Most wonder how spammers got their e-mail address. It is actually pretty easy for them: if your address is shown in any public place, spammers can and will find it. They use software to scan web sites, chat postings and more for any address they can find, and it's added to spam lists -- and you cannot get off those lists.
There are some ways to keep your address from spammers, but it's not as easy as you may think!
Once you start getting spam, it's too late: spammers won't "remove" you, and you will continue to get it forever until you get a new address that is not shown in any public place. (And even then, we show you how you can still get spam.)
There are, however, a few instances when you can reasonably safely ask to stop getting spam. We explain how to tell when it's safe.
There's a law, right? Right, but the federal "CAN-SPAM" law didn't help -- and actually made things worse. (What did you expect from politicians?!)
You can get some relief, however, by filtering spam from your own mail. We also give you tips on getting legitimate mail delivered -- whether you're trying to send it, or trying to receive it.
A very scary type of spam is phishing -- e-mail that appears to be from your bank warning that you must "update" or "confirm" your account information. Banks never send such messages. The e-mails are sent by identity thieves who want to drain your bank accounts.
Worse, you can become part of the problem: spammers want to take over your computer (make it a "bot") to send spam to your friends "from" your name and address! This can also happen if you don't use a good password on your mail account (which can also easily lead to breakins of your bank accounts!)
Spam isn't the only e-mail pest. For instance, there are urban legends -- silly stories passed along as if they were true. We explain the real danger here.
The Internet is a wonderful resource that can help you find out nearly anything you want to know. It's also home to the same types of people who inhabit the real world: thieves, con men, liars, cheats, exploiters and other ruffians. You can be robbed online just as easily as you can in a back alley.
If any of this is new to you, you really should read the entire text of this site, not just this summary. It includes the "whys" behind our advice, and obviously has more detail than this summary.
Want to Know More? Read the full Spam Primer starting here.
Last...
Please pass the URL for this site to others you think could benefit from the information here. The more people that truly understand spam, the harder it will make things for spammers.
It truly is up to you to be smart, to safeguard your computer, and to never buy from spammers. It's part of being a good citizen online. If you suspect your computer has been taken over by these thieves, get help to get it cleaned up -- now, not later! -- or you will be partly responsible for the problem! You could be responsible for your friends losing their life savings. It's that important.
I hope you've actually read the pages here: even long-time Internet "experts" have told me that they have learned things from this site, so it's worth a full scan even if you think you're an expert. And if you're not an expert? Well...!
And don't just read the Executive Summary, either: the full articles include the "whys" behind our advice, and obviously has more detail than any summary can.
Last, please do pass the URL for this site to others you think could benefit from the information here. The more people that truly understand spam, the harder it will make things for spammers. And that's really what this site is all about: making spam so unprofitable, the bastards that are doing it to us all will stop.
Well, we can always hope!
Thanks for reading, and for helping others learn more about spam.
--Randy Cassingham
Author and Publisher, This is True®
Back To: Home Page
The mail does everything it can to get you to click a link -- to a site that has a virus. This is no ordinary virus: it's not there to destroy your computer, or erase your files. No, they want your computer to be in good working order!
There are two things these virus programs want to do on your computer:
That's using your hard-earned reputation with your friends with the intent of stealing from them. Is that something you really want to be associated with? That's why it's hugely important to safeguard your computer: to keep it from being a "bot" for organized crime -- which may be domestic or, more likely, foreign.
A "bot" (short for robot) is a compromised computer connected to the Internet. One "bot" is not enough, since security-aware computer users can quickly get rid of them. No, they want thousands -- even tens of thousands -- of compromised computers to be part of a network of computers (a "botnet") to be used for malicious purposes by whomever controls it (a "bot herder" or "bot master").
When the controller wants to do something -- say, disrupt a web site with a Denial of Service Attack, break into a bank or government computer, or send a flood of spam, they use your computer to do it so they can keep their hands clean (and their Internet provider happy). And who gets their Internet connection shut down when spam or other malicious garbage is spewed from your computer? Certainly not them! You do!
Are you getting the idea that it's truly important to pay attention to this stuff?!
