Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why Is There So Much Spam?

Because it works.

Even though most of us might never fall for it, the reason there's so much spam is simple: spam works.
The Best of Ask Leo!
No Spam
(Image: canva.com)
Question: Between bouts of frustration with my inbox, I’ve been reading your various articles on spam. I think I’m slowly getting a handle on it all, but it sure seems crazy. And it really got me to wondering… why is there so much spam in the first place?

I feel your pain.

Some time ago, I did some research. I looked at all my email for an entire year. I found out that not only do I get a lot of email, but my calculations show that 87% of it was junk. Wow.

Why is there so much spam?

Because it works.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Why so much spam?

Even if only a tiny fraction of the recipients of spam respond to it or fall for it, that’s enough for spam to be successful. More people fall for spam than we think — even the spam that seems obvious. Spam preys on the vulnerable. Spam continues to exist because it works.

High volume, tiny success

I define spam as unsolicited email, or email you did not ask for.

There are different types of spam, but in almost every case, sending spam is so cheap that it doesn’t take much response for a spammer to declare a spam campaign a rousing success.

For example, say a spammer sends out 10,000,000 emails pushing a knock-off of the latest wonder drug. If only a tiny percent — perhaps even just one person out of ten million — purchases the drug, the spammer has made a profit. It doesn’t matter if it’s fake watches, body-part enhancement aids, or cheap computer software; if even the tiniest percentage of spam emails result in a sale, then that spam was successful, and you can bet it will continue.

But wait! There’s more!

We don’t fall for scams — do we?

The most famous scam is the so-called Nigerian scam, also known as the 4191 or “advance fee” scam. You receive an email “in confidence” from some supposedly high-ranking official attempting to move large amounts of money out of their country. They need your help, and in return, they promise you a significant portion of those funds. Once you engage, they use various techniques to scam money from you until you finally realize you’ve been had.

That’s common knowledge, right? Nobody falls for that anymore, right?

I thought so too, but it turns out you and I are both wrong. I checked with ScamBusters.org, and would you believe $100 to $200 million dollars are lost to these scammers every year? People continue to fall for it at an alarming rate.

You can see why variants are so popular right now. As I write this, I’m getting notified several times a day of various lotteries I’ve won overseas, and I still get variations on the Nigerian scam where the names and countries have been changed.

They exist because they work. They don’t need to work often; even the occasional success on the scammer/spammer’s part is enough.

And there’s even more…

Is that email really from who you think it is?

Phishing is email that looks like it came from a legitimate source, like eBay, PayPal, your bank, your ISP, or your email provider. It asks you to visit a site to confirm or update some information. When you get to that site — which, again, looks legitimate — you’re asked to log in with your account name and password, after which it might ask you to “confirm” additional private information by providing things like your credit card number.

The problem, of course, is that the site isn’t legitimate, and you’ve just given your login or personal information to a scammer, who probably uses or sells it within minutes.

Phishing and advance-fee scams are two of the most prevalent traps we fall prey to. Some scams are very well-crafted. Some aren’t, but people fall for those too. It only takes a little success for a phishing campaign to be worth continuing.

Because it works

So why is there so much spam? Because it works. It’s dirt cheap to send out a ton of spam, and as long as just a few people respond, spammers continue to find ways to get their junk into our inboxes.

So what about those few people? Are they ignorant? Naive? Uninformed? Desperate? Perhaps even — dare I say it — stupid?

Yes. No. All of the above. Maybe. Sometimes.

There’s no one conclusion to be drawn. People definitely aren’t as educated about scams as they should be. Unfortunately, that state of affairs predates the internet and email. The promise of something for next to nothing is just too good to ignore for some people, and thus they become victims.

The rest of us become indirect victims as we wade through the sea of spam.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: A reference to the Nigerian Criminal Code.

53 comments on “Why Is There So Much Spam?”

  1. For me the problem isn’t that the spam’s unsolicited, but that it’s poor quality, illiterate, incoherent.

    I don’t like to frighten you all, but there’s a gap a million miles wide for intelligent, literate, sophisticated and, above all, entertaing spam. When the villains latch on to this, they’ll *really* clean up! People will always forgive someone who’s entertaining.

    Reply
  2. In my experience, the reasons that there is so much SPAM are:
    1. Legislation is required to prevent unsolicited e-mail.
    2. Current Anti-Spam software is 90% useless.

