If you feel like your inbox is suddenly overrun with spam again, you are right.
Not long ago, there seemed hope that spam had passed its prime. Just last December, the Federal Trade Commission published an optimistic state-of-spam report, citing research indicating spam had leveled off or even dropped during the previous year.
Instead, it now appears spammers had simply gone back to the drawing board. There’s more spam now than ever before.
In fact, there’s twice as much spam now as at this time last year. And the messages themselves are causing more trouble. About half of all spam sent now is “image spam,” containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don’t even use e-mail. About one-third of all spam is stock spam now.
“Traditional methods have failed spammers, so they are resorting to more and more sophisticated tactics,” said Dave Mayer, a product manager at IronPort, which makes anti-spam products.
The tactics are working. There are 62 billion spam messages sent every day, IronPort says, up from 31 billion last year. Now, spam accounts for three of every four e-mails sent, according to another anti-spam firm, MessageLabs.
Image spam is a big part of the resurgence of unwanted e-mail. By using pictures instead of words in their messages, spammers are able to evade filters designed to detect traditional text-based ads. New computer viruses have also contributed to the uptick, particularly a surprisingly prolific Trojan horse program called “SpamThru” that turns home computers into spam-churning “bots.”
Some small organizations are having real trouble with the spam surge, IronPort officials say. One county government office called the firm after its mail server shut down. “(It) could not even slowly process mail,” said IronPort spokeswoman Suzanne Matick. “They ended up with no mail going to their 7,500 users for seven days.” She declined to identify the agency, citing confidentiality agreements.
Of course, there wouldn’t be this much spam if it didn’t work.
Concentrated stock spamming has the ability to send share prices of penny stocks soaring, said Graham Cluley, a consultant for computer security firm Sophos.
“They absolutely storm up in value. And then there’s the inevitable fall,” he said.
Last summer, California-based Southern Cosmetics was forced to issue warnings to investors after spam campaigns touting shares of the company. During one such campaign, the firm’s stock value rose from below 1 cent per share to a high of 6.6 cents.
The Securities and Exchange Commission has prosecuted some spam pump-and-dumpers, and on other occasions, has suspended trading in firms after it spotted a spam campaign. But the agency can hardly keep up with millions of stock spams each day.
Attempts to manipulate stock prices through e-mail are nothing new, said John Reed Stark, chief of the Securities and Exchange Commission’s Office of Internet Enforcement. But despite the agency’s “hefty track record of bringing cases” against spammers, the technique persists.
No clicks required
Stock spam is effective because no Web link is required, Cluley said. In old-fashioned spam, criminals generally try to trick recipients into clicking on a link and buying something. Many e-mail programs now block direct Web links from e-mails, rendering click-dependent spam much less effective. But stock messages merely have to make the recipient curious enough about a company to motivate him or her to buy a few shares through a broker.
There is another element that helps perpetuate stock spam, Stark said – he believes speculators unrelated to the original spam sometimes try to “play the momentum” surrounding a spam campaign – either getting in early on a pump-and-dump campaign to profit as shares rise, or by “shorting” stocks, betting that they will fall after the spam campaign flames out.
“There are all these people pushing the envelope in sometimes desperate ways to try to make money,” Stark said.
Image spam, which seems now inseparable from stock spam, can arrive entirely devoid of text, but that’s not common. Most messages have what appears to be nonsense text pasted above and below the image. Experts call this “word salad,” or “good word poisoning.” Below this story, we’ve pasted some examples of what we call “spam haiku.” Here’s one:
“I thought I was Train cars derail, catch fire in KentuckyMassive fireIdol begins this week!”
‘Word salad,’ or not-so-random text
The word jumble is generally borrowed from news headlines or classic books like Charles Dickens’ “David Copperfield,” the text of which is often available online. The seemingly random text actually serves an important purpose – to foil or confuse word-based spam filtering. Many spam filters determine the likelihood that a message is spam based on the individual words in the body of the e-mail. The presence of obviously spammish words like “Viagra” or “sexy” tilts filters to categorize a mail as spam and block it or route it to a junk mail folder. But because normal conversational words tend to persuade filters that a message is legitimate, spammers paste in bits and pieces of text to fool the filters. There’s debate about how well that trick works, but there’s no debate about how much word salad there is – it’s everywhere.
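The word-based scoring described above, as an added illustration that is not part of the original article: a toy naive-Bayes combiner showing how pasted headline text dilutes a score built from every word, and how scoring only the most decisive words limits that dilution. The per-word probabilities, the sample messages and the function names are constructed assumptions, not values from any real filter.

```python
import math

# Constructed values: P(spam | word) as a trained word-based filter might
# store them. Illustrative assumptions, not measurements from a real corpus.
WORD_SPAM_PROB = {
    "viagra": 0.99, "sexy": 0.97,
    "kentucky": 0.20, "derail": 0.25,
    "thought": 0.30, "train": 0.30, "fire": 0.30, "week": 0.30,
    "cars": 0.35, "catch": 0.35, "massive": 0.35, "idol": 0.35, "begins": 0.35,
}
UNSEEN = 0.40  # assumed probability for words the filter has never seen

# Constructed samples: a bare ad, and the same ad with headline-style padding.
BARE = "sexy viagra"
PADDED = BARE + (" i thought i was train cars derail catch fire in kentucky"
                 " massive fire idol begins this week")

def word_probs(text):
    # Each distinct word counts once, so repeating a word adds no weight.
    return [WORD_SPAM_PROB.get(w, UNSEEN) for w in sorted(set(text.lower().split()))]

def combine(probs):
    # Naive-Bayes combination, computed as a sum of log-odds for stability.
    log_odds = sum(math.log(p / (1.0 - p)) for p in probs)
    return 1.0 / (1.0 + math.exp(-log_odds))

def score_all_words(text):
    return combine(word_probs(text))

def score_top_words(text, n=5):
    # Keep only the n words whose probability is furthest from neutral (0.5).
    ranked = sorted(word_probs(text), key=lambda p: abs(p - 0.5), reverse=True)
    return combine(ranked[:n])

if __name__ == "__main__":
    for label, msg in (("bare", BARE), ("padded", PADDED)):
        print(f"{label:7s} all-words={score_all_words(msg):.3f} "
              f"top-5={score_top_words(msg):.3f}")
```

With these constructed numbers the padded message falls below a 0.5 threshold when every word is counted but stays well above it when only the five most decisive words are scored.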
Spammers continually refine and combine their techniques, said Doug Bowers, senior director of anti-abuse engineering at Symantec. The firm recently found spam attached to legitimate newsletters that appear to be from big companies, including a Viagra ad atop a 1-800-Flowers e-mail newsletter and another on an NFL fantasy league letter. Such e-mails are simply spam masquerading as authentic, with real content borrowed from legitimate companies. They are similar to phishing e-mails, and so are much more likely to be opened by recipients than traditional spam, Bowers said.
“They craft an e-mail that looks like a newsletter, but change as little as a single line and insert an image,” Bowers said. “As in phishing, they are copying the look and feel of the legitimate e-mail.”
One way companies are combating image spam is to turn off all images arriving in inboxes. But that can be a draconian measure, as it will cut off pictures of grandchildren, too.
Never Invest Based on Spam
Consumers can sometimes spot image spam without opening the message, thanks to hyped-up subject lines like this: “MHII.OB Best terms and conditions for your investments.”
Spotting spam before you open it is a plus – sometimes spam messages contain small images that report back to the sender as soon as a message is opened, teaching the spammer that your e-mail address is valid. More spam is sure to follow.
But in some cases there is no way to tell if a message is spam without opening it. So for now, the best defense consumers have is their delete key – and a heavy helping of skepticism when investing based on anonymous tips.
The SEC’s Stark puts it bluntly: “Never invest based on spam.”