The Economics of Spam

higgins writes "The Wall Street Journal has the best story I've ever seen on the economics of spam. A self-described "spam queen" (Clean link; should work for non-subscribers) talks about not just the millions of emails she spews, but what it costs per mailing ($250 for 500k emails), what the response rates are (1-2 one-thousandths percent) and what she actually makes. (40% of each sale of one product: anti-spam software)."

New spam...

[swordboy]

Here's a new one for you:

The other day, I got spam via my 'windows messaging service' - someone on my cable modem subnet is sending me pop-up spam with the 'net send' command (Windows only). Obviously this is easy to disable (for someone who knows how to) but...

WTF?

I took a screen shot which indicated time/date AND IP but the cableco tech morons said that they couldn't do anything about it? Right... How about revoking access? Perhaps it was the cableco themselves selling this service?

Re:New spam...

[diverman]

Actually, you're wrong. It's also their job to enforce their policies. Something like SPAM'ing other users (decreasing customer satisfaction) is covered under most ISP abuse policies.

It's also their responsibility to enforce abuse policies that they agree to with THEIR network provider (not necessarily being violated in this situation tho).

So, what I recommend is that people go read the abuse policy of their ISP, and see if it has anything that covers this kind of abuse. If the person sending you this SPAM over SMB (first turn off SMB messaging and get a Firewall), confirm that they are breaking their agreement, and then bitch to all high heaven. If the idiot on the phone says there's nothing they can do, ask for their manager. If they refuse, get their employee number and report them (then report the company to the appropriate agency [ie. BBB]). If that manager doesn't help, ask for his/her manager. It may not immediately solve the problem, but it will leave a big fat record of this being a problem.

If fewer people just sit on their ass, and say "It's my problem", nothing will get done on a more global level. And THAT is the only way crap like this really gets addressed. Be loud, be clear, be heard! Don't let a stupid company bully you.

And finally, even if they help you... if you feel they are a good company to you as the customer drop them. You pay them. If you are under contract, and they don't help you, accuse them of being in breach of their policies (if they are).

Not everyone knows how to protect their computer. And they shouldn't have to know how to. That's the point of computers, to make your lived easier not more of a headache.

So... in summary... I couldn't disagree more with reaper20. Don't just take it and get walked all over. Stand up, and fight for your right as a consumer and customer!

Just my $0.02!

-Alex

Re:New spam...

[xsbellx]

Your ISPs job is to provide you an internet connection that you pay for - it is NOT their job to secure your computer for you.

Boy that was one tough conclusion to arrive at. It is also the ISP's JOB to ensure the "Acceptable Use" policies are being followed.

To quote from the End User Agreement from my ISP:

7. Use of the Service(s). You agree to comply with all policies regarding permitted and prohibited uses of the Service(s) that may be posted by Rogers on the Rogers Help Website from time to time (collectively, the "Acceptable Use Policy" or "AUP") or that may be conveyed to you pursuant to Section 9(b) of this Agreement. Without limiting the generality of the foregoing, you agree that you will not use any Equipment or other feature of the Service(s) to, directly or indirectly:

[SNIP]

c. access any computer, software, data, or any confidential, copyright protected or patent protected material of any other person, without the knowledge and consent of such person, nor use any tools designed to facilitate such access, such as "packet sniffers";

[SNIP]

g. restrict, inhibit or otherwise interfere with the ability of any other person to use or enjoy the Internet, any Equipment or other feature of the Service(s), or create an unusually large burden on our network, including, without limitation: posting or transmitting any information or software that contains a virus, lock, key, bomb, worm, trojan horse or other harmful or debilitating feature; distributing mass or unsolicited email; or otherwise generating levels of traffic sufficient to impede others' ability to send or retrieve information;

Perhaps I don't share your particular/pecular taste in was constitutes an "enjoyable" Internet experince, but personally, SMB popups only lower my "enjoyment" level. In the specific case of my ISP, I believe they are LEGALLY bound to take action against the offending parties once a complaint has been lodged.

So while it is not their JOB to protect my computer, it is their JOB to ensure policies are being adhered to.

Re:New spam...

[Zocalo]

Bad analogy. Just as there are people who you can pay to repair cars, there are people who you can pay to secure computers as well. Of course, in both cases, not all of them know what they are doing or do a proper job, but you pays your money...

