home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

Frequently-asked questions about spam e-mail

Here’s the obligatory website FAQ page, where I’ll try to answer common questions about spam and give you some background for your further study.

What is SPAM™?

SPAM™ (in all-caps with the TM sign, as the company prefers) is a tasty luncheon meat (Spiced Pork and hAM) produced for many years by the Hormel Corporation of Austin, Minnesota. And, yes, there is a SPAM™ website (http://www.spam.com/, of course), where you can see that Hormel takes the appropriation of their venerable trademark with surprisingly good humor (I suppose it’s true that any publicity is good publicity). SPAM™ is a worldwide favorite, and is even considered a bit of a delicacy in some parts of the Far East. That, however, is not the sort of spam we’re here to discuss.

What is (the other kind of) spam?

Spam (with a small-s and no ™) is the term currently applied to unsolicited mail or postings to newsgroups, mail lists, etc., usually sent out in bulk and without any particular targeting, and usually of a commercial nature (i.e., they want you to send them your money) or very often of criminal nature (i.e., they want to trick you out of your money, your personal info, etc.).

Spam is the kind of rude, low-rent mass advertising engaged in by marginal business people (whom some anti-spammers call “chickenboners”), swindlers, crooks, and con-artists.

Spam is also often called UCE (unsolicited commercial e-mail) or UBE (unsolicited bulk e-mail) by suits who want to steer clear of trademark infringement problems.

Remember always this simple definition (it’s my rule #2):

 unsolicited + bulk delivery = spam 

What isn’t spam?

It is important to understand that not every unwanted e-mail you receive is spam. For example, if your Aunt Edna unwittingly sends you a virus warning hoax, this may be annoying but it isn’t spam (not bulk-delivered). If you registered some purchase or subscribed to some service over the internet and agreed to receive messages from the seller (or failed to indicate that you didn’t want such messages), subsequent messages from this sender really aren’t spam — you effectively agreed to receive them (you solicited them).

Reputable businesses will generally happily remove you from their mailing lists if you ask them to do so. As for your Aunt Edna, I really can’t advise you.

Unsolicited but legitimately targeted e-mails represent a category of mail that is at most only somewhat spammy. For example, if you’ve publicly established your interest in a particular topic, don’t be surprised if you get a lot of unsolicited commercial offers related to that topic (as I frequently do in conjunction with my hobby of fountain pen collecting). It’s a judgement call here, but I’d say that these are most often not bulk-delivered, and the sender has at least gone to some effort to ensure that you might be interested in the message. You may, by all means, politely tell the sender that you wish to hear nothing further from him or her, or you can simply ignore the message. It probably isn’t warranted to report the mail as spam.

On the other hand ...

If someone sends mail to you for no reason other than that you’ve publicized your address on your website (as a webmaster) or in the whois database (as the owner of a domain or address block), this is not what I consider to be legitimate targeting.

I find that since acquiring my own domain I’ve gotten lots of spam sent to certain “generic” or “role” addresses at my domain that I don’t use (e.g., sales@, info@); apparently my virtual domain setup routes this role mail to me anyway even though I’ve not activated the addresses for use. Since most of these messages show evidence of spam mailing techniques (e.g., forged headers) and have not been targeted to my presumed needs (they’re really “dictionary attacks” since the senders assume that these addresses exist), I consider them to be spam and report them as such.

There are spam hucksters who target webmasters or domain owners with advertisements for logotype development, software coding, search engine optimization, and other rather dubious services. Also, you will frequently get requests to exchange links with marginal businesses, exchanges that would tend to be of much more benefit to the requester than to you. Finally, there are those fraud-artists who prey on naive online merchants; read about one very common type of racket here.

Where did the term “spam” come from?

Ah, yes, the inevitiable question. In the early 1970s, the television comedy series Monty Python’s Flying Circus (see left for a contemporary pic of the Pythons) featured a famous sketch in which an English couple’s attempts to order a nice breakfast are squelched by a horde of Vikings who chant “Lovely SPAM™, Wonderful SPAM™” over and over (SPAM™ being a popular breakfast side meat in the UK). In this context, “spam” represented something in plentiful supply that you didn’t really want (just about the only food item actually served in the café was spam), or more likely a lot of extraneous noise that drowns out the business at hand.

