11% of people...
"11 per cent of people admit to having bought goods in response to spam messages". Fuckwits. Shooting's too good for 'em. Seriously.
Spam celebrates its 30th birthday on Saturday (3 May). On that day in 1978, 393 Arpanet subscribers were sent what's reckoned to be the first ever spam email1 in history (the message itself was written on 1 May 1978). DEC marketing rep Gary Thuerk came up with the wheeze which produced a fierce backlash from Arpanet (military …
"11 per cent of people admit to having bought goods in response to spam messages". Fuckwits. Shooting's too good for 'em. Seriously.
The sad truth of the matter is that we are blighted with spam because it works for the bad guys.
We may all roll our eyes at yet-another-letter-from-NIgeria, the endless waves of fake Rolex offers, weight loss pills, and unwanted mortgage loans.. but the only reason these things get sent is because *some* people *occasionally* respond to spam and make a purchase.
What we really need to do is educate more people to NEVER buy, try or reply to spam. The dudes at SophosLabs put a little video together today hoping to raise awareness of the need to never buy goods advertised via spam:
Maybe the readers of The Register are immune from the lure of spam emails, but can we say the same of everyone in our family? Is it our Aunty Hilda's innocent clicking and purchasing of penny stocks what is perpetuating the spam problem?
I still have my Green Card Lawyers -- Spamming The Globe T-shirt from the first organized effort to stop spam by denying spammers a UUCP connection. This was back in the days when system admins thought they could cut off spammers air supply. 1993 I think. But there was always someone willing to forward spam for money. Sigh.
If 20% of the population is online (1.3 billion/6.5 billion) and 11% of people admit to buying from spam, then more than 50% of internet users buy from spam. This seems rather high.
It is more likely that the universe of Sophos' survey was not "people".
Because this number doesn't show up on any real monitoring tools I have access to. I think one client peaked at 55% spam, where another never really got past 40%. My own domain never got past 60%.
My clients and I subscribe to Messagelabs, who provides actual statistics. I can't say the same for Sophos.
Not that Messagelabs is much better. In 2001, Mark Sunner claimed that one in ten (10%) of e-mail would have viruses by 2007/2008, and one in two (50%) by 2013. Their own tool identified, what, 0.32% (one in 312) e-mails to my domain had a virus in 2007/2008.
Sunner's prediction was off by a factor of 31. And these guys supply realtime virus and spam data.
I'm sure not going to believe any predictions from Sophos, who only have pretend numbers, if the guys with real numbers make such outlandish predictions themselves.
Spam persists because of the astonishing return on investment that it generates.
Buy a CD full of e-mail addresses for a tiny amount per addy, splash some cash on some quality time in your favourite Internet cafe, and bring a few pennies for the coffee to drink while watching your mass mailer do it's funky thang, and *BAM* you just sent 100,000 messages. Or more.
If just ONE moron replies / responds / rushes out to buy your product / convinces their girlfriend it will change their private life (delete as applicable) - your time has been gainfully spent. And Deity-of-your-choice knows there are enough morons in the world, daytime TV is proof of that...
Awareness campaigns are all very wonderful, and I appreciate the effort that some people are making to reduce the spammers' incomes... but they'll never eliminate spam, because of this oh-so-tempting ROI. Which is of course even greater when the 'product' concerned doesn't actually exist...
Mines the designer label overcoat that goes so well with this suit...
11%? I knew SOME People must be buying spam-vertised products, but that high? - Over 1 in 10?
How can we possibly combat this with numptys like them on our side?
Until every god-damned soul on the internet learns to blackball - not blacklist - any companies who use spam, then I'm afraid we may be fighting an unwinniable war....
just like some f*ckwits will trust people like G.W.Bush, Tony Blair or organised religion.. There will always be idiots.
Sophos's figure of 95% of email is spam comes from our spam filtering software and appliances at companies worldwide. We count the amount of legitimate email they receive, and we count the amount of spam they receive. And then do the maths to get a percentage.
Of course, individuals may have varying experiences.
We polled 390 people in November 2007. 11% said that they had bought goods advertised via spam.
Hope that helps.
I don't know why people don't like spam.
I'm now $4 million richer because of my new friend in Nigeria.
My dick is 3.75cm longer with much more pleasing girth thanks to these great pills I found through spam.
My new Rolex will be arriving any day.
What is there to complain about?
The 11% does come from an online poll of 390 people. How they were selected / asked to participate isn't clear.
Also, I'd wonder how many of the kind of people who might answer "Yes!" to "Have you bought spam advertised products?" entirely understand the difference between spam emails and marketing emails resulting from them handing their details out to a legitimate company (who might have passed them on to an associate).
