Location: Home :: Commentary :: Spam Spam Spam Spam Email Spam Spam and Spam

Spam Spam Spam Spam Email Spam Spam and Spam

How to Stop Spam :: How to Prevent Spam

Spam. No, I'm not talking about the spiced ham product made by Hormel Foods . I'm talking about the unsolicited and unwanted junk email, rapidly clogging every email inbox on the 'Net. How do we stop it? And once we stop it, how do we prevent it from starting up again?

If you already have boxes full of the junk, it may be too late to stop it, but it's not too late to stem the tide. If you have a new box, you must practice these spamfighting techniques to perfection if you wish to remain spam-free.

Throughout this article (a combined rant and how-to essay), I scattered appropriately useful links to references on the subject of spam. All links marked as external lead to sites outside of the Thornton2.com domain. Because they are outside of my domain, I can not control their content, quality, or availability.

• Stopping Spam : Stamping Out Unwanted Email and News Postings - O'Reilly & Associates
• CAUCE - Coalition Against Unsolicited Commercial Email
• Spam expert says avoidance, not filtering is key to junk email reduction - PR Newswire, via Spam Slicer
• SPAM and the Internet - Hormel Foods' official position on the use of the term "spam"
• Spam is Bad - A Wisconsin Internet Community Against Spam

Spotting Spam

First, let's be clear on what spam is, and what it is not. Although spam is unsolicited junk mail, it is not all junk mail. When you provide your email address to a company, you are inviting that company to send you email. This includes letters, flyers and other email-based announcements for anything the company sells. These kinds of email are not spam. Unsolicited email from official partners and affiliates is a grey area, but still isn't real spam. When you have to provide your email address to a company, make sure you read whatever privacy and solicitation policy that company has. Know what you're submitting to when you click "Submit." Whether you opt in or out of any subscriptions, nothing the company sends you is spam.

Anything you receive from a person, company or organization that you have never done business with (or even heard of) is unsolicited email. If unsolicited email advertises a product or service, it's spam. Simple as that.

The most likely way that spammers get your email address is by purchasing a list of supposedly "confirmed opt-in" email addresses. Companies less than reputable will sell your address to companies with even worse reputations or greater gullibility. Once that happens, your address is shared and resold, and there's no way to eliminate a single name from every copy of every list. No way, that is, except time, patience, and a few feats of self-discipline.

• About the Problem - CAUCE
• The Story of "Nadine" - A Tale of Mailing Lists
• Eliminating Spam Perception - How to make solicited email not look unsolicited. (Opt-In News)

How to Recognize Spam

When it's sitting in your inbox waiting to be read or processed, what does it look like? Spam can look like a variety of things.

Spam can take the direct approach by being up front about what it's selling, thus lending an air of legitimacy to a completely illegitimate email. This kind of spam has a fairly well written subject line, and is addressed from a company name. Examination of the headers often reveals the actual sender addressed in the form of "somecompany@somefreewebmail.com"; hotmail.com, yahoo.com, and aol.com are the most well-known and most often abused free email providers.

Spam can be shady, by wrapping the sender and subject in vague and empty words, such as "Hi", or "Re: Here's the info you requested." Senders are usually common first names with no surnames. Usually, the sender's address doesn't even come close to matching the sender's supposed name.

Spam can be evasive or deceptive, by including a bunch of misspelled or curiously-spelled words, easily mistaken for l33tsp33k. Even though the subject appears to have been written by preschoolers, it's usually intentional; this is the sneakiest way for spam to make it past filters and rulesets and land in your inbox.

Finally, spam can be either deceptively or blatantly profane and pornographic. The subject usually describes violent, obscene, unnatural, embarassing, or voyeristic sexual perversions. The sender, however, is named as the victim of whatever acts are described in the email subject. On occasion, the "sender" is a well-liked or well-hated celebrity.

More often than not, the subject falls into one category while the sender falls in another. A developing trend in spam is to send spam addressed from an individual with a common girl's first name and a strange or obviously fake surname.

• You've Got Spam - The Weekly Standard
• Re: That spam I sent you - CFO.com

Inside Spam

If you ever have the curiosity to open a spam and look inside it (warning: read on before actually doing that), you will discover that it often sells something useless, worthless, and (when the price is ever named) overpriced. It plays on impulsive and thoughtless desires. This is always the case for porn spam, and nearly always so for other kinds of spam.

