All right, I'm angry. I'm fed up with spam (junk email, sometimes known as unsolicited commercial email), and I'm almost as fed up with the hopelessness of the current methods of stopping it. I assume you're all familiar with spam - if by some stretch of luck you're not, you probably will be before long, especially if you post to Usenet or put your email address on a Web page.
We all saw the rise of spam coming: unlike paper-based bulk mail, spam is essentially free to send, and so purveyors of spam are happy with a response rate far lower than the standard 1 to 2 percent achieved by traditional direct response campaigns. Now, the spam problem is getting ridiculous, with no signs of abatement in sight. In the last two months, I've gotten about 250 individual pieces of spam. Sure, I have a well-known address, but that's a lot of spam, and it's increasing in volume all the time.
In this article, I'll examine the efficacy of some anti-spam tactics and technologies. In an upcoming issue, Glenn Fleishman will cover the upstream part of this problem - how to stop spam at the source and how to keep your own or your ISP's mail servers from being hijacked.
Delete -- The simplest method of dealing with spam is the Delete command in your email program. It probably takes a few seconds for you to recognize that a message is spam, and only a few more to delete the message. Even multiplied by the number of messages I received since I started counting, I would only have spent two or three minutes of those months dealing with spam. This technique also has the advantage of being familiar - we do exactly the same thing with paper junk mail. However - in the United States at least - we don't directly pay to receive paper junk mail, whereas we all pay in some form or fashion to receive spam. More concerning, what happens when the ratio of spam to real email flips, so we're getting 98 percent spam? The Delete command won't work so well then, and believe me, it's only a matter of time before that would be true.
Complaints -- You can also complain about spam. You can return nastygrams to the spammers, ask to be removed from their lists, and complain to the postmasters of the ISPs involved.
At this point, however, replying to spammers has an efficacy of about zero. Sure, you might hit a novice spammer at some point who doesn't realize that no good email ever comes from spamming, but that's an exception. Most spam is forged in such a way that there isn't a valid email address to which you can reply. This makes pointless the idea of replying with a note that tells spammers that the next time you receive spam from them, they'll owe you money.
Using remove features when offered sounds like a nice idea, but why would a spammer want to honor remove requests? After all, getting a remove request means that the recipient has a valid email address and actually read the message. To the scarred and twisted minds of spammers, that must mean that the person sending the remove request is a prime target for more spam. Replying to an email address in spam that actually works virtually always gets you added to more lists.
Of these ideas, complaining to postmasters (nicely) is the only tack that has any hope of succeeding. I wrote and used a KeyQuencer macro that actually did all of these things (it replied to the message with full headers, put the word "remove" in the Subject line, put abuse and postmaster addresses at the domain involved in the CC line, and typed a short and pointed note at the top of the message). In several months of using my macro, I got email from a couple of abuse addresses (most of the big ISPs were pretty good) thanking me for the information and saying that they had kicked the person off. Most of the time, though, there was no recourse, and all my messages either bounced or disappeared. I figure I had at best about a 2 percent success rate.
Filters -- What about using the filtering capabilities built into all good email programs, like Qualcomm's Eudora and Claris Emailer? All you have to do is identify common aspects of spam and then you can filter it all to the Trash, or (until you're confident of your filters) into another mailbox where any real messages caught by your filters can survive. If you don't have the time or energy to create your own filters, others have done so for Eudora and other programs.
Unfortunately, filters are problematic for several reasons, and although you're welcome to use them, in the long term they're simply not the solution.
Most spam email has been forged anyway - how can you possibly hope to keep up with spammers who can just forge another address?
Filtering on the Received lines in the message header fails if the spammer hijacks an SMTP server to force it to deliver the spam. It's far too easy to do.
Filtering requires constant updates and constant vigilance to make sure real mail hasn't been captured accidentally.
To filter email, you must first receive it, which means in essence that you're paying for it, either in money directly (not everyone has flat-rate Internet access) or in time or bandwidth.
