Avoiding Spam / Fighting Back

Spam is the name given to unsolicited e-mail advertisement.

Acquiring e-mail addresses --

• Spammers use software (viruses on your PC) to harvest e-mail addresses stored on your PC.
• Spammers use software to harvest your e-mail address from Web pages and from news groups in which you may participate.
• Spammers sell their spam lists to other spammers.
• Online businesses may sell spammers the e-mail address you provide when you purchase or correspond with these businesses.
• Spammers can guess the address and confirm the guess with a probe. A spammer can send an e-mail to common names at a domain. If the spammer’s probe e-mail isn’t rejected as undeliverable, the probe confirms the validity of the address. Our logs sometimes reveal thousands of probes for possible valid e-mail account names.
• Spammers have sometimes been able to hack ISPs' servers and harvest e-mail addresses directly from the server. ISP insiders, with access to the ISP's servers, may have sold an ISP's e-mail address list to a spammer.

Confirming the validity of e-mail addresses --

• Spammers use any response to a spam message (particularly requests to be removed from spam lists) to verify that the e-mail address is valid.
• This confirmation can also be accomplished by simply coding a unique identifier associated with the spammer's message into the request to load a graphic that may be embedded in the e-mail message; this method results in an automatic confirmation that not only was the e-mail address used valid, but the message was actually opened.
• If you click a link in a spam message, the request to load a Web page can contain the unique identifier; now you're confirming that the e-mail address is valid, that the message was opened and that you're interested in whatever the spammer is pedaling.

Distributing spam messages --

• Spammers rarely use their own e-mail servers to distribute spam, so spammers are difficult to track down.
• Some spammers hire other spammers to distribute their spam. Many of these services are offshore.
• The spammer may use an open relay e-mail server to distribute spam but open-relays are becoming rare. An e-mail server should restrict who can use the server for distributing e-mail. Nearly all do.
• The primary method for distributing spam is via zombie computers. There are viruses that can convert a PC into a zombie mail server. The zombie waits for the spammer's instructions and then distributes the spam for the spammer. Unless vigilant, the owner of the infected PC won't know that it's being used as a zombie e-mail server. Spammers utilize networks of zombies. This type of network is called a BOTNET

Several precautions can be taken to avoid entry of your e-mail address into spam lists.

Use a throw-away address when you give an e-mail address to people you don't know. If you have your own domain name, throw-away addresses can be established under the domain name. This address is typically set up as an alias for your actual e-mail address. E-mail sent to the alias will automatically redirect to your actual e-mail address. If you start receiving spam on the alias, simply delete it and establish a new alias. Optionally you can create an automatic response (an autoresponder) for the old alias that explains that the address is no longer in use and to either phone you or use the new address shown in the auto-response. Spammers rarely see the auto-response because the From: address in their spam message is rarely their e-mail address.

A throw-away address can be an actual e-mail account. Free addresses are available from HotMail, Google, Yahoo and several other free services that can be used as throw-away addresses. These webmail accounts are accessible from your Web browser and can sometimes be accessed directly from an e-mail client such as Microsoft Outlook or Outlook Express. If you start receiving spam at a throw-away address, then deactivate the address - throw it away. Multiple e-mail accounts can be established in both Outlook and Outlook Express, so you can use a throw-away address without having to delete your primary e-mail address.

Make sure your website developer does not code the string of characters that make up your e-mail address as consecutive characters anywhere in the website. Spammers harvest e-mail addresses from websites. The typical method is to use harvesting software that looks for an @ sign in the website source code and then uses the characters immediately before and after the @ to harvest the e-mail address. The website developer can avoid this problem by using a Web form to capture information that would alternatively be placed in an e-mail message or by using scripts to build the e-mail address from variables rather than simply coding the e-mail address as a consecutive string of characters in the source code. There are well meaning organizations that will create a website for you (e.g. chambers of commerce). These organizations will often hard-code your e-mail address into your "free" Web page and thus make it easily accessible to spammers' harvesting software.

Don’t use guessable e-mail addresses such as sales@mydomain.com, info@mydomain.com, bill@mydomain.com, etc.

Don't configure the default forwarding option for your domain to redirect otherwise undeliverable e-mail to a valid e-mail address.

Use a throw-away address when posting to news groups or WebBlogs. If you decide to use a permanent address in your post, then disguise the address: e.g. bobATmydomain.com rather than bob@mydomain.com.

Use an e-mail service that filters e-mail for spam.