"A young Richard Stallman was among the minority who suggested DEC's mass message was nothing to get upset about."
Really? His exact words were "Well, Geoff forwarded me a copy of the DEC message, and I eat my words. I sure would have minded it! Nobody should be allowed to send a message with a header that long, no matter what it is about.". Rather nice to think that he was more bothered about the email software than the human recipients. A true hacker. :)
The 390 people were selected by a process of sending out a spam email to 100,000 people. Of the 390 that replied, 11% admitted to buying from spam.
5% of those who replied also asked when their commplementury Rollexx watch would be to be despached from Nigeria.
Hope that amuses.
Contrary to popular belief, there *was* email before Arpanet, only it was mainframe based. And at least one system I worked on categorised 'telebulletins' as Sales Promotion and Marketing (SPAM), along with Commercial, Personal, and Management COMM PERS and MGMT.
The poll was run on our website. According to the marketroids, the typical make-up of people who come to our website are IT specialists and system administrators (as we don't have a consumer product).
I expect they know the difference between spam and "legitimate" marketing emails - but who knows..
We've published links and more information on the Sophos Spam Pledge page at http://www.sophos.com/pledge
So 11% of people who answer surveys admit to having bought stuff that was spam advertised. Or maybe, since they are survey answering folks (BTW This is coming from me, a guy who bins paper surveys, ignores online surveys, barges past people with clipboards, and lies when forced to answer) , they think all emails threatening to sell stuff are spam.
I did, however, fork out a fiver(?) for Jacaranda Jim back in the day and still consider it to be money well spent. Many Thanks for that, Mr Cluley.
Paris would have known what to do in the Toilet.
...who would believe numbers published by a company who sells anti-spam solutions? It's in Sophos' interests to add to the scaremongering about people being suckered by spam. They're hardly likely to say "nah, spam's not a problem, it's irritating but hardly anyone falls for it. But spend $2k on one of our anti-spam boxes anyway", now are they?
"Please bear in mind that this poll is not scientific and is provided for information purposes only. Sophos makes no guarantees about the accuracy of the results other than that they reflect the choices of the users who participated"
So that's 11% of people who responded to an email invitation to do a poll - sounds like the gullible being led by the nose and a vast overestimation.
By the way, if it's not scientific it has no information content, so there is no 'information purpose' - pay some researchers to do it properly.
Full disclosure: my company sells Sophos products, and their competitors.
I can say the same for Sophos: I can get full statistics from my installation. 95% is about right for my domains at the moment. Service industries have a nasty choice: publish an email address and get LOTS of spam, or stop providing email service.
I think Mark Sunner failed to anticipate the change to criminality in attacks: mass outbreaks don't make money, so we see more trojans, less viruses, and drive-by downloads put the malware on websites, not in email where it can be caught be Messagelabs scanners, and count for the prediction. This is what often happens when you extrapolate too far.
Bill Gates' prediction was overconfidence to the point of stupidity: predicting a quick victory over a motivated, intelligent opponent, but he isn't the only prominent American to have done that in the past few years..
Of course, the real origin of spam was over 2700 years ago: the Chinese King You of Zhou (reigned 781 BC - 771 BC) used his military beacon network to amuse his concubine, Baosi. When the kingdom was really attacked, the army no longer responded to the beacon and the Western Zhou Dynasty fell.
[flame icon, because beacons are a genuine binary system]
"How they were selected / asked to participate isn't clear."
They replied to an email.
I think you hit on one of the problems - Major name-brand "legitimate" companies are using mass market E-mailing campaigns that give the sense of establishment to SPAM. I'm sure that I get both SPAM and "targeted marketing campaigns" from the same companies sometimes - how could one tell the difference there?
And really IS there any difference?
People should not buy things that are "pushed" or hawked to them. They should use forums, reccomendations, advice and price comparison to make informed decisions. If its not worth this, then you really don't need it.
We not only have to not respond to SPAM, but also have to ignore targeted E-mails as well.
Maybe while we are all at we can all stop clicking on ANY banner ad that blinks, hops, moves or otherwise makes itself annoying. What is wrong with a static picture ad? I'm trying to read the data I'm interested in, I hate these childish sideshow tactics of grabbing my attention -- enough already
The 11% will be of those surveyed, all of which would have to be internet users to qualify. Therefore it doesn't follow that 50% of internet users respond to spam.
I completely agree with David Wilson's comment that quite a few of those respondents wouldn't be able to distinguish between spam and opted-in retail communications (whether opted in intentionally or not).
