Spam, Scams, and Virograms
(and Crackers in Your Bed)

Once upon a time, people bought computers and used them with little concern for security. Risks were relatively few and seemingly restricted to large companies and famous people.

You can kiss that fairy tale goodbye!

In today's online, connected world, security should be priority one for everyone. New computer viruses, trojans and worms come out at the rate of about 200 each month, affecting a vast cross-section of computer users. Without adequate anti-virus protection, you're going out of your way to be someone's next victim.

But antivirus protection is not enough.

Snoops 

Along with the threat of exposure to viruses is the threat posed by the “black-magic” hackers of the cyber-universe.

Hackers are the gunmen of the Internet. There are white-hats — true experts who find ways through firewalls and along networks and into individual computers in order to test security and reliability and to increase everyone's knowledge about network behavior — and, of course, there are black hats — who may or may not be very skilled and who slink around in secret, stealing information and often, sometimes accidently, disabling their victims' systems. (The dark siders are often called crackers, although that term also refers to expert programmers who can wring the secrets from the most complex software.) Unfortunately there are many online resources for the unscrupulous black hats — so, knowledge of programming being no longer a prerequisite, their ranks increase daily.

Worried yet? Hold on, because the hackers and crackers may be the least of your concerns. A far more prevalent problem is found in the web sites and Internet Service Providers (ISPs) who invade their visitors' and customers' privacy with or without explicit permission.
 
Web sites often drop small software “packets” known as cookies onto visitors' browsers. Usually, these cookies are perfectly harmless. None of them is capable of extracting information from your computer; all they can do is place a bit of extra info there. And that info is almost always something that makes your time online easier or more fun. They help web masters anticipate the resources you need to surf quickly and pleasantly, and they can help you with everything from filling out forms to finding new and useful pages quickly.

And best of all, as every web guru has been saying for years, a cookie cannot identify your browser to any web site but one — the one that first gave you the cookie. ... Or can it?

Increasingly, cookies are being cleverly misused. There now exists a real possibility that a significant portion of your surfing habits can be known to any group that owns or affiliates with a large number of web domains. (Does the name “Microsoft” ring a bell? You guessed it. The ones with the most to gain were the first ones caught misusing cookies to identify and track individual browsers across several web sites.)

But the small danger from cookies becomes truly miniscule compared to other technology being perfected as you read this. A very few, very big Internet Service Providers (ISPs) have taken a giant step forward in the invasion-of-privacy arena. They have managed, with no great fanfare, to rewrite their Service Agreements (the policies you initially accepted when you signed up for service) to allow them to load computational software programs on your computer.

These programs work in the background while your computer is on. Reportedly, they use your computer's brain power to download and help solve a problem someone is paying the ISP to work on. They do this by searching around and locating files on your computer and putting them to work on that problem. And finally, they use your computer's resources to transmit answers back to the ISP. The big question is, if they can do this, what else can they transmit from your computer back to their bosses? (Fred Langa, a widely recognized Internet authority and the former Editor-in-Chief of Byte Magazine, offers a clear perspective on this issue. Click here to read his article.)

[NOTE: The Langalist, a weekly newletter authored by Fred Langa, is possibly the most down-to-earth and informative collection of PC information you'll find anywhere. You can subscribe to the Langalist at www.langa.com, where you'll also find tons of reliable info and several very useful free tools for keeping your PC in tip-top condition.]

Mail Baggers

Browsers aren't the only things that harbor security problems. Any open path to the “Information Superhighway” is a potential risk. Electronic mail (e-mail) is no exception.

Some free e-mail applications include a commercial advertisement-server that tries to track the user's online interests. Beware also of web applications that have subroutines which can grab some of a computer's resources every time it's online — and sell them to companies the computer's owner may never have heard of. (And if those subroutines can grab a computer's system files, what on its hard drive can't they grab?)

In addition, most e-mail applications have security holes if not properly configured upon installation. (For instance, they all can leave you vulnerable to various hacks if you accept mail written in Hypertext Markup Language.)

That said, there is probably no aspect of the internet more widely utilized than e-mail. Many people access the digital world for no other purpose than to send and receive e-mail. In fact, more e-mail was sent last year than snail mail. The reasons for this are clear; e-mail is faster than conventional mail, as efficient, and costs virtually nothing. But, just as with snail mail, e-mail has been misused to aggravate people no end ... as you will see.

Hoaxes 

The proliferation of e-mail hoaxes has to be due in no small part to the relative ease and economy of electronic mass mailings. When this ease and low cost factor are paired with the mind of a person who has too much free time and a childish sense of humor, hoaxes result.

Hoaxes take many forms, though you can recognize most of them by the poor spelling, bad grammar, and wondrous illogic. Some promise goods or cash if the recipient forwards the e-mail to a specified number of people. One of the more popular hoaxes involved an alleged e-mail tracking program designed by the Microsoft Corporation. According to the hoax, Bill Gates would pay $1,000 to everyone who forwarded the message, providing 1,000 people became involved in the forwarding. Gates himself addressed this hoax, along with the subject of unwanted e-mail in general, in an article from March of 1998 entitled “Wasting Time on the Internet.”