Early internetters, among whom were many Python fans, adopted the term “spam” to refer to any kind of random, irrelevant message traffic via mail or newsgroup that lowered the “signal to noise ratio” of the forum and threatened to drag discussions off topic (a cardinal sin in such forums). Often, such spam came in the form of “trolls” (outrageous statements posted with the intention of drawing angry comments from participants), and could if successful escalate to flames (excessively hostile or indignant postings, which many poor souls seem to enjoy both reading and writing). Brad Templeton also notes that the Monty Python Spam Sketch was a popular tool of annoyance among early internet chat forum users (MUDders, circa 1985), and the term was also used by those who wanted to chase them away.

Since then, the meaning of the term “spam” in the popular arena has narrowed to refer to unsolicited postings and mass e-mails, generally of a commercial nature. Unlike the trolls, spammers don’t really care to participate in any discussions, or even to sidetrack them; they just want to drop off their ads like supermarket parking-lot leafletters and then get back to the shop to wait for the orders to roll in.

What kinds of goods and services are sold via spam?

You’re liable to see most anything being sold in spam e-mails, from NASCAR collectibles to fine art reproductions, but the usual suspects include the following (also see my page on classic spam rackets):

And, of course,

You’ll notice that most of these goods and services are of little monetary value; that is, the spammer doesn’t have to make a particularly large prior investment to offer them. Even the mortgage spammers are simply trawling for leads that they can sell to “real” mortgage companies for a bounty; they certainly do not have the money on hand to loan you. Spammers don’t really care what they sell, as long as they sell some of it.

Many of these schemes actually pre-date the e-mail age, and are well-known scams and ripoffs. Even where a spam message offers something you might like to have, I’d advise you to not to touch such offers even with the aid of a ten-foot pole. See Rule #1a.

Is spam an effective way to advertise?

It depends upon what you mean by “effective.” Spam is a very cost-efficient way to send a message out to the largest possible audience, but very few in that audience will be happy to get a message delivered in this fashion. Sure, spam will reach a wide audience if done properly, but few in that audience will be receptive to the message; most, in fact, will be decidedly hostile.

Nevertheless, we continue to receive spam by the carload, so this suggests that it must be at least somewhat effective, at least among those who ignore common-sense advice about dealing with such people.

What makes spam worthwhile for some is the fact that if only a couple of recipients out of every thousand respond to an ad mailed to millions, the spammer stands (in theory, at any rate) to make some money. Plus, a spam operation doesn’t need a storefront and the perps don’t have to stick around for things like “customer service” (hey, they’ve already thoroughly “serviced” their customers).

So what’s wrong with spam?

Yes, spam is stupid and annoying, but that’s not the only reason, or even the best reason, why it should be stopped. Simply put, spammers exploit the peculiar economics of the internet to get other people to pay for their mailings. What other people? The recipients. That’s you and me. Yes, we spam recipients are actually subsidizing these clowns.

Conventional advertisers usually pay to have their ads placed; this revenue helps “content providers” (magazine publishers, TV broadcasters, etc.) offset the costs of their operations, thus lowering (or even eliminating) the cost to the end-user for these media. Even if the advertiser isn’t subsidizing some product of interest to the consumer (which might be the case, for example, with billboards or direct-mail coupon packs), he’s at least footing the whole bill himself, and not requiring the consumer to pay for the delivery of the ads.

Spammers, on the other hand, pay only a tiny fraction of the total cost incurred to deliver their advertisements. They can get away with this because of the way that e-mail and internet service is paid for: they need only pay to get their messages launched on the network, and not for them to be delivered to the millions of recipients at the other end of the internet backbone.

It is technically quite feasible, for example, for a spammer to use a standard dialup or broadband account to send his mail, and he would not have to pay any premium for all the extra mail he sends (although most reputable ISPs will shut down his account for AUP violations if they catch him at it).

