9.1.1.1. Opening and replying spam

We could consider that all users are equal in terms of spam exposure and understanding of the risks that such messages pose. Experience shows, however, that this is not the case in reality. Everyone understands that spam consists of unsolicited messages. But are these messages inconvenient?

According to a study conducted in 2009 by the Messaging Anti-Abuse Working Group – MAAWG (a working group established by the industry to work against spam, viruses and DoS attacks) – on a sample of 800 people in the United States and Canada, one in six users had replied to a message that they suspected to be an unwanted message [MAA 09].

The same study was reproduced in 2010 in North America and extended to Europe. The sample numbered 3,700 people and the study revealed increasing spam efficiency. According to the second study, half of the respondents stated that they had opened or replied to undesired messages three times more than the previous year. While some users indicated they had reacted by mistake, 46% of the respondents had deliberately opened messages they suspected to be spam.

A significant number of users (practically half of those who had opened the messages, according to the study) had equally engaged in dynamic behavior by either clicking links included in the messages or by replying to messages, either to unsubscribe or because they were interested in the products presented [MAA 10].

Such behavior is a door opened wide to incoming spam. One reply or click is enough for the address to be communicated to professional agencies that send large numbers of messages and it then becomes impossible to avoid receiving spam from such sources.

9.1.1.2. Address validation

In effect, a recipient becomes exposed as soon as he opens the unwanted message. Opening just one such message is enough (no need to reply or click a link in the message) to validate the recipient’s address and definitively confirm that messages can be sent.

Spammers use for this purpose web bugs, which are tags or images through which the sender gets the confirmation that the message was opened.

9.1.1.3. Nigerian scam

As we have seen above, the Nigerian scam, also known as 4-1-9 fraud, takes advantage of the users’ gullibility and greed by promising often huge amounts of money. Active reply to such e-mails, even when motivated by pure curiosity to understand how these crooks operate, is equivalent to accepting to come in contact with a mafioso network. It is proof of foolishness, or in the worst case, of unconsciousness.

9.1.1.4. Botnets

Practice shows that beyond the discomforts and inconveniences associated with spam reception, the two main risks of spam are viruses and botnets. Botnets are the propagation means most frequently used by commercial spam senders.

According to the study conducted in 2010 by MAAWG, 58% of the respondents had indicated that their computer had already been infected by a virus. While 47% of the sample members did not really know what a botnet is, 36% thought their computer might have been infected by a botnet, while 47% were convinced that this was not the case.

We could thus conclude that respondents had little or no knowledge about viruses and botnets and, at the same time, had in this respect a too confident, though naive perception. Moreover, the majority of questioned users thought that fighting botnets did not fall within their competence. When asked who should stop viruses, fraudulent e-mails, spyware and spam, 65% of the electronic mail users answered that this was the role of Internet access providers, 54% thought it was the responsibility of antivirus software development companies, and only 48% believed it was the users’ responsibility.

This ingenious attitude toward viruses, botnets and their effects is thus a fundamental dynamic factor of spam exposure.

9.1.1.5. Leaving electronic footprints while browsing the web or reading e-mails

Practice also shows that the users who frequently browse certain sites, such as those dedicated to sports, leisure, or other subjects, receive more unsolicited messages promoting products or services related to the activities displayed by those sites. For example, football fans who frequently browse sports sites often receive commercial spam promoting products related to their supposedly favorite team.

Professional spammers use data mining, market segmentation, consumer profiling techniques, cookies and other web robots to collect information that allows them to adapt the message so that it gets through the automated antivirus filters [STA 01, PAL 05]. This leads to a gap between companies, particularly those that activate in electronic commerce, and generates a large part of the spam and consumers. Consumers on one hand are not well informed referring to the new methods and techniques employed by the spammers and on the other hand, the latter are practically invisible to web and e-mail users.

Though dynamic and thus user-related, these elements are nevertheless difficult to control. It is therefore up to the users to be cautious when choosing the sites they visit.