Some hoaxes have had disastruous results. A few years back we received an e-mail that contained a tear-jerker of a story about a child dying of cancer. The e-mail ended by imploring us to forward it to as many people as possible. It assured us that two cents would be donated to the American Cancer Society for each e-mail sent. Unfortunately, not one word was true. But worse still was that the American Cancer Society suffered while this hoax was active. People who would normally have sent a check to the ACS were forwarding the e-mail hoax instead! Good joke? We don't think so.

Our personal favorite — it had everything the real hoax fan loves to hate: lack of purpose, stupid premise, unbelievable conclusion, lots of exclamation points — was the kidney-theft hoax. We've yet to read a more preposterous story. Simply put, an e-mail went out warning that someone on a business trip in a strange town had a drink at a bar with a stranger (a beautiful stranger, of course) and the next thing he knew, he woke up in an ice-filled bathtub, with a note nearby telling him to call 911 if he wanted to live. When the EMTs showed up, the e-mail said, they discovered the person in the bathtub had had one of his kidneys removed by a gang harvesting organs for sale on the black market. Scary, huh? And utterly false (but don't take our word for it. Click here for extensive background on this hoax). What amazed us most was how many people who should have known better forwarded this to us. One such is a member of the medical professions and knows how difficult it would be to remove and preserve a kidney for transplant.

The moral is, “Check the truth and the legality of what you get online before you pass it on.” Visit any of the authoritative sites online (see the links at the end of this article). If that action fails to turn up any information, check with the organizations mentioned in the suspect email as sponsors, beneficiaries, or recipients.

Spam 

Legally speaking, spam is unsolicited commercial e-mail — electronic junk mail. Unlike the junk mail that comes to your door, though, you pay for spam: it bloats e-mail traffic significantly; forces e-mail providers to install more hardware so they can be sure you quickly get the e-mail you actually want; and pushes Internet Service Provider costs up, costs that get passed on to you. No government agency patrols for it, so dealing with spammers is left to you.

But in common parlance, spam is any mass-mailed unsolicited e-mail. It can take the form of a serious offer, which is usually intended to transfer your money to the sender's wallet (“Want to cash in on the billions to be made on the Internet? Just click on the link below! [Sucker!]”), or it can be a prank, sometimes associated with a virus (more on this follows).

If it ain't commercial or a chain letter (or another form of bunco), it ain't illegal. But it still costs you money, and it can cost you time, effort, and your good nature. Ironically, during the time we were writing this article, we became secondary victims to an elegantly effective spam prank. Someone got hold of a mailing list for people on a daily joke server and sent out an offensive e-mail designed to cause recipients to unsubscribe from the list.

Not knowing the offensive message was a scam, some recipients immediately attempted to stop their subscriptions. They followed the e-mail's instructions and sent replies containing the word “unsubscribe” ... and usually a few other, and choice, words expressing their displeasure at receiving the mail — and here's where the fun started. The reply-to option was a coded piece of misdirection. It actually sent their unsubscribe requests to every person who had received the offending e-mail. This, of course, led to scores of people writing back to say, sometimes heatedly, that they were not responsible for the list or for the original offensive message. The thing grew like a prize piglet in tall corn. After the number passed 125, we stopped counting how many crossing and re-crossing messages came to our mailbox alone. The moral of the story? 1) Never reply to spam and never click on any link contained in suspect or offensive email; 2) Never complain about a particular email message unless you know how to analyze email "headers" and can positively identify where the message came from.

Again: if you suspect some piece of e-mail might be spam, never reply, never click, even to unsubscribe. Ask yourself, do you really want to engage in conversation, no matter how brief, with anyone dumb or rapacious enough to use spam? Besides, replying confirms that you access the mailbox the spam came to. Reply just once, and you could have spam up to your elbows every day.

Of course, not replying won't stop future spam. Once somebody has set up a mailing list for spam, there's no financial incentive for him to remove you from it. After all, it costs him nothing to email you, whether you respond or not. So, the only ways to avoid future spam are 1) use mail filters effectively; 2) change your email address (and who wants to do that with any frequency?), or 3) fight back (a long and usually fruitless battle). We recommend you filter and trash all spam and forget it.

[To those of you who may be losing hope, buck up; there are a growing number of good, free spam-fighting apps out there. We particularly like Thunderbird for sending and receiving email and Mailwasher for pre-filtering. Both use Bayesian filtering, which, when combined with a white list (a list of email addresses you want to receive mail from), does an excellent job of blocking spam. By the way, never use any spam-blocker that relies solely on black lists (lists of domains you supposedly do not want to receive mail from). If your spam-blocker relies on black lists, your friends who use web-based email, like Yahoo or Hotmail, may be blocked simply if someone somewhere has reported receiving spam from an address at that domain.]

Luckily, spam is usually easy to identify — and ignore. If the subject line sounds too good to be true, if it contains unusual characters, strange misspellings, or an excessive number of exclamation or question marks, you are probably being spammed. And look out for any email with a link in the body. That link often contains part or all of your email address and prompts a data-mining operation; click on the link and you've alerted the spammer to the fact that your email address is active; expect a lot more spam from that source).

