Study: 95 percent of all e-mail sent in 2007 was spam

(Credit: Barracuda Networks)

There was a time--2004 to be precise--when spam "only" consumed 70 percent of all e-mail. Those were the good old days. Today, as Barracuda Networks' annual spam report shows, upwards of 95 percent of all e-mail is spam. In 2001, the number was 5 percent.

We've come a long way, baby.

Ironically (or not), the United States' Can-Spam Act has done absolutely nothing (zip!) to stop the spam onslaught. It has come to the point that, as a separate Barracuda survey of 261 business professionals shows, we increasingly prefer telemarketing to e-mail spam. (I find that I'm much more willing to give my home address and phone number than my e-mail address these days. You?)

Some salient numbers from the reports:

• The Barracuda Networks study, based on an analysis of more than 1 billion daily e-mail messages sent to its more than 50,000 customers worldwide, found that 90 percent to 95 percent of all e-mail sent in 2007 was spam, increasing from an estimated 85 percent to 90 percent of e-mail in 2006;


• Barracuda Networks' poll also showed that 50 percent of users received five or fewer spam e-mails in their in-box each day. Almost 65 percent received less than 10 spam messages each day, while 13 percent were inundated with 50 or more spam e-mails daily. (That's me, unfortunately.);


• Spam is becoming more sophisticated. Barracuda Networks found "that the majority of spam e-mails in 2007 utilized identity obfuscation techniques";


• Spammers also increased the usage of attachments, such as PDF files and other file formats in 2007.

• 57 percent of respondents view spam e-mail as the worst form of junk advertising, close to double the 31 percent that cited postal junk mail. Only 12 percent chose telemarketing;



What is to be done? I suspect, as Dana Blankenhorn has written, that the spam problem is not an individual's problem. It's a community's problem and, hence, a community response is arguably the best way to resolve it. There are interesting open-source projects that leverage the power of community to identify and block spam.

(Credit: Barracuda Networks)

But what about adding to this with a social-networking approach? I've written before about the role one's address book could play in building online trust networks, and how these same networks could be used to block spam. Following the six degrees of separation argument, I could presumably create a massive "white list" of allowable e-mail senders by linking my friends (and their friends, and their friends...) Everyone else? Blocked, until they become part of the network.

The point is that collective intelligence is likely better than an individualistic approach to combating spam. When we start pining for the "good ol' days" of junk mail and telemarketing, we clearly need to find solutions. Filtering probably isn't going to cut it.

[Amadal1]

Surveying normal users will gravely under-report the amount of spam because most users never see the bulk of it. As owner of a domain, I get over 3,000 spam messages a day. Some are bounces from failed deliveries of spam that was sent by someone else as if it came from my domain, some have been sent to common domain recipients (such as sales@), but most are just random as if my email addresses had been harvested. I use whitelists to get most of my messages into active mailboxes, but any left over email is forwarded to my junk folder so I can examine it because, alas, legitimate messages often get eaten by standard spam filters.
I wonder how long it will be before the spam comes in faster than I can delete it.

[vashachiroku]

I found the best way to fight spam is just join in. I buy 20 products from each email I get, now if we have everyone buying 20 of their projects, they will run out of products to sell and wont email anymore!

[geofffeldman]

There is something wrong with the study if in 2001 only 5% of e-mail was spam. By 2001 the majority of my e-mail was spam and I am sure that I was not so atypical. My curiosity is who actually buys stuff in response to spam? Obviously people wouldn't spam if no one ever responded, but no one has ever "confessed" to me that he or she spent money in response to spam. Is there anyone in this forum who would like to share his experience with buying something from a spammer. BTW I define spam as a marketing e-mail where the sender and receiver have had no previous relation. For example I do not consider the targeted marketing e-mail that I receive from amazon.com to be spam as I have patronized them in the past(I recently bought a book in response to an e-mail from Amazon). I decided to share my spam experience. In my inbox I have 6 e-mails this week that have survided my spam filter and 20 that didn't. Only three are legit, so that is 3 out of 26 or 11%. I think I deleted some spam from my inbox too this week. 13 of the 23 spam e-mails were for RX's the bulk of which were sex-related(Viagra or *****-enhancers, etc.) 6 were porno, 2 on-line gambling, one on-line college degrees and an on-line store that makes replicas of brand-name watches. I have been using e-mail regularly since 1988(we called it BITNET back then) and I never received spam until 1999, shortly after I voted on-line for baseball's All-Star team and had to enter my e-mail(maybe just a coincidence, who knows?).

