Complaining About Spam 101
Saturday, January 31, 2004
Posted by: Charles Oriez
Spam is like the weather. Everyone complains about it, but few do anything about it. If you reply to it with a nasty message, either your message bounces or it is delivered to someone whose e-mail address was forged and who had nothing to do with the spam.
What to do, and not to do, if you are on a mailing list that you do not want to be on
1. Never respond to remove-from-list instructions, unless you actually signed up for the list in the first place. An FTC study found that most removal instructions are fraudulent, and the net result is more spam, rather than less. By responding to remove-from-list instructions you are telling the spammer three things:
- Your e-mail address is valid
- You read to the bottom of spams
- You're very gullible
2. Never do business with a spammer. If no one ever did business with spammers, spam wouldn't be profitable. The Boulder Pledge, which was first proposed by Roger Ebert at the Conference on World Affairs at the University of Colorado in late 1996, and described in his column in the December, 1996 edition of "Yahoo! Life," reads, "Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community."
3. Never respond angrily to the e-mail. The originating e-mail address on spam is almost always forged. Usually, the address is non-existent. When it is a valid address, it belongs to someone whom the spammer decided to harass. By helping the spammer to flood the victim's mailbox with irate responses, you are aiding the spammer in his harassment campaign.
4. Complain effectively. The address may be forged, but there are hidden headers that any mail reader will reveal that may identify the source of the spam. Spamcop http://www.spamcop.net/ can help you do that. If you want to try it on your own, see my links to tools and tutorials at http://oriez.org/junkmail.html.
5. Remember to include a full copy of the headers of the e-mail in any complaint you file with the spammer's provider. Most providers will ignore spam complaints that exclude the original message's header information.
6. Remember that if you asked to be on a mailing list, it isn't spam until you ask to be taken off and they fail to do so. If you asked to be on a list, ask to be removed. It is important to follow the directions for unsubscribing from the list, as not all list removals work the same way. A list you opted into is different from lists that you never asked to be on; you are under no obligation to ask to be removed from the latter.
7. If your ISP or employer has a filtering system, report the spam to the filtering mechanism.
Running a mailing list responsibly
Let's look at the problem from the other side, for a moment. You're an AITP leader. You want to run an e-mail list so local members of the IT community can get information about AITP dinners. Or perhaps you run the local Linux user group, or want to provide information about your company's products and services to people who really want to receive it. Or you want to know about the updates to the software you have on your PC.
How does a list operator ensure that they aren't sending out spam?
Spam is a slang term for unsolicited bulk e-mail. There is nothing wrong with bulk e-mail. It is the unsolicited part that causes the problem. Ethical list owners do not want anyone on the list who does not want to be on the list. A good, detailed explanation can be found at http://mail-abuse.org/manage.html, which is also linked from the AITP legislative page in the spam-fighting section. What follows are some of the high points.
First, some definitions are needed. An opt-out list is a list where subscribers are added without their knowledge or consent, and they have to ask to be taken off. An opt-in list is one where an individual asks to be on the list and is added, without any check being done to confirm that the person doing the asking owns the address. A confirmed opt-in list goes one step further. The list owner who receives a request to add an address first generates an e-mail to that address asking the address owner to confirm that he wants to be on the list and that the address belongs to him. To see how a confirmed opt-in list works in practice, join the legislative committee discussion list from our AITP legislative Web page. Spammers, incidentally, will try to redefine our confirmed opt-in list as a "double opt-in" list and define something else as a confirmed opt-in list. How they can call anything confirmed that doesn't contain a confirmation step eludes me.
With an opt-out list, no effort is made to determine whether the subscriber wants to be on the list or not. This type of list is almost never justified, and almost always spam. The sole exception would be a list that you are subscribed to as a condition of employment or membership. The AITP board of directors has a list of its board members. Being a subscriber to that list is a condition of being on the board. Any company is certainly entitled to create and use an e-mail list of its employees' office e-mail addresses and probably is even entitled to create a list of their home e-mail addresses. This is not to say that e-mail lists should not have an opt-out function. Even if I were legitimately asked to be on a list, I am entitled to change my mind. I'll discuss that opt-out function in more detail later.
An opt-in list without a confirmation function is a disaster waiting to happen. Without the confirmation step, you have no evidence that the person whose e-mail address got added to the list really asked to be on the list. My wife once asked me to add her new office e-mail address to a list. I did, but got her domain name wrong. The domain I used by mistake happened to be valid, and her e-mail address was still valid on that wrong domain. The domain owner complained. Fortunately, the list had the confirmation step in place, so other than the confirmation message the unintended recipient would never have received any messages from that list even if he hadn't complained. The same problem occurs if a subscriber on a large domain like AOL transposes a character by accident. Not all of the inaccurate subscriptions are accidental. One of your competitors could subscribe people to your list whom he knows will complain if they receive spam. Without the confirmation, those complaints would actually be valid, and your domain could be shut down.
A confirmed opt-in list has that extra step in it that makes sure that the person really wants to be on the list, and gave you a valid address. If they do not respond to the confirmation message, either because the address doesn't exist or because someone other than the address owner entered it, the address doesn't get added. The best process will have a unique, unguessable token in the confirmation string as an added security measure. If, six months later, the person complains that they never asked to be on the list, you will have the confirmation message as evidence to the contrary.
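The confirmation step described above can be sketched as follows. This is an added example, not code from the article or from any list software it mentions; the class name, the seven-day expiry and the record fields are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # assumption: pending requests expire after 7 days


def _digest(token):
    # Only the hash is stored, so a leaked pending table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class ConfirmedOptInList:
    def __init__(self):
        self.pending = {}      # sha256(token) -> (address, requested_at, request_ip)
        self.subscribers = {}  # address -> record kept as evidence of consent

    def request(self, address, request_ip, now=None):
        """Log a signup request and return the token to mail to `address`."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[_digest(token)] = (address.strip().lower(), now, request_ip)
        return token  # goes only into the confirmation e-mail

    def confirm(self, token, confirm_ip, now=None):
        """Add the address only if the token is known, unused and unexpired."""
        now = time.time() if now is None else now
        entry = self.pending.pop(_digest(token), None)  # single use
        if entry is None:
            return None  # guessed, mistyped or already-used token
        address, requested_at, request_ip = entry
        if now - requested_at > TOKEN_TTL:
            return None  # no reply in time: the address is never added
        self.subscribers[address] = {
            "requested_at": requested_at, "request_ip": request_ip,
            "confirmed_at": now, "confirm_ip": confirm_ip,
        }
        return address


if __name__ == "__main__":
    mailing_list = ConfirmedOptInList()
    # Constructed sample: signup from a documentation-range IP address.
    t = mailing_list.request("member@example.org", "192.0.2.10")
    print(mailing_list.confirm(t, "198.51.100.7"), mailing_list.subscribers)
```

The stored record (request time, confirmation time and the addresses both came from) is what the list owner can produce if a subscriber later disputes having signed up.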
Once on a list, it must be easy to unsubscribe. I recommend a Web-based unsubscribe function rather than one asking the subscriber to send an e-mail, since the subscriber may no longer have access to the e-mail address from which they subscribed. So, to run an effective unsubscribe process, I recommend:
- Provide unsubscribe instructions in every e-mail
- Provide a means for a list member to contact a live person if problems arise
- Handle the unsubscribe process via a Web page. E-mail can be an option, but not the sole option
It is important to respect the intentions of list subscribers. I recently provided the Denver Broncos with my e-mail address for communications related to my football season tickets. When the address I gave them showed up on a mailing for the Colorado Rapids soccer team, a team with which I had no prior business relationship and from whom I never consented to receive e-mail, the communication was reported to their ISP as spam. Because of multiple spams and multiple complaints, the IP address that this spam came from was listed as a spam source by Spamcop, and the traffic was blocked.
Lists should have acceptable use policies, a well-defined complaint process and diligent list administrators who take swift action against list abusers. A responsible list owner also responds quickly to complaints from list members when one member abuses the list by violating the list's policies.
Follow these procedures and respect the wishes of your list subscribers, and you'll have many years of happy communications without accusations of being a spammer.
Charles Oriez has an MS-CIS from the University of Denver and writes and speaks on e-mail issues in the Denver area.