Spam, as we said, is the junkmail of the Internet. But, remember, spam costs you and not the sender. There’s no front-end economic curb to it. It will not stop until word gets to everyone that spam no longer makes money and that even the small time and effort needed to prepare and broadcast spam is wasted.

You can help. Spam is growing exponentially and interfering with the common 'Net user’s ability to communicate with friends and family. For that reason alone, you should always give spam the bum’s rush. If you want email to be the joy it once was and could be again, never buy anything from a spammer. You'll just be feeding the beast.

Two final warnings: if you think that forwarding a pyramid-scheme chain letter online is any more legal than forwarding one via the post office, think again; and if you think that broadcasting a “You're my extra-special best friend” message to everyone in your address book marks you as a caring person, get a life.

Viruses 

This is the one that worries everyone: the possibility of losing data from your hard drive because of some malicious witling with a talent for code. It is a legitimate concern. Nonetheless, most virus scares haven't been worth anything close to the panic they've caused. Several websites — our favorites are Snopes and Vmyths (temporarily not being updated) — are dedicated to clearing up the hype over virtually all hoaxes and virus alerts that invade the World Wide Web. Please bookmark these sites, and the others at the end of this article, and refer to them whenever you hear about some hoax or virus. You'll sleep better knowing the facts instead of swallowing the hype. And you'll be doing your online friends a favor by not forwarding the latest false scare campaign.

But, above all, remember that the threat of damage from viruses is very real. If you believe and do nothing else, believe and do this: up-to-date anti-virus software is critical, so buy some, install it, and update it at least monthly — for the health of your computer system and for your peace of mind. If you're online, if you receive e-mail attachments, if you load diskettes from friends, if you load CD-ROMs burnt by friends, you're subject to virus problems. Anti-virus software can prevent a catastrophic problem caused by the download of a virus from any outside source. Good anti-virus software can clean your system of viruses it may already harbor and can also intercept new viruses before they enter your system via a download.

So which package to buy? That's up to your needs and willingness to pay. Most anti-virus software in 2003 runs between $20 and $50, much cheaper than calling in the professional exterminators. In years past, we have seen some anti-virus programs retail for as much as $130, but they were packaged with a slew of other software programs “guaranteed” to make life easier for you.

Personally, we'd forget about those extensive, expensive packages. The one we owned took up a lot of disk space and proved far more bothersome than any benefits it provided could possibly make up for (one bundled application actually trashed a part of one of our hard drives, causing us to have to reload the entire system). Since then, we've stayed with a simple anti-virus program that does the job and for which the company provides free upgrades and updates. (Make absolutely sure the program you buy includes free upgrades and updates. And be sure you update your virus-identification files several times each month. With around 200 new viruses/trojans/worms appearing each month, keeping your anti-virus software current is vital.)

One interesting drawback to antivirus software is that some programs can be too protective of your system. A few years back, a friend sent one of us an e-mail joke that we thought was pretty funny. But when he forwarded it to others, it was rejected by several anti-virus programs. (The joke was that the addressee had won a gift of a cup holder from a major soft-drink manufacturer. To get the gift, all the recipients had to do was click on a message-box button. When they clicked on the button, their CD-ROM drawers opened.) Some anti-virus programs saw the joke as an invasion (which, strictly speaking, it was), because it caused systems to do something they'd not been told to do in the way they should have been told. Therefore, messages opened on some of our friends' screens telling them the e-mail they were about to open could cause a problem on their computers.

Closing Thoughts 

In that it is subject to abuse, the World Wide Web is no different from any other form of communication. But keeping yourself informed about hoaxes and hypes, and utilizing a frequently updated anti-virus software program, will protect you. If you use common sense and up-to-date software, you can safely go wherever your interests take you online.

And for the information that will set you free, click on the following links:

Computer Incident Advisory Capability (published by the federal Department of Energy — up-to-date and thorough hoax, hype, virus, and scam information)

[Note that the CIAC site logs your Internet Protocol [IP] number. Some people have said they find that fact scary because the site belongs to the US government. The unscary truth is that every site on the Web can, and most sites do, log your IP number. They do it to keep track of traffic and usage; it doesn't mean they know who you are when they're done.

Every computer connected to the Internet has an IP number. It has to; connections depend on IP numbers. But the number does not reveal who you are. If you're like most people, your IP number is assigned by the company that is providing you access to the Web (your Internet Service Provider, or “ISP”). If you use a dial-up connection, your IP is assigned to you randomly every time you dial in to the Web; it changes with every session. So, nobody but your ISP can link your identity to that number, and even they can't do it without checking their logs and comparing times of use. Without the private files held by your Internet Service Provider, not even the federal government can use your IP number to help identify you as an individual.]

Snopes (for urban legends and hoax, hype and virus information)

Spam Must Be Destroyed (no-holds-barred site, may be offensive to some: lots of useable info; details on spam and effective ways of dealing with it)

About.com's guide to hoax, virus, and urban-legend sites.

Symantec (anti-virus software and info)

McAfee (anti-virus software and info)