Frankly, given all of the recent mainstream press hype about PC security, exploits, worms and all the rest, even if it is rather thick with FUD, there really isn't much excuse for claiming ignorance anymore. Lot's of people don't know how to service their car, but pretty much everyone knows to get it serviced regularly don't they? My only hope is that the inevitable flood of NetBIOS spam raises the awareness level above the threshold necessary for J.Q. User to get of their butts and do something about it.

Re:New spam...

[Anonvmous+Coward]

"No, ISPs should NOT be blocking ANY ports."

Why not have the ISP block the ports by default and give you an option to enable them via web interface?

Let the ISP be the firewall...

Re:New spam...

[SailorBob]

On that note, how does one secure a Microsoft OS when the cableco does not allow hardware firewalls?

How can anyone prevent you from using a hardware firewall? The best they can do is require you to install an ethernet card that they supply and then check the MAC address. But most descent consumer Internet router/firewalls, for example the D-Link DI-604, allow you to clone the MAC address from your NIC. Which doesn't really leave the ISP any room. You can hook up a hardware firewall (which is what the 604 is) and as many computers as you want, and the ISP can't do a damn thing about it.

Short of coming out physically to your house and checking if you have one that is. But short of that they have no way of knowing. Unless you insist on telling them that is. ;-)

actually..

[corian]

With only 65 people filling out a survey to enter a contest, that's not a unreasonably bad chance of winning. Of course, that's assuming the prizes are bone fide...

How to stop SPAMMERS

[NutMan]

1. Get some blank checks without an account number on them
2. Write the spammer a check for the amount they are asking
3. Use a fake name/address
4. Mail it to them
5. They cash it
6. It bounces
7. They are charged a bank fee
8. Repeat Forever

Re:How to stop SPAMMERS

[Steve+B]

I am not sure this would be legal. And if it were, it would damage your credit history.

I assume that where the fake name and address comes in.

On a more serious note, it's a standard technique of scam artists to make sure that the victim is himself implicated before he realizes what's going on, so he won't call the cops. This idea turns the tables -- what's the clown going to do, complain to the cops, "This guy wrote me a bad check to pay for the phony penis enlarger I sold him"?

That said, writing bad checks is illegal and nobody should do it.

Le'ts spam all Florida ISP's

[Arcturax]

With her name and a complaint that she sent us spam, whether she did or not. Let's see how quickly she finds herself permanently without an ISP. :)

Why not just charge to send email?

[Kombat]

I have an easy solution, although some might find it a tough pill to swallow. What if ISPs started charging subscribers and affiliates a small fee to send emails? Say, 1 cent per email? For people like you and I, who send maybe 5 - 10 emails a day, that's nothing. But to a spammer, suddenly their cost to send 1,000,000 emails has gone from virtually nothing (I think the number mentioned in the article was $250) to $10,000.

They'd have to get an awful lot of buys to make back their costs.

I'd wholeheartedly support a 1 cent/email fee to be imposed across the board, by law, everywhere. Would you?

"Mainline" companies who spam

[phsolide]

Spam is theft, plain and simple. Spammers need to be punished.

You know who else needs to be punished? Mainline companies like Symantec who hire obvious fly-by-night spammers to slosh crap ads for Noron SystemWorks all over email, and then deny that Norton has anything to do with it.

About twice a week for the last 6 or 8 months I get the same ad from some theiving yellowbellies. I used to send the ads to piracy@symantec.com. After 10 increasingly strident emails, the neanderthal Symantec hired to insult people who write to piracy@symantec.com finally wrote me back, using both fingers, only to deny the obvious connections between Symantec and the spammers. Hey, unibrow! Do you think I was born yesterday?

I have sworn NEVER to buy a Symantec product because of this spamming.

Well, I also use Linux and NetBSD so it's very unlikely I will ever need Symantec's to fix up a crap Windows installation, but still, I've taken the oath.

Re:"Mainline" companies who spam

[skurk]

I've received at least 20 spams regarding the Symantec products too. It is really annoying to get the same mail in your inbox, over and over again.

I always report these spams to spamcop.net, hoping that the admins who run the open mail servers will straighten up, and I also CC abuse@symantec.com asking them to find this reseller and stop him/her.

