Email Spam

Well there’s egg and bacon – egg, sausage and bacon – egg and spam – bacon and spam – egg, bacon, sausage and spam – spam, bacon, sausage and spam – spam, egg, spam, spam, bacon and spam – spam, spam, spam, egg and spam – spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam – or lobster thermidor aux crevettes with a mornay sauce garnished with truffle pate, brandy, and a fried egg on top of spam.

Monty Python’s Flying Circus.

It would be useful for a Host to be able to decline messages from sources it believes are misbehaving or are simply annoying.

Jon Postel, On the Junk Mail Problem, RFC 706, Nov 1975.

Spam email is unsolicited, usually commercial email sent to you by someone you don’t know, and often carries messages involving products you don’t want, pyramid schemes, adult messages, frauds of all kinds, and computer viruses. Spam can significantly interfere with your use of email, but there are several options to help block spam and reduce the scale of the problem.

The fundamental rules are never to respond to an email that asks for personal information like a phone number or address, never send money to anyone who contacts you by email for any reason whatsoever, try to never open or preview any unsolicited email, and do not give your email address or anyone else’s to any website (news, greeting cards) unless absolutely required and worthwhile.

While it was first termed “junk mail” as early as 1975 in RFC 706, the popular term today is taken from the Monty Python skit where the word “spam” is used more and more frequently in each successive dish, which is kind of similar to the way spam email seems to endlessly build up in your mailbox. The first spam email was sent on May 1st, 1978, by a DEC marketing representative to every ARPANET address on the west coast of the United States. The general reaction was one of outrage, and it hasn’t abated since. Only 5% of email on the Internet was spam in 2001, rising to 50% in 2003, 70% in 2004, and almost 90% by 2007. The sheer amount of noise it generates increasingly threatens to drown out useful email sent legitimately.

There are some that argue that while technology might be able to provide solutions to spam, it should not be made illegal since it is a form of free speech. The fault in this argument is wide: spam is unsolicited commercial speech whose motive is not to trade in the marketplace of ideas but to benefit a single business, and moreover is magnified across geographical boundaries at such little cost that it has enabled commercial enterprises to raise their conversation level to the point that it is drowning out the free speech of the very individuals we started out to protect in the first place.

You can find references to anti-virus free open source software protection here. The following subsections provide information on confidentiality, filters, response, a poem, and additional resources.

Confidentiality. The most effective thing you can do to block spam is not divulge your email address to third parties. If they don’t have your address, they can’t send you email. The following tips can assist.

  • Name change. The most effective way of blocking spam is to change your email address to something not easily guessed, such as <> or <>, and then be very selective about sharing your address with others. However, that means notifying all your friends to update their address books, might mean throwing away an address you’ve had for awhile and prefer to keep, and could only be a temporary stop-gap if somehow your new address gets on a spammer’s list again.
  • Shhhh… Never reply to any spam email, especially if it is an offer to remove you from their mailing list. Particularly watch out for surreptitious connections: always delete spam email without the preview window open, because if you preview a spam email and it has an image link you are verifying your email address just the same as replying to a fake remove address, and invites even more spam.
  • Disguise. Never enter a chat room or post to the newsgroups without disguising your email address by either camouflaging it with nonsense words or using a temporary, throw-away address.
  • Remailers. For specific applications you can use a remailer to disguise your true address.
  • Safegaurds. Never give your address to a website unless necessary to complete a registration or transaction, they have a good privacy policy, and you trust them. This applies especially to offers to join notification mailing lists, send online greeting cards, or email web pages to a friend — all methods used to harvest email addresses for spammers.

Filters. Filtering services can provide powerful spam blocking through automatic processing techniques. There are four basic approaches:

  • ISP. Your first line of spam blocking should be at your Internet service provider. If they don’t already use a spam blocking service, you should ask your provider to join one. These blocking services use a variety of signature based schemes to identify spam and trap it at the email server, and can be reasonably effective at blocking most spam before it gets to your mailbox.
  • Commercial. There are a number of commercial spam blocking options available, such as the first peer-to-peer spam blocking service, which leverages the power of the Internet to enable people to share information, collects information from its users as they identify spam email, and then blocks those spam for all other users connected to the service.
  • Encryption. There is at least one application, the Tagged Message Delivery Agent (TMDA), which blocks spam with cryptographic methods to confirm the legitimacy of unknown senders, although these approaches introduce a layer of complexity that not everyone is willing to accept.
  • Application. As a last resort, you can block spam with your own application spam filter built with your email application’s built-in filter capability. Be forewarned that this approach requires set-up and regular ongoing maintenance to remain effective, and should be used only when other protective measures cannot be taken.