9.1.1.6. Cookies

When a user visits a website, the site’s hosting server and the browser (for example Explorer, Google Chrome, Safari, Mozilla Firefox, etc.) exchange a set of random data generated by the server. Following this exchange, a visit log is created. This will permit the user’s identification upon his next site visit. This technique was originally developed to facilitate the development of e-commerce applications, such as shopping carts. Thanks to the shopping carts, visitors can save the information related to the articles they want to order before continuing their visit, being confident that this information will not be lost during the session or eventually during several sessions.

Cookies are also very useful for the sites asking for visitor authentication. Cookies store authentication data and visitors are not required to provide them at each site visit. They also store users’ preferences, such as language, currency they use, or other information elements they would rather not repeatedly provide at each session.

Nevertheless, there is a “dark side” of cookies, both in terms of security and in terms of protection of the private sphere. Let us take the example of the online retailer Amazon. When a user visits the Amazon website and it is not his first visit, and particularly when he is already a client, the site “recognizes” the visitor. He is greeted (being called by his first name), the information is provided in his preferred language, and he also receives product recommendations based on previous purchases or “browsing paths.” Every single click of the client in question is stored by the site. It stores and analyses personal data and uses them for client profiling. Amazon presently works on an algorithm that would allow their clients with works even “before” they had ordered them based on their personal data analysis.

Moreover, nothing indicates that the online retailer would not sell this data to other partner or affiliated providers. This is current practice, especially on social networks. Users of online retailer sites frequently find on their social network or usual aggregator (such as Facebook, Google or Yahoo!) advertisements related to products they viewed on retailer sites. These advertisements add to the already targeted elements, such as location-specific advertisement, for example.

While advertising seems to be part of the daily life of users browsing the web, the situation is different when the information provided to commercial sites and social networks feeds potential spammers databases, providing them with millions of addresses they can use in their campaigns. It is all the more different since messages could be targeted and formatted based on the recipients’ personal data, which will increase their chances to pass through the normal anti-spam filters.

9.1.1.7. Web bugs

Web bugs are generally small 1 × 1 pixel “images” that are embedded in the web pages or electronic messages but stored on specific servers (different from the visited page or the recipient’s mail server). When the visitor opens the web page that contains a web bug, the image has to be received by the other site and thus an exchange takes place, which allows the remote site to collect information on the visitor, visited site, time and date of the visit, etc.

Similarly, data is collected when a recipient opens and reads electronic mail containing a web bug. To have the invisible web bug “displayed” on the e-mail being read, the mail server launches a query to the remote server. This allows the spammer to collect valuable information: e-mail address validity, confirmation that the message has successfully passed through the filters and reached the target, the message was opened and probably read, reading date and time, number of readings (and so on, if the message was opened several times).

The message in question is not necessarily commercial spam. It may be a trivial message sent and received by mistake. Nevertheless, as soon as the message is opened, the web bug is activated and provides the spammer with information.

9.1.1.8. Address voluntarily provided to online services providers

It can also happen that users of online services willingly offer (or are incited to do so) their address to their provider. It is frequent practice for travel agencies, online ticketing services, online newspapers or journals and social networks, to give only several examples. While facilitating their users’ and subscribers’ subsequent visits, this is often associated with automatic subscription to newsletters, mailing lists and “partner promotional offers,” in short, exposure to multiple sources of spam.

9.1.1.9. Subscription to mailing lists

Above we have seen the bacn definition. Electronic mail users frequently subscribe to mailing lists reflecting their interests at a given moment. Over time, they continue to receive messages sent by these mailing lists while their interest fades away. They stop reading the messages received either because they find them tiresome or because their interest has shifted or the content of these messages does not meet their expectations anymore.

Nevertheless, these messages continue to be regularly sent and they eventually get in the flow of “useful” messages. In effect, they are difficult to filter out because the users have voluntarily subscribed to receive them.

