Where spam comes from

Spam takes many forms, from debt advice to penis enlargement

For anyone plagued by junk e-mails, the question that often baffles most is how did the spammers get your address.

US researchers at the Center for Democracy and Technology set out to answer this question in the summer of 2002.

They found that e-mail addresses posted on websites or in newsgroups attract the most spam.

Spam is estimated to account for up to 40% of global e-mail traffic and is causing a massive headache for businesses, which are losing billions in productivity.

E-mails on the web

To determine the source of spam, the researchers set up hundreds of different e-mail addresses and waited six months to see what kind of mail the addresses were attracting.

For the purposes of the study, researchers posted e-mail addresses on websites and newsgroups.

They also provided e-mail addresses in response to services on popular websites such as auction site eBay and e-commerce favourite Amazon.

E-mail addresses were also sent to websites in response to jobs, auctions and discussion boards.

Finally researchers posted addresses in the Whois database of information about the owners of domain names.

Evasive techniques

Spammers regularly launch so-called brute force attacks

The researchers found that spammers used harvesting programs such as robots and spiders to record e-mail addresses listed on both personal and corporate websites.

One way of avoiding this mail-harvesting, said the team, is to replace characters in an e-mail address with human-readable equivalents - for example john@domain.com would become john at domain dot com.

Another successful evasion technique is to replace the characters in an e-mail address with the HTML equivalent.

None of the project's addresses written in human-readable formats or HTML received a single piece of spam.

Over the course of the six-month study, the researchers received over 10,000 e-mail messages to the 250 e-mail addresses they had created.

Only about 1,600 of these were legitimate e-mails.

Over 97% of the spam was sent to addresses that had been posted on public websites.

The number of messages received was linked to the popularity of the website. Organisations linked to major portals such as AOL and Yahoo received a lot more spam than those without links.

AOL is currently waging its own war on spammers, recently launching over a dozen lawsuits against individuals and companies it claims is sending unsolicited mail to its members.

Opting out

The research also looked at whether websites respected consumer attempts to opt out of receiving commercial e-mail.

In all cases where researchers asked not to receive commercial e-mails, their wishes were respected.

Opting out of e-mail communications further down the line also resulted in the majority of websites complying with the request.

The study found that most web companies did not share or sell e-mail addresses to third parties.

Just 25 spam messages were received as a result of inappropriate sharing or selling of e-mail addresses, and most of these were from gambling and adult-content related websites.

Scatter gun approach

At one point during the study, the system began receiving spam messages to addresses that had never been used for any purpose or submitted to anyone.

Such brute force attacks, in which spammers attempt to send e-mails to every possible combination of letters that could form an e-mail address, are relatively common.

The system received over 8,000 brute force e-mails before a block was installed.

These messages were not included in the final data.