TERM PAPER ON

SPAM, TECHNOLOGICAL SOLUTIONS AND ITS CURRENT REGULATIONS

By, Mahathi chintapalli (09224) Pratyusha borancha (09233) Khaja rasool (09244) Shalini (09245) Sushobitha (09250) Sushrutha (09251)

Table of Contents

Introduction
Spam
Reason for Spamming
The Volume of Spam
The Effects of Spam
How Spam Works
Different types of Spam
Spam- social networking sites
    Facebook
    Twitter
Preventing Spam
The Spam Solutions
    NON-GOVERNMENTAL
    GOVERNMENTAL
CASES
Current Anti-Spam Legislation
Conclusion


Introduction:

Every day, when people open their e-mail inboxes, they find numerous messages from unknown parties offering a range of services and products. These unwanted messages have come to be referred to as "spam." Just a few years ago, spam was considered a minor nuisance. The increase in spam over the last few years, however, has led many to focus on this problem. The scale and the effects of the spam epidemic suggest that spam is no longer simply a nuisance but is a large-scale network problem.

Spam:

The definition of spam is neither clear nor consistent across different individuals or organizations. We can describe spam as unwanted e-mail messages. These types of messages are often referred to as "unsolicited commercial e-mail." However, over the years there has been an increase in unsolicited mail that is not necessarily commercial in nature. Therefore, some have begun to refer to these types of messages as "unsolicited bulk e-mail." This column will focus on commercial spam, which makes up the majority of all unsolicited e-mail.

The problem of defining spam becomes more complex across different types of organizations. For example, organizations with more liberal network access policies allow users to receive personal e-mail and mailing lists; other organizations restrict users to receiving only business-related messages and therefore describe all other messages as spam. A good approach to this problem is to define the different categories of messages that may be deemed spam and allow organizations or individuals to create an appropriate definition for their environment.

Reason for Spamming:

Many wonder why spam activity has increased over the last couple of years. Is it because more people want to be nuisances to society? Spamming is not a pastime but is an actual business process. Spammers are in business, and like most others in business, they have a goal of making a profit. This fact is useful in understanding the swift growth in the use of spam. As in any other business, spammers must perform a few essential activities in order to create a profit:


1. Find potential customers. For spammers, this involves obtaining a list of e-mail addresses. There are two main methods that can be used to obtain these lists: address harvesting and list purchasing.
2. Offer a product or service to the potential customers. This involves sending information or an offer to the list of e-mail addresses.
3. Sell and deliver the product or service to some percentage of the potential customers.

The success of spam as a business is based on the low cost of #1 and #2, allowing a low response rate to still lead to a profit. Sending spam can cost $0.0005 per recipient; direct mail can cost $1.21 per recipient, or about 2,400 times more. Direct mailers usually require a response rate of about 2 percent; spammers, on the other hand, can break even with response rates as low as 0.001 percent, about 2,000 times lower. For example, a spammer can send 500,000 messages and still be pleased and profitable with five responses.

The Volume of Spam

Just one year ago, spam accounted for only 10 percent of inbound e-mail traffic; today, spam accounts for over 60 percent of inbound e-mail traffic on average.[2] Consequently, an average user now has more unwanted messages than wanted ones in his or her inbox. This influx of messages has introduced a burden not only on end-users but also on administrators and the infrastructure. The cost of the spam problem includes lost productivity from the users who must deal with spam messages and from the computing resources that must be used to handle these messages.

The Effects of Spam

Individuals, or a group of users, are easily targeted by . Spam usually arises as a result of giving out your on an unauthorized or unscrupulous website. Some of the effects of Spam:

• Fills your Inbox with a number of ridiculous emails.
• Degrades your Internet speed to a great extent.
• Steals useful information like your details on your contact list.
• Alters your search results on any .


How Spam Works

Spam is usually not targeted to specific email addresses. Instead, the email addresses are collected at random for the purpose of emailing promotions and other junk. Since the email addresses are not targeted, the idea of mailing the promotions is a numbers game in the eyes of the spammer. Sending out spam is a really easy and inexpensive process, which is why a lot of marketers who are lazy and want to find a get-rich-quick way to make money resort to spamming. The reality is, it is not a quick way to make money and you face a lot of headaches in the aftermath of a spam promotion.

Spammers use software that is specifically designed for spamming. The software has the capability to weave its way down through the layers in the Internet to collect hundreds of thousands of email addresses from websites, social networking groups, and any other sources where people reveal their email addresses. The addresses are collected in a very short amount of time. Once the addresses are collected, the spammer simply enters the sales message into the software, creates a title, and then presses "Send." It is that easy.

Any website you have visited where you have entered your email address to receive more information or for some other reason is fair game to spammers. This is how they get your email address. Additionally, they can set up the software to address you by name among a host of other sophisticated practices.

Deceptive Practices of Spammers:

• Spam Blocker Escape: Spammers are masters of getting around the spam blocking software. Although this software is effective in blocking spam, spammers are learning more and more how the software works and then wording their messages to get around the spam blocker.
• Evading the Law: In recent years spam has become against the law in some areas of the world. Spammers get around this by intruding on remote computers which send out the spam for them without the knowledge of the PC owner. This way there is no trace of the spammer's real Internet protocol address. The problem with this is the IP address of the computer they hacked will show up on the spam message which results in the innocent person losing their Internet service account due to spam.
• Some versions of spam software include what is called cloaking. The software will automatically cloak the spammer's Internet protocol address so the message cannot be traced. Additionally, it will insert a bogus return email address which is the reason it is nearly impossible to track down.

Different types of Spam

• spam - a popular and heinous type of scam
• foreign bank spam
• Get rich easily and quickly spam
• Illicitly pirated software
• News group and forum spam

Spam- social networking sites

Facebook:

Facebook is a fantastic tool which can be used to stay in touch with friends or even to promote your business. If you're promoting your products on Facebook then there are a number of things that you need to be careful of, because if you're not cautious then you could end up getting banned or having your account deleted. There are many things which can cause your account to be blocked on Facebook. Many of these relate to spam. It's very important that you do not spam contacts on Facebook because this would be grounds for the cancelation of your account. If you send out too many friend requests then this will be considered a form of spam and this could get your account deactivated. If you post on lots of people's walls with the same messages then this will almost certainly get you banned. If, when you request friends, you always copy and paste the same message then this will also be seen as a type of spam. You should avoid poking people for no reason because if you poke too many people then you could end up getting banned.

Twitter

Spam on Twitter has become a growing problem and, with more and more individuals and businesses using the social networking service, it is expected that spam will continue to be on the rise. In addition, Twitter offers an open application programming interface (API) and it does not require a valid email address when you are creating an account, which further increases the risk of spam. There are many different ways that spammers operate on Twitter, with more methods on the horizon as Twitter continues to grow.

Short URLs:

Although businesses promote their products through a subtle approach, spammers blatantly promote their business opportunities or scams on Twitter through the use of short URLs. Short URLs are used frequently because of the 140-character limit on tweets, so it is impossible to tell if the link is a scam or contains a virus, Trojan, or other type of malware.

Hijacking:

Hackers can hijack Twitter accounts by breaking into the account and using it to send out spam. Hackers usually target accounts that have an extensive list of followers so they can send out spam. This usually includes the accounts of famous people but it can happen to any Twitter user. One way around this is to avoid using passwords that hackers can easily guess but, like everything else, there is no guarantee.

Hash Tags on Trend Topics

Trending topics on Twitter are topics that are currently popular on Twitter. Spammers exploit the trending topic by adding a hash tag to a popular keyword in their tweet that is related to the trending topic. As a result, spammers increase the visibility of their tweets because they show up more often in popular searches.

Tweet jacking

Tweet jacking occurs when spammers reply to tweets by replying to your @username. When they reply or retweet, the messages appear in your timeline. Often the messages contain a short URL that replaces your URL and leads clickers to a porn site or, worse yet, a site laced with malware.

Follower Fraud

The success of your Twitter account is partially dependent upon the number of people that are following you. As mentioned earlier, creating an account is very easy, which encourages spammers to automate the process and collect a massive amount of counterfeit followers. The spammer then turns around and attempts to sell the account for a good amount of money and repeat the process to cultivate their spam group.

Twitter provides instructions on their site on how to report spam and abuse. There are also a number of Twitter spam applications such as TwitBlock and TwerpScan that will help you block spam and they are free for the asking.

Preventing Spam

There are some effective measures that you can employ to stop spam entering your inbox:

• Always use an updated and trustworthy antivirus program.
• Never share your email address and personal information like credit card details with an unreliable source.
• Avoid responding to any emails that you never asked for. If you receive such an email then delete it immediately.
• Try to avoid emails with the subject "need assistance or some funds", or any other catchy titles. And never, ever forward such emails since they could be targeted to obtain as many email addresses as possible.
• Whenever you need to forward an email to a group of people, make use of the BCC field, which enables you to hide the email addresses from each of the other recipients.
• Never mention your email address in newsletters or instant messenger chats.
• Switch off the reading pane in email clients such as Outlook. It can be done by View -> Reading Pane -> Off.

The Spam Solutions

Below are some proposed solutions to the problem of unwanted junk E-mail. In many cases there are levels of complexity.

NON-GOVERNMENTAL

Recipient Revolt:

At first Spam was related to unwanted mail by recipients, in E-mail and in the physical world. This has helped significantly to scare more legitimate companies away from using junk E-mail, and this is good.


Customer Revolt:

A very small minority of Spams come from places the recipient has had contact with, such as web sites they gave their E-mail address to or companies they have done business with. Customers fortunately have power over companies, and revolt and anger by customers is far more effective than anger at strangers.

Vigilante Attack:

Some have taken to more serious efforts, including methods that are illegal or which break net "rules." Mail-bombs and denial of service attacks, sometimes against the innocent, in particular are a bad idea.

Pattern and Bayesian Filters

Many mail tools now can filter out mail or redirect based on analysis. Some search for known patterns or the names of known junk mailers. Such systems are not a likely long-term solution. They can always be gotten around. It's just a war of escalation. As long as the patterns can be found out, as they can in any product, the mailers will learn not to use them.

Domain filters:

Many mailers now refuse mail from domains that don't exist.

Blacklisting:

Blacklist filters use databases of known abusers, and also filter unknown addresses. A real-time blacklist system is in place at some sites to block even the initial mail connection from known abusers.

White list Filters:

Mailer programs learn all contacts of a user and let mail from those contacts through directly. Mail from strangers is redirected to other folders or challenged. It may be discarded if it matches certain patterns. If users respond to challenge, their mail is delivered and they are white listed.
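The domain, blacklist, pattern and white list filters described above can be chained into one decision procedure. The following Python sketch is an added example, not code from the original paper; the class name, verdict strings, sample patterns and the injected `domain_exists` callable (standing in for a DNS lookup so the example runs offline) are all assumptions.

```python
import re
import secrets

# Constructed sample patterns; a real filter would maintain its own list.
JUNK_PATTERNS = [re.compile(p, re.I) for p in (
    r"get rich (easily|quick)",
    r"need assistance.{0,40}funds",
)]


class MailFilter:
    """Domain check -> blacklist -> white list -> pattern discard -> challenge."""

    def __init__(self, domain_exists, blacklist=()):
        # domain_exists: callable(domain) -> bool (assumption: injected here;
        # in production it would be a DNS lookup on the sender's domain).
        self.domain_exists = domain_exists
        self.blacklist = {b.lower() for b in blacklist}  # addresses or domains
        self.whitelist = set()                           # learned contacts
        self.pending = {}                                # token -> held message

    def learn_contact(self, address):
        self.whitelist.add(address.lower())

    def receive(self, sender, subject, body):
        """Return (verdict, challenge_token_or_None) for one incoming message.

        `sender` is only what the message claims; without sender
        authentication a forged address of a known contact would pass.
        """
        sender = sender.lower()
        _, at, domain = sender.rpartition("@")
        if not at or not self.domain_exists(domain):
            return ("reject-unknown-domain", None)
        if sender in self.blacklist or domain in self.blacklist:
            return ("reject-blacklisted", None)
        if sender in self.whitelist:
            return ("inbox", None)
        # Stranger: discard on a known junk pattern, otherwise hold and challenge.
        if any(p.search(subject + "\n" + body) for p in JUNK_PATTERNS):
            return ("discard-pattern", None)
        token = secrets.token_urlsafe(16)  # unguessable, so it cannot be pre-answered
        self.pending[token] = (sender, subject, body)
        return ("challenge", token)

    def answer_challenge(self, token, sender):
        """Release the held message and white-list the sender, or return None."""
        held = self.pending.get(token)
        if held is None or held[0] != sender.lower():
            return None
        del self.pending[token]
        self.whitelist.add(held[0])
        return held


if __name__ == "__main__":
    existing = {"example.org", "example.net", "bulk.example"}  # constructed data
    f = MailFilter(existing.__contains__, blacklist={"bulk.example"})
    f.learn_contact("alice@example.org")
    print(f.receive("alice@example.org", "hi", "lunch?"))
    print(f.receive("promo@bulk.example", "offer", "buy now"))
    verdict, token = f.receive("bob@example.net", "hello", "intro")
    print(verdict, f.answer_challenge(token, "bob@example.net"))
    print(f.receive("bob@example.net", "again", "follow-up"))
```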


Hide your address:

Many are reacting to Spam by refusing to reveal their E-mail addresses in public and sometimes even in private, for fear of a privacy-invading deluge of Spam.

Stop relay abuse:

Blacklisting open relays is just one technique to stop this abuse. Regular social campaigns have also helped, and all new mail software does not relay by default.

Voluntary Opt-Out lists:

Opting out means requesting to receive no Spam, either in a global "opt me out of everything" list (such as the DMA maintains for paper junk mail) or by requesting those who mail you to remove you from their list. Neither of these tends to work. Abusers are ignoring them or, worse, pretending to take requests and adding names to more lists. Opt-out is best implemented where possible at the mail protocol (ESMTP) level, so that undesired mail is never even sent if possible. This is most efficient.

Voluntary Tags:

Standards can be developed to tag bulk mail, providing headers or other information listing the number of recipients of the mailing, whether the recipient requested the mail, or whether the sender is personally known to the recipient.

Insisting on tags:

Tags become valuable if recipients start insisting that mail they receive be tagged, diverting untagged mail to a low-priority folder and, of course, diverting mail tagged in ways they don't wish to receive. Such a scheme requires that Spammers be honest. There is evidence that many would not be. However, it is possible that some laws may force them to be.


Digital Signature

For non-anonymous mail, a digital signature that verifies the sender has many uses. Many want this for other purposes. Such a signature can be used for reliable white listing and black listing. In addition, the signature can come with a digital certificate stating the sender has agreed to a certain code of E-mail ethics. Recipients might insist on such a certificate. Or the simple fact that the sender and their ISP can be reliably identified may be enough to make people willing to give E-mail access, with non-signed mail diverted.

E-stamps

Once a digital signature and digital-money infrastructure comes into play it is possible to implement an E-stamp scheme. Such a system works regardless of borders, and allows anonymous mail without abuse. However, it requires the build-up of lots of technical infrastructure and the redesign of mail systems.

GOVERNMENTAL

The following methods involve the government, but only as an enforcer of existing contract law or intellectual property law.

Enforce anti-fraud, theft of service, impersonation laws:

A good portion of Spams are illegal for other reasons. They make fraudulent claims. They claim to have "remove" lists but don't. They claim to be referrals from friends but they are not. They bombard systems, acting like a denial-of-service attack. They provide forged return addresses that are actually the addresses of innocent third parties. Already some lawsuits in this area have been successful. However, a significant number of Spams do not violate any laws directly, or they could remove their illegal portion without major loss.

Trade-mark/Fraud Enforced Tags:

A tagging scheme could be enforced by placing a valid trademark on the name of the tag, and allowing the mark to be used only by those who follow proper standards of E-mail ethics. Those who use it against the guidelines -- by lying in their tags -- could be sued and stopped. This can work, with difficulty, in many countries but not all. In general, mail must be authenticated as to where it comes from in order to be able to sue. Truly anonymous mailers can't be sued, though rarely can they provide a means to buy their product. It's also possible that lying on tags in order to get mail through to people for commercial purposes may be fraudulent in some fashion, and thus stoppable.

ISP User Contracts:

Already many ISP "terms of service" (TOS) call for E-mail codes of conduct. As this becomes more and more common, it may provide sufficient recourse. Today a problem exists since most ISPs, to market their services, use free trial accounts. They can't do anything with such accounts but shut them off. Users of free trials are not easily held accountable for violations of their TOS contract.

ISP peering contracts:

The internet works because ISPs "peer" (exchange data) with one another. ISPs may eventually refuse to peer with ISPs that don't have anti-Spam E-mail conduct codes in their TOS. It is unknown if this would be restraint of trade.

Open access only for agreement-bound users:

Perhaps the most suitable non-governmental scheme would involve ISPs only granting "open" access to E-mail ports on the internet to parties who have agreed to a code of E-mail ethics. All others, as well as anonymous mailers, would be allowed to only send mail to special relaying servers. The relaying servers would be programmed to mail for anyone (except perhaps unrepentant abusers) but would "throttle" the volume of E-mail to a level just sufficient for the needs of non-bulk mailers. I.e., the server would allow users on any given network or computer to send only a few messages per minute, per hour or per day.
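The throttling relay described above can be modelled as a sliding-window limiter that keeps one budget per source network. This Python sketch is an added example, not code from the original paper; the limits, the /24 and /64 grouping, the function and class names and the verdict strings are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed limits, constructed for illustration: (window in seconds, max messages).
DEFAULT_LIMITS = ((60, 3), (3600, 20), (86400, 50))


def network_key(ip, v4_prefix=24, v6_prefix=64):
    """Group hosts by network so that one network shares a single budget."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class ThrottledRelay:
    """Relays for anyone except listed abusers, within per-network limits."""

    def __init__(self, limits=DEFAULT_LIMITS, abusers=()):
        self.limits = tuple(sorted(limits))          # shortest window first
        self.abusers = {network_key(ip) for ip in abusers}
        self.accepted = defaultdict(deque)           # network -> relay timestamps

    def submit(self, source_ip, now):
        """Decide one message; `now` is seconds and must not go backwards."""
        key = network_key(source_ip)
        if key in self.abusers:
            return "refused"
        sent = self.accepted[key]
        longest = self.limits[-1][0]
        while sent and now - sent[0] >= longest:     # forget expired history
            sent.popleft()
        for window, cap in self.limits:
            if sum(1 for t in sent if now - t < window) >= cap:
                # A mail server would answer with a temporary failure here,
                # so a legitimate sender retries later.
                return f"deferred-{window}s"
        sent.append(now)                             # only relayed mail counts
        return "relayed"


def outbound(source_ip, agreed_to_code, relay, now):
    """ISP-side policy: open access for agreement-bound users, relay for the rest."""
    return "direct" if agreed_to_code else relay.submit(source_ip, now)


if __name__ == "__main__":
    relay = ThrottledRelay(limits=((60, 3), (3600, 5)), abusers=["203.0.113.9"])
    # Constructed traffic: (source address, time in seconds).
    for ip, t in [("192.0.2.10", 0), ("192.0.2.10", 1), ("192.0.2.77", 2),
                  ("192.0.2.10", 3), ("192.0.2.10", 61), ("203.0.113.9", 61)]:
        print(t, ip, relay.submit(ip, t))
```

Counting only relayed messages means a sender who keeps retrying while deferred does not extend its own penalty; counting every attempt instead would be the stricter variant.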

U.S. State Regulations

Some states are drafting and passing laws to regulate junk E-mail and other E-mail, ostensibly within the state. However, the laws are bound to (and supporters hope they will) have effects outside the state. While similar to the issue of multiple national jurisdictions, what's different here is that the U.S. Federal government may be given jurisdiction, removing it from individual U.S. States.

Required tags

Tagging as described above could be made mandatory by law on bulk mail from strangers. To send such bulk mail without correct tags could be a tort. Users would be responsible for filtering their own mail based on tags, and prosecuting violators. Tagging must not relate to content, lest it be compelled speech. Government enforced tags must be limited to entirely factual matters about the nature of the mailing itself, not the message. Some proposed tagging laws have been put forward. One suggests that the Subject line contain the word "advertisement." This is bad because it talks about the content of the message, and it's technically poor. Governments might simply provide penalties for lying with such tags.

Mandatory compliance with opt-out:

The law could compel senders of bulk E-mail to comply with an opting-out system. They could require that "remove" lists be faithfully maintained, or that a national opt-out list be supported. Better would be an ESMTP protocol to allow the expression of opt-out wishes, and a law compelling senders of certain types of mail to obey. In effect an electronic "no bulk solicitors" sign, with teeth, on the mail server. For technical reasons, because mail is often sent to a relaying server that will not know the wishes of the final recipient, a tagging system must also be in place so that the decision can be made further down the chain. One law proposed in California allows sites to opt-out with a web page policy. This does not easily allow individual user choice, or a formal way of obtaining opt-out/opt-in status.

Required identification:

Several recently proposed laws are asking for mandatory identification of the senders of commercial E-mail. Such laws would create greater accountability for abuse, but violate the right to communicate anonymously when parties desire it. Less restrictive are rules stating that if identification is false, it be marked as false.


Banning unsolicited bulk E-mail:

Banning single E-mails based on content is probably unconstitutional in the USA. Since it is bulk mail that is the source of the Spam problem (without computer automation of mailing to multiple parties, the volume of junk mail is naturally limited to a tolerable level) regulation should focus on that. It is possible that restrictions on bulk mailing, as so-called "time and manner" restrictions, might not violate the 1st amendment in the USA.

CASES:

• In the present world, political themes play a prominent role in online attacks, because political leaders appeal strongly to a wide audience and attackers take advantage of situations like these. The best example that could be described here is US President Obama. As the world counted down to the inauguration of the 44th President of the United States in November 2008, certain online spam senders used "Obamania" as a new way to attack. They introduced spam messages with a "presidential theme". The messages carried subjects such as "You must look at this, our new president has gone", "Breaking news, Obama refused to be the president of the United States of America" and "Breaking news there is no president in the USA any more". These spam e-mails contain a hyperlink which, when clicked, directs the user to a web page that looks similar to the official Obama-Biden campaign site. The files available for download from the site included names such as usa.exe, obamanew.exe, pdf.exe, statement.exe, barackblog.exe and barackspeech.exe. This piece of malware was identified under the name W32.Waledac and was capable, among other things, of harvesting sensitive information, turning machines into spam zombies and establishing a back door into computers that would allow them to be remotely accessed. Such threats are still in use among hackers today, tricking users into infecting themselves by displaying messages based on current events.


• A convenience sample of three hundred participant volunteers was selected from a wide variety of organizations and the general public. The age group ranged from 15 to 60. Of the participants in this survey, 71% were male and 29% were female. The ages of the participants were as follows: 38% between 15 and 21, 32% between 21 and 31, 12% between 31 and 39, 15% between 39 and 49 and 3% older than 49. A questionnaire was distributed and 300 responses were received. The results indicated that a large portion of spam concerned the marketing of products and services. Very few people benefit from spam. Most respondents just read the e-mail header and delete spam. Most of the public don't know of any software to combat e-mail spam. Most of them preferred to delete spam automatically. Much productivity is lost to spam. Spam is largely related to pornography, and parents are very worried about it. More than half of those surveyed said there should be a law to stop e-mail spammers.

Current Anti-Spam Legislation

USA:

In December 2003, President Bush signed legislation to help fight spam email. The bill, known as the CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003), preempts many provisions of existing state anti-spam laws, except where those laws cover fraud, deception, or other computer crimes. The Act took effect on January 1, 2004.

India:

No Anti-Spam Laws in India. CAUCE, The Coalition against Unsolicited Commercial Email, is an ad hoc, all-volunteer organization, created by Netizens to advocate for a legislative solution to the problem of SPAM. The Indian chapter of CAUCE is dedicated to nipping the spam problem in the bud in India, before it snowballs into a crisis.


Conclusion:

In January 2009, the region of origin of spam was analysed across the United States, Colombia, Brazil, Argentina, China, India, Turkey, Russia, South Korea and Taiwan. The United States has consistently been one of the largest sources of spam. 23% of spam messages originate from the USA. Colombia and Argentina have joined the top ten regions of origin for spam, while Brazil is in second place behind the United States. Ten percent of spam originated from Brazil in the last month. For the past few months, India and China have both retained their positions among the top regions of origin for spam. There are several reasons behind the shift in regional spam origin, but it is notable that investment in Internet and IT infrastructure for many countries spawns a massive growth in Internet users. Countries such as Brazil, India and China have a burgeoning middle class where Internet penetration is high and access to broadband is increasing. As IT security laws and regulations also vary widely around the world, an emphasis on security may not always be a primary concern.
