[spamfaq.net]


An FAQ for news.admin.net-abuse.email
Part 2: The Evils of Spam

Maintainer: James Farmer
Last Modified: 27-Dec-2003

TABLE OF CONTENTS

Recent Changes
 
Disclaimer
 
Preface
 
2.1  The Problem with Spam
 
2.1.1  What are UBE and UCE? What is SPAM?
2.1.2  Why is spam a problem?
2.1.3  Junk Email is bad, but won't anti-spam efforts stop us emailing anyone?
 
2.2  Advertising by Email
 
2.2.1  I want to advertise my business using bulk email! How can I do this?
2.2.2  I'm not a porn-spammer, I'm a legitimate company using bulk email!
2.2.3  Is it okay to spam if I use a remove list?
2.2.4  What if I use a global remove list?
2.2.5  What's opt-out? Opt-in? Confirmed/Double/Raspberry Opt-in?
2.2.6  What methods of opting-in are the best?
2.2.7  We bought an opt-in list but people still said we were spamming. What gives?
2.2.8  Our opt-in mailing list is contaminated with non-opted-in addresses. Can I send one last mail to its members asking them if they want to remain?
2.2.9  Are there other ways to market on the Internet?
2.2.10  I Don't Care about the Welfare of the Internet or Any of these Moral Issues, I Just Want to Make Money. Does Spam Work?
 
2.3  Legal Issues
 
2.3.1  Is spam illegal?
2.3.2  What's this about an American law legalising spam?
 
2.3.2.1  The Murkowski Bill
2.3.2.2  The CAN-SPAM Bill
2.3.3  Isn't spam protected by the First Amendment?
2.3.4  Can I get legal advice in this newsgroup?
 
2.4  Spammers
 
2.4.1  Spammers all live in trailers and eat KFC, right?
2.4.2  Spammers don't make any money, right?
2.4.3  Spammers are all scumbags, right?
2.4.4  But some spammers are scumbags, right?
 
2.5  Organisations
 
2.5.1  What is "The DMA"?
2.5.2  What is "CAUCE"?
2.5.3  Who is "MAPS"?
 
Credits
 
Use Policy

(Questions highlighted in red have been modified since the last release of this document.)

Recent Changes

Had to add a new section 2.3.2.2 about CAN-SPAM

Removed or fixed lots of dead links.

Added links to:

Disclaimer

The following document should, where not otherwise stated, be understood to represent the opinions and beliefs of the FAQ-maintainer only. I endeavour to ensure that these opinions and beliefs are as correct as possible, but take no responsibility for any problems caused by errors herein. This document should not be considered to represent the opinions of any individuals or organisations other than the FAQ-maintainer.

Please note that in this document, "we" is intended to collectively refer to all regular or semi-regular posters to the news.admin.net-abuse.email newsgroup, including those of all persuasions, and should not be read as indicating the existence of a "clique" comprising persons of similar viewpoints.

Preface

This is one of three documents I have compiled to comprise an FAQ for the news.admin.net-abuse.email newsgroup. Each document addresses points in a given area, specifically:

The SPAMFIGHTING OVERVIEW offers a taste of the many techniques people use to fight spam. The objective isn't to teach you how to fight spam (there are many far superior documents that do just this), but rather to introduce some of the techniques you can use and refer you to some more detailed works.

THE EVILS OF SPAM covers the more ethical, moral, and legal aspects of spam, including just what constitutes spam and the types of people who become spammers.

UNDERSTANDING NANAE aims to introduce all of the weird, wonderful, and sometimes impenetrable terminology that people use in news.admin.net-abuse.email (nanae). It covers both colloquialisms (e.g. "chickenboner") and technical terms (e.g. "direct-to-MX").

These three parts are designed to stand alone and don't have to be read in order; feel free to pick and choose just the bits you're interested in.

These documents shouldn't be considered to be "the" FAQ, as there are plenty of other FAQs that are superior in insight, detail, or depth of coverage. They are just an FAQ that I hope will answer some questions that have been troubling you.

These documents are currently maintained by James Farmer. If you have any suggestions for additions or corrections, then feel free to send an email to faqmaster@spamfaq.net.

The latest versions of all of these documents can always be found at http://www.lumbercartel.ca/archives/spamfaq.net/. There's also an index there, which is the easiest way to find the answer if you've got one question in particular - just find the word you're looking for and click on it!

