of Mass Disruption
By Cindy Chick
Information Resources Manager
Knowledge Systems, Latham & Watkins
As I walk my German shepherd through our neighborhood,
it seems that people can't resist commenting "Are you
walking him? Or is he walking you?" I'm always tempted
to point out that first, he is a she, and secondly,
I'm not the one with the collar around my neck, but
instead I just smile and nod, confident in the fact
that I am, in fact, the one in charge, regardless of
E-mail is a bit like a large German shepherd. It
will take over your life if you let it. The trick is
to handle it calmly, consistently, and with a great
deal of patience. Mind you, there's no way to automate
effective training of a German shepherd. But luckily
there are tools out there to help you manage your e-mail.
That's a good thing. These days almost anyone with
a computer has an e-mail address. Some people buy a
computer simply to get e-mail access. At work, e-mail
has become a ubiquitous and essential mode of communication.
And so the skills to manage e-mail effectively have
become more and more critical.
But before we can discuss the bright side of e-mail,
we must fact the dark side, the biggest threat to e-mail
as we know it: spam.
There are certain equalizers in life, things that
affect rich and not-so-rich, tall and short, weak and
strong, young and old. Spam may be one of them. Even
Bill Gates gets spam, and has had enough. (See "Even
Gates Gets Spam," PC World, June 23, 2003, http://www.pcworld.com/news/article/0,aid,111318,00.asp.)
And though you and your neighbor may not agree on
the war in Iraq, Americans stand united in their hatred
of spam. According to a recent poll, 79 percent now
favor making mass-spamming illegal and only 10 percent
oppose doing so. (The Harris Poll, #38, July 16, 2003,
Spam may be the biggest threat to e-mail as we know
it, but drowning in the stuff is not as inevitable
as death and taxes. You can fight back. Because it
is such a universal problem, there are many people
trying to solve it, from congresspersons pondering
legislative methods to software programmers creating
spam filters. Until things get better, however, you
should do what you can to prevent spam and fight back
with one of the many anti-spam products in the marketplace.
I consider myself well qualified to discuss spam
because I am a case study in how to get on every spammer's
e-mail list from here to China. I had an Internet e-mail
account almost from the time the Internet first became
available commercially. I started creating Web pages
when Lynx was the only Web browser and Mosaic just
a twinkle in Marc Andreessen's eye. In those
days, posting your e-mail address on a Web site or
participating in newsgroups and mailing lists seemed
harmless enough. And I did both.
Then I started publishing on the Web, obtaining additional
e-mail addresses specific to that Web site and posting those e-mail
addresses on the Web. Little did I know that I was
setting myself up for the deluge of spam that followed,
which worsened over the years, and, at its peak, totaled
hundreds of spam e-mail messages daily.
Obviously, I'm not the only one. In a recent editorial
in Presentations magazine, Tad Simons listed
several "laws of the technological universe." Last,
but not least on his list: "Spam's Curse: The amount
of spam in your inbox is inversely proportional to
your desire to marry someone from Russia, use Viagra,
lend money to the heir of a Nigerian fortune, earn
$1 million in real estate, or correspond with anyone
name Desiree or Stormy." He tactfully left out "and
increase the size of a part of your anatomy that you
may or may not possess." And I don't know about you,
but I don't have a septic tank.
In my life on the Net, I've seen them all. I'll never
forget the first time a former Nigerian official politely
requested my help, in exchange for a percentage of
the funds, to transfer money to the U.S. (For more
information on the Nigerian spam craze, see the FTC
site at http://www.ftc.gov/bcp/conline/pubs/alerts/nigeralrt.htm.)
An Ounce of Prevention
So let's talk prevention. It's arguably impossible
to completely avoid spam. But at least learn from my
mistakes. Don't post your e-mail address to a Web page,
either in the text, e.g., firstname.lastname@example.org, or in
an html mailto tag. If you must include an e-mail address
on a Web page, spell it out, e.g., george at hotmail
dot-com, or put the address in an image where it can't
be harvested. There are other ways to hide e-mail addresses
on the Web. For more information see SpamBot Beware
or NetMechanic Design Tip: Hide from Email Spiders
If you post to listservs and/or newsgroups, consider
obtaining a free e-mail account on Yahoo!, Hotmail,
Spam Motel, etc., to use just for this purpose. You
can easily shut down the account and move on should
the spam get out of control. Do the same if you frequent
chat rooms, another spammer's dream. For more information
on spam prevention, visit the FTC article "You've Got
Spam: How to 'Can' Unwanted Email" at http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm.
