Return to Sender
If you have been on the net awhile, you have probably been seriously bothered by unsolicited e-mail advertising, commonly known as "spam". If you haven't had any yet, you are extremely likely to be bothered in the future as it is a growing problem. (Note: I know the term "spam" originally referred only to a Usenet problem, but the term is also used for unsolicited e-mail ads, so don't write me to tell me about it. If you want to know more, see http://spam.abuse.net/spam/ -- a site also discussed more below.)

Spam does not include paper "junk mail" that you get at home. Reducing that is also nice, because you're reducing the amount of natural resources that are consumed sending you ineffective advertising, but that is beyond the scope of this document. For excellent information on reducing your home junk mail load (as well as some information on reducing spam), see http://www.junkbusters.com.

Spam very often advertises fraudulent or low-quality service or merchandise, and you pay (with your fees to your service provider) to receive it; anyone who would use "spam" advertising to promote a business by making the customer pay to get the ad is either completely out of touch with his customers or, by definition, underhanded. To confirm or report suspected fraud, see http://www.fraud.org.

With my well-known e-mail address, I get more spam than most. But even a little bit can be rather irritating. Even with filtering software installed to automatically reject spam from the most obnoxious advertisers, I still get 15 to 25 spams per day. I don't bother to count the ones that are rejected by my filters. If your e-mail address gets on the spammer's distribution lists, you will eventually start getting this much unsolicited junk mail clogging your e-mailbox. Something must be done!

How Did They Get My Address?
E-mail spammers do NOT get your address because you're on the This is True distribution list! Some mailing lists are completely unsecured -- pretty much anyone can grab the list of subscribers. Netcom's lists suffer from that kind of poor security, so I had to institute my own security for my list. That got rather out of hand, so I moved my list from Netcom to Lyris, which has excellent list security. (Some other list services are also well secured. But if you can retrieve a list of every member of a list you're on, so can a spammer. Trust me: they know how.) I do not, by the way, ever sell, rent, give, or otherwise provide True subscriber addresses for any mailing, whether or not I think it's legitimate. (See This is True's E-mail Privacy Notice.)

So where do these spammers get your address? If you have ever posted in a Usenet newsgroup (also called "discussion groups" on some systems, "bulletin boards" [not to be confused with BBSs] on others), that is where. Newsgroups are "publically" readable, whether you post your message on your local ISP or on a major net service, your message is typically spread worldwide by Usenet in a matter of hours, and it -- with your attached address -- is easily sucked up by advertisers.

Another common place to get your address is from web pages. If your e-mail address is listed on a web page -- such as your own space on your ISP's server -- anywhere on the net, spammers will find it. I've seen the scanners in operation, and it's amazing how quickly they work. The software can, for instance, ask a search engine for any page that has the word "cat" in it and grab the addresses off those pages for a "targeted" list of people with an interest in cats. It takes only minutes to gather the addresses.

Also, list merchants (typically spammers themselves) sell lists of addresses gathered by any means possible -- even if a message you sent privately is forwarded to a large group (which happens all the time, especially if you're telling a funny story), your address can easily be culled from the headers and sold. There are other places, such as open e-mail discussion lists and, ironically, web pages that say "put your address here if you want to be on a "do not mail" list; often, these lists are sold to the very advertisers you want to avoid! This is another indication of the honesty of the advertisers!) There are legitimate anti-spam web sites that ask you to sign up in anti-spam campaigns. Such support is important, but how do you know if they're really anti-spam, or fronts for the spammers themselves? Be suspicious of any sites you aren't sure of! We are confident of the sites listed here -- they are run by very-well-known anti-spam activists. The sites they list are also very likely trustworthy.

