Why is spam email still a thing?

Because it works. Still relevant, from Microsoft Research:

"Why do Nigerian Scammers Say They are from Nigeria?"

This approach suggests an answer to the question in the title. Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.

https://www.microsoft.com/en-us/research/wp-content/uploads/...

Outright spam is one thing. What’s more prevalent these days and vastly more annoying is corporate spam. Every purchase now is apparently free license to send you pure garbage emails multiple times per day.

> These emails are so bad and there is almost no chance of them finding their way through a spam filter, why are people still sending them?

Most likely because the cost to send per email is so low as to be essentially free.

As well, there may be some amount of 'Nigerian email' issue here. I've heard it said that the "Nigerian prince with 65M needs help moving money to your country" emails are so poorly worded on purpose to specifically filter out individuals who are not good marks for exploitation. I.e., if the recipient fails to notice the poor wording and grammar then they may also be easier to exploit. It may be the same with the spam. If an individual responds to the spam, then the spammer knows they have possibly found a very gullible individual that can be easily exploited.

It still works. You don't need a lot of little old men buying knockoff Viagra or little old ladies looking for love to make a decent wage in a lot of countries. Also, you take for granted that everyone is benefiting from Google and Microsoft's SPAM filters attached to GMail and O365/Outlook. There are still a LOT of email addresses running on SMTP or even POP3. And a LOT of those email addresses are legacy addressses still in use by people that are rich targets for SPAM: old peopl using the addresses set for them in the 90's. A non-zero number of the messages that make it to your SPAM folder actually wind up in inboxes. Which inboxes? The ones that don't have good SPAM detection and, more importantly, are used by people that don't get a lot of email and may well be thirsting for connection. My parents practically dive over furniture during dinner to answer the phone just to see who it is. This behavior extends to inboxes for a lot of people.

Sadly, better SPAM filter technology won't be the end of SPAM. SPAM will lose its efficacy when old, unfiltered inboxes stop being used. And they will stop being used when the (largely) older demographic stops using them as a result of the passing of time.

Check your spam box. There's probably one saying "we have control of your camera and we've seen you playing with yourself". There's usually a bitcoin address to send a few hundred bucks to so they don't "send all your contacts the video".

Give it a few days and go look at the address in a Blockchain explorer. There's usually 2 or 3 transactions.

I guess you send 10m emails, you get lucky a handful of times. Spam works enough to make it worth it, especially for what, 7 minutes work?

I switched away from Gmail a couple of years ago – I have gotten the impression that spam is only still a thing for Gmail users.

Gmail's spam filters would break horribly for me every few years, either flooding my inbox with spam, or filing obviously-not-spam emails in the spam folder.

With Fastmail, my experience is that all spam goes to the spam folder, and only a few questionable newsletters get put in the spam folder by "mistake".

Apparently enough people ultimately click the links to make it worth it for the spammers, otherwise it would have stopped.

It's probably something like less than 1 in 10,000 emails getting a click, which is depressing when you consider all the computing resources wasted by receiving email servers and then by all the recipients which need to filter out the noise (for example I still at least scan subject lines of items in my Gmail Spam folder).

So with that considered, spammers clearly completely lack empathy for their fellow human beings, they have zero care on the cost of their practice, as long as it makes them a few bucks. Sure, there are people who do far worse things, but that fact in no way redeems spammers.

Personally, I believe a spam will exist while it makes a reasonable profit. In other words, while people are still clicking links in those emails, and sending a thousand emails is dirty cheap - it will exist. I also believe that spam is unbeatable as a matter as it's now everywhere not only in "dirty cheap emails": we all faced robo-calls, sms, messages in social networks, etc. I'm even still receiving a spam into my analog postbox right at front of my house. It's something that will pursue us while it makes a sense for businesses.

This is why ;) https://www.thedailymash.co.uk/news/society/60-year-old-who-...

