About spam

Probably you have received e-mail from individuals or organisations you have never heard of. Likely, you have received a lot of this e-mail. Most often, this e-mail contains proposals of a commercial nature. Some contain unsolicited religious or political propaganda, and a few are proposals to carry out illegal activities. Most of these proposals cannot possibly interest you (often you are located in the wrong continent to buy any of the offered items), and several do annoy you. This e-mail is called SPAM.

Spam has been rising for several years, and is still on the rise. It now constitutes one of the largest sources of Internet traffic, and is making e-mail useless for its intended purpose. This is so because (1) spammers use automated means to collect e-mail addresses and to send their e-mail, and (2) because you as a recipient (or your ISP, which is pretty much the same thing) pay for the delivery of spam. In the end, governments will have to put in place laws and mechanisms that criminalize spamming and act forcefully against spammers. Things are already moving in this direction.

In the mean time, here are my present recommendations for coping with spam. These recommendations have changed over time, because new situations have made some of my earlier recommendation useless or not viable. Among the latest developments, a few major spammers have been sentenced to lengthy prison terms. This is obviously the way to follow in the future in order to kill spam at its source. Also, major ISPs, companies and institutions filter spam out of incoming and outgoing mail. If properly done, this has a major effect in reducing the amount of spam reaching your computer. This is also an effective strategy, if implemented properly. However, this page concentrates on things you can do, as opposed to your ISP, company or government.

On earlier versions of this page, I used to recommend that Internet users wanting to fight spam do so actively by reporting spammers to their ISPs. I still recommend doing so in those instances that clearly represent violations of the law. Examples of this type of spam are:

  • invitations to break the law (such as participating in pyramid-schemes),
  • scams aimed at obtaining private information that can be used to steal from you or otherwise damage you (e.g., invitations to reveal log-in information, account information etc. by individuals posing as representatives of companies or financial institutions and using misleading e-mail or web pages). This category of spam is growing very fast, and is potentially very dangerous if you fall for it.
  • Nigerian letters, i.e., invitations to help individuals (usually posing as relatives of deceased politicians or businessmen) to transfer large amounts of money to another country (not only from Nigeria) by using one of your bank accounts, with the promise of a sizeable share of the money as your reward. Needless to say, the only money that will ever be transferred is from your account to theirs, either by their request of helping with an endless series of bank fees, bribes etc., or by their fraudulent use of the account information you may provide to them. Things will rapidly get worse, should you agree to travel to their country to expedite the process. In more than a few cases, this has resulted in naive westerners being threatened, beaten, murdered or "disappearing". Just keep in mind that money extorted with Nigerian letters often goes to finance drug- or weapon-trade, so they will not think twice before committing violence or murder, and you should not think twice before reporting this type of spam.

The present amount of spam is way too large to report all of it manually. I used to recommend web sites (like SpamCop) that provide a semi-automatic way to report spam to ISPs. Many ISPs are now rejecting this semi-automatic and automatic reporting because its sheer volume is too large to handle. This option, therefore, is no longer viable. Some of the reasons for this are:

  • several ISPs are making money by hosting known commercial spammers, so they are not interested in taking action against their source of income.
  • some spammers have been known to flood ISPs with false reports of spam in order to prevent them from acting against true instances of spamming.
  • several companies now insist that you report spam and other abuse by using web pages on their sites instead of e-mail, because this makes it more difficult to flood their sites with false or automatic reports.

Before you start receiving any spam, I recommend that you never give your true e-mail address to anyone, for any reason. The true e-mail address for a user called Richard Brown could be something like rbrown025@mmycorp.com. Usually, his ISP or sysadmin also creates an alias that looks more meaningful, like rick.brown@mmycorp.com. An alias is not a real e-mail account, only a name that tells the e-mail server that all incoming mail addressed to rick.brown@mmycorp.com should be put into the inbox of rbrown025@mmycorp.com. An e-mail account can have an unlimited number of aliases, and it is very easy to create and delete them (you can do it yourself if you own your own domain name like rickbrownmm.com).

Use one or more aliases to give away to others, and for use as the sender of your e-mail. If possible, obtain several aliases and use different aliases for different purposes. You may use one for friends and family, another for work contacts, a third for registering on web sites and for obtaining responses from web businesses, etc. This way, when you (inevitably) start receiving spam on one of your aliases, it is easier to delete it, create a new one, and inform all authorised persons of the new alias. Any e-mail (including spam) addressed to the deleted alias will be returned to the sender as undeliverable, so legitimate users will be alerted that they need to contact you in another way, e.g. by telephone. Returned spam is never read after being returned to the sender (usually the sender is a fake address anyway), so this is no longer your problem. If you use aliases judiciously, you may even be able to guess in which way your alias ended up on a spammer's list. If you change often the aliases you use for high-risk activities like web forum memberships and downloads of trial versions of software, you may even be able to cut spam before it starts arriving. A safe way of disposing of unwanted aliases is to remap them to an e-mail address like [any name here]@example.com. The example.com domain cannot exist on the Internet, so any e-mail remapped to this domain bounces back safely and with a minimum of processor time spent by your e-mail server. It may also be a good idea to have a catchall alias for your domain, like *@rickbrownmm.com and remap it to example.com. In this way, any e-mail sent to a non-existing alias on your domain will safely bounce back, thus preventing spammers from trying to guess the names of existing addresses on your domain (e.g., webmaster@rickbrownmm.com) and from sending spam to catchall addresses.