It's difficult to know how much spam is generated
from shopping on the Web, another activity that I took
to early on. But honestly, I suspect that only a fraction
of my spam is a result of shopping. I carefully check
the box asking NOT to receive notice of future sales,
specials, etc., unless I think that, in fact, this
information might be useful to me. (I DO like to be
notified of new versions of software that I've purchased,
for example.) And I believe that generally my preferences
are honored most of the time. A recent study by the
Center for Democracy and Education bears this out. "Most
of the major Web sites to which we provided e-mail
addresses respected the privacy choices we made when
a choice was made available to us" [http://www.cdt.org/speech/spam/030319spamreport.shtml].
Still, to be on the safe side, you may want to only
provide a temporary e-mail address as referenced above.
Should you attempt to unsubscribe from spam? Here's
my rule of thumb on that eternal question. If you want
to discontinue an opt-in e-mail, that is, an e-mail
that you asked to receive and so technically isn't
really spam, unsubscribing will probably succeed. I've
easily unsubscribed from opt-in e-mails resulting from
software I've purchased, mailing lists I've joined,
updates I've requested, etc., all by simply following
the instructions to do so.
However, if you're receiving run-of-the-mill, unsolicited
spam from senders you are certain you never would have
contacted or requested anything from in a million
years, regardless of their claims that you asked to
receive their e-mails, you must use a different strategy. Do
not succumb to their offer to remove you from their
list. You will only confirm the validity of your
e-mail address to the spammers. And the results won't
be pretty. It goes without saying that you should never,
never, never buy anything from a spammer.
If you do everything right, you still may receive
spam. That's because some spammers send to randomly
created e-mail addresses on the assumption that a certain
percentage will likely prove valid. According to Consumer
Reports ("E-Mail Spam: How to Stop It from Stalking
You," August 2003, p. 12+), a longer, harder-to-guess
e-mail address will reduce the amount of spam that
you receive. But of course it will also be longer and
harder to remember.
To Report Or Not to Report
Many people recommend reporting unsolicited spam
to the sender's e-mail provider. To do so, forward
the offending e-mail to the postmaster or abuse addresses
at the domain from which the message appears to have
come (for example, email@example.com or firstname.lastname@example.org).
To determine the appropriate abuse address for a domain,
you can use a lookup available at abuse.net http://abuse.net/lookup.phtml.
Another option is to forward spam to the FTC at email@example.com.
Just keep in mind that reporting spam isn't as straightforward
as one would hope. Most unwanted e-mails use fake "from" addresses.
So if you report the spam to the ISP listed on the "from" field,
you may not be reporting to the originating domain.
In my mind, the ultimate spam indignity is receiving
spam and viruses with my own e-mail address in the "from" field.
It happens to me all the time, another example of e-mail
addresses being harvested and used for nefarious purposes.
You can try to decipher the e-mail header to determine
the actual originating domain (see Genie Tyburski's "Instruct
on the Basics of Determining the Origin of Email," The
Virtual Chase, 9 Oct. 2001, at http://www.virtualchase.com/
but most of us will lose patience at this point.
If you get one or two spam e-mails a week, reporting
spam may be do-able, but if you receive large quantities
of spam, it just means spending still more time handling
the darn stuff, thereby increasing the burden that
spam places on your time. But if reporting spam makes
you feel better, there are tools out there to make
it easier. For example, Spamcop offers a free reporting
service at http://spamcop.net/anonsignup.shtml. You
can even use SpamDeputy to submit a report to the Spamcop
reporting service directly from Outlook [http://www.spamdeputy.com/].
If you're receiving spam on your employer's e-mail
address, report it to your IT department so that they
can filter out e-mails from that sender in the future.
Join the Battle
Perhaps for you, as for me, the ship has sailed on
spam prevention. Your address has appeared on Web sites,
you've participated in newsgroups and chat rooms, and
you've generally spread your e-mail address far and
wide. "What now?" you might ask.
Perhaps the simplest and most obvious method is to
simply start from scratch, that is, obtain a new e-mail
address and discontinue the old one. You may not even
need to close your account to do so. (Check with your
Internet service provider.) Then follow the instructions
above. The painfulness of this solution depends on
how many people already have your e-mail address and
how inconvenient it would prove to lose e-mail contact
with those people for even a short time.
If you're like me, and you'd like to hold on to your
e-mail address for time in perpetuity, you will need
some outside help fighting spam. But there's one thing
you have to understand going in. No spam fighter is
perfect. Depending upon the filter configuration, almost
all will, at some point, kill a legitimate e-mail message.
It's a trade-off. Most tools can be configured to be
very conservative about what is considered spam. But
the more conservative you are, the more spam that will
continue to invade your inbox. If you don't have the
stomach for it, and feel that even one legitimate e-mail
lost is one too many, you may want to forgo these tools.
Your ISP may constitute your first line of defense
again spam. Make sure to check to see if your ISP has
anti-spam software on its servers that can be turned
on for your e-mail address. For example, Earthlink
offers the SpamBlocker to its users. This is an optional
tool and you must visit the Earthlink Web site to turn
it on and configure it for your account, which I did
shortly after it became available
Many other ISPs have similar services available at
no additional charge.