These documents are somewhat extensive. For a quicker overview of the main things you'll need to know, have a look at George Crissman's excellent document "Your First Post to NANAE".

2.1 The Problem with Spam

2.1.1 What are UBE and UCE? What is SPAM?

These are all types of email abuse; that is, abuse _of_ the email system. They differ from abuse _on_ the email system (e.g. stalking, sexual harassment) in that they endanger the usability of electronic mail as a communications medium.

UBE stands for "Unsolicited Bulk Email" and is an email message that is:

  1. Unsolicited
    i.e. it wasn't explicitly requested by the recipient

    and

  2. Bulk (or Broadcast)
    i.e. substantively identical messages were sent to a non-trivial number of recipients

To put it another way, UBE is most of the junk email messages that plop into your email box every day. UBE isn't necessarily advertising, and emailed advertising is not necessarily UBE (advertising isn't UBE if you request it, or you knowingly request something that it is attached to, for example), but most UBE is advertising (because advertisers are the ones with the most interest in making you see something you don't necessarily want to).

UCE is often used as an alternative to "UBE" - it stands for "Unsolicited Commercial Email". Which term you prefer is largely a matter of style. UCE is easier to prove than UBE - it's easier for one individual to see if an email is commercial in nature than to see if it is sent in bulk - but UCE doesn't necessarily endanger the email system if it isn't UBE.

Of course, as a spam-victim, you will probably be in no place to judge whether a suspected spam you received really was sent in bulk, as you'll only get one copy of the spam yourself. For the most part, this doesn't matter, as you can make a jolly good guess based upon what it looks like and whether you solicited anything like it. Unsolicited advertising is rarely sent individually. As the saying goes, if it waddles like a duck and quacks like a duck then it probably is a duck.

While almost all UCE is also UBE, the converse is not true - there are whole classes of UBE that are not UCE, such as:

Five minutes spent thinking will throw up plenty more examples.

SPAM is a tasty luncheon meat produced by Hormel (http://www.hormel.com). Spam (note capitalisation differences) is a colloquial term with a large and sordid history; in news.admin.net-abuse.email it is generally used as a synonym for UBE or UCE.

The subtle differences between these terms can be confusing, but for the most part UBE and spam can be equated and UCE considered a subset of them.

Other people may have different definitions. For example, some maintain that spam is any unsolicited, non-personal email. Most definitions are broadly compatible but differ in a few places around the edges.


2.1.2 Why is spam a problem?

Many spammers (senders of spam) try to equate junk email with junk postal mail. However, there are several important differences:

So spam is a bad thing. And that's not even considering all the other problems associated with spam (crashed mailservers, scams, pornography adverts sent to children, etc)...


2.1.3 Junk Email is bad, but won't anti-spam efforts stop us emailing anyone?

As we explained above, spam is Unsolicited Bulk Email. However, when spam is discussed the emphasis is often on the "Unsolicited" - which can lead people to conclude, quite logically, that anti-spam efforts would prevent sending any email which wasn't explicitely asked for. So you wouldn't be able to send a birthday greeting to your auntie in Australia, or a private email to someone you know from a newsgroup. But this just isn't so.

But remember that the "Bulk" part of the definition - in neither of these cases would the message be sent in bulk, and thus it wouldn't be spam.

Of course, just because an email isn't spam doesn't mean that it will be welcomed by the recipient - just that it isn't abusive of the structure of the Internet.

2.2 Advertising by Email

2.2.1 I want to advertise my business using bulk email! How can I do this?

(For simplicity, I'm not going to cover ideas like sponsorship of Internet newsletters and the like, which, while technically advertising by email (and IMHO very good ideas), aren't really relevant to discussions on spam.)

You have two choices:

You can send an advert to the email addresses of people you are _sure_ have explicitly requested this advertising. This list could have been assembled by your company or it could be managed by another company who will handle sending the advert to the list for you.

Or you can send spam.

It's as simple as that.


2.2.2 I'm not a porn-spammer, I'm a legitimate company using bulk email!

Because most spammers are selling pirated software, sleazy pornography or sex-aids, or obviously illegal scams such as pyramid schemes, or cheap goods that may well have fallen off the back of a lorry, some people think that's it okay to spam if you're a legitimate mainstream company selling a product that is both legitimate and not sex-related. This is an incorrect assumption; the spam issue is about Consent Not Content. Whether promoting pornography, copyright violations, t-shirts, pizzas, medical services or books, spam threatens the Internet in exactly the same way, and if you don't have verifiable consent to send bulk email to every address on a list, you shouldn't send it.