I recently realized that some websites which aggregate data on people (the same annoying ones that come up when you google your name) advertise the fact that the email addresses have been "verified", including the fact that emails sent to the address don't bounce.

So that makes me wonder which percentage of spam emails are actually just checking that the email address is valid and active.

At least sending spam is basically free for them, so any returns at all are gravy.

In your snail mail you're probably getting mostly paper advertising which goes straight into your recycling bin, and those people have to pay something even if it's "not much". And it's still apparently profitable, or else they wouldn't keep doing it.

Just hang out on NextDoor and you'll see how dumb some email users are. And then if you consider all the ones who are too dumb to even get on NextDoor, and you've got a target-rich environment there.

Check "scambaiting" generally, or for example "Kitboga" or "Scammer Payback" specifically on YouTube, for some funny-sad look on how many people can become gullible and vulnerable to various deception tactics. I only hope I'll never fall for one, but never am completely 100% sure; and we are going to get older at some point...

There are a lot of e-mail systems out there with not very good spam filters. And spammers do change up their methods to get around filters. You might not notice them, but people with less effective spam filters do get them. (And some people are dumb enough to read e-mails in their spam folder)

It's always been an economic numbers game. You might send 1 million spams that costs you $100, but you might get $400 in return from whoever paid for the spam campaign. If you're running your own spam operations for your own "products", you get more profit, but the risk and difficulty is higher.

I also have a theory that spies use spam as a form of steganography. If spam naturally contains a lot of variable information, and it comes from random places and is sent literally everywhere, it's not hard for a spy to receive an encoded message dropped into their mailbox without anyone even knowing what their e-mail address is.

I think that a lot of spam is sent to lists of emails compiled in the 90s. Pretty much any email address that ever posted to Usenet is hopelessly compromised. On the flip side, I don't think that the spammers scan websites for email addresses any more. I have an email I publish on my contact page on my writing website (with a mailto: link and everything) that gets close to zero spam, only marginally more than a domainname@domainname.com address that I never publish.

Looking at the spam that gets trapped in the filters, I do think that one source of addresses is now compromised accounts or computers since I'll occasionally see spam purporting to be from people I know.

As long as spammers can send large numbers of emails for free we’ll have spam. This extended to phone calls as well and I find this even more irritating as they interrupt me daily.

Id love to find a solution that does not involve adding more cost but I can’t. In the US I get spam calls from numbers that are completely made up legit numbers from my area code. Once my partner was called by a despetate lady screaming out not to spam call her anymore and no amount of explaining the phone calls didn’t originate from us would appease her. This particular incident happened 5 years ago. Spam calls haven’t stopped though. Luckily smart phones can label spam calls but they still disrupt.

Oh good, looks like I get to be the one to repost this classic [1]:

"Your post advocates a:

( ) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses

( ) Mailing lists and other legitimate email uses would be affected

( ) No one will be able to find the guy or collect the money

( ) It is defenseless against brute force attacks

( ) It will stop spam for two weeks and then we'll be stuck with it

( ) Users of email will not put up with it

( ) Microsoft will not put up with it

( ) The police will not put up with it

( ) Requires too much cooperation from spammers

( ) Requires immediate total cooperation from everybody at once

( ) Many email users cannot afford to lose business or alienate potential employers