    Reply
    • Alan:

      The can spam act was an attempt at blocking it. Just made some of it seem more legitimate. As can be seen with the do not call list, laws will not block it. The likelyhood of getting caught is slim and most are outside the jurisdiction of US laws, or could be very easily.

      You need to try running your mail through Gmail’s system (and using the online version to report spam to them. reporting it trains their filters).
      I have a domain of my own but the mail is passed through Gmail. Their system is extremely good. The blocking rate for spam is well over 99% blocked. I think that I may have seen one spam message more than a month ago out of 500 or so blocked ones. The false positive rate is even better. I check the spam folder regularly and am shocked when a bulk email (from groups I belong to) gets blocked. Usually, it is one that looks kind of like an advertisement.

      Reply
      • I do EXACTLY the same thing. In addition to my gmail address, I have two other accounts that forward to my gmail account which is uncannily excellent at filtering spam. Maybe one a month at most gets through and almost zero legit emails get misclassified as spam.

        Reply
        • Amazingly I get virtually no spam. Possibly 10 in total in the last 18 months. But I certainly do get valid email going to the spam folder in Gmail. Not so much that it is an issue, just check it when the SPAM changes from grey to black in Gmail.

          The best thing ever was our ISP killing off email because of the spam overload. Then I would easily get upwards to 300 spam emails per day, per email address. Had 6 of them. And most of them did NOT get triggered by the ISP’s so called world class spam filters.

          Reply
  3. I believe that there are so many people on the internet who are looking for ways to promote their business or program, that they sign up to the so called free website submission programs where they give their own email address to join. Then there are thousands of money hungry people who will then send emails to them, most of which are junk.

    Reply
  4. I am so frustrated with getting comments from spammers that scraped an article I wrote.

    My boyfriend says I should let it bother me coz no one will see it and it is a back link.This confuses me.

    I don’t want to be linked with the type of blog that has spam,scraped and sponged me.

    I have set the comments to moderation and still find this week a daily comment from the same domain with a different IP address.

    Do you have any suggestions for me.Just what is the purpose of hitting a blog site with spam comments?

    Thank you
    Bunny

    Reply
  5. Bunny, the reason for spam comments on your blog is simple: to get a backlink to their spammy site which Google may use as a positive factor in calculating the worth of their site. That’s also why they may scrape your site, steal paragraphs of your content, and link to you in the hopes of a pingback link. It’s all in their attempts to fool Google and other search engines into believing their site has something worthwhile on it.

    Reply
  6. Since I started using Gmail I hardly ever get spam. Maybe once or twice a month one will get through, and for some reason it’s usually an obvious one, like a Nigerian style scam. I check the spam folder but haven’t had any real mail dumped there yet. Why does Gmail’s spam filter work so well?

    Reply
  7. Why aren’t Yahoo!; Hotmail; Gmail; AOL and other similar web mail providers more circumspect with e-mail account registrations?

    When I have time I forward scam messages, complete with headers, to the provider concerned and in their defence they usually close the offending account immediately. The scammer/spammer, however, simply registers another and off they go again.

    What I find quite extraordinary is the so obviously forged names which these providers permit, presumably by use of an automated registration processes.

    As another correspondent has so aptly put it…
    we simply have to get over it!

    Actually most email services have stopped automated account creation completely using techniques such as Captchas and rate limiting account creation. What spammers are now doing is hiring cheap labor to quite literally create these accounts by hand.

    Leo
    09-Dec-2009

    Reply
  8. Leo,

    Thanks for the newsletter, it’s great!

    Idea – computer manufacturers could include a start up screen that would activate when you set up a new computer that outlines spam, scams, phishing, hacking email addresses, strong and to change passwords, etc. Yeah, I know, alot of people would just skip it (especially if it’s not their first computer), but if it saves some new computer people, it would be worth it.

    I’m not a programmer, don’t know how much work it would be for the company to do an info page like that, but it would only need to be programmed once – that component could be added to each subsequent start up program, right?

    I wish that ISP’s would limit their users to their respective country – if you’re not in the US you can’t sign up on yahoo.com, etc – it would have to be yahoo.(your country). Then ISP’s give their customers the option to “opt out” of certain country “codes” – never receiving those emails.