You must never open suspicious email in a less than secure environment. Spam almost always contains Web content; if it doesn't have pictures or other active content embedded, it downloads them from the Internet. Even a static picture, which doesn't cause any damage or changes to your computer, can have a serious negative impact on your environment; a seemingly harmless subject may hide a rather large and explicit obscene image.

• Beware Trojans Bearing Gifs - About a UK Defence contractor fired and tried for receiving child porn spam (IT Week U.K.)
• Symantec Study Reveals More than 80 Percent of Children Using Email Receive Inappropriate Spam Daily

How Spam Singles You Out

Spam contains Web content for a simple reason: it's so easy to trick you, and it's so easy to track you. Any page or message with Web content usually downloads that content from the Internet. This is done by sending a file request to a server, and embedded within that request can be any and all kinds of information. The best way for spammers to identify your email address uniquely is to embed an identifier in the requests. This identifier, if sent back to the spammer's server, lets the spammer know that his email was opened by a live human being, and therefore your email address is valid. This means money, as the spammer can now sell your address to other spammers. Identifiers can be sent as magic cookies or Web form data.

Another popular technique spammers use is including a unique identifier in the subject line, then tricking you into forwarding or replying. The default behavior for all email clients is to include the original subject line in all forwards and replies, which in this case includes the unique identifier.

Although these techniques are used in only a moderate percentage of spam, fully 100% of spam to which you actually follow up singles you out by requesting personal information from you, including that all-important piece of spamming information: your valid email address.

• Privacy.Net - The Consumer Information Organization
• Non-Solutions - What not to do (CAUCE)

How Spam Suckers You In

Actually, spammers don't have to use active Web content to sucker you; they don't even have to use any special-request pictures. All they have to do is give you the impression that what you're reading is legitimate instead of spam. They do this by giving you an opt-out or removal address to email. You must remember that you never opted in to spam. Sending email to opt out of spam never works. Even if you state quite clearly that you don't want spam, spammers will always use that as a license to spam. If you use the removal option in spam, you might as well reply, "Spam me!"

Spammers will also use the following claim of immunity:

Under Bill S.1618 TITLE III passed by the 105th U.S. Congress this message can't be considered Spam as long as I include a way to be removed. To be removed from future mailings, simply reply to this email with the word "REMOVE" in the subject line. Not following these instructions exactly will not get you removed automatically. Do Not incriminate your self by reporting a faulty Spam complaint if you have not attempted to get removed first.

First off, the Senate did in fact pass Bill S.1618 during the 105th Congress, but the bill was never signed into law. In the United States, there is no such law. Second, if any message claims that it isn't spam, it most certainly is spam. Next, you should never reply to, or try to opt out of, anything you never opted into. As stated earlier, the key difference between harmless junk mail and harmful spam is that harmless junk mail comes from companies who explicitly asked for (and got) your permission to email you. Finally, in this particular claim, you're bullied into silence until letting the spammer know that your address is valid, thus opening yourself up to even more spam.

Thanks to legislation like the "Can Spam Act" made law in the United States, spammers are tailoring the above claim of immunity by using the following. This was clipped nearly verbatim from an actual spam I received; I changed the "remove link" to point to CAUCE, when it had originally pointed to a spammer's Web site and contained a personal identification code. The original subject of the email was "Find and F"[Censored]" Your Dream Girl In Three Easy Steps!"

<p>As per new US Federal Law "can-spam" This email was sent with a working remove link which we will use to remove you from any database we may have in 10 days of your request.<br>

The problem with the Can Spam Act is that it permits mass marketers to send you unsolicited commercial email (UCE), or in plain English, it permits spammers to spam you, as long as they include in the body of the email a "working link" to remove you from their mailing list, if you so desire. First, if the link works, the spammer knows your address is valid, and the spammer has no legal obligation to not sell your address to another spammer (or even use it himself under the cover of another company). On top of that, you cannot bring any kind of legal action against the spammer because the spam complied with the law. Second, if the link doesn't work, the spammer has you, while you're left high and dry with no way, legal or technical, of stopping the spammer or his spam. In either case, as long as the Can Spam Act remains law, spammers can and will spam you more than ever if you use the "remove link". Can it yourself instead.

