Where Did That Email Come From?

An interesting new tool from the guys behind the controversial DidTheyReadIt?: LocationMail. (For some posts on DidTheyReadIt, check out here, here, here and here.)

LocationMail tells you where e-mail was sent from. It uses the most accurate data in the world to analyze your e-mail, trace it, and look up where the sender was when the message was sent. Find out where your friend was when she e-mailed you, or where a business contact is really writing from.

LocationMail integrates seamlessly into Outlook or Outlook Express; once installed, it shows you location information next to each message. LocationMail shows the City, State, Country, Company, ISP, and Connection Speed of the sender.

Installs painlessly into Outlook but crashed my Outlook Express. In Outlook a popup window appears with details of where the email was sent from, including the company, location, connection type, domain and IP address. LocationMail does this by using what it thinks is the IP address of the sender and running it through data from DigitalEnvoy and IP registrars. (A fuller explanation is here.) The makers hope to target a range of customers:

With phishing and other forms of Internet fraud becoming more and more problematic, LocationMail protects you from e-mail based frauds. The program can tell you if an email you seemingly received from your local bank was actually sent from a location half way around the globe. By instantly tracing the source of your emails, LocationMail helps keeps you safe from identify thieves. LocationMail lets you identify and eliminate fraudulent transactions from eBay and other Internet-based auction houses.

LocationMail protects companies who accept orders by email. Credit cards are regularly stolen from people in affluent countries, and used for placing online orders by criminals from other countries. By telling you an email’s origination location, the program helps you detect fraudulent inconsistencies.

Whether you’re a business person who wants to keep track of the demographics of prospects and customers, a manager who wants to ensure that incoming email addresses are legitimate and consistent, or a home computer user who is curious about where friends are e-mailing from, LocationMail has the tools that you need.

It costs $30. Another program that does something quite similar is eMailTrackerPro which will also identify the network provider of the sender, including contact information for abuse reporting, and uncovers the ‘misdirection’ tactic commonly used by spammers. Of course, LocationMail may not help that much, since legitimate emails might not, in Internet terms, originate from the place where they should. But it does a pretty good job and is useful if, say, you’re not sure about whether an email is spam or not (it does happen) the fact it originated in Seoul should provide a clue (unless you know lots of people in Seoul, of course).

And most importantly, this isn’t an invasive technology.

The Grim Reality Of The Phishers

Good piece in this month’s US Banker magazine on phishing. Some tidbits:

Phishing is getting more and more sophisticated. I’ve detailed some of those tricks in this blog, but here’s one I hadn’t heard of:

Crooks [the unfortunately named Ted Crooks, vp of identity protection solutions at Fair Isaac] says that “the level of cleverness is disturbing.” He notes how in one phishing scheme, phishers sent out an e-mail that requested sensitive information and to prove to customers the request was legitimate included two numbers the phishers said were the last two digits of each customer’s account number. As Crooks points out, a random two-digit combination has a one in 100 chance of being right, so if a phisher sent such an e-mail to one million users, 10,000 people’s accounts will match those two numbers.

Another thing regular readers will know is the sometimes absurd figure attached to losses associated with phishing:

TowerGroup estimates that direct fraud losses attributable to phishing will top $137.1 million globally in 2004, a figure far below widely cited levels of $1 billion and just a fraction of the total fraud at banks.

But I guess what is worrying is that phishers will start to target those smaller institutions that don’t have the clout to do much about it:

TowerGroup predicts the number of phishing attacks will top 31,300 in 2004 and rise to more than 86,000 by 2005 as they spread to smaller institutions, new merchant/service-provider categories, and new global markets.

Then there’s the need for banks to do more. Consumers don’t believe they are doing so, and I sometimes wonder whether the reason that banks give for not introducing more complicated and multi-layered log-in processes — that users don’t like it — is just an excuse. There are some interesting new approaches being tried out there:

Acknowledging the reality of what consumers will and will not do, Associated Bank, a $20 billion bank in Green Bay, WI, has implemented a voice biometric technology from Authentify to securely pass sensitive information to customers via the Internet. By logging onto the Web site to receive a PIN, a phone call is activated to the customer’s home or office. When the customer answers the phone, the voice biometric verifies that it is the customer and not a phisher requesting the PIN. This confirmation doesn’t require the customer to do anything out of the ordinary. It requires no training, no cost and no software installation.