Filtering on the domains of network service providers (the most notable one being filtered is a company called Apex Global Information Systems or AGIS) casts far too wide of a net. For instance, it turns out that the first part of the IP address we had some time ago for our mailing list machine, 205.199.*.*, is the same as the first part of the IP address used by arch-spammer Cyber Promotions. People who thought they were being clever by filtering on the start of that IP address effectively filtered TidBITS out as well, causing us major headaches when we got the complaints about missing issues. Also, since it's so easy to hijack an SMTP server, filtering on IP addresses is just as doomed as any other technique. Cyber Promotions recently got kicked off this network by AGIS; they're threatening to build their own network - which would make them much easier to filter out.
ISP Filters -- Perhaps the problem should be pushed upstream, to the Internet service providers? After all, if they filtered the spam out before it hit our mailboxes, we wouldn't have to deal with it all.
Nice idea, but I think it's fatally flawed. After all, who's to say that ISPs can avoid filtering real email any better than you can? And if the ISP was doing the filtering, you'd never even know that email from some friend of yours was being caught by the filter. Besides, even if you're not receiving, and thus paying for, the spam, the ISP is. Why should an ISP want to pay to carry spam any more than you?
Glenn has a slightly different viewpoint on this and will discuss it in his upcoming article about stopping spam at the source.
Voluntary Restraint -- Spammers had talked about forming a voluntary organization, and the Internet Email Marketing Council (IEMMC) was formed under the aegis of AGIS to develop industry guidelines for unsolicited commercial email, establish lists of people who didn't want to receive spam, and monitor compliance. However, according to news accounts (see URL above), the IEMMC was allegedly thrown out of AGIS's headquarters at the same time AGIS discontinued service to three major spam companies. It's unclear what will happen next with the IEMMC. In any case, this idea was flawed from the start. Anyone who believes this kind of a proposal will stop (or even stem) the tide of spam, should look into the purchase of this very nice bridge I have for sale. It's just not logical - anyone can spam, and whether or not the industry group has good intentions, they can't stop others from spamming any more than anyone else can.
Legislation -- The final and, I've come to believe, only effective method of stopping spam is by legislation. If sending spam is illegal, then spammers will be subject to civil penalties, which, of all the methods discussed so far, pushes costs back on the spammers rather than forcing all of us to bear the costs of being spammed. Unfortunately, all the bills currently introduced just allow victims of spam to recover damages; none of them actually turn the spammers into real criminals.
Keep in mind, we're talking about legislation in the United States. But since the U.S. represents the largest consumer market on the Internet, bills that ban spam here should have repercussions elsewhere, especially in places where electronic privacy rights are already more highly protected, such as the European Union. If these bills drive spammers outside the U.S., it will become even easier to filter those sites out completely - cutting them off from the Internet, effectively - until they agree to stop. Most Internet traffic in and out of the United States flows over networks owned by a few U.S. companies; these companies might face fines if they fail to block spam from international sources.
There are four anti-spam bills being introduced before the U.S. Congress. The most direct is by Representative Christopher Smith (R-NJ); the other three are by Senator Frank Murkowski (R-AK), Representative Billy Tauzin (D-LA), and Senator Robert Toricelli (D-NJ). The four bills (others may be on the way) are not equal; three focus on opting out, and Smith's focuses on opting in.
Opting out means you have to ask to be removed from a list, but your request must be honored or the sender will face civil penalties which you can collect from them. However, there could be thousands or tens of thousands of lists you'd have to opt out from. Opting in means that a company can't send you a single piece of email without your request or your setting up a documented business relationship with them.