• The Ghost of Murk : States Enact Pro-Spam Laws (Ed Foster's GripeLog)
• Non-Solutions - What Not To Do (CAUCE)
• Discussion: "Why Don't You Just Unsubscribe?" - From the Story of "Nadine"

How Spammers Get Away Clean

Internet email is a simple and unchecked medium, routed with almost no accountability. This makes email incredibly easy to forge and, thanks to spammer-friendly mail exchangers, astoundingly efficient to send en masse. Even on a dialup connection, a spammer can send thousands or even millions of spam very quickly.

Forging email headers is how spam tricks spam filters into letting it pass. This is why some of your spam appears to come from fake addresses, celebrities, major corporations, and addresses that can't possibly exist on the Internet. This is also why spam is so difficult to trace.

Not only do spammers harvest email addresses for targets, they harvest addresses for forging; when you try to trace the spam to its source via forged headers and addresses, you will often dead-end at an innocent party. When this happens, the addresses in the headers rarely matches any names or addresses in the body or footer of the spam. If you follow up, the spammer has you. If you reply, you get a fellow spam victim, if you find anyone at all.

If you know the nitty-gritty details of email headers, you can usually spot forged headers by the route they take to your inbox. There may be a logical gap in the routing, or it may mysteriously go offshore between the supposed origin and destination. This isn't always a dead giveaway, because spammers can easily hijack poorly secured servers and routers near their forged origins, thus hiding the true origin behind a logical path.

• Email Mishap Shuts Down Genealogy Service - Spammers forged headers (CAUCE)
• Spammers Hijack IP Addresses - News.com Australia

Why Spam Is Dangerous

For genuine spam, purchasing any product or service through spam gives all spammers everywhere a license to spam you more than ever. The net result is that you will be too overloaded with junk mail, spam, and advertisements to make use of what you order. It's important to note that this kind of spam is so rare that it's virtually nonexistent; virtually all spam are scams.

For less than genuine spam, you will be scammed. If you receive anything at all, it will be overpriced, defective, modified, replaced with a substitute (false advertising), or a combination. For services, you will not receive what was advertised, or you will be charged for services not performed; you will almost always be charged up front, before the service is scheduled. For drugs and other highly sensitive items, what you get may seriously injure, sicken, or even kill you.

For the worst of spam, you will receive nothing at all, not even a point of contact through which you can get your money or identity back. There are a few scams that begin with spam, such as the Nigerian Fee Scam , that will lead to your virtual enslavement (or very real imprisonment) if you try to meet the scammer in person.

• Anatomy of a Penis Pill Swindle - MSNBC
• Internet ScamBusters - The #1 Publication on Online Fraud
• Beware Trojans Bearing Gifs - IT Week U.K.
• Behind the Spam Scams - Sydney Morning Herald
• An Open Letter to Spam Patrons - Jonathan's Corner

Fighting Spam

Make Filters or Rulesets for Spam

If there's something in common with most of your spam (such as a string of nonsense letters), filter it to your trash. Don't filter according to the sender's address, because most of them are either forged or disposable, and always unique. You will never capture all spam with filters or rules, but if you can capture most, do it.

Make Filters or Rulesets for Non-Spam

Make folders or boxes to categorize all of the email you expect to get, such as your family, your friends, and any lists you're subscribed to. Then make filters or rules to capture all of your expected mail, take them out of your inbox, and route them to their own spam-free folders. After doing that, all that's left in your inbox is unexpected mail, most of which will be spam.

Never Reply to Spam

Any reply, no matter what's in the reply, is a license to increase spam.

Think before Reporting Spam

Before reporting spam to the spammer's ISP, make absolutely certain that the ISP will take antispam action. Visit the ISP's Web site, if they have one, and see if it's the kind of organization that would provide email access to a third party. If it is, find their terms of service agreement or antispam policy, find the abuse reporting address, and report the spam. Make certain you give the abuse department as much of the original email as possible, including the headers. (Forward the spam as an attachment, if possible.)

If the Web site you get isn't that of an ISP, then the spam headers were forged, and tracing the spam to its true origin will be difficult, if not impossible. Don't report the spam to them, because they're most likely a third party, not even aware that their name is being abused in spam.

