What is Spam?
Ideally, spam should be stopped by ISPs and IT departments before it reaches individual in-boxes. This kills two birds (spam and network traffic) with one stone. But if your company or your personal ISP isn't getting the job done, you'll have to fight spam from the desktop.
How do these products identify spam? Most use more than one method. Deersoft's SpamAssassin, for example, checks messages against various real-time black hole lists, or RBLs, which are public catalogs of known spammers and of open relay servers that spammers use as conduits for their messages. (The danger is that nonspammers occasionally get placed on RBLs, and removal is problematic.) SpamAssassin also looks for words or phrases typical of spam. And it examines the header of each message, looking for signs of the circuitous routing spam typically takes.
Brightmail, whose software blocks spam for such ISPs as WorldNet and EarthLink and such corporations as Cisco and Microsoft, operates a network of undisclosed e-mail accounts. Mail delivered to these accounts is by definition unsolicited. Using proprietary algorithms, Brightmail boils each piece of spam down to a specific signature, a unique way of identifying the message, and compares the signatures with customers' mail.
Cloudmark's SpamNet takes another approach, relying on a user community, not dummy mailboxes, to identify spam. When a user receives a community-designated spam, it's removed from the in-box. MailFrontier and Mailshell use similar techniques.
Of course, since the definition of spam differs by person, many antispam products let you train their engines to adjust what they block. Some let you set up your own blacklist, designating specific addresses to block. In other cases, you can fine-tune the spam identification
Yet, even with training, some spam gets through. The consumer products we tested typically blocked about 75 percent of spam; the corporate products, 85 percent. Worse, these tools can block legitimate messages. Avoiding these false positives is perhaps antispam vendors' toughest task. To block enough spam, they must be aggressive, but if they're too aggressive, they're likely to cause false positives. If you must continually search your quarantine folder for false positives, you might not be saving any time.
Most programs let you specifically white-list (allow mail from) senders, but this has limited effectiveness. It's a balancing act. In fact, our Editors' Choice for personal antispam didn't stop the most spam, nor did it have the lowest false-positive rate; instead, it had the best balance between the two.
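As an added illustration of the detection methods described above and of the block-rate versus false-positive balance (this is example code, not SpamAssassin's, Brightmail's, or any product's in this roundup), here is a toy scorer that combines an RBL lookup, phrase rules, a routing-header check, and a body signature with a user black-list and white-list, and then measures block rate and false-positive rate at different thresholds. The RBL entries, phrases, signature, and messages are all constructed for the example.

```python
"""Toy multi-method spam scorer (added example; every list, rule and
message below is constructed, not taken from any real product)."""
import hashlib
import re

# Constructed stand-in for a real-time black hole list (RBL): addresses of
# known spam sources and open relays. A real filter would query DNS.
RBL = {"198.51.100.7", "203.0.113.9"}

# Phrases typical of spam, each with a score weight (constructed).
SPAM_PHRASES = {"free money": 2.0, "click here": 1.0, "act now": 1.5, "no risk": 1.0}


def signature(body):
    """Signature in the spirit of a shared spam-trap database: a hash of
    the normalized body, so case and whitespace changes still match."""
    normalized = re.sub(r"\s+", " ", body.lower()).strip()
    return hashlib.sha256(normalized.encode()).hexdigest()


# Signatures of spam already seen (constructed).
KNOWN_SPAM_SIGNATURES = {signature("FREE MONEY click here act now")}


def score_message(msg, blacklist=(), whitelist=()):
    """Return (score, reasons) for a message dict with keys 'from',
    'received' (list of relay addresses from the header) and 'body'."""
    reasons = []
    score = 0.0
    sender = msg["from"].lower()
    if sender in whitelist:                      # user white-list wins outright
        return 0.0, ["sender white-listed"]
    if sender in blacklist:                      # user black-list
        score += 5.0
        reasons.append("sender black-listed")
    for relay in msg["received"]:                # RBL check on every relay
        if relay in RBL:
            score += 3.0
            reasons.append(f"relay {relay} on RBL")
    if len(msg["received"]) > 3:                 # circuitous routing
        score += 1.0
        reasons.append("circuitous routing")
    body = msg["body"].lower()
    for phrase, weight in SPAM_PHRASES.items():  # phrase rules
        if phrase in body:
            score += weight
            reasons.append(f"phrase '{phrase}'")
    if signature(msg["body"]) in KNOWN_SPAM_SIGNATURES:
        score += 4.0
        reasons.append("matches known spam signature")
    return score, reasons


def evaluate(messages, threshold, **kw):
    """Return (block rate on spam, false-positive rate on legitimate mail)
    for a list of (message, is_spam) pairs at a given score threshold."""
    blocked_spam = blocked_ham = spam = ham = 0
    for msg, is_spam in messages:
        score, _ = score_message(msg, **kw)
        blocked = score >= threshold
        if is_spam:
            spam += 1
            blocked_spam += blocked
        else:
            ham += 1
            blocked_ham += blocked
    return blocked_spam / spam, blocked_ham / ham


# Constructed labeled sample: two spam messages, two legitimate ones.
SAMPLE = [
    ({"from": "deals@example.net", "received": ["198.51.100.7", "10.0.0.1"],
      "body": "FREE MONEY click here act now"}, True),
    ({"from": "promo@example.net",
      "received": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"],
      "body": "No risk offer, click here"}, True),
    ({"from": "boss@example.com", "received": ["192.0.2.10"],
      "body": "Please act now on the budget; no risk of delay"}, False),
    ({"from": "friend@example.org", "received": ["192.0.2.11"],
      "body": "Lunch tomorrow?"}, False),
]

if __name__ == "__main__":
    for threshold in (5.0, 3.0, 2.0):
        print(threshold, evaluate(SAMPLE, threshold))
    print("with white-list:", evaluate(SAMPLE, 2.0, whitelist={"boss@example.com"}))
```

Lowering the threshold from 5.0 to 2.0 raises the block rate on the sample spam from half to all of it, but the legitimate budget message (which happens to contain "act now" and "no risk") then becomes a false positive; white-listing that sender removes the false positive at the same threshold, which is the trade-off the text describes.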
1. Guard your in-box. Don't give out your e-mail address to anyone but the people you actually expect to correspond with. For dealing with everyone else, see tips 2 through 4.
2. Use free Web mail accounts. For merchants and legit others you don't correspond with regularly, use Web mail, such as Hotmail's or Yahoo!'s. You can abandon it if it gets spammed. Many have spam filtering built in.
3. Use a disposable e-mail address. Disposable e-mail addresses are great in-box insulators. Give them out in place of your real address, which remains hidden. You can always dispose of the address if it gets spammed. (For more, see the sidebar "Disposable E-Mail Services.")
4. Use fake addresses. Most Web-based sign-up forms require an e-mail address, but ask yourself, do they really need it? If you don't want to hear from the site (and don't need a confirmation e-mail or tech support), don't give a real address.
5. Don't post your address. Resist the impulse to post it on Web sites, guest books, contact lists, newsgroups, chat rooms, and so on; spammers harvest from these places. If you absolutely must reveal yourself, use a Web-mail account or a DEA. You can also put something extra in your e-mail that humans will know how to read but harvesting robots won't: firstname.lastname@example.org could become sean AT pretend DOT com.
6. Don't answer spam. Ever. You won't stop spam by writing to the spammers, even if you ask nicely. At best, you'll flame a robot, which won't mind. At worst, you'll confirm that your e-mail address belongs to a naive human being, a valuable commodity for spammers. Ignore the "remove me" e-mail addresses, too. Many of these lead to dead or inactive e-mail addresses.
7. Opt out. When you do sign up for or buy something online and you have to give out an e-mail address, remember to opt out of everything you're not absolutely sure you want to receive.
9. Use a spam filter. Even if you follow tips 1 through 8, you're going to get spam. If you get more than you can handle, try one of the products we reviewed in this roundup. Some antispam programs worth considering are SpamAssassin Pro, MailWasher, and McAfee SpamKiller, to name a few.
Spam is maddening. It can feel like an invasion of privacy. But are spammers actually doing anything illegal? Are they committing fraud, or do they have the law on their side?
Most of the legislated action against spam happens at the state level. In fact, more than half of the states have identified and prohibited several behaviors that distinguish spam from legitimate e-mail. (For your state's position, visit www.spamlaws.com.) In legal terms, the battle against spam isn't about content (commercial, political, or religious); it's about spam techniques like false subject lines, ineffective opt-out links, falsified routing information, and third-party domain names used without permission. Yet despite these laws, spam thrives. According to Jared Blank, a Jupiter Research analyst, "The laws are nice in theory, but actually going after and tracking down spammers is extraordinarily difficult." Anyone who has ever tried to track spammers through their complicated relays and tortuous routing will attest to that.
That each state's legislation can be enforced only within its own borders makes catching spammers much more difficult, and often futile. If you actually do identify and catch a spammer, bringing him to justice could end up costing you more in legal fees than the average individual can pony up.
Spammers have, however, been successfully sued. AOL, for example, recently won a much-ballyhooed decision against a single spammer. Unfortunately, this is a drop in the bucket for a service that, despite claiming to filter out 20 percent of all spam before it reaches your in-box, is still awash in spam.
Most suits against spammers have been filed under unrelated and relatively ancient legislation. Trespass, trademark, product, direct-mail, and junk-fax laws have all been cited. Trespass-based arguments made by ISPs have been particularly effective against spammers who have overloaded and crashed servers. "Spam is really a way for an advertiser to shift his cost unfairly to everybody else," says Marc Willard, an attorney specializing in technology and e-commerce. "What it does is use the facilities, the time, the bandwidth, and the resources of the Internet service providers that have to carry all of this information."
The courts probably won't view costs alone as reason enough to find against spammers, according to Doug Isenberg, lawyer and recent author of The GigaLaw Guide to Internet Law. In the case of junk-fax legislation, the costs to recipients, including such things as toner cartridges and paper, are even more quantifiable than the costs of e-mail spam, but the courts ruled them negligible and too hard to measure.
Rare victories like AOL's aside, it's clear that state laws aren't defeating spam. So what's keeping the federal courts from slamming spam? The problem is, there are many more philosophical and constitutional issues entangled with prohibiting spam than there are with simply hating it.
A fine line exists between putting restrictions on worthless and annoying junk e-mail (or even forcing such messages to be prefixed by the header ADV, for advertisement) and banning the distribution of information that has the potential to be socially valuable. Direct marketers make the point that eliminating spam entirely limits consumer choices and the free market. It also restricts the potential success of small companies that can't afford more expensive types of marketing. The lack of consensus on the legal definition of spam (is it essentially unsolicited, bulk, or commercial mail?) makes this problem even trickier.
There are antispam bills pending in Congress, and they're notably similar to the antispam laws already passed at the state level. The basic proposals are to require working opt-in or opt-out links and accurate subject-line labeling.
Attorney Willard suggests that one solution might be a national spam opt-out list with a penalty of a fine, blanketing the spamming industry. Note, however, that in the case of telemarketers, the FCC argued (successfully) against a national database, preferring instead that each company maintain its own no-call list. Anyone who has attempted to get off a telemarketing list this way will know to take this suggestion with a grain of salt.
CAUCE (the Coalition Against Unsolicited Commercial E-mail, www.cauce.org) largely opposes the popular opt-out solution, pointing out that it won't improve the current state of spam and might even make the situation worse. "If you pass a law that says you're free to send spam until someone asks to be removed, you're essentially giving the green light to everyone who's ever wanted to send e-mail to anybody in the country," says attorney Ray Everett-Church, founding member of the volunteer organization. Additionally, a recent FTC study showed that more than 50 percent of tested opt-out e-mail addresses given were invalid.
Many suggest that antifax legislation should be considered as a model for antispam bills. The Telephone Consumer Protection Act basically bans the sending of unsolicited commercial faxes and gives recipients the right to sue for $500 per fax. "That created a reverse economic incentive," CAUCE's Everett-Church explains. "The law turned the economics of junk faxing upside down and made it more profitable to go after the faxers than for the faxers to stay in business."
Perhaps the toughest nut to crack is that much spam isn't sent from a domestic source. After all, if spammers a few states over are hard to pin down, how will American law ever stop spam coming from Russia or Taiwan? Evidently it's going to take a worldwide resolution against spam rather than simply a domestic one, and that's unlikely to happen anytime soon. Individuals and business owners will be better off making room in their budgets for antispam protection such as the products and services reviewed in this issue, rather than waiting for a congressional solution. Technology has a better chance of catching up with the problem than the law does.
An increasingly popular and very effective (though high-maintenance) way to fight spam is to use disposable e-mail address (DEA) services. The premise is simple: When, for example, an online merchant asks for your e-mail address, you just use the service to generate a disposable one. The service then forwards any e-mail sent to this address to your real e-mail account. If the disposable address gets spammed, you can simply close it. As a bonus, if you use multiple addresses and keep track of which one you give to whom, you'll know who's to blame if you start receiving spam at any of your addresses. At that point, you have to decide whether to trust the source of the legitimate mail with a new disposable address or not.
Some of the disposable address services do a better job than others of helping you associate addresses with the accounts on which you've used them. But there are other things to consider: If someone sends you a message on a disposable account and you reply to it, you will probably end up disclosing your real address in the From: field.
The most comprehensive service is Mailshell ($35 direct per year), makers of the client-side antispam tool SpamCatcher, reviewed on the next page. In addition to providing DEAs, Mailshell can apply its spam filtering to any existing ISP or Web mail service. You can read the mail through Mailshell's Web interface or in your regular mail client. In addition, you get an unlimited number of disposable addresses. The base price gives you a domain like @larry-seltzer.mailshell.com, and you can make up any address you want to go with it, for example email@example.com. For an extra $16.95 per month, you can eliminate the mailshell from your domain.
Addresses can be set to auto-expire after a set amount of time. The service also automatically puts any e-mails sent to addresses in your domain that you haven't activated into a Pending folder. This defeats most dictionary attacks while preserving messages to addresses you've forgotten to create. For example, you may have given out a new address to your child's school but forgotten to add it to the system.
Spamex ($9.95 per year) is very reasonably priced and allows you 500 addresses. Maximum message size is 500K: smallish but enough for everyday correspondence. You can create custom addresses, or they can be auto-generated and, as with Emailias, automatically associated with a Web site (a great feature). Addresses are set to expire after a user-specified number of messages have been received or days elapsed.
SpamGourmet (free) has some interesting innovations, but it also has limitations on how many messages each address will be able to accept. There are two modes, No-brainer and Advanced. In the former, you get a user name and then you can give out self-destructing addresses in the form firstname.lastname@example.org, where whatever is some word you choose and is the number of messages (up to 20) that you can receive at that address until it self-destructs, after which messages will return errors.
For example, email@example.com will be able to receive four messages, and then senders will get error messages. The problem is, anyone can send you a message using a disposable account that you did not create: for example, IAMSPAM.firstname.lastname@example.org.
There are advanced options to limit the number of possible disposable addresses, but if this product became widely used it would be easy for spamsters to work around the limits. Advanced mode has several other features, the most interesting being that you can also add trusted senders, people who can send messages without contributing to the maximum message count for that address. This will let you use a disposable address forever for legitimate purposes, until it gets used by a spammer, at which point it'll pass away.
Product: Spam Slicer
Spam Slicer ($4.95 per month or $19.95 per year) maintains a blacklist of known spammers and prefilters messages from them before forwarding e-mail to customers' disposable addresses. Spam Slicer works with any ISP or Web mail service.
Essentially, you make up a disposable e-mail address in the form LarrySeltzer.email@example.com and fill in the whatever differently for each address. The drawback is that a malicious person who finds one of your DEAs and knows how the service works could put anything in the whatever field and reach your in-box. With Spam Slicer, there's no way to separate out e-mails sent to DEAs that haven't been activated.
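To make the DEA mechanics of the sidebar concrete, here is an added example (not code from Mailshell, Spamex, SpamGourmet, Spam Slicer, or any other service) that models one user's disposable-address domain: each address carries a label for who it was given to, so spam arriving on it tells you who leaked it; an address can self-destruct after a set number of messages, with trusted senders not counting toward that limit; and mail to an address you never activated either lands in a Pending folder (the Mailshell behaviour, which defeats dictionary attacks) or, when activation isn't required, goes straight to the in-box (the Spam Slicer drawback). The domain, senders, and messages are constructed for the example.

```python
"""Toy disposable-e-mail-address (DEA) forwarder (added example; the
domain, senders and messages are constructed, not from any real service)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dea:
    given_to: str                 # label: who you handed this address to
    max_messages: Optional[int]   # untrusted messages before self-destruct; None = unlimited
    trusted: set = field(default_factory=set)  # senders that never count against the limit
    received: int = 0             # untrusted messages accepted so far
    closed: bool = False          # closed by you, or self-destructed


class Forwarder:
    """Models one user's DEA domain, e.g. anything@<user>.<service>."""

    def __init__(self, domain, require_activation=True):
        self.domain = domain
        # True: unknown addresses go to Pending (Mailshell style).
        # False: any local part reaches the in-box (Spam Slicer style).
        self.require_activation = require_activation
        self.addresses = {}   # local part -> Dea
        self.inbox = []       # (label, sender, subject) forwarded to the real account
        self.pending = []     # mail to addresses you never activated
        self.bounced = []     # mail refused with an error

    def create(self, local, given_to, max_messages=None, trusted=()):
        """Activate a DEA and return the address to hand out."""
        self.addresses[local] = Dea(given_to, max_messages, set(trusted))
        return f"{local}@{self.domain}"

    def close(self, local):
        """Dispose of an address once it starts attracting spam."""
        self.addresses[local].closed = True

    def deliver(self, to, sender, subject):
        """Route one incoming message; returns 'inbox', 'pending' or 'bounced'."""
        local, _, domain = to.partition("@")
        if domain != self.domain:
            raise ValueError(f"{to} is not in {self.domain}")
        dea = self.addresses.get(local)
        if dea is None:
            if self.require_activation:
                self.pending.append((to, sender, subject))
                return "pending"
            # No activation step: the address springs into existence on first use.
            self.addresses[local] = Dea("unknown (never activated)", None)
            dea = self.addresses[local]
        if dea.closed:
            self.bounced.append((to, sender, subject))
            return "bounced"
        if sender not in dea.trusted:
            dea.received += 1
            if dea.max_messages is not None and dea.received >= dea.max_messages:
                dea.closed = True   # this message is the last one accepted
        self.inbox.append((dea.given_to, sender, subject))
        return "inbox"

    def blame(self, to):
        """Who leaked this address? The label it was created with."""
        return self.addresses[to.partition("@")[0]].given_to


def demo():
    """Constructed walk-through; returns the routing decisions in order."""
    f = Forwarder("larry.dea.example")
    shop = f.create("shop", "online shop", max_messages=2,
                    trusted={"orders@shop.example"})
    results = [
        f.deliver(shop, "orders@shop.example", "Receipt"),      # trusted, not counted
        f.deliver(shop, "promo@shop.example", "Sale"),          # untrusted #1
        f.deliver(shop, "promo@shop.example", "Sale again"),    # untrusted #2 -> self-destructs
        f.deliver(shop, "spam@spam.example", "FREE MONEY"),     # address is dead
        f.deliver("qwerty@larry.dea.example", "dict@spam.example", "hi"),  # never activated
    ]
    return results, f.blame(shop)


if __name__ == "__main__":
    print(demo())
```

With activation required, the dictionary-attack message to qwerty@ goes to Pending rather than the in-box, and the label on the shop address tells you who to stop trusting; a `Forwarder(..., require_activation=False)` instead forwards anything@ straight to the in-box, which is the weakness the Spam Slicer paragraph describes.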