TechTarget.com/searchsecurity

https://www.techtarget.com/searchsecurity/definition/spam

What is email spam and how to fight it?

By Paul Kirvan

Email spam, also known as junk email, refers to unsolicited email messages, usually sent in bulk to a large list of recipients. Humans send spam, but more often, botnets are responsible for sending it. A botnet is a network of computers, referred to as bots or spambots, infected with malware and controlled by a single attacking party, called a bot herder. Apart from email, spam can also be distributed via text messages and social media.

Daily email volume in 2023 was estimated to be about 350 billion messages, with about half of those messages considered spam. Spam costs legitimate businesses and individuals billions of dollars every year.

Most people find spam annoying and consider it an inevitable part of using email. Nevertheless, it can choke email inboxes if not properly filtered and regularly deleted. It wastes the time of people deleting or unsubscribing from the emails, and uses IT resources. It can also be a threat.

Email spam senders, or spammers, regularly alter their methods and messages to trick potential victims into downloading malware, sharing data or sending money.

Spam emails are almost always commercial with a financial motive. For example, spammers often attempt to capture personal information, such as bank account and credit card numbers, try to promote and sell questionable goods, make false claims and deceive recipients into believing something that's not true.

A common misconception is that spam is an acronym that stands for "stupid pointless annoying malware." The term is actually derived from a famous Monty Python's Flying Circus sketch in which there are many repetitive mentions of the canned meat product Spam.

Spam, spammers and spambots

Spammers use spambots to crawl the internet looking for email addresses that are used to create email distribution lists. The lists are used to send junk emails to multiple email addresses -- usually hundreds of thousands -- at one time.

The most popular spam subjects are pharmaceuticals, adult content, financial services, online degrees, work-from-home jobs, online gambling and cryptocurrencies.

The conversion rate for spam is low. Simply put, few people fall for emails from rich but desperate Nigerian princes or so-called pharmaceutical businesses claiming to hold the patent on a miracle lose-weight-fast pill.

Spammers expect only a small number of recipients to respond or interact with their message, but they can still swindle their way to a big payday because they send their shady message to so many email addresses in a single stroke. That is why spam continues to be a problem in the modern digital economy.

A brief history of spam

Spam's history goes back several decades. Gary Thuerk, an employee of the now-defunct Digital Equipment Corp. (DEC), sent the first spam email to promote a new product. The unsolicited email went out to about 400 of the 2,600 people who had email accounts on the Advanced Research Projects Agency Network. Some reports suggest that it generated about $12 million in new sales for DEC.

However, it wasn't until 1993 that the term spam was used. It was applied to Usenet, a newsgroup that's a hybrid between an email and a web forum. A glitch in its new moderation software caused it to automatically post 200-plus messages to a discussion group. Someone jokingly called the event spamming.

Usenet was also the victim of the first large-scale spam attack in 1994. By 2003, spam constituted 80% to 85% of email messages sent worldwide. It had become such a widespread problem that it prompted the U.S. to pass the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. The CAN-SPAM Act is still the most important regulation that legitimate email marketers must comply with to prevent being labeled as spammers.

Common spamming techniques

Spammers use different techniques to send spam:

• Botnets. Botnets enable spammers to use command-and-control servers to harvest email addresses and distribute spam.
• Snowshoe spam. With this technique, scammers use a range of Internet Protocol addresses and email addresses with neutral reputations to distribute spam.
• Blank email spam. This technique involves sending email with an empty message body and subject line. It could be used in a directory harvest attack to validate email addresses by identifying invalid bounced addresses. In some instances, seemingly blank emails might hide viruses and worms that can spread through Hypertext Markup Language code embedded in the email.
• Image spam. The message text, which is computer-generated and unintelligible to human readers, is stored as a JPEG (Joint Photographic Experts Group) or GIF (Graphics Interchange Format) file format and placed into the email body. This method attempts to avoid detection from text-based spam filters.

