Cornerstone Group of Companies – Canada’s Leading Direct Marketing Company

Spam Takes a Holiday to Go Phishing

By Don Lange

Direct Marketing News

July 2004 — Spam used to be easy to recognize. Some of the more recent subject lines and sender names that helped me to identify spam as spam included:

"Got all pills 4 U. V|cod|.n \ V1@grA ' V@1|um ^ X@Nax" - from cyberwolf@england.com

And,

"Do you still feel the energy!"? - which was kindly sent by fairy@cox.net

More recently, though, suspicious e-mails have been arriving under the sender names of organizations that I recognize and, more often than not, do business with on a regular basis. It's happening everywhere.

Here's an example:

An e-mail arrives that looks like it comes from a bank. The message advises you that the bank's new security system will help avoid fraudulent transactions. All you have to do is reactivate your account by clicking on the link provided.

The scary part is that the link actually opens to a legitimate web page of the bank – but then frequently serves, or keeps open, a pop-up asking that you sign on using your user ID, password and ATM PIN.

The idea behind this fraudulent e-mail is to get you to give up sensitive and private information to an organization that you trust.

It's called "phishing", and while it has been around in the US market for some time, it has more recently moved into the Canadian marketplace in a big way. Phishing is one of the most dangerous trends in the arsenal of spammers because it completely erodes consumer confidence in highly recognizable brands. While it most often takes the identity of banks and other financial institutions, it also targets major ISPs such as MSN, Yahoo and AOL. The most common objective is to trick recipients into believing that their credit or debit card information must be provided "securely" to a form on a landing page that has been designed with the same kind of style sheets as the actual organization.

For legitimate e-mail marketers it is a nightmare. Brand recognition is one of the major factors in successful e-marketing. In tracking open and click reports, we consistently see higher response from both consumer and business mailings when e-mails are from recognizable marketers.

Phishers are very clever. One of the more famous examples is a message that spoofed MSN. The message arrived and by design looked just like a text message. It included what looked like the very legitimate link – www.msn.ca. However, the URL was actually an image that linked to a phony page.
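As an added illustration (not part of the original article), the Python sketch below checks an HTML message body for the trick described above: a link whose displayed address, or whose image alt text, names one site while the underlying target is another. The sample body, the host names and the `audit_links` helper are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text that presents itself as a web address, e.g. "www.msn.ca".
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def site(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    """Records links whose displayed address differs from the real target."""
    def __init__(self):
        super().__init__()
        self.findings, self.href = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href, self.shown, self.has_img = attrs.get("href") or "", [], False
        elif tag == "img" and self.href is not None:
            self.has_img = True  # the link is drawn as a picture
            self.shown.append(attrs.get("alt") or "")

    def handle_data(self, data):
        if self.href is not None:
            self.shown.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        real = site(urlparse(self.href).hostname)
        claimed = DOMAIN_RE.search(" ".join(self.shown))
        if real and claimed and site(claimed.group(1)) != real:
            self.findings.append(("mismatch", claimed.group(1), real))
        elif real and self.has_img and not claimed:
            # The picture may show any address; nothing in the markup confirms it.
            self.findings.append(("image-only", "", real))
        self.href = None

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample body; hosts use reserved documentation names and ranges.
SAMPLE = """<p>Please reactivate your account:</p>
<a href="http://203.0.113.7/signin"><img src="cid:link.gif" alt="www.msn.ca"></a>
<a href="http://phony.example/login">www.msn.ca</a>
<a href="http://www.msn.ca/">www.msn.ca</a>
<a href="http://203.0.113.7/x"><img src="cid:l.gif"></a>"""
```

The comparison is exact after removing a leading `www.`, so a link shown as one host but pointing at a different subdomain of the same organization is also reported and needs a human decision.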

It's just one more reason why marketers are scrambling to come up with some sort of solution to spam.

So far, the general consensus is that there is no easy solution. The act of sending and receiving e-mail is so technically simple that there is no practical means to verify that a sender is who they say they are.

Legitimate marketers have long leaned on overt messaging as a means to convince recipients that the e-mail they are receiving has merit. This morphed into the so-called best practices of identifying source and providing a legitimate opt-out. But how long can this go on if phishing continues to grow?

There seem to be lots of little solutions. The stop-spam industry is blossoming.

There are systems in place that send automated replies asking that you "verify" your e-mail and your identity. However, that's just not a palatable solution for e-mail marketers who want to (legitimately) send out thousands or millions of e-mail messages.

Other solutions rely on either blacklists or white lists. Essentially, this compares the IP address of the server that is sending the e-mail against a list of good or bad IP addresses and reacts when a match is found.

Filters are probably the most common method to stop spam. However, spammers have countered the filters by misspelling words ever so slightly so that peple stll undrstnd the meanng.
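To show what a filter has to do to keep up with such misspellings, here is an added Python example (not from the original article) that undoes look-alike character substitutions and then fuzzy-matches each word against a watch list. The watch list, the substitution table and the 0.8 similarity cutoff are assumptions chosen for the demonstration; the sample subject line is the one quoted earlier in the article.

```python
import difflib
import re

# Constructed watch list for the demo, not a real filter's word list.
WATCHLIST = ["vicodin", "viagra", "valium", "xanax"]

# Characters commonly swapped in for letters (an assumed, partial table).
LOOKALIKES = str.maketrans(
    {"@": "a", "1": "i", "|": "i", "0": "o", "$": "s", "3": "e"}
)

def normalize(token):
    """Map look-alike characters to letters and drop everything else."""
    return re.sub(r"[^a-z]", "", token.lower().translate(LOOKALIKES))

def flagged_terms(subject, cutoff=0.8):
    """Return (original_token, watch_list_word) pairs found in a subject."""
    hits = []
    for token in subject.split():
        word = normalize(token)
        if len(word) < 4:  # too short to match reliably
            continue
        # Fuzzy matching absorbs ambiguous swaps such as "1" for "l" or "i".
        match = difflib.get_close_matches(word, WATCHLIST, n=1, cutoff=cutoff)
        if match:
            hits.append((token, match[0]))
    return hits

# Subject line quoted in the article.
SUBJECT = r"Got all pills 4 U. V|cod|.n \ V1@grA ' V@1|um ^ X@Nax"
```

Lowering the cutoff catches more heavily mangled words but also starts matching ordinary vocabulary, which is the trade-off that keeps filters and spammers chasing each other.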

The idea is to let the good guys through and stop the bad guys. But how do you really know what colour hat the sender is wearing? The quick answer is you don't.

In theory, a certification process seems to be the best way to authenticate that a sender is who they say they are.

There is a need for technical advances that would allow ISPs to vouch for the identity of e-mail senders. To do this, a process could be set up that essentially mirrors the role the post office has with mass postal mailers in this country:

  1. You have an "account" with the post office.
  2. You tell the post office when a mailing is going to take place by preparing mailing statements.
  3. You pay for your postage.
  4. You deliver the mail on the day you said you would (or as close to it as possible).

Would this kind of process work in the online world? Not entirely.

While there are probably enough direct mailers out there that would welcome, and be willing to pay for, the opportunity to try e-mail, there is no way that pure-play dotcoms would be willing or able to pay for postage. And technically, there is no way to affix digital stamps on e-mail that would be efficient and not easily stolen (spoofed).

The key might be in the registration of an "account". If e-mailers were required to register their contact information, that registration could work in concert with technology, once it is developed, that would allow ISPs to check the account status of the sender.

In this country, like most countries around the world, industry players are meeting and wrestling with these issues. If anyone tells you that they have all the answers, you're probably listening to another one of those phish tales.
