Is spam a dilemma, phenomenon, or both?

I do not know anyone that likes spam. Yet, nine out of every ten emails are spam-related. If it's not cost-effective, wouldn't spammers stop?


The fact that spam exists eludes me. First, how can you trust unsolicited email advertising questionable products (you know the kind)? Next, despite our disdain, spam must work. Otherwise, advertisers wouldn't be using it. In trying to figure this out, I came across the Messaging Anti-Abuse Working Group (MAAWG).

MAAWG is a consortium of Internet Service Providers (ISP), Email Service Providers (ESP), anti-spam technology vendors, and companies interested in fighting email abuse. Here's their mission statement:

"The purpose of MAAWG is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks, and other messaging exploitations.

To accomplish this, MAAWG develops initiatives in the three areas necessary to resolve the messaging abuse problem: Industry collaboration, technology, and public policy."

Last year, MAAWG published a report about email abuse. The paper is packed full of useful information. The 2010 Email Security Awareness and Usage Report is this year's equivalent. It's impressive, providing what I would consider an in-depth look at how users view spam. Check out what MAAWG is trying to accomplish with this survey:

  • Measure the levels of email users' awareness of spam issues.
  • Understand how email users distinguish legitimate email from spam.
  • Measure the level of awareness of messaging threats and perceived vulnerability.
  • Track changes in response patterns among U.S. respondents.
  • Provide a benchmark for future research.
  • Promote research results as basis for outreach and communication campaigns.

That's quite a list. Now, let's see what the participants had to say.

Who are the participants?

The survey is specific about participant requirements. MAAWG was looking for people that consider computers and the Internet a tool, not their profession. The following is how MAAWG classified the participants:

"Those surveyed were general consumers who indicated they did not have an IT professional managing their email address and were therefore generally responsible for their email experience. Since we were interested in consumers' habits, we did not differentiate between ISPs and ESPs, but used these terms to refer to the service where consumers obtain their email."

The interviews were held in early January of 2010 and involved six countries. The following graph depicts participant distribution by country:

Amount of experience

One of the first questions requires participants to judge their level of experience: How would you describe yourself when it comes to your experience with security on the Internet; including firewalls, spam, junk mail, and computer viruses? Here is what the participants decided:

  • 44 percent classified themselves as somewhat experienced.
  • 36 percent considered themselves having little or no experience.
  • 20 percent felt they were very experienced.

Importance of sender?

I thought this question was telling: In general, how important do you consider each of the following types of personal email sent you? A spammer or phisher would love to know which email addresses are important. It gives them a distinct advantage, since they can spoof the sent-by address. That said, email from family and friends topped the list as being extremely important, with financial email a close second. The following chart gives the rundown:

What is spam?

Next, MAAWG asked: How do you personally define spam? The respondents were asked to pick all that apply. Topping the list at 69 percent was non-requested email. The following chart shows the breakdown by type of email and participating country:

Spam indicators

Appropriately, the survey asked: When going through your email and deciding what email is spam and what is legitimate, what indicators do you rely on to help you decide? The sender's name or address garnered over 70 percent. Subject line came in second with 67 percent. The chart below lists all the indicators and how the participants ranked them:

By correlating the above results with other survey information, MAAWG was able to come up with the following statistics:

  • Women are more likely to check the sender's name or address (76 percent to 71 percent).
  • Men base their decision on the email's contents or spelling (56 percent to 49 percent).
  • Email users that are 55 or older are more likely to use all of the indicators.

The indicators seem intuitive. Yet, I never think to check the "time of day/night sent". I should, that's a great way to help verify the sender.

When is spam email opened?

The results of the next two questions are where I start to see a crack in the spam-fighting armor. MAAWG first asks: When you receive email that you think is spam, what do you usually do? Here are the results:

Over 60 percent say, "Do not open it." That's as I would expect. Do you agree? The next question is: Have you ever done any of the following? The first chart breaks the answers into age groups:

The next chart correlates participants' answers with their level of experience:

Almost half of the participants opened emails they suspected were spam. Does that surprise you? It did me, for the following two reasons:

  • First, the 18 to 34 age group was determined to be the more experienced, yet a large percentage of them opened suspect email.
  • Second, if you refer back to the question: When you receive email that you think is spam, what do you usually do? The chart points out 60 percent of all respondents do not open spam emails.

Does that mean users, even experienced ones, are tempted to check out email they know is spam at least some of the time?

Survey conclusions

If spam is a concern, take the survey and see how your answers compare. Then see if you agree with one of the conclusions made in the report:

"Among various types of organizations, Internet/email service providers and anti-virus software companies are those most widely perceived as responsible for stopping the spread of viruses, fraudulent email and spam.

Less than half of users think that stopping the spread of viruses and spam is their own responsibility, but they tend to rate themselves better at doing it than all organizations, except for anti-virus software companies which get the highest marks."

There is certainly some food for thought in that statement.

Is there a disconnect? Let's look at the conclusion in more detail. The survey participants feel that:

  • ISPs, ESPs, and antivirus providers, not users, are responsible for stopping spam.
  • Users are more capable of detecting and stopping spam than all organizations except antivirus providers.

I will let that sink in. In many ways this survey mirrors what I found when writing "Are users right in rejecting security advice" and "Is there hope for antivirus programs."

Final thoughts

I am starting to think the problem is more than a technical issue. Could it be another case of how "we're wired" is being used against us? What do you think?

I want to thank Linda Marcus of Astra Communications and MAAWG for publishing the 2010 Email Security Awareness and Usage Report, along with allowing me to repost the above MAAWG charts.