( ) Spammers don't care about invalid addresses in their lists

( ) Anyone could anonymously destroy anyone else's career or business

*Specifically, your plan fails to account for:*

( ) Laws expressly prohibiting it

( ) Lack of centrally controlling authority for email

( ) Open relays in foreign countries

( ) Ease of searching tiny alphanumeric address space of all email addresses

( ) Asshats

( ) Jurisdictional problems

( ) Unpopularity of weird new taxes

( ) Public reluctance to accept weird new forms of money

( ) Huge existing software investment in SMTP

( ) Susceptibility of protocols other than SMTP to attack

( ) Willingness of users to install OS patches received by email

( ) Armies of worm riddled broadband-connected Windows boxes

( ) Eternal arms race involved in all filtering approaches

( ) Extreme profitability of spam

( ) Joe jobs and/or identity theft

( ) Technically illiterate politicians

( ) Extreme stupidity on the part of people who do business with spammers

( ) Dishonesty on the part of spammers themselves

( ) Bandwidth costs that are unaffected by client filtering

( ) Outlook

*and the following philosophical objections may also apply:*

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

( ) Any scheme based on opt-out is unacceptable

( ) SMTP headers should not be the subject of legislation

( ) Blacklists suck

( ) Whitelists suck

( ) We should be able to talk about Viagra without being censored

( ) Countermeasures should not involve wire fraud or credit card fraud

( ) Countermeasures should not involve sabotage of public networks

( ) Countermeasures must work if phased in gradually

( ) Sending email should be free

( ) Why should we have to trust you and your servers?

( ) Incompatiblity with open source or open source licenses

( ) Feel-good measures do nothing to solve the problem

( ) Temporary/one-time email addresses are cumbersome

( ) I don't want the government reading my email

( ) Killing them that way is not slow and painful enough

*Furthermore, this is what I think about you:*

( ) Sorry dude, but I don't think it would work.

( ) This is a stupid idea, and you're a stupid person for suggesting it.

( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!"

[1] https://craphound.com/spamsolutions.txt

Spam exists because sending as others here have mentioned is free. The knee-jerk reaction might be to make it not free and technically that would be rather simple. Beyond adding pre-approved DKIM signed domains to an approve-list, one could modify existing grey-list daemons to require either a one-time code or click a URL to enter authentication to approve the sender and add rate limiting for know abusers, but that isn't the problem. People are accustom to how email currently works and adding any barriers or changing communication flows or adding cost adds friction. Businesses and people will oppose friction.

I would be curious to see if anyone here has added such barriers and what their results were. What methods did you use to make spam expensive for spammers and how did it affect your legit customers and prospects?

I think of spam like a lot of direct physical mail. There’s two effects going on:

1. People will continue to use an easy tool even if it has become ineffective, because it’s available. It doesn’t take many spammers to send 100,000,000,000 emails. Direct mail isn’t what it used to be, but it’s baked into the systems for every car dealership and so it continues. Spam is probably 1000x less effective than it was in 2002, but most spammers aren’t running A/B tests either.

2. Just like direct mail, it’s easy to think that no one looks at spam because I don’t. In fact, there really are a lot of people who look at every coupon in the Captain D’s flyer. Same thing with spam…even if the open rate is 0.1%, that could still be 1 in 1000 people.

These days spam is less about selling you viagra or other crap, but probably more trying to phish or infect you in some way. They ransomeware you via some drive-by infection vector from email links, and then they get paid when you realize you're screwed.

I don’t think it’s as bad as it used to be. In the early 2000s I managed an email server (which was also running GNU mailman to provide mailing lists) and spam was a real problem. In 2015, I started self-hosting (Postfix, Dovecot) using my personal domain name and I was surprised at how little spam I was getting. All I had to do to stop the spam was to enable grey-listing: https://en.wikipedia.org/wiki/Greylisting_(email)

I think the question you should be asking is why the email standard has not evolved in a way to give users more control. Like + addressing that gmail uses is a great user control but its not supported everywhere. Extending on features like that would really empower users to control content in their mail box more.

An idea I have is if i could do this: ‘@.gmail.com’. Then change the subdomain part as i feel fit. Similar to plus addressing but dont allow no subdomain so its hard for marketters and spammers to remove.

Because forcing people to use anti virus spam filters is a way to spy legally on other people whilst getting paid for that spying without a shred of proof that someone is spying on you!

Ask yourself this, why doesnt email readers come up with a standalone built into way to reduce or shutdown the attack vector of antivirus and resource burn of spam filters?

Because email is essentially one of the oldest internet applications and also essentially has never changed.