We just have to accept that some people are just so stupid that they either don't care or don't realise that responding to the spam makes the problem worse. Education is the only way to go, and even that's not going to go that far.
I would imagine theyre compiled from many different sources. You wanted numbers though, here's an example. A randomly-chosen server I manage has received 107,624 inbound delivery connections between 7:26am today and 18:28 this evening. Of these, 98,794 were rejected immediately at SMTP time for various anti-spam reasons (mostly sender verification failures or being sent to known blackhole recipient addresses).
This leaves 8,830 messages that actually arrived on the system over those 12 hours. Out of these, 3,395 were then filtered by SpamAssassin with a variety of different rulesets, however it's reasonable to assume that all of these messages were in fact junk.
The overall result of that is that out of 107,624 inbound messages submitted to this random mailserver over 11 hours, roughly 5,435 actually ended up in users' inboxes, and it's a fair bet some of those were still junk. By my count that's 5.04% of mail that was delivered as "legitimate", or a rough figure of 94.96% junk.
Not far off the figure Sophos arrived at, i'd say.
Because there are enough gullible people out there to make it a viable industry.
Same with Windows. There are enough gullible people out there for Microsoft to make a slow and buggy OS and they still rake in billions.
>>"The poll was run on our website. According to the marketroids, the typical make-up of people who come to our website are IT specialists and system administrators (as we don't have a consumer product)."
>>"I expect they know the difference between spam and "legitimate" marketing emails - but who knows.."
So something like 11% of *IT specialists and sysadmins* buy as a result of actual spam emails, not just legitimate marketing stuff?
Unless there's a fair chunk of BOFHs there buying stuff on the boss's credit card, or people deliberately mis-answering the survey for joke or darker reasons, those *would* be pretty scary figures.
A quote from his message:
"Must I advertise in a paper in every city in the US with population over 50,000 and then go to all of them to interview, all in the name of fairness? Some people, I am afraid, would think so. Such a great insistence on fairness would destort everyone's lives and do much more harm than good."
Here RMS is complaining about people forcing their fairness on others, yet what does the GPL do?
Your analysis makes a lot of sense.
I think the 95% is misleading to most users because they don't see what goes on "behind the inbox" at the SMTP server-level.
I would guess that 95% is a pretty accurate number. I have one client who is averaging 99.468% spam. From 17 Mar to 15 Apr, they received 2,283,349 messages. Of those, GFI MailEssentials detected 2,271,209 as spam (which still isn't all of them, because there are still spam messages which get past the filters). That leaves 12,140 possibly legitimate messages.
Of those 2,271,209 spam messages -- 2,179,780 were directory harvesting (non-existing recipient addresses); 7,098 failed SPF; 2,338 failed spam URL blacklist; and 74,233 failed Bayesian analysis.
If you exclude the directory harvesting messages and only include properly addressed and received messages, that's 103,569 total messages minus 12,140 possibly legitimate messages, resulting in 91,429 spam messages (88.27%).
Ch-klick... HOCK! OOOOORRRRAAAAAAYYYY!!!
"...RMS is complaining about people forcing their fairness on others, yet what does the GPL do?"
A tad unfair, methinks. You don't *need* to use GPLed software. Most of us do need to put up with spam.
That 90% share of the market that Windows has? Nearly all have got email addresses (pumping spam, worst luck) and hardly any have GPLed software. I'll go out on a limb and say that the average computer user finds it dead easy to live without GPLed software but living without an email address would defeat one of the principal reasons for their having a computer.
I think that sounds about right as a percentage of the gene pool that needs some chlorine....
I always thought the first spam (vs UCE) appeared on Usenet (early '90s?) where two US lawyers cross-posted advert-laden messages across thousands of groups. Cross-posting on its own is a capital offence on Usenet but advertising as well! Regardless of the flame war they created, the two mother lovers were proud of their stunt.
My point is at the time there was differentiation between UCE (what is now email spam) and Usenet spam. I don't really see the need myself but some pedants at the time were quite adamant about insisting on the correct terminology...
Oh yeah, clicking on and/or buying from a spammed link should be punishable by public boilng.
Lets break it down here.
Cost of sending a single spam e-mail: $0.00. Building a botnet doesn't cost money, just takes some coding skill and time. Even if it costs $10,000 you can then use that net to send out billions upon billions of e-mails.
If your spam generates $2 per "sale" you only need 5,000 people to fall for it to make profit. Then until your botnet is caught (months? years?) you can keep sending any veriety of junk e-mail you want for effectively no cost.
There is no effective "retalliation" for spam. E.g. lets say us "smart" net users agreed that every time we recieved a spam e-mail we would feed the domain into a script that just hammers the site to death thus preventing sales....all it takes is one person to put "www.theregister.co.uk" into their spam and no more register.
