Feeds

Spammers break law with covert tracking

They couldn't care less

  • alert
  • submit to reddit

High performance access to file storage

Many spammers are ignoring laws forbidding them to insert covert tracking codes in their messages, according to a survey by out-law.com, the IT and ecommerce legal service arm of law firm Masons, and network security outfit iomart.

The survey highlights how spam messages often contain covert tracking codes which enable senders to record and log recipients' email addresses as soon as they open a message.

Such spamming techniques, often used by spammers to identify active accounts, are well known. Although iomart's investigation yields a little more insight into this (more anon), we'll draw your attention first to Masons' assessment of the effectiveness of laws on unsolicited commercial email.

The Law and Spam

There's certainly no shortage of UK legislation applicable to spam. Depending on how the email addresses were obtained and the manner in which spam is sent, there may be a breach of the Data Protection Act.

Also relevant is the E-mail Preference Service, a list to which people can add their email addresses to say that they do not want to receive email marketing - although it lacks any legal weight, Masons' reckons.

Then there are the UK's recent ecommerce regulations, which mandate that all unsolicited commercial email must be clearly and unambiguously identifiable as such.

A European Directive on the protection of privacy in the electronic communications goes further than this. It requires that the UK to ban all forms of unsolicited commercial communications (emails, text messages, faxes or telephone calls) aside from those sent through opt-in lists. The UK is obliged to introduce laws to this effect by November.

419 fraudster taken to court for spamming? Don't make us laugh

Plenty of legal bullets to fire against spammers then, we may think? But these laws are nearly unenforceable, Masons believes.

"The problem with the type of spam that clogs up our inboxes is that the people sending it could not care less about the law," says Shelagh Gaskill, a partner at Masons.

"Much of what they're promoting is illegal anyway, so they're not going to take much notice of laws from the UK, EU or anywhere else. Occasionally, a spammer will be caught and successfully sued. But this is not a viable option for most people."

"It's important that there are laws against pure spam - it must be deterred; but it's also vital to protect the right of companies to market their products legitimately. The best way to deal with spam is not in court; it has to be found in technology," she adds.

Technology is the answer! Not

Ah technology, yes. But as even iomart (which like world+dog is developing filtering technology itself) admits spam filters are unreliable. Filters sometimes lead to the "loss of legitimate business communications, unless someone examines all filtered email," (which kind of defeats the object), iomart warns.

To investigate spamming techniques, iomart set up dummy accounts to find how people's actions on receiving spam affected how much crap they subsequently received.

It found that 83 per cent of unsolicited commercial HTML emails sent to these accounts contained hidden tracking codes that notified the spammers as soon the messages were opened.

Opening such messages (even in the Outloook/Outlook Express preview pane) results in yet more junk, natch, thanks to information gleaned through the hidden tracking codes.

After a two-week period of opening all the spam it received, iomart's team found the volume of spam received by the dummy accounts virtually doubled.

Next, the team 'sterilized' the spam flowing into the decoy accounts, using iomart's technology to remove hidden tracking codes. During the next few weeks there was a slight but steady decline in the mountain of spam being received.

iomart (unsurprisingly) concludes spammers use hidden tracking codes to target further assaults. For a third trial period, spam email was bounced.

Predictably, based on iomart's earlier findings, there was a marked drop in the number of spam emails being received.

The decrease in spam emails started almost immediately, and after about two weeks the volume being received had decreased by about 40 per cent. iomart did, however, notice an increase in the number of domain spam was originating from.

It reckons this was a sign of spammers trying to fox blocking mechanisms based on domain name alone.

After all this iomart's basic advice is simple: do not open spam if you want to minimise it.

Iain Richardson, a software developer with iomart, comments: "A lot of spam is evident from the subject header and sender's name. If you suspect it's spam, the easiest thing to do is to delete it - otherwise you're letting the senders know that you exist and you will receive more."

Indeed.

But to all spam messages are easily recognised as such, which leaves the option of applying filters. But spam filters are far from perfect...

Hang on a minute, isn't that where we came in? ®

Related Links

The spammers are watching you, Masons/iomart survey
Show 419 spammers what you think of them with our exclusive T-shirts, from Cash 'n Carrion

Related Stories

We hate Spam (email your friends)
Climbing Spam Mountain
Porn spam on the rise
Where the heck is aall this spam coming from?
Plaid up in arms as Commons spam filter bans Welsh
Anti-spam filters kill legitimate email
BTo anti-spam move kills its users' mail servers
Messenger Pop-up Spam makes us sick
Europe bans spam
Text spammer fined £15,000

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.