[geofffeldman]

I have long noticed that one thing that makes spamming a novel form of marketing as opposed to junk mail or telemarketing is that it is free! It costs money to pay someone to make phone calls and it also costs money to send junk mail. Thus telemarketing and junk mailing need a minimum response rate to be profitable, while perhaps a spammer can make a profit even if just one out of a thousand respond to his e-mail. I have considered thus as an option to require provider's to charge a nominal fee, maybe a penny per message, for each message sent to each recipient. That way if you send 5 e-mails a day you pay $1.50 a month, if you send 1000 a day, $300 a month. This would not affect the behavior of most "normal" e-mail users but would be a strong incentive for spammers to at least try to target those recipients most likely to buy.

[rcrusoe]

Since 2004 when Mr. BG stated ""Spam is a major security problem... We hope this problem will be under control within two years," we've seen spam at my company climb from approximately 70% of all messages to its current level of 99.5%.

Fortunately our users see almost none of this in their Inbox. But the cost of the bandwidth to handle this onslaught and the technology to block it continues to increase.

However, I disagree with those that prefer telemarketing to e-mail. I give out my GMail address rather than my phone number. Google's filters do an excellent job, and anything they miss is usually stopped when the messages are auto-forwarded to my personal domain.

[PlexVector]

Since Time Warner Roadrunner has implemented their new spam policy several months ago at the ISP level my spam went to zero. I read their policy online and it makes a lot of sense, and other ISPs I hope will follow. I've read in past analysis that the only way to really combat spam is at the ISP level, rather than the user. I've actually turned off my spam filters! I have also read that some ISPs have stopped sending bouncebacks to help alleviate traffic.

I have several aliaes that I use. I never use the main account, I have one for registering with trusted web sites, one for websites I'm not sure about, and one for personal communications with friends. It makes it easer to manage if/when an e-mail gets compromised. Only the one that was used for personal use did I ever get spam on due to it being farmed by viruses on computers of unsophisticated friends. Unfortunately, people forward e-mails without cleansing the e-mail addresses first.

[sandradayoconnor]

The average click through rate for most spam is generally accepted to be 2%. If you consider the cost for sending spam, a 2% response rate is grossly profitable.

Spam works. Spam works because people, both the sender and receiver, are greedy. "Oh! This is a GREAT deal! I just HAVE to click through to take advantage of this!" Bingo. Spam continues.

I would like to believe there is a way to stop spam. I would also like to believe that world peace is possible. Given the sterling nature of humankind, I'm not holding my breath for either.

[Toulinwoek]

I have never had nearly as much problem with spam as the Internet as a whole is claimed to be mired in, but I'm not denying the size of the problem, though I am a bit skeptical about 95%. Maybe that's just my experience reflected in my opinion.

What I'd like to know is, what is the percentage of the idiots who keep spam alive by buying into these various offers? As has been stated, spam is profitable, but that can only be so if enough people are buying what the spammers are selling.

[only_truth]

There are some emails that I just cannot receive because Verizon cuts them off. Others however sneak through. The problem with your whole Six Degrees of Separation theory and White Listing is that eventually everyone will be included in the network - even spammers. That's the whole point of the theory: that everyone can be connected to everyone else. Some emails that I want could be considered spam to other users; it all depends on user preference.

[mopeon]

Uh, how do you think you get half that spam? One of your friends' contact list! Your 'friend network' (a) would not stop spam at all and (b) already exists via facebook, linkedin, myspace, etc.

You need to shut this down at the source, not the recipient. But you can use the recipients, in coordination with legal/financial disincentives, to make a wholistic system.

The real solution, IMHO, is that when human users choose to designate emails in their inBox as Spam then the address/IP/Header/Subject/Content all goes to a mega/community database and if that same message gets treated similarly by a threshold # of humans, say a few hundred empirically determined, then that info is added to the spam list and is accessed by all mail agents for auto-filters. This is for emails that make it past the spoofing/EHLO filters.

Benefit of 'human-eyesd' black-list accessed by query-only:
-Registrars of multiple offending domains can be prosecuted. (e.g. DynamicDolphin is registrar for 98% of the 30 spams I get every day).
- Registrars/hosting services/ICANN can review (legally mandated) and disconnect offending IP Addresses and domains. (note this is post spoofing, so no damage there).
- Contact info (namely name and phone number) of whois records listed and Registrars can opt for phone verification of registrants. This would add cost to serial spammers who hop around domain registrars as they would have to keep getting new phone numbers.
- Mail agents can build better lists for auto-filters that go beyond 'cleverly' selected keywords or validation algorithms.
- White-lists managed by the BBB (in US) or the WTO (globally) of legitimate businesses can be easily cross-referenced against this list.
- Get ICANN to actually DO something about spammers.
- Offender appeal process to get off this list would be rather straight forward, since spoofs don't hurt them.

What'smore, design the full datawarehouse to be easily, privately accessible by Fed/FTC/FCC agencies so they can directly see is getting loaded up and prosecute directly, assuming CAN-SPAM is modified.

oh4real