    I don’t know if that would work completely – they always find a way around it. If these people worked half as hard at “real” problems/jobs, they wouldn’t have to work as hard. ;)

    That startup screen would be easy, BUT – NO ONE would read it. It’d be an annoyance and a waste of time. Consider how much information there already is on the subject that most people pay little or no attention to even after having been told again and again. I like the sentiment expressed by the idea, but IMO it has zero chance of any significant success.

    Leo
    19-Apr-2011
    Reply
  9. Some people do read the info – I know someone that I had to call for my business, through general conversation, she had just bought her first computer in her 60’s. I let her know about the spam, scams, etc and directed her to your newsletter for more info – she emailed me later and said how much she learned just from our conversation and your info, and had much more to read. :)

    Reply
  10. To the gent that hardly ever gets spam on Google – Check your spam folder, it is there. along with e-mail that you might want to get. Same with Yahoo mail.

    Reply
    • Yes. That’s me too. I hardly ever get Spam in my account. They’re two emails in my Spam folder right now, three weeks apart. And as usual, Google will delete them once they’ve been there for 30 days.

      Reply
  11. @Dan,
    Gmail’s spam filter is IMHO sub-optimal. My wife received a mail from a nephew and forwarded it to my computer — not a Nigerian in sight — and Gmail stopped it as spam.

    Reply
  12. After a few months training, Gmail is now 99.9% effective for me. I get over 400 spam emails a month and only occasionally does one slip through the spam filters, so spam has become a non-problem for me. I suspect many are unwilling to invest the little time that is required to do the training.

    Reply
  13. In an ironic twist, Mozilla Thunderbird always thinks Ask Leo is a threat. I have to tell it to ignore the warning every time I open the newsletter. I can’t seem to train it to know the Ask Leo and The Straight Dope newsletters are legit. I’ve added them to my personal email address list but no joy. I can only assume it’s due to the HTML embedded.

    Reply
  14. I love those ones that say they want to bring money into my country. When I have the time I string them along as if I fell for their BS. They spend days convincing me they are on the up and up. I keep asking stupid questions just to make them work for it then when it comes time for me to pay I say no and they spend a bunch more time trying to convince me. Some of them get real mad. lol.

    Reply
    • @Rick + Snert

      Hahahaa! I’m not the only one that gets a kick out of stringing them along then! I do exactly the same, sometimes indirectly from a throw-away email address to avoid revenge attacks. I get such joy out of wasting their time and then I share my exploits on Facebook in my ‘scam of the week’ synopsis. Some of them are simply pure genius that you couldn’t make up if you tried. It does really highlight just how retarded and illiterate (albeit sometimes technically-gifted) some of these scammers are. Even seemingly ‘authentic’ email scams are full of holes if you look through sceptical eyes. Stay frosty, people

      Reply
  15. I’m with Rick. I love stringing these jerks along. I’m not working and I have time to waste, so why not? I figure if they’re spending time on me they’re not bugging somebody else. I make up idiotic scenarios about why I can’t send money at that moment – “My wife’s getting married and I have to disinter the groom.”, or “My mother needed $1,252.59 for treatment for her acute dromadrosis.” I had one going for almost a month. I had a blast but I think he got a tad PO’d.

    Reply
  16. I would have thought that the ISPs themselves a) resent so much of their traffic being spam, and b) could stop it at once. How? Simply by restricting all subscribers’ input to the Internet, either
    a) by number of addressees per e-mail (say 20?); or
    b) by number of messages per day (say 50?); or c) by a combination – or something similar.

    You, Leo, would obviously register for more than the “standard” allowance – but you would have to satisfy the ISP w.r.t. your bona fides.

    Reply
  17. The bulk of the spam I get is from myself.
    Or appears to be.
    I have receives thousands of returned emails as undeliverable in the last 8 months.
    Spammers have adopted my domain as a return address.
    Those thousands I receive can only be the tip of the iceberg. They have had to have sent out millions.
    Do you think it would be wise of me to delete the domain? I have several web pages attached as well as email accounts set up under it.
    It would mean starting over on everything.
    Since I have stopped developing my pages as a result of this perhaps it is a non issue.

    Reply
  18. @Roy,
    This is “from spoofing.” It’s not coming from your domain and no need to close down because of it. The spammers send out emails using a program that makes the from the same as the to. So I would get the very same email but to me – and from me.