Types of spam

Email spam comes in many forms, depending on the purpose of the spammer:

• Marketing messages. This type of spam peddles unsolicited or illegal products or services.
• Malware messages. These spam emails contain malware, which can trick users into divulging personal information, paying money or taking some action they wouldn't normally do or that could be harmful.
• Fraud and scams. The advance fee or Nigerian prince scam is a well-known example of email-based fraud. A user receives an email with an offer that purportedly results in a reward if they pay an advance fee or small deposit. Once they make the payment, the fraudster will invent further fees or just stop responding.
• Antivirus warnings. These messages warn a user about a fictitious virus infection and offer a way to fix it. If the user takes the bait and clicks on a malicious link in the email, the hacker can gain access to their system. The email might also download a malicious file to the device.
• Sweepstakes winners. Spammers send emails claiming that a recipient has won a sweepstakes or a prize. To collect the prize, the recipient must click on a link within the email. The link is malicious and is typically used to steal the user's personal information.
• Adult content. This category is among the highest ranking types of spam, with dating sites contributing a significant portion of the content.
• Phishing messages. Spam can also come in the form of phishing emails that trick recipients into revealing personal or confidential information.

Spam vs. phishing

Phishing scams and their messages are usually disguised as official communication from legitimate senders. These can be banks and other financial institutions, online payment processors, government agencies or any organization a user might trust.

Phishing emails typically direct recipients to a fake version of a real organization's website, where the user is prompted to enter personal information, such as login credentials or credit card details, email and physical addresses, and phone numbers -- any information that can be used steal the victim's money or identity.

Phishing attack emails are more sophisticated than normal spam emails, which are usually mass-mailed, have a monetary focus and don't require the spammer to have a lot of technical expertise. Businesses and other organizations need to train employees to be alert for phishing emails.

Antispam laws

In addition to the U.S. CAN-SPAM legislation, other countries have implemented laws to fight the spam menace, including the following:

• Australia's Spam Act 2003.
• United Kingdom's Privacy and Electronic Communications Regulations 2003.
• Canada's Personal Information Protection and Electronic Documents Act of 2000, Fighting Internet and Wireless Spam Act of 2010 and Anti-Spam Legislation of 2014.
• European Union's Directive on privacy and electronic communications of 2002.

How to fight spam

Email providers such as Microsoft and Google spend billions of dollars a year to enhance email security. E-commerce companies like Amazon and major banks also spend millions to protect their customers from phishing scams and other cyberattacks. This is in addition to the companies whose products and services can be used to block email spam.

Email spam filters, which might be part of a security application or an email system add-on, catch many spam messages. They deposit them in a user's spam folder rather than their inbox, reducing the amount of spam users see. However, while it's important to report spam as much as possible, it's impossible to eliminate spam.

Newer email filters read images and identify potentially harmful text, but that might inadvertently filter out nonspam emails that contain images featuring text. Artificial intelligence (AI) capabilities, increasingly used in spam filtering and cybersecurity systems, are able to identify even more suspicious emails, when properly trained and with a sufficient database of malware code.

Users can take the following steps to reduce their vulnerability to spam emails:

• Identify email messages that look suspicious. To do this, hover the cursor above the sender's email address and observe the displayed address to see if it looks legitimate. This approach doesn't always work, but it provides an easy first step.
• Report, block and delete unwanted messages or any suspicious-looking emails received.
• Unsubscribe from mailing lists.
• Install software that blocks emails, viruses and other malware.
• Add a third-party antispam filter on local email clients. Customize the filter to block messages that include particular words or phrases that are frequently used in spam emails.
• Install browser protection to block malicious websites.
• Create an email allowlist where trusted email addresses, IP addresses and domains are marked as ones the user is willing to receive email from.
• Have a disposable email account or masked email address for online use, such as in discussion forums.
• Never click links or open attachments in emails from unknown senders.

How to keep legitimate email out of spam filters

Legitimate email senders can take the following steps to prevent their messages from being mistaken for spam:

• Follow email marketing best practices to maintain a good sender reputation.
• Use authentication instruments, such as DomainKeys Identified Mail and Sender Policy Framework.
• Remove words that antispam filters might flag and lead to the email being marked as spam, such as "call now" or "save big money."
• Create relevant, user-friendly content that's useful to your audience.
• Optimize recipient interest with good subject lines.
• Ask recipients to opt in to receiving messages to ensure they're engaged and less likely to report the email as spam.
• Use a reputable bulk email service.

Should you report email spam?

The short answer is yes. While it isn't possible to completely stop spam, procedures for reporting it are fairly simple to use on the email platforms of service providers such as Microsoft Outlook, Apple Mail and Google Gmail. In most cases it's a matter of moving the cursor to the suspicious or unwanted email, right-clicking on the mouse to bring up additional functions and clicking on the spam reporting link. Similar capabilities are available on smartphones.