Well, Now What?
So, once you're on these lists, how do you get off? The spam messages themselves often include instructions on how, but often the instructions are bogus, or a way to collect more addresses. Typically, if you reply to the mail to complain, your message will bounce back because the return address has been forged and doesn't actually exist (or, looking at the "From" address, it's obvious that it's fake). Worse, if it does manage to get through to the spammer's site, they will often not only not remove you from their mailing list, they'll see your complaint as evidence that your address is valid and spam it all the more! They do not care that you're irritated or angry, since they figure if even 0.1% of the millions of people they send junk mail to send them money for the advertised product or service, they're coming out ahead. They literally do not care about the other 99.9% (yet another indication of the quality of the businesses that use spam). Thus:

My first advice is, never, never, ever buy anything from someone who sends you unsolicited advertising by e-mail! Many of these offers are fraudulent, and the advertising method is, by definition, underhanded, especially if the "from" address is forged! Why in the world would you want to give your hard earned money to people who would forge their return address, or make you pay to receive their advertisement that you didn't even ask for? If no one bought anything from these people, they'd quickly stop -- it wouldn't be worth their effort if everyone ignored them. But a very small percentage does buy, which encourages them to continue, or expand, their operations.

I no longer think complaining helps. Spam victims have complained a lot, but the complaints really don't do anything to stop spam. Worse, because spammers are pretty good at hiding their tracks and using fake addresses (or, much worse, real addresses belonging to innocent bystanders), it's sometimes very difficult to track down the real culprit. If you want to complain anyway, learn how to "reveal full headers" on your mailing software (but don't ask me how, since I don't know how your mailer works. Ask your service provider, or check your manual). Most mailers normally only show the basics -- the "To", "From", "Subject", etc. headers. That's not where the real information is: "extended" headers show the servers the message was routed through. So even if "spammer@aol.com" is shown on the "From" line as the sender, the advertiser may not only have not sent the message from AOL, he probably never even had an account there! By revealing the full headers, you can see, in the vast majority of cases, where the message really came from.

If you want to complain, you should forward the message, including the full headers, to the services that handled the message, complaining that you don't want such mail. What specific address? Use both abuse@[domain] and postmaster@[domain] -- for instance, if you see the message was routed through Interramp, then send it to abuse@interramp.com and postmaster@interramp.com. Why both? Many services don't have an "abuse" address (so your complaint may bounce back to you as "undeliverable"). If you know that a service does, you can omit the postmaster copy. The better ISPs have an abuse address; if they don't, you should encourage them to implement one. All servers are required by Internic to have a postmaster address, though many don't or, if they do, don't actually read any mail sent there. Don't complain directly to the spammers; they don't care that you are irritated.

It is mentioned above that complaining to the spammers doesn't help, and even encourages more spam because it validates your address for them. The same goes for using the "remove" instructions that may be included in the spam. Do not follow these instructions! They typically fall into two categories: 1) bogus, a "show" of "we care", but they don't actually work, and 2) fraudulent, a way to get validated addresses that they know are good! This is not just my opinion: the U.S. Department of Energy's CIAC team agrees that "remove" systems not only don't work, they should be actively avoided. For details on CIAC and their recommendations, see http://ciac.llnl.gov/ciac/.

The bottom line: it's very difficult to stop this kind of junk e-mail advertising, but if we all refuse to do business with these people, and complain to their service providers, you can make a difference in the long run.

Complaining Isn't Working Well: Now What?
Thousands of spam victims have been complaining regularly. Is the situation thus improving? No: it's getting worse. Much worse. Why? Because spamming is profitable. Just a small portion of the millions of victims find the ads interesting, or the product touted potentially useful, so they buy. They are typically disappointed (see info on fraud, above!) So, again, don't buy from them! Don't double your own victimization!

There is a federal law in the United States (47 USC 227), commonly known as the "junk fax law", that makes it illegal to send unsolicited advertising by fax. When faxes first became very popular, fax machine owners were inundated with advertising on them (sound familiar?) The federal government responded to calls to outlaw this practice because 1) it was tying up the recipients' fax machines (e-mail analogue: junk e-mail can fill up your mailbox, thus using space that might have been used to store the messages you want to get), and 2) it "shifted" a significant portion of the cost of the advertisement to the unwilling recipient (e-mail analogue: you are paying not only for your own mailbox space, which is being used by the spammer, but you're also paying, as part of your online fees, for a portion of the Internet's "backbone" traffic -- the capacity the spammers are using to carry their messages). This law does not apply to e-mail! The opinion of lawyers in the anti-spam movement is that any attempt at bringing lawsuits against spammers using this law will fail in court.