Never go to a website specified in a spam message, because the e-mail address the spammer used to send you the message can be automatically verified when you click the link.

Report Spam. See www.spamcop.net. Spamcop and services like it will notify the spammer's ISP that spam messages have been received. Since spamming is contractually prohibited in nearly all ISP service agreements, the ISP will nearly always either convince the spammer to stop the practice or deactivate the spammer's service. An additional motivation for legitimate ISPs to aggressively suppress spam is to avoid being placed on a block list. If the spam originates from a rogue ISP (e.g. often overseas ISPs who's business is principally distribution of spam), reporting the spam can still be useful since the block list produced by Spamcop (and similar services) may be used by your ISP for filtering spam at your ISP's e-mail server.

You can file a spam complaint with the Federal Trade Commission or forward the spam message to SPAM@UCE.GOV.

If you are already receiving spam, then what?

If you've done everything you can to avoid spam and you're still getting an unacceptable volume of spam, then the only solution is to deactivate the e-mail address and then follow all the recomendations above when you start using the new address. The pain of changing e-mail addresses can sometimes be mitigated by setting up an autoresponder on the old address that explains how to get the new address.

Can government fix the e-mail spam problem?

12/16/03, President George W. Bush signed the CAN-SPAM bill. It went into effect January 1, 2004. To understand the bill go to http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus61.shtm. The bill prohibits spam that does not comply with this law and legitimizes spam that complies with the new law. It also trumps all State spam laws; spammers now have just one law to comply with instead of several.

The new Federal CAN-SPAM law both prohibits and allows spam, depending on the spam message. It is a corporate welfare law that allows companies to send you "legitimate" spam: basically any spam that truthfully identifies the spammer and offers an opt-out option. The aptly named CAN-SPAM bill ensures that all businesses now have the right to spam; they now CAN SPAM, provided, that they carefully comply with the law.

There could have been another approach. Congress could have outlawed e-mail spam in the same way they outlawed fax spam several years ago; see http://www4.law.cornell.edu/uscode/47/227.html. The fax spam law works, and that is the problem: it very effectively discourages businesses from sending unsolicited advertisement via your fax machine. Congress wanted to make certain that businesses - the ones that finance re-election campaigns - have access to your e-mail box. Therefore, Congress chose to regulate e-mail spam rather than prohibit it.

Other problems with CAN-SPAM:

• A law that legitimizes spam should require recipients to opt-in to the business's e-mail advertisement distribution list. CAN-SPAM doesn't.
• CAN-SPAM requires spammers to offer an opt-out link. Once spam victims become convinced that opt-out links are legitimate and start to routinely click the link, both legitimate and rogue spammers will have unambiguous confirmation that they've found a victim who actually reads their junk e-mail: a live one.
• Since the Federal Government is operating in the red and criminal investigation resources have been diverted to terrorism investigation, will the Feds have the resources to enforce CAN-SPAM? This potential problem would have been mitigated, if CAN-SPAM allowed lawsuits, which so effectively work to combat FAX spam and was the enforcement club in the California spam law trumped by CAN-SPAM.
• CAN-SPAM exempts politicians from the spam regulation imposed on the rest of us.
• Worst of all, CAN-SPAM authorizes establishment of a national Do Not Spam Registry. This registry has great potential to be the mother load of e-mail addresses for spammers, particularly offshore spammers. See June 15, 2004 FTC report regarding effectiveness of CAN-SPAM.
• Update -- Jan 17th, 2007: Mercury News in Los Angeles (www.mercurynew.com) reported "the first conviction" under the CAN-SPAM Act. Billions of spam messages are sent to Americans every day and the law has been in effect for several years. A Google search reveals a few other convictions, so Mercury News may not be entirely accurate. However, there have been very few convictions under this act.
• Update -- Feb 16th, 2009: Today's search for CAN SPAM convictions produced few results. The Feds are still dragging their feet, spam volume is still huge and constitutes about 85% of all e-mail (see Feb, 2009 Symantec State of Spam Report).

Is State government an answer?

State anti-spam laws were never very effective for two reasons. First, nearly all of them attempted to regulate spam rather than just prohibiting it. Second, they were unenforceable for spammers outside the state's legal jurisdiction.

An exception may have been a California law which also was scheduled to go into effect 1/1/04. The California law appeared to be modeled after the existing Federal fax spam law: it allowed Californians to sue companies referenced in spam messages. It would have been interesting to see if the new California law worked. But, since the Federal legislation trumps state law, all existing state spam laws have been invalidated.