One major problem facing modern computing systems and communications systems is the prevalence of spam and/or scam electronic mail (e-mail) that includes malicious content. Herein, malicious content includes, but is not limited to: any content that promotes and/or is associated with fraud; any content that promotes and/or is associated with various financial scams; any content that promotes and/or is associated with any criminal activity; and/or any content that promotes and/or is associated with harmful and/or otherwise undesirable content, whether illegal in a given jurisdiction or not.
One common form of scam e-mail is the confidence scam e-mail, which entices a user/victim to provide funds in response to the scam e-mail, typically by eventually asking the user/victim to provide credit card or other payment information, or to pay via an untraceable and/or irreversible means such as wire transfer. One very well known type of confidence scam e-mail is the advance-fee fraud scam e-mail, which entices a user/victim to provide funds in response to the scam e-mail, typically via an untraceable and/or irreversible means such as wire transfer, in order for the user/victim to receive a return on their investment that far outweighs the amount of money being requested.
One particularly troublesome, and at times dangerous, form of advance-fee fraud e-mail is the so-called “Nigerian 419” scam e-mail. A typical Nigerian 419 e-mail is a widely used form of advance-fee fraud in which the target is persuaded to advance sums of money in the hope of realizing a significantly larger gain. The number “419” refers to the article of the Nigerian Criminal Code (part of Chapter 38: “Obtaining Property by false pretences; Cheating”) dealing with fraud.
Although similar to older scams such as the Spanish Prisoner, the modern Nigerian 419 scam originated in the early 1980s as the oil-based Nigerian economy declined. Several unemployed university students first used this scam as a means of manipulating business visitors interested in shady deals in the Nigerian oil sector before targeting businessmen in the west, and later the wider population. Scammers in the early-to-mid 1990s targeted companies, sending scam messages via letter, fax, or Telex. The spread of e-mail and easy access to e-mail-harvesting software significantly lowered the cost of sending scam letters by using the Internet. In the 2000s, the Nigerian 419 scam has spurred imitations from other locations in Africa, Asia and Eastern Europe, and, more recently, from North America, Western Europe (mainly UK), and Australia, the latter three mainly done by Africans.
A Nigerian 419 scam usually begins with an e-mail purportedly sent to a selected recipient but actually sent to many, making an offer that would result in a large payoff for the victim. The e-mail's subject line often says something like “From the desk of Mr. [Name]”, “Your assistance is needed”, and so on. The details vary, but the usual story is that a person, often a government or bank employee, knows of a large amount of unclaimed money or gold which he cannot access directly, usually because he has no right to it. The sums involved are usually in the millions of dollars, and the investor is promised a large share, typically ten to forty percent, if they assist the scam character in retrieving the money. Whilst the vast majority of recipients do not respond to these scam e-mails, a very small percentage do, but this is often enough to make the fraud worthwhile as many millions of messages can be sent. Invariably sums of money which are substantial, but very much smaller than the promised profits, are said to be required in advance for bribes, fees, etc. This is the money being stolen from the victim, who thinks he or she is investing to make a huge profit.
A Nigerian 419 scammer often introduces a delay or monetary hurdle that prevents the deal from occurring as planned, such as “To transmit the money, we need to bribe a bank official. Could you help us with a loan?” or “For you to be a party to the transaction, you must have holdings at a Nigerian bank of $100,000 or more” or some similar request. More delays and more additional costs are then added, always keeping the promise of an imminent large transfer alive, convincing the victim that the money they are currently paying is covered several times over by the payoff. However, the essential fact in all advance-fee fraud operations, such as a Nigerian 419 scam, is that the promised money transfer never happens because the money or gold does not exist. The perpetrators rely on the fact that, by the time the victim realizes this, the victim may have sent thousands of dollars of their own money, and sometimes thousands or millions more that has been borrowed or stolen, to the scammer via an untraceable and/or irreversible means such as wire transfer.
Since e-mail scammers typically send the scam e-mails person-to-person using legitimate e-mail services, identifying scam e-mails and quarantining them is often quite difficult. In addition, scammers are adept at hiding their identity using multiple aliases and frequently using internet cafes for scam e-mail distribution. Consequently, it is often quite difficult to identify scam e-mails using traditional and currently available methods and systems.
In addition, scammers repeatedly and regularly change the content of their scam e-mails. As a result, language based filtering to identify and block scam e-mails is often of little use. In addition, many scammers have recently begun to send their scam e-mails as file attachments, thereby further frustrating and evading analysis and detection.
Despite the inherent difficulty in identifying and blocking scam e-mails, most scam e-mails do have one element that distinguishes them from other illegitimate e-mails, such as spam, phishing, and malware propagating e-mails. That is the fact that for the scam e-mail to yield results, the scammer must eventually make, and often maintain, contact with the user/victim in order to lure the user/victim into providing the funds. However, as noted, scammers typically send their scam e-mails out using webmail services. Consequently, the connecting IP address detected by a security system, i.e., a spam filtering system, is the IP address of the webmail service and this IP address cannot be blocked without blocking a large number of legitimate e-mails as well, i.e., blocking the IP address of the webmail service would result in an overwhelming number of false positive results. What is really needed is the IP address of the original sender of the scam e-mail, i.e., the scammer. However, using current methods and currently available security systems, determining the IP address of the original sender of a scam e-mail, i.e., the IP address of the scammer, has proven to be a highly elusive goal.
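The following is an added example, not part of the original text, that illustrates the point made above about the connecting IP address. It walks the Received header chain of two constructed messages sent through the same hypothetical webmail provider (one scam-style, one legitimate) and shows that the IP address a receiving mail server can actually vouch for is the provider's outbound relay, so a block on that address also drops the legitimate mail, while the address of the original submitter appears only in Received headers written by other servers, which the receiving side cannot verify. All host names, addresses and messages are constructed for the example; the IP addresses are taken from the RFC 5737 documentation ranges.

```python
"""Added example (not from the original text): walk the Received header chain of
an e-mail to show why the *connecting* IP seen by a spam filter is the webmail
provider's relay, not the scammer, and why blocking it causes false positives.

All messages, host names and addresses below are constructed for the example;
the IPs come from the RFC 5737 documentation ranges.
"""
import email
import re
from email import policy

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_message(hops, sender, subject):
    """Assemble a raw RFC 5322 message whose Received headers list `hops`.

    `hops` is given oldest-first (origin -> ... -> our MX). Each MTA prepends
    its own Received header, so the raw message lists them newest-first.
    """
    lines = [f"Received: {hop}" for hop in reversed(hops)]
    lines += [f"From: {sender}", "To: recipient@victim-org.test",
              f"Subject: {subject}", "", "(constructed body)"]
    return "\n".join(lines)


# Constructed: scam-style message submitted to a webmail provider over HTTP,
# then relayed to the recipient's MX by the provider's outbound relay.
SCAM_MSG = build_message(
    hops=[
        "from [203.0.113.77] by webmail-frontend.example-webmail.test via HTTP; Mon, 1 Jan 2024 09:59:55 +0000",
        "from webmail-frontend.example-webmail.test ([198.51.100.5]) by mail-relay.example-webmail.test; Mon, 1 Jan 2024 09:59:58 +0000",
        "from mail-relay.example-webmail.test (mail-relay.example-webmail.test [192.0.2.10]) by mx.victim-org.test with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000",
    ],
    sender='"Mr. Name" <mr.name@example-webmail.test>',
    subject="Your assistance is needed",
)

# Constructed: legitimate message from another customer of the same provider.
LEGIT_MSG = build_message(
    hops=[
        "from [203.0.113.200] by webmail-frontend.example-webmail.test via HTTP; Mon, 1 Jan 2024 11:30:00 +0000",
        "from webmail-frontend.example-webmail.test ([198.51.100.5]) by mail-relay.example-webmail.test; Mon, 1 Jan 2024 11:30:02 +0000",
        "from mail-relay.example-webmail.test (mail-relay.example-webmail.test [192.0.2.10]) by mx.victim-org.test with ESMTPS; Mon, 1 Jan 2024 11:30:05 +0000",
    ],
    sender="Alice <alice@example-webmail.test>",
    subject="Lunch on Friday?",
)


def received_chain_ips(raw):
    """Return the first IPv4 literal in each Received header, newest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def connecting_ip(raw):
    """The IP that actually connected to our MX: the newest (topmost) hop.
    This is the only hop our own server observed and can vouch for."""
    ips = received_chain_ips(raw)
    return ips[0] if ips else None


def claimed_origin_ip(raw):
    """The IP in the oldest Received header. It is only *claimed*: every header
    below the hop we recorded ourselves was written by another server and may
    be forged or omitted, which is why pinning down the scammer is hard."""
    ips = received_chain_ips(raw)
    return ips[-1] if ips else None


def false_positives_if_blocked(ip, corpus):
    """Count legitimate messages that a block on `ip` at the connecting-IP
    level would drop. `corpus` is a list of (raw_message, is_legitimate)."""
    return sum(1 for raw, legit in corpus if legit and connecting_ip(raw) == ip)


if __name__ == "__main__":
    corpus = [(SCAM_MSG, False), (LEGIT_MSG, True)]
    relay = connecting_ip(SCAM_MSG)
    print("connecting IP (webmail relay):     ", relay)
    print("claimed origin IP of scam message: ", claimed_origin_ip(SCAM_MSG))
    print("claimed origin IP of legit message:", claimed_origin_ip(LEGIT_MSG))
    print("legit mail lost by blocking relay: ", false_positives_if_blocked(relay, corpus))
```

Both messages share the connecting address 192.0.2.10, so a block keyed on it costs one legitimate message per legitimate customer of the provider; the addresses that differ (203.0.113.77 versus 203.0.113.200) sit in the oldest Received headers, which the recipient never observed and which a sender can omit or forge, and some providers do not record a submitting address at all. That gap between what the receiving server can verify and what it would need to act on is the problem the text describes.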
As a result of the situation described above, scam e-mails are currently extremely difficult to identify and isolate and, therefore, many of these harmful, and at times dangerous, e-mails still find their way to thousands of victims each year. Clearly, this is a far from ideal situation for the victims, but it is also a problem for all users of e-mail who must suffer with the delays of false positives and/or must be wary of all e-mails, even those of legitimate origin and intent.