Caslon Analytics: Security & InfoCrime guide



























messaging

This page deals with electronic junk mail (spam, speam, spit and spim) - also known as unsolicited commercial email (UCE) - and email scams. 

It covers -

A profile about electronic mail, instant messaging, chat and other messaging systems is here.

A profile discussing the regulation of spam in Australia and New Zealand is here. There is also a note about EU, US and ITU developments.

basis

If you've used email you've almost certainly encountered UCE, a concern because

  • the recipient pays for unwanted (and often offensive) messages, leading some to characterise spam as a form of trespass
  • the volume of messages floods many mailboxes, reducing productivity, increasing stress and requiring action by ISPs or corporate network administrators
  • stopping that flood is perceived by some recipients as an insuperable difficulty
  • spammers often forge addresses, resulting in damage to reputation and even blacklisting of legitimate email in some instances
  • some spammers exploit open relays or other technical inadequacies to use the machines of other internet users in sending their junkmail
  • much spam travels across national borders, posing challenges for national and international governance.

Uptake of instant messaging (IM) systems means that more consumers are encountering spim, the IM version of spam.

Spam is used by direct marketers because mailing lists are readily available (eg can be purchased from specialists or generated from databases of all inquiries to a web site), because it is 'easy' - a few keystrokes and a message appears in email boxes all over the world - and because sufficient recipients respond to make the mailout commercially viable. 

The average cost per thousand addresses for permission-based email lists is between US$200 and $600 (with a response rate of 3% to 10%). For addresses marketed by spam merchants the average cost is between 0.1 and 0.025 of a US cent (with a response rate of up to 0.5%). As they say in the US, do the math - enough people respond to spam to make it worthwhile.

It is not uncommon to receive offers - via spam, of course - for a three CD set that supposedly contains "300 Million Email Addresses and 1.5 Million USA Business Fax Numbers" for a mere US$99. The disks claim to offer email addresses of people living in all US states (broken down by area codes) and addresses of people -

  • interested in gambling
  • running a home based business
  • interested in online shopping
  • interested in gardening
  • interested in golf
  • interested in fitness, weight loss, etc
  • "people interested in Opt-In"
  • "who have bought more than $1,000 over the Internet in the last 2 months"
  • interested in traveling and vacationing.

along with 25 million verified AOL, Compuserve & MCI addresses.

Spam is also used because some marketers claim that response rates are significantly higher than those for traditional junk mail (eg 0.5% rather than 0.001%), although such figures are problematical. We've highlighted some issues in our Marketing guide.

Figures on investment by marketers (eg the 132 page PDF from eMarketer) are even more contentious than those on traffic. However, it is common to see claims that

  • companies in the US and EU are now spending upwards of US$2.5 billion pa on electronic direct mail
  • the cost of generating email lists 'in-house' and actioning them is in the order of US$2 per head, in contrast to direct snail mail of US$18-100 ph and purchase of snail mail lists at around $280 ph.

size

There is little agreement regarding figures about -

  • the volume of spam sent to consumers
  • the volume received (not necessarily the same, as many ISPs and organisations employ filters that deflect the junk before it arrives in the recipient's in-box)
  • the volume actually opened by recipients
  • growth rates, the frequency of particular types of messages and points of origin

One reason for uncertainty is that many figures come from vendors of anti-spam products/services. Particular announcements by the anti-spam industry have received widespread attention, particularly in the mass media, but have been questioned. Another reason is that volumes appear to vary significantly, with US studies suggesting that recipients in the entertainment and transport industries get a higher per capita number of messages than those in the health or construction industries.

One study suggested that 2.8 billion direct marketing email messages were sent in 1998, with - hold your breath - that figure forecast to rise to 236 billion in 2005. US-based AOL estimated in 2001 that spam accounted for 30% of email to its subscribers, between 5 and 8.5 billion messages pa. By mid-2003 other ISPs and institutions were claiming that spam accounted for up to 45% of incoming messages. Filter vendor MessageLabs claimed in May 2003 that 55.1% of all messages scanned were spam; competitor SpamTrap announced that 55.8% of messages tracked with its service were spam.

A January 2001 study from the European Commission suggests that internet users pay 10 billion euro in connection costs just to receive spam. Other studies have claimed that at the beginning of 2002 some ISPs were now receiving between 4 and 20 items of spam for every genuine message.

