March/April issue of acmqueue


The March/April issue of acmqueue is out now


Curmudgeon

Email and IM

  Download PDF version of this article PDF

The Joy of Spam

Embracing e-mail’s dark side

Phillip A. Laplante, Penn State University

Not a day goes by that a large amount of spam doesn’t get past the two filters that I have in place (one on the server and one on my mail client). Most of this e-mail is annoying and some of it dangerous. But I have finally come to peace with spam and it no longer bothers me. How did I do that, you ask? I have learned to respect, even love, spam’s malicious beauty. I want to share my journey to inner peace, hopeful that you will find happiness too.

Why spam, why now?

I had been growing more agitated with the escalating intensity and elusiveness of spam for several years. At any given point in time my junk e-mail box featured hundreds of pieces of spam in more than 30 languages. This junk included phishing attacks disguised as e-mail from dozens of banks and credit unions, both real and imaginary; from PayPal and eBay (which I never use); from Internet lotteries; and every other form of confidence scam. I have been offered countless products for sale: discount drugs, computer supplies, sexual enhancement products, financial opportunities, and flattering offers of dates, marriage, and more.

More recently, I had been flooded with “important message from a family member” or “postcard from someone who cares” e-mails, which, of course, redirected to some rogue site or installed a browser hijacker. I still hadn’t fallen for any of these ploys, but I knew that I or a family member might soon fall victim as the sophistication and authenticity of this spam increased. I had not been keeping count of the frequency of these various dodges, but I knew that the threat was increasing. My anxiety level and blood pressure reached record highs. I had to deal with this crisis, but how?

Lash out

My first instinct was to strike back. I fantasized some deliciously ironic denial-of-service attack. Eventually, however, I had to acknowledge my own limited though devious skills, and I was sure that even if I could temporarily bring down one of these operations, it would just move to another boiler room. So I considered legal remedies, but I didn’t want to get involved in a class-action or private lawsuit. Political action seemed out of the question too. Besides, I don’t think that spam legislation is the way around the problem—I still get telephone solicitations, even though I am on every do-not-call list.

Finally, I imagined simply writing a withering e-mail message to some unnamed spammer that would force capitulation. But what could I write that would be so convincing? “Rosalia Boyce, Loretta Nicolay, Shad Mauny, or whatever the hell your name is, stop spamming me!” I don’t think so.

Try to measure it

In a meditative interlude, the spirit of Lord Kelvin implored me to “first measure what it is you want to understand.” Aha! A more thorough understanding, through modeling of my pain, was the way to serenity, I mused. I approached my formulation thusly.

Let T be the set of e-mails received in my inbox in a fixed interval of time, I (e.g., one day). Let S be the set of actual spam e-mails received during interval I. We could further partition S by spam type. For example:

  s1= collection of Nigerian 419 scams
  s2= collection of sexual enhancement and performance products
  s3= collection of Internet lottery awards
  s4= collection of investment opportunities
  s5= collection of health products
  sn= collection of messages from “a friend”
  so that 

By focusing on each individual si as well as S, I thought I could measure the effectiveness of one strategy or another in limiting certain kinds of spam that might be most dangerous. But I digress.

Then, let C be the set of messages correctly classified as spam by my e-mail client’s spam filter—that is, the messages in the set S correctly identified as spam and the set of messages in the set T - S correctly identified as legitimate e-mail.

To help understand the severity of my spam problem, I contrived a knowledge, confidence, uncertainty, and fear continuum by defining four bands of varying spam comprehension:

knowledge, when 
confidence, when 99.9% > 
uncertainty, when 99% > 
fear, when 

I didn’t initially care about the boundary values. My goal was to form the basis for clear communication about my spam crisis.

But then I remembered that determining the set C is hard, because without examining every e-mail in detail, it is likely that some number of e-mails will be misidentified as spam and some amount of spam will not be correctly identified. I tried to reformulate my safety zones to take this into account. After a while, however, I realized that although academically pleasing, this exercise was not going to solve any spam problems—just more thoroughly describe them and, hence, increase my anxiety. I abandoned this approach.

Accept it

If I couldn’t counterattack spam, and measuring it was futile, then, I reasoned, peace would come through acceptance. Indeed, I realized that spam, like weeds, rotten drivers, and bad weather, is always with us. We might occasionally bemoan the most stubborn weeds, the most erratic drivers, the major storms, and most malicious spam. But why sweat the everyday annoyances? Indeed, obsessing about total eradication of weeds and bad drivers leads to too high a price: ultimately, the destruction of lawns and removal of good drivers from the road. (Of course, there is nothing one can do about the weather.) Alas, this kind of acceptance seemed to be a Chauncey Gardiner-like strategy (“if the server is strong, the e-mail will return”), so I rejected it.

