I have chosen to focus on the so-called “4-1-9 Scam”. Do you know the 4-1-9 scam? It is a confidence scam. Here is one variation: an e-mail that offers you a windfall profit if you help liberate money from some deposed African head of state’s bank account. It is a pervasive form of spam.

My research question is: What makes the 4-1-9 scam effective? My hypothesis is that the scam is the result of three things: greed, ignorance and apathy. I have organized my work into fifteen questions and answers about spamming and scamming. The answers will help support my hypothesis which I will expand on afterwards. Links point to original sources throughout the essay.

1. What exactly is spam?

According to The American Heritage^® Dictionary of the English Language (4^th edition; Houghton-Mifflin), the term ‘spam’ is defined as ‘unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail’. The term is also a verb, denoting the act of sending such e-mail. The definition gives the term’s probable etymology as ‘inspired by a comedy routine on the British television series Monty Python's Flying Circus, in which the word is repeated incessantly’.

Spam can be the slang equivalent of the term UCE (unsolicited commercial e-mail) but it is more than that. Spam may also be non-commercial in nature. It may be political, religious or a simple chain letter. The 4-1-9 scam is an example of fraudulent spam.

SPAM, coincidentally, is a trademarked, spiced ham product of the Hormel Foods Corporation. According to a SPAM Web site, the company does ‘not object to use of this slang term to describe UCE’.

2. Who started spam? When?

According to the Wikipedia, the first non-commercial spam was sent on January 17, 1994 by Clarence L. Thomas IV. Its title was ‘Global Alert For All: Jesus is Coming’. Laurence A. Canter and Martha S. Siegel posted the first Usenet UCE on April 12, 1994. Given a broad definition of spam as unsolicited e-mail, one can imagine that these were not the first instances.

The first case of the 4-1-9 scam started in the early 1980s. This predates the Internet.

3. What percentage of all e-mail is spam, specifically UCE?

Estimates and research methods vary. One report by Brightmail, estimated 40% of all e-mails were spam in 2002, up from 8% in 2001. Coincidentally, it sells anti-spam software, so it has a financial interest in the figure. According to the Cobb Web site, 45% of emails sent in 2003 were spam. Finally, the Government of Canada cites Brightmail statistics that show month-by-month increases up to 63% (cached version here) as of March, 2004.

4. Is all unsolicited e-mail spam?

This is by true by definition. Yet, one person’s spam is another person’s welcomed e-mail. I think it is important to emphasize that spam is hard to define because there can be legitimate reasons for sending e-mail to unknown people. Are the ‘informational’ e-mails at UNC spam? I do not think so.

According to Brightmail, the Symantec anti-spam section, if the sender ‘has no discernable relationship’ with the recipient, then the e-mail is spam. Brightmail adds that if e-mail is sent ‘mistakenly’, then it is not spam. Those statements may be true at the same time, so spam is not defined exactly.

5. What do people think about spam?

Attitudes could vary from happiness to anger. I find this area has not been researched enough. Is spam a loathsome thing? We can assume it is for most people, most of the time, while also remembering the times when people appreciate receiving so-called spam.

One thing missing from this research is the attitude of spammers and spam recipients. It represents an interesting topic for study because knowing spam’s appeal to them can help with prevention and policing. Regarding UCE specifically, one can assume the appeal is easy money.

6. Who likes spam?

According to eWeek Web site, a Gartner Group study found that ‘except for the senders, no one likes spam’. This is a clear finding. Writing personally, I find some spam can be amusing and, sometimes, a welcome diversion to my online work. If people buy the products and services offered in spam, then spam may hold some added appeal for them.

Of course, when spam is used for fraud, such as the 4-1-9 scam, then criminals like it. The criminals may include government officials. It is a cost-effective way of marketing a product and/or service, so business people like it, too.

7. Who sends spam?

If one uses the wider definition of spam, as any unsolicited e-mail, then any person or organization can send spam. They may not even know that it is spam if they sincerely believe the correspondence is for the benefit of the recipient.

Many e-mails have a disclaimer ‘This is not spam’, but it likely is. The sender is certainly a spammer. Both legitimate and shady business people do engage in UCE mailings. Criminals send spam e-mails, such as the 4-1-9 scam.

According to a BBC News article, PCs in the U.S.A. are responsible for 35% of spam, but this figure is decreasing. PCs in South Korea account for 25% of spam worldwide. The BBC cited research by Sophos.

Wikipedia offers this list of famous spammers: Serdar Argic, Howard Carmack, Alan Ralsky, Scott Richter, Sanford Wallace. Some of these people, like Argic, sent spam to Usenet Groups. Recently, I have have received two unsolicited instant messages from 4-1-9 scammers. These examples show how the people who send spam are adapting their commercial and non-commercial messages to various platforms.

