I know there are some people in the world that never get spam email, but unfortunately I am not one of you. Between my email being publicly available on the Internet for the past few years and the fact that I have to sign up for all sorts of random things with a real email address, it’s just added up, and I get inundated. It’s funny to talk to others about spam email. Either they understand because they, too, have fallen victim to the scourge of the Internet, or they look at you like your advanced-stage leprosy has caused you right ear to fall off and your left leg to rot.
So, in the interest of protecting the reputations of those of us who unwillingly receive tons of junk mail a day, let’s take a look at how and why spam reaches our inboxes. Hopefully some who read this will learn something new, others will realize the errors of their ways and stop calling their spam-laden friends perverts, and still others will pick up a few hints about how to avoid becoming a victim (in the cases where it can be avoided, that is).
Remember one thing walking into this: Spam is almost completely about money. If there wasn’t a potentially big payoff in sending spam, no one would do it. If people did not reply to spam email messages and offers, no one would do it. It’s a business, albeit one that most of us hate with a passion.
Before I get too far down this road, let me say that every day I receive in excess of 200 junk mails in just one of my email accounts. I have other email accounts that get none. So, since I am one person with multiple accounts, something tells me the issue here is not me personally, but instead about how the world of email and spam works, and how the spammers started using my email address in the first place.
The fact of the matter is, much of what many people believe about spam and how one starts getting it is patently false. Certain assumptions are correct, although often the facts are twisted around, and people often wear blinders, assuming there is one root cause or one simple solution. It’s not that easy, friends. So, here are a few (admittedly random) things I think everyone should know about spam:
Myth Number One: If You Get Spam, You Must Be One Of Those Porn Surfers
Just like in junior high school, where your friends laughed at you and pointed in the hallway when they found out you did THAT (never mind that it wasn’t true, of course), people tend to assume that if someone gets spam email, it’s because they went to an “adult” web site and registered with their credit card and email address. As a result, you were added to an email list, and so now you get tons of junk email about V1agra and S3X – but hey, if you get that kind of email, it’s entirely your fault and you got what you deserved.
Not true. As someone who has *never* registered for online porn or anything even resembling such, especially with my work email address (I mean, come on, how stupid can a person get?), I can tell you that you don’t need to be a perverted Internet sex addict to become a spam victim.
I can also tell you that people really do think along the lines of this particular myth. Not many, but at least some do: A couple of years ago, I was standing in front of the entire company, showing off the new secure, web-based email interface. I switched from the PowerPoint slide to the browser where I had my email account open, and sure enough, right there on the screen was a spam email with the words “XXXPORN SUPERSTORE” in bold red letters. Luckily it was just text in the email, and while surprising to many, there was nothing vulgar displayed. Needless to say, many laughed and I still get (lighthearted and friendly) comments about it to this day. A few people followed the pattern of the myth and assumed I *must* have signed up for porn using my work email account (uh, yeah, sure), while others stopped by to see me later and tell me privately that they, too, had a problem with nasty, offensive spam and that they had no idea why or where it came from. It wasn’t long before we started working on ways to combat the spam at work. More on that later.
Myth Number Two: It’s Completely Your Fault
Another assumption people make is that if you get spam, it’s because you signed up for *something* somewhere on the Internet and voluntarily made your email address available when you filled in a registration form. If you had not done that, they say, you would not get the spam email.
Similarly, some say that if you get spam, it’s because you must have posted your email address somewhere on the internet, like on a web page, and so you advertised it for spammers to eventually find (this is one form of a technique called email address “harvesting”). And so – again – it’s all your fault.
Ok, so it is true that if you register with your email address on a web site that does not respect privacy, or if you put your email address on a web site somewhere, you could end up becoming a spam victim. It’s reasonable to say that these are two ways email addresses might get on a spammer’s list. However, it’s important to understand that you don’t *have* to do these things in order to get on a junk email list. There are many other ways, and some take no action on your part. More on that below.
Myth Number Three: People Who Get Spam Are Irresponsible, Don’t Think Ahead, and Cannot Be Trusted
This sounds almost comical, I know, but I actually stood on the edge of a conversation where one person said to another (seriously), “I would never hire anyone who gets spam email. It’s just an indicator they don’t know what they’re doing and that they’re basically stupid.” Wow. If there was ever a false, way-over-the-top generalization made about junk email, this has to be the one. The guy who made the statement was serious as a heart attack, and went on to explain that because people can completely avoid spam if they would just be more careful and use common sense in the first place, spam was an example of how you can tell whether or not someone will be a good employee. He even includes the question, “Have you ever received spam email, and if so what do you think about it?” in his interviews. I’m just glad this guy doesn’t work at my company. If he wasn’t actually serious, I’d laugh, but the fact of the matter is there are people out there who make off-the-cuff, uninformed decisions about lots of things based on completely irrelevant data. Amazing.
Myth Number Four: Spam is Totally Preventable – You Just Didn’t Do Enough
People just don’t seem to get it. Spam is *not* totally preventable. While there are ways you can protect your email address from getting on spam lists, there is no sure-fire set of things you can do that will guarantee your account will stay junk-mail-free.
By way of example, I set up a catch-all account on a domain I own recently. Any email sent to any email address on the domain was all funneled into this one email account. I did not set up a web site, did not set up or submit any email addresses anywhere. I just set up the brand new domain with it’s single show-me-everything email box and waited.
Within a few days I started receiving spam at random addresses on the domain. Some of them you might expect: email@example.com and firstname.lastname@example.org for example. But others were more creative and sneaky. Random first initials and last names, first names followed by last initials, common first and last names combined, etc.
So, there’s the proof – you don’t have to sign up for anything, post your email address anywhere, or take any action at all to start getting spam. Now, granted – if you are not prudent about how you handle your email address or if someone else mishandles it (intentionally or otherwise), you are more likely to fall victim. But sometimes you just have to do nothing.