There is thus a serious move afoot to amend 47 USC 227 to specifically include e-mail "spam" prohibitions. The law would make spammers financially liable for every unsolicited commercial e-mail advertisement received by an unwilling recipient. You can help this happen! As soon as you're done reading this message, please go to http://www.cauce.org and register your support for this amendment in the law. Much more information on why this is a good idea, and what exactly is involved, is available there.

CAUCE, the "Coalition Against Unsolicited Commercial E-mail", was started by a group of dedicated anti-spammers who understand the technical and legal issues involved. Please spread the word about CAUCE, but please do not "spam" the message yourself! Even this important message is not important enough to be spammed around the net -- see the next section for more thoughts on this.

Another anti-spam organization that's worth a look is FREE, the "Forum for Responsible and Ethical E-mail", http://www.ybecker.net/.

The "Technical Solution" (New)
Those who are against legislative solutions, such as those promoted by CAUCE (see above), say the Internet should be self-policing, that we should not invite politicians in to solve our problems. It's a good theory, but one that hasn't been terribly effective -- the tools to stop spam are crude and often ineffective, or (much worse) they have high "false positive" rates that block legitimate mail. (Have you ever sent an e-mail to a friend and had it bounce back with a message implying your e-mail was spam? Very irritating, but it's worse if a business doesn't get e-mail from customers!) Thus, many ISPs don't even try to block spam.

Another tactic is to try to filter spam at the client level -- on the user's computer. This has several shortcomings, including the fact that you still have to pay for the time and bandwidth to download the spam to your computer to be filtered. You have to keep up with the latest spammer tactics and keep your filters updated -- and most users don't have the technical skill to do this. It is a poor way to stop spam.

As of Spring, 1998, there is finally a workable technological solution.

Our list processing software provider (Walter Shelby Group, publisher of Lyris) heard over and over from their customers that a major issue in e-mail is spamming. Their own server was being abused by spammers, making it hard for them to serve their paying customers. And, they saw spammers try to break into the distribution lists on the Lyris server (unsuccessfully, of course!), trying to steal the addresses stored there so they could be spammed. Rather than just watch it all happen, they decided to fight back. "MailShield" is the result.

MailShield comes with about 50 different tools to combat spam and other e-mail abuses. It is not software for you to run with your e-mail client, but rather a tool for your ISP -- or your organization -- to install on its mail server.

Briefly, MailShield closes off servers from spammer relaying, but still allows wanted relaying, such as when you want to send mail from the road. It identifies spam quite well and either refuses to accept it at all (which saves significant bandwidth), or (if the administrator prefers), accepts it and shunts it off to a backup location, or lets it through and puts a "flag" on it to alert the user s/he may not want it. (And, if desired, each user on the system can be set to any of these modes separately!) It can send back custom "bounce" messages that either just say the message was rejected, or with full explanations as to why it was rejected. It even has a feature I've never heard of before that ISPs will love: it can stop their own customers from sending spam without seriously impacting legitimate users! And, it has an incredibly low "false positive" rate, so you don't lose the mail you want to get.

For details, see http://www.mailshield.com. The "About" button gives you an overview of features. I'm so impressed with MailShield that I have offered my services to the company as a "celebrity" spokesman.

But I did say this is server software. If you're not a system administrator, you can't run it. So how does this help you? It gives your ISP or organization an incredibly useful tool to stop spam. Since spam is a significant portion of the mail load on a typical server, stopping it means that bandwidth needs are reduced, server hardware requirements are reduced, and thus costs are reduced. Your ISP running this software not only means you won't be bothered by spam anywhere near as much, but it might actually keep your ISP from needing to raise its rates, as AOL recently did. You need to tell your ISP about MailShield and tell them you want them to run it. Coming soon to the MailShield site: a list of ISPs that use the software so you can threaten your ISP that you will switch if they don't do something about the spam you get, and the information to make good that threat. That, finally, is how to stop spam!