    In other words, nobody else is getting this spam from your site (unless, of course, your email has been hacked and that’s another story!)

    Here’s an article from Leo on from spoofing:
    Why am I getting spam from myself?

    Reply
  19. The most puzzling aspect of SPAM is when there is nothing but silly phrases that are meaningless. At first, I was concerned that it was code to insert malware into my computer. But with up-to-date processes to monitor it, along with UAC, and weekly application of total system scans, I’m not seeing any malware takeover. I could be mistaken, but after 30 years of computer usage, I’m not seeing any unusual behavior in my system, nor has any personal or business information become problematic.

    The other question is why GMail can do such an excellent job of separating SPAM (for FREE!) while ISPs, either, cannot or want $7 a month to do so.

    Reply
  20. When I get spam in my inbox I put a checkmark and mark it as spam. I look through the pages in my spam folder to make sure there’s nothing from people I want to get email from and I delete it all. I never open spam because I don’t know what’s in there.

    Reply
  21. After 30 years you’d think the ISP’s would have developed a Pay for Email system – If only $0.001 – a tenth of a penny per email, people would be careful to cull their Reply All tendencies and spammers would be hit hard.

    Reply
  22. I don’t get much spam, and most of what I do get is automatically filtered to my Spam folder. One way I achieve this is to minimise use of my “official” email address. Instead I mainly use Yahoo disposable addresses (like I do with you Leo) and if spam starts coming to one I simply bin it and create another one (renewing any subscriptions or whatever I want to associate it with.

    A couple of times with phishing I have visited a website and put “spoof” info in, false name and card number etc. It might be a good idea if lots of people would do that in order to waste the “phishers” time and put rubbish into their databases. Might be dangerous though, what do you think Leo?

    Reply
  23. @Nick
    There was a time when I did things like that. Now, I’d be more careful, considering that some sites can inject malware into your system simply when you visit them. The risk of clicking on unknown links is too great to take a chance with.

    Reply
  24. ”Why is there so much spam? It’s very simple, really. …” [ … next bit not re-quoted so please refer to original comment!]

    For goodness’ sake, Leo! Don’t broadcast it!!

    Reply
  25. A simple (HA) way to stop spam: Add a small fee (say a tenth of a cent) for every email that goes out, waived if the total is smaller than what would be incurred by any non-spammer — say

    Reply
  26. It would be great if they came out with a “DO NOT SEND ME SPAM” program, kinda like the DO NOT CALL LIST for phone calls. We never know, this day in age, anything is possible.

    Reply
    • The problem is most spam comes from countries, or at least through servers in countries, where measures like this aren’t enforced. Until we can persuade the rogue countries in this world to take a common position on this problem, it won’t go away.

      Reply
    • The do not call list and the ban on spam calls to cell phones has not worked for over a decade. Spammers don’t care about US laws, even the ones in the US.
      For phones, there is a new law that phone companies do not have to connect the call if the “from” number is faked. The only way for them to know that would be to check every phone number in the country to see if this one is active.

      Reply
      • True, and additionally, more and more spam doesn’t come directly from the spammers. It comes via spam bots, malware which sends out spam from computers which are infected. If you block the sender, you’ve only blocked the IP address of a victim of that malware, and there are still millions of spam bots sending out spam.

        Reply
  27. I’m always personally amazed, because I was a computer science major back in the mid-90s, so I’ve been telling my parents for literal decades what to look out for, what not to click, how easy it is to tell if something is legit, but they still check with me, what is this? I think this is spam! Yes, if you even think it is, it is. If you’re about to turn 70 and I’ve given you enough wariness to think about it, and you’ve thought, yes! then it probably is. What will you lose if you’re wrong anyway?

    Reply
  28. After a bit over 20 years using email/webmail the amount of spam I get is next to nothing now. I don’t see a lot of it in the spam filter or inbox. A few years ago I was asked by a friend to clean over 1500 unwanted messages from their inbox and I found that they were signing up for a lot of things that promised them savings for their family etc and it just blew up.

    I went through them with this person and asked them to describe what each new sender I found might be for and after a few hours I had it cleared up and had a talk with them about what they were doing. I think it helped them.

    There is a honeymoon period for internet users when they just dive in and try everything, and eventually they ‘mature/age’ and begin to stick to what they like or pull away from some sites. The honeymoon is when some run into these troubles.