If the Web site you get peddles the same thing (or kinds of things) that the spam does, never report spam to them. They're the ones who sent the spam, so any email you send to them will be harvested for even more spamming. Instead, find out who hosts the spamming site, whether the host allows spam-related activities, and decide whether to report the spammer to them or not.

If you decide to report spam, remain calm, courteous, and professional in your email. Use the same grammar and style that you would use in a handwritten complaint letter. Consult your favorite handbook of style for details.

Also, if you invoke the name of the law, you must remember that the laws of the spammer's jurisdiction prevail over all other laws. Know the appropriate laws and treaties before claiming that any of them are being broken.

• CAUCE - Coalition Against Unsolicited Commercial Email
• Spam.Abuse.Net - Fight Spam on the Internet!
• Spam Solution Worse Than Spam - Tech Central Station
• Stop spam! - Internet ScamBusters

Never Use Remove Addresses in Spam

Using the removal address provided in a spam is the same thing as replying to spam. It's all collected by the spammer and used to verify that your address is read by a real live human being.

Don't confuse spam with subscriptions and harmless junk mail. If you explicitly opted in, opting out via the removal address will indeed get you removed from that list. Again, don't confuse this with spam.

• Discussion: "Why Don't You Just Unsubscribe?" - From the Story of "Nadine"
• The Ghost of Murk : States Enact Pro-Spam Laws (Ed Foster's GripeLog)
• Spam: The Gotchas Never End - eWeek

Never Open Spam Online

While you're connected to the Internet, an open spam's active content can report back to the spammer that the spam was read. If you use an email client that has a message preview pane, such as Outlook or Outlook Express, turn off the preview pane. Previewing spam in the preview pane has the same effect as deliberately opening spam in its own window.

This tip is impossible to practice if your email provider is entirely Web-based, such as Yahoo or MSN Hotmail. The very nature of the Web requires that you be online to use Web-based providers. Just understand that defending your Web-based email address against spamming is much more difficult than other kinds of email addresses.

If I may take a brief tangent for one paragraph, spam can carry trojan or virus code as attachments. It's extremely rare, but it does happen. If you use an unpatched version of Outlook Express, certain kinds of virus content can be run automatically from merely opening or previewing an infected email. Virii can do real damage to your computer, whether you're online or not, but if a virus is designed to collect data and send it to a spammer, then it can't do so if you're not online. Install the patches from WindowsUpdate.com or Microsoft.com, or use a different email client.

Shop Around for Email Programs and Providers

At work you may not have much choice, but at home you have a wide variety of choices. Don't just blindly use whatever email client that came with your computer. Look around for what's available for your operating system, see what features it has and how many of them would be useful, and whether the price is right. Popular alternatives to Microsoft Outlook Express (which is bundled with Windows), Balsa (bundled with GNOME for Linux), and KMail (bundled with KDE for Linux) include: Netscape Communicator, Mozilla.org, Qualcomm Eudora, Opera Software's Opera, and Ximian Evolution. Many more alternatives exist, with varying degrees of spamfighting capabilities.

Web-based email providers have the edge with novice email users, because they use a Web browser as the email client. However, the very nature of the Web does not lend itself well to fighting spam. With many Web-based providers, managing large quantities of email is a slow and tedious process which can not be done offline. At least one popular Web-based provider seems to go out of its way to make fighting spam as difficult as possible.

If you can find an email provider which lets you use IMAP4, and if your email client is compatible, you can delete spam without having to download it. Providers and clients using POP3 require that you download all your email before even seeing what you got.

Changing email clients usually doesn't require you to get a new email address. All you have to do is plug your provider's settings into the new client. Changing providers, however, usually means getting a new email address. The better clients are capable of managing multiple email addresses, so getting a new address doesn't require abandoning the old.