I'm all for the charge $0.01 per e-mail idea suggested before. make people buy $10 of credit, and once they send 1,000 e-mails they need to top up the account. No more spam.
I just polled the pepol in my office and I can confendly say that 0% of the populatoin respond to spam emails buy this logic spam will be dead b y next mounth I will pridect with certainty
It usually consists of:
Dear Sir or Madam,
Thank you for your nice email. However, I am completely happy with the size of my penis, and therefore have no need for your product.
As for the term SPAM, I though it was an acronym for something. can't remember what "S" stood for, but the rest was "Processed Automated Mail".
I always open spam, even if the silly key breaks off. Just love the bits of jelly and the compressed meat in the tin.
Judging by your spelling alone... I think you're writing most of the spam I get!
Maybe we need an annual spam Day, when all ISPs switch their filters for a day so that instead of blocking spam emails they let them through and just change the subject line to "Buying products advertised in spam emails is why there is so much spam." Or leave it like that permanently. People who know how to set up their own local filters based on the subject line are probably more likely to know not to buy from spammers anyway.
And also in full disclosure, I don't consult for ISPs. I mostly consult for small to medium sized businesses with their own e-mail setups, one or more Exchange servers, for instance. I can say that the numbers I posted were consistent with those SMBs.
So, everyone who posted numbers supporting Sophos' claim: Good job. Thanks again.
Here are some other things to consider with these numbers: How much spam is for invalid addresses? I don't mean addresses that were valid at one point but then became invalid (such as a user rename or a user leaving), but rather, addresses that are, seemingly, intentionally invalid. This would include otherwise valid addresses with one character missing, or an extra character added, to the username.
I might have had numbers closer to Sophos' numbers if I factored in e-mail for invalid addrdesses. I don't see that e-mail anymore because ML doesn't accept mail for them.
We use Pure Message and our email admin said that it was running at about 95%, Last year it was about 90%, or about 97,000 out of 105,000 messages received.
Really, spammers are deluging the net with a tsunami of spam. Problem is that, due to filtering, the users see few of the spams and think that the amount is actually much lower.
How much spam is for invalid addresses?
Difficult to say, particularly if you want to separate obsolete addresses from "intentionally invalid" addresses (and what about address guessing: sales@, accounts@, info@...). After staff leave, there's a grace period when the messages are redirected to their manager or replacement, then, when there are no more useful messages, the address is made invalid, like any other invalid address. Also, I think the SPF check is happening before the recipient check, so messages from an invalid source AND with an invalid recipient won't be counted as having an invalid recipient.
So, FWIW, the statistic I can give:
Messages rejected for invalid recipient: 3.9% of total messages, during the last 7 days.
Less than I would have expected. Perhaps I've missed some other factor, or spammers are fairly efficient at targeting real addresses.
In one client's logs, prior to implementing ML, I saw a massive number of dumb things like "12345_validuser@example" and "0validuser@example" and "aliduser@example" (missing first character) -- this was what I meant. I don't know about businesses outside my scope of influence, but no one I knew had addresses like that on their own domains.
Of the 95% of e-mail that Sophos claims is spam, how much of it is destined for addresses that never have and never likely will exist?
We used to stop these with a 550 Invalid User response, until spammers started using automated guessing bots against them. Then we started accepting them and bounced them later, only to cause a reverse flood to some hapless soul whose address happened to be in the MAIL FROM command. Now we're eating messages we'd normally bounce. I still don't want to include such messages that are "permanently undeliverable" in any realistic spam statistic.
Nowadays I'm fine with giving spammers a 550 response, because anything that gets past ML has to look so un-spammish that, if I deemed it to be spam, I could put the sender in the "go away and don't come back" list and have it work.
By the way, who in Hades is "Doron Pely" and why is she trying to sell me on Homeland Security related stocks? To a Canadian, no less?
A quick look at today's logs shows 722 (attempted) message deliveries, 37 of which were legit, the rest rubbish: which works out at 94.87%.
From SANS' "NewsBites" email newsletter:
"Edward Davidson has been sentenced to 21 months in federal prison for tax evasion and sending spam. Davidson sent hundreds of thousands of spam messages with falsified header data over a period of nearly five years. According to authorities, Davidson made US $3.5 million sending the spam for a number of companies;" It goes on to say he has to pay $700K to the IRS.
So his tax rate is less than mine, AND his income is substantially higher to boot? Now all we need to be told is that his prison time won't be spent in the "pound me in the..." prison the guys in Office Space feared so much.
Biting the hand that feeds IT © 1998–2018