    Reply
  29. Hi Leo, I used to receive only two maybe three spam a week. That changed when I reluctantly opened a facebook account. Now I get 100+! There watching us… I cancelled my account but the damage is done!

    Reply
  30. Hi, Leo, in one day, i got 168 spam messages in my email. Some from repeated source. Is there a way to atleast get a minimum? I envy you that you do not get any spam message. Please give a clue about that .

    Reply
  31. Hi, I have been getting spam comments on my contact page. These emails have do not reply for return addresses. How can I keep them away?

    Reply
  32. I’ve noticed that a number of legitimate companies send duplicate emails, which I assume they do to be certain that if one copy of the email doesn’t get to me, the other copy will. The problem with this is that it increases the traffic on the email servers, and if everyone did this it would be an absolute nightmare. Also, it some cases I’ve received as many as 10 duplicate emails from a legitimate company. I’m not sure if this is intentional, or if someone held a key down too long, but in any case, this adds to the traffic and I consider that company to be spamming me.

    Reply
  33. The best Spam I’ve seen (I’ll call it ultra spam because it was targeted to each recipient) was a knock off of an IRS document, replete with authentic, copied, logo. It used the recipient’s SSN, purchased no doubt on the dark web and told them to make up a tax “deficiency”. Everything was spelled correctly, and it used good grammar. The sum was not outrageous. The sender asked for a payment by mail to a PO box one or two zip codes away from an actual IRS address. The sole giveaway was asking the target to make the check payable to IRS instead of US Treasury, a very subtle shift. Very easy to fall for. I would wager no one at the Post Office questioned boxing IRS mail.

    Reply
    • I’ve often said that when spammers learn English grammar and spelling, we’re doomed. Though there’s a counter argument that says it’s on purpose, and targets the less educated, and theoretically less astute, victim.

      Reply
      • I somehow don’t buy the deliberate poor grammar theory. A well-written email or good grammar and design would just as easily fool the less astute target and might even draw in a few more astute targets. I generally chalk it up to non-native English speakers or people from countries where good grammar is a rarity.

        Reply
  34. I don’t remember where I read this, but my understanding is that the “Nigeria Scam” actually predates the Internet — it was making its way across fax machines!!!

    And yes, it very definitely does still work at times!!!

    Not all that long ago — a few months, I think — some schlub of a woman was trying (without much success, might I add!) to convince Judge Judy* that because she fell for the scam, it was the scammers who should be held responsible for a bank’s loss, not her!. Da Judge took one single glance at the E-Mail she had received, and nearly fell out of her chair with laughter! “Solventur risu tabulae.” — “The case is dismissed with a laugh” (i.e., she was laughed out of court. NOTE: I believe that “tabulae” actually means “tablets;” the word used to mean “case,” as in a legal case.)


    *We call her “Sludge Judy” in our house. :)

    Reply
  35. @TheGrandRascal Those scams also predate the fax machine era. I remember seeing it in good old snail mail as we like to call the postal service now.

    I always consider it ridiculous that someone would offer me millions and then ask me to pay a fee to receive it. Just deduct the fees and send my cheque please!!

    Reply
  36. I have used the same Yahoo account for more years than I can remember- – at least 15 now. The amount of spam and junk mail I receive is almost none and continues to be so. Bottom line, if people would stop providing their e-mail address to every big box corporation, points/reward system, free offer, survey and celebrity click bait out there, the spam and junk mail has far less avenues of finding them. I am living proof, using Yahoo, the same company that has been exposed for how many breeches? I refuse to give anyone my email address unless absolutely necessary to complete an online purchase. I have eliminated nearly all those daily adds/sales from stores, because no one truly knows who and where they are accessing the information you give them. Sears is probably one of the worst I’ve seen, using your email address for Shop My Way, Shop My Way Rewards, K-Mart, Sears, Sears Rewards, Sears Customer Protection, and Sears Parts to name a few – – that’s a lot of sources and people possessing your e-mail, and that is from just one corporation. Periodically I will get a day or two of continuous nude/porn/hookup or fake Amazon crap in my spam box, and it’s almost immediately after I have given in to providing my e-mail for something like a purchase, This usually stops a week later and may not be seen again for months. I have even gone complete years without receiving a single spam. Bottom line, you can’t control it, but you sure can limit the nuisance.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.