9.1.1.10. Having a (too wide) social network

Social networks have recently become one of the main personal communication channels. They have also become powerful tools to establish and maintain personal and professional networks. Their development is such that it has become difficult to keep out of them, so strong is the pressure to publish personal or professional profiles, establish contacts, post notes, images, video clips, articles, or presentations.

However, while the success of networks such as Facebook, Twitter, LinkedIn, Viadeo, etc., are widely admitted, their real usefulness for professional purposes is still controversial. Nevertheless, many believe that online presence is a must, to the same extent that companies’ presence on the web was considered indispensable several years ago.

Whatever their opinions, all the observers agree on one aspect. Social networks lack “discretion” or, as we shall see further, discretion is probably the strongest asset when it comes to avoiding spam.

Three elements contribute to social network users exposure to spam. First of all, users are too trusting and publish too much personal information. Secondly, social network administrators tend to use the data they collect for commercial purposes. Finally, there are frequent security breaches and the users’ private data are exposed.

9.1.1.11. Users’ carelessness

The boom of information technologies, and particularly of mobile telephony and the Web, was accompanied by increasing trust of users in the networks and systems based on these technologies. Most average users, with little or no training in computer systems or telecommunications, are hardly aware of the real risks associated with ICT.

Thus, they become too confident, establish contacts with new “friends” or new “contacts” they do not really (or not at all) know and, hence, expose their personal data, including physical and electronic addresses, telephone numbers, hobbies and other elements that are highly valuable to potential spammers, profilers, etc.

They expose themselves to all sorts of spam.

9.1.1.12. Commercial use of private data

Users are not the only ones responsible for the disclosure of their personal data. Social network administrators sign commercial agreements with third parties that are interested in the data available online. Even though analyzing petabytes of collected data may be a challenge, modern techniques, such as big data, associated with segmentation and profiling methods, expose the users to an increasing number of commercial entities and multiply the probability to receive spam.

9.1.1.13. Mixing personal and professional contacts

In the ICT field, the main characteristic of the first two decades of this century shall definitively be the exponential development of social networks. Recent statistics indicate that social networks are replacing search tools in certain fields (hotels, restaurants and tourism, for example) little by little and that in time they could completely replace electronic mail as a tool for private correspondence.

Certain social networks, such as the best known Facebook, continue to be used essentially for personal purposes. Others, such as Twitter, serve for real time news broadcast on the Internet. Finally others, like LinkedIn, are instead used as professional networks. The variety, diversity, numbers, and reach of the social networks are limited only by imagination. In this field, technology no longer limits the individual’s creativity.

However, these tools continue to be developed and the majority of users are just at the beginning of the learning curve. This results in certain errors, which can expose users to spam and to the disappearance of boundaries between professional and private life. Some do not really distinguish their professional “contacts” from their “friends,” the persons they “follow” from the posts they “like.”

They are thus exposing themselves to friendly spam because of the mix of genres and roles from the public and private spheres.

9.1.1.14. Having conversations and chats

A large part of the electronic footprint comes from the traffic generated by users themselves. Some prefer face-to-face private conversations, others shine during meetings and still others pour out their souls on the telephone. While e-mail is the most used mode of communication in the professional environment, individuals use it in various ways. Some are frugal users, others use it like a “chat” tool, while others, perhaps unwillingly, are real spammers.

Our studies have shown that the more e-mail we send, the more exposed we are to spam.

9.1.2.1. E-mail addresses published on websites

Few individuals are really aware of their real presence on the web. In particular, a very limited number of people know how many times their address is published online. Even though they know the techniques that would allow them to avoid their address being detectable by web robots, few use them. Moreover, few of them check how their address is used by third parties, and if this use poses any risks to be exposed to spam.

Few employees are aware of the policies prevailing in their company. Are professional addresses published online, and if yes, how? Are there any lists of addresses published (consciously or not) online? Are address munging techniques such as firstname(dot)name(dot)organization(dot)com systematically used?