Anti-spam vendor Brightmail claimed that of 5.5 million unique UCE messages identified through its service in November 2002, over 75% were solicitations for consumer products, financial services and adult content, with 25% regarding online scams or spiritual, health and other services. In July 2003 Brightmail projected

at least 1 in 2 of all emails that individuals and businesses receive will be spam by September 2003 or earlier, and a fifth of spam in the UK will be pornographic.

An August 2001 Gallup Poll report indicates that most US email users say that up to 30% of messages they receive are spam; 39% say they receive more than that, including 18% who say that at least half their e-mail is spam. 42% said they "hate it," 45% said spam is "an annoyance, but do not hate it," while the rest have no strong feelings either way (9%) or sometimes find the information contained in spam useful (4%).

And the cost?

In 2003 Ferris Research claimed that the cost of spam in the US was US$10 billion per year. Radicati Group - noted for the claim that "email failure is more stressful than divorce" - estimated that the global cost for 2003 would be US$20.5 billion. Nucleus Research claimed US$87 billion for the US alone in 2003.

Those figures - and similar estimates from Australia and the EU - are problematical because they appear to assume that all messages are individually scrutinised by recipients and then manually deleted. In practice many consumers appear to be manually identifying and preemptively deleting spam on the basis of the message title, the sender's email address or even the ccTLD (with the exclusion of much email from Romania or S Korea).

Others are actively using filtering tools, which for example allow a recipient to add all messages from a particular address or with a particular title to a personal filter.

does it matter?

How Much Information, the major report by Hal Varian & Peter Lyman, suggests that some - perhaps many - people are swamped by information. 

There are few impartial studies of the impact of spam - most research promotes particular filters or network management schemes. 

However, it is clear that those on the receiving end of electronic junk mail (spam) consider that it is a waste of time and expensive, since the recipient pays for the traffic. Some characterise it as threatening. As a business practice it is rarely effective.

A February 2001 study by NFOWorldWide, for example, suggests that when consumers change email address (41% of US respondents changed within 2 years), under 32% inform regularly-visited sites and newsletter lists. 78% commented that they were receiving unsolicited mail from those sites. 5% were receiving over 100 messages a week.

legal frameworks

Defining and regulating junk mail, electronic or paper-based, is contentious. Globally there are few guidelines or standards. Most derive from privacy legislation and principles such as the OECD privacy guidelines discussed in our Privacy guide.

Perceptions about the likelihood of building on those guidelines vary. In January 2003 Jamie Love of the Consumer Project on Technology (CPT), for example, claimed that

the reason there is no cross border cooperation on rules is both ideological and the result of lobbying by firms that dream the Internet will be a haven for self-regulation on other issues. Hence, we tolerate spam, to prevent cross border consumer protection measures from getting off the ground.

The US has traditionally adopted a laissez-faire stance, given the clout of mailers and recognition of free speech issues. However, in line with tougher federal and state involvement in privacy, it has been moving to regulate spam, with state legislation driving the development of federal law. 

In 1999 US industry group CommerceNet released a paper (PDF) on Unsolicited Commercial E-mail: Legislative Solutions. It updates the more learned analysis in Jonathan Byrne's 1998 paper Squeezing Spam Off The Net: Federal Regulation of Unsolicited Commercial Email, David Sorkin's 1997 paper on Unsolicited Commercial E-Mail & the Telephone Consumer Protection Act of 1991 and Michael Carroll's Berkeley Technology Law Journal paper on Garbage In: Emerging Media & Regulation of Unsolicited Commercial Solicitations.

Michael Geist's 2004 Untouchable? How Canadian Law Can Tackle Spam (PDF) argues that despite the absence of specific anti-spam legislation current Canadian legal options allow for enforcement actions against most conduct addressed by anti-spam enactments and suggests that the problem primarily results from the lack of aggressive enforcement action by government agencies.

A map of overseas anti-spam codes and laws is here. For a global view we recommend Wye Keen Khong's 2001 JILT paper Spam Law for the Internet.

For a more detailed discussion of particular national and international regulatory initiatives see

other action

Many US and EU ISPs restrict the sending of spam in the contract with their customers. ISPs are unhappy about the cost of such activity and the potential damage to their reputation. Legal proceedings have already been brought successfully by ISPs, particularly in the US.

The US Coalition Against Unsolicited Bulk Email (CAUCE), European Coalition Against Unsolicited Commercial Email (EuroCAUCE), Mail Abuse Prevention System (MAPS) and Australian Coalition Against Unsolicited Bulk Email (CAUBE.AU) are four consumer advocacy organisations lobbying for improved regulation.