Be Sure to Pass This On
Another pestilent phenomenon is chain mail, "send this to everyone" mail, "virus warnings" and the like. If you get e-mail that requests -- even urgently -- that you spread the message far and wide, that's a warning sign that you should dump it. These campaigns often claim they are "helping" a "good cause", like the cancer-struck kid that wanted to get in the Guinness Book of Records by getting as many cards in the mail as possible. Yeah, the kid exists, and got 16 million cards the first year -- but that was in 1990! Not only did he not die, he is begging for the cards to stop. Yet the story lives. Lately, the Internet version of the story switched to "send the cards to the Make-A-Wish Foundation in Arizona"; they are getting so many cards that it is interfering with their very worthwhile mission to help sick kids. So, people trying to be helpful are inadvertently causing true harm (see http://www.wish.org for info on M-A-W and the "Craig Shergold" problem).

The "virus warning" mails are fake too, and keep going despite being years old. The "Good Times", "Deeyenda", "Irina", "AOL For Free" and "Ghost.exe" warnings (and certainly many others) are all hoaxes, and spreading them around causes nothing but resource drains, bother, and sometimes panic to the people you send them to. For more on 'net hoaxes in general, see http://www.nonprofit.net/hoax/hoax.html. For more on fake viruses, see http://ciac.llnl.gov/ciac/CIACHoaxes.html.

This Really Happened
Then there's the urban legends. (Do not send me "submissions" to This is True that have anything to do with a ship telling a lighthouse to get out of the way, the jet-equipped car crashing in Arizona, the good-ol' Southern boys using a .22 caliber shell for a car fuse (or (sigh) accidentally blowing up their truck while ice fishing), the snorkeler dropped from the water-scooping plane onto a fire, or the hospital janitor unplugging the patients' ventilators for the vacuum cleaner. All are urban legends and did not happen. For details on these and many others, see http://www.urbanlegends.com.) If you see a plea or warning floating around the net, the best bet is to assume it's a gag, hoax, or urban legend unless proven otherwise by going to the source. Please delete it, and do not send it on, either to me or anyone else.

This Has Been a Public Service
This message is brought to you as part of a campaign by the owners of large lists, such as me, and another tireless anti-spam list owner, Vince Sabio of Humournet (for details on this highly recommended e-mail humor list see http://www.humournet.com/HumourNet/). Vince and I, and many other list owners, work hard to protect our lists, and to shut down spammers whenever we can. You can support an organized effort by surfing to the CAUCE site ( http://www.cauce.org). Another good site is maintained by the well-known anti-spammer Scott Hazen Mueller at http://spam.abuse.net/spam/ -- this site also contains useful information for sys admins on how to secure your site against abuse from spammers who want to steal your resources. It also contains very good general information on spam and how end users can filter it out -- in much more detail than I can fit here.

I thank you if you read all of this, and I thank you for your help to stop spam and other unsolicited Internet junk mail by giving your support to CAUCE (I am signatory #22) and following the advice given here.

This is True is a weekly newspaper column reporting on bizarre-but-TRUE news stories. To regularly receive True by e-mail for no charge, see our web site or send an e-mail message to join-this-is-true@lyris.net -- to protect you, you will receive a "confirmation" message before your subscription is completed. Our web site: http://www.thisistrue.com/. Comments are welcome: e-mail arcie@thisistrue.com or write Freelance Communications, PO Box 17326, Boulder CO 80308-0326 USA, or Fax 303 664-5388.

Copyright 1996-1998 by Randy Cassingham, All Rights Reserved. ALL Broadcast, publication, retransmission, copying or storage, including on CD-ROM, listservers, BBSs, Web sites, "FTP" archives, or anywhere else, is strictly prohibited without prior written permission. For a copy of this article that you can send to others, send a blank e-mail to a special e-mail autoresponder donated by DataBack Systems: nospam@mailback.com. All other use requires specific permission; contact the author at arcie@thisistrue.com. "This is True" is a registered trademark of Freelance Communications.

Go To: Our Opening Page / Our Main Page / Site Map