You've got SPAM!

Sure, Flyers are annoying. Sure, we might be sick of the MMMyriad of commercials for title loans and ways of Living even closer to the line than $$paycheck to paycheck$$. We're uneasy opening the door to Strangers trying to $ell us things...

...but that Pales in comparison to the Number of con men, scam artists and downright Lies that are waiting to FILL up your electronic Mailbox.

If they Haven't found you yet, then you either have a .mil or .gov E-mail address, or you're Lucky so far. Don't let them Find you!

WHAT'S THE PROBLEM?
"I don't get any" or "Just delete it" or "E-mail's free anyways"?

If you have a .mil or .gov e-mail address, i.e. you Work for the military or government, you are Unlikely to get much spam. Why? The folks doing the Spamming want to stay under the )))Radar. If politicians see none of this at Work, they're unlikely to see it as much of a Problem. If there's no Problem, then why seek a Solution?

Flyers come the closest to the "Invasiveness" of spam. You have to go >-Through-> them to get at your regular mail. However, unless the companies that make the flyers are Psychopaths, they are unlikely to send you the Same flyer 15 times a Week, every Week. Why? It's because they bear some of the Co$t; paper, printing and distribution aren't Free. (Some flyers are even Relevant and useful because they're Local and for Real businesses)

Spamming, on the other hand, is predicated on Theft of service. You're paying to pick it up. Your Service provider is paying to try and block some of it. You're paying for the electronic mailbox it's being held in (and Just like with too many flyers, if you get too much Spam, real mail won't fit in your Mailbox any more). If you're >forwarding or receiving your mail on a Mobile phone or PDA, you're not only typically paying More, but you're getting intrusive ((Alerts )) that have N0thing to do with friends, family or Job.

Over a 2 week period, I received in excess of 150 (actual number 153) pieces of Spam. This is now normal traffic for my Mailbox. The highlights Include:

Not to Mention the e-mails for enlarging your Gonads, getting fake Diplomas (i.e. diplomas from "non-accredited Universities" for money), or the highly dangerous African scams... (see Here for the vast variety and some interesting 'Counterstrikes' against the Scammers)

MISDIRECTION
bigbum@hotmail.com says he's following the rules...

Just a little tidbit... if you receive a spam Saying that it's from hotmail.com... you can be 99.5% sure that it Did not come from Hotmail.

The Vast majority of spam headers are faked. If someone has the Right piece of software (or codes it themselves), they can Fake the From:, the Mailer:... they don't even Have to have your name listed in the To: (Think of how the BCC/Blind Carbon Copy works), and often times will Address it to someone else to make it look like you somehow Received it "by mistake". Make no mistake... they Meant you to receive it.

This means that you have to work ,`Harder to actually complain to the Right people...

What you Usually see in your e-mail package are the Abbrev.iated headers for the e-mail. Most e-mail packages have a way to see the FULL headers. These often begin with Received: from and contain Information about how the e-mail got to you. Wait... it gets worse before it gets Better...

Spammers can't completely fake this information, but they Can do something almost as bad by Ins_erting some fake information. They can also route mail through someone else's badly-Configured mail server to further hide their identity (These badly configured mail servers which relay Mail that doesn't start or end at the mail server are called Open relays). This can make it tough to trace by Hand...
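The by-hand trace described above, as an added Python example (not part of the original page): it walks the Received: lines from newest to oldest and stops trusting them at the first line not written by one of your own mail servers. The message, host names and IP addresses are constructed, and the trusted host list and the "from HELO (rdns [ip]) by host" layout are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; hosts and IPs are placeholders from documentation ranges.
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP; Mon, 1 Jan 2001 10:00:03 -0500
Received: from relay.example.org (unknown [198.51.100.7])
\tby mx.example.net with SMTP; Mon, 1 Jan 2001 10:00:01 -0500
Received: from hotmail.com (mail.hotmail.com [203.0.113.99])
\tby relay.example.org with SMTP; Mon, 1 Jan 2001 09:59:00 -0500
From: bigbum@hotmail.com
To: someone.else@example.net
Subject: constructed sample

body
"""

# Assumed layout: "from HELO (rdns [ip]) by host"; real servers vary.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def trace(raw, trusted_hosts):
    """Walk Received lines newest-first; stop trusting at the first line
    that was not written by one of our own servers."""
    msg = message_from_string(raw)
    handoff, unverified, in_trusted = None, 0, True
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if in_trusted and m and m.group(4).lower() in trusted_hosts:
            handoff = {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}
        else:
            in_trusted = False      # everything from here down is sender-supplied
            unverified += 1
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Compare only the reverse-DNS name our server looked up; HELO is sender-chosen.
    rdns = (handoff or {}).get("rdns") or ""
    matches = bool(from_domain) and rdns.lower().endswith(from_domain)
    return {"handoff_ip": handoff and handoff["ip"],
            "unverified_hops": unverified,
            "from_domain": from_domain,
            "from_matches_handoff": matches}

if __name__ == "__main__":
    print(trace(RAW, {"inbox.example.net", "mx.example.net"}))
```

The handoff IP is the address to look up when deciding whose abuse desk to report to; a From: domain that does not match it is a hint of forgery, not proof, since legitimate mail can pass through other relays.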


Fortunately, there is a little bit of Help out there. There's SpamCop **1, which can do a bang-up job of Sorting through the faked crud and help you submit Reports. There's also SamSpade, a browser that can Interpret e-mail headers and let you Safely surf without being hijacked. (NOTE: www.samspade.com sells spamming services. Yeah, Nice to make it close to the www.samspade.org, you Jerks)

With these Tools comes some responsibility, of course. Make sure you don't report a mailing list you're a Regular subscriber to (it happens). I'd advise a relatively Simple rule: if they fake it, bake it. If it says it's from hotmail or lycos and it's not, or the Removal address is bigpeepee47@excite.com, or the List of names is large and alphabetical and all from the Same domain, then Report it!

An +Additional note: claims of compliance with Laws are lies; claims of pending lawsuits or Charges for 'interference' are lies. It's all a Game to make you less sure about Reporting them. Here's an Exercise... the next time you see a notice saying "This e-mail complies with Bill S. 1618..." try Looking up the bill (you'll find that not only did it not Pass, but that the e-mail doesn't even comply with the bill Anyhow. Surprise, surprise :)

Think about this, too: Why would you want to do business with people who want so badly to hide their identities from you?

PROTECTION
A rough guide on how not to get the disease

There are several ways spammers can get your e-mail Address:

WEB PAGE
If you have a web page, and you've put in a link that people can click to send an e-mail to you, then an e-mail address-harvesting "spider" program (so named because it can crawl around the web :) can interpret that same link and add it to a spammer's database. It doesn't have to be your own web page, either. If you've posted your e-mail address in a public guestbook or chat room, it is potentially harvestable there, too. Make sure you're safe by seeing whether another user can see your e-mail address or not.

You can add nonsense to your e-mail address and explain how to get rid of it (preferably in a format a computer can't figure out but a human could). Your only other defense is not to care about the e-mail account you're using.

Tip 1: Use an e-mail address for friends and family, but use at least one different e-mail address for your online activities, preferably addresses you can throw away

NEWSGROUPS
If you post to newsgroups using your real e-mail address... that's just begging for trouble!

Tip 2: If you post to newsgroups, munge your e-mail address

DICTIONARY ATTACK
If your e-mail address is simple, spammers have another tool at their disposal: the "dictionary attack". The theory is pretty simple: take a database of names, and try sending to every possible combination of names, initials and numbers (e.g. 'alan' + 'm' + '39') at a given domain. The bigger the service provider, the more likely that a dictionary attack will be used, such as on AOL or AT&T. If the spammers are looking for bounces (and since they're taking the time to do a relatively 'expensive' dictionary attack), your e-mail address won't bounce, and they will add it to a list and sell it.

Keep yourself in the clear with an unpredictable name. Make it as long as possible if you can. Put numbers in odd places in your e-mail account name if you can. Use unusual words if you can... but make sure you can still remember it all! If you're "jsmith@aol.com", don't be surprised if you still get spam regardless of all of your other precautions.

Tip 3: Use moderately complex e-mail addresses to avoid dictionary attacks

SELL-OUTS
Someone, some unscrupulous or naive bastard, may decide to sell a list of e-mail addresses they have access to... including your e-mail address for extra cash, as a typical business practice, or in revenge. If you have the patience and setup for it, using a separate e-mail address when subscribing to each web site or service you sign up for (or even online draw you enter!... like I said, patience), then you can at least track down where the breach occurred.

You'll be in a position where it does not matter so much - you can just abandon that e-mail address - but do "discuss" the situation with the company involved. After all, they likely have now screwed over hundreds of folks (who don't have your resources) into receiving unwanted spam.

Tip 4: Help others by tracking down sell-outs

REMOVAL LISTS
Have you looked at that removal web site address or e-mail address they're giving you? Who do you think runs it? Is "http://61.129.81.52/remove/remove.htm" likely to honour your remove requests? How about "cigarsmoker2000@yahoo.com"?

The sad, probable truth about these removal lists is that it's unlikely (but possible) that it will remove you from that one spammer's list, but in the world of spam e-mail addresses, you have given them something really valuable... a verified e-mail address. They can sell this. Not for very much, mind you, but a cleaner list is faster and easier to send to than an uncleaned one. You won't get a confirmation of removal by e-mail. You now have only 240 more removal sites to visit to get them all. You will likely get more spam.

If you have access to throwaway addresses, I advise a simple experiment. Next time you get a piece of spam with a removal address in it, put together a throwaway address with the wackiest, longest, most random name you can. Then enter that name on the removal site. It might take a while, but you'll know incoming mail isn't going to be the result of a dictionary attack.

Tip 5: Never respond to remove requests

IMAGES AND JAVASCRIPT
HTML e-mail sure is pretty. In being pretty, though, it can identify to the spammer that their e-mail got to you. If you're just web-browsing, there's no way that someone can find out your e-mail address. If you're looking at a piece of spam, though, it can be just like you typed in your e-mail address on their website. How can this be?

There are two things that susceptible mail browsers do to make you vulnerable like this: load external (not embedded) graphics, and run javascript. Spammers will include an image tag like this: <img src="http://1.2.3.4/spammy.cgi?youremailaddress.com"> When Outlook Express sees this in your e-mail, it goes out and tries to grab that image for display. The image comes up, you're none the wiser, and the spammer has now verified your e-mail address.

The other technique, Javascript, simply has to include a Javascript popup to a web address that uniquely identifies you. If a web window comes up while you are browsing your mail, it's too late. If you can disable Javascript, do so. Be aware that many products keep Javascript on, even in "High Security" mode, unless you specifically turn it off.

If you're using a vulnerable product, there's likely to be little that can be done. You can make yourself a little safer by disabling the preview window and NOT opening the spam e-mails (in Outlook, this means that you won't be able to report Spam because you can't get to the e-mail headers without opening the e-mail). The only alternatives are to find an e-mail client that isn't vulnerable or can be set to be not vulnerable (Eudora is vulnerable by default, but you can go into Tools->Options->Viewing Mail and uncheck the "Use Microsoft's Viewer" box), or find a service that can filter that kind of spam out (if anyone knows of a service that covers both Javascript and external, but not embedded, images, please let me know).
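One way to check an HTML message body for the two mechanisms described above before letting a mail client render it, as an added Python example (not part of the original page). The sample body, the recipient address and the finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class BeaconScanner(HTMLParser):
    """Collect markup that makes a mail client contact a remote server."""
    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self.findings.append(("script", src or "inline"))
        for name, value in attrs:
            if name.startswith("on"):            # onload=, onerror=, ...
                self.findings.append(("event-handler", name))
            if tag == "img" and name == "src" and value:
                self._check_image(value)

    def _check_image(self, src):
        if urlsplit(src).scheme not in ("http", "https"):
            return                               # cid:/data: images are embedded
        # A URL carrying the recipient's address confirms delivery when fetched.
        tagged = self.recipient in unquote(src).lower()
        kind = "tagged-remote-image" if tagged else "remote-image"
        self.findings.append((kind, src))

def scan(html, recipient):
    scanner = BeaconScanner(recipient)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample body; 192.0.2.1 is a documentation address.
SAMPLE = """<html><body>
<img src="cid:logo@local">
<img src="http://192.0.2.1/spammy.cgi?reader%40example.net" width=1 height=1>
<img src="http://192.0.2.1/banner.gif">
<script>window.open("http://192.0.2.1/hit?id=4711")</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE, "reader@example.net"):
        print(kind, detail)
```

An untagged remote image can still identify the reader if the spammer sends each recipient a unique URL, so a filter built on this should block every remote fetch rather than only the tagged ones.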

I'll list susceptible and safe products here as I find out about them.

Tip 6: Don't use vulnerable products

Once an e-mail address is out in "the wild", there's no getting it back again.

LEGISLATION
A proposal

There are two things I want to address here: Subscription practices, and Mailing practices.

There's an interesting matter of naming conventions between "Direct marketers" and spam-fighters. It concerns a Method of "opting-in" to receive mail. There is a Method in which you sign up for a list, it sends you an e-mail, and you Reply to that e-mail, or type in the Code inside that e-mail or what have you...

The Direct marketers call this "Double Opt-In". Spam-fighters call this "Confirmed" or "Verified" Opt-In. There is a passionate debate on this subject. What I think it boils down to are these few Points:

It's not that I have a problem with the concept of Single/Unconfirmed opt-in itself (Although I worry about the potential for abuse), but I feel there should be some civil liability for the Company that runs the list or a third party for Signing up unwilling participants en masse. Running a "millions" (of e-mail addresses) list through the E-mail server does not count as any "opt-in". The onus should be on the company not to lose its Opt-in and opt-out records, with but a small grace Period for problems caused by faulty hardware (as an Extenuating circumstance, not a de rigueur Defense).


As to mailing practices... one simple rule first: No falsification of headers for commercial e-mail. P.e.r.i.o.d. The End. (Even enacting that simple rule would either cut down or 'legitimize' my Spam to about 5% of its current flow)

Other e-mail practices that I would recommend should be made Illegal or liable for Civil damages:

The focus of the above is to recognize that mailers must Respect users' rights to privacy, and not Trespass on the users' hardware (scripting in this Belligerent manner should be treated as though it were a Worm attack)... I don't care much either way about whether "ADV:" is used in Front of advertisements, though I do think it questionable Behavior to add random numbers to subjects (I believe it is done expressly to bypass simple e-mail Filters), or large unique alphanumeric strings to the e-mail (I believe that is done sometimes to track down people trying to report Spam through some sort of Anonymizing service, and sometimes as a "Hashbuster", to screw up e-mail filters that work on Hashes or checksums to filter out unwanted Mail)


As always, I invite Comment... Fight the Good Fight!

Footnote **1: For those of you who have been on "the wrong side" of a SpamCop report, please don't overreact. People spend a lot of time going through their mailboxes to track down spammers and open relays. If the reports are overwhelming in the "abuse" mailbox, you can ask SpamCop to deposit them in a special mailbox. If it was someone reporting a mailing list they subscribed to, report them back to SpamCop; there is precious little patience for SpamCop users who use the service inappropriately. If it's a report of an open relay, pay attention - sometimes it's the sign of other potential breach points as well.