Some companies do not protect internal data properly. Entire data files are, sometimes, posted and can be freely accessed, and easily identifiable with search engines such as Bing, Google or Yahoo! These files may contain valuable information such as e-mail addresses, telephone numbers, etc., everything being in readily usable formats.

One can also find numerous documents that were initially drafted for reunions, and end up being posted on participants’ demand without preliminary “cleaning.” Most frequently, these are Microsoft PowerPoint presentations that contain contact information, especially e-mail addresses, which are offered to all the properly equipped spammers!

9.1.2.2. Security breaches

No week passes by without news about one more company, one of the top huge databases, announcing the loss of thousands, even millions of client, employee or other types of records.

This is often either the result of internal handling errors or, more and more frequently, organized theft that exploits security breaches. Hackers then resell these data to spammers or use them to create botnets, or even for immediate profits (like selling credit cards or Twitter accounts).

9.1.2.3. Viruses

I love you… On the 4th May 2000, millions of electronic mail users have received a similar message. The message subject was “ILOVEYOU” and the body of the message was empty, but the message had an attachment entitled “LOVE-LETTER-FOR-YOU.” Millions of users were intrigued by this message and opened the attachment, without suspecting that the message, apparently sent by a trustworthy third party, contained in reality a very powerful virus.

Hardly had the message been opened, when the attachment launched a malicious software that copied the virus on the victim’s computer, thus infecting it, and destroying a certain number of files and replacing them with copies of the virus and resending the malicious message to all the contacts found on the infected computer.

Such viruses are called worms, due to their propagation method, involving successive and autonomous copies of the malicious software, which use e-mail as channel of propagation on the Internet and computer networks.

These viruses are extremely powerful sources of hostile spam.

9.1.2.4. Bots and botnets

Once infected by viruses or malicious software, computers can become “zombies.” This means that they can be remotely controlled and used without their owners being aware. Professional spammers use hackers’ services to increase the reach of their messages by financing the creation of botnets, the networks of infected computers.

Figure 6.1 illustrates the mechanism used for infecting computers and then using them to send mass messages. Bots and botnets are very powerful tools for sending spam.

9.1.2.5. Data loss

With the increase in the use of social networks, online services, or cloud computing, the users’ data are increasingly often archived on remote sites, which are out of their owners’ and client organizations’ control.

However, trusting third parties with our data management or disseminating our information, and data on social networks or online data archiving sites is not without risks.

Symantec has recently underlined the risks inherent to the use of social networks and the possible losses of profile data, images, conversations content, etc. [RYA 11].

9.2.1.1. Professional address and personal address

The most frequent strategy consists of establishing a clear segmentation between different roles, especially between professional roles and private activities, by using different e-mail addresses. This method allows distinguishing between contacts depending on the respective roles and to communicate to each of them, an address corresponding to their category.

Full-blown integrators would probably not want to implement this separation, as the mix of professional and private contacts, or messages does not disturb them. By contrast, separators would use this method to facilitate the management of boundaries between their different roles.

9.2.1.2. Public addresses

A frequent, though easily avoidable, error consists of communicating our professional address during visits on websites, forums, or online services, for example, for private purposes. To avoid communicating both our professional and private addresses, an effective technique is to use a public address. This address is uniquely used to satisfy the online service providers who require an e-mail address to validate subscription.

Mark Rushworth, a professional of online marketing and search engine optimization, with an expert knowledge of web and its pitfalls, recommends individuals and organizations to use a generic address of the type [email protected] (where “sam” is, in fact, used instead of “spam”). All the e-mails received on this address could then be separated and analyzed in order to identify the spam sources and to take relevant protection measures [RUS 10].

9.2.1.3. Disposable addresses

Another method used for spam protection consists of using disposable addresses. The method is similar to using a public address, but, in this case, the user provides a different address for each of his services, websites, mailing lists etc. that require him to provide an address. Once this address is communicated to the service provider, and the verification (often compulsory) is performed, the user can retransmit all the messages received at this address toward a “real” address of his choice.