Then, you also have the typical chain letter which I've received like 20 or 30 copies of by now. You've seen it, it goes like this:

><--#rotate>
>You may have seen this business before and
>ignored it. I know I did - too many times! However,
>please take a few moments to read this letter.
>I was amazed when the profit potential of this
>business finally sunk in... and it works!

..suuuure it works, suuure. And the whole world gets to know that you're an ass. And your home address.

I've been thinking on how we could get rid of this. Has anyone thought about creating an Open Main Tracking System of some sort, where admins discretely can contact the parent server to get more information on where a mail has been sent from and when?

-skurk

Very interesting, but I still don't understand...

[bigmouth_strikes]

...who actually reads the emails ? Even if I was so oblivious that I didn't filter my emails, I would never dream of supporting the spammer. Even if I accidently read a spam and then amazingly found the product/service interesting, I would not respond to anything in the spam.

> He also hunts for new ways to get around
> software that tries to filter out spam and to
> get people to open his e-mails.

With a response rate as low as 0.002%, do they expect that the people that install and run spam filters are the most likely to respond to spam ?

It's depressing to see how irresponsible the ISPs are, letting them off the hook so easily. They owe it to their customers to shut down the spammers, not just warn them if they get many complaints.

Like the "spam queen" said, It's a numbers game. If people bothered complaining, they'd really feel what people think about them.

spammers scan my email for 'personal keywords'

[wilton]

I recently received some spam whose subject line contained just the name of my 4 month old nephew. It is not a common name either.

It seems unlikely they could send spam that was addressed only to me, with a name I had mentioned in several previous emails without some sort of email scanning.

Has any one else had this ?

Will

If you really want to piss these people off

[Ted_Green]

Steal their databases.

I can only imagine the kind of horror they might feel at getting hacked and finding somone had DL'd their precious list of names.

Spam sucks

[Dexter's+Laboratory]

[...] 15.8 million messages he sent out. They promoted antispam software [...] someone read the spam about the antispam software and bought the product for $57.

It's sad enough that they have to promote antispam software by the means of spam, but for someone to actually buy it? I mean, who would take the time to read spam in order to stop spam?

Ms. Betterly says she refuses to send e-mails about adult fare, because it "disgraces society."

Well, at least Ms. Betterly is a "better" person. I am glad to hear that.

In the first week of the Triumvirate Technologies campaign, 81 orders came through from 3.5 million messages, a 0.0023% response rate.

Much ado about nothing, anyone? Seems like a lot of damage just to gain $1,555 (ok, I'm a student and $1,555 is a lot of money, but STILL!)

Better idea

[IamTheRealMike]

Set up a mail filter to bounce all spam you get to her address! Genius. Make sure you remember to check her website every so often though so she can't change her address.

If you're using the Razor you can change your mail filters file to do this. Make sure you bounce the messages as opposed to forwarding them, that way she can't block the addresses, bouncing also doesn't leave a record of where it came from afaik.

I dunno, if only 20 of us did this, that's 20x the normal amount of spam she's receiving. It'd be hard to find the genuine mail amongst all that. I think she'd get the message.

Anti-spam system

[DeadSea]

Being fed up with the amount of spam that I receive, I took preventative measures. I was up to about 150 spam each day. I tried filters, the best I could do was get rid of about half of it. Too many false positives. I lost email from friends. I thought about switching to the new bayesian filters I'd read about on Slashdot, but they don't seem that mature yet and anyway, I thought of a better solution.

First I bought my own domain name. This allows me to enable new email addresses at any point. I have an unlimited supply. I can create a new email address for anything that I want. Anytime I buy something, I enable an email address with some number and the name of the company in it. Anytime I post to usenet or ask somebody for help from somebody I create a new email address for that purpose. I give all my friends a private email address and ask them to be careful with it.

This means that I can also disable email addresses. I send an autoreponse to any disabled email address saying, "You attempted to send deadsea email, but you used an address that gets too much spam". I then can give them a URL for a contact form if they really need to contact me.

The contact form is the best part though. If you go to my website, the contact form lets you send me email but never reveals my address. It uses an alias system. That means that my addresses won't be harvested to begin with. I made the contact form available under the GPL so you can use it too.