Other efforts are being focused on foiling the phishers at their own point of sale:

One novel phishing countermeasure utilized by Cyota is bombarding the phishing Web site with bogus customer information. “It looks like real user names and passwords, but it’s just a hodgepodge,” [Cyota CEO Naftala] Bennett says. It compromises the phisher’s data, making it a painstaking process to sort out the legitimate accounts. “We want to change the equation for them. We want to make it harder to use the data and put them at risk of selling bad data to their customers,” Bennett says.

The bottom line, however, is well expressed by Gene Neyer, head of the Financial Services Technology Consortium’s counterphishing effort:

“Phishing has become a problem overnight because it has leveraged the infrastructure of spam,” says the FSTC’s Neyer. “And like spam, the concern is that with phishing every countermeasure spurs technology to get around the countermeasure. Unfortunately, scams that rely on social engineering can never be eliminated, but practical, tactical strategies can be put in place.”

Putting Spam Inside Your Email: SpEmail?

Here’s a novel way to get advertising into email without calling it spam: RelevantMail. RelevantMail, from a company called RelevantAds, inserts contextual ads into emails very much as Gmail does. Only the folk doing the inserting are your ISP:

RelevantMail provides a new high quality way to distribute advertisements to consumers while providing a much needed revenue stream to email providers. Email is a very effective medium for advertising with the capability of high conversion rates. However, existing techniques of marketing through email have a high user rejection rate due to the disruption of the normal workflow of reading their email. Additionally, existing email marketing strategies suffer from the lack of relevancy and timeliness. RelevantMail addresses all these problems and provides it as a benefit to the end user instead of a hindrance .

These ‘contextual ads’ would appear as links at the bottom of emails. Say you wrote to a friend about your upcoming trip to Vegas, or your new BBQ grill, or your uncomfortable hemorrhoids problem, your email would include links to products or services somehow connected to casinos, BBQ sauce or cushions. The economic aspect of this is the idea is that ISPs bleeding from having to provide virus checking, spam filtering and other services to users can turn a profit cost into a profit centre.

I am, of course, skeptical. RelevantAds suggests that it is focusing on privacy: The entire system is automated and at no time are emails read by human eyes. Moreover, we are intentionally separate from email service providers and do not store any information on emails. In other words, our engine never receives information as to who sent or received the email message. It only receives the text of the email itself. And the company say the ads are not particularly intrusive. The screenshot seems to bear this out, in that the ads are just text links that appear at the bottom of the message.

But I think users might be a bit freaked out by seeing their emails combed for possible ad-related subject material. It’s one thing to put ads alongside web-based email where it’s clearly not part of the body. But inside an email that arrives in your inbox? And how will those same recipients feel if they find out that their emails to you are also being added to in this way?

But to me the biggest drawback is the impact on spam-filters. Are emails which once would have sailed through a spam-filter now likely to be caught? How are recipients going to feel if emails to them arrive with links inserted at the bottom And if we alter our settings to allow them through, are spammers not going to capitalise on this to make their spam look similar?

I can quite understand the need to explore opportunities to turn an honest buck or two. But I’m not convinced email, already on its last legs, is the place to do it.

But there’s an interesting link here that may prove me wrong. One of the people behind RelevantAds is David Rodecker, who is also involved in Mail2World, a company that hosts email and other messaging services (think SMS and things like that) on behalf of customers (ICQ was a recent sign-up. Last November it started offering users two gigabytes of storage and some other bundled features for a small fee.)

It’s not clear from the press release whether there’s a link between these two companies (and I suppose it’s possible they’re not the same guy). But if there is a link I guess the broader vision here is one where ISPs, companies, vendors or pretty much anybody could outsource their email to a company like Mail2World, who would in turn offer the option of including RelevantAds as a way for the customer to defray the cost. An interesting vision, but I stick with my view that email is already a stumbling beast. But clearly not everyone agrees. In an edition of CNBC’s World Business Review last June, where Rodecker appeared, host Alexander Haig sang email’s praises: “Those who are seeking ways to tap into the potential of e-mail,” he said on the show, “will find themselves in a position to capitalize on the pending explosion in Internet usage.”