Things get even cheaper and safer for the spammer if he can manage to steal services from others in order to launch his mail; this used to be done through the use of poorly-secured open-relay public mail hosts and mailback scripts, but is now done by using the infected computers of unknowing home users as “open proxies” to send mail. In this case, both the sending and receiving of spam are done largely at the expense of third parties, and not the spammer.

If internet service (and e-mail transmission in particular) could somehow be “metered,” the way most of us pay for utilities like electricity and water, then net users would be more vigilant over the hijacking of their services by outsiders (which would increase their bills), and bulk-advertisers (including spammers) would be forced to pay in proportion to the number of mails they send. The problem of spam would probably all but disappear in such a world. This kind of sweeping change, however, is unlikely to happen for a wide variety of technical, social, and administrative reasons.

How prevalent is spam?

Very. About one-half to three-quarters of the world’s daily total of e-mail is spam, depending upon whom you talk to and when you talk to them. This proportion is even higher in some parts of the world (e.g., in Russia, where one ISP estimated that between 80 and 95 per cent of total mail handled was spam). A few years back, one major cable internet provider in the U.S. estimated that its facilities were being abused to send spam at the rate of over six hundred million per day, thanks to their subscribers’ infected “open proxies” that can send spam outside the supervision of the ISP’s mail system.

This large volume of spam becomes even more remarkable when you learn how few people are responsible for it. Spamming is no longer a business for small-time chickenboners; it takes skill and resources not available to the average internet user. The anti-spam group spamhaus.org has for some time maintained that 80% of the world’s spam is sent by fewer than 200 known “spam gangs,” interrelated groups of specialists in open proxy “bot nets,” bulletproof web hosting, and other technologies that “enable” spam. So, this means that (in round numbers) fully 1/2 to 3/4 of the world’s billions of e-mail messages are sent by no more than a few hundred hardcore spammers who use the public net as their own personal marketing vehicle, to be used (or abused) as they see fit.

Who is responsible for spam?

These days, spam isn't simply a matter of one guy using one internet account to send a zillion messages (if indeed it ever were such). There are plenty of complicit parties, some of whom you’d expect (or hope) not to see.

Why do they keep sending the same messages over and over?

They say that repetition, they say, is one of the most effective of advertising techniques. That isn't why spammers use it, however. They're simply using brute force to break through the increasingly tight mail security to which most internet users have been forced to resort.

The effectiveness of anti-spam measures (filters, block lists, etc.) has been steadily increasing over the past few years, so that the chances are much greater that any given single spam message will be intercepted, rejected, or filtered away before it reaches your inbox. So, the spammers have retaliated by vastly increasing the volume of their mailings. The availability of inexpensive bandwidth (or free bandwidth stolen from hijacked home computers) makes this possible. Even the best of spam filters may not stop 100% of messages arriving at your account from all different directions — or at least that's what the spammers hope.

Why am I getting spam?

First of all, relax. You aren’t getting penis-enlargement ads because you’ve been revealed as having a small penis, or credit-repair spams because your credit rating is poor. The spammers generally have not screened you or picked you out personally; they just happened to find (or guess) your e-mail address and are using it simply because it might work. They do not expect any response from more than a small fraction of their recipients. They are really just casting a very wide net in the attempt to make money. The spammers have no idea of whom you might be personally; to them, you’re just another of the millions of e-mail addresses in their lists.

Just about everyone who has any presence on the internet beyond sending an occasional e-mail or surfing an occasional website ends up getting spam. Some of us get hundreds of spam e-mails per week. Spam really should be considered more of a nuisance than a threat (although it is an increasingly intrusive and expensive nuisance).

The spammer says I signed up for his list, but I don’t recall doing so.

More than likely you did not. At least, you did not sign up explicitly to receive that particular spammer’s mail. Most people don’t trust their memory enough to be absolutely sure of this, and the spammer figures you just might believe him if he says you put yourself on his list. DON’T believe him.

How can I stop getting spam?