So people can email me, but if I start getting spammed, I can disable an address and people can still contact me. Sure its a pain to have to use the contact form, but it doesn't happen that often. When it does happen, I reply with an email address that can actually be used to contact me.

275 messages read...

[coyote-san]

One of the most damning comments in the article seems to have been overlooked.

"Two days later, 275 messages were opened (out of a half million, remember) and 65 surveys completed...." (paraphrased). Gee, how the hell did she know how many messages had been read?

Maybe she's just counting the number of hits on a specific image on her server... but it seems much more likely that she's using a mailbug. If only 275 people, out of 500,000, even opened the message then these are the morons you want to include in all future mailings.

ISPs have rights too

[why-is-it]

No, ISPs should NOT be blocking ANY ports. I pay them for a connection. Perhaps email, news, etc. Securing my machine is my responsibility. If there is a machine on their net causing a problem, then yes, they should kill THAT machine's connection. Filtering anything is not the right thing for them to be doing.

You pay for a connection, but the ISP owns the infrastructure, and it's their network you are connecting to. While it would be nice if they did not block any ports, they have every right to do so on their own network. If you don't like that, you are always free to take your business elsewhere.

Re:Lets Here It For Indepth Reporting

I live only c.a. 20 miles from Dunedin, FL and I'm going to drive there with few friends of mine asking her politely (no, realy politely) to stop sending spam. I urge everyone who can to do the same, I believe it will help us all.

But there will always be stupid people

[Mustang+Matt]

I deal with a lot of Realtors and some of them print off every piece of spam and wait for me to come around to ask me about them.

Sure spam should get less and less effective over time, but there will always be stupid people.

If I could go back in time, I would setup a company that would allow people to sign up to receive spam and simply split X% of what I'd charge companies to send out marketing material. I guess it's not too late but such a service wouldn't be trusted and would be blackholed everywhere instantly.

Hmmm, maybe I'll create the site. In fact, I could make part of the business model to give X% of the profit to FSF or some other beneficial foundation.

The ideas are flowing now. I'd probably be too scared of being labeled as a spammer.

Re:Lets Here It For Indepth Reporting

I also just googled her address and found the same. Here is the kicker however:
The site I found this on is the "World Institute of Scientology" in particular the "Scientology Enterprises" section.
(You can find this under: http://www.xs4all.nl/~catootje/wise-1999-usa.html)

Wow. Now she is starting to really piss me off. Spam & Cult is just a little too much for me.

Re:Wotta Rip!

[bilsaysthis]

I'm just thinking out loud here but I think the cost is not just for the addresses, which are a one-time (per address) expense, but the bandwidth, preparation, and other resources used in actually sending a spam attack.

How is Parent Insightful??

[CharlieO]

This is a 5????

Why - what is insightful here?

Paragraph 1 is an inaccurate[1] and personal attack on the previous poster - no insight here.

Paragraph 2 is the usual bleating of 'how did my email get out' - no insight here.

Paragraph 3 is a BGO, Blinding Glimpse of the Obvious - no insight here.

Paragraph 4 is a plain and simple personal attack - no insight here

====
[1] Why Inaccurate?

1) Because enabling a program to run without using its CD as a key does not AUTOMATICALLY mean the poster does not own the original.

2) Because while the use of the no-cd crack for any reason may be illeagal under the DMCA in the US, elsewhere it is not, and will be decided on intent.

3) The poster's family is not at any legal risk - in most juristrictions (Not US due to DMCA) this is a CIVIL not a CRIMINAL risk, no-one is going to chase you for a few bucks because they will have to pay for the case, the state will not. Even in a juristriction where this is a crminial offence it will almost certainly not be prosecuted by the state as it will not be in the pbulic interest.

Additionally they can only chase the poster, not thier family. Why be personal and bring thier family into the argument. Not surely because they took the trouble to explain they'd used the no-cd crack to protect the original cd's when his kids played with them? If thats the true explanation then that is perfectly morally and ethically defensible thing to do with something you own that in certain juristrictions is being criminilized by poor legislation

A $cientology spammer?

[AndroidCat]

She's also probably a member of the Cthurch of $cientology.

Refs at Here and and here as well as a Laura Betterly on the 1997 WISE list. (Co$ organization.)

Yet another scientology spammer, what a surprise!