By Chris Long and Dan Simmons
Reporters, BBC Click
Spam is a very big problem. There are billions of e-mails sent every day and 80 - 90% of them are junk.
And it is getting worse. Today, spam e-mails have developed well beyond the traditional offers of illegal drugs and questionable body enhancement surgery, but you will be pleased to know it is not a new problem.
We have had junk mail for as long as we have had letterboxes, and that is exactly what spam is: junk mail, although, unlike junk mail, spam has got cleverer in the way it tries to trap you.
Whereas the junk that falls through your letterbox rarely does more than try to sell you another credit card or fast food, the kind of junk that we see in our inbox has got way more sophisticated, although apparently the naming of these things has taken a backward step.
"Pump-and-dump is a type of spam," said Mark Sunner from Messagelabs, "and it's one of the most prevalent things that's going on at the moment. Essentially the bad guys are sending out, in huge volumes, messages that purport to be a hot stock tip.
"Ironically, because enough people fall for this, we can see, by tracking these shares, that they do elevate very slightly.
"It's not a huge bump but the bad guys will have taken a slice of these penny shares and then they get out quickly, usually within a 24-hour period, as the price rises. Then people are left with something which is going to be worthless."
So how do they come up with the e-mail addresses?
"Brute force, in e-mail terms," explained Mr Sunner. "Someone can create an e-mail account called, say, abcd1234@. It's not a name, so how would anyone guess that?" And yet it still starts receiving spam.
"The answer is that there are many programs out there that are working their way through all permutations of letters and numbers, but starting with names; for instance things like asmith@, bsmith@, csmith@ etc, will be at the top of the algorithms that are targeting a particular domain.
"They have no concept of who might be behind that address, but by performing a brute force attack starting with real names there's a high likelihood that they're going to get real addresses."
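Seen from the receiving mail server, the guessing Mr Sunner describes shows up as one sender being refused a run of different unknown addresses at the same domain in a short time. The sketch below is an added example, not part of the original report; the log format, addresses and thresholds are assumptions made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical log format (not from any real mail server).
SAMPLE_LOG = """\
2007-01-10T09:00:01 client=203.0.113.7 rcpt=asmith@example.org code=550
2007-01-10T09:00:02 client=203.0.113.7 rcpt=bsmith@example.org code=550
2007-01-10T09:00:03 client=203.0.113.7 rcpt=csmith@example.org code=250
2007-01-10T09:00:04 client=203.0.113.7 rcpt=dsmith@example.org code=550
2007-01-10T09:00:05 client=203.0.113.7 rcpt=esmith@example.org code=550
2007-01-10T09:00:06 client=203.0.113.7 rcpt=fsmith@example.org code=550
2007-01-10T09:03:10 client=198.51.100.20 rcpt=jane.doe@example.org code=250
2007-01-10T09:04:30 client=198.51.100.20 rcpt=jane.deo@example.org code=550
2007-01-10T09:40:00 client=198.51.100.20 rcpt=j.doe@example.org code=550
"""

LINE = re.compile(r"^(\S+) client=(\S+) rcpt=(\S+)@(\S+) code=(\d{3})$")

def find_harvesters(log_text, window=timedelta(minutes=5), min_unknown=5):
    """Return {client: domain} for clients refused at least min_unknown
    distinct recipients at one domain inside the time window.
    Assumes the log lines are in time order."""
    recent = defaultdict(deque)   # (client, domain) -> (time, local part) pairs
    flagged = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue              # not a recipient result line
        ts, client, local, domain, code = m.groups()
        if not code.startswith("5"):
            continue              # accepted recipients are not evidence
        when = datetime.fromisoformat(ts)
        q = recent[(client, domain.lower())]
        q.append((when, local.lower()))
        while q and when - q[0][0] > window:
            q.popleft()           # forget refusals older than the window
        if len({lp for _, lp in q}) >= min_unknown:
            flagged[client] = domain.lower()
    return flagged

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

The second sender in the sample, with two mistyped addresses more than half an hour apart, is not flagged, which is the difference between a person making typos and a program working through permutations.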
Did you know you were not supposed to even open up a spam e-mail?
"When you receive a spam message in your Inbox," said Phil Watts of SoftScan, "my advice to you is please don't click on it.
"The double click is like opening a Word document, which means it opens that document into your Inbox, releases the software that's inside it, and it inserts itself into your directory or wherever it needs to go. And it could be sending out messages to your e-mail list, for example."
But it gets worse, as Thierry Karsenti from CheckPoint revealed.
"By opening the e-mail you're automatically downloading images or whatever makes the e-mail attractive to you, but by doing that you give the spammer the information that you're actually reading the e-mail."
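The download Mr Karsenti describes can be checked before a message is displayed: anything the mail program would fetch from a remote server just to render the e-mail tells the sender it was opened. The following is an added example, not part of the original report; the sample message, its URLs and the list of tags checked are assumptions for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message; the addresses and URLs are placeholders.
SAMPLE_EMAIL = """\
From: offers@example.net
To: abcd1234@example.org
Subject: Hot stock tip
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body background="http://img.example.net/bg.gif">
<p>Buy now!</p>
<img src="http://img.example.net/open.gif?id=abcd1234" width="1" height="1">
<img src="cid:logo">
<a href="http://example.net/offer">More</a>
</body></html>
"""

class RemoteFetchFinder(HTMLParser):
    """Collect URLs that would be requested just by rendering the message."""
    FETCHED_ON_RENDER = {("img", "src"), ("body", "background"),
                         ("table", "background"), ("td", "background"),
                         ("link", "href"), ("iframe", "src")}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in self.FETCHED_ON_RENDER or not value:
                continue
            url = value.strip()
            # cid: and data: content travels inside the message, so it is not counted
            if url.lower().startswith(("http://", "https://", "//")):
                self.urls.append(url)

def remote_fetches(raw_message):
    """Return the remote URLs loaded on open, across all text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteFetchFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.urls

if __name__ == "__main__":
    print(remote_fetches(SAMPLE_EMAIL))
```

The ordinary link in the sample is not reported because it is only requested if the reader clicks it; a mail program that refuses to load the two reported URLs gives the sender no sign the message was read.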
Choosing an e-mail account
We thought we'd try an experiment to see how much unwanted e-mail we would attract simply by setting up some e-mail accounts. Would spam simply flood in? Would it make much of a difference who we signed up with, or what we signed up for?
First of all we set up three e-mail accounts with AOL.
Number one was our secret account - not to be used or disclosed by anyone. Number two was set up for social networking. We registered on MySpace, Bebo, and a dating site called FriendFinder.
Finally, number three was used to sign up for just about anything we could think of: free TV and film sites, national online newspapers, beauty products, voucher schemes, all sorts.
To make sure we were not being biased we set up similar free accounts with MSN's Hotmail, and Google's mail service.
With each account we accepted the provider's default spam settings. For each site we signed up to, if we were given an option to avoid third party e-mails, we took it.
After seven days we returned to our inboxes.
Our secret accounts, the ones we just set up and kept completely hush about, have been untouched by spammers. Each of the number one accounts has just one e-mail in - welcoming us to that service. So far so good.
The number two accounts, used for social networking sites, attracted more e-mails - mainly to verify our registration. But there was nothing here we did not ask for. No third parties have been in touch. So no spam so far.
And so to the sign-up-to-anything accounts. We chose six sites at random and used our number three e-mail addresses to register. Would they attract spam inside a week of being used?
AOL was clean. There was nothing in the spam folder and all 10 messages have come from our six sites. Half of them come from a site we signed up to called Secret Satellite, all pushing the company's web TV service.
Our Hotmail account did not attract uninvited e-mails either, but it decided to treat two of Secret Satellite's messages as spam. They appear to come from Oliver, adding a personal touch to the site's repetitive pitch. Hotmail also decided that the e-mail from beautyexpert.co.uk confirming our registration was junk too.
Google seemed more cut-throat about what constitutes spam. Again there was nothing from strangers - but this time every e-mail from Secret Satellite went into the spam bin.
Which begs the question: are repeated e-mails from a service you have signed up for spam? You will have to decide, and all of these services "learn" what you think is spam depending on where you file messages.
Certainly in the short term we were not deluged with unsolicited e-mails simply because we set up e-mail accounts. Spam is a little more complicated than that.
Of course our experiment is only seven days in. But we plan to return to our inboxes to find out more the next time Click tackles spam.