I considered another way of accepting spam: through inclusiveness. I mean, accept that we are all part of one big spamming family. I know that some legitimate e-mails that I send, and those sent by reputable organizations that I affiliate with, are probably tagged by some filters as spam. Sometimes the spammers impersonate me or my associates through spoofing. In fact, because of spoofing, it sometimes appears that I have sent spam to myself. For the same reasons, it is likely that others might perceive you as a spammer too.

Admitting that I might be perceived as a spammer was as satisfying as concluding that I was a member of a set of serial-killers-to-be. Therefore, I rejected this approach too.

Love it

Finally, I had a catharsis. Why not love spam? Couldn’t I savor its malevolent ingenuity and sublime audacity? This ingenuity is illustrated on several levels: the sender name, the subject line, the disguised text, and the nature of the attack. Let’s consider the ephemeral beauty of these features briefly.

Only a computer could generate such improbably funny names deliberately combining infrequently paired words to defeat spam filters. I have been collecting the best of these names for a couple of years. Some of the funnier ones are: Schmuck G. Deriding, Iroquoian L. Biscuit, Zirconium H. Coquetted, Vealed C. Certitude, Abusiveness O. Solitude, Cursoring U. Bayonet, Disabling Condom, Kangaroo D. Castanet, Withering A. Footstool, Bombay Dyslexic, Disallows H. Bootstrap, Epidermis V. Manhunt, Frescoes S. Congo, Vegetated H. Febrile, Vacillating K. But.

Of course, the subject lines can contain similar kinds of whimsy, or rely on the human brain to “i n t rp rit the c rr ct meening.”

Another ploy I enjoy is the important-looking message in the body of the e-mail, which upon closer examination is techno-garbage. For example:

“To ensure the equality of the diagonals, we make use of a little testing-rod. Thus the body has the same energy as a body of mass on a Euclidean and Non-Euclidean Continuum. The surface of a marble table is spread out in front of me.”

This text is then followed by instructions to get low prices on blue pills.

Finally, though I fear and despise them, I have to respect the cleverness of the attacks themselves. Think of the irresistible allure of certain phishing attacks, the marketing savvy of the sales pitch, and so on. I am reminded of the beauty and danger found in the ocean—deadly poisonous but magnificent lionfish, brilliant and razor-sharp coral, elegantly powerful but ruthless sharks, exquisitely camouflaged but fatal rockfish, and so on. Spam is… well… so beautiful. Thus, I reached my Nirvana.

Conclusion

As I reflect on my evolving reactions to spam: lashing out, measuring, accepting, and finally, loving spam, I realize that the journey roughly parallels the cycle of grieving—denial, anger, sadness, acceptance. Although there is no analogy to the loss of a loved one, in some Karmic sense, there must be spam to achieve universal balance.

Spam will always be with us because it brings reward to the spammers. It used to be that people were naïve and easily trapped, but spam is ever-more-sophisticated and prolific, and even the most vigilant of us can be tricked. So, instead of cursing spam, appreciate it; savor its diabolical brilliance; enjoy the persistence and enthusiasm of the spammers; and behold the spectacle of it all.

PHILLIP LAPLANTE is professor of software engineering at the Penn State Great Valley School of Graduate Studies. His vital statistics can be found at www.personal.psu.edu/pal11.

acmqueue

Originally published in Queue vol. 4, no. 9
see this item in the ACM Digital Library


Tweet



Related:

Eric Allman - E-mail Authentication
Internet e-mail was conceived in a different world than we live in today. It was a small, tightly knit community, and we didn’t really have to worry too much about miscreants. Generally, if someone did something wrong, the problem could be dealt with through social means; “shunning” is very effective in small communities.


Vipul Ved Prakash, Adam O'Donnell - Fighting Spam with Reputation Systems
User-submitted spam fingerprints


John Stone, Sarah Merrion - Instant Messaging or Instant Headache?
It's a reality. You have IM (instant messaging) clients in your environment. You have already recognized that it is eating up more and more of your network bandwidth and with Microsoft building IM capability into its XP operating system and applications, you know this will only get worse. Management is also voicing concerns over the lost user productivity caused by personal conversations over this medium. You have tried blocking these conduits for conversation, but it is a constant battle.


Joe Hildebrand - Nine IM Accounts and Counting
The key word with instant messaging today is interoperability. Various standards are in contention.



Comments

(newest first)

Leave this field empty

Post a Comment:







© 2017 ACM, Inc. All Rights Reserved.