Use anti-virus tools. Ask for help from a knowledgeable techie friend when your computer acts strangely, and (especially!) when your friends tell you they got spam from you!
Even if you're very careful with your computer, there could still be problems like this. How? Your webmail and other online accounts (such as Facebook) can be broken into. Once into your webmail, they get your address list so they can send spam to your friends in your name, trying to get them to buy garbage -- or get a virus in their computer.
Worse, these criminals can go to major banks and click the "I forgot my password" links, putting in your address. No harm if you don't have an account at the various banks (and brokerages, and other money-holding places) they try. But if you do, because they have access to your e-mail, now they have your bank password! See why this is so important?
In late 2011, it was revealed that more than 600,000 Facebook accounts are broken into every day -- about seven per second! Trust me: they're not interested in your family photos, they want access to your friends there. They'll post spam on your Facebook account trying to get your family members and friends to click it. Use good passwords, and learn about the tools your mail provider and other sites provide to keep your account secure! Otherwise, you will become a huge part of the problem.
Next Topic: Urban Legends: Innocuous E-Mail Can Still Be Irritating
Most "virus warning" mails are fake too, and keep going despite being years old. The "Good Times", "Deeyenda", "Irina", "AOL For Free" and "Ghost.exe" warnings (and certainly many others) are all hoaxes, and spreading them around causes nothing but resource drains, bother, and sometimes panic to the people you send them to. For more on 'net hoaxes in general, see http://www.nonprofit.net/hoax/. For more on fake viruses, see http://hoaxbusters.org.
There are real viruses, of course. However, if you keep your e-mail program updated (especially MS Outlook: always keep an eye open for new security "patches"!), keep your Windows updated (check Microsoft's "Critical Update" service at least weekly, if you don't have it set to automatically load updates), and never click on attached files that you don't know are safe, you'll be quite safe from viruses. For added protection, use a virus scanner and update it regularly.
Then there are the urban legends. You get stories in your e-mail all the time that say they're true. A ship telling a lighthouse to get out of the way. The jet-equipped car crashing in Arizona. The good-ol' Southern boys accidentally blowing up their truck while ice fishing. The lawyer who insured his cigars against fire, and then turned in a claim after he smoked them. People waking up in ice finding a kidney has been surgically removed. Spiders under toilet seats. Bill Gates (or the cancer society) will send you money for forwarding e-mail. All are urban legends and are not true. Think about it: cancer societies accept donations, they don't send money out to idiots who forward e-mails! And Bill Gates isn't rich because he does the same thing. Don't be stupid and fall for such obvious hoaxes! For details on these and many others, see Snopes.
If you see any plea or warning floating around the net, especially if it tells you to "send this to everyone you know!", the best bet is to assume it's a gag, hoax, or urban legend unless proven otherwise by going to the source. Please delete it, and do not send it on, either to me or anyone else.
Next Topic: Conclusion
If you're not sure if the mail is legit, do not click on the link! You're betting all the money in your account that you're right. If you want to check your account and make sure it's OK, then use your regular bookmark, or carefully type in the correct link address yourself. But never click a suspicious link to check your account. The risk of losing money there is huge, and you may never get it back once a scammer gets hold of it. If you're really unsure, call your bank's service center on the phone.
The #1 Most-Important Thing to Know: If you're foolish enough to click on links in "phishing" e-mails, you'll see what looks like your bank's real web site, but it's not. You're asked to put in your banking ID and password, or your credit card number, or other private information to "confirm your account." What you're actually doing is providing your bank information to scammers who are more than happy to use your password, which you just gave them, to drain your bank account for you. Don't be an idiot: your bank does not need you to "confirm" your credit card number or password!
The #2 Most-Important Thing to Know: Your bank account is not the only thing at risk if you accidentally give a scammer your personal information. Sure, they'll grab all the cash they can as quickly as they can, but what if they have your credit card number, your password, your Social Security number? They can use your account info and password to try other banks, brokerage houses, and more, and drain those accounts too! They can use the information to apply for new credit cards in your name -- identity theft -- and make life a living hell for you.