• Mozilla - The cutting-edge all-in-one Internet application suite, featuring a Web browser, email client, news reader, and IRC client
• Mozilla Thunderbird - The cutting-edge email application from the Mozilla Foundation: "Reclaim Your Inbox"
• Netscape - Owner and primary sponsor of Mozilla, Netscape's branded browser adds features and value (Pop-under alert!)
• Pegasus Mail - The Internet's Longest-Serving PC Email System
• Ximian Evolution - Integrated Workgroup and Personal Information Management for Linux and UNIX

Preventing Spam

Choose Your Provider Carefully

Some email providers are natural targets for spam. The critical factors are the size of the provider and the effectiveness of the provider's antispam measures. Of course, the more widespread the provider is, the more likely it will be a target. Popular targets include Web-based email providers like MSN, Yahoo, and America Online; and download-based email providers like America Online, Earthlink, and Road Runner.

The feature that more than any other exposes you to spam as soon as you sign up is a directory or White Pages. This directory exposes email addresses to the entire world. If membership is free, restricting the directory to members only is not protection enough to prevent exposure to spammers. Spammers can simply sign up for free (under an assumed name, if necessary), harvest the directory, spam from different accounts, and sell the addresses to other spammers.

Choose Your Mailing List Membership Carefully

If you sign up for membership in online groups or mailing lists, find out how much the group or list is exposed to non-members. If emailing members is as easy as a single click, if you're not logged in, your own address will be exposed to potential spamming. If spamming isn't as simple as a single click, or cut-and-pasting "name@provider.com" into an email program, then your own address is reasonably restricted to members only. The same applies to online Web forums.

If the group or list allows non-members to post to the list, then you may still get spam, but the target is the group/list at large and not you individually. If this is the case, preventing spam is as simple as unsubscribing from the offending group or list. If you're the moderator of the group or list, preventing spam from reaching any of your members is as simple as closing it so only members can post to it.

Mung Your Address in Usenet Newsgroups

If you decide to subscribe to newsgroups, do not provide your real email address. Instead, provide a mung'd address. Mung is an acronym which means "mash until no good." The best way to mung your address is to add something after the @ sign in your account settings, then add instructions in the body of every email you send on how to de-mung your address. Don't do this when sending email to the Internet, only when posting to Usenet.

An example of munging is for, say, joe6pack@noname-isp.com to post as "joe6pack@noname-nospam-isp.com", then including the instruction, "I want no spam, so take out -nospam to reply," in the body of his posts. Spammers need to harvest such a large collection of addresses that they'll take the obviously fake addresses without instructions (or the time) to turn them back into valid addresses.

The best way is, if your email client will let you, make a new account in addition to your normail email account, specifically for newsgroups. Plug in your provider's newsgroup settings, but mung your address in the account settings. Make a signature for your newsgroup account that includes de-munging instructions, to save you the trouble of remembering to type it out manually with every post.

Don't mung the username part of your address (the part before the @ sign), because that will cause your ISP to be spammed with mail destined for an invalid account. It won't take much for your ISP to figure out that it's for you. If you mung your address, mung the domain part; spam destined for domains not even on the Internet will never make it past the spammer's ISP.

Never Post Your Address in Newsgroups

Whether you mung or not, never post your valid email address in the body or signature of a Usenet post. Newsgroup messages are archived by services such as DejaNews.com, and that includes any email addresses in the body of each post. Also, when replying to a post, mung or delete the addresses of everyone you're replying to in the body of the post. Leaving it as something like "At 12:18pm, joe6pack@noname-isp.com wrote:" is bad. Changing it to something like "At 12:18pm, joe6pack@n... wrote:" is fine. Changing it to something like "joe6pack at noname-isp dot com wrote:" is fine as well.

Get Disposable Email Addresses

If you have to provide an email address in a Web form, such as a request for a price quote or a "free" service that just needs "a little bit of information about you", don't use your main email address. Sign up for a free email address and use that instead. Don't worry if it starts getting spammed, then close it down or abandon it if the spam gets to be too much. Don't use your disposable addresses for important or long-term correspondence.

• TrashMail - Free Disposable Email Addresses to Stop Spam Mail
• MailMoat - Don't Use Your Real Email Address, Use a Disposable Email Address Instead
• Spam Gourmet - Disposable email addresses, spam filtering

Conclusion

With a bit of self-discipline, avoiding spam can become easier than fighting it. The important things are to control who gets your email address, and even if you must provide one, controlling which one is provided. Managing multiple email accounts is much easier than hunting through a single spam-laden account for a single vital message. Managing multiple accounts is even easier if at least one of those accounts is a disposable address.