Thus, depending on the sender’s address, the user could determine what service or provider sends spam or has sold his e-mail address to partners or third parties (also spammers).

It is a very effective method, which may seem quite difficult to implement, as it supposes the maintenance of a list of correspondence between the “disposable” address and service or provider. This is why it is often replaced by a method that is even more radical. It consists of taking action at the very moment the disposable address starts receiving spam. The spam can, thus, be filtered out upon arrival in this inbox and, even more drastically, the link between this address and the sending address can be suppressed by not using the account affected by spam and, eventually, permanently deleting it.

9.2.2.1. Address munging

We have already discussed this technique, which consists essentially of avoiding the use of “@” and replacing it with “(at)” so that the sequence of characters in the address (for example fernando(at)lagrana.net) is not recognized as such (those of you this text as an e-book will probably note that the text editor recognizes [email protected] as a valid e-mail address but do not manage to identify fernando(at)lagrana.net, which is immediately identified as such by any reader).

We shall also note the possibility to replace the dot by the word “dot.” We could finally insert blanks in the address, and this could give us for example fernando lagrana @ itu.int. Finally, any combination of these three techniques shall render the robots’ tasks even more difficult.

9.2.2.2. Complex addresses

Robots do more than searching for the presence of “@.” They also use dictionaries. These dictionaries understand common first names and names, brands, names of e-mail services providers such as yahoo, gmail, hotmail and others. A robot would have no difficulty to identify an address like [email protected] and include it in a list of valid addresses. On the contrary, it would find more difficult to spot an address such as [email protected], for example.

9.2.3.1. Do not open suspect messages

The first rule is to never open a spam message. These messages may contain viruses or malicious software; Trojan horses can destroy or render the files stored on computers useless, gain access to the contact lists and put other persons or organizations under threat because of our negligence, etc.

This is a matter of common sense. The employee of a company or organization that is significant enough to have its own IT department should be informed about the procedures implemented (or to be developed) in case of spam or virus detection.

It is also desirable to avoid previewing the received messages. This function can open the door for web bugs and provide spammers with valuable information.

An effective method is to open the messages received in text mode rather than html (this option can be configured on most e-mail systems). This allows us to avoid the activation of web bugs and malicious software.

9.2.3.2. Do not follow links included in spam messages

Following a link included in a spam message poses two risks. On one hand, it indicates that the address is valid and reassures the spammer, who will continue sending these messages while the user exposes his account and his material to viruses and malicious software on the other.

9.2.3.3. Always treat messages from unknown sources as spam

As a rule, we cannot trust an unknown source or sender. They should be first submitted to analysis by a software that can identify eventual viruses, and carefully considered in order to detect if they aim at harvesting confidential or sensitive information. We should never engage in conversation when there is a suspicion of the Nigerian scam.

Furthermore, we should never forward such messages to other users. It is preferable to ask for advice from competent colleagues on our own computer than to run the risk of infecting other computers or accounts.

9.2.4.1. Handling friendly spammers

The first method consists of approaching the source of the problem, in general colleagues, who send too many messages. It may prove a delicate task to inform these colleagues that we do not want to receive messages from them, and this measure is certainly excessive. Nevertheless, with a good communication technique, and several relevant examples, we can generally become excluded from certain mailing lists that have excessive reach or pointless conversations.

A more flexible approach to such spammers’ correspondence is to redirect their messages to pre-identified inboxes or folders (one of these latter can even be the trash) based on rules of processing messages upon receipt (see above). Using a name specific file for the sender rather than the trash allows us to have a regular asynchronous and effective check in order to detect potentially important messages in the abundance of pointless correspondence.

A large quantity of messages often results from the abusive use of carbon copy messages, through a list of “Cc:” users. In this case, it is also recommended to redirect these messages to a specific folder, rather than leave them in the inbox. This technique involves complex management, notably when we want to follow a conversation on a given subject.

