Help with Spam and Phishing

...and Other E-mail Pests
by Randy Cassingham

The basics of spam, "phishing" and other e-mail pests, how they got your address in the first place -- and what to do now that you're inundated.


Well, Then What Should I Do?

So, once you're on these lists, how do you get off? The spam messages themselves often include instructions on how, but often the instructions are either bogus or a way to collect more addresses. Typically, if you reply to the mail to complain, your message will bounce back because the return address has been forged and doesn't actually exist (or, looking at the "From" address, it's obvious that it's fake). Worse, if it does manage to get through to the spammer's site, they will often not only not remove you from their mailing list, they'll see your complaint as evidence that your address is valid and spam it all the more! They do not care that you're irritated or angry, since they figure if even .01% of the millions of people they send junk mail to send them money for the advertised product or service, they're coming out ahead. They literally do not care about the other 99.99% -- yet another indication of the quality of the businesses that use spam.

 
[Image: "What's All This in My Mailbox?!" Detail from The Scream by Edvard Munch, 1893. Caption: All this spam could make you scream! It never stops! Is this any way to run an online business? No! Do not buy from spammers or it will never stop!]

#1 Most-Important Thing to Know: Thus my first advice is never, ever, ever buy anything from someone who sends you unsolicited advertising by e-mail, even if the product is something you want! Many of these offers are fraudulent, and the advertising method is, by definition, underhanded, especially if the "from" address is forged. Why in the world would you want to give your hard earned money to people who would forge their return address, or make you pay to receive their advertisements that you didn't even ask for? Film critic Roger Ebert urged people not to support spammers by buying their junk in a speech in Boulder, Colorado. His plea is now well known as the "Boulder Pledge".

But more importantly, consider this: even if it's not a scam, by buying from a spammer you legitimize spam, and thus add to the problem. If only 1 recipient out of a million messages buys from the spammer (and that is approximately the number), and you are one of those buyers, that pretty much makes you responsible for a million more spam messages coming into mailboxes -- yours and everyone else's. Is that what you really want? It is simply not worth it to encourage spammers. Think of the corollary: If no one bought anything from spammers, they'd stop spamming -- it wouldn't be worth their effort if everyone ignored them. But since a very small percentage does buy, it encourages spammers to continue or even expand their operations, resulting in ever-more spam -- just like you've seen over the past 10 years. Thus, the major blame for spam lies with the people who buy from the spammers, making it profitable for them to continue filling your mailbox with garbage.

 

#2 Most-Important Thing to Know: My second, related bit of advice is never, never, ever reply to spam, or use the suggested "remove" method that is often shown at the end of the mail.

Warning: Even simply clicking on a link can confirm your address. If you see a link to (say) http://www.spam.site/?23&xa-123754, that often indicates your address in coded fashion. If you click, they know that the spam to the address associated with the code 23&xa-123754 is not only a valid address, but that the person there reads their spam and clicks on the URLs in them -- a very valuable address indeed! Those addresses, then, are sold for premium prices (read: even more spam for you because you just proved you open spam and click on the URLs!).

Important: You don't even have to click the link for them to verify you in some cases. Why? If you have your mailer set to fetch image links contained in HTML e-mail, they could just as easily have a graphic, perhaps just one pixel, called (say) 23&xa-123754.gif; if your mailer goes out and fetches that graphic when you open the message, they've got you -- that your e-mail program tried to load that coded GIF tells them you've opened the mail, and your address is thus verified. Luckily, most newer e-mail programs are set up to not automatically fetch hosted images. Don't change that setting without really thinking about it first.
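To see both signals described above in one message, the following added example (not from the original page) scans an HTML e-mail for remote images and links and pulls out the code each one carries. The sample message is constructed, and the rule for what counts as a code (a run containing four or more digits) is an assumption.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not a real message; host and code are the page's own example.
SAMPLE = """\
From: offers@spam.site
To: you@example.org
Subject: Great deal
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://www.spam.site/?23&xa-123754">Remove me</a>
<img src="http://www.spam.site/23&xa-123754.gif" width="1" height="1">
<img src="cid:logo">
</body></html>
"""

# Heuristic (an assumption, not a standard): a path/query run with 4+ digits in it.
TOKEN = re.compile(r"[A-Za-z0-9&_-]*\d{4,}[A-Za-z0-9&_-]*")

class RemoteRefs(HTMLParser):
    """Collect http(s) links and images that could carry a per-recipient code."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        # Images are fetched when the mail is opened; links only when clicked.
        url, trigger = {"img": (attr.get("src"), "open"),
                        "a": (attr.get("href"), "click")}.get(tag, (None, None))
        parts = urlsplit(url or "")
        if parts.scheme not in ("http", "https"):
            return  # cid: and data: images live inside the message; nothing is fetched
        m = TOKEN.search(parts.path + "?" + parts.query)
        self.findings.append((trigger, parts.hostname, m.group(0) if m else None))

def audit(raw):
    """Return (trigger, host, code) for every remote reference in the HTML part."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    parser = RemoteRefs()
    parser.feed(body.get_content() if body is not None else "")
    return parser.findings
```

Calling `audit(SAMPLE)` lists one "click" entry and one "open" entry with the same code; the embedded `cid:` image is skipped because displaying it contacts no server.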

Back to opt-out requests: there are some businesses that do honor them, but it's difficult to know if the spam you got came from one of them. Of course, why should you have to beg them to stop sending mail you didn't ask for? But if you can't stand it anymore, the best way to tell if they'll honor your request is: 1) Does the spam come from a real address? (Like list@companyname.com, not like 23r8g4@yahoo.com), 2) Does it come from the same address each time? 3) Are the opt-out instructions the same every time? If the answer to #1 is yes, and either #2 or #3 is yes, it's probably safe to follow the directions to opt out. After all, it's quite possible you did request the mail, and simply forgot about it.

Shouldn't I File a Complaint?

Probably not. I do not think complaining helps. Spam victims have complained a lot, and for a long time, but the complaints really don't do anything to stop spam. Worse, because spammers are pretty good at hiding their tracks and using fake addresses (or, much worse, real addresses belonging to innocent bystanders), it's sometimes very difficult to track down the real culprit. There's only one thing worse than spam: accusing the wrong person of doing it!

If you want to complain anyway, learn how to "reveal full headers" on your mailing software. Most e-mail software normally only shows the basics -- the "To", "From", "Subject", etc. headers. That's not where the real information is: "extended" headers show the servers the message was routed through. So even if "spammer@aol.com" is shown on the "From" line as the sender, the advertiser may not only have not sent the message from AOL, he probably never even had an account there. By revealing the full headers, you can see, in the vast majority of cases, where the message really came from. Very often, they're simply relayed through foreign servers where laws are lax, where providers are happy to take money from spammers to send their mail, or where technicians aren't savvy enough to know how to protect their servers from spammers who want to steal their resources.

If you really want to complain, you should forward the message with those full routing headers to the first server provider that handled the message, saying politely that you don't want such mail. What specific address? Abuse@[domain]. If that bounces, you'll have to hunt down a real address. The better ISPs have an abuse address; if they don't, you should encourage them to implement one. Don't complain directly to the spammers; they truly don't care that you are irritated, and they'll just mark your address down as "good".
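Reading the full headers as described above, in an added example that is not part of the original page: each server puts its own Received line on top, and only the lines written by your own provider can be relied on, since anything below them may be forged by the sender. The sample headers are constructed, example.org stands in for your provider, and treating the last two labels of a host name as the provider's domain is an assumption.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample. example.org stands in for the reader's own provider;
# all hosts and addresses are made up (documentation ranges).
SAMPLE = """\
Received: from relay.isp-example.net (relay.isp-example.net [203.0.113.7])
 by mx.example.org with ESMTP id abc123; Mon, 3 Mar 2008 10:00:02 -0700
Received: from aol.com (unknown [198.51.100.9])
 by relay.isp-example.net with SMTP id xyz789; Mon, 3 Mar 2008 10:00:01 -0700
Received: from mail.aol.com (mail.aol.com [192.0.2.1])
 by fake.invalid; Mon, 3 Mar 2008 09:00:00 -0700
From: spammer@aol.com
To: you@example.org
Subject: Great deal

Buy now!
"""

HOP = re.compile(r"from\s+(\S+)\s+\((\S+)?\s*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def hops(raw):
    """Received lines, newest first: each server prepends its own on top."""
    msg = message_from_string(raw, policy=default)
    found = []
    for value in msg.get_all("Received", []):
        m = HOP.search(str(value))
        if m:
            helo, rdns, ip, by = m.groups()
            found.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by.rstrip(";")})
    return found

def handoff(raw, my_provider):
    """Last hop stamped by my provider: the outside server that handed the mail over."""
    boundary = None
    for hop in hops(raw):
        if hop["by"] != my_provider and not hop["by"].endswith("." + my_provider):
            break  # from here down, the lines were written by servers I can't vouch for
        boundary = hop
    if boundary is None:
        return None
    name = boundary["rdns"] if boundary["rdns"] not in (None, "unknown") else None
    # Assumption: the last two labels are the provider's domain (wrong for e.g. .co.uk).
    abuse = "abuse@" + ".".join(name.split(".")[-2:]) if name else None
    return {"ip": boundary["ip"], "host": name, "abuse": abuse}
```

For the sample, `handoff(SAMPLE, "example.org")` names 203.0.113.7 and abuse@isp-example.net, even though the "From" line and the bottom Received line both claim aol.com.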

There are services that help you complain. I have tried some of them, but found I got very few positive responses from the people I complained to. They do a pretty good job of tracking the origin of the spam if you feed them the full routing headers. However, I got far more responses from spammer ISPs when I sent a complaint manually. Many ISPs throw out automated complaints without looking at them, in part because most of them hide your identity -- few ISPs will take action on anonymous complaints, nor should they.

Important! If you did ask for the mail (such as signing up for an e-mail newsletter), do not report the mailer as a spammer when you decide you don't want it anymore! By signing up for the mail, you made it your responsibility to follow their directions for leaving the mailing list. Reporting a legitimate mailer as a spammer is an obscene abuse of their good names. Such complaints also send a very clear message, which is that people who complain about spam are clueless idiots who don't know the difference between mail they asked for and spam, which just encourages ISPs to give up and not do anything about any complaints. Save your complaints for real spam, and make sure you are sending your complaints about the right people to the right people.

The bottom line: it's very difficult to stop this kind of junk e-mail advertising, but if we all refuse to do business with spammers, we can make a difference in the long run. Meanwhile, the U.S. Federal government has stepped into spam regulation.



Please pass the URL for this site to others you think could benefit from the information here. The more people that truly understand spam, the harder it will make things for spammers.

Copyright © 1996-2008 by Randy Cassingham, All Rights Reserved. All broadcast, publication, retransmission, copying or storage, including on CD-ROM, listservers, BBSs, Web sites, "FTP" archives, or anywhere else, is strictly prohibited without prior written permission (contact the author).

"This is True" is a registered trademark of ThisIsTrue.inc and is used with permission.

This page: http://www.SpamPrimer.com/2-nowwhat.html