Spammers and Those Who Enable Them

TLDR: This is an angry rant about how corporations, instead of making the things they supposedly care about (like email) more secure, use the very same techniques spammers do to send out ads, and that is why most people cannot tell the difference between spam and legitimate communication. If these corpos could stop for a minute, simplify their communications protocols, and prioritize security, then spam would become much easier to control, but so would their advertisements.

We've all received emails, and seen various other advertisements from companies warning us of spammers, scammers, and all manner of other nasties. They warn us of the latest tricks that crooks on the internet use to fool people into downloading and opening the wrong file, running some application, sending money to some Nigerian prince, and everything else in between. These corporations, everyone from ISPs to banks, warn us of the dangers lurking around the web seeking to trick us into doing something stupid.

Many companies will tell you that they're doing a good job fighting spam, and that it's a problem that will soon be eradicated, if only they could stop the latest thing allowing cyber-criminals to hide themselves. What they casually ignore is that the means of communication they themselves use are key to why spam and various other forms of cyber-crime continue to proliferate. They'd rather not talk about the fact that many of the techniques used by spammers are also used by those same companies to send out their advertisements, all the while using spammers as the excuse to curtail basic personal freedom and privacy on the web.

Overview

We've also heard the stupid stereotypes - it's always someone's elderly grandmother who clicks on the wrong link, or cannot figure out how to log into her bank account (heck, I've been one of the people spreading that one before I realized what was wrong with it). Except... what if my grandmother was right all along? What if the people who enable the scammers and spammers aren't your tech-incapable relatives, but the companies who purport to help?

Corporations and various other types of organizations the world over produce a torrent of information about how they are fighting spam and various other types of cybercrime. Freedom and privacy on the internet have been significantly curtailed in the name of fighting spammers, scammers, hackers, and bots. Yet, every day these companies produce more and more complex mechanisms for the delivery of their communications: mechanisms that by their very existence enable spammers. Filtering for spam takes massive resources and complex algorithms. Significant AI research is dedicated to spam detection. And yet these measures fail constantly and consistently.

Most of the communication standards we have are fairly complex. Email, being extremely old and very widely used, has a lot of weird old crufty corners. It's not just a message being sent from one person to another with a "to" and "from" address. It's way more complex than that. Each email carries tons of different metadata, a lot of it very esoteric. Things like "reply-to" addresses, for example, can be different from the "from" address. Counter-intuitive, but an essential feature that companies need for many of their marketing campaigns and complex data gathering. If email were a much simpler protocol, with fewer "places to hide", it would be much easier to ferret out the spam. There might still be a place for filtering algorithms and so on, but it would be much easier for the average person to notice that something is amiss. If every "legitimate" email from their ISP or their bank didn't use half the tricks used by every spammer, then perhaps it might be a lot easier to notice that something is amiss?

The same is true of other protocols such as SMS (see below for an example).

Potentially even worse than enabling spammers, companies use spam as their excuse for borderline idiotic practices. For example, many ISPs simply don't allow you to host a server at all. In the name of combating spam, email has become an oligopoly, completely inaccessible to those who wish to host their own server, handing dominance of the whole field to large corporations and locking everyone else out. If these communications protocols were not made to be so complicated, if service providers prioritized security like they say they do, and if advertising and data collection by way of communication protocol abuse wasn't prioritized over simplicity, then we wouldn't have all the issues that we do with spam. We would have a much more inherently secure and open communication infrastructure. The people effectively standing in the way of that are the ones sending you messages about how they're fighting spam.

Examples

Amazon

Many people at this point will say that email is an old protocol, older than DNS in fact (true!), and there is cruft with any such old protocol. Things get added to standards, and it's hard to eliminate things that did not work out because some random company somewhere is still using a weird header from 1982. I agree, I cannot blame "corpos" for everything that's wrong with email; some of it is just human nature. However, I cannot help but ask, why are we like this? Why are there so many complex email header elements and virtually no widely adopted standards for end-to-end encryption of email? This isn't fusion reactors. The cryptographic algorithms that can accomplish this are almost half a century old. Why is it that when I configure Amazon to use text-only emails, the URLs they send are so large that they don't fit on my phone screen?

Who is this supposed to be helping? Supposedly this scans the links being sent to me for security and verification? Why? How?? Why can't Amazon simply send me Amazon links? Why does Amazon send me links that then go through some third-party service to scan them to confirm they came from Amazon? Why do they have to be this long and completely unreadable? That URL takes you to Amazon's Tax and Regulatory Compliance reference page! It should just be: https://amazon.com/reference/taxes-fees-exemptions/. This is what we have, rather than a coherent cryptographically verified system that would just guarantee that the email came from Amazon. But we can't have that, because then people might effectively filter Amazon (and other) ads.

And don't worry, if you receive the "normal" Amazon emails that use CSS and images, all those URLs are still there. They're just hidden so you don't get freaked out, while the image of that new laptop you've been eyeing is sending analytics data to Amazon as soon as it is opened, because that's another thing the email standard has been perverted for instead of providing anything like meaningful security.

So who is this actually helping? Spammers of course! Recently I received this spam message purporting to be from Dick's Sporting Goods saying I won a prize. It got through all the filters, and because words like outlook.com and protection figure prominently in many emails from legitimate companies supposedly preventing URL abuse, they used those same URL manipulation practices in their spam message to make it look legit.

All the work that Amazon and everyone else put into those weird, super-long URLs isn't just a waste of time; it's actually counter-productive, because it helps the spammers.

Charles Schwab Bank

One of the things that one ought to look out for to stay safe from spam is email messages with strange header elements, for example when the "reply-to" address is different from the "from" address. Too bad no one told Charles Schwab Bank this:

Yet another company dedicated to finding fraud and spam online.

Sure, that's a particularly egregious example, but why is it so bad? Well, because they send out all of their legitimate mailings like this, oftentimes with really important information. I cannot tell my relatives to check whether the reply-to address is different from the "from" address (heck, if it were that simple, I could set up a completely automated filter and we'd be done) because then they would ignore everything their bank ever sent them!

If Charles Schwab valued stopping spam and fraud as much as they claim to, they would stop using all these spammer-like techniques in their legitimate email and focus on making it as simple as possible to filter out spam.
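To show how simple the "automated filter" mentioned above would be, and why it is useless against mail that looks like the Amazon and Schwab examples, here is an added example (my own code, not anything from the post or from those companies). It parses a message, compares the registrable domain of Reply-To against From, and checks every link in the body for a host that is not the sender's, for a redirector that wraps another URL in its query string, and for plain http. The three sample messages and every domain in them (example-bank.com, mail-tracker.example, short-link.example, cheap-prizes.example) are constructed placeholders, and the two-label "registrable domain" helper is a simplification, not a public-suffix-list lookup.

```python
"""Added example, not from the original post: a minimal header and link
consistency check, run over constructed sample messages."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed samples. All domains are placeholders, not real senders.
LEGIT_SIMPLE = """From: Example Bank <alerts@example-bank.com>
Reply-To: alerts@example-bank.com
Subject: Statement ready

Your statement is ready: https://example-bank.com/statements
"""

# What "legitimate" corporate bulk mail tends to look like: a bounce
# address at a mailing vendor and a tracking redirector around the link.
CORPORATE_BULK = """From: Example Bank <alerts@example-bank.com>
Reply-To: bounce-12345@mail-tracker.example
Subject: Statement ready

Your statement is ready: https://links.mail-tracker.example/r?u=https%3A%2F%2Fexample-bank.com%2Fstatements&id=abc
"""

# A prize-style spam message using the same tricks plus plain http.
SPAM = """From: Prize Desk <win@example-bank.com>
Reply-To: claim@cheap-prizes.example
Subject: You won!

Claim now: http://protection.short-link.example/x7Q
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    """Crude organisation part of a hostname: the last two labels.
    Assumption for this example; real code would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    findings = []
    if reply_domain and registrable(reply_domain) != registrable(from_domain):
        findings.append("reply-to domain differs from from domain")
    body = msg.get_payload()
    for url in URL_RE.findall(body):
        p = urlparse(url)
        if registrable(p.hostname or "") != registrable(from_domain):
            findings.append(f"link host {p.hostname} is not the sender's domain")
        # A full URL inside another URL's query string means a redirector
        # or click tracker sits between the reader and the real page.
        for values in parse_qs(p.query).values():
            if any(v.startswith(("http://", "https://")) for v in values):
                findings.append("link is a redirector wrapping another URL")
        if p.scheme == "http":
            findings.append("link uses plain http")
    return findings


if __name__ == "__main__":
    for name, sample in [("legit", LEGIT_SIMPLE), ("bulk", CORPORATE_BULK), ("spam", SPAM)]:
        print(name, analyse(sample))
```

The simple message comes back clean, while the corporate bulk message and the spam message trip the same two rules (mismatched Reply-To, link host that is not the sender plus a wrapped URL); only the plain-http finding separates them. That is exactly why the filter cannot be handed to a relative: it would throw away the bank's real statements along with the prize scams.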

Verizon SMS

I saved the "best" for last. A few days back, I got this SMS text message. If all your anti-spam red flags are going off, don't worry, it's legit, it's from Verizon; they use this "address"(?) to send out various notifications, even though they routinely have issues with it.

How idiotic this is may not be entirely obvious, so let's list all the ways I could think of:

  • Using what is probably an exotic element of the SMS protocol to display a text address rather than a phone number as the sender, effectively overriding my contacts list.
  • Using an unencrypted, unsigned, unverified communication protocol to send sensitive information.
  • Using a shortened URL.
  • Using HTTP instead of HTTPS (this is the part where I start to rip my hair out).
  • And best of all, clicking the link does not take you to a personalized video, no no, it attempts to download and install an Android app on your phone.
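Every item on that list can be checked by a machine before anyone taps the link, which is the point: a carrier could have designed its notifications so none of the checks fire. The following added example (mine, not from the post or from Verizon) triages an SMS offline: it flags an alphanumeric sender ID, a plain-http link, a link whose path looks like a shortener token, and then walks the redirect chain to see where the link actually lands, stopping on loops and on a hop limit. The chain is walked through an injected `fetch` function, so the hop table, the sender name "ExampleCo", and every host (sms.example, promo.example, cdn.example) are constructed stand-ins; in real use `fetch` would be a HEAD request that does not follow redirects.

```python
"""Added example, not from the original post: offline triage of an SMS
notification, including the redirect chain behind a shortened link."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s]+")
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed hop table standing in for HEAD responses: url -> (status, Location).
FAKE_HOPS = {
    "http://sms.example/abc12": (301, "http://promo.example/v?id=9"),
    "http://promo.example/v?id=9": (302, "https://cdn.example/app/latest.apk"),
    "https://cdn.example/app/latest.apk": (200, None),
}

# Constructed sample, modelled on the kind of message described above.
SAMPLE_SENDER = "ExampleCo"
SAMPLE_TEXT = "Your personalized video is ready: http://sms.example/abc12"


def fake_fetch(url):
    """Stand-in for an HTTP HEAD that does not follow redirects."""
    return FAKE_HOPS.get(url, (404, None))


def walk_redirects(url, fetch, max_hops=10):
    """Return the list of URLs visited, first to last, without fetching bodies."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        chain.append(location)
        if location in seen:          # redirect loop: stop here
            return chain
        seen.add(location)
    return chain                      # hop limit reached


def looks_shortened(parsed):
    """Heuristic (an assumption of this example): bare short token path, no query."""
    return bool(re.fullmatch(r"/[A-Za-z0-9]{4,10}", parsed.path)) and not parsed.query


def triage_sms(sender, text, fetch=fake_fetch):
    """Return a list of red flags for one SMS; empty means nothing suspicious found."""
    flags = []
    if not re.fullmatch(r"\+?\d+", sender):
        flags.append("alphanumeric sender id instead of a phone number")
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.scheme == "http":
            flags.append("link uses plain http")
        if looks_shortened(parsed):
            flags.append("link looks like a shortened URL")
        chain = walk_redirects(url, fetch)
        if len(chain) > 1:
            flags.append(f"link redirects {len(chain) - 1} times")
        if urlparse(chain[-1]).path.lower().endswith(".apk"):
            flags.append("final destination is an Android package")
    return flags


if __name__ == "__main__":
    for flag in triage_sms(SAMPLE_SENDER, SAMPLE_TEXT):
        print("-", flag)
```

A message from a numeric sender with a direct https link to a normal page produces no flags at all, which is what a carrier notification should look like; the constructed sample trips all five.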

I wanna write more about this... but I am too angry. I'll let it speak for itself.

Conclusion

Companies strive constantly to portray themselves as doing the right thing. This extends not just into the sphere of cyber-security, but environmentalism, financial responsibility, various political virtues, and tons of other things. There are certainly more egregious examples of companies perverting the very things they claim to hold dear - oil companies purporting to hold environmentalist values while selling more oil every year and attempting to paint natural gas as a sustainable or green fuel - but people know about those. Few trends are so pervasive and so rarely commented on as the enablement of spammers by the very companies who claim to fight them.

After all this, all the examples above, these companies have the gall to tell us not to click on suspicious links, implying that this is somehow our responsibility? That when we can't tell whether something is "legit or not" it's somehow our fault? They try to teach us how to avoid suspicious links while they themselves make this virtually impossible: standing in the way of a secure internet infrastructure just so they can spy on us, mixing essential information in with the advertisements, and using the same techniques as spammers do.