A Better Way To Measure The Spam Flood

Here’s an interesting take on spam which helps illustrate how big a problem it has become.

Florida-based email service ZeroSpam Net (0SpamNet) says (via email, afraid no URL available at time of writing) that current methods of measuring spam, as a percentage of total email traffic, has become meaningless.

Two years ago, seeing Spam grow from 60% to 70% in a month or two had some meaning. Over the last couple of months the impact of Spam growing from 85% to 90% has been lost by being reported as a percentage. That last 5% of growth as a percentage of total traffic represents a 50% growth in the total volume of Spam. Measurement of Spam volume as a percentage of total traffic is a poor indicator of the ever increasing size of the Spam problem.

Instead it proposes an index, which it calls the ZSN Spam Index, which accounts for spam and legitimate email growth against a constant reference value of 100 valid messages. This takes into account the increase in normal email traffic — roughly 12% per year. The index goes back to November 2002, with a value of 66.67 — i.e. about 67 spam messages for every 100 valid emails. Now the index is at 782.12. That’s 800 spam messages for every 100 valid ones. Gasp.

Here’s the chart (PDF).

Why do people never talk about CAN-SPAM anymore, I wonder?

Scams, Dialers And Urban Myths

When is a scam a scam or an urban myth?

Dinah Greek of Computeractive writes that Britain’s premium rate line watchdog is being inundated with calls from worried consumers about scams that turn out to be untrue.

One email warns of a scam that says people have received a recorded message on their phone informing them that they have won an all-expenses paid holiday. The email goes on to say people who receive these calls are asked to press 9 to hear further details and when they do are connected to a £20.00 per minute premium rate line. This will still charge them for a minimum of five minutes even if they disconnect immediately. It is also claimed that, if callers stay connected, the entire message costs £260.00.

Another email says some people receive a missed call from a number beginning 0709. It is then claimed that, if callers dial this number, they are connected to a £50.00 per minute premium rate line.

ICSTIS, the watchdog with a name that sounds like an unpleasant disease, point out that these emails are incorrect. But with the whole rogue dialers thing going on, people are scared. (What I like about this story is that the problem seemed to have started in my old hometown: “We believe these emails started off years ago from a neighborhood watch liaison office in Northampton who got the facts wrong,” an ICSTIS spokesman says. (This, based on my experience of that town, seems plausible.) Since then it’s blown out of all proportion: ICSTIS points out that “these scams just can’t happen. Premium rate tariffs of £20 per minute and £50 per minute do not exist – the highest premium rate tariff available is £1.50 per minute.”

Does the fact that we don’t really know what’s going on in our computer make us prey to these kind of myths? Ignorance, superstition and credulity rise in inverse proportion to our understanding of our environment. Do computers make us more superstitious?

Lycos And One Way Not To Deal With Spam

Lycos Europe, according to The Register, is distributing “a special screensaver in a controversial bid to battle spam”. Make Love Not Spam “sends a request to view a spam source site. When a large number of screensavers send their requests at the same time the spam web page becomes overloaded and slow”.

The idea, of course, is to slow down servers allegedly delivering spam by overloading it with requests in what is called a distributed denial of service (DDoS) attack. Lycos’ argument: The spam sites will get charged for the higher traffic, and eventually go out of business. As Aunty Spam, a website dedicated to spam issues, points out, Lycos may be skating on thin ice: denial of service attacks are illegal, at least in the U.S. “The problem is, just because you are part of DDOSing spammers rather than legitimate companies doesn’t make it any less illegal.”

I’d tend to agree. Tempting as it is to do this kind of thing, it’s not the way to go, and I’m surprised that Lycos is doing it. My bet is that Lycos Europe finds itself on the end of its own DDoS attack from vengeful spammers.

Email Newsletters And Reputation Maintenance

It always surprises me how companies which try to present an image of good email practices (i.e., don’t spam) let their standards slip so easily, and their reputations with it.