9.2.4.2. Checking policies and parameters for data protection

Most online services publish their confidentiality policy in the general terms, and very often, the user is invited to read and accept these terms upon registration. However, most users do not make the effort to read this information, notably because it is presented in long and off-putting texts, and displayed in windows that are difficult to view. This is, generally, the reason why users are poorly informed on the conditions prevailing in the exploitation of their personal data.

It frequently happens that the owners of commercial sites and administrators of social networks resell the data they collect from third parties, unless the users activate clauses that protect them against such methods. This is why it is worth verifying the confidentiality clauses and making sure that confidential information will not be exploited for commercial purposes.

Otherwise, it is prudent not to use the sites or social networks that have dubious confidentiality policies.

9.2.4.3. Checking our individual data protection parameters

It is not enough to check the confidentiality policies of social networks and online services. They are generally implemented through profiles that users can freely configure.

The user should, therefore, make sure that the parameters correspond to his personality, choices, rather than accepting the default settings provided by the administrators of the visited sites.

9.2.4.4. Carefully choosing our Internet service provider

The trust placed in online services has its starting point in the connection to the Internet. It is recommended that users verify whether their Internet access providers are reliable and serious, both in terms of confidentiality policy and in terms of data protection (their security conditions are sound).

9.2.5.1. Services Providers

A growing number of e-mail services providers, in particular web services, are filtering incoming messages and offering very powerful and “intelligent” filters. This requires proper discipline from the users. On one hand, it is advisable to check blacklisted messages regularly to determine whether the system’s choice was grounded or, certain messages were wrongly eliminated while on the other hand, it is advisable to notify the filtering system when a spam message passed through the filter and reached the inbox, by signaling it correctly as such, instead of simply deleting it.

9.2.5.2. Organizational Filters

Filters implemented in companies and organizations are a double-edged sword. On the one hand, they are generally very effective and prove to be sound complements to the filters of operators’ networks while their use requires the implementation of appropriate practices on the other.

Thus, in some companies, employees ignore the very existence of these filters. In other companies employees are aware of the existence of these filters, but cannot adjust them to their individual situations and profiles, either because they ignore that such a possibility exists, or because they do not know how to use it, or because the company policy does not allow them to use it.

The following question then comes to mind “Is employee e-mail filtering legitimate? Should an entity be authorized to implement filtering systems upstream of its employees’ inboxes?”. Certain observers consider this filtering an attack on their private sphere. Others consider that employees should determine whether a received e-mail is acceptable or not. It is an interesting question, which we shall endeavor to approach in our future work.

9.2.5.3. Rules

Individual rules applicable to the personal e-mail box are also very powerful. They are even particularly useful for filtering friendly spam. Automated filters at the level of networks, access suppliers or organizations are powerless in front of this form of spam. Individualized rules contribute to strengthening the safety net.

Let us take the example of Angel Rafran, who plays squash during his lunch break. He can, thus, expose himself to friendly spam, either from his squash partners or related to his hobby, and these messages will load his professional inbox.

The most widespread e-mail systems, such as Outlook (Microsoft), Thunderbird (Mozilla) or Mail (Apple) propose “actions” or simple “rules” that help the user to manage and filter spam. The available tools include automatic transfer to “intelligent” boxes of the messages coming from certain colleagues (squash partners, for example), or on specific subjects (squash). Using these tools allows filtering the messages from these friendly spammers eliminating the need to specifically ask them to curb their sending.

The rules offer a possibility to identify, sort out, reject, or put aside, archive, or on the contrary, specifically flag messages depending on the sender (individual, mailing list or address), presence of certain words in the message subject or content, recipient (main or carbon copied?) etc.

Furthermore, rules facilitate bacn management, sorting out in the most effective way the messages are received as the result of subscriptions to mailing lists, RSS feed, or e-mail alerts.

They also allow us to discriminate between messages depending on their size, sending date and eventual presence of attached documents as well as their type.

It is, therefore, recommended to learn how to use these tools. The lists of rules have to be maintained regularly to keep them in line with the evolution of prerogatives, areas of competences and user preferences.