This is a question that I get with some frequency. Ah, if only it took just some simple act to stop spam — like asking someone to stop, or else putting your address on some sort of do-not-spam list. If it were indeed this simple, then this website, like many other anti-spam resources, would be a lot smaller and a lot less busy, or else might not even exist at all.

The sad truth is that you cannot stop spammers from mailing you if they are determined to do so, no more than you can stop people from cutting you off on the freeway, blocking the aisles in the supermarket, or leaving flyers under your windshield. Hardcore spammers are not in business to make you happy — they are in business to blanket the earth with their fraudulent and criminal mailings, in the hope of increasing the pitiful handful of recipients who actually respond. They therefore have absolutely no interest in removing anyone from their mailing lists, except perhaps for people who are knowledgeable enough and well-placed enough to make a lot of trouble for them (and most of us do not fall into that category).

Unfortunately, then, if you’re getting spam now, then you are going to continue getting it for the foreseeable future. The best you can do is to figure out a strategy for filtering it out of your inbox; or, you can join those of us who report spam to the providers that support it.

If you are in a position to abandon your current e-mail address(es) and start over with a fresh one, then this might reduce your spam load substantially. However, unless (and sometimes even if) you guard this address very carefully, then it, too will eventually start getting spammed.

Why did my incoming spam actually increase after I tried some anti-spam product, service, or technique?

This is a very common question. If we take time or spend money to do something that someone tells us will reduce spam, we expect that our spam will immediately stop, or at least sharply diminish. When it does not, we often suspect that our efforts have been ineffective, or even that we have been betrayed by the software or service we used (i.e., maybe the people at KillSpamImmediately.com actually sold our addresses to spammers). This is likely not true. Spam volumes can vary greatly from day to day, and it may thus be unrealistic to see immediate declines in spam after taking some measure against it. What you are doing may actually be working, but its effects may be temporarily masked by the natural variations in spam volume.

Spam is so hugely prevalent and widely-diffused that it has come to resemble a statistically random phenomenon — that is, it seems to rise and fall according to chance, and can’t always be correlated to specific outside events. Therefore, we make a pretty fundamental error in reasoning (specifically, the post-hoc fallacy) to assume without proof that anything we have done is responsible for increasing (or even decreasing) our spam load.

When evaluating the performance of a spam filter, the statistic you need to watch is not the total number of spams that the filter lets through, but the total number of spams stopped. For example, suppose you keep track of the spam you get before and after you activate a spam filter, and you collect the following data:


Day
Filter
on?
Spams
sent
Spams
received
Spams
filtered
Filter's
effectiveness
Monday
No
20
20
--
--
Tuesday
Yes
100
20
80
80%
Wednesday
Yes
83
18
65
78%
Thursday
Yes
47
6
41
87%
Friday
Yes
127
23
104
82%

If you only pay attention to the "Spams received" column, you would have reason not to be terribly impressed. However, if you also look at the number of spams you were sent (a figure which most filters should be able to supply if you dig around a bit), and then compute the number that were stopped, you would find that your filter is about 80% effective on average. This good performance is masked by the wide variations in the amount of spam actually sent to you.

So, why did the spam increase so sharply from Monday to Tuesday? It is hard to say; one possible explanation might be that a new (to you) spammer has just acquired your address (from a dictionary attack or similar means) and has started to bang away at it. Or, your current spam correspondents may just have upped their volume of mailing substantially, or found some new conduit for spam that is (for the moment) less susceptible to filtering. Finally, it is also possible that your address was exposed or betrayed by the filtering service, but as we see, there are plenty of more plausible explanations that should be considered first.

Still suspicious, or merely curious? If this explanation hasn't satisfied you, then you can make a test: simply get a new e-mail account with a complex, unguessable address, and then apply your filter to it without sending any mails from it, publicizing it, or using it for any other purpose. If you begin to get spam to this unused “secret” address, this would be reasonable proof that something fishy is going on.

Should I remove myself from the spammer’s list, or otherwise reply to the spammer?