Respond. There was a time, a brief period in the late 1990’s, when responding to spam email might do you some good – maybe you could get their ISP to close their account. Today, if you want to respond to spam, you first have to ask yourself if it is worth the effort since there are so many more productive things you could be doing instead. Second, consider that there are so many spammers, so much spam, and so very, very little you can do to change the tide. Third, remember that response to a spammer themself will only get you on many more spam lists and boomerang a hundred-fold, so you need to be careful only to respond to legitimate umbrella organizations supporting the spammer’s business.

If you nevertheless feel moved to proceed despite the considerable risk, essential futility, and enormous effort required… then there are a few options available depending on the information the spammer has revealed:

  • Offline reply. If the spam email requests feedback through off-line means such as paper mail, phone number, or fax, then almost certainly all of the rest of the information in the email is faked. You can choose to respond by the offline means, but don’t reveal any return information, don’t phone any expensive long distance phone numbers, and don’t expect any lasting effect. I do know of one fellow that used to phone 800 numbers he found in spam email and try to sell whoever answered discount carpet cleaning, which he said was fun, although he never made a sale.
  • Email address. While return addresses are almost always faked, sometimes the body of the email will request a response to a temporarily legitimate email address such as <>. If the address is hosted at a legitimate provider, they usually have a team to address violation of their terms of usage such as spamming, and you should be able to find an address or response form at their web site to report the problem. They will often close the account, directly depriving the spammer of any further revenue.
  • Web site. Sometimes everything in a spam email is fake except a link to a web site where the scam resides. If that page is part of a larger site like a community home page site, then you can complain to that site’s administrators — they will often close the user’s account, depriving the spammer of further revenue. If the web site is used solely for the spam and there is no legitimate contact, then only the most determined experts should consider one of the remaining options described below.
  • Domain name. You can look up the site’s domain name in the Internet whois database to find out who manages it. If it can be confirmed that the contact is not the spammer themself, then you can email them requesting resolution.
  • Name servers. Domain name contacts for spammer sites are often the spammer or fakes like <>, neither one of which you want to contact. You can sometimes follow the trail one level deeper by contacting the administrative contacts for the domains listed as the name servers. If you even considering this, you should already be familiar with the role of a DNS administrator and their workload.
  • IP address. If you can decipher the originating IP address from the full header listing (see Header tracing below), or the spam contains a web site address in the form of an IP address alias in an attempt to shield it from domain name attacks, then you can look up the address in the Whois databases and let the upstream owner of the larger block of addresses know one of their users might be violating their acceptable use terms. If you are even considering this…
  • Header tracing. Long ago, back in the twentieth century, the art of locating people by following the trail they left behind was called “tracing”, and its equivalent in spammer pursuit today refers to analysis of email headers to follow the originating email server or IP address back to its source. This is a detailed activity best left to experts, although there are some online resources available to assist.

Poetry. The worst tragedies in life inspire the greatest artistic responses. The feelings of many people about spam are summed up nicely by Daniel Macks in the following poem, which hit the right online nerve and was distributed widely around the Internet in the late 1990’s.

Ode to Spammers

I do not want your MLMs;
I don’t want to see nude teenage femmes.
I do not want psychic advice,
So there’s no need to mail me thrice.
I do not like New Jerseyan swearing,
And I don’t want the panties you’re wearing.
I do not want your Asian chicks;
I don’t care about your lame stock picks.
I do not want to see Pam’s bod,
Don’t care about your views on God.
I don’t want calling cards prepaid,
Nor Herbalife’s new diet aid.
So, Dave Rhodes, lawyers Seigel and Canter,
And the “I am so great” ranter,
And all you others who have no name–
Whether small-time or of nanae fame:
I do not want to sound too crass,
But I think someone should kick your /dev/null.

– by permission of Daniel E. Macks.

Resources. The following Request For Comments discuss spam related issues:

  • RFC 3685; C. Daboo; SIEVE Email Filtering: Spamtest and VirusTest Extensions; February 2004.
  • Spam This! – Drawing a spammer down a rabbit hole.

The following resources provide more information about spam blocking and prevention:

The following sites provide information about tracing spammers, mainly interesting for historical purposes:

  • alt.spam FAQ — Titled “Figuring out fake E-Mail & Posts”, describes how to find out which computer a fake post or e-mail comes from, and who you should contact.
  • Fighting E-mail Spammers — By Todd Burgess, describes how to use the received headers of email to find the real sender or site that sent it.