Never use the same login and password info on more than one financial account. Never make your password easy to guess. Your spouse's name is a terrible password; "XcM-4&Q" is a great password. How can you keep track of such weird passwords? Software! Look into RoboForm (a commercial product) or Lastpass (free). You only have to remember one password: the one to access your software. It remembers the rest for you, and types them in for you when you need it.
Next Topic: You May Be Spamming Your Friends and Enabling Crime!
It's thus very likely that mail you've sent -- completely legitimate messages to your friends, co-workers, family, and others -- didn't get through because they are trying to reduce their own spam level, and your mail got caught up in their filters.
First, always use a proper subject line! Blank subject lines are a common spammer trick, so never leave it blank, since many spam filters assume blank-subject messages are more likely spam. Never use one-word subjects, another spammer trick, such as "hello", "hi", or similar.
Second, and it's sad to say it, avoid common trigger words (like "naked", or any variant on the word "Viagra"!) until you're sure that your recipient will get your mail; see "whitelisting" below.
You signed up for a newsletter, or sent a vendor an order, but don't hear any reply. Rude and nasty companies? Probably not: it's more likely they did respond, but you simply did not get it. It's very important that you find out what your e-mail provider is doing to cope with spam. Are they filtering your mail? Do you have any control over those filters? What if you're fighting breast cancer? Wouldn't you want to get mail from your support group? You must have control over the filters used to evaluate your mail! That way, you can "whitelist" (allow) all mail from your support group so it can get though no matter what -- even if (gasp!) people in your breast cancer support group send mail with the word "breast" in it.
The time to do something is before you sign up for a newsletter or send a customer service request. When you expect a reply, make sure you've whitelisted the domain or address the reply will come from. Legitimate mailing lists will send a confirmation request to ensure you really want the subscription (rather than, say, someone else who put your address in the signup box).
It's also a good idea to whitelist your own friends. It's also possible to set up a password that someone can put in the subject line to get mail through. This is True, for instance, has a huge subscriber list, so it's impossible to whitelist them all. How, then, do they get responses from readers? A password that readers can put on their message to get through the filters. It's shown prominently on True's Contact Page so readers can easily find it. Spammers are pretty lazy, so they don't try to find such passwords, but even if they did, it's easy to change it and post the new one on your web site.
Whitelisting and passwords work great if you run your own server with SpamAssassin, but may not work if you use (for instance) Google's Gmail filtering. No worries: they do it for you, when you "train" their filters using the "spam" and "not spam" buttons.
Worse, legitimate sites can get all of their mail blocked. There are "blacklist" services that mail server owners can use to try to block mail based simply on where it's sent from, even if it doesn't otherwise trip filters. The problem: some of these blacklists are poorly constructed: even an anonymous complaint that's in error can cause the sending site to be blocked, at least for a time. Such a tactic is thus adding to the problem of legitimate mail being blocked, rather than really helping the situation.
The bottom line: spam causes many more problems than simply clogging your inbox. You may be getting lots of spam, but still not get the mail you truly want. Legitimate mail that's blocked is a true casualty of the war on spam.
Next Topic: Phishing and Other E-Mail Scams
"Challenge-Response". A more recent concept is the "challenge-response" system. When you get a message from someone not on a "safe" list of senders, your ISP will hold that message while it sends a "challenge" to the sender that says, essentially, "We don't know if you're a spammer or not. If you are, you won't read this, so your message won't get through. If you're not, prove it by going to a certain web page and passing a little test."
While that sounds cool, what it does is change your problem with spam into a problem for everyone else -- the people you actually want mail from, while not impacting spammers whatever. This is not a reasonable exchange. If you have a spam problem, it's up to you to deal with it, not the people you want mail from. The appropriate response by a legit mailer who receives a challenge is "forget it" -- meaning you may not get order confirmations, shipping alerts, newsletter subscriptions, and other mail you actually want.
There are several ways to filter spam: on your own server, if you have one; on your provider's system, if you're an individual user; or, you can do a combination of the tactics. (My own technique is detailed in the Spam Primer book -- see the front page of this site for details).
Many e-mail programs have spam filtering built-in, such as Microsoft Outlook. The problem is, that doesn't save your server-based inbox from piling up with junk (and perhaps sending you over the limit if you don't have a large "mail quota"), and it doesn't save you from having to download it all, which takes time and bandwidth.