NO. Let me repeat that: NO. You should never send a return e-mail to a spammer, use any “remove” links, or try to make direct contact in any other way (even to threaten or harrass). This can avail you nothing, except possibly to be put on a list of “live” e-mail addresses to which more spam can be sent.

This is as good a place as any to point out the first of my spam rules: Never believe ANYTHING that a spammer tells you, not even that he’ll remove you from his list and not pass your address on to anyone else. Maybe one particular spammer will keep his word, but there are a helluva lot who don’t, so don’t be a sap.

How did the spammer get my address?

No, he didn’t break into your computer or spy on your internet connection to get your e-mail address. It’s much simpler than that.

It is actually pretty easy to harvest large numbers of prospective e-mail addresses from the web, using various means, and without the knowledge of the victims or their service providers. More than likely, your address turned up in such a scan. The spammer may have collected his list all by himself using a harvesting “bot,” or more likely may simply have purchased it from another spammer.

It’s also possible (and has often happened) for spammers to get lists of addresses from poorly-secured internet services or by bribing crooked system administrators.

Finally the spammer can simply guess at random e-mail addresses and then check them for deliverability using directory harvest attacks.

You may want to read my tips for avoiding spam to see what kind of behavior raises your level of exposure.

Is spam dangerous to my computer?

Back when all spams were simple text messages, the answer to this question would have been a resounding NO. Despite what some urban legends and hoaxes would have you believe, there is nothing that a plain text e-mail can do to harm your system (unless you count taking up otherwise useful disk space as “harm,” or unless you follow whatever dubious advice such messages might offer).

Today, however, e-mail programs and web browsers can automatically execute instructions or bits of code that are embedded in e-mail messages, and spammers have exploited some of these tricks to launch pop-up windows, cover their tracks, or collect information about you without your knowing. These tricks have at least the potential to do harm to your system, or to subvert it in ways of which you wouldn’t approve.

I suspect that the last thing your typical prescription-drug spammer wants to do is to terrorize his audience or break their computers (if he did, his victims would be unlikely or unable to send him any money). Others, however, are not so considerate: for example, the bulk-mailers who spread viruses that implant keystroke macros or proxy mail agent software, or the phishers who use bulk mail to trick people into giving up their bank account info or other sensitive data.

Even if most spam advertising won’t harm your computer, it can still hurt you personally if you buy into the schemes it promotes. For example, many “free membership” pornography websites can trick you into making expensive toll calls on your modem, or surrendering your credit card number for “identification purposes” (and you can imagine what they’ll do next with that number). Many spammers’ websites don’t follow proper practices in collecting your ordering info (including credit card numbers), and may not protect your info from theft once you’ve given it over. Some spams attempt to involve you in illegal transactions that could, in extreme cases, cost you your life. These threats, however, don’t materialize unless you actually take the bait and respond to the message (and, of course, you do not want to do this).

Why are so many spam messages so full of gibberish?

What’s up with all the nonsense text, misspellings, made-up words, and weird quotations we see in many spams? It isn’t that the spammers are illiterate or addle-brained (although many of them may be), it’s simply that they are trying to evade spam filters.

There are ways to hide this “noise” from the recipient, but the laziest spammers don’t even bother. They are so obsessed with getting these messages delivered that they don’t even care what sort of demented image they present to the reader.

You can read more about these techinques in my page on spammer tricks, and you can also find examples in my sample spam analyses.

Can’t somebody just find out where the spammers operate from and shut them down?

Ah, if only ...

Actually, there are thousands of people around the world trying to do just that, every hour of every day, either by themselves or in conjunction with organizations like SpamCop, Spamhaus, and the like. Still the hardcore spammers are very good at hiding their operations and making things very difficult for those who choose to track them down.

Our current spam pandemic is a bit like an infestation of cockroaches. Everywhere you look, you see lots of bugs, but it can be hard to tell at a glance where they come from. Tracking down their nest and destroying it can take time, trouble, and expense — and, even if you succeed in doing so, there’s no guarantee that a couple of roaches won’t survive and set up shop somewhere else.