8. What companies facilitate spam e-mails?

They call themselves direct marketers. According to Spamhaus, ‘The (American) Direct Marketing Association ("The DMA") is a pro-spam group, not an anti-spam group, whose mission is to advance the interests of junk email senders’.

Here is the Canadian Marketing Association (CMA) Web site and information about its code of ethics. Its code provides guidelines such as this: ‘If you do not have an existing relationship with an individual, you must obtain consent prior to sending a marketing e-mail to that individual’. So, one should send an unsolicited e-mail, ask for permission, then send other e-mail. These particular guidelines are voluntary and based on self regulation. Both the DMA and CMA champion self regulation.

ComputerWeekly Web site had an article titled The value of email in marketing. It includes this advice about spam:

‘There is a fine line between good marketing and spam. However, there are several questions you can ask yourself to determine which is which. If your customer didn't ask for it and it has no clearly discernable value (other than as sales information), then it is likely to be considered spam’.

One thing that I note is, if there were several questions, none were asked. Another is that, again, the marketers decide what ‘clearly discernable value’ is. Does a Web site like ComputerWeekly actually facilitate spam by publishing these guidelines?

9. What is a spam list?

People who send spam need e-mail lists. It is simply a list of e-mail addresses. These lists must be compiled and used ethically, according to the CMA. In the CMA’s Compliance Guidelines, we can see that only those with an existing relationship with a seller may be on the seller’s mailing list. ‘Existing relationship’ means that the receiver and sender have had business together in the past six months or the ‘normal’ life cycle of the product/service. For example, that means about eight years for a car or a year for Spring-cleaning services. The CMA allows adding the names of those who have given consent to receive e-mail. How long does the consent remain valid? It is not clear.

10. Who gets on a spam list? How and why?

In the CMA’s Compliance Guidelines, we can see that only those with an existing relationship with a seller may be on the seller’s mailing list. ‘Existing relationship’ means that the receiver and sender have had business together in the past six months or the ‘normal’ life cycle of the product/service. For example, that means about eight years for a car or a year for Spring-cleaning services. The CMA allows adding the names of those who have given consent to receive e-mail. How long does the consent remain valid? It is not clear.

Spammers, direct market association members or not, can make or acquire a list of e-mails. They can use a computer program to scour the Internet and compile a list. If your email address is published online, then one of the robotic programs can harvest it. These days, I see many instances of people writing ‘AT’ instead of using the ‘@’ mark. Is this effective?

Spammers can send emails to every possible e-mail address and assume that those that do not bounce back are existing e-mail addresses. For example, in Japan, mobile phones can receive e-mail. A mobile’s default e-mail address used to be the mobile number, ‘@’ and the carrier’s domain (e.g., 09000000001@k.vodafone.ne.jp). This meant that everybody could make an e-mail list of 100 million addresses in Vodafone’s prefix range starting with 090. These days, a typical default e-mail prefix looks like this wm8n80cbfjv4bbst1ga2. So, this can have one million times 26 to the power of 14 possible combinations. This can be termed a ‘dictionary attack’.

There are other techniques. According to InfoWorld, e-mails can be gathered by exploiting e-mail protocols. By simply opening an e-mail, one can confirm one’s address is valid, as well as inform the sender of the time, and even the place the e-mail was opened. Another way to get e-mail addresses is to create a phony address removal service from spam lists. Finally, e-pending is a list-creation technique that involves appending e-mail domains to hard copy lists of names.

11. How can people get off a spam list?

Theoretically, you can just send an e-mail and ask for your name and e-mail be deleted from the list. You need to know that your name is on a list. You need to know where to send your request. You may need a special form to fill up. Again, some opt-out and removal e-mails are operated by unscrupulous people who may be spammers.

Some sites are clear about the duration and use of one’s address on their mailing lists. Often, the sites delete your name automatically after a certain period of time. Should it be my responsibility to ensure my addresses removal from a mailing list?

13. How do spammers able to beat anti-spam software?

Drupal.org is the official website of Drupal, an open-source content management platform. It is a good resource for a beginner to learn some of the key words and concepts. On the bulletin board, any fundamental question is OK to ask. My first choice for technical information was http://www.Slashdot.Org, but that site was difficult to navigate. When I finally found the articles on Spam, they were too technical for a beginner.

What I did learn is that, in the current environment, spammers and anti-spam companies are not evenly matched. The question is not how spammers beat anti-spam software. The question is how well anti-spam software finds spam.

Brightmail claims to have a 99.9999% success rate: ‘with an industry leading false-positive rate of fewer than 1 false positive in every 1 million messages identified as spam.’ That figure is based on research from the Yankee Group. On its main technical page, it offers specific details; in fact, the software has a 95% effectiveness (eWeek) in identifying spam. So, 5% is let through, minus the unlucky 0.0001% falsely labeled as spam.

Information on that 5% is hard to find. Brightmail distinguishes ‘first-time spam’ that it addresses ‘proactively’. How does it do that? It also notes that ‘some of the filters are ‘reputation-based, examining the source of the email’. Others sift through the message content, applying signatures or heuristics technology.’ Given that sending spam is free, not much thought is put into it. Brightmail seems to boast of getting 95% of sloppy work. If the spammer uses the same sending address twice, then Brightmail can catch most of it. If it is a ‘first-time e-mail’ then all bets are off.

Another eWeek article titled Cash Pours In for Internet Security Providers is not cited. Brightmail was bought by Symantec for 37000000 dollars in 2004. There is a lot of money in dealing with spam after it has been sent.

14. What is the 4-1-9 scam?

The "4-1-9" fraud is named for section 4-1-9 of the Nigerian penal code. There are clear explanations of this confidence scam on a U.S. Secret Service, 419 Coalition and Quatloos Web sites. The last site contains the most basic information about the 4-1-9 scam, examples, advice, model responses and more. The entire site is dedicated to Internet fraud of all types. The writing style and mood seem both playful and serious.

I have received 64 4-1-9 letters since February 6, 2005 and 40 made it into my main mailbox. These e-mails, and the information at the Quatloos Web site, are the reasons that I chose this research topic. The U.S.A. Government issues advisories like this one. Is it enough? The 4-1-9 scam is, above all, something that survives in shadows.

A number of people respond to 4-1-9 e-mails and instant messages. These people are willing to believe the business proposition and pay money to sort through the inevitable fees. It is truly a matter of greed over fear and common sense. Still, these people do not deserve to lose their money. Some are killed in countries like Nigeria, Ghana and Brazil. According to Unspam, the 4-1-9 scam is worth millions, can be tempting and may be the second-largest industry, after oil, Nigeria.

15. What is the possible future of spam?

Spam may be the hated relative of unloved TV commercials, banner ads and pop-up windows. Spam has expanded to every platform: e-mail, instant messaging and mobile text messaging. It will expand to every future platform. Anti-spam software solutions are not bound to fail, but cannot succeed, either. Software companies will always fight for rank and tout success rates. In fact, the ex-post-facto approach is misdirected.

Controlling spam before it is sent is a better approach, but one that may not be adapted because the Internet is an international phenomenon and cooperation is needed in all corners to advance good policy. For example, if sending an email cost money, that would be effective, but every country online would have to agree to some pay-per-send program. I pay X yen to my ISP. I would gladly pay a nominal price for every email that I send. Would you? Spammers would not enjoy the cost-benefit reality of a pay-per-send word.

What cable TV is to ‘free’ TV is what the future of the Internet should be. I believe that an Internet-mail business model will become more popular but not replace the current ‘free’ one. I think my MSN account does a better job of protecting me than my preferred Yahoo! one. I can limit e-mails to those from trusted senders.

In some cases, such as Yahoo!, spam profits are made by people and organizations that “fight” spam (e.g., the Anti-Spam Technical Alliance). It is a curious thing. The spammers are so motivated and zealous, and the volume of spam is so large, that even if 1% of the e-mails were opened, it represents a boon for a company like Yahoo! Yahoo! sells advertising space based on the number of views. Why would they be so motivated to stop spammers?

-----------------------------------------------------------------------------------------

Spam bugs me. Personally, I do not think about spam unless it wastes my time. I often open e-mail that has nothing to do with me. Then I get angry about the wasted ten seconds of my life. Apparently, by opening a spam e-mail, I have alerted the spammers of my presence. These spammers are unscrupulous. They may or may not be highly skilled, but they are lucky.

4-1-9 scammers can count on people being greedy. They can count on some of those people being lonely and misguided. Most of all, they are lucky because of the ignorance of the public and the apathy of interested parties that can help.

Answer #1 shows ignorance. Professionals that can help do not define spam precisely because they are not disinterested parties. They may work for companies with a conflict of interests. Answer #3 shows Brightmail has a conflict of interests. If it eliminated spam, then its thanks would be going out of business. So, the lack of a clear definition and scope leads to Answer #7 being unclear. Who sends spam? If spam is defined as unwanted communication, then all ubiquitous pop-up ads are spam.

One can assume apathy in Answer #5. Who cares to survey the public about its attitudes towards spam? Organizations would be asking the questions and organizations profit from an uniformed public. Asking questions raises awareness. What is more, Answer #13 leads to a question for so-called anti-spam software companies; namely, how has spam profited you?

Answer #14 shows that, without safeguards, con artists will find newer, more inventive ways to satisfy their greed. There are a lot of them and the scope and severity of fraud, and even murder, cannot be underestimated. They use the cover large corporations give them. They are what organized criminals are to many, so-called legitimate businesses: family.

// posted by Hui Liu @ 5/01/2005 11:00:00 AM