A small clarification about U.S. civil and criminal law, too, for those of you fortunate enough to never have had to tangle with either: Criminal law covers crimes prosecuted by the government. These may be ridiculous, but the penalties involve fines, jail time, community service, and other court-imposed duties. Civil law governs individuals' and companies' actions against each other, in which the final settlement generally involves either injunctions or consent decrees (in which one side agrees to stop or start doing something) or civil penalties (in which one side wins a monetary judgement against the other). The bills below all involve civil penalties, which mean you personally could file suit against the offender and, if you can prove their violation of the act, get cash money. In the case of spam, thousands or even hundreds of thousands of individuals could file civil claims across the country against single companies. Failure to appear in response to a suit often means a forfeit and having to deal with court-sanctioned liens. Since spammers annoy so many people, their financial risk would be enormous.
Current Bills -- Let's look at the current anti-spam bills. Senator Toricelli's <email@example.com> bill, to start with, makes a civil offense of any attempt to forge email addresses or create fake domains. Further, it requires that if you request to be removed from a list (opt-out), these requests must be honored. The civil penalties are $500 for sending mail to you after you opt out, and $5,000 for various forgeries or misuse of service provider resources. The bill doesn't provide for specifics of how fast you have to be removed from lists. It also doesn't specifically limit coverage to commercial email, so anonymously sent private email could be covered. It's possible that legislating private speech in this manner could be unconstitutional; commercial speech has always had less constitutional protection.
Representative William Tauzin's bill is also an opt-out bill, but is exceptionally vague. It essentially says that spam might be bad, and that spammers should voluntarily join an organization that will create guidelines for the industry. It doesn't specify civil penalties, and only appears to recommend that spammers honor opt-out requests. The bill provides relief to spammers in that if they join the trade organization, they're exempted from most penalties if they follow guidelines the group develops.
Senator Frank Murkowski's <firstname.lastname@example.org> bill is problematic. It would require spammers to label spam and avoid forgeries so ISPs can filter the spam at the server. Murkowski's bill graciously gives large ISPs one year to set up such filters, whereas smaller providers get two years. There are other provisions: users can request to be removed from spam lists, and must be removed within 48 hours; furthermore, ISPs would be forced to terminate service to anyone using their network to send spam without the required labelling and identification information. Penalties would range up to $11,000. These penalties could apply to ISPs if they fail to meet the bill's requirements, too, which has ISPs a bit nervous - it's not quite the Communications Decency Act, but it's potentially a case of "killing the messenger."
Unfortunately, Murkowski's bill forces the ISPs to pay for carrying the spam, not to mention the costs of setting up and maintaining software to do the filtering. The basic problem, though, is that Murkowski's bill is an "opt-out" system (I'm sure there are a few people who like to receive spam, but there are people who enjoy self-mutilation as well). Cyber Promotions, one of the largest of the spam companies, brags about having 9,000 customers. I really don't want to spend my days removing myself from every spam list around, especially when they can just be regenerated from new sources.
Representative Smith's bill is based on an amendment to the Telephone Consumer Protection Act 47 USC 227, the law that makes it illegal to transmit junk faxes and sets a fine of $500 per incident, payable to the recipient, and $1,500 per incident if it can be proven that the originator of the junk fax knowingly violated the law. The amendment resembles suggestions from CAUCE (Coalition Against Unsolicited Commercial Email), and would expand the law and the penalties to apply to junk email as well. The existing law has been tested, both in the real world and in court, and has been found both effective and Constitutional. Junk faxes are essentially unknown now because of it.
I've read through all of CAUCE's material, and I find them to be realistic and level-headed about the entire situation. I strongly encourage you to go to their site and read their explanations of why they feel legislation is the only course of action remaining. Essentially, CAUCE recommends an "opt-in" solution, where the only commercial email you receive is that which you ask for. If you agree with CAUCE's stance, consider joining and helping to spread the word... through non-spam techniques, of course.
There are tons of anti-spam resources available on the Internet these days - here are a few that I've visited. Note that they may have different opinions or propose different courses of action than I have above. Take everything you read here and elsewhere with a grain of salt. No one has a monopoly on the truth or even the one right way.