What can I do about the spam I get now?

Spam is a bit like herpes; once you start getting it, there generally isn’t much you can do to stop getting it, short of closing your mail address and starting over with a fresh one (if you do, you’ll want to read my page on avoiding spam), and even this may be only a temporary solution. What you can do, however is to filter the spam to keep it out of your inbox, or to segregate it to some manageable corner of your inbox, where you can report or discard it. See my page on filtering spam for more info.

I don’t get any spam right now. How can I keep it this way?

Lucky you. You’ll want to read the tips I offer for avoiding spam.

Isn’t spam illegal?

The short answer to this question, at least for those of us here in the USA, is “yes, but so what?” We also have laws against theft, murder, and double-parking, but we still have appreciable numbers of thefts, murders, and double-parkings.

In December of 2003, US President George W. Bush signed into law the “CAN SPAM act of 2003,” which made spamming a federal crime punishable by up to eight years in prison, depending upon the circumstances. So far, so good. However, the law is hardly a final solution to spam, and in fact can even be considered spam-friendly:

In short, the CAN SPAM law might encourage some spammers or spamhaus customers to “go straight,” but there’s liable to be plenty of slack in its enforcement that might allow your typical hardcore spammer to continue as before with relatively little fear of being stopped.

The CAN SPAM act also requires the government to “study” whether to create a “do-not-spam” list (comparable to the currently-successful “do-not-call” list for telephone marketers), but the U.S. Federal Communications Commission has already expressed its skepticism regarding such a list, a skepticism that I wholeheartedly share. Getting the hardcore spammers to use such a list would be like giving burglars your home address and asking them to sign a pledge not to rob you; such spammers would be just as likely to use all those addresses on the do-not-spam list as targets for their next wave of ads.

When the months immediately following CAN SPAM did not see an instant reduction in the volume of spam, many wags took to calling the law the “YOU CAN SPAM” act. Many spammers, in fact, put up some window dressing to make it look as though they were in compliance with CAN-SPAM (although they are usually demonstrably not). There are signs, however, that the law may be having some effect (at least in my own case): I have noticed a definite and substantial drop in the volume of spam I receive both at home and in the office. In particular, “mainsleaze” spam (promotion of “mainstream” companies through spam) and porn spam have pretty much disappeared from my inbox, as well as much of the “one-shot” spam, leaving behind the hardcore industrial-strength serial spammers, mostly selling mortgages, prescription drugs, counterfeit luxury goods, and pirated software. These folks are hard nuts to crack, and are probably largely fortified against routine federal law enforcement.

Of course, many spams involve activities that are at best unethical, and sometimes criminal and fraudulent. Whenever spam crosses the line and becomes scam, the government can and does step in (as in the recent case of the colloidal silver anthrax cure racket, or in another recent case of a spammer selling reconditioned inkjet cartridges as brand-new ones). We also come across the occasional reports of notorious and flagrant spammers being arrested (usually because they are illegally selling drugs without valid prescriptions, or breaking other laws in conjunction with their spamming). However, most spams never get to this stage of actionability. Again, most spammers aren’t selling anything of particular value, so it’s harder to cry fraud.

Spammers often claim that their activities are constitutionally protected free speech, or that they meet the conditions of particular laws or bills. You might like to read about some of these rationalizations on my page about spam wrapped in fig leaves.

Even with strong federal or state laws against spam, nothing can really happen without vigorous effort by law enforcement personnel. These days, the actual damage done by individual spammers usually isn’t sufficient to warrant such attention, and probably won’t be for some time. Plus, since much spam originates from offshore hosts or fom hijacked home computers, it isn’t clear what the U.S. (or any other single country) could do about it. Therefore, it is best not to look solely to the government for protection from spam.

Then, what can I personally do about spam?

What you will want to do about spam depends upon how much you get and how much it ticks you off. Here are some of the things you can do about spam:



 Legend:  new window    outside link    tools page  glossary link   

(c) 2003-2007, Richard C. Conner ( )

07009 hits since March 28 2009

Updated: Fri, 23 May 2008