Other tools integrate into your e-mail client, such
as PC World's Best Buy, IHateSpam. It installs a toolbar
in Outlook that offers several options. You can flag
spam that the program missed, send a complaint to a
spammers ISP, maintain your own blacklist of spammers,
in addition to a "whitelist" of friends that you don't
want blocked. (See PC World, "Natural-Born Spam
Killers," May 2003, p. 113 [http://www.pcworld.com/reviews/article/0,aid,109698,00.asp] for more reviews of spam software.)
PC Magazine rates another integrated tool,
Qurb, as a Best Buy in its Spam Product Guide, http://www.pcmag.com/category2/0,4148,4795,00.asp.
Qurb uses a very different method of filtering e-mail
than IHateSpam. After you install Qurb, it populates
a list of legitimate e-mail addresses by looking at
your contacts list and your saved e-mail messages.
It continually and automatically updates the list and
allows you to manually update it as well. It doesn't
delete messages not in your "whitelist", but instead
puts them in a folder for messages from unexpected
sources, which you will want to review on a regular
basis. You can also opt to have Qurb require confirmation
messages, which are e-mail messages sent to unidentified
senders. The sender must respond for the message to
get through to you.
This kind of technology is the latest development
in spam-fighting e-mail with sender verification.
(See PC World article, "Email Evolves New
Spam Slammers," http://www.pcworld.com/news/article/0,aid,110921,pg,3,00.asp.)
Mailblocks [http://www.mailblocks.com], a Web-based
service, also uses this method. Here's how it works.
You provide a list of approved e-mail
addresses corresponding to those people you actually
WANT to hear from.
If an e-mail arrives from any of the
approved e-mail addresses, the e-mail is delivered
If an e-mail arrives from an e-mail
address NOT approved, an automated process begins
challenge e-mail goes to the sender, requiring
some kind of direct response.
The sender responds and the e-mail
then goes to you.
If the message is spam, the sender
will not respond and the e-mail will stay blocked.
As with all spam-blocking systems, there are some
downsides. You have to take special steps to ensure
that automated mail, such as mailing list e-mails and
order receipts, etc., can be delivered. The sender
has to take the time to respond, likely delaying the
delivery of the e-mail. And, of course, a legitimate
sender may choose not to take the time to respond.
Gonna Wash that Spam Right
Out of My Hair
So what do I use? I've been using Mailwasher from
Firetrust for some time now and have been relatively
satisfied with its slightly different approach to spam.
Mailwasher is a stand-alone program that does not integrate
into Outlook or any other e-mail client. (Warning:
I once tried a utility that attempts to integrate Mailwasher
into Outlook, but the problems outweighed the benefits.)
Here's the routine. I open Mailwasher and also open
Outlook. Mailwasher is set to automatically check my
account for e-mail, a feature which I have turned off
for Outlook. Mailwasher flags suspected spam and possible
viruses, checks my blacklist, and filters to flag additional
spam for deletion. If I spot an unmarked spam, I can
quickly and easily add the sender to my blacklist.
I can read the message in the Mailwasher window if
I so choose.
Here's the fun part. Once all this is done, I click "process." The
spam is deleted and bounced back to the sender,
indicating that there is no such e-mail address. The
idea behind the bounced message is that the sender
may then consider my e-mail address as no longer valid
and remove it from their list. Does this happen? Hard
to say. Most of the time I don't think so. But I find
it satisfying all the same. And if nothing else, the
spam never makes it into my inbox. Once the mail is
processed, I go into Outlook and click send/receive
to collect the remaining e-mail.
This may sound like a long complicated process, but
the whole thing is really quite easy once you get the
hang of it; it typically takes me less than a minute
and saves me quite a bit of time overall. The downside?
When I was collecting e-mail from several different
e-mail accounts all with their own spam and had to
review over 100 e-mails in one sitting, it was easy
to tag something to be bounced/deleted that was actually
legitimate e-mail. In that case, I'd usually get a
call from someone wondering if my e-mail address had
changed. Now that I review fewer e-mails per sitting,
this doesn't happen nearly as often. (For information
on the free or "Pro" version of Mailwasher, see http://www.mailwasher.net/.)
The Future of Spam
New tools for fighting spam are cropping up all the
time, so keep your eyes and ears open for even better
solutions in the future. After all, there is a lot
of money to be made in fighting spam.
And though spam is undoubtedly out of control, there
is hope. Ryan Hamlin, general manager of Microsoft's
antispam technology and strategy group, believes spam
can be contained within 2 years, given the combined
efforts of legislators, large ISPs including AOL and
Earthlink, and software companies such as Microsoft
Let's hope he's right. However, he does admit that
the situation will likely get worse before it gets
better. So my suggestion is to decide the right strategy
for you, hunker down, and fight back!
