Seattle Community Network

Email Spam

Never Reply to Spam

Now read carefully: if a spammer does anything with a reply, it is to collect the "REMOVE" addresses and put them on a list of known good addresses. Replies consist of deliberate replies and automatic confirmations by your reader.

That is the entire law of spam. The rest is commentary...



Index

  1. Overview
  2. What SCN is doing (why email was blocked)
  3. Reducing SPAM
  4. Taking Action Against Spam




1. Overview

Spam detection involves blocking the use of email systems, such as SCN's server, for distributing spam. In general, most ISPs try to block their systems from being used as a relay for spam. While filtering spam going into the user's mailbox is also desirable, it is a small part of the problem. The reasons for this strategy are:

  1. It's effective.
  2. Allowing spam to be relayed has the same effect as allowing spam. It will get the ISP "blackholed", causing users to be blocked.
  3. The spam itself burdens the system's resources.

The term "spam" originates from the Monty Python skit in which the menu repeats,

"Spam, Spam, Spam ... Well, there's Spam egg sausage and Spam. That's not got much Spam in it."
Spam threatens the utility of email, and burdens the server or ISP.

Spam is unsolicited commercial email. Lists which require the user to "opt-in" (deliberately requesting mailings) are not spam. If someone harvested your email address from a commercial transaction, it's spam. They did not ask your permission.

There are other forms of spam which are not addressed here:

Commercial newsgroup and list spamming
Sending commercial messages to newsgroups or mailing lists (unless the commercial messages are approved for that list). This specifically includes placing referral numbers in URLs and other commercial activities.
Noncommercial newsgroup spamming
Repeat posting of similar messages to an excessive number of newsgroups
Webpage spamming
This relates to deliberate attempts at spoofing search robots with content not intended for readers of the webpage, etc.



Spam Policy Issues

Here's the good news. It is in the business interest of most ISPs to block spam and to block ISPs which support spam.

Public policy issues on spam and blocking spam are addressed in detail elsewhere. (Search for <spam "free speech">.) Here is a brief summary of the issue:

Is it Censorship?
Yes, at least sometimes. There are several censorship issues involved:
  1. Spam is a form of speech and anything that blocks speech is a form of censorship. Most of us find this blocking acceptable, at least when applied to commercial speech.
  2. Anti-spam entities are telling spammers how they should run their business. Often spammers disagree with requirements for "opt-in" policies and other anti-spam policies. They claim that they:
    really do honour "unsubscribe" replies,
    that they paid good money to harvest the addresses,
    that they got your email address from another source,
    etc. (Our recommendations are to never reply to spam.)
  3. Spam is a cheap way to advertise and should be permitted. (After all, a commercially hosted webpage can cost $30./month.)
  4. Anti-spam blackholing sometimes makes non-spam sites unavailable. (A non-spammer then has the choice of asking their ISP to clean up their act or finding a different web host.)
  5. Anti-spam campaigns coerce ISPs to "unplug" "spamvertised" sites and other activities which support spam. Such host sites protest that they are not actually the ones sending out the spam, and that they are only hosting sites which are set up to benefit from the spam which goes out elsewhere.
  6. "Stealth Blocking" - Some users are not advised that their ISP is blackholing websites. This is a matter of disclosure rather than that of the blackholing policy itself. It is the author's opinion that an ISP which blocks "blackholed" sites and informs their customers is performing a useful service. (See "Coalition Statement" against stealth blocking for details.)
Most people who oppose spam point out that the blocking is not concerned with content and is content-neutral. If one defines "censorship" as based on content, spam blocking and blackholing of spamvertised sites would not be censorship.

What is Spam - These are a few of the issues:
Some mass-mailers who claim to use targeted addresses claim not to be spammers.
I'm sure there are others who claim they're not really spammers, or that they're not spammers because they aren't promoting pornography, etc.
Particular "opt-in" policies.
"You requested this spam because you didn't happen to see the pre-checked "opt-in" box." (If the box is pre-checked on a java form, what steps did the spammer take to make sure the user really elected to receive spam?)
Individual mailings from "friends".

Doesn't Washington (and a few other states) have a law to stop spammers?
This law is very effective, and in fact AOL has won several judgements against spammers. If you don't happen to be AOL, and for some reason aren't able to spend $30,000 for a $1,500 judgement, this may not help.
Anti-spam laws are useful in that they make it easier for ISPs to implement their "Acceptable Use Policies" and otherwise take action against spammers.

Anyone who wants to advertise on the internet can do so economically, for example by posting a webpage. It is also considered acceptable to have a web form which requires that a user affirmatively request being sent commercial email (provided that the user can also cancel). People have attempted to establish generic "opt-in", but few people have subscribed.

Several well-known companies had been blackholed because of spam policies. Typically, this happens when someone in marketing suggests harvesting the company's own customers' addresses for spam ("customer maintenance").

As a practical matter, you are paying (or SCN is paying) for the service that the spammer is using.





2. What SCN is doing (why email was blocked)

SCN blocks email based on known patterns of spammers.

In general, spam blocking includes an analysis of email for patterns which are visually apparent in the TCP/IP activity. Detailed information and "workarounds" are found at www.scn.org/help/email/spamblock.html.

Other Things SCN Does

SCN's most obvious action is the requirement for doing a POP call (retrieve email) before sending email with an SMTP program (email reader). This is explained at www.scn.org/help/email/popmail.html. This means that an actual SCN user must log on before sending email. In anti-spam jargon, it's called "POP-before-SMTP".

Due to the nature of our organization, there's always someone looking at the blackhole lists to see if we have a problem.


WHAT TO DO


Check the ISP

If email is blocked, the ISP will probably also be on one or more blackhole lists. Go to a blackhole search site and see if you can find your server there. If the listing describes spam or an open relay, that's the reason. (READ what the listing says. Some are not blackhole lists and are only used for heuristics. One example is a listing of country-specific IP blocks.)

If your ISP is blocked, consider sending the "blackhole" report data to the administrator of your ISP (if the report data is relevant).

Work-Arounds

This is for individuals who can't send mail to SCN (or another ISP).

Usually a free mail site such as Yahoomail or Hotmail is all that's needed. Other options include using an alternate email account which is not forwarded to the blocking IP, and asking the user to reply to that account. (Some readers allow optional "replyto" headers for specific people.)





3. Reducing SPAM in your Inbox

This explains basic stuff to reduce spam in your inbox.

Focus
Don't Reply to Spam
"Lazy HTML" and Email Readers Linked to a Browser
Bad Information
Automation, Known Good Addresses and Address Collection
Confirming Mail
Web Forms
Email from Browser
Webpages
Select an Anti-Spam ISP
Miscellany
Email Software
Responding to the Domain


Focus

The following is focused on reducing receipt of spam. Serious anti-spam techniques such as use of nslookup, traceroute, blackholing and the like are addressed elsewhere. (See Responding to the Domain)

1. Never respond to spam.
Spammers have gone to great efforts to "clean up" their spam lists by using only known good addresses. Bounced messages are a dead giveaway to an ISP that spam is routing through. The larger ISPs have installed software that uses dead addresses to detect spam. SPAMMERS NEED YOU TO REPLY TO THEM. This verifies that they have a known good address.
Responding only confirms a valid address, especially when it includes a message on removal! Believe me, nobody has the time to read these replies and the last thing spammers want to do is remove valid names from their lists. I am seeing some extraordinary attempts at validating addresses -- including messages which obviously don't relate to anything meaningful. (One was for an Acapulco radio station which had its "REMOVE" instructions in English.)

These guys need you to reply to them. That verifies that they have a known good address.

Ploys to entice submission of replies include:
the "remove" instructions (duh)
Statements that the address was picked up from browsing a website
Do you think they'd admit to that one if it were true?
Statements that the mail is never sent unsolicited (Unsolicited mail is always sent solicited!)
Fill-in forms on webpages


2. Block Return Receipt on your Email Software
Pegasus calls this "Confirm Reading." Search your browser's help menu for "confirm." Of course if you confirm with slightly munged addresses, you help clog a spammer's list.

Some flavours of Outlook allow selective confirmation, meaning that you can confirm mail from people in your addressbook, but ignore unknown "confirm" requests. Confirming to known senders is obviously safe.

3. "Lazy HTML" and Email Readers Linked to a Browser (Outlook/Outlook Express and Netscape)
Lazy HTML is HTML in email which uses external links on the Web.
HTML on the web uses separate files for images and frames. HTML on email normally includes these "in-line images" as part of the email. "Lazy HTML" goes out on the web for parts of the page.
The problem is that with "Lazy HTML" in email, it is possible to include specific data in these pages to confirm receipt of spam. Usually these appear as the code,
<img src=http://spamdomain.com/cid:xxxxx>.
These are sometimes called "web bugs" because of their electronic eavesdropping function.

But the email reader must cooperate by going out and "fetching" this fake image. In other words, it must automatically read "lazy HTML".

Highlighted (click-on) links are not "Lazy HTML". They're hyperlinks. (Hyperlinks usually also display at the bottom of the reader when you point your mouse to them.)

Unless the linked browser has a way of separately turning off images and other functions for email, these email readers will send information out without your consent. They will confirm your email address to spammers.
This is a major security hole in Outlook, Outlook Express and probably Netscape. I have not yet seen the corresponding "patches" but they may exist. At present, the browser settings still control the email settings.

On Outlook/Outlook Express and Netscape, it is possible to block these functions by setting the associated browser to turn off "everything" (image loading, cookies, scripts, etc.) Then use a different browser for the Web.

This is normally not a problem with off-line email reading.
Alternatively, if your reader offers the option, set it to read "plain text only". This may mean you need to draft a standard "bounce" to people who send HTML-only messages.
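To check a message for "Lazy HTML" before opening it in an HTML-capable reader, the following added example (not part of the original page) lists every resource the HTML part would fetch automatically. The sample message, the `.example` domains and the name `find_web_bugs` are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample (not real spam): an inline cid: image, a remote 1x1 image
# whose URL carries the recipient's address, and an ordinary hyperlink.
SAMPLE = """\
From: offers@spamdomain.example
To: user@scn.example
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="cid:logo123">
<img src="http://spamdomain.example/open.gif?id=user%40scn.example" width="1" height="1">
<a href="http://spamdomain.example/offer">click here</a>
</body></html>
"""

# Tag/attribute pairs an HTML mail reader loads without any click.
# Hyperlinks (<a href>) are deliberately absent: they need a user action.
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("frame", "src"),
              ("script", "src"), ("link", "href"), ("body", "background")}


class RemoteFetchFinder(HTMLParser):
    """Collects auto-loaded attributes that point at http(s) URLs."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTO_FETCH or not value:
                continue
            url = value.strip()
            # cid: references resolve to parts inside the message itself.
            if urlsplit(url).scheme.lower() in ("http", "https"):
                self.remote.append((tag, url))


def find_web_bugs(raw_message, recipient):
    """Return one finding per remote resource the HTML part would fetch."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteFetchFinder()
        finder.feed(part.get_content())
        for tag, url in finder.remote:
            findings.append({
                "tag": tag,
                "url": url,
                # Only a literal (possibly percent-encoded) address is checked
                # here. An opaque per-recipient token confirms receipt just as
                # well, so every finding is a reason to keep remote loading off.
                "identifies_recipient":
                    recipient.lower() in unquote(url).lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE, "user@scn.example"):
        print(finding)
```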



4. Provide Bad Information to the Spam Monsters
If you've dealt with an organization who uses its customers or members as spam targets, go to their website and change your email address. This also works for phone numbers. (Example: The author of this page had to do that with AARP, which was providing members' addresses to intellimedia.com for a steady stream of emails in 2002. The AARP web form displayed no "opt-in" boxes checked for the member, but inserting an invalid email address seemed to fix it anyway.)

If you have friends who send "broadcast" mailings to everyone in the known universe, ask that they put your name in the "bcc:" section of these emails. (If you're lucky, these people may get so disgusted with you that they won't even send you the next description of Osama bin Ladin's 10 favorite songs!)

If you send "broadcast" mailings to everyone in the known universe, remove the addresses from the email copy.

5. Don't use your active email address for random Web forms. Use a known bad address, or the like. Examples include:
  1. An address from a "4-1-9" spammer (Nigerian advance fee fraud)
  2. A generic address such as "nobody@nowhere.com"
  3. The abuse address for the ISP of the people with the form.
  4. Spam reporting addresses


6. Email from Web Browser (Netscape, Mosaic, Explorer)
If you normally use an unrelated mail reader for email, corrupt the email address on your web browser, or use a spam reporting address. I saw an attempt by a spammer to just get people who object to spam to visit his website. No problem if your browser has a mucked email address. Browsers will allow you to edit legitimate mail, or cut and paste the address to your email reader.

Lynx does not provide such data except by a user's intentional email reply. (It even crushes its cookies after a session.)

Using a non-standard directory location to store your email headers may help. Distribution of email addresses is not a normal browser function, and so a Java program would have to guess where to look. This is not hard to guess because most people use the browser's default location for such information. (Normal Web requests only yield the ISP domain and the user's browser.)


7. Protecting Your Webpage
Be careful where you place an email address on the web, so it is not machine readable. This applies to webpages and newsgroup postings.
Robots can pluck your e-mail address from Web pages, so be careful about leaving your e-mail address scattered around on too many Web pages.
The following techniques can be used to make email addresses less likely to be useful to spammers:
The classic technique is to use a munged email address. This is a problem on webpages because most users won't understand them. See below.

"HTML ASCII"
All characters have a numeric equivalent in ASCII, so email addresses can be rendered in "HTML ASCII"
For example the following is written in "HTML ASCII":
"<user@scn.org>". The "HTML ASCII" of this is "<user&#64;&#115;&#99;&#110;.&#111;&#114;&#103;>". (It also works with as few as one munged character.)
Note that your browser is rendering the first sample of this, and will be able to send the mail in a normal fashion. This is because your browser is HTML-compliant. Spam bots are not HTML-compliant, and so they render the "HTML ASCII" instead. Basically, if they don't find the "@", they aren't going to render the address at all.
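The "HTML ASCII" technique as an added example (not part of the original page): it builds the encoded link and compares what a scan of the raw page source finds with what is found once the character references are decoded. The pattern `NAIVE_ADDRESS` is a deliberately simple stand-in for a scanner, and the function names are hypothetical.

```python
import html
import re

# Simple address pattern standing in for a scanner that reads page source
# as plain text (an assumption for this example, not a real tool's pattern).
NAIVE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def munge(address, encode="@"):
    """Replace characters with numeric character references (&#NN;).

    encode="@" munges only the at-sign, which the page notes is enough;
    encode="all" munges every character of the address.
    """
    return "".join(
        f"&#{ord(ch)};" if encode == "all" or ch in encode else ch
        for ch in address
    )


def mailto_link(address):
    """Build a link whose href and visible text are both munged."""
    return f'<a href="mailto:{munge(address, "all")}">{munge(address)}</a>'


def visible_to_raw_scan(page_source):
    """Addresses found when the source is scanned without decoding."""
    return NAIVE_ADDRESS.findall(page_source)


def visible_after_decoding(page_source):
    """Addresses found after character references are decoded, which is
    what a browser, or any scanner that decodes HTML, works with."""
    return NAIVE_ADDRESS.findall(html.unescape(page_source))


if __name__ == "__main__":
    link = mailto_link("user@scn.org")
    print(link)
    print("raw scan:     ", visible_to_raw_scan(link))
    print("after decode: ", visible_after_decoding(link))
```

The second result is the caveat: the encoding only hides the address from scanners that never decode character references, so it reduces harvesting rather than preventing it.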

Use Formmail. These are javascript forms which are provided by the ISP to create an email message. (SCN is currently revamping Formmail because the most popular one can be abused by outside spammers.)


8. When selecting an ISP, ask if they use blackhole lists to block spam (or "use realtime blackhole lists").


9. Use spam filtering software


10. If you're at a business, use a designated person who is familiar with procedures for responding to spam. This is particularly advantageous if your business is receiving targeted spam (e.g., to people on a researched list.) The MIS department may also be able to hide "mailto's" behind scripts on your website.




Techniques Used by Spammers


Automation and Known Good Addresses

Email spam requires address collection and email software:

Address Collection

In order to pick up addresses, someone must scan the internet. Typically this is done by bots which scan the internet for addresses. These appear on web statistics much as the bots for Altavista, Infoseek and others, but have the purpose of gleaning addresses. (I saw one bot belonging to a website promotion company take 5 days to hit about 30 primary pages of a domain, but that was an unusual case. Maybe they were being over-cautious to avoid detection.)

The ability to just email 100,000 messages is limited and any domain which permits that will quickly become blackholed. Here's where spamming becomes difficult.

The addresses must be verified because the spammer must use an acceptable percentage of good addresses.

If the spammer generates a large number of bounced addresses, that's a dead giveaway of the spam. An ISP then knows where to look for a pattern, and can t-can the mail. The ISP administrators may then send the appropriate messages upstream to stop the spammer.

Bad addresses are another problem with a large ISP, such as AOL, Prodigy, Juno, etc. These large ISPs are able to detect percentages of bad addresses coming from different sources. An inordinately high percentage of bad addresses is a dead giveaway of spam. It appears that some of the large ISPs have automated spam elimination in this way, making a number of email lists and fake routings totally worthless.

That is why it is important for a spammer to only use known good addresses.
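The bad-address check described above, as an added example (not part of the original page and not any ISP's actual software): it counts unknown-mailbox rejections per sending source and flags sources whose share is inordinately high. The log format, the addresses and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict


def constructed_log():
    """Constructed delivery log: '<source ip> <recipient> <SMTP reply code>'.
    250 = accepted, 550 = mailbox unavailable. All values are made up."""
    lines = []
    # A mailing-list host: 40 deliveries, one stale subscriber address.
    for i in range(40):
        code = 550 if i == 7 else 250
        lines.append(f"192.0.2.10 member{i}@isp.example {code}")
    # A source working through an unverified list: 26 of 40 do not exist.
    for i in range(40):
        code = 250 if i % 3 == 0 else 550
        lines.append(f"198.51.100.77 name{i}@isp.example {code}")
    # A low-volume sender with one typo: too few attempts to judge.
    lines.append("203.0.113.5 bob@isp.example 250")
    lines.append("203.0.113.5 bbo@isp.example 550")
    lines.append("garbled line that should be skipped")
    return lines


def bounce_report(lines, min_attempts=20, max_bounce_ratio=0.20):
    """Return {source: bounce ratio} for sources over the threshold.

    min_attempts keeps a single mistyped address from flagging a sender;
    max_bounce_ratio is the share of bad addresses treated as suspicious.
    Both defaults are assumptions for this example.
    """
    stats = defaultdict(lambda: {"attempts": 0, "unknown": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records instead of failing
        source, _recipient, code = parts
        stats[source]["attempts"] += 1
        if code == "550":
            stats[source]["unknown"] += 1

    flagged = {}
    for source, counts in stats.items():
        ratio = counts["unknown"] / counts["attempts"]
        if counts["attempts"] >= min_attempts and ratio > max_bounce_ratio:
            flagged[source] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    for source, ratio in bounce_report(constructed_log()).items():
        print(f"{source}: {ratio:.0%} of recipients do not exist")
```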

ISPs which don't cooperate to stop spamming find that their domain gets blackholed by other ISPs as a spam-friendly site. The same applies to ISPs which host websites for spammers. So if a source of spam is identified at the ISP level, it can usually be shut down.

People who wish to send notes to domains which appear to host spam should look up how to distinguish true and fake email addresses.


Email Software

Spammers will often forge mail headers and relay through an unsuspecting ISP. Spam software will also try to hide the repeat patterns of spam, so that the spam is not initially detected.

Here is a list of features listed by one piece of spam server software. Note that at the top of their list is 99% delivery, followed by avoiding getting shut down. Don't give them known good addresses!

 > Features:

 > 1.) 99.99 % delivery of your mail (avoid filters and blocks)
 > 2.) Avoids using your isp's resources and getting shut down
 > 3.) Verifies domains (prevents bounce backs and saves time)
 > 4.) Bypasses your isp's smtp server (never crash a server again)
 > 5.) Allows you to send in HTML (colors and fonts)
 > 6.) Send at speeds up to 40,000 per hour (based on a 33K modem)
 > 7.) Randomize header info
 > 8.) Personalize your letter to each recipient

Note that except for items 5 and 6, the features of this software are directed to getting as much crap through the internet as possible before someone stops them.




Miscellany

On outside postings, blogs, and other people's webpages, use a homepage address. You have limited editorial control over these, so be careful with email links.

Munged Addresses
This primarily affects newsgroup postings, and perhaps the reply-to address in your browser. You probably know by now, but munged addresses are "From:" and "Reply to:" headers which have "anti-spam" characters in them. Typically a tagline (signature line) specifies to remove these characters to reply. Be specific and concise with your instructions.
Here's an example:
<a href="mailto:user_MUNGED_ADDRESS@domain.com"> user @ domain.com </a>.
Note the spaces in the human-readable part of the link.
Caution: The use of munged addresses on web pages will sometimes confuse users, and even sophisticated users don't always look at those email addresses. Sometimes it's better to just use an easily understood human readable address without a mailto: tag or link:
"user_address     -at-    domain.com"

Include a tagline that explains how to fix the email address.
Here's a website describing Address Munging FAQ: Spam-Blocking Your Email Address.

Usenet
Since many junk e-mailers harvest e-mail addresses from newsgroups, munged and anti-munged addresses are a good idea here.

Mailing lists
These are much less of a problem. Some mailing list programs will return a list of all subscribers to a list when asked, but this hasn't been especially fruitful for spammers. Listserv will let you tell them to not show your entry in such a query.

E-mail readers
Again, turn off the confirmation "receipt" feature. Never respond to offers to "remove".

Read Your Headers
Email yourself from your reader and browser's email reader and examine your full set of headers.




4. Taking Action Against Spam

The first thing to remember is to enjoy yourself. Start out slowly, and don't try to go after everything. The high volume stuff is pretty much covered by others anyhow.

There are several websites which describe how to stop spam. This can be divided into three categories:

  1. Ask your ISP to be "proactive" against spam.
  2. Complain to the host ISPs (for the spam and the "spamvertised" website)
  3. Don't patronize spammers.


1. Ask your ISP to be "proactive" against spam.

If you favour the concept of "blackholing" spam sites and open relays, you can encourage your ISP to use blackholing. "Blackholing" is effective if a significant number of ISPs take action. Encourage your ISP to implement anti-spam blackholing, and let them know that you don't mind if "blackholing" occasionally blocks people from reaching your own email.

"Blackholing", in addition to discouraging spam hosting, is convenient because it reduces the spam which makes its way to the individual user.



2. Complain to the host ISPs

All spam complaints require that you forward the "full headers" (or the full headers minus personal identification information). If you start looking at headers, you may start to learn how to read them, but this is not always necessary.

Note that the commonly read "from", "replyto" and "return path" headers can be forged, so use SpamCop or other lookup tools before complaining to the "sender's" ISP!
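Why the full headers matter, as an added example (not part of the original page and not how SpamCop works internally): the only line the sender cannot forge is the "Received:" header stamped by your own mail server, so the complaint should go to the network of the address recorded there. The message, hostnames and the name `trace_origin` are constructed; `my_server` is assumed to be the name your provider's server writes after "by".

```python
import re
from email import message_from_string
from email.policy import default

# Constructed message: the From, Reply-To and Return-Path lines and the lower
# Received line were all supplied by the sender. Only the top Received line
# was written by the recipient's own server (mx.scn.example).
SAMPLE = """\
Received: from mail.bigbank.example (unknown [198.51.100.77])
\tby mx.scn.example with SMTP id abc123
\tfor <user@scn.example>; Mon, 6 Nov 2006 10:15:00 -0800
Received: from localhost (bigbank.example [192.0.2.1])
\tby mail.bigbank.example; Mon, 6 Nov 2006 10:14:00 -0800
From: "Big Bank" <service@bigbank.example>
Reply-To: claims@freemail.example
Return-Path: <bounce@bigbank.example>
To: user@scn.example
Subject: constructed sample

body text
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")


def trace_origin(raw_message, my_server):
    """Find the address that actually connected to my_server.

    Received headers are read top-down (newest first). The first one written
    by my_server is trusted; everything below it came with the message and
    may be invented.
    """
    msg = message_from_string(raw_message, policy=default)
    # Collapse folded header lines into single-space-separated text.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]

    result = {"from_domain": None, "connecting_ip": None, "untrusted_hops": 0}
    sender = msg["From"]
    if sender is not None and sender.addresses:
        result["from_domain"] = sender.addresses[0].domain

    for index, hop in enumerate(hops):
        by = BY_HOST.search(hop)
        if by and by.group(1).lower() == my_server.lower():
            ip = IP_IN_BRACKETS.search(hop)
            result["connecting_ip"] = ip.group(1) if ip else None
            result["untrusted_hops"] = len(hops) - index - 1
            break
    return result


if __name__ == "__main__":
    print(trace_origin(SAMPLE, "mx.scn.example"))
```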

Some opinion is at our How to Be a Good Complainer (spamcomplaint.html) page.

The following sites explain about sending complaints:

Spam Info
Reading Email Headers
SCN's Email Abuse Site
NANAE FAQ: Spamfighting Overview - (this website has a substantial amount of detail)
Paul Hsieh's ANTISPAM page
Spamming - Radiográfica Costarricense S.A.
Spam: How to Fight it - Elsop's Anti-Spam Page - several good links
SpamCop FAQ: Help for abuse-desks and administrators
Karen's Koncepts Anti-Telemarketer & Anti-Spam Page
Spam Reaper


Decoding Spam Text:
SpamCop FAQ on decoding spam text
to display text and html tags in human readable form. This is different from simply showing full headers.
David Carter-Tod: Web-Based Base64 Converter


On SCN:
SCN's Email Abuse Site
How to Be a Good Complainer
spamblock.html page
This is an explanation of why particular email is blocked, linked above


Spam Submission Sites and Spam Analysis:
SpamCop
Spamcop is easy to use. They will remove most of your personal information from the headers. If you wish, you can remove any personal information from the body of the spam before sending the complaint. On spam with your address in the "To:" header (single addressee spam), look for identifying information in the body, including " <img " tags which don't point to images.
combat.uxn.com/tracing.html
- somewhat more technical than SpamCop
How to write a complaint


IP Address Lookups (whois, dnslookup, etc.)
SamSpade.org
samspade.org has information on analyzing headers, and I believe has a lookup function.
DNS Stuff
DNS Report
drbcheck: dr. Jørgen Mash's DNS database list checker


DNS Blackhole Lists
Note that not all of the listings represent blackhole lists. At least one is a test site which will report every valid IP address. Another site identifies each national region, which obviously is not an indication of spam (except perhaps one or two countries). These lists are useful in developing anti-spam heuristics but do not indicate the site you input is blackholed.
DNSBL database check
openrbl.org: DNSBL Lookup
MAPS Realtime Blackhole List
Open Directory - Computers: Internet: Abuse: Spam: Blacklists
list of blacklists
List of All Known DNS-based Spam Databases
list of blacklists
google net-abuse search
This will display previous spam "sightings". Make sure you know what you are reading before you cut-and-paste from there! These newsgroup search results are filled with irrelevant posts as well as the headers of the users themselves.
These newsgroup snippets are most useful if you are reporting spam disguised as legitimate communication. At the beginning of the spam copy I state "'Evidence of spam' follows spam copy." I then include the copied text under a separate heading which follows my own spam copy. Consider that the sysop will be reviewing a huge number of notes, and so it helps to make it extremely simple for the sysop to deem the spam to be spam. SpamCop uses quoting carets ("> line of text") for these user headnotes.



Some Other Links Follow


3. Don't patronize spammers

If you get an email offer you like, go to a search engine and find the same thing elsewhere. As to otherwise legitimate companies which spam their own customers, let them know what you think.




Some Other Links

Anti-Spam Policies
Outblaze - Anti-Spam Policy


4-1-9 (Nigerian Advance Fee) Spam
Don't respond. - www.secretservice.gov/alert419.shtml
(Google search, "4-1-9 advance fee")
Respond anyway - Mugu Baiters
These guys make a hobby of responding to 4-1-9'ers.
Scam Joke Page
Scam o Rama, or The Lads from Lagos
Quatloos 4-1-9 Museum
Nigerian Slang
Fego Slangs
SLANG
NigeriaExchange - Nigeria - Babawilly's Pidgin English Dictionary


Other Marketing Issues
These are hosted on SCN, but their content does not represent official position or policy of SCN.

CCCS - Citizens' Commission for Commercial-Free Schools
"The Telemarketing Scum Page"



and ACT NOW SO YOU CAN BRING IN THE BIG BUCK$$$$.



The opinions herein do not represent an official position of SCN other than the fact that SCN is opposed to email spam.


site first posted October, 1998; rev 8 Nov 06.