Needless to say, in order to be safe you should never place any of your aliases on a web page that is publicly accessible. You are still relatively safe if you put your alias on a web page as a picture (e.g., a JPG file containing a picture of your e-mail alias; see the example on my home page), especially if the picture contains a background pattern and/or small disruptions in the text characters. These small defects make it very hard for automated software to read the picture back to text, but pose virtually no problem to human readers. No spammer is going to harvest an address manually by reading and typing it - a spammer needs millions of addresses, not the few dozens that he might be able to collect by manually reading web pages in one day. Someone who is out to get even specifically with you might do it though, in which case a periodic shift of alias will take care of it. You might even be able to get a good guess about who this person is by examining the logs of your web server. Unfortunately, aliases can be harvested from e-mail in transit on the Internet, from web sites the contents of which you cannot control, and from other people's computers by worms and viruses (you do have a good protection against these on your own computer, don't you?), so an alias shift now and then will be needed.

After you receive spam, my present recommendation is to use automatic filtering to separate spam from real e-mail. There are two types of filtering. The first is carried out by your ISP, and is not discussed here. The second is performed by software installed on your computer, and usually takes place after incoming e-mail is downloaded to your computer (so this type of filtering will not save bandwidth on your Internet connection, which may be a concern if you are using a telephone modem or another slow connection). I tested just a few of these filters, and my results and opinions for one of them are listed below. This is not meant to be a fair review of this product or a comparison with any of its competitors.

Eudora 6.0 and later - Arguably the best e-mail client for the PC, and one of the most popular. Version 6.0 includes for the first time spam filtering (this function is available only in the paid, licensed version of this product). I highly recommend Eudora for several reasons, one of these being that it cannot execute web scripts and other programs embedded in incoming e-mail, and therefore it is intrinsically immune to most worms (but the software you use to open attachments is not, so you still need protection).

Spam filtering in Eudora is carried out by an external plugin, which apparently cannot be configured. You can choose a few general criteria for spam filtering within Eudora, but apparently not design your own junk  filters. However, you can still design your own Eudora filters (which at one time I used to filter spam, but now I have largely deleted except for a few obvious ones, like "Viagra" and "mortgage"). Eudora filters direct filtered messages to any mailbox of your choice, but these filters act outside of the spam plugin. In my version of Eudora, this plugin and its databases are several months old. Since I am manually transferring all unfiltered spam to the "junk" mailbox, the filter continues to learn the characteristics of new spam, and typically catches over 95% of it. Occasionally, real e-mail gets filtered as junk, so you should check you junk mailbox before emptying it (the most effective way I found is by looking at the sender).

Links

www.abuse.net has a lot of information.

spam.abuse.net also has a lot of information, this is their index.

You can read here my introduction on how you can manually trace spam and report it.

For over two years, I kept on this site a collection of false e-mail addresses (one and a half million, refreshed every night) generated by a little program written by a friend. All addresses generated by this program are fakes (except for rare chance cases in which a randomly generated address can be identical to a real one). There are many individuals and organisations that harvest the Web and collect e-mail addresses to sell to spammers, or to use for spamming. In the past, adding my fake addresses (in total over one billion) to their lists polluted them and made them much less valuable. My web site was harvested on a daily basis by several uninvited web spiders that scanned all pages, including those marked as off-limits in robots.txt and HTML tags. However, lately commercial tools have become available to test lists of e-mail addresses. These tools verify each address by connecting to their mail servers, and therefore can weed out fake addresses (at the cost of a relatively large use of Internet bandwidth). Therefore, these tools (which, incidentally, have also legitimate uses besides being helpful to spammers) have made the use of "spammer bait" rather ineffective, at least for those spammers (or address harvesters) who can afford the cost of verifying the addresses. Hence my decision to discontinue my collection of fake addresses. The fight against spam has other, still effective tools (see above).

Are you curious to know how I generated these e-mail addresses? As explained above, this type of program is no longer effective, and therefore I have discontinued its use. However, if you are interested, here is a readme file about the program, or download the program itself (note: download is not available at present) (it runs on Windows 95/98/ME/NT/2000/XP), complete with source code.