If you run your own server, the most common spam-filtering method is to use SpamAssassin. This is an open-source non-profit initiative that is fairly effective. Your server provider may have it available for you, and that's an effective way to get it, since installing it yourself is difficult unless you're very familiar with unix and system administration tasks. See my blog entry (linked above) for more: you can do some of it even if you aren't techie.
Next Topic: Casualties in the War on Spam
]]>In 2004 a U.S. federal law, commonly known as CAN-SPAM, went into effect. Finally, spam is "illegal"!
What happened? Spamming increased. So much so that wags called CAN-SPAM the law that says criminals "can spam" you!
Why? Two reasons:
1) the law is virtually unenforced, since the Federal Trade Commission, which is tasked to enforce the law, works at the speed of government, and
2) the law makes much spam legal!
Yes, really: it is now essentially legal -- they "can spam" you! Any of tens of thousands of companies may send you spam, and stay within the law, by simply marking the spam as an ad, allowing you to "opt out" if you ask, and by following several other simple steps. How is it reasonable for you to demand to be left alone by tens of thousands of spammers that you didn't ask to get mail from in the first place? It's not. But that's the law. Pathetic! But the law is so weak, few spammers actually bother to follow those rules!
There is hope, however: in addition to federal action, Internet Service Providers are also allowed to sue spammers who violate the law, and the law allows for significant damages. Several ISPs have indeed taken action against the worst of the spammers, and I say more power to them!
Occasionally, you'll see a headline about a spammer that has been prosecuted under the federal law and jailed. Usually they're big operators who sent millions of spams per day. When they go to jail, do you get less spam? Nope: they're getting so few of the spammers, it's a drop in the bucket when one goes to jail, and there are always more spammers to take up the slack. It's truly an ineffective law.
Those who are against legislative solutions say the Internet should be self-policing, that we should not invite politicians in to solve our problems. It's a good theory, but one that hasn't been terribly effective -- the tools to stop spam are crude and often ineffective, or (much worse) they have high "false positive" rates that block legitimate mail. (Have you ever sent an e-mail to a friend and had it bounce back with a message implying your e-mail was spam? Very irritating, but it's worse if a business doesn't get e-mail from customers!)
Next Topic: Can You Filter Spam? (Yes!)
Of course, why should you have to beg them to stop sending mail you didn't ask for? But if you can't stand it anymore, the best way to tell if they'll honor your request is:
1) Does the spam come from a real address? (Like list@companyname.com, not like 23r8g4@yahoo.com)
2) Does it come from the same address each time?
3) Are the opt-out instructions the same every time?
If the answer to #1 is yes, and either #2 or #3 is yes, it's probably safe to follow the directions to opt out. After all, it's quite possible you did request the mail, and simply forgot about it.
No! I do not think complaining helps. Spam victims have complained a lot, and for a long time, but the complaints spam hasn't been reduced, it has increased. Worse, because spammers are pretty good at hiding their tracks and using fake addresses (or, much worse, real addresses belonging to innocent bystanders), it's sometimes very difficult to track down the real culprit. There's only one thing worse than spam: accusing the wrong person of doing it! In many areas, spam is a crime, so you're potentially accusing an innocent person of committing a crime. Are you sure you have the right person? Are you sure you won't be sued for slander if you get the wrong person?
There are services that help you complain. I have tried some of them, but found I got very few positive responses from the people I complained to. They do a pretty good job of tracking the origin of the spam if you feed them the full routing headers. However, I got far more responses from spammer ISPs when I sent a complaint manually. Many ISPs throw out automated complaints without looking at them, in part because most of them hide your identity -- few ISPs will take action on anonymous complaints, nor should they. But it rarely helped: I was wasting my time. I gave up and used filters to get rid of most of it (more on that soon!)