The Junkbusters organisation, despite its clunky name and dot com domain, is a US-based citizens action group that offers a lengthy set of pointers to print and online publications on spam. 

In the US the Responsible Electronic Communications Alliance (RECA), an industry group that includes DoubleClick, 24/7 Media, Bigfoot Interactive and ClickAction, sought to channel legislative proposals by suggesting self-regulatory privacy standards. 

The standards, to be accompanied by a 'Seal of Approval' for online direct advertisers, would ban advertisers from sending solicitations to consumers without consent, allow consumers to remove themselves from mailing lists, restrict email to relevant content, and require RECA members to state how information supplied by customers will be used.

More drastic action has been taken by the StopSpam organisation, which issues a 'Usenet Death Penalty' encouraging usenet systems administrators to delete usenet postings from ISPs such as Excite@Home ISP after alleged failure to address spamming concerns. Other activist cum vigilante groups include SpamFree (FREE), SpamCop (SCop) and Spam.Abuse.Net (SAN).

practice

Do you want to use online direct mail?

The Australian Direct Marketing Association (ADMA) has released Online Marketing Guidelines (PDF). The guidelines are not mandatory and, although ADMA now maintains a central register which consumers can use to flag that they do not want to receive print/digital junk mail, the organisation does not cover all direct marketers and there are questions about use of the data. The register embodies an 'opt-out' approach: the onus is on the consumer to alert the sender that spam is not appreciated.

This contrasts with some US proposals and EU practice with 'opt-in' schemes, where the sender has to get permission from the recipient before sending commercial email. Permission might involve recipients having ticked a box in a response form explicitly saying they are prepared to receive emails. Or it could involve registering their interest in specific subjects on a central database, maintained by a commercial operator or a trade association. Opt-out schemes are currently used for both mail and telephone sales, where the cost is borne by the sender. But the recipient bears the cost of email, so an opt-in system may be more appropriate. 

A December 2002 New York Times article on the privacy practices of Vivendi subsidiary noted that the site

requires users to provide an e-mail address before they can listen to music. Then, without offering a choice or notice, the site adds that address to six mailing lists, including a music newsletter and one for "partner product announcements."

A note at the bottom of the messages sent to the lists offers two ways to avoid receiving e-mail. The first, less user-efficient method involves clicking a link. But as it turns out, this removes the person's address from only one list. The second way is to send the message to an "unsubscribe" address. ....

There is also a third approach: The user can go to the site's e-mail preferences area to opt out. But because of the confirmation screens for each list, it can take 21 pages of clicking before the user is reasonably assured of being removed from all the mailing lists.'s defence? The company needs to be aggressive with its e-mail marketing "to keep the lights on and to keep the service free for people".

Consumer perceptions are changing: overall businesses and individuals (particularly those who receive large volumes of mail) appear to be becoming negative about junk mail. We suggest that you think carefully before spamming: any revenue that you gain may be outweighed by the damage to your brand. 

If you do send unsolicited mail, operate on an opt-in basis. Identify the nature of mail and provide valid contact details. Don't follow Medibank Private's example at Christmas 2000, sending thousands of people a message with an EXE attachment (which many recipients regard as synonymous with a virus) and a 14 line legal disclaimer. Don't send further spam once you receive a complaint. Do follow up any feedback.

studies

Although there are a large number of academic papers and industry documents regarding the dimensions of the spam problem, its impact and potential regulation there are surprisingly few books on UCE.

Two of the better works on technical aspects are -

Stopping Spam (Sebastopol: O'Reilly & Associates 1998) by Alan Schwartz & Simson Garfinkel (author of the privacy primer Database Nation) - an introduction to spam and its management for people whose diet isn't based on takeaway pizza, Jolt cola and C++

the more technical Removing the Spam: Email Processing & Filtering (Reading: Addison-Wesley 1999) by Geoff Mulligan

For views of and from within the industry see

Spam Kings: The Real Story behind the High-Rolling Hucksters Pushing Porn, Pills, and %*@)# Enlargements (Sebastopol: O'Reilly 2004) by Brian McWilliams

Inside the SPAM Cartel (New York: Syngress 2004) by Spammer-X

Spam Wars: Our Last Best Chance to Defeat Spammers, Scammers & Hackers (New York: Select 2004) by Danny Goodman

email scams

A note about the 419 (aka Nigerian) email scam and chain email scams is here.



version of December 2004
© Bruce Arnold | caslon analytics