Death to Spam is an objective overview of unsolicited e-mail and the techniques available to defend your IN box. Learn about tracing mail, message filters, legal issues and more.
PLEASE DON'T COPY THIS PAGE
The contents of this page are copyright © 1995 — 2014 Alchemy Mindworks. Some portions are copyright © 1995 — 2014 Steven William Rimmer. The copyright holders specifically prohibit reproduction, transmission, duplication or storage of this page or any portion thereof in any electronic or physical medium, under any circumstances. Reproducing all or part of this page against our express wishes may result in severe civil and criminal penalties. The lawyers made us say that.
Please contact us for reproduction rates if you'd like to reproduce all or part of this page on paper. If you like this page and wish to share it, you are welcome to link to it, with our thanks.
This page is an overview of the problem of unwanted, unsolicited e-mail, a persistent threat to the usefulness of the Internet — and a frequent reminder that we share this planet with people who are not the brightest bulbs on the tree. In most cases, spam will appear merely as unwanted commercial e-mail — junk e-mail advertising — albeit at times advertising some fairly distasteful products. Of late, a substantial volume of spam has proven to be considerably less innocuous — unsolicited e-mail frequently includes computer viruses, attempts to defraud its recipients, extreme pornography, bomb plans, offers to sell prescription drugs and other matters that were exclusively the stuff of really bad pulp novels until a few years ago.
Perhaps more objectionable than its content is the volume of spam. Finding several hundred messages from idiots in your IN box every morning is a problem, no matter what they're actually trying to sell you.
Death to Spam will help you better understand the sources of these messages, and what you can do to prevent further abuses of your e-mail. Wax dolls wearing tiny Gucci loafers and boxes of pins are available for a modest fee.
Lawyerspeak: Please note that I'm not a lawyer and none of the information at this page should be interpreted as legal counsel. You are responsible for ascertaining the legality of the issues discussed herein for the jurisdiction in which you live. By reading this page, you accept any consequences which arise out of your use of the advice you find herein. The real lawyers made me say that.
Overview and Introduction: To begin with, your e-mail is just that — yours. In most cases, it's a resource that you must pay for as part of the cost of connecting to the Internet. Reading and responding to your e-mail also represents an investment of your time, and as such has a value attached to it.
If someone sends you junk mail through your e-mail account, they're wasting your time and money. If you consider it abusive when a Jehovah's Witness wakes you up at nine o'clock on a Saturday morning to sell you a magazine, a telephone solicitor interrupts your dinner to interest you in investment opportunities in Guatemala or your daily snail-mail is buried in flyers for supermarkets you'll never shop at and health clubs you'll never sweat in, you have just as much right to feel abused when you receive e-mail you didn't request, never gave anyone permission to send you and don't want.
Receiving one or two such messages a day is annoying. Receiving hundreds of them is a genuine drain on your time and resources, and one you should not put up with. Unlike traditional junk snail-mail, it's not even good for use as kindling.
Despite the relatively unpoliced nature of the Internet, there are steps you can take to reduce the amount of unsolicited e-mail you receive. They're by no means completely effective — however, if you undertake them, you'll probably keep your junk e-mail down to a reasonable level of hugeness. If you don't, you'll eventually get swamped by it.
Your best defense against unwanted e-mail is an understanding of the people who send it, and of the nature of the parties who run the servers which make up the Internet.
Spam from Suits: One of the most prevalent sorts of junk e-mail is commercial advertising. A few years ago, most of it originated from spammers who were essentially ignorant of the prerogatives of users of the Internet — judging by the content of most of these messages, their perpetrators had all just signed up with an Internet access provider, and were given complimentary copies of one of the many "How to Make Lots of Money on the Internet" books. Some of them were genuinely inconsiderate of the rights of other users of the net — the bulk of them, however, were merely confused, deluded and ignorant.
These spammers still exist. While no one's really sure how many users access the Internet on a regular basis — numbers from several hundred million to well over a billion surface from time to time — there are certainly a hell of a lot of them. Would-be entrepreneurs, former pizza-delivery technicians turned prospective millionaires and commercial gods without portfolio are rarely able to resist the appeal of "reaching" them, no matter how badly none of them wish to be reached.
They seem to feel that junk e-mail is no more objectionable than junk snail-mail, and that the recipients of it will just delete it if they don't want it. Keep in mind that these are people who read "How to Make Lots of Money on the Internet" and actually believed it.
Spam from Grunts: It must be said that the foregoing marginal — if misguided — businesspeople have largely been supplanted in the hearts, minds and spam filters of the 'net by spammers several levels lower in the food chain. A huge volume of spam is generated by idiots hoping against hope to find "customers" with fewer working brain cells than they have. The odds against this happening make even state-run lotteries look promising by comparison — but spam is essentially free to send, and it's a safe bet that none of these guys can deal with large numbers.
These are the spammers who advertise magic penis enlargement pills; totally legal, entirely free pay TV; get rich quick schemes that can earn their participants billions of dollars before tea time; infallible plans to attract women, men, sheep and erotic vegetables; and prescription drugs for the price of a bag of licorice all-sorts. No one in his right mind could take these clowns seriously, but they no doubt figure that if they send out a few hundred million messages, they'll eventually luck onto someone who isn't.
Spam from Viruses: The third common manifestation of unsolicited e-mail is that which is generated by viruses attempting to propagate themselves across the Internet. Depending upon the intent of the author of a virus, having your computer infected with one might entail it becoming the source of a great deal more virus-laden e-mail, sent to every e-mail address stored on your system — this is not likely to endear you to your friends, colleagues and business contacts. Viruses can also attempt to compromise your personal information to third parties — several of them have appeared of late to steal credit card information. There have been a number of viruses which have been designed to turn the systems they infect into "zombies," to be controlled by the virus authors, typically to send out more spam. A few viruses have been the work of malicious vandals who just want to nuke the machines they infect.
As an aside, one of the lesser problems with computer viruses is that many of the parties who write them aren't nearly as good at the craft of writing programs as they imagine themselves to be. Viruses which weren't designed to be destructive often turn out to be so anyway.
Never open attachments to e-mail unless you're really certain you know who it comes from. Especially nasty are attachments with the extension .EXE, .COM, .PIF, .BAT and .SCR. Use a virus checker to scan your hard drive at frequent intervals, and keep its virus database up to date.
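A mail filter can apply the extension rule above automatically. This is an added example, not code from the original page: it parses a raw message with Python's standard email package and reports attachments whose final extension is on the list above. The sample message, addresses and filenames are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# The extensions the article names as especially dangerous.
RISKY_EXTENSIONS = {".exe", ".com", ".pif", ".bat", ".scr"}


def risky_attachments(raw_message: bytes) -> list:
    """Return the filenames of attachments whose final extension is risky."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():  # walk() also descends into nested MIME parts
        filename = part.get_filename()
        if not filename:
            continue
        # Windows ignores trailing dots and spaces, and extensions are
        # case-insensitive, so normalise before comparing.
        name = filename.rstrip(". ").lower()
        dot = name.rfind(".")
        # Only the LAST extension decides what runs: "holiday.jpg.scr"
        # is a screen-saver executable, not a picture.
        if dot != -1 and name[dot:] in RISKY_EXTENSIONS:
            flagged.append(filename)
    return flagged


def build_sample() -> bytes:
    """Constructed sample message (not real mail) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.org"
    msg["Subject"] = "Holiday photos"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="holiday.jpg.scr")
    msg.add_attachment(b"%PDF-", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"@echo off", maintype="application",
                       subtype="octet-stream", filename="SETUP.BAT")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in risky_attachments(build_sample()):
        print("do not open:", name)
```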
It's usually not that difficult to determine whether your spam has been sent by a live human being with a personality disorder or a virus. For one thing, new viruses make CNN on a regular basis. They invariably include executable attachments, and you'll usually receive a lot of identical or similar e-mail when a new one pops up. If you receive spam from a virus, don't respond to it as you would spam from suits, to be discussed below. The owner of the machine that sent it to you is having the mother of all bad hair days trying to clean up the virus — there's no need to make it any worse.
There's another nasty trick spammers use to attack innocent users of the Internet. It involves sending out bogus spam which appears to be an advertisement for the innocent third party being attacked. Having been spammed, millions of recipients will vent their wrath on the apparent author of the spam. If you think you're receiving spam from suits, it's a good idea to check the message header — as discussed later in this article — before you retaliate.
Don't Stay Home Without It: While there are a number of things you can do with spammers, actually doing business with one should never be an option. As a rule, legitimate businesses do not advertise their products through unsolicited e-mail. Aside from demonstrating their contempt for your priorities by sending you spam, ostensible businesses which do so should be assumed to be untrustworthy. Unless you routinely upload your credit card information to newsgroups just to see how many unauthorized transactions can fit on a single Amex statement, you should never enter into any type of transaction with the author of spam e-mail.
This is especially true for any spam that involves medication. While prescription drugs are often unreasonably expensive, buying them from someone who could very well be mixing them up in his kitchen is hardly an intelligent substitute. Prescription drugs are prescribed by physicians rather than sold in a 7-11 because doctors know which ones will make you healthy and which ones will make your nose fall off. Kids who serve Slushies for minimum wage have not received equivalent medical training.
Here's another bit of interaction with spammers you'll want to avoid. Some spam messages include ostensible opt-out functions — links you can click on to remove yourself from the list that sent you the spam in question. Don't use these removal functions — in most cases, what they're really there for is to verify that your e-mail address is valid and its mail is being read by a live human being. Using a spam removal function will typically guarantee that you'll receive a lot more spam.
A Few Good Frauds: Every year, people lose millions of dollars to Internet frauds — at least, the ones who make the news do. I suspect there are a whole lot more of them who are too embarrassed to admit to being deceived by these scams.
You can avoid being defrauded by the operators of these things by keeping your credit card in your pocket and your check book in another room. If it looks too good to be true, it almost certainly is.
While innovative new frauds turn up from time to time, many of the ones that are common on the Internet originated long before there was anything to click on or spider to. The details will vary, but here are a few of the popular schemes to separate the unwary from their cash.
Investment Clubs, Pyramid Schemes and Ponzi Games: Charles Ponzi was an Italian immigrant living in Boston. At the beginning of the twentieth century, European immigrants living in the United States frequently wished to send letters back to their families in the old world. Postage to the United States was prohibitively expensive back home, and as such, they included postage reply coupons with their letters so their relatives could write back. A postage reply coupon was exchangeable for enough stamps to mail an international letter from any post office in Europe, no matter what the stamps actually cost. During the 1920s, Ponzi observed that these coupons could be sold for more in Europe than they cost in the United States, and he offered to double the money of his investors using a plan to manipulate the postage reply coupon market.
Yes, this does sound fairly preposterous now, but a huge number of ostensibly intelligent people bought into Ponzi's investment scheme at the time. What he actually did was use the money his recent investors put into his scheme to pay off the ones whose investments had come due. After a while, the number of new investors couldn't keep up with the demands of the mature investors, and the scheme collapsed. About 40,000 people invested over fifteen million dollars with Ponzi — that would be on the order of 140 million dollars today. If he'd actually been buying postage reply coupons with all that money, he'd have been sitting on about 180 million of them. In fact, as nearly as anyone could tell, he'd bought a total of two coupons.
Charles Ponzi was sentenced to five years in prison.
There are a lot of latter-day Ponzi games on the Internet. They typically promise returns substantially higher than anything a bank, mutual fund or other conventional investment could possibly offer you. Some of them claim to be risk free, or secured in some form. Keep in mind that in the unlikely event that such assurances aren't comprised entirely of smoke, you still won't be able to get your money back if the author of the scheme has disappeared, or has no money.
It's probably worth keeping in mind that not all contemporary Ponzi games are illegal — government pensions work in pretty much the same way.
The Nigerian Bank Scam: Not all Nigerian bank scams involve either Nigeria or actual banks, but the structure is fairly consistent. If you find yourself to be the target of one of these things, you'll receive an e-mail message — usually all in capital letters, for some reason — from someone purporting to be a government official, or a relative of the local dictator, a dishonest civil servant... or in some cases a bank official. The message will swear you to secrecy, and tell you that there's a stash of money in a private account somewhere. In some cases, you might actually be entitled to it for some obscure reason — most of these messages just trust you'll get greedy when you see all those zeros. The message will tell you that the money's yours, but you'll need to cough up a finder's fee, settle a few outstanding debts against the money's former owner, bribe the dictator's brother-in-law or otherwise grease the wheels of the machine.
In the event that you actually cut one of these people a check, you'll probably never hear from them again. In some cases, they'll get back to you asking for more money for unforeseen expenses.
In another variation on this scheme, the message will tell you that the money's all yours — all you need to do is provide its sender with your bank account number and other details to facilitate the transfer of funds. Keep in mind that this will be enough information to permit the operator of the scam to empty your bank account.
The Nigerian bank scam always takes place somewhere far away and reasonably hostile, so you'll never be likely to go there. It's so common that the American State Department maintains a travel advisory warning as of this writing specifically for people who want to visit Nigeria in the hope of getting their money back.
In February 2003, Michael Lekara Wayid, the Nigerian consul in the Czech Republic, was shot by an elderly Czech citizen at the Nigerian embassy in Prague. His killer had been defrauded of his life's savings by someone operating a Nigerian bank scam, and believing himself to have been deceived by a genuine Nigerian bank, he'd gone to the embassy to demand his money back.
Credit Cards for People with Bad Credit: Most banks won't issue conventional credit cards to people with questionable credit histories — arguably with good reason. If you have credit problems, you can probably get a secured card from your bank — you'll need to leave money on deposit with the bank which can be used to cover the charges to your card if you're unable to pay your monthly bill. Spam which offers to provide you with a credit card when your bank won't typically involves neither a "real" credit card nor a secured card. You'll likely be asked to provide cash up front either for processing fees or to secure your credit card. In most cases, you'll receive nothing at all, or you'll get a card that can only be used to purchase items from a single catalog of overpriced items.
An illegitimate sibling of credit card scams, magic credit repair spam typically offers to clean up your credit report in the wake of unpaid bills and large-scale financial difficulties. If you have a bad credit history and the information in your credit report is essentially accurate, you're stuck with it. No one can make it go away — managing your finances responsibly will eventually improve your credit report. Spam which advertises to erase your bad credit history for a fee is flat-out lying.
Multi-level Marketing: In its simplest sense, multi-level marketing works by finding stupid people with even stupider friends. It's a pyramid scheme in reverse. At the top of the pyramid, the operator of the scheme will sell large quantities of stuff to the scheme's distributors — that would typically be you — who will in turn mark the stuff up and resell it to multiple friends, colleagues, family members and other suckers.
In other variations on this practice, you might be persuaded to distribute the stuff through local stores, which will pay you a commission on the products they sell for you — in your dreams.
As the distributor in a multi-level marketing scheme, you would be expected to buy a whole lot of stuff, paying for it up front. Having parted with your cash, the operator of the scheme will almost certainly disappear. At the very least, he'll suddenly develop an inexhaustible supply of reasons why your money can't be refunded when you discover that no one wants the stuff you're selling.
Businesses — home-based or otherwise — take a lot of work to set up and run, and no one can magic one into existence for you. If the stuff being offered by the operators of MLM schemes was as hot as they'd like you to believe, they'd sell it themselves and keep all the profits.
If there isn't a spam-based fraud that says "make millions -- send me $29.95 for my book entitled Make Millions by Getting People to Send you $29.95 for a Book," there no doubt will be one shortly.
Internet frauds are based on offers intended to cause the latent greed of their recipients to overwhelm their intelligence. There really is no such thing as a free lunch, and you can easily spot the perpetrators of frauds as parties attempting to convince you otherwise.
Addressing your spam effectively involves appreciating what you're actually receiving, and dealing with it accordingly. In some cases you can get back to the sources of spam and either convince its authors to get a life, or talk their Internet providers into taking away their bandwidth privileges. This typically works with commercial spam — spam from suits. It's substantially less effective with spam from other sources — we'll get to this presently.
It's important to have a clear understanding of the nature of the spam you're receiving when you choose a spam defense strategy. There's not a whole lot of point in attempting to contact the authors of Viagra ads or deliberate financial frauds and informing them that you're not pleased with their business ethics. For one thing, they're probably better at hiding than you are at finding them, and your messages are unlikely to reach them. Secondly, they know what they are.
This is doubly true for spam generated by innocent systems which have become infected by viruses. Giving the service provider of an infected machine a hard time will do little more than make life still more miserable for the unfortunate soul who's just discovered his hard drive is toast.
These latter two species of unsolicited e-mail are more effectively nuked with a mail filter, to be discussed later in this article.
Stopping genuine commercial spam often entails showing its senders the error of their ways, that is, convincing them that rather than locating new customers through their abuse of the Internet, they're succeeding in enraging and alienating vast numbers of users, who will subsequently want nothing to do with them. Even polyester androids who drool visibly every time they pass a corner office won't persist in an activity which is clearly driving away their would-be clients.
When you receive unsolicited commercial e-mail, reply to it with a message which states unequivocally that you're not amused. Don't use profanity or speculate on the sexual preferences of the sender's parents, however tempting it may be to do so. You want to sound like a serious potential customer who has just been put off by the business practices of the party in question.
Here's the message we use:
Our private e-mail facilities are not your advertising medium. People who use them as such abuse our resources and waste our time, which are extremely valuable. We have entered your e-mail address and company name in our corporate blacklist database. We will not do business with you now, nor will we consider other requests from you in the future. Remove this e-mail address from your junk mail list immediately and do not contact us again in the future.
It's always sent unsigned, and with no signature tag.
You might find that this message bounces off the destination server because the recipient's mail box is full. Typically, your message will have been preceded by several hundred thousand others just like it. Wait for a day or two and send it again.
Locating the Real Spammer: More experienced junk e-mail generators use dummy return addresses to bounce replies like the one above — their real address will be somewhere within the body of the message. This assumes that if you have no interest in buying mail-order mutual funds or subscribing to a newsletter about aerobic bread making, you won't read the whole message and find the real e-mail address. If your original reply bounces because its recipient doesn't exist, check out the source message for the real address.
If you receive spam e-mail which references a web page, you can find the real address of the owner of the server which hosts the web page, and direct your comments to him or her. The InterNIC domain name registry can be searched to locate the owner of a commercial domain, that is, one that ends in .com, .org, .net, .biz and so on. To have it successfully search for a domain, you must provide it with the domain name only. For example, if you find a web page at http://www.megaspam.com, the bit that the search engine wants to know about is just megaspam.com.
For national top-level domains — those ending in two-letter suffixes, such as .ca — see the list of top-level registries.
In many cases, this procedure will work to locate the owners of e-mail addresses too — the domain is the bit that appears after the @ sign in an e-mail address. Specifically, it's the last two sections of an e-mail address. If you receive spam from email@example.com, the domain is megaspam.com.
This can be a very effective tool in reducing the volume of commercial spam you receive. While the party that spams you might choose to ignore your replies, the owner of the domain from which it originated or the administrative or billing contacts who sponsored the domain will be much less likely to do so. Most domain owners don't want their domains used for sending spam, and those with an initially more tolerant attitude about spam will often change their minds when they're confronted by numerous messages urging them to do so. It often takes no more than a few tens of thousands of outraged e-mail messages to achieve this.
It's easy to make yours one of them. To use this feature, bookmark the foregoing link. When you receive commercial spam, go to the InterNIC page, enter the domain the spam came from, hit Enter and CC your message to the e-mail addresses listed by the InterNIC response.
If the InterNIC search engine doesn't find a listing for what appears to be a valid domain, you have probably received spam with a bogus source. Some spam generators don't exactly want to be held accountable for their work. Color me shocked.
If you find yourself being spammed from a domain with a national top-level domain — a two-letter suffix which indicates a specific country — you'll probably have to do some digging at the top-level registries list, above, to find its owner.
Finding Upstream Providers: You can usually defeat the attempts of spam generators to hide in the endless forest of the Internet by finding out where their mail comes from. While this might not get you a valid e-mail address to contact the spam generators in question directly, it will put you in touch with their upstream providers, the companies which sell them Internet access. In many respects this is more useful still. Most upstream providers will not appreciate getting buckets of e-mail about the poor behavior of their customers.
Note that your computer must be on line to the Internet to use the following.
If you have Windows, there's a very useful gadget included with your operating system software called TraceRoute. Given a domain name or an IP address, it will walk the 'net from your server to the server you've specified, showing you all the "hops" along the way. The last hop will be the domain or IP address of the source of the spam you received. The next to last hop will be the domain of the upstream provider of the owner of the domain you specified.
As an aside, an IP address is the four groups of numbers which actually define where a server is on the Internet. The IP address for this server, for example, is 184.108.40.206. Many spam generators seek to provide the recipients of their messages with a web page address that does not disclose the domain to which reply e-mail can be sent by using their IP addresses. For example, the main Alchemy Mindworks web page can be addressed as http://220.127.116.11 rather than http://www.mindworkshop.com — but you can't send e-mail to 18.104.22.168. If you don't know how to work around this, it might look like the spam generators have successfully disguised themselves.
The TraceRoute function included with Windows is a DOS command — you must get to a DOS prompt to use it. Type TRACERT followed by the domain name or IP address you'd like to find and hit Enter.
If you don't have a Windows system — or if you're of the opinion that the DOS prompt is a tool of unclean spirits — you can use one of the many on-line TraceRoute functions. These TraceRoutes work the same way the command included with Windows does — enter the domain name or IP address into the field provided and hit Enter. They will actually trace from the host server you've selected to the domain you've entered, but this doesn't really matter, as it's the other end of the trace you'll be interested in.
Here's an example of TraceRoute at work. In this example I've had TraceRoute look for the path to yahoo.com, decidedly not a spam generator.
Tracing route to yahoo.com [22.214.171.124]
over a maximum of 30 hops:
1 151 ms 161 ms 162 ms iah14.barrie.connex.net [126.96.36.199]
2 164 ms 159 ms 163 ms bcicor1-100bt-e1.barrie.connex.net [188.8.131.52]
3 270 ms 327 ms 234 ms spc-tor-7-Serial3-1.Sprint-Canada.Net [184.108.40.206]
4 261 ms 260 ms * core-spc-tor-2-POS2-0-0.sprint-canada.net [220.127.116.11]
5 * 180 ms 179 ms sl-gw21-pen-1-1-0-T3.sprintlink.net [18.104.22.168]
6 177 ms 189 ms 195 ms sl-bb10-pen-5-2.sprintlink.net [22.214.171.124]
7 231 ms 245 ms 233 ms sl-bb22-stk-6-0.sprintlink.net [126.96.36.199]
8 230 ms 232 ms 259 ms sl-bb21-stk-9-0.sprintlink.net [188.8.131.52]
9 258 ms 234 ms 244 ms sl-bb21-stk-0-3.sprintlink.net [184.108.40.206]
10 291 ms 287 ms 320 ms isi-border2-hssi4-0-0-T3.sprintlink.net [220.127.116.11]
11 325 ms 294 ms 326 ms fe4-0.cr1.SNV.globalcenter.net [18.104.22.168]
12 288 ms 266 ms 307 ms pos0-0.wr1.SNV.globalcenter.net [22.214.171.124]
13 305 ms 305 ms 262 ms pos1-0-OC12.wr1.NUQ.globalcenter.net [126.96.36.199]
14 310 ms 320 ms 306 ms pos5-0.cr1.NUQ.globalcenter.net [188.8.131.52]
15 310 ms 295 ms 311 ms yahoo.com [184.108.40.206]
If I wished to get in touch with the upstream provider for yahoo.com, I could send e-mail to firstname.lastname@example.org. Unlike return addresses, the route a message takes over the Internet cannot be faked by a spam generator. They can run... and slither, crawl, ooze and burrow... but they cannot hide.
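The same reading of a trace can be automated when you have many to check. This is an added example, not code from the original page: it parses Windows TRACERT output and reports the domain of the hop just upstream of the destination, reducing each host name to its last two sections as described earlier for e-mail addresses. It goes slightly beyond the text by skipping timed-out hops, hops with no name and hops inside the destination's own domain; the sample trace, host names and addresses are constructed.

```python
import re
from typing import NamedTuple, Optional


class Hop(NamedTuple):
    number: int
    host: Optional[str]  # reverse-DNS name, None when the router has none
    ip: Optional[str]    # None when the hop timed out


# A hop line: hop number, three timings ("12 ms", "<1 ms" or "*"), the rest.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(.+?)\s*$")
NAMED = re.compile(r"^(\S+) \[([0-9.]+)\]$")
BARE_IP = re.compile(r"^[0-9.]+$")


def parse_tracert(text: str) -> list:
    """Turn TRACERT output into a list of Hop records."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # banner, blank line or "Trace complete."
        number, rest = int(m.group(1)), m.group(2)
        named = NAMED.match(rest)
        if named:
            hops.append(Hop(number, named.group(1).lower(), named.group(2)))
        elif BARE_IP.match(rest):
            hops.append(Hop(number, None, rest))
        else:  # "Request timed out."
            hops.append(Hop(number, None, None))
    return hops


def owner_domain(host: str) -> str:
    """The article's rule: the last two sections of the name.

    Names under national registries that add an extra level need
    three sections; this sketch does not handle them.
    """
    return ".".join(host.rstrip(".").split(".")[-2:])


def upstream_provider(hops: list) -> Optional[str]:
    """Domain of the nearest named hop before the destination that
    belongs to a different domain than the destination itself."""
    if not hops:
        return None
    dest = hops[-1]
    dest_domain = owner_domain(dest.host) if dest.host else None
    for hop in reversed(hops[:-1]):
        if hop.host and owner_domain(hop.host) != dest_domain:
            return owner_domain(hop.host)
    return None


# Constructed sample output (documentation addresses, made-up names).
SAMPLE_TRACE = """\
Tracing route to www.megaspam.example [203.0.113.25]
over a maximum of 30 hops:

  1    12 ms    11 ms    12 ms  gw.homeisp.example [192.0.2.1]
  2    14 ms    15 ms     *     core1.homeisp.example [192.0.2.9]
  3    40 ms    41 ms    39 ms  border3.bigtransit.example [198.51.100.33]
  4    55 ms    54 ms    56 ms  cust-gw.hostco.example [198.51.100.77]
  5     *        *        *     Request timed out.
  6    60 ms    61 ms    59 ms  203.0.113.1
  7    62 ms    63 ms    61 ms  www.megaspam.example [203.0.113.25]

Trace complete.
"""

if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACE)
    print("destination:", owner_domain(hops[-1].host))
    print("upstream provider:", upstream_provider(hops))
```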
Decoding Obfuscated URLs: Some spam generators like to express their URLs as somewhat impenetrable-looking numbers, such as http://3637542882. This looks a bit daunting, as it's not a domain and it's not an IP address. At least, it doesn't seem to be one.
In fact, those long numbers are IP addresses — they're just expressed in a way intended to make them hard to work with. You can create one by treating the four sections of an IP address as four distinct numbers. The IP address for the Alchemy Mindworks web server, for example, is 220.127.116.11. Here's how to convert this address into a quasi-meaningless string of numbers:
This probably looks like the sort of light party conversation that gets tossed about when retired high school mathematics teachers get together for an evening. In fact, it makes sense to a web server. The first of the four numbers of an IP address is multiplied by 2^24. The second is multiplied by 2^16. The third is multiplied by 2^8. The last is multiplied by 2^0, which is one. The resulting four numbers are added together.
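The arithmetic above, and its reverse, as an added example that is not part of the original page. It turns a numeric host in a URL back into an ordinary dotted IP address, and goes beyond the single decimal number in the text by also accepting the hexadecimal and octal spellings that browsers treat as IP addresses. The function names are hypothetical; the decimal number is the one quoted above.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# One section of a numeric host: decimal, octal (leading 0) or hex (0x...).
PART = re.compile(r"^(?:0[xX][0-9a-fA-F]*|[0-9]+)$")


def ip_to_number(ip: str) -> int:
    """Forward direction, exactly as the text describes it."""
    a, b, c, d = (int(p) for p in ip.split("."))
    return a * 2**24 + b * 2**16 + c * 2**8 + d * 2**0


def _parse_part(part: str) -> int:
    if not PART.match(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)  # raises ValueError on digits 8 and 9
    return int(part, 10)


def host_to_dotted_quad(host: str) -> Optional[str]:
    """Return the dotted address a numeric host stands for, else None.

    One to four sections are allowed; the last section fills whatever
    bytes the earlier ones leave over, so "3637542882" is a complete
    four-byte address on its own.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        numbers = [_parse_part(p) for p in parts]
    except ValueError:
        return None  # an ordinary host name, not a disguised address
    *leading, last = numbers
    if any(n > 255 for n in leading) or last >= 256 ** (4 - len(leading)):
        return None
    value = last
    for i, n in enumerate(leading):
        value += n << (8 * (3 - i))
    # Undo the multiplication: peel off one byte per section.
    return ".".join(str((value >> shift) & 255) for shift in (24, 16, 8, 0))


def real_host(url: str) -> Optional[str]:
    """Host of a URL, with any numeric disguise removed."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    return host_to_dotted_quad(host) or host


if __name__ == "__main__":
    for url in ("http://3637542882",           # decimal, from the text
                "http://0xD8D07FE2/offer",     # same address in hex
                "http://0330.0320.0177.0342/", # same address in octal
                "http://www.megaspam.com/"):   # ordinary name, unchanged
        print(url, "->", real_host(url))
```

The dotted address it prints can be given to TraceRoute in place of the long number.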
There's a complete discussion of dealing with obfuscated URLs at PC-Help.
Having ascertained the real IP address for a spam generator's ostensibly hidden URL, you can use TraceRoute to get in touch with the upstream provider of the server that's hosting its page.
Reach Out and Touch a Spammer: One of the most convincing bits of evidence that the originators of most junk e-mail know little about the Internet is the frequency of their messages containing toll-free numbers to call for more information about whatever they're hawking. Note that in addition to 1-800 numbers, 888, 877, 866, 855, 844, 833 and 822 numbers are also toll free, a recent innovation of the phone company as the supply of 800 numbers began to diminish. A toll-free number is just like a regular number, except that the owner of the number will pay for all calls to it, rather than the originators of the calls. Every time you call a toll-free number, the owner of the number will get billed.
This is an opportunity to demonstrate in concrete, bottom-line terms that junk e-mail is wasting your valuable resources. Call the toll-free numbers in these messages. Call them after hours so you can leave voice-mail messages for the people who sent you the unwanted e-mail. Again, be polite and businesslike. Tell them that you didn't appreciate having your e-mail resources abused. Ramble on for as long as possible. Read a poem. Put the telephone down in front of your stereo and leave it there for a while. Let your kids play with it for a few minutes. Explain why the air to fuel mixture of the carburetor used in a 1958 Edsel is so critical, and how your brother-in-law can adjust one with a can opener. Recite the value of PI to eleven hundred decimal places. Make it a very expensive call.
I should point out that in some jurisdictions, it's illegal to make multiple calls to a toll-free number, and most 800-number providers will include the phone numbers used to place calls to the 800 numbers they manage in their billing statements. It's also arguably a point of questionable ethics to behave no better than spam generators. One really verbose call will probably do it — there will no doubt be many other callers waiting their turn.
In many cases, the toll-free numbers in spam merely connect to canned messages, which hang up when they're done. In this case, pressing zero on a touch-tone phone will typically interrupt the message and get you to a voice mail recorder.
Under United States telecommunications law, it's technically illegal to send someone unsolicited advertising over any common carrier telephone, or telephone data device, such as a FAX machine. A computer connected to a modem and a printer can serve as a FAX machine, and can be regarded as a FAX machine if you stretch the point. As such, if you're in the United States, you might want to add this to your message:
Your message is in violation of the Federal Telephone Consumer Protection Act of 1991, and Collateral Code of Federal Regulations (47 CFR 64.1200). The TCPA allows a private right of action against the sender of unsolicited advertising. The recipient can sue for $500, or actual damages (whichever is greater).
There's more information about this statute at the Legal Information Institute.
Freedom of Expression Issues: Many spam generators will claim that their activities are protected under the first amendment of the United States constitution — assuming you can track 'em down and get them to claim anything at all. It might well be argued that few if any of them have actually read the United States constitution. While this is probably another matter that would require a lot of lawyers and no small amount of court time to resolve absolutely, you can make up your own mind. Here's what the first amendment actually says:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
As spam exists very much in a legal vacuum at the moment, it could be said that as august as this declaration is, it does not bear upon the issue of unsolicited e-mail. In any case, your attempting to prevent other parties from spamming you does not constitute congress making a law, and as such is not addressed in the first amendment.
Most national constitutions which seek to codify the protection of freedom of expression make this important distinction — lawful individuals have the freedom to express themselves, but not to coerce or compel others to listen to them while they're doing it. Here are the opinions of several American jurists on the subject:
US Federal Judge Stanley Sporkin: "[The spammers] have come to court not because their freedom of speech is threatened but because their profits are; to dress up their complaints in First Amendment garb demeans the principles for which the First Amendment stands."
Chief Justice Burger, U.S. Supreme Court: "Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit. We categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another. If this prohibition operates to impede the flow of even valid ideas, the answer is that no one has a right to press even 'good' ideas on an unwilling recipient. The asserted right of a mailer, we repeat, stops at the outer boundary of every person's domain."
The Internet is a network of networks. It's comprised of thousands of servers all over the world. Every e-mail account is hosted by one of these servers. Most large companies have dedicated servers of their own, but these companies also typically have system administrators to enforce reasonable behavior on the net — you're unlikely to have your e-mail spammed by General Motors or IBM. For the most part, commercial junk e-mail originates with the servers of commercial Internet providers.
Commercial Internet providers typically have enough of a sense of Internet propriety not to condone this sort of thing if they know about it. As such, the second step in preventing the abuse of your e-mail resources is to complain to the owner of the server from which the offending commercial spam originated. This is usually easy to do, because Internet providers typically set up accounts on their servers called root and postmaster. Of late, many of the larger Internet providers have also created accounts called abuse to receive mail specifically dealing with abuses of the net by their users.
If you receive junk e-mail from someone called email@example.com, you can send a message to the system administrator for the server in question at firstname.lastname@example.org.
You might want to include some common account names when you reply to spam in this way. These are good choices:
Once again, it's important to be polite and businesslike when contacting the system administrator of a server. Chances are they don't know about the abuse being conducted over their server. Here's the message we use in this case:
The above user has been sending unwanted and unsolicited e-mail to this address. We would like to request that you instruct this person to delete our e-mail address from his or her junk-mail list immediately, and to never contact us again for any reason.
Our private e-mail facilities are not an advertising medium. People who use them as such abuse our resources and waste our time.
Append the original unsolicited message to your message to the system administrator, including all its headers.
Keep in mind that most e-mail readers suppress part of the block of headers which accompanies each message. These headers, while of little interest if you just want to read your mail, will identify the real author of spam e-mail even if said author is not sufficiently proud of his or her work to use a genuine return address. Always reveal these headers when you're dealing with spam, and especially if you're contacting the owner of the server from which it originated. The function for revealing the complete header block of a message varies among e-mail reader packages — if you're using the Eudora software, it's handled by an otherwise mysterious button at the left side of the tool bar labeled "BLAH BLAH BLAH."
Some commercial Internet providers are more responsive about spam issues than others.
Free e-mail providers will allow you to set up an e-mail address from which you can send and receive e-mail without having to use a dedicated mail reader application. You can do so with complete anonymity if you like — while most of these services include dire and fairly impenetrable terms of service documents by which they require that you swear by whichever deity works for you that you'll tell them who you are without fibbing, they have no way of checking the information you provide them.
If you've had any experience with unsolicited e-mail, you'll probably be familiar with these services. Spam generators often use them as bogus return addresses for their messages.
There are several serious limitations in using free e-mail accounts on a long-term basis, especially if you really object to receiving unsolicited advertising. Specifically:
- They have rudimentary filtering facilities at best — filtering will be discussed in detail in a moment.
- There's fairly compelling evidence that some of them actually sell their user lists to spammers. Not wishing to find myself being chased across the steppes of Siberia by a pack of rabid lawyers, I don't propose to suggest which specific free e-mail providers seem to do this.
To expand on the foregoing, many free e-mail providers offer what they describe as "spam filters" or "spam blockers." It's unclear in most cases what these actually do, and most of the ones I've experimented with didn't do what they did very consistently. They also don't provide a fraction of the filtering functionality of a stand-alone mail reader. You can't devise much of a strategy for identifying spammers with them.
If you have some time to kill — and if you'd like to test the integrity of a prospective free e-mail provider — try setting up a new e-mail account and tell absolutely no one about it. Use a long, convoluted account name so there's no likelihood of your account name having been used previously by someone else, who might have caused it to appear in spam mailing lists. Leave the account idle for a few weeks and then check its IN box. Don't be surprised if you find that your secret e-mail account isn't much of a secret.
Here's what one of the accounts I set up accumulated in a week. For legal reasons, I've modified this listing so the free e-mail provider in question is not identifiable. I've also omitted about a dozen offers of cybersex, on-line adult entertainment and other diversions in questionable taste.
| From | Subject |
|---|---|
| email@example.com... | bogusbob616162 Reverse Aging & Lose Weight Fas... |
| investigate@stmxway.... | bogusbob616162 Find Virtually Anything on Anyo... |
| Member Services... | Fight spam with Spam Blocker |
| Fast Diets | NEW! Lose 10-12 Pounds in 2 DAYS! GUARANTEED! |
| info@home-loan-quote... | bogusbob616162- Attention Home Owner |
| SuperNews@zoneblast.... | SuperCharge Your Sex Life bogusbob616162! |
| firstname.lastname@example.org | Quick & EZ Debt Consolidation! bogusbob616162 |
| email@example.com... | Home Loans... Quick Quotes... Fast Approvals!... |
| info@fast-quotes-dir... | bogusbob616162- Save Up To 70% On Life Insuranc... |
| info@debt-consolidat... | bogusbob616162- Debt Consolidation (100% Confid... |
| improvements@homefire... | bogusbob616162 Thinking about doing some home ... |
| Summer Dieting | NOW! Lose 10-12 Pounds in 2 DAYS! GUARANTEED! |
| hold systems | Turn your phone into a powerful marketing too... |
| do_not_reply187363@... | Lenders compete, you win!!! RE-REFINANCE AND ... |
| Boox on CD... | 3000+ BOOKS ON CD-ROM - IT WILL READ TO YOU |
Free e-mail accounts are to a large extent worth what they cost. Unless you have a high degree of tolerance for unsolicited advertising or you don't mind changing accounts periodically when the spam they attract gets unmanageable, you should give serious thought to using a real account with a real mail reader.
Regrettably, some spam just won't go away voluntarily. There are spam generators who feel that flooding the IN boxes of the known universe with advertisements for the unthinkable, unnamable and unwanted is an inalienable right, or something they're just entitled to get away with. Perhaps more to the point, there are spammers who take a long, long time to appreciate that no one is buying their stuff, even though they blast out tens of millions of e-mail messages a week.
Finally, there are spam advertisers who have gone to considerable lengths to defend themselves from the outrage of their victims, and as such rarely appreciate that they're making few friends in cyberspace.
If persuading the originators of the spam you receive to get a life doesn't work — and there's almost certainly a spammer somewhere offering lives for sale at a serious discount — you'll probably need to defend your castle yourself. A mail filter will watch your incoming mail, search it for indications of unsolicited content, and suffer fools on your behalf. Properly thought-out and maintained, a mail filter can substantially reduce the volume of spam you have to address.
Mail filters are essentially the only workable solution to the latter two classes of spam outlined earlier in this document. In that it's virtually impossible to reason with a computer virus or one of its still dumber cousins, a grunt spammer, your only recourse will be to block their mail before it reaches you.
Mail filters exist in various forms. A growing number of Internet providers offer some form of spam blocking, to a large extent because it looks good on TV. These things are usually relatively ineffective spam remedies, and they embody some serious catches. They work in one of several ways:
Source Lists: The IP address from which mail originates is compared against one or more "black hole" lists, that is, lists of ostensibly "known" spam sources. Mail which appears to originate from said sources is blocked. This system works poorly for two reasons — firstly, spammers change source addresses a lot, and they're usually adept enough to forge their mail headers, and secondly, many of these "black hole" lists are maintained automatically. It's pretty easy for an entirely innocent address to find its way onto said lists — your spam blocker might well be blocking mail you actually want to receive. It's hard to know when you're not getting mail.
As an aside, the owner of one of these lists appears to have added our IP addresses to it in retaliation for our saying less-than-favorable things about this type of spam blocking. Our lawyers would scream if we identified the list in question — if you use it to block spam, you won't be able to communicate with us, or presumably, with anyone else its owner doesn't like.
Heuristic Spam Identification: The most popular of these as I write this is SpamAssassin, which in fairness, is well thought-out and moderately effective. It applies a set of rules to each message being filtered — looking for things like excessive quoted text or lots of white space — and assigns the messages it handles a rating which specifies the likelihood of their being spam. The catches in using filters like SpamAssassin are that they also rely on "black hole" lists to some extent, and that a sufficiently determined spammer can inspect the rules used by popular heuristic filters and design spam to work around them. Keep in mind that these guys have nothing better to do with their time.
Global Block Lists: Some spam blocking functions are just lists of words or phrases commonly used by spammers... hopefully updated more or less constantly. While this is the basis of personal mail filtering, to be discussed in a moment, they're difficult to manage in a more global setting. Spammers typically work around them by implementing minor variations in words — replacing the letter O with the number zero, for example — and because you won't be determining the list contents, they're likely to trap the occasional innocuous message you actually do want to receive.
While the thought of letting your Internet provider deal with spam for you will no doubt be appealing, you should give serious thought to whether you really want to let software be your first line of defense against spam. It frequently does more harm than good — you can make a mail server absolutely spam-proof by unplugging it, but this hardly qualifies as a sound real-world solution to the problem.
Sender Verification: One of the mail filtering functions that's becoming increasingly popular among larger Internet service providers is sender verification. Sender verification blacklists everyone, and then allows senders to add themselves to a permitted sender whitelist if they can prove they're human beings, rather than software. The usual form of these things is as follows:
- Someone sends you some e-mail.
- Their e-mail is intercepted by your spam blocker, which holds it and replies with an automatic message that says "sorry for the inconvenience" and requires the sender of the e-mail in question to read a code from a graphic designed to be difficult for a machine to read, and enter it in a field.
- Assuming that the sender jumps through the foregoing hoops, his or her e-mail will be delivered.
Sender verification is an effective way to deal with spam if you don't mind missing a lot of genuine e-mail as well — it's analogous to swatting flies with a cruise missile. While it looks good on paper, it encounters a number of problems in the real world:
- Its automatic replies look like spam to other mail filters, and are often trapped before anyone sees them. Genuine e-mail from senders with more sophisticated spam solutions never gets delivered.
- This system effectively nukes all sorts of automatic e-mail, such as order confirmations, newsletters, service notifications and so on — things you'd probably want to receive. These messages are typically sent from addresses that aren't attended by human beings, and verification requests sent back to them are as such never seen.
- Several of these systems have fairly elaborate verification procedures with several screens and lots of hoops to jump through. Some of them are a bit confusing. Many senders either don't jump through all the right hoops, or can't be bothered to try.
- Busy people often just don't notice the verification requests, and their e-mail doesn't get delivered.
These sorts of spam blockers seem like they work — in that they'll block your spam — but you'll probably discover in time that they've been blocking a lot of other mail as well. As was noted earlier, it's hard to know when you're not getting mail. Don't go there.
Personal Mail Filtering: If you use a reasonably robust mail reader application, such as Eudora, you'll have access to a built-in mail filter. This is arguably the most workable way to manage a filter, as you'll most likely wish to update it on a daily basis to trap new instances of spam. Filtering your own e-mail — rather than letting your Internet provider do it for you — will allow you to fine-tune your filters to nail the spam you typically encounter without blocking mail you really want to see.
As I touched on earlier, free e-mail accounts typically come with no filtering functions, primitive filtering functions or filters that only work when they feel like it. Most of what you can do with a mail filter and a reasonable degree of forethought and cynicism won't be workable unless you have a real e-mail account and a real mail reader.
It's also worth noting that as of this writing, none of the e-mail functions built into the popular browsers have useful filtering functions. The Outlook mail reader which installs with most versions of Windows does some mail filtering, albeit in a somewhat clumsy, unintuitive manner.
You can nuke a lot of incoming spam by creating a filter which locates strings of text in some element of your messages which are present in the spam you'd like to destroy — and which don't appear in messages you actually wish to receive. This will typically require a bit of forethought and, as spammers continue to kid themselves into believing they're getting smarter, frequent updates.
The filter function in Eudora allows for checking various header fields, such as the return address, the sender's address and the subject — or just all the header fields — as well as the message body. Here are a number of strategies for using filters to identify incoming spam:
- Create filters which search for profanity. You'll feel really stupid typing dirty words into your e-mail reader's filter dialog, but unless you have a lot of rude friends, this sort of language will only turn up in advertisements from the more puerile pornography spammers. You can shut down almost all of them this way.
- If you find yourself receiving persistent spam from a single source, filter for its e-mail address. This is usually more effective if you filter the body text of incoming messages for the web page domain of whatever the spam in question is flogging, as this substratum of spammers uses bogus return addresses the way the rest of us use soap. For example, if you notice a lot of spam trying to get you to visit http://www.spendyourmoney.co.tw/nomind/index.html, create a filter that traps the string spendyourmoney.co.tw.
- Some spammers seek to legitimize their activities by providing their victims with opt-out functions — typically offering to remove you from their spam lists if you visit a particular web page. While it's decidedly inadvisable to actually use these functions, you can create filters to look for them. Filter for strings like "click here for removal" or "to be removed" and have your filter delete any mail that contains them.
- Spam is usually sent by programs designed to mass-mail documents from e-mail address lists. Some of the people who write these things aren't a lot smarter than the spammers who use them. They have their spamming software add a tag to the end of each message being sent, along the lines of "This message was sent by MightyMailBlaster 4.1." Inasmuch as MightyMailBlaster isn't likely to be used for anything else, create a filter to trap any message which contains the names of the mail programs you get sent spam from.
- As of this writing, a lot of spam seems to be originating from overseas sources — in overseas languages. While looking for common textual elements in these things to filter for is largely impractical, you'll probably notice that most of their Subject fields contain the same strings of meaningless characters. If you don't read any of the affected dialects, it's safe to assume that all such messages are spam. Find these common character strings and filter for them.
- Spammers like to sell things that sound as if they might be trendy, or hard to get, or vaguely illicit. You might want to create filters that look for phrases like "Viagra," "Human Growth Hormone," "DVD Copier," "Credit Repair," "College Degree" and so on.
The things your filters need to look for will be determined by the nature of the spam you receive. You'll also want to consider the likely content of the legitimate e-mail you'd like to receive, and make sure your filters don't mistake any of it for spam. Inasmuch as most spammers appear to have been sent here from an alternate universe that just couldn't stand them any longer, this won't be too difficult in most cases.
In some situations, you can shut down all your spam by using your mail filters to create a "white list." A white list is a black list in reverse. If you only want to receive mail from selected sources, create a filter that sends all your incoming mail to your Trash folder — filter for the space character, for example — and copies mail from the addresses you wish to hear from to your In folder. This is typically a bit draconian for conventional mail users — you might want to consider it if you create an e-mail account for your kids.
Most filter functions can be set up to perform a variety of actions when they find an incoming message that contains whatever they've been set up to filter for. Among the useful choices are:
- Reply to the spammer with a canned message that informs them their spam has been deleted automatically, and instructs them to stop sending you unsolicited mail. This is satisfying, but typically more work than it's worth. Few spammers are sufficiently brave as to use a genuine return address and read their mail. In most cases, your message will be returned a few hours later, necessitating that you delete it manually.
- Send the spam directly to your Trash folder, from whence it will be deleted without your ever knowing it existed.
- Create a Quarantine folder and have your spam sent to it. You'll be able to peruse your quarantined mail from time to time to see if it contains something from Aunt Blothelda when she was having a really bad day. Most people who set up filters to do this redirect them to send the spam they find directly to Trash after a while.
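The string-matching strategies and filter actions above, sketched as an added example. It is not Eudora's filter or code from this page: the rule list, the sample messages, the folder names and the function names are constructed for illustration, and the digit folding covers a few look-alike characters beyond the zero-for-O swap mentioned earlier.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# (field, string to look for, folder) -- first matching rule wins.
RULES = [
    ("body", "spendyourmoney.co.tw", "trash"),      # domain the spam is flogging
    ("body", "click here for removal", "trash"),    # opt-out boilerplate
    ("body", "to be removed", "quarantine"),        # could occur in real mail
    ("body", "mightymailblaster", "trash"),         # bulk mailer's tag line
    ("any", "viagra", "quarantine"),
    ("any", "credit repair", "quarantine"),
]

# Fold common digit/symbol substitutions back to letters before matching.
_FOLD = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s"})


def fold(text):
    return text.lower().translate(_FOLD)


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def classify(raw, whitelist=None):
    """Return (folder, reason). With a whitelist, everything else is trashed."""
    msg = message_from_string(raw, policy=policy.default)
    if whitelist is not None:
        # From headers can be forged, so a white list only keeps out
        # senders who do not know which addresses are on it.
        sender = parseaddr(str(msg.get("From", "")))[1].lower()
        if sender in whitelist:
            return "inbox", "on white list"
        return "trash", "not on white list"
    headers = fold("\n".join("%s: %s" % (k, v) for k, v in msg.items()))
    body = fold(body_text(msg))
    haystacks = {"headers": headers, "body": body, "any": headers + "\n" + body}
    for field, needle, folder in RULES:
        if fold(needle) in haystacks[field]:
            return folder, needle
    return "inbox", None


# Constructed sample messages.
SPAM_DOMAIN = (
    "From: info@home-loans.example\n"
    "Subject: Attention Home Owner\n"
    "\n"
    "Visit http://www.spendyourmoney.co.tw/nomind/index.html today\n"
)
SPAM_MAILER = (
    "From: deals@bulk.example\n"
    "Subject: Lenders compete, you win\n"
    "\n"
    "Great rates.\nThis message was sent by MightyMailBlaster 4.1.\n"
)
SPAM_LOOKALIKE = (
    "From: pills@bulk.example\n"
    "Subject: Cheap V1AGRA t0day\n"
    "\n"
    "Order now.\n"
)
HAM = (
    "From: Aunt Blothelda <aunt.blothelda@family.example>\n"
    "Subject: Sunday dinner\n"
    "\n"
    "Are you coming at 5?\n"
)

if __name__ == "__main__":
    for name in ("SPAM_DOMAIN", "SPAM_MAILER", "SPAM_LOOKALIKE", "HAM"):
        print(name, classify(globals()[name]))
```

Rules whose strings could plausibly turn up in legitimate mail go to quarantine rather than trash, so a false match can still be found and the rule adjusted.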
Creating and maintaining a mail filter entails a substantial amount of effort, although arguably a lot less than would be required to shovel out several hundred spam messages a day. While finding a way to compel spammers to leave you alone would be eminently more satisfying, nailing them on the way in with an effective, Cerberus-like filter is often the most workable compromise.
As a final note on filters, you'll no doubt receive spam that offers to block spam for you — these messages possess a kind of symmetry, even if they are still more desperate than most spam. Needless to say, these guys most assuredly won't help you with your spam problems.
The foregoing remedies to junk e-mail work — most of the time. Entrepreneurial suits who think the Internet is just a huge wall upon which they can staple posters can usually be dissuaded of their misconception. Most system administrators hate spam e-mail more than you do. Legitimate businesses with new blood in their marketing departments who feel that spamming their customers is a good idea usually don't take much persuading of the errors of their ways. Now and again, however, you'll encounter someone who needs a bit more convincing. A mild threat might help.
Here's the threat:
If this waste of our resources does not cease immediately, please be advised that we may activate a Revenge(tm) program for this user. Revenge would automatically sign this user up for over 300 mailing lists to provide a graphic illustration of what it's like to receive unwanted junk e-mail.
Several such programs actually exist, and even if you have no access to one and wouldn't use it even if you did, it's a very nasty threat. Some of these automatic mailing lists can take months to get dislodged from. I certainly wouldn't consider actually turning one loose — I can't help feeling that doing so would lower its user to the ethical sub-stratum occupied by the authors of spam. I don't feel that deluding someone who abuses my e-mail into believing that I'll do so when all polite persuasion has come to naught constitutes a serious lapse in ethics, however.
I should note that we have received one reply to this message from a spam generator. They were of the opinion that this threat constituted some manner of criminal action against their client, that is, that this message threatened to mail-bomb their server. The spam that prompted this message began "Dear Adult Webmaster" and contained fourteen spelling mistakes.
While another matter for the real lawyers to sort out, keep in mind — should you receive a similar reply to it — that it does not threaten to mail-bomb anyone. It threatens to cause an indeterminate number of list servers to send a lot of unsolicited e-mail to the author of the offending spam. Inasmuch as the author of the spam has clearly indicated that he or she feels that unsolicited e-mail does not constitute abuse, they can hardly object to your use of it to communicate your feelings on the matter.
You might also be comforted in considering that while people who can't spell "lawyer" can hire one, they rarely do so.
It might well be questioned whether sending what could be construed as a threat to a spam generator — someone who's probably been swimming in the shallow end of the gene pool, judging by how he or she makes a living — is an altogether good idea. People who claim to know how spam generators think and behave will probably suggest that it's not. Many will tell you that it's a bad idea to reply to them at all, as doing so will confirm that your e-mail address is valid, and hence ensure that you receive further unsolicited messages.
Both of these issues are valid to an extent. A spam generator could choose to construe the foregoing as a threat to mail-bomb them, or to direct a denial of service attack at them, even though it's clearly neither of these things. In some jurisdictions, issuing such threats can be in itself illegal, even if you have no intention of carrying them out. If you really feel a threat is called for, you need to sort out the legal situation surrounding your sending one.
The argument that responding to spam generators at all is likely to bring you further spam seems somewhat convincing on the surface, but is highly questionable if you consider it. It's predicated on the belief that spam generators use software which searches the towering spires of unpleasant replies they receive from their mass-mail programs, and somehow uses this information to decide who will be spammed next time. Were this to be the case, people who didn't reply would never get mailed again. Sadly, keeping silent rarely has this effect — it might thus be concluded that spam generators don't use the replies to their spam as signs of life.
Here's another handy threat, and this is one you can easily carry out. You'll need to locate the genuine contact e-mail addresses of a spam generator or his ISP to use this.
We have requested that you desist in sending us unsolicited e-mail, which you have thus far refused to do. Please be aware that as of today, we have installed a mail filter which will automatically forward all spam from your domain to you. You can either stop sending us spam, or you can clean it up when it arrives in your mail.
It is unwise to use this indiscriminately — you'll need to make absolutely sure you're not targeting an innocent third party before you establish such a filter. This is, however, a remarkably effective way to convince reluctant spam generators that they'd probably rather leave you alone.
It's worth knowing how the perpetrators of junk e-mail come up with the e-mail addresses to send their messages to. There are several sources of mailing lists, and once you get on one, you can expect your e-mail address to be passed around pretty much until the sun goes nova. In understanding how spammers find their recipients, you can do a lot to ensure that you're not among them. Once again, keep in mind that most spammers own shoes that are smarter than their owners, and out-thinking them doesn't take much effort.
Here are a few of the common sources:
Usenet Postings: Using your real e-mail address when you post to newsgroups virtually guarantees you'll be up to your neck in spam long before anyone responds to your posting. The remedy for this will be obvious.
Web Pages: If you maintain a web page with your e-mail address somewhere therein, e-mail harvesters will eventually drop by looking for anything with an @ sign. E-mail harvesters will be discussed in detail in a moment. Check out the Alchemy Mindworks e-mail page — there are no e-mail addresses with human-readable accounts anywhere on it. You might want to consider using a form like this at your page.
Recent Purchases: While it's by no means true of all on-line businesses, there are otherwise reputable companies which collect e-mail addresses from their customers, and use them to send said customers unsolicited advertising. In some cases, you'll find the on-line order forms you buy things from have opt-out functions — some of which can be pretty hard to find.
In fairness, we have a mailing list to tell our customers about software updates and new products, but it's an opt-in feature at our order page — it won't send you anything unless you actually tell it to do so.
If you have to provide an e-mail address to an on-line form, it's a good idea to enter something other than the address you use for "serious" e-mail. The simplest way to arrive at this is to create an account with a free e-mail provider, as discussed above, and then abandon it when the spam it attracts gets too intense. A more sophisticated approach is to use disposable addresses. Mail servers have a feature called "aliases," which lets them relay mail from any number of non-existent accounts to real addresses. When I want to provide an e-mail address to someone I'm not sure I can trust, I create a disposable address and then delete it when it's no longer needed, or when it starts receiving advertising.
There are several dedicated providers of disposable e-mail addresses which will set you up with essentially the same facility for a fee.
It's worth keeping in mind that the middle management of some bricks-and-mortar companies aren't entirely up to speed with the Internet — some of these guys still seem to regard junk e-mail as being no more objectionable than junk snail-mail, and they've convinced themselves that the latter isn't an issue as they've been getting away with it for decades. It's a serious slap in the face to do business with someone and have 'em come back and spam you — you'll do well to communicate this to the management in question, right before you filter them into oblivion.
Viruses: There have been several viruses of late which appear to have been written to harvest personal information and e-mail it to the authors of the viruses in question. As these sorts of viruses usually start by looking for contact lists, you could have your e-mail address compromised because the computer of a friend or colleague has your address stored somewhere.
Flooding: Some spammers don't use mailing lists per se. They'll pick a domain and run software to send messages to innumerable possible account names. Most of them will bounce, of course, but spammers are used to that.
It's worth keeping in mind that any situation in which you disclose your e-mail address constitutes some degree of risk of it being compromised to spammers. Having said this, keeping it entirely secret rather defeats the purpose of having it. You can reduce the amount of spam your account receives by keeping its distribution to people you trust, and using one of the alternative e-mail accounts discussed above for everyone else.
The Further Adventures of Address Harvesters: The software that gathers e-mail addresses from web pages is referred to as a "harvester". E-mail address harvesters are programs which work through the world wide web looking for e-mail addresses. An e-mail address is fairly easy for software to spot in the text of a web page, as it has a space before and after it, and an @ sign in the middle. If you know a bit about harvesters, you can undertake to defend your web page against their depredations. Specifically, you can poison them.
Unlike their namesake, web page harvesters don't have a windburned old guy wearing a John Deere baseball cap to guide them. They simply spider from page to page, blindly collecting any e-mail addresses they find and visiting all the links they encounter. Good programmers are hard to find, and they can make a lot of money if they really know their stuff. Specifically, they can make a lot more than generating spam is likely to pay them. The e-mail harvesters seem to have been written by less than gifted software development teams, and as such are usually easily fooled.
The WPoison software is a product of E-Scrub Technologies of Roseville, California. It's freeware as of this writing. Ideally, WPoison should run as a CGI program on your web server, but E-Scrub also provides a link to the software running on their own server, should you be unable to run CGI programs on your own.
At least as far as an e-mail harvester knows, a link to the WPoison program looks like a conventional web page link. If it's the very first link in your page, it's the first thing most harvesters will look at. When they link to it, it will generate a page with a number of randomly generated — and wholly bogus — e-mail addresses. The page will also contain some meaningless text to make it look like a real web page, and several additional links for the harvester to follow. All the links will point back to WPoison, such that when the harvester follows them, it will get another page of bogus addresses and links.
This process is similar to calling the IRS or Revenue Canada to find out what happened to your tax refund.
Depending upon the architecture of the harvester in question, a link to WPoison can be sufficient to protect the genuine e-mail addresses at your page from inclusion in spam lists. Because the web of links created by WPoison is infinitely deep, a harvester that links to it may never extricate itself from the WPoison web.
At the very least, it will help fill the spam list being generated with an enormous volume of monkey dandruff.
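The poisoning scheme described above can be sketched in a few lines. This is an added example, not WPoison's own code: the URL prefix, the function names and the choice of the reserved .invalid domain (so that no real mailbox is ever generated) are assumptions made here.

```python
import hashlib
import random
import re
from html import escape

PREFIX = "/cgi-bin/poison/"  # assumed URL prefix where this generator is mounted
WORDS = ("garden report window market river notice silver paper morning "
         "letter corner street winter update family office").split()

def _rng(path):
    # Seed from the requested path: every URL yields a stable but different page,
    # so the web of links is unbounded without storing any state on the server.
    return random.Random(hashlib.sha256(path.encode()).digest())

def _token(rng, n=10):
    return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(n))

def poison_page(path, n_addrs=20, n_links=5):
    """Return HTML full of bogus addresses and links leading back to the generator."""
    rng = _rng(path)
    parts = ["<html><head><title>%s</title></head><body>" % escape(rng.choice(WORDS).title())]
    for _ in range(n_addrs):
        # .invalid is reserved (RFC 2606), so no real mailbox or domain is ever hit.
        addr = "%s@%s.invalid" % (_token(rng, 8), _token(rng, 6))
        filler = " ".join(rng.choice(WORDS) for _ in range(12))
        parts.append('<p>%s <a href="mailto:%s">%s</a></p>' % (filler, addr, addr))
    for _ in range(n_links):
        parts.append('<a href="%s%s.html">%s</a>' % (PREFIX, _token(rng), rng.choice(WORDS)))
    parts.append("</body></html>")
    return "\n".join(parts)

def harvester_view(html):
    """What a naive harvester extracts: anything with an @ sign, plus links to follow."""
    addrs = set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", html))
    links = re.findall(r'<a href="(/[^"]+)"', html)
    return addrs, links

def crawl(start, max_pages):
    """Simulate a harvester following every link; it never runs out of pages."""
    queue, seen, collected = [start], set(), set()
    while queue and len(seen) < max_pages:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        addrs, links = harvester_view(poison_page(path))
        collected |= addrs
        queue.extend(links)
    return len(seen), len(collected), len(queue)

if __name__ == "__main__":
    # pages visited, bogus addresses collected, links still waiting to be followed
    print(crawl(PREFIX + "index.html", 50))
```

Each page visited leaves the simulated harvester with more unvisited links than it started with, which is why the crawl only stops when the page budget runs out.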
With the growing controversy and general level of shouting surrounding spam, you might well ask whether there are any laws available to deal with the unauthorized use of your e-mail resources. As of this writing, none exist in most western nations. The American government has just passed anti-spam legislation, although at first reading it appears to be of questionable effectiveness.
Quite a few proposed measures have appeared before the government of the United States to deal with spam — while none of the following made it into law, they offer a measure of understanding of the thinking behind anti-spam legislation, or perhaps, of the lack thereof. Few of these guys seem to have much to do with the Internet.
Bill H.R. 1748, "The Netizens Protection Act of 1997", or the "Smith Bill". This bill sought to make it possible for the recipients of spam to sue the parties responsible for sending it, to a maximum of $1500 per message. While it meant that the recipients of spam would have had to take legal action on their own behalf against the spammers responsible for sending them unsolicited e-mail, at $1500 a pop, the bounty on spam generators would have been fairly attractive.
The Torricelli Bill, S.875, would have effectively legalized spam and required that parties not wishing to receive it provide their addresses to a filter. In effect, it sought to legitimize spam by providing a somewhat impractical but technically workable way to prevent extreme abuse. Of course, to completely eliminate spam, you'd have to track down every list your e-mail address might have found its way onto, a largely impossible task. This is a bit like pinning a note to your kid that reads "please don't sell me any crack."
The Murkowski Bill, S.771, would have legalized spam and made ISPs responsible for filtering it. It would have required that spam be addressed in such a way as to make it identifiable as unsolicited advertising. ISPs who failed to comply with the filtering requirements would have faced severe fines. This is somewhat like the Torricelli bill, except that if you failed to pin a note to your kid that reads "please don't sell me any crack" and someone succeeded in getting your kid hooked on drugs, they'd send you to jail rather than the dealer.
The Tauzin Bill, H.R. 2368, was arguably the funkiest of the lot. It would have legalized spam and created an advisory panel to establish guidelines for the responsible use of commercial spam. Adherence to the guidelines would have been voluntary. To continue the analogy, I think of this one as buying lunch for a group of crack dealers and asking them to tell all their friends to leave your kid alone.
Bill S.759, drafted by senators Murkowski and Torricelli, would have required that unsolicited e-mail include valid contact information, prohibited forged headers and required that spam generators remove addresses from their lists when they were requested to do so. Domain owners would have been permitted to block unsolicited e-mail, but they would have been required to maintain lists of their users who didn't want to have their unsolicited e-mail blocked, and to make said lists available to spam generators. Domain owners would have been required to make arrangements at their expense to allow their users to opt out of the domain owner's spam blocking. Domain owners would have been required to register the status of their domains with regard to blocking unsolicited e-mail with the Federal Trade Commission. To continue the earlier analogy, this one's like giving drug dealers permission to get your kid hooked on crack, as long as they agree to leave their name and address with the drugs and to promise not to get your kid hooked on crack again if you ask them nicely. It would have permitted and largely legitimized spam, while placing the burden of avoiding it on the shoulders of its recipients.
As of this writing, all of these bills have failed to be passed into law, and all are effectively dead.
Bogus Legal Notifications: One of the most frequently mentioned ostensible laws pertaining to spam is bill S.1618. You'll probably find references to it in spam, such as:
This is an "Unsolicited Commercial Email", not "Spam".
This message is sent in compliance with the new e-mail bill:
SECTION 301. Per Section 301, Paragraph (a)(2)(C) of S. 1618
This message complies with the United States Federal requirements
that allow the sending of commercial email.
This notification is, of course, nonsense. Bill S.1618 did pass the United States Senate, but it died in conference and never became law. Notifications like this one are clearly intended to add legitimacy to spam, and to frighten its recipients into believing that its authors had a right to send it. You can safely ignore them.
The CAN-SPAM Act: The CAN-SPAM act of 2003 — bill S.877 — has just become law in the United States as I write this. It might be argued that more thought went into its ostensibly catchy acronym than into the legislation itself — its complete title is "The Controlling the Assault of Non-Solicited Pornography and Marketing Act." Someone must've been patting themselves on the back for a solid week over that.
Under the CAN-SPAM act, spam will have to be labeled as such. However, spammers will be free to choose how they want to label their spam, making it difficult to devise a filter to trap the labels. Spam will have to include opt-out instructions — this means, in effect, that every spammer on earth can legitimately spam you once, and you'll have the responsibility to jump through whatever hoops they can think up to be removed from their mailing lists. Spam will be required to include the physical address of the spammer. Deceptive subject lines and forged mail headers will be prohibited. The American Federal Trade Commission will be empowered to create a "do-not-spam" registry, although it will not be required to do so. Penalties of up to $250 per message, to a maximum of six million dollars per spammer, can be imposed on parties who violate this law.
Sadly, CAN-SPAM supersedes several state anti-spam laws with bigger teeth than it has.
Think of this law as being comparable to a bill that prohibits the sale of crack to your kid unless the crack comes in a professional, attractively-printed package with a picture of a drug addict on the front.
On a good day with the wind blowing in just the right direction, the CAN-SPAM act might be used to prosecute some of the really objectionable industrial-strength spammers, if any of them turn out to be sufficiently brain-damaged as to be spamming from within the United States. It includes loopholes which lesser spammers will be able to drive a bus through — that's one of those enormous interstate tour busses that takes up eleven parking spaces and has room inside for a hot tub and a sunken living room.
The CAN-SPAM act doesn't do anything to address spam from overseas, which is where almost all of it originates. Doing so would require international treaties and agreements — an undertaking with some real work behind it, rather than just a few pages of vague legislation.
About Laws and Lawyers: Many users of the Internet will be dismayed at the prospect of the net's inherent freedoms being diminished by the passing of legislation to regulate it. I certainly am. It's important to keep in mind, however, that laws are what society usually does when it's confronted by a small group of its members who do not share its values. Laws which seek to restrict the ability of spam generators to abuse your e-mail resources, if they come to pass, will be enacted for the same reasons that laws which seek to restrict thieves from access to your house at two in the morning were created.
Here's an important legal pontification. All legislation is, by its nature, somewhat restrictive. It embodies a tradeoff — we give up some freedom to behave any way we like in exchange for protection from others who, in behaving any way they like, would stomp on our prerogatives. It's arguably preferable to give up the right to enter anyone's home whenever you choose in exchange for the security of knowing that your home will not be invaded at regular intervals. In the case of spam legislation, if it's enacted correctly, it's preferable to give up the right to mass-mail unwilling recipients — something you'd probably never actually want to do in any case — in exchange for protection from less-principled users of the Internet flooding your mail box with advertising.
This abstract precept does not, of course, address the very real concern that legislation which seeks to protect users of the net from spam might be poorly drafted, and do more harm than good. The place where the rubber meets the road is a good deal less predictable than the spot where it meets the floor of a wind tunnel.
There are far darker sorts of unsolicited junk e-mail. We receive a fair bit of mail from religious extremists. I regard most of this as being another sort of commercial solicitation, and usually deal with it the same way as I would advertisements for condos and adult videos. God appears to have become just another commodity to some of her creations.
Virtually all of the religious junk e-mail I've encountered has been from christians — clearly from a very tiny, weird minority thereof. If you're into scripture, you might be able to think up something in the old testament to send back to these characters illustrating the evil of their ways. Mention that the number of the beast has an @ sign in it — this always gets 'em a bit steamed.
Clearly, telling the authors of religious tracts that appear in your e-mail that you don't want to do business with them isn't of much use — however true it might be. Outraging them is somewhat more effective. If you're not fortunate enough to actually be pagan, pretend to be one for a few minutes. The goddess will understand.
Racial and sexual junk e-mail is a rather more serious matter, because some of the people who send it are genuinely messed up. Toying with these characters — or in fact even replying to them — is a really bad idea. In many cases it's hard to know where they're located.
If you receive e-mail of this sort, get in touch with the postmaster of the server from which it originated. Most ISPs are very helpful about this sort of thing — the last thing they want is to have the police at their door brandishing a warrant to arrest anything with a microprocessor in it.
Sexual or racial harassment by e-mail is no less a crime than similar harassment by telephone. If it looks serious or it persists, call the law. In the United States, the FBI has been taking these sorts of cyber-crimes really seriously, and they have the resources to trace through the Internet and find the originators of these messages.
The Internet is arguably one of the most profound technologies of the twentieth century, and if you've built a web page or just e-mailed a really good pasta recipe to your cousin in Idaho, you've contributed to it. Spammers are termites chewing at the foundations of this grand castle — it might be appropriate to think of anti-spam legislation — workable, well thought-out antispam legislation — as being the Orkin man called in to spray them.
At the moment, the Orkin man's still waiting in his truck on this particular issue — most government attempts to address spam have been side-tracked by special-interest groups and parties in bed with direct-marketing advocates. It would be unwise to count on your elected officials to assist you in dealing with spam any time soon.
You can reduce the flood of spam you receive to a manageable trickle — although doing so will take some work on your part — and on a good day, you can make life more unpleasant for spammers than insufficient oxygen at birth has already done.
Getting even is the best form of revenge. I think it was actually Archie Bunker who said that, but it's a pleasing sentiment none the less.
As a final suggestion, when all else fails, use this:
After repeated requests to remove our e-mail address from your junk e-mail list, we are still receiving unsolicited advertisements from your company. Please be advised that I have this day posted a live female tarantula spider to your company in an unmarked brown package. This spider was pregnant at the time of mailing, and may have produced offspring by the time it reaches you. Female tarantulas are exceedingly unstable in this condition. I recommend that your employees wear thick leather gloves when opening mail until the package arrives. Have a nice week.
There are probably a few users of the net who bought one of those "How to Make Lots of Money on the Internet" books and are wondering exactly how to go about making all that money in light of what's appeared on this page. The answer is before you — commercial resources on the Internet belong on the World Wide Web. If you create a page which has enough content to make it worth browsing, people will come and look at it, and they'll read your ads. They won't even threaten you with live tarantulas.