Spam Prevention in a Nutshell
Don't post your e-mail address to a
Use a temporary, disposable e-mail
address in chat rooms, for listserv subscriptions,
Unsubscribe from bulk e-mail only if
you know that the e-mail is the "opt-in" variety.
Never purchase from a spammer or respond
in any way to obvious spam.
Shop only on Web sites with stated privacy
policies, and make sure to "opt-out" of future e-mail
distributions from that Web site.
Check with your ISP to see if it has
a spam filter that can be turned on for your account.
When choosing your e-mail address,
make it long and difficult to guess.
Purchase a spam-filtering product.
Spam Motel, a new source for "disposable" e-mail
addresses [http://www.spammotel.com], offers an interesting
twist on spam prevention. First, you set up an account.
Then the next time you need to provide an e-mail address,
let's say to register to use a Web site, it will create
a random @spammotel.com e-mail address that you use
instead of your "real" e-mail address. When you request
the address, you can also type in reminder notes, e.g.,
to whom you gave the address and why. Any e-mail sent
to that address in the future is forwarded on to you.
If, at any time, you want to discontinue receiving
any e-mails sent to that specific address, you can
Don't Get Conned
The first time I received the classic Nigerian e-mail
spam, I wondered whether there were really people out
there who would fall for what seemed like such an obvious
scam. Apparently there were. Many, in fact. However,
many other spam scams make their way around the Internet
that could easily trap even the more cynical amongst
The newest version typically arrives in the form
of an e-mail which states that you need to update your
credit card number, password, mother's maiden name
or Social Security number on such mainstream sites
as eBay, AOL, or Paypal, among others. Upon clicking
on a link, you are directed to a site that looks just
like the real eBay, AOL, or Paypal site, but, in fact,
is an unauthorized copy designed to lure you into providing
your personal credit information to people who no doubt
shouldn't have it.
Ironically, I recently received an e-mail from eBay
saying that my credit card information wasn't accurate,
and I discarded it, assuming it was a scam. After some
second thoughts, I decided to double-check. I went
to eBay, looked under "My Account," and found that
in fact, I DID need to correct my credit card info.
So go figure. All I can say is, "Be careful out there."
For more information on e-mail scams, see Steve Bass'
article, "Home Office: Caution! It's an E-Mail Impersonator," Feb.
12, 2003, http://www.pcworld.com/howto/article/0,aid,108949,00.asp,
and "Caution! Even More E-Mail Impersonators!," Feb.
19, 2003, http://www.pcworld.com/howto/article/0,aid,108957,00.asp,
which includes tips for protecting yourself from such
There's a new breed of vigilante out there who some
might consider to be the heroes of the cyber-world.
Spam vigilantes. Anti-spammers.
The New Zealand Herald (August 22, 2003) reported
that one such intrepid soul located a prolific spammer
by taunting him repeatedly until he responded from
his home e-mail address. Peter Bennett, a 43-year-old
director of a small IT company, then distributed the
spammer's identity and whereabouts to the anti-spam
community, resulting in a barrage of phone calls and
There are worse things than having your contact information
distributed to hostile parties. One unnamed systems
administrator tracked down a spammer, hacked into the
spammer's computer, downloaded the information on the
computer compete with nude pictures of her, and posted
it all to the Internet.
There are plenty of hackers putting their skills
to good use harassing spammers in a variety of imaginative
ways. For example, one day all 24 of the office phones
at Scott Richter's e-mail marketing company started
ringing at once, the result of an anti-spam attack
on the phone system. Some use simpler methods, tracing
spam e-mails back to their source and spamming back,
thousands of messages at a time (The Times Union,
Albany, New York, May 26, 2003).
Even some members of Congress would like to encourage
those who track down spammers. U.S. Rep. Zoe Lofgren
includes in her bill, the Reduce Spam Act of 2003,
a bounty as an incentive for reporting spam violators
But if you're tempted to take on the spammers yourself,
think again. Amateur "anti-spammers" can easily get
in over their heads. Responding to spam and/or giving
the spammers a piece of your mind can result in a flood
of additional spam. So please ... don't try this at
home. Leave it to Robin Hood.
FTC's Spam Email Harvesting Your Email
Silicon.com's Spam Report Channel
Paul Ruschmann's Anti-Spam Laws page
"How Much Spam Do We Get?"
"Study Puts a Price on Spam: Spam costs $874 per
employee per year, Nucleus Research says," PC
World, July 2, 2003,
Can Spam Be Banned?
"Legislative Attempts to Control Spam"
"Uncle Sam vs. Spam," PC World, August
Spam and the Law, PC Magazine, Feb. 25,