[This information was obtained from an article in PCmag]

• What is Spam?
• Life cycle of Spam and how they get your email address
• Sending the Spam
• Catching Spam on the server
• Catching Spam on the client
• Spam that's not caught
• One desktop at a time
• The devil is in the details
• Top anti-spam tips
• Spam and the law
• Disposable email services

What Is Spam?
Supreme Court justice Potter Stewart's description of obscenity rings just as true for Internet spam: We may have a hard time defining it, but we know it when we see it. Industry pundits define spam as "unsolicited commercial bulk e-mail": advertisements that marketers blindly send to as many addresses as possible. Some definitions add other unsolicited messages, including those carrying chain letters, urban legends, jokes, and frivolous multimedia files. All of these definitions leave out one crucial point.
Spam isn't just e-mail you didn't ask for. It's e-mail you didn't ask for and don't want. There may be certain kinds of unsolicited bulk e-mail you don't consider spam. We at PC Magazine welcome unsolicited e-mail plugging computer products and services. You may not. Because the definition of Internet spam is so difficult to pin down, there's disagreement about the size of the problem, even among experts. In December, the Pew Internet & American Life Project published a survey in which 71 percent of respondents said that very little of the e-mail they receive is spam. But most experts agree with Brightmail and Jupiter.

The Lifecycle of Spam ~ How They Get Your E-Mail Address
A spammer has several sneaky ways of getting your e-mail address. Here are the most prevalent:
• from your registration at unscrupulous sites (think sweepstakes)
• from your newsgroup postings
• from your chat sessions
• from spambots that crawl the Web for anything including an @ sign on a Web site
• from e-mail lists the spammer buys
• from mailing lists to which you subscribe
• by randomly generating name combinations for your domain
• by harvesting all the e-mail addresses on your company's server.

Sending The Spam
A scalable SMTP e-mail server can send up to a million messages per hour. To hide their identities, spammers often piggyback on top of an unsuspecting third party's mail servers and relay spam through them.

Catching Spam On The Server

Corporate spam-filtering hardware, software, or services can stop a good percentage of spam before it even gets to your PC. They check for known spamming techniques and patterns by examining the header, source, and contents of each message, to which they apply rules-based filtering and antispam algorithms. Antispam software can support collaborative filtering, where recipients report on the spam they receive, and it can block messages coming from servers on blacklists. But the software may also block legitimate messages the recipient wants, known as false positives. Many products do help prevent directory harvesting and denial-of-service attacks, and they can detect traffic irregularities that spell trouble.

Catching Spam On The Client
Desktop software products can block spam after it gets to your local machine. Like the server products (and like antivirus software), they check mail against known patterns in the header, contents, and originating address. These packages also benefit from frequent updates to counter new spamming techniques.

Spam That's Not Caught
If you're not running any antispam software and your e-mail address is on a Web site, mailing list, or chat room, your mailbox is vulnerable to spam hell. If you respond to the bad e-mail, even in an attempt to take yourself off the mailing list, you're only confirming that your e-mail address is real, and you can expect even more spam.

One Desktop at a Time

Ideally, spam should be stopped by ISPs and IT departments before it reaches individual in-boxes. This kills two birds, spam and network traffic, with one stone. But if your company or your personal ISP isn't getting the job done, you'll have to fight spam from the desktop.

How do these products identify spam? Most use more than one method. Deersoft's SpamAssassin, for example, checks messages against various real-time black hole lists, or RBLs: public catalogs of known spammers and of open relay servers that spammers use as conduits for their messages. (The danger is that nonspammers occasionally get placed on RBLs, and removal is problematic.) SpamAssassin also looks for words or phrases typical of spam. And it examines the header of each message, looking for signs of the circuitous routing spam typically takes.

Brightmail, whose software blocks spam for such ISPs as WorldNet and EarthLink and such corporations as Cisco and Microsoft, operates a network of undisclosed e-mail accounts. Mail delivered to these accounts is by definition unsolicited. Using proprietary algorithms, Brightmail boils each piece of spam down to a specific signature, a unique way of identifying the message, and compares the signatures with customers' mail.

Cloudmark's SpamNet takes another approach, relying on a user community, not dummy mailboxes, to identify spam. When a user receives a community-designated spam, it's removed from the in-box. MailFrontier and Mailshell use similar techniques.

Of course, since the definition of spam differs by person, many antispam products let you train their engines to adjust what they block. Some let you set up your own blacklist, designating specific addresses to block. In other cases, you can fine-tune the spam identification algorithms.
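As an added illustration (not code from the article or from any product it reviews), the following Python sketch combines the checks described above into one score the way a rules-based filter does: relay IPs from the Received: chain looked up against an RBL, phrases typical of spam, the number of hops as a sign of circuitous routing, and the user's own blacklist, with a threshold that trades catch rate against false positives. The RBL entries, phrases, weights, threshold and both sample messages are constructed for the example.

```python
import email
import re
from email import policy

# All values below are constructed for this example; none come from the article.
RBL = {"203.0.113.7", "198.51.100.23"}      # stand-in real-time black hole list (relay IPs)
SPAM_PHRASES = ["act now", "free money", "click here", "lose weight"]
USER_BLACKLIST = {"spammer@example.org"}    # the user's own blacklist of sender addresses
HOP_LIMIT = 4                               # more Received: hops than this looks circuitous
SPAM_THRESHOLD = 5.0                        # raise for fewer false positives, lower to catch more

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def score_message(raw):
    """Return (score, reasons) for one RFC 822 message, summing the evidence
    from each check the way rules-based filters such as SpamAssassin do."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0.0, []
    received = [str(h) for h in msg.get_all("Received", [])]
    # 1. RBL lookup: any relay IP in the Received: chain that is listed
    for hdr in received:
        for ip in RECEIVED_IP.findall(hdr):
            if ip in RBL:
                score += 3.0
                reasons.append(f"relay {ip} on RBL")
    # 2. Routing: a long chain of relays is typical of spam, not of direct mail
    if len(received) > HOP_LIMIT:
        score += 1.5
        reasons.append(f"{len(received)} Received hops")
    # 3. Phrases typical of spam in the plain-text body, counted once each
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    for phrase in SPAM_PHRASES:
        if phrase in text:
            score += 1.0
            reasons.append(f"phrase {phrase!r}")
    # 4. Sender on the user's own blacklist
    sender = str(msg.get("From", "")).lower()
    if any(addr in sender for addr in USER_BLACKLIST):
        score += 5.0
        reasons.append("sender on user blacklist")
    return score, reasons

def is_spam(raw):
    return score_message(raw)[0] >= SPAM_THRESHOLD

# Constructed sample messages (documentation-range IPs, example.* domains).
SPAM_SAMPLE = """\
Received: from relay5.example.net ([198.51.100.23]) by mx.pretend.com
Received: from relay4.example.net ([192.0.2.9]) by relay5.example.net
Received: from relay3.example.net ([192.0.2.8]) by relay4.example.net
Received: from relay2.example.net ([192.0.2.7]) by relay3.example.net
Received: from relay1.example.net ([192.0.2.6]) by relay2.example.net
From: "Great Offers" <offers@example.net>
To: sean@pretend.com
Subject: Act now

Act now and click here for free money!
"""

HAM_SAMPLE = """\
Received: from mail.pretend.com ([192.0.2.10]) by mx.pretend.com
From: colleague@pretend.com
To: sean@pretend.com
Subject: Lunch tomorrow?

Are you free for lunch tomorrow? The deli by the office just opened.
"""
```

The spam sample scores 7.5 (RBL hit, five hops, three phrases) while the legitimate note scores 0; a real product would also let the user retune the weights and threshold, which is the training the article refers to.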


The Devil's in the Details

Yet, even with training, some spam gets through. The consumer products we tested typically blocked about 75 percent of spam; the corporate products, 85 percent. Worse, these tools can block legitimate messages. Avoiding these false positives is perhaps antispam vendors' toughest task. To block enough spam, they must be aggressive, but if they're too aggressive, they're likely to cause false positives. If you must continually search your quarantine folder for false positives, you might not be saving any time.

Most programs let you specifically white-list (allow mail from) senders, but this has limited effectiveness. It's a balancing act. In fact, our Editors' Choice for personal antispam didn't stop the most spam, nor did it have the lowest false-positive rate; instead, it had the best balance between the two.
On our tests, the consumer products scored 1 false positive for every 22 pieces of legitimate mail; the corporate tools blocked 1 in every 500. Though they may not be perfect, these tools can help fight spam, a problem that is only going to get worse. So even if you don't think you need one of these tools today, you probably will soon.


Top Antispam Tips

1. Guard your in-box. Don't give out your e-mail address to anyone but the people you actually expect to correspond with. For dealing with everyone else, see tips 2 through 4.

2. Use free Web mail accounts. For merchants and legit others you don't correspond with regularly, use Web mail, such as Hotmail's or Yahoo!'s. You can abandon it if it gets spammed. Many have spam filtering built in.

3. Use a disposable e-mail address. Disposable e-mail addresses are great in-box insulators. Give them out in place of your real address, which remains hidden. You can always dispose of the address if it gets spammed. (For more, see the sidebar "Disposable E-Mail Services.")

4. Use fake addresses. Most Web-based sign-up forms require an e-mail address, but ask yourself, do they really need it? If you don't want to hear from the site (and don't need a confirmation e-mail or tech support), don't give a real address.

5. Don't post your address. Resist the impulse to post it on Web sites, guest books, contact lists, newsgroups, chat rooms, and so on; spammers harvest from these places. If you absolutely must reveal yourself, use a Web-mail account or a DEA. You can also put something extra in your e-mail that humans will know how to read but harvesting robots won't: sean@pretend.com could become sean AT pretend DOT com.

6. Don't answer spam. Ever. You won't stop spam by writing to the spammers, even if you ask nicely. At best, you'll flame a robot, which won't mind. At worst, you'll confirm that your e-mail address belongs to a naive human being, a valuable commodity for spammers. Ignore the "remove me" e-mail addresses, too. Many of these lead to dead or inactive e-mail addresses.

7. Opt out. When you do sign up for or buy something online and you have to give out an e-mail address, remember to opt out of everything you're not absolutely sure you want to receive.

8. Read the privacy policy. Make sure you understand what a Web site promises to do (and not to do) with your e-mail address. If there's no privacy policy, see tips 2 through 4.

9. Use a spam filter. Even if you follow tips 1 through 8, you're going to get spam. If you get more than you can handle, try one of the products we reviewed in this roundup. Some antispam programs to consider are SpamAssassin Pro, MailWasher, and McAfee SpamKiller, to name a few.

Spam and the Law

Spam is maddening. It can feel like an invasion of privacy. But are spammers actually doing anything illegal? Are they committing fraud, or do they have the law on their side?

Most of the legislated action against spam happens at the state level. In fact, more than half of the states have identified and prohibited several behaviors that distinguish spam from legitimate e-mail. (For your state's position, visit www.spamlaws.com.) In legal terms, the battle against spam isn't about content (commercial, political, or religious); it's about spam techniques like false subject lines, ineffective opt-out links, falsified routing information, and third-party domain names used without permission. Yet despite these laws, spam thrives. According to Jared Blank, a Jupiter Research analyst, "The laws are nice in theory, but actually going after and tracking down spammers is extraordinarily difficult." Anyone who has ever tried to track spammers through their complicated relays and tortuous routing will attest to that.

That each state's legislation can be enforced only within its own borders makes catching spammers much more difficult, and often futile. If you actually do identify and catch a spammer, bringing him to justice could end up costing you more in legal fees than the average individual can pony up.

Spammers have, however, been successfully sued. AOL, for example, recently won a much-ballyhooed decision against a single spammer. Unfortunately, this is a drop in the bucket for a service that, despite claiming to filter out 20 percent of all spam before it reaches your in-box, is still awash in spam.

Most suits against spammers have been filed under unrelated and relatively ancient legislation. Trespass, trademark, product, direct-mail, and junk-fax laws have all been cited. Trespass-based arguments made by ISPs have been particularly effective against spammers who have overloaded and crashed servers. "Spam is really a way for an advertiser to shift his cost unfairly to everybody else," says Marc Willard, an attorney specializing in technology and e-commerce. "What it does is use the facilities, the time, the bandwidth, and the resources of the Internet service providers that have to carry all of this information."

The courts probably won't view costs alone as reason enough to find against spammers, according to Doug Isenberg, lawyer and recent author of The GigaLaw Guide to Internet Law. In the case of junk-fax legislation, the costs to recipients, including such things as toner cartridges and paper, are even more quantifiable than the costs of e-mail spam, but the courts ruled them negligible and too hard to measure.

Rare victories like AOL's aside, it's clear that state laws aren't defeating spam. So what's keeping the federal courts from slamming spam? The problem is, there are many more philosophical and constitutional issues entangled with prohibiting spam than there are with simply hating it.

A fine line exists between putting restrictions on worthless and annoying junk e-mail (or even forcing such messages to be prefixed by the header ADV, for advertisement) and banning the distribution of information that has the potential to be socially valuable. Direct marketers make the point that eliminating spam entirely limits consumer choices and the free market. It also restricts the potential success of small companies that can't afford more expensive types of marketing. The lack of consensus on the legal definition of spam (is it essentially unsolicited, bulk, or commercial mail?) makes this problem even trickier.

There are antispam bills pending in Congress, and they're notably similar to the antispam laws already passed at the state level. The basic proposals are to require working opt-in or opt-out links and accurate subject-line labeling.

Attorney Willard suggests that one solution might be a national spam opt-out list with a penalty of a fine, blanketing the spamming industry. Note, however, that in the case of telemarketers, the FCC argued (successfully) against a national database, preferring instead that each company maintain its own no-call list. Anyone who has attempted to get off a telemarketing list this way will know to take this suggestion with a grain of salt.

CAUCE (the Coalition Against Unsolicited Commercial E-mail, www.cauce.org) largely opposes the popular opt-out solution, pointing out that it won't improve the current state of spam and might even make the situation worse. "If you pass a law that says you're free to send spam until someone asks to be removed, you're essentially giving the green light to everyone who's ever wanted to send e-mail to anybody in the country," says attorney Ray Everett-Church, founding member of the volunteer organization. Additionally, a recent FTC study showed that more than 50 percent of tested opt-out e-mail addresses given were invalid.

Many suggest that antifax legislation should be considered as a model for antispam bills. The Telephone Consumer Protection Act basically bans the sending of unsolicited commercial faxes and gives recipients the right to sue for $500 per fax. "That created a reverse economic incentive," CAUCE's Everett-Church explains. "The law turned the economics of junk faxing upside down and made it more profitable to go after the faxers than for the faxers to stay in business."

Perhaps the toughest nut to crack is that much spam isn't sent from a domestic source. After all, if spammers a few states over are hard to pin down, how will American law ever stop spam coming from Russia or Taiwan? Evidently it's going to take a worldwide resolution against spam rather than simply a domestic one, and that's unlikely to happen anytime soon. Individuals and business owners will be better off making room in their budgets for antispam protection such as the products and services reviewed in this issue, rather than waiting for a congressional solution. Technology has a better chance of catching up with the problem than the law does.


Disposable E-mail Services

An increasingly popular and very effective, though high-maintenance, way to fight spam is to use disposable e-mail address (DEA) services. The premise is simple: When, for example, an online merchant asks for your e-mail address, you just use the service to generate a disposable one. The service then forwards any e-mail sent to this address to your real e-mail account. If the disposable address gets spammed, you can simply close it. As a bonus, if you use multiple addresses and keep track of which one you give to whom, you'll know who's to blame if you start receiving spam at any of your addresses. At that point, you have to decide whether to trust the source of the legitimate mail with a new disposable address or not.

Some of the disposable address services do a better job than others of helping you associate addresses with the accounts on which you've used them. But there are other things to consider: If someone sends you a message on a disposable account and you reply to it, you will probably end up disclosing your real address in the From: field.

• Product: Emailias
www.emailias.com

Emailias ($19.95 per year) adds a convenient JavaScript button to your IE Links bar for auto-creating a new disposable address and associating it with one of your real addresses and the Web site for which you created the Emailias, a feature that's much appreciated. Addresses can be set to expire at a given time, and as with Spamex, your real address is kept secure because it isn't part of the disposable addresses that you create. When you get a spam in which you're listed as a BCC:, Emailias helps you determine which disposable received it by adding a header with the address listed. Emailias's main drawback is the lack of support for known-spammer blocking. Emailias gives you unlimited addresses, and the maximum size of messages passing through the service can be up to 50MB.

• Product: Mailshell
www.mailshell.com

The most comprehensive service is Mailshell ($35 direct per year), makers of the client-side antispam tool SpamCatcher, reviewed on the next page. In addition to providing DEAs, Mailshell can apply its spam filtering to any existing ISP or Web mail service. You can read the mail through Mailshell's Web interface or in your regular mail client. In addition, you get an unlimited number of disposable addresses. The base price gives you a domain like @larry-seltzer.mailshell.com, and you can make up any address you want to go with it, for example pcmag@larry-seltzer.mailshell.com. For an extra $16.95 per month, you can eliminate the mailshell from your domain.

Addresses can be set to auto-expire after a set amount of time. The service also automatically puts any e-mails sent to addresses in your domain that you haven't activated into a Pending folder. This defeats most dictionary attacks while preserving messages to addresses you've forgotten to create. For example, you may have given out a new address to your child's school but forgotten to add it to the system.

• Product: Spamex
www.spamex.com

Spamex ($9.95 per year) is very reasonably priced and allows you 500 addresses. Maximum message size is 500K: smallish but enough for everyday correspondence. You can create custom addresses, or they can be auto-generated and, as with Emailias, automatically associated with a Web site (a great feature). Addresses are set to expire after a user-specified number of messages have been received or days elapsed.

• Product: SpamGourmet
SpamGourmet.com

SpamGourmet (free) has some interesting innovations, but it also has limitations on how many messages each address will be able to accept. There are two modes, No-brainer and Advanced. In the former, you get a user name and then you can give out self-destructing addresses in the form whatever.n.username@spamgourmet.com, where whatever is some word you choose and n is the number of messages (up to 20) that you can receive at that address until it self-destructs, after which messages will return errors.

For example, crazylegs.4.larryseltzer@spamgourmet.com will be able to receive four messages, and then senders will get error messages. The problem is, anyone can send you a message using a disposable account that you did not create: for example, IAMSPAM.20.larryseltzer@spamgourmet.com.

There are advanced options to limit the number of possible disposable addresses, but if this product became widely used it would be easy for spamsters to work around the limits. Advanced mode has several other features, the most interesting being that you can also add trusted senders, people who can send messages without contributing to the maximum message count for that address. This will let you use a disposable address forever for legitimate purposes, until it gets used by a spammer, at which point it'll pass away.
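To make the address schemes concrete, here is an added Python model (not SpamGourmet's or Mailshell's code) of a forwarding mailbox for one user: addresses of the form whatever.n.username@spamgourmet.com accept n messages and then bounce, trusted senders do not use up the count, and an optional hold_unactivated mode files mail for addresses the user never created into a pending list, as the article says Mailshell's Pending folder does. The class and method names, the sample senders and the hold_unactivated option are assumptions of the example.

```python
import re

# Address form from the article: whatever.n.username@spamgourmet.com, where n is the
# number of messages (up to 20) the address accepts before it self-destructs.
DEA_RE = re.compile(r"^([a-z0-9-]+)\.(\d{1,2})\.([a-z0-9-]+)@spamgourmet\.com$", re.I)
MAX_COUNT = 20

class DisposableMailbox:
    """Forwarding model for one user's disposable addresses (example code, not any
    service's implementation). Trusted senders mirror SpamGourmet's Advanced mode;
    hold_unactivated is an assumed option that behaves like Mailshell's Pending folder."""

    def __init__(self, username, trusted=(), hold_unactivated=False):
        self.username = username.lower()
        self.trusted = {t.lower() for t in trusted}
        self.hold_unactivated = hold_unactivated
        self.remaining = {}                  # address -> messages it will still accept
        self.inbox, self.pending, self.bounced = [], [], []

    def activate(self, address):
        """User creates an address in advance (optional in the SpamGourmet scheme)."""
        m = DEA_RE.match(address)
        if not m or m.group(3).lower() != self.username:
            raise ValueError("not one of this user's addresses")
        self.remaining.setdefault(address.lower(), min(int(m.group(2)), MAX_COUNT))

    def deliver(self, sender, address, subject):
        """Return 'forwarded', 'pending' or 'bounced' for one incoming message."""
        address = address.lower()
        m = DEA_RE.match(address)
        if not m or m.group(3) != self.username:
            self.bounced.append((address, subject, "no such user"))
            return "bounced"
        if address not in self.remaining:
            # Nobody created this address yet: anyone can mint one, e.g.
            # IAMSPAM.20.larryseltzer@spamgourmet.com, unless such mail is held.
            if self.hold_unactivated:
                self.pending.append((sender, address, subject))
                return "pending"
            self.remaining[address] = min(int(m.group(2)), MAX_COUNT)
        if sender.lower() in self.trusted:
            self.inbox.append((sender, address, subject))   # does not use up the count
            return "forwarded"
        if self.remaining[address] <= 0:
            self.bounced.append((address, subject, "address self-destructed"))
            return "bounced"
        self.remaining[address] -= 1
        self.inbox.append((sender, address, subject))
        return "forwarded"

def demo():
    """crazylegs.4.larryseltzer@... takes four messages and bounces the fifth;
    a trusted sender still gets through afterwards."""
    box = DisposableMailbox("larryseltzer", trusted=["friend@example.com"])
    addr = "crazylegs.4.larryseltzer@spamgourmet.com"
    outcomes = [box.deliver("shop@example.net", addr, f"order {i}") for i in range(5)]
    outcomes.append(box.deliver("friend@example.com", addr, "still works"))
    return outcomes
```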

• Product: Spam Slicer
www.spamslicer.com

Spam Slicer ($4.95 per month or $19.95 per year) maintains a blacklist of known spammers and prefilters messages from them before forwarding e-mail to customers' disposable addresses. Spam Slicer works with any ISP or Web mail service.

Essentially, you make up a disposable e-mail address in the form LarrySeltzer.whatever@spamslicer.com and fill in the whatever differently for each address. The drawback is that a malicious person who finds one of your DEAs and knows how the service works could put anything in the whatever field and reach your in-box. With Spam Slicer, there's no way to separate out e-mails sent to DEAs that haven't been activated.