Important! If you did ask for the mail (such as signing up for an e-mail newsletter), do not report the mailer as a spammer when you decide you don't want it anymore! By signing up for the mail, you made it your responsibility to follow their directions for leaving the mailing list. Reporting a legitimate mailer as a spammer is an obscene abuse of their good names. Such reports also send a very clear message, which is people who complain about spam are clueless idiots who don't know the difference between mail they asked for and spam, which just encourages ISPs to give up and not do anything about any spam reports. Save your clicks on the "Spam" button for real spam.
The bottom line: it's very difficult to stop this kind of junk e-mail advertising, but if we all refuse to do business with spammers, we can make a difference in the long run. Meanwhile, the U.S. Federal government stepped into spam regulation. But like many laws, it didn't really address the core problem.
Next Topic: Why the Federal CAN-SPAM Law Didn't Help
There are some which will honor such requests (next page), but it's rare that you should bother asking. After all, you didn't ask to get the junk mail, so why should you have to beg to not get it anymore?!
This is another indication of the honesty of the advertisers. All they are interested in is getting your money -- they do not care about ethics or honesty. (There are legitimate anti-spam web sites that ask you to sign up in anti-spam campaigns. Such support is important, but how do you know if they're really anti-spam, or fronts for the spammers themselves? Be suspicious of any sites you aren't sure of. We are confident of the sites listed on these pages -- they are run by very-well-known anti-spam activists. The sites they list are also very likely trustworthy.) The bottom line is, even if you are careful never to post on a discussion list, or ever to have your address listed on a web site, you can still get onto spam lists. And you cannot get off -- ever!
These resulting lists of addresses are often collected by list merchants (often spammers themselves) who then sell (usually by using spam, of course) the lists to other spammers. Even if you (or the police!) manage to shut down one spammer, there are always more who already have your address -- if you are getting spam now, you will continue to get it for as long as you have that address. Sorry, but the bottom line is, you cannot stop all spam to address that has been compromised. Ever. Sad, but true.
So you can see, it's not enough that anti-spam laws just make spammers take you off their lists if you ask them. Is it really reasonable to ask every new spammer that comes along, "Pretty please, don't send me any more junk mail that I never asked for in the first place"? Heck no! Such laws do nothing but make spam legal and accepted! You would be spending all day, every day, jumping through "opt-out" hoops. Spamming is so easy that there are thousands of spammers. And what is to stop them from changing their name and starting over? Then you have to start over too. Clearly, "opt-out" is not the answer.
Next Topic: When Is It Safe to "Opt Out"?
So the next tip is to keep your address "non-obvious" -- simple dictionary words or names (like Bob@) will almost certainly get spammed, even if you never give the address out to anyone.
Other sources for addresses include open e-mail discussion lists and, ironically, web pages that say "put your address here if you want to be on a 'do not mail' list"; often, these lists are sold to the very advertisers you want to avoid!
Next Topic: Why Spammers Don't Honor "Unsubscribe" Requests
Of course the key there is "legitimate" e-mail publications. If you're not sure, check the publication's web site for a privacy policy. For example, This is True's privacy policy explicitly states that we do not ever sell, rent, give, or otherwise provide our subscriber addresses to outside parties, whether or not we think they're legitimate.
So where do spammers get your address? The number one place used to be posts on Usenet newsgroups (also called "discussion groups" on some systems, "bulletin boards" on others). Newsgroups are "publicly" readable; whether you post your message on your local ISP or on a major 'net service, your message can be spread worldwide by Usenet in a matter of hours, and it -- with your posting address -- is easily sucked up by advertisers.
The current most-common place to get your address is from web pages. If your e-mail address is listed on a web page anywhere on the 'net, especially if that page is listed in a search engine or directory, spammers will find it, and fairly quickly. Tip: try searching for your own e-mail address in Google (put quotes around it -- like "name@example.com"). If you can find your address there, spammers can too -- easily.
Spammers "harvest" fresh addresses by going to web sites and "scanning" for e-mail addresses anywhere on the site. I've seen the scanners in operation, and it's amazing how quickly they work. The software can, for instance, ask a search engine for any page that has the word "cat" in it and grab the addresses off those pages for a "targeted" list of people with a presumed interest in cats. It takes only minutes to gather thousands of addresses. Of course, how "targeted" that list might be is a matter of opinion. A "cat" might refer to a feline animal, a tractor, an abbreviation for "category", etc. But spammers don't really care if you're interested in their message or not. The key, for them, is to blast out their nonsense to as many people as possible because a very tiny percentage of them will be stupid enough to fall for their ad and send them money. That is their only goal -- they don't care how many people they offend in the meantime.