In June 2003 I signed up for Click2Asia, an online dating service for ethnic Asians (no I’m not Asian, but I figured living there for the past 17 years made me as eligible as anyone else, and besides, it was for a column. Well that’s my story, and I’m sticking to it.) Anyway, for a while everything was fine — they would send out newsletters every so often, but the email address I gave them didn’t find its way onto spam lists. Until this week.

This week I’ve received two dodgy emails from Click2Asia with the subject line ‘A friend has referred you to Click2Asia!’ and suggesting ‘a friend of yours thinks that you might find true love on our site! Try a search, and see what comes up!’. These emails were sent to the very unique email address I gave when I signed up, so this can only be classified as spam: No one else has that address, I have already signed up as a member with that address — ergo it must come from within Click2Asia. Pretty poor state of affairs, if you ask me. I let one go as a possible error, but now getting another within three days convinces me these guys are not to be trusted.

Why a company would imperil its reputation by sending out spam beggars belief. It would appear to me to reflect how poorly these websites understand the public mood about spam, or how little they care.

Another gripe, while I’m on the subject: Email newsletters must be easier to unsubscribe from. Now that everyone has more than one email address (or uses disposable email addresses), no longer is it acceptable to throw up error messages which suggest that because the email came from a different email address than the original message, the unsubscription has failed. Failed unsubscribe messages must be handled manually if necessary or the user pointed to a website where they can remove themselves manually. The burden should not be on the user. A case in point: Audible.com. I tried to remove myself from their list this morning but despite following their instructions found my emails either prompting another error message or simply bouncing. Black mark for Audible and a good argument for a) not subscribing in future and b) using RSS feeds.

A New Kind Of Anti-Spam?

Here’s a new anti-spam service which takes a somewhat different approach.

RI-based Mail Cruncher works, not by looking at content, but by rating emails according to the reliability of their sender. “In business, I decide to trust other companies based on how long they have been around, their location, who else does business with them, and their record of reliability,” a press release from the company quotes April Lorenzen, creator of the Mail Cruncher service, as saying. “We just applied the same common sense to sorting email. Our customers say it works well for them, saving time and aggravation every day.”

The Mail Cruncher email sorting service uses Outbound Index ratings exclusively to sort email. Messages with a high rating go immediately to the subscriber’s inbox. Messages with a low rating are held back. Once a day, Mail Cruncher subscribers are sent an email with a sorted, color-coded list of suspicious emails that can be scanned in seconds.

The ratings are based “principally on statistical facts such as domain age, relationships between server and domain, and sender stability”. There’s no attempt to run Bayesian filters or other approaches to measure the spamminess of an email. It’s done entirely by looking at the ‘from’ email address.

The Mail Cruncher list also groups domains, “so if a subscriber receives 17 messages from the same domain, the messages appear together for faster skimming”. It also displays the sender’s user name, such as “nwyiyvq,” is displayed, not just the often-misleading name (“Victoria”) shown by most email inboxes. Finally, a subscriber can read the text of a suspicious message safely within the Mail Cruncher environment “without triggering webbugs or attached viruses, without displaying any objectionable images that might be in spam, and without the sender knowing the email was opened”.

An actual Mail Cruncher list with the above features is demoed here. The Mail Cruncher service costs $3 per mailbox per month.

Spam Historians

Interesting piece by TechWeb News on Microsoft employee Raymond Chen, who has “saved every spam message and virus-laden e-mail he’s received at work since 1997”. More intriguingly, he has “graphed the spams and viruses to create a cool visual representation of one man’s malicious traffic”.

The resulting chart is fascinating. You can see the whole Spam Phenomenon in blue and red, especially as it went ‘ballistic starting in 2002’. Worth reading for the comments alone. Clearly there are a lot of spam historians out there.

More Options For Spam-Free Email

A couple of other options for email users looking to kill off spam, viruses etc.

Walla.com (thanks, Rob) is a free, 1 gigabyte thing with a very simple sign-up process.

Nevada-based Komodo (love the name, love the lizard) said yesterday (PDF file) its “unique email services are being tested internally starting this week”. This is a closely guarded “proprietary solution for email and the elimination of viruses and spam through a unique proprietary application”. Sadly you don’t get any more information than that.

And the name? “As a Komodo client, like the lizard of the same name, you are at the top of the food chain in an impenetrable high-security computing environment.” Ummm, sure.