What Didn't Work for Me

Even though I have been using computers since the mid-1970s and the Internet since the late-1980s, it wasn't until December 1997 that I got my first email address. It was with Hotmail.com, before Microsoft bought it. During that time, I got a little bit of spam, but not much. In the late spring of 1998, Microsoft bought Hotmail for integration into its own portal network, MSN.

By May 1998, Hotmail boasted of having more than 8 million subscribers, more than any other Web-based provider at the time.

After being placed under the Microsoft umbrella, my rate of spam grew exponentially. Even after adding spamfighting measures like sender blocking and a junk mail folder, the rate at which I received spam continued to increase. Nearly one third of the spam I was receiving came from email addresses that could not possibly exist on the Internet, addresses such as ".@.".

Hotmail made reporting spam even more difficult than other providers by requiring that spam be forwarded to abuse@hotmail.com with all headers intact, yet providing no means to forward email as attachments, and no means to forward any mail with complete headers intact.

I made the mistake of using the removal addresses in spam, with no effect except an increase in spam. At least one of the removal addresses pointed to an innocent third party's site, so I ended up flaming more than one company for spamming me when in fact they did not.

I also made the mistake of replying to the sender on occasion. Most of them either came back undeliverable or landed in an innocent party's inbox.

When the spam rate reached more than 100 new and unblocked spam per day, I asked Hotmail to close down and delete my account. I spent three months in the spring of 1999 begging, pleading, and demanding that Hotmail close down my account. They refused, citing their policy that my account would be automatically closed down after three months of inactivity. By the time I finally gave up and abandoned my Hotmail account, back when the worldwide spam volume was less than 1/3 what it is today, I was receiving nearly 1,000 new spam per day.

Just to be sure, I waited nine months before visiting Hotmail again, and I discovered that my account was still active. Microsoft had endured several highly embarassing Hotmail security breaches in '98 and '99, including one vulnerability that allowed anyone to read and use any Hotmail account without ever logging in, or even being a member.

From third person accounts, a few MSN and Hotmail users report not getting much spam, but the majority report that it still has inadequate spam protection. Your results may vary.

What Worked for Me

At the time I used Hotmail, I actively used addresses from download-based and other Web-based email providers, including Cable & Wireless, Yahoo, Net@ddress (now USA.Net), and EudoraMail. By the time spam started arriving in those other boxes, I had learned why my Hotmail experience had been such a dismal series of failures, and which failures were a direct result of my own actions.

By that time, the spring of 1999, I had learned and begun practicing all of the tips and tricks I advocate in this essay. Since doing that, I have kept my main address reasonably spam-free, receiving about one spam a week; and all of my other addresses, even disposable ones, don't get more than about five spam a day.

I have one address registered with the U.S Department of the Navy (a .navy.mil address) which I've been using for the last two years at my present duty station. I've never used it for anything but official Government business. Until last month (May 2003), I never got a single spam.

Today, I'm getting spam at even that address, but I know precisely how that address fell into the hands of spammers, and I'm cooperating with my chain of command on holding the guilty party accountable. I know how it happened precisely because I practice what this essay preaches.

What Will Work for You

Patience and self-discipline, basically. Whatever email program or provider you settle on, learn its spam-blocking and spam-fighting features inside out. And online or off, be extremely mindful of who you're giving your address to and why. And which address you give.

If you get spam and you want to track it down, be mindful of the environment you're reading it in. Make sure you have (or can get) all the information you need, without accidentally sending any information to the spammer. Do lots of research, and make absolutely certain you don't accuse an innocent party of spamming.

If you just want to control it and get it down to a manageable level, try as hard as you can to separate spam from legitimate email, or to separate your legitimate email from spam. Then nuke the spam without daring to open it.

Practice these tips, and you should see your spam count drop. The drop won't be instant, but you should see positive results soon.

June 14, 2003 (C) Don Thornton II. For Internet media, permission to link to this page or to include this page within a Web frame is granted. For non-Internet media (such as television, radio, and print), permission to reproduce this article's full textual contents, from the article title to and including this notice of copyright, is granted.

Except for the terms stated in this notice of copyright, all rights are reserved. The URL http://www.thornton2.com/comments/spam.php is the original Internet location for this article.