That means, as has been stated in this thread a bunch of times, that sending spam is essentially "free", especially since they like to use exploited email accounts to do the sending if possible.

I am all for a re-envisioning of email from the ground up, tbh.

I think you would be interested in reading this post (it contains almost all the information you are interested in) - https://ivypanda.com/essays/e-mail-spam-what-it-is-and-how-i...

> These emails are so bad

From my understanding, that is a feature. It acts as a filter for the top % of more gullible targets.

> These emails are so bad and there is almost no chance of them finding their way through a spam filter,

I still get frequent emails in my gmail that say

> Hey It is your friend my e-mail HRU?

Or

> Hi godelski, are you in Cincinnati?

Just this week I got one about a Norton 360 purchase that looks really legit but I see no statement on my bank.

Lots of spam still gets through.

Because email is a system designed for ARPAnet not Internet, and it was designed to be used be people who could be trusted to not spam. No protections were built in, and email hasn't fundamentally changed since the late 70's. In mid-late 90's the masses came, and since then we've been adding band-aids to it to keep it alive but the truth of the matter is that it's still an open door just waiting to be walked into. You can DKIM, SPF, and do all the SMTP authentication you want, but the spammers still get through.

Sure, it might end up in the spam box. But so do real emails. So, spammers still get their emails viewed. As do phishers.

https://www.bankinfosecurity.com/tricked-rsa-worker-opened-b...

    A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee to retrieve from a junk-mail folder and open a message containing a virus that led to a sophisticated attack on the company's information systems,

https://www.wired.com/story/the-full-story-of-the-stunning-r...

TL;DR: Email is fundamentally broken because it was designed in a time when you could leave your doors unlocked at night.

Not just email. I got 3 texts this morning trying to pitch scam jobs, not to mention the endless robo calls

Total speculation: there are billions of people with access to the Internet. Every once in a while one of them says, "Maybe I'll try the Nigerian prince thing." Maybe it works, but maybe it never does. It is just that people can try it, basically for free, so some do.

Simply, it works some % of the time greater than 0 and it costs close to nothing to send it.

They do find their way to inboxes, especially for folks who continue to use services like Yahoo mail. Some get through Gmail too.

There are a LOT of older folks who are terribly un-savvy users who do not engage their brains when behind a computer.

It's a numbers game. The cost is almost zero to send, and one success can make a few thousand dollars or more. That's a ton of money in some of the world, especially parts of Africa and South America.

Why does Gmail even show them in the spam filter? Shouldn't it be so obvious spam that I don't have to deal with it? And then only keep the dubious stuff and show it to me.

I literally just got one that arrived into my inbox (made it past gmail filters) that had no subject line, a bunch of random emails on the CC and the body of the message was:

$45

The most direct spam yet!

Dude, spam on Usenet is still a thing. alt.books.iain-banks, for example, is utterly full of garbage, and that's for a discussion forum technology that's been obsolete for nearly twenty years.

I get spam from Google Apps customers, Office 365 customers, Mailgun customers, and more, despite these providers' terms of service. I get spam on my LinkedIn spamtrap address, my FreeBSD ports spamtrap address, and more. I'm seriously considering a switch to whitelisting, which is what I had to do on my phone to deal with all the robocallers. It's insane with motivated evil people will do for a little money.

Sign up for a Chick Fil A account and try to unsubscribe from their marketing emails. It's totally not a dark pattern that it fails or anything.

Because lots of people still think the internet is a democratic society with a decent police force and not the Wild West.

Same reason spam snail mail is a thing. All parties involve make money from it.

One thing that https://hey.com/ made me realize (even though I'm not a client) is that my inbox is open for everyone. Being able to screen emails is a cool way to prevent a lot of clutter.

It's a real conspiracy. Simple as that.

Google proved they could beat spam around year 2000, but now suddenly they are now letting messages through with headers that a toddler could tell you are fake.

They know it' spam, we all do. But they let it in anyway because there's some secret economic or political dynamic we aren't privy to.