Dropsafe

by Alec Muffett

Musings on Spam

In one month I’ve had 1549 spam messages, all but a handful of which were caught automatically by Google; the conversion rate must be minuscule – somebody buying something due to spam is surely rather rare? – but from the spammer’s perspective the costs are equally minuscule, so the trade continues.

Of course a lot of the products are fraudulent or otherwise not valid, so there’s another reason that spam continues; but given that GMail especially is extraordinarily spam-resistant, I wonder why they still bother.

Well, in truth, I don’t wonder much. I suspect the answer is “the spammers are dumb and they don’t care.”

Thing is: I wonder what would happen if they did care, all of a sudden? What if they started paying reasonably literate people an adequate wage to e-mail people personally and directly, and pertinently?

These would be the door to door salesmen of the 21st century – ding-dong Avon calling / excuse me Sir, may I demonstrate how to clean your carpet? Properly written, personal e-mails, bereft of fake headers, we1rd spe11ing, bad domains, included images and javascript tricks these love-missals would fly over the spam traps and straight into peoples’ inboxes… and there would actually be a conversion rate – still small, but without destroying brand reputation.

I blame the web-metrics and SEO people – the current situation lasts only as long as “page impressions” and “number of people contacted” are accepted as measurements of the value of advertising – but I won’t go too far down that route else some people might say I am proposing/supporting VRM.

But what I am saying is that – at some point – personalised spam would be unfilterable.

Comments

9 responses to “Musings on Spam”

  1. Peter Hickman

    Then we would just mark everything as spam if we have not had any prior communication with the sender.

    Because people emailing me out of the blue are spammers 99.99% of the time.

    Reply
  2. Mike

    People would still report these emails as spam, and the sender IP address or email address or domains or urls would still get added to block lists.

    “personalised spam would be unfilterable.” assumes that systems only filter spam on the text content. *Much* more spam filtering happens purely on IP addresses and domain names.

    Reply
    1. alecm

      @Pete: I see what you’re saying, and I agree that where whitelist-only is deployed that it would not work – but where whitelist-only is _currently_ deployed spamming does not work either (modulo fraudulent senders created by virus/botnet combos) – so for me there’s an obvious upside in becoming conversational to attack the “market” where whitelist-only is not currently deployed and where textual spam-filtering is done.

      @Mike: Yep; so what these door-to-door-salesmen-type spammers do is adopt legitimate GMail accounts – and similar resources – and basically be nice, polite, and behave well, so that it’s really hard to shut them down. There would be ructions and problems but essentially (say) Google would have to look to its TOS to determine whether they can shut down e-mail accounts because they’ve been sending polite, legitimate, individually targeted e-mails.

      What I am proposing is essentially a small-scale organisation of spammers to come out from under their rocks, learn to write well, and join the human race.

      They would find a new evolutionary niche.

      Reply
  3. Clive

    Presumably in a lot of cases the spams are sent out by a contractor who knows they’re screwing both the sender and the recipient, but doesn’t care?

    The semi-reputable people send advertising to “opt-in” mailing lists garnered from people omitting to ticky the tickybox when buying stuff online. For this reason I give each website a different address and bounce any that piss me off.

    I’m assuming spammers don’t realise their output is borderline-illiterate. And, after all, who would tell them?

    Reply
  4. Dave Walker

    The “throw people-power at the problem” approach is one much used in China, of course.

    It’s fortunate that there doesn’t appear to be a nation (yet) which meets the requirements of “significant population with English as their first language, large number of currently-unemployed and low-wage culture”; my guess is India may beat China to it, although if the US economy (or indeed our own) *seriously* implodes, all bets are off…

    Reply
  5. Dogsbody

    IMHO this is already happening.

    As someone that has used the same email address for years, for everything and with very little hiding I am already getting messages like this that are well typed with good headers but that have not been requested. The current fad seems to be for local news sites. They have obviously bought my address on a list somewhere and just auto subscribe me to a brand new website without warning. Annoyingly some of the “spam” has actually been useful!

    I have also found that unsubscribe links are becoming more and more broken on legitimate newsletters. I used to like the monthly mails from Fly BMI, PicStop and Mazda until I tried to unsubscribe and still am to this day. Now I’m submitting their newsletters to spam blocklists. Shame really.

    Reply
  6. Simon

    I don’t think you can blame web-metric or SEO people for this. That assumes there is a legitimate business behind paying for it by hit or visitor, and I’ve only seen one spam from a “legitimate business” recently (thank you BT PLC). Besides most SEO people are happy to be paid by results (conversions), rather than hits, otherwise they would just paste Paris Hilton naked into every page.

    I wrote the article below a while back. The simple truth is the people running the big email servers by and large aren’t helping the spam differentiation issue by conforming to sensible practices. Gmail were better than average for the big email providers.

    http://www.circleid.com/posts/false_positives_and_ignorance/

    Although currently a combination of block lists and Greylisting still stops most spam. Almost none of our spam filtering at work is based on textual analysis of the content (I think we block Alliance and Liecester” in the subject line, on the grounds it was unlikely to turn up in a real email).

    When I checked last that post was still appropriate although the GNU project servers have improved their anti-spam measures enormously.

    I suspect the reason they don’t employ reasonably competent English speakers is simply there aren’t many in and around Guinea Bissau, Romania, or former soviet states who want to work for crooks. Indeed one of the objections to 418 eaters is that some people involved are compelled to do this.

    Reply
    1. alecm

      More on this later, but in the meantime Zooko has sent me this:

      http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf

      Reply
  7. dropsafe : Somebody asked what’s so scary about RPZ?

    […] Vixie writes: “Most new domain names are malicious“; as Wikipedia would say that’s a matter of “[citation needed]” but also I wonder what’s being got-at here; yes I have suffered any number of redirects through u43vbs1egs.com to http://www.viagrascammers.com, but banning them just means they’ll all just move to GMail […]

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts