UNSPECIAL No 625 JANUARY 2004 - JANVIER 2004

Spam, Spam, Spam
A nice tune for a pain

Interview with Louis McCaul, Chief of the Information and Communication Technology Service (ICTS)

What is spam?

Well, spam is a term used to define unsolicited email, but the origin of the word “spam” is from Monty Python’s song “spam, spam, spam, spam”, and the actual term comes from that. But basically, it is used to define any unsolicited email from a source that you do not know.

How does it get to your mailbox?

It is sent by individuals or companies who have obtained or “made up” your e-mail address. This can be done in many different ways. There is web-based software which does “email harvesting”. It actually searches the web for email addresses which have been left on web sites. Another way is programs which automatically generate e-mail addresses. Many of these addresses are wrong but some are right, and one of them may be yours. The worst thing you can do is actually reply to one of those emails, saying: “take me off the list”. That is the classic thing: they put at the bottom “unsubscribe” from the email lists. Because once you press the unsubscribe button, they know that it is a valid email address. And so they spread that to even more people.

How many Spams are there?

At the moment, there are varying figures. I would say, according to statistics, that something like between 30 and 50% of all email is spam. It is huge. I think we are relatively untouched here. It is not as bad as in lots of places. The worst thing is that globally they cost a lot of money, something like 8 billion dollars per year.

What do you mean by cost?

When you send an email, or when you receive an email here in the Palais, it comes through our gateways, into our network. It gets stored. It uses our connections to the Internet; so all of that costs us money. If 50% of the traffic is spam, then effectively, 50% of what we are paying for could be wasted. So there is real cost. And the main thing about spam is that real cost is totally borne by the person who is receiving the email. It costs nothing to the person who is sending it.

Who are the people who are sending it?

Nobody knows for sure. For example, there are over 300,000 different places advertising Viagra on the Internet; many of these send spam. That is only for Viagra, but it can be anything from insurance to construction, to sex, to anything you can think of. They would not do it if it did not work. People buy things which they see advertised in these messages, or they visit the web sites. There was a spam a while ago from Nigeria offering different ways to make money, obviously illegal. But that worked as well: there were cases in the United States, and probably other places as well, of people actually having fallen for it, so people are making money out of this kind of activity. The other aspect of it, of course, is the directly malicious aspect, where recently some spam contains viruses or worms. People attack other networks by including worms or viruses in their spam.

What is the difference between viruses and worms?

A worm is something which propagates itself; it does not necessarily do damage on your PC. A virus will get into your PC and normally do some sort of damage. A worm tends to work its way through the network, like the last worm we had that propagated itself to the extent where the whole network became full of it and stopped running.

What can be done?

Not a lot, actually. We can invest a lot of money in installing hardware and software, strengthening the perimeter at the edge of our network, but what we are effectively doing is spending money; we are not stopping the spam from arriving at our servers, because you have got to collect it to know it is spam. There are two schools of thought: whether you should block it and just throw it away, or whether you should send it through. And I always feel uncomfortable about blocking email because you can never be 100% sure that it is spam. The day that you block an important email is the day when you can have serious problems. So, effectively, yes, you can filter, you can decide that it is spam, and you can either block it or send it on to the user, who then can go into a special folder, and the user can decide that it is spam and delete it. All you are doing in terms of our own environment is adding to costs. We are helping the user, but at what cost? Because it means putting in the infrastructure filtering, managing and it still gets through. So it still fills up the disk, it still uses the bandwidth for the Internet, it still ends up on a hard disk somewhere. It needs somehow to be blocked or identified as spam before it gets to our network.

Legally, what can you do against spam?

Some countries have just introduced new laws. The first prosecution took place last month in California. A company got fined 2 million dollars for sending out spam. So, effectively, they are trying to legislate against it. Of course, there are people who would say, well, this goes against the idea of freedom of speech, you should not legislate against those kinds of things, but I think they do have to legislate against it. But to legislate against it, you have got to really define exactly what it is, and I think some people are having problems with that, with the definition. The issue with that is, of course, the Internet being what it is, people would just go offshore, outside of Europe or the States, and send them from somewhere which is not under those legal restrictions. I don’t think it will reduce the amount of spam, but it may eventually make it easier to identify.

What is the effect on the UN?

I guess the UN reflects what is happening in the rest of the world. The effect on us is more or less the same as in other places. Personally I don’t get a lot of spam because I never use my workplace email address anywhere. I always use an external address – such as Yahoo, Hotmail, or one of the other commercial providers. But I know people who get hundreds of spams per day. So, clearly they waste a lot of time on deleting them, and if you don’t delete them, then you have them sitting in your mailbox, on the hard disk somewhere; we back it up to tape; the cost is substantial.

What happens if our email address is published?

If your email address is on a website somewhere it could get “harvested”, or if your email address gets published, like in our telephone directory, then if somebody gets hold of that directory, they have got 3.000 valid email addresses. Clearly you should never ever use your working address for anything other than work, and you should probably, even work-wise, be very careful about when you register. Even if you register in another organisation, you should take care because you don’t know what happens to email addresses once they are outside. Also you have got to be careful about the way you set up something like Internet Explorer, because Internet Explorer can also broadcast your email address. Some people put the email address in Internet Explorer (there is a possibility of doing that), and so all of those cookies that come in could pick up that sort of information and people can use it. You have got to be careful of cookies as well. Use them rarely and definitely delete them regularly. There is actually, I think, a security brochure which has been prepared by the UN in New York, which will be broadcast in the next weeks or so, which gives some clues on how to approach those things. It can be found on the UNOG Intranet site, http://intranet.unog.un.org/home/, under reference material.

We sometimes get spams with a known sender address. How come? 

That is a classic virus attack on somebody’s PC. It happens mainly on home PCs. It frequently happens with Microsoft Outlook. The PC gets infected with a virus, and the virus takes the mailing list from Microsoft Outlook and sends itself to all the people on that mailing list; so if you are on somebody’s mailing list, then it sends you a little message with maybe the same subject line as arrived on that PC. It is not unusual, and that is why obviously you have got to have your PC in the office at least with the antivirus equipment up to date.

What do you do at home where you don’t have the help of experts like in the office? 

You have to have up-to-date antivirus software in the PC; you have got to download from the Internet their antivirus software on a very regular basis, at least weekly. And if you are running Windows XP you should at least have the firewall which is built into XP so that it filters the spam and viruses coming in. And if you want to do it properly, you should invest in getting third-party firewall software to install on your home PC. And then you have got to manage all that.

Who is doing all these viruses and worms?

Kids, hackers, people proving that they can beat big companies. Recently, Microsoft offered hundreds of thousands of dollars reward, for the person that created those problems with a virus. From what I can see, when Microsoft does something like that, it is like throwing the gauntlet down, people just take it as a challenge and they say: “well, I can do it better than that” and more damage is done. It is just that people are doing it a) because it is Microsoft, everybody likes to tackle the giant; and b) because it is technically interesting for some people to develop something, a piece of software which nobody can trace, which is really what these things are. They come from places nobody knows where, they get hidden inside codes that nobody knows about, and they either do damage or they can just be a pain.

What is the alternative to the Internet?

So much business is done on the Internet now that there is no alternative. Of course one could use dedicated lines, which is going back to the telephone, or virtual private networks. For instance, if the UN constituted one, we still would be using the Internet, but it would be dedicated links between each different site. If we use a virtual private network then we could keep our communications private inside, but then if anything comes in from the outside, the same risk is there. Once you are connected to the Internet you are exposed.

Interview by J.-M. Jakobowicz.