a message sent out to several hundred users of the ARPANET way back in 1978. The first actual usage of the word “spam,” though, dates to the late 80s or the early 90s. In one tale, it started as a way to refer to the flooding of another user’s inbox with junk on old BBS systems and MUD games. In another, it has to do with a mass-posting on Usenet. In either case, users chose the word “spam” as a reference to a famous Monty Python sketch involving the famous lunch meat.

Those first spam messages were sometimes accidental, but others quickly figured out they could use them for a commercial purpose. It wasn’t long after that when unsolicited emails began to become a real problem — enough to spur people to create lists of banned addresses to stem the tide. Today, billions of spam emails flow around the Internet every day. There is an almost immeasurable number of accounts affected by it, and yet in comparison, there are very few spammers. Only a handful of people are responsible for this digital mess.

Spammers today have branched out from emails, too, though there are still plenty of those. Today, we use spam to mean many different things, but all of them are unwanted solicitations. We now get spam text messages on our phones, and even spam phone calls. You might answer only to hear a recording playing you an advertising pitch. Sometimes, they won’t even make your phone ring! So-called “ringless” calls are a new way for advertisers to leave you a voicemail without giving you the opportunity to hang up on a call. In every case, we’ve come to call these nuisances spam. Today, though, we’ll focus on the emails.

Why do we have to deal with spam?

What drives people to send out so many unsolicited messages? As it so often is, the answer is a very basic one: money. Spammers want to get rich, plain and simple, and for some, it is remarkably easy to do so with the right infrastructure in place. Spam generation methods have evolved a lot over the years, but let’s think about it on a basic level. How much does it cost you to send an email? Nothing at all. Sure, fundamentally, you’re paying your ISP for an Internet connection — but the actual act of sending an email? There is no specific cost involved there.

The ISP paying for the bandwidth and the recipient paying for their connection to read a spammer’s content bear most of the cost. So, one of the real reasons spam exists is because it’s easy to create. Blasting out fifty thousand emails is about as intensive for a spammer as sending out five. That equates to the ability to reach a massive amount of people. A spammer who has amassed a large repository of proven email addresses might command high prices from shady advertisers offering products of at best dubious legality. Not all spam is commercially oriented — some early spam messages would fall into the category of what we now call “phishing.” Often, though, it’s about pushing products. Which ones?

Pharmaceuticals are the big-ticket items — maybe you’ve even encountered your fair share of emails claiming to offer cheap pills. These might be medications that someone is too embarrassed to ask their doctor about, or it might be something they don’t have a chance of earning a prescription for, like pain medication. These “online pharmacies” are often based overseas and run as fly-by-night operations that offer little to no protection to the consumer. Why should they want to protect their customers? They’re working with spammers, after all.

Identity thieves and financial scammers turn to spam as well. While some advertising spam is legitimate, these other types are always illegal and seek to do you harm. We’ve all heard jokes about the “Nigerian prince” who wants to offer you a huge sum of money in trade for you performing some financial transaction today. Some spam emails claim to be from figures as lofty as the UN Secretary-General. All of them offer financial reward in return for your cooperation — but the end goal is always to get you to fork over your cash for something that doesn’t exist. Between spam for pills, sex, and scams, there’s a lot of unsolicited email flying around the Internet.

But when was the last time you opened a spam email, let alone decided to click on any of the links in one? Most people might skim a spam email out of curiosity, but many others never even look at them. If that’s so, how can there be any money in sending out so many? Well, not everyone looks at these messages the same way. Billions of emails go out from spammers every day. Even if many thousands go unopened, there will always be at least one person in a group who will click that link and who will plug in their credit card information.

The result is a very lucrative operation indeed. With so many individual emails going out, they’re bound to find someone who will pay. If not, they can always turn around and take their list of legitimate emails and sell them on to another spammer to try.

Spam and the Law.

With so many spammers out there, isn’t there anything the governments of the world can do about the nuisance? Well, they have, in fact, tried. Spam emails are illegal to send in many countries around the world, including the USA, the UK, Germany, and others. As we know from our experiences with malware, though, just because it is illegal does not mean it stops bad actors from pursuing shady methods of making money. The US—even after passing legislation to halt the spread of spam—remains one of the top producers in the world. Even so, legal efforts to fight spam have helped — but it took a while to reach that point.

Back in 2003, the US Congress passed a law known as CAN-SPAM. The act was intended to curtail the volume of spam on the Internet, in particular, those for adult websites, which were often ending up in the inboxes of children. That year, spam comprised more than half of the total volume of email sent across the entire Internet! That’s a long way from the early days of bombarding a few hundred BBS users with unsolicited messages.

CAN-SPAM did a few important things, like creating a legal definition of spam and outlining what wasn’t allowed — like falsified email headers, deceptive subjects, and the inability to unsubscribe. Legitimate marketers altered their tactics to comply, which made real emails better for everyone. Unfortunately, it did very little to stop the flood of spam onto the Internet. Even as a few individuals were prosecuted for sending spam, the numbers worsened. Five years after CAN-SPAM, almost all emails sent were spam: a staggering 97% of email traffic in 2008 was unsolicited.

Today, that number has declined, thanks both to improved anti-spam efforts and better blacklisting technology. Even so, the US is still one of the primary sources of spam around the world. Other countries which lack strong regulations against spam, or any regulations at all, are also hotbeds for spam production. Countries like China and Russia create a huge volume of spam. However, it’s not only people sending these emails anymore. Spammers and malware authors often work together now, and sometimes are the same people. Now, most spam is coming from remotely controlled computers — in other words: botnets.

We’ve talked about botnets before on The Checklist. Recently, Internet of Things devices were infected by malware and used as a botnet to direct a DDOS attack against a major DNS provider. Spammers build botnets to use them to direct emails to addresses on their behalf. This way, the spammer never exposes their own IP address to anti-spam efforts and—for all intents and purposes—they, themselves, appear innocent.

Except, of course, they’re directing a command and control server that oversees a botnet network made of thousands, or tens of thousands, of computers or devices. As these machines receive directions to blast out spam emails, their IP addresses might end up on a spam blacklist. In some cases, those may be poorly secured real mail servers, and now suddenly, the unsuspecting users of that server find that their emails aren’t going anywhere, even when they mail their friends. The original culprit gets away scot-free.

Most botnets arise through common, fundamental vulnerabilities left unpatched in most systems. For this reason, it’s so important to always update to the latest version of the software and/or firmware for your system! The alternative could be accidentally contributing to the spam problem without any intent to do so. With many shady companies and individuals out there looking to make a quick buck from spam, anti-malware efforts are a front-line defense for fighting spam.

The fact that creating spam is so easy for those willing to put in the time and effort is why the problem persists. Even with CAN-SPAM and other legislation, new spammers appear even when major perpetrators go down in court.

Fighting Back Against the Spammers.

Spam can be both annoying and, with the addition of malware-laden attachments or links, a danger to our security, too. So how can you protect yourself? Even when you set up a brand-new email account, it seems like it doesn’t take long before spam starts hitting your junk folder. How is it that spammers are even getting your email address in the first place? Understanding the “how” is the first step to grasping the ways you can fight back against spammers. Your email could end up in a spammer’s cross hairs one of several ways.

Perhaps the most common method today is for a spammer to simply buy a list that contains your email address. How did it end up on such a list? There are a variety of methods. You’ll often hear about usernames and email addresses traded on dark net markets. When a website is hacked and user information stolen, those email addresses can fetch a pretty penny on the black market. Spammers buying them have a good idea that they will all be valid, functioning addresses – think about it: many times when you sign up on a website, you have to verify your email address. For spammers, that means more chances to make money off unwitting users.

Other spammers set up web spiders that crawl the Internet, much like search crawlers, looking for anything identifiable as an email address. These digital spiders collect any email addresses they find into a list which is then used to generate thousands of spam emails. Other services might pretend to be useful for individuals, but in reality harvest and then sell their email address to spammers. These three methods are the most common ways your email could end up in a spammer’s hands. Sometimes, though, it’s pure luck.

Given today’s computational power, it’s a pretty trivial task to create software that generates email addresses at random or based on words in the dictionary, names, and other characteristics. Even if a spammer sends out hundreds of thousands of messages that will bounce back as invalid, they will snare some legitimate emails in the process too. Sometimes your email might be one of them. If you’ve ever looked at a recipient list that had addresses similar in theme or content to your own, your email might have been generated from such a program.

You can rely on filters to work for you, but you can also choose to fight back against spam as well. An important tip: never post your email address in a public, visible place on the web. Starting up a personal website? Great! Build a contact form instead of directing users to your email. The bots that scour websites for email addresses will find yours in short order, and then you can expect a massive increase in spam.

So, try to avoid posting it anywhere visible, or restrict access to it as much as possible. Sharing it on social media, for example, is okay as long as you use privacy settings to keep it “friends only.” Any other public setting might be an invitation to spammers. To cut down on unsolicited mail further, consider setting up several separate email accounts. Why?

Segregating your emails into different inboxes is not just good for organization. If you keep a personal email you only use for friends and family, the likelihood that it will be bought and sold as part of an email list is much lower. Your risk of contracting malware from an attachment or receiving a spearphishing email drops too.

Set up another email just for professional communications, since you won’t need to hand it out to websites often or at all. Then dedicate a third account to your website sign ups and online purchases. These addresses are more likely to get swept up by spammers, but you won’t need to worry — because it won’t be clogging up your personal inbox anymore.

Filters, blacklists, and anti-spam technology.

Knowing how to reduce the chances of your email ending up in the hands of spammers won’t stop the flow altogether. There is too much of it out there to avoid it forever. That’s why we rely instead on spam filters and blacklists to keep our inboxes clean. Major services like Gmail pride themselves on delivering as spam-free an experience as possible. Let’s focus on filters first and blacklists second.

A spam filter might be something as simple as an “if-then” statement: if an email contains these words, then reject the message or mark it as spam. When we’re talking about major corporate level filters like those employed by Google, on the other hand, it’s a more complex beast. These filters operate based on complicated algorithms, and they do more than look at the email in general. Google also relies on user reports of spam to train its algorithms to detect spam. They do this by looking for common traits between emails, including the sender, the number of recipients, and especially the format and content itself.

That’s why you’ll often see spam subject lines and text bodies filled with misspelled words, nonsense, and random strings of text culled from books in the public domain. These are all attempts to fool spam detection algorithms and convince them they are a legitimate email. By analyzing millions of spam emails, the creators of these algorithms can detect and identify most spam before it reaches an inbox. Spam filters like these also examine things like the email header, seeking any sign it might be faked. Detecting fake headers also prevents emails from impostor domains from fooling users into believing they are legitimate.

Algorithmic content filters are getting stronger every year, especially with advances in cloud computing bringing more processing power to bear. As users submit spam reports, these filters learn even which misspellings spammers most often use. It is also simple for an algorithm to flag content coming from an unknown sender with a suspicious attachment.

Then we can talk about blacklists, which are a little different. You can think of a filter as just that: a sieve through which legitimate emails can pass while catching spam. A blacklist is more like a bouncer that turns away any and every email originating from certain sources. It works like any other blacklist might: by defining an ISP, domain, or a range of IP addresses, sysadmins can stop spam that originates from those sources. Denying them access to your inbox outright is a very effective way to prevent spam.

In the 90s, blacklists were one of the only ways to prevent spam, and there were many huge blacklists maintained and shared by anti-spam advocates. A blacklist is often a heavy-handed approach, though. If you’ve ever been instructed to “check your spam folder,” well, that practice began when blacklists became standard. It was easier to end up on a blacklist by accident for one reason or another, and to then have important emails caught and filtered. Today, blacklists are more targeted to block smaller subsets of the Internet, and they remain very useful. They still have their problems, though.

Sometimes, a company will end up with an IP address assignment that results in all their emails going to spam. Why? They’ve been given an IP that belonged to an actual spammer in the past, often one who was subsequently banned for their illicit activities. If this happens, it can be quite a challenge to get a message out to consumers, and often involves a lot of wrangling with ISPs and blacklist maintainers to reverse the ban.
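To make the filter and blacklist descriptions above concrete, here is an added example (not code from SecureMac or from any mail provider) that puts the "bouncer" and the "sieve" side by side, including the misspelling trick and the reused-IP false positive. The address ranges, domains, word list, function names, and sample messages are all constructed for illustration, and the sender IP is assumed to be supplied by the mail server that accepted the connection.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed blacklist entries (documentation ranges and example domains).
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_DOMAINS = {"bulk-mailer.example"}

# Constructed word list for the simple "if-then" content filter.
SPAM_WORDS = {"viagra", "pills", "lottery"}

# Crude undo of character swaps used to misspell filtered words.
SWAPS = str.maketrans({"1": "i", "!": "i", "0": "o", "3": "e",
                       "4": "a", "@": "a", "$": "s", "5": "s"})


def blacklisted(sender_ip, sender_domain):
    """The bouncer: decide on the source alone, without reading the message."""
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in BLOCKED_NETWORKS):
        return True
    domain = sender_domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS)


def keyword_hits(text, normalize=True):
    """The sieve: return the filtered words found in the text."""
    text = text.lower()
    if normalize:
        text = text.translate(SWAPS)
    tokens = set(re.findall(r"[a-z]+", text))
    return sorted(tokens & SPAM_WORDS)


def classify(raw_message, sender_ip):
    """Return 'reject' (blacklist), 'spam' (content filter), or 'inbox'."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if blacklisted(sender_ip, addr.rpartition("@")[2]):
        return "reject"
    text = f"{msg.get('Subject', '')} {msg.get_payload()}"
    return "spam" if keyword_hits(text) else "inbox"


# Constructed sample messages.
OBFUSCATED = ("From: Deals <promo@shop.example>\n"
              "Subject: Cheap V1agra\n\nBuy p!lls today\n")
NEWSLETTER = ("From: News <news@store.example>\n"
              "Subject: June newsletter\n\nOur summer opening hours.\n")

if __name__ == "__main__":
    # A plain word match misses the misspellings; normalizing first catches them.
    print(keyword_hits("Cheap V1agra p!lls", normalize=False))
    print(classify(OBFUSCATED, "198.51.100.7"))
    # The same harmless newsletter is delivered from a clean address but turned
    # away when its sender has inherited an address inside a blacklisted range.
    print(classify(NEWSLETTER, "198.51.100.7"))
    print(classify(NEWSLETTER, "203.0.113.45"))
```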

To avoid contributions to the spam problem and reach consumers effectively, most companies work with a third-party mail manager these days. MailChimp is one of the most popular ones, for example. These services let us reach out to consumers through newsletters and other voluntary mailers while avoiding the snare of the spam filter. After all, that’s still content we want to see!

The unfortunate reality is that we are unlikely to see any end to spam anytime soon. Even with the latest advances in anti-spam technology, the spammers keep on looking for new ways to circumvent them. The good news is that our efforts to fight back are still improving, and most of us can go days without ever seeing a spam email land in our main inbox. Even so, it’s important to remember what to look out for — and knowing how it works can help a lot.

Thanks for joining us for this weekly edition of The Checklist, and we hope your spam folders aren’t too full. We’ll return again next week with more interesting info for you!

Problems? Questions? Security concerns? If you have anything to ask us, send us an email at checklist@securemac.com!
