User behavior will *always* (eventually) trump technology

The Seattle PI recently posted about recent changes in the numbers of unique visitors for the major email services such as hotmail, yahoo, gmail, QQ, etc. According to that data, hotmail lost some users. From the first comment:

I can't say I'm surprised. I have email accounts with hotmail, yahoo and google. Hotmail is the WORST at filtering spam. I only use it when I sign up for free samples and things, because I know I can just go in once a month and delete everything, since it's all crud.

Let me guess - he probably had that hotmail account for many many years and well, there have been a lot of free samples over the years... But hey, he'd never give away his shiny new Gmail address for those free samples because he values it too much for that. And wouldn't you know it, his gmail account also gets less spam. Yay technology!

It's all about technology, of course, and nothing at all to do with user behavior. Right?


To be clear, I don't mean to suggest that our spam-filtering technology is flawless, I have no idea how it specifically compares to our competitors[1] - for all I know, gmail might actually have a phenomenally better spam engine[2]. This comment just reminded me of one of my favorite axioms - User behavior will always ( eventually) trump technology:

  • If your email software forces you to save .EXE attachments to disk with a scary dialog, you can be darned sure that the next virus that comes out is going to be advertised as "A fix for the latest virus, just save it to disk and then run it!". Or why even bother going to that much effort, just pretend it's a $300 bill that's overdue. Or if you just block the .EXE filetypes outright and don't let users access it, the next virus will come in a .ZIP file. And if you add support for scanning within .ZIP files, the next virus will come in a password-protected .ZIP file that tells the recipient what the password is in the body of the message.
  • If you create an email address on a popular email service or at a large company that has only a few characters in it, you will get more spam, regardless of the quality of your spam filters, because you will be subjected to dictionary attacks.[3] Gmail doesn't even let you create an address with fewer than 6 characters - kudos for them for that small attempt to prevent users from shooting themselves in the foot.[4]
  • If you build the most awesomely secure website for your credit card with checks and balances up the wazoo, and ensure that no user will ever be able to make a purchase online without also sharing that doubleplussecret code on the back, you'll have to cross your fingers and hope that the minimum wage employee accepting your users' credit cards isn't careless or holding a grudge... and boy howdy I hope that nobody ever calls one of your users claiming to be you and telling them "Your account has been hacked, and can you please share your credit card number and expiration and secret code because that way we can verify we are talking to the true owner."
  • If your email service requires super strong passwords, see how many of your users will give up their password in exchange for the rich reward of a free pen or some chocolate.


[1] My gmail account is full of thrice-a-week emails from, I think because three years ago, I turned on google checkout in order to get $10 off when making a order, and apparently missed a checkbox that must have been checked by default begging them to spam me.

[2] Although, come to think of it... I honestly can't remember the last time I saw a spam message in my inbox for my work email. I've got my fair share in my junk mail folder, with almost zero false positives - and no false positives that I care about. And I even see some messages in there advertising VSLive that I certainly don't remember signing up for. Awesome. It's great to see the industry making progress in this area. It makes me slightly less embarrassed about how Bill said at a conference in 2004 that spam would be gone by 2006.

[3] I used to work with a guy that got randomly assigned an alias with only four characters in it. He got gobs of spam, way more than anyone else at work. Once he changed his alias to a longer number of characters, it magically stopped and never came back.

[4] Hotmail seems to support addresses of four and higher characters. I will send this suggestion to that team.

[5] "Spammers are turning a profit despite only getting one response for every 12.5m e-mails they send, finds a study"[6]

[6] Footnote #5 wasn't referenced anywhere. Did I just blow your mind or what?