Next Topic: Keeping Your Address Off Spammers' Lists
Typically, if you reply to the mail to complain, your message will bounce back because the return address has been forged and doesn't actually exist (or, looking at the "From" address, it's obvious that it's fake). They do not care that you're irritated or angry, since they figure if even .01% of the millions of people they send junk mail to send them money for the advertised product or service, they're coming out ahead. They literally do not care about the other 99.99% -- yet another indication of the quality of the businesses that use spam.
Even worse is when spammers use the address of real people in the "From" line. They are thus forging real addresses, and who gets the bounces and complaints? People that had nothing to do with sending the junk mail. You may have experience with that already.
Thus, do not reply to complain: your message will not go to who sent it, and may go to a completely innocent third party. And even if it does go to the spammer, remember one thing: they do not care that you are angry! All you've done is prove your address is good (read: needs more spam!) and that you open your mail, including spams (thus you're a really good person to send more junk to!)
My most important advice, then, is never, ever, ever buy anything from someone who sends you unsolicited advertising by e-mail, even if the product is something you want! Many of these offers are fraudulent, and the advertising method is, by definition, underhanded, especially if the "from" address is forged. Why in the world would you want to give your hard earned money to people who would forge their return address, or make you pay to receive their advertisements that you didn't even ask for? Film critic Roger Ebert urged people not to support spammers by buying their junk in a speech in Boulder, Colorado. His plea is now well known as the "Boulder Pledge".
But more importantly, consider this: even if it's not a scam, by buying from a spammer you legitimize spam, and thus add to the problem. If only 1 recipient out of million messages buys from the spammer (and that is approximately the number), and you are one of those buyers, that pretty much makes you responsible for a million more spam messages coming into mailboxes -- yours and everyone else's. Is that what you really want? It is simply not worth it to encourage spammers.
Think of the corollary: If no one bought anything from spammers, they'd stop spamming -- it wouldn't be worth their effort if everyone ignored them. But since a very small percentage does buy, it encourages spammers to continue or even expand their operations, resulting in ever-more spam -- just like you've seen since you've been online. Thus, the major blame for spam is the people who buy from the spammers, making it profitable for the criminals to continue filling your mailbox with garbage.
Next Topic: How Spammers Get Your Address
Of course, any legitimate online retailer you do business with will stop sending you advertising mail if you ask not to receive it anymore (unlike a spammer -- more on that shortly), and no company should send you commercial mail unless you've gone through a "verified opt-in" process where you not only request the mail, but respond to a message sent to your address to confirm you really do want mail from them -- and that you actually own that address. That's what legitimate large e-mailers do. It's a reasonable and simple process for all parties, and the only reasonable exception to this is if you buy something from the company and they send you confirmations, shipping notices, etc. They might also send you future "specials" and such, but a responsible merchant will stop sending those on your first request.
Spam does not include paper "junk mail" that you get at home. Reducing that is also nice, not only to save your time and frustration but also because you're reducing the amount of natural resources that are consumed sending you ineffective advertising. However, that aspect is beyond the scope of this primer.
Spam most often advertises fraudulent or low-quality services or merchandise, and you pay (with your fees to your service provider) to receive it; anyone who would use "spam" advertising to promote a business by making the customer pay to get the ad is either completely out of touch with his customers or, by definition, underhanded. To confirm or report suspected fraud, see Fraud.org, a project of the National Consumers League.
With my well-known e-mail address, I get more spam than most. Even a little bit can be rather irritating, but more than 1,000 junk messages per day stream in to my main addresses. If your e-mail address gets on spammer distribution lists, you will start getting unsolicited junk mail clogging your e-mailbox. If you're lucky, you won't get as much as I do, but others get more! Most of the people who have been online for any length of time agree: something must be done about it.
Yes, there are definitely many things you can do to reduce your spam load. Read on!
Next Topic: Who is Sending This Junk?