Myth Number Five: Out-of-Office Auto-Replies Are Totally Cool and Make My Life Easier
Ah yes, the ol’ OOF autoreplier – You know, it’s that thing that shows up in your mailbox when you send a friend or colleague an email and they happen to be, say, on vacation, or maybe at the mall shopping instead of working.
What, you ask, is so bad about that? And what does it have to do with whether or not I receive spam email?
Glad you asked.
Let’s say someone sends a spam email that happens to be directed at your email account. Here’s what happens.
1. Email sent by sorry, good-for-nothing spammer
2. Arrives at your email box
3. Your server sends your out-of-office autoreply back to the reply address specified in the spam email
4. That reply address is monitored
5. Spammer checks the account your server replied to, sees your autoreply, and thus has confirmation your mailbox is legitimate, working, active and – therefore – valuable to him/her.
6. Spammer adds your address to the list of email addresses confirmed to be good – the gold list, so to speak
7. Spammer sells gold list of known-working email addresses to other spammers for a premium
8. You get more (and more and more and more) spam
Moral of the story: Don’t use Out of Office autoreplies, or configure them so they only work for internal emails. And yes, I know there are legitimate business reasons for wanting to use them – it’s a trade-off decision that has to be made. You just need to understand the potential effects.
Myth Number Six: Antivirus Software Has Nothing to Do With Spam
Wrong again. AV software certainly can protect your computer and its data from damage, theft and a lot of other nasty things, but what you may not have known is that it can also protect you from becoming a spam victim. The only problem is, everyone has to use AV software (and use it correctly) for it to really work.
For the uninitiated: A “Worm” is a virus-like application that replicates via email. Generally speaking, once they get on your computer they scan your system in a few common places (address books, cached web pages from sites you have browsed, text files, documents, etc.) for email addresses. *Any* email addresses. They then use those email addresses to send emails (which generally include an attached copy of the same worm) to the email addresses found on your computer. So, you see how it works – the worm sends itself all over the place, to thousands of people, and each step of the way it collects email addresses so it can send itself again to more victims.
But wait a minute – that’s not always the extent of what they can do. In addition to installing other software that might, for example, allow a hacker to gain access to the files on your computer or to use it to launch attacks against other computers, some worms take those email addresses and (as long as they are being gathered) send the addresses off into cyberspace where spammers and others can get them.
So, in other words, if you don’t use anti-virus software on your computer and you get infected with one of these harvesting worms, you’re not only making yourself a victim – you’re dragging along all the innocent people listed in your address book and the other files where the worm does its harvesting, as well.
Using current AV software is part of being a good Net citizen. By doing so you protect more than just yourself.
Myth Number Seven: Well, That’s All Fine and Good, But There’s Nothing You Can Do About It Once It Starts
Again, not true. There are a number of companies out there that sell software that is quite effective at blocking spam from reaching you or your end users.
Why would you want to use it?
If you’re an individual, then you want to rid yourself of the mess. Maybe it offends you (depending on what kind of spam you get). At least you’d like to segregate email that is determined to be likely spam so you can filter through that separately from your legitimate email.
If you’re a person with responsibility for a company’s information systems, the reasons are bigger and more important. You have a responsibility as an employer (or the agent of an employer) to make sure the working environment is positive (or at least not offensive or hostile). Depending on the type of spam email your end users are receiving, you may have a responsibility to them to make sure you are doing what you can to combat the problem. Remember, ignorance is not bliss. And as easy as it is to put measures into place to help curb spam these days, not doing something when there is a problem is – truly – ignorant.
Where I work we use Mailfrontier’s anti-spam gateway. There are a number of other products from a variety of vendors that also do a good job. But for our part, we like what we’re using just fine; Mailfrontier is highly customer-oriented as a company, and continually combats the latest techniques spammers are using to get their junk through to you.
Myth Number Eight: If I click the link to remove myself from the spammer's list, I will stop getting spam from that sender
Please hear me on this one. I know people would like to believe that spammers are good, honest, ethical people just trying to make ends meet, and that they follow industry-accepted standards for conducting business. We all want everyone to be good and wholesome people, concerned primarilly with doing the right thing, always telling the truth and helping old ladies across the road.
But in the real world - not true.
Spammers want to know if you receive their email, because if you do, they can sell your email address to others and make more and more money. The best spammer email address list is the one that contains the highest percentage of known-good email addresses.
So, when you click to “unsubscribe,“ more often than not you are not actually unsubscribing. Yes, I realize you may be shocked at the dishonesty of it all, but there's a good chance the spammers are simply tricking you into clicking a link that simeply lets them know you received their spam email. You never get taken off the list.
On a related note, people who are using Outlook 2003 (and when Windows XP SP2 comes out, Outlook Express will also include this behavior) have probably noticed that Outlook blocks images from being loaded from Internet servers unless you specifically allow them to be loaded. Why? Because the address used to contact the server and load the image can contain a code that uniquely identifies you, thus (again) validating your email address.
UPDATED: My friend Travis emailed me with some valid comments about Myth Eight:
I think the validity of the unsubscribe link is directly proportional to the legitimacy of the spammer's business. If you get porn spam, or "V1AGRA" ads, you're probably better off not clicking the link, sure, but ads from job posting sites and such generally do actually unsubscribe you if you click.
That's a good point. Travis continues with his own opinions about spam:
Spammers should be punished by death. A brutal, painful, horrible death. Something that's probably specifically in the "cruel and unusual punishment" class.
Spam sucks. There’s no one root cause. You can’t always prevent it. But there is something you can do about it.
Anyhow, when it comes to spam, that’s about all I have to say about that.