2.2.3 Is it okay to spam if I use a remove list?

No. There are several big problems with "remove" lists:

  1. They have an inhumanly bad reputation because people have found that, on average, trying to be removed results in them being _added_ to more spam lists.

  2. Trying to get on the "remove" list of every company out there just isn't practical.

  3. Even if an email address gets removed, what's to stop it being added again later?

The technical term for using a remove list is "opt-out", which will be discussed in more detail later.


2.2.4 What if I use a global remove list?

Still no. A "global" remove list (i.e. one remove list used by everyone) sounds okay to start with, but when it's been tried, there have been problems:

  1. All too often, when spammers have got hold of the "global remove list" they've used it as a spam list - i.e. they've purposely spammed the email addresses on the global "remove" list! This is because, of course, each and every address on the global remove list is a confirmed "real" email address being read by a real person.

  2. To be effective, a global remove list would have to allow entire domains to be added. For example, anything sent to <anything>@twinlobber.org.uk will end up in my mailbox - if I wanted to be on the global remove list, would I have to add every single possible twinlobber.org.uk email address (of which there are an infinite number)? Yet if you do allow domain-wide opt-out then immediately most ISPs will opt out all of their customers, which would render this solution unattractive to much of the Direct Marketing (junk mail of all varieties) industry.

  3. Many people object to the principle of the thing. I didn't ask to receive spam, so why should I have to make the effort to be "removed"?

Around 1998, there was a "spam summit" between a group of leading antispammers and representatives of the Direct Marketing industry. One of the results was an understanding between the two sides to develop a global remove list. This caused mass controversy in the anti-spam newsgroups, which quickly subsided as the Direct Marketers allegedly reneged on every commitment they had made.


2.2.5 What's opt-out? Opt-in? Confirmed/Double/Raspberry Opt-in?

Opt-Out email marketing is similar to spam with a remove list. A company collects email addresses, sends as much advertising to them as they like, but have to remove an email address if its owner asks them to ("opts-out").

Opt-In email marketing is a system in which companies send advertising to lists of email addresses to which people are only added if they explicitly consent. Note that opt-in consent to be added to a mailing list should only be considered as consent to be added to _that_ mailing list, and not consent to be added to any other mailing lists as well.

Verified Opt-In (sometimes known as Confirmed Opt-In or Complete Opt-In) is a system by which people have to "confirm" or "verify" their wish to join a mailing list if the initial request came through a non-secure channel - e.g. an email message (the sender can be trivially forged) or a WWW form (ditto). The confirmation typically takes the form of an email message containing a unique token or URL; the recipient must reply to the message or visit the URL to confirm that they really do want to be on the mailing list.

Double Opt-In is the Direct Marketing community's name for Verified Opt-In, reflecting their belief that this makes it too difficult for people to join mailing lists.

However, many believe that Verified Opt-In is essential for these reasons:

  1. With Unverified Opt-In, anyone can "opt-in" someone else to a mailing list. (There is a common revenge tactic, known as a "list-bomb", in which you subscribe someone to a few thousand high-traffic mailing lists and watch their email box die.)

  2. People do mis-type their email address; by verifying it you can avoid spamming an innocent third-party. (See The Story of Nadine for an example of this.)

  3. Given all of this, it is impossible to tell the difference between Unverified Opt-In and Opt-Out. If you receive an advertisement supposedly sent to a "100% opt-in" mailing list when you know you haven't opted-in, the list-owner can just say "someone else must have signed you up; here's how you can remove yourself" when you challenge them about it. Are they being honest or are they opt-out spammers? If the list is run using Verified Opt-In procedures, this situation is impossible.

Opt-out is, by the way, an important component of opt-in; it should be possible for a person who has opted in to a mailing list to opt out of it at some later date. This tends to preclude opt-in lists from being passed from party to party - if you send a copy of an opt-in list to a third party, and subsequently one of your subscribers wants to be removed, how can they also be removed from the copies of that list held by the third party and anyone they might have passed the list to?

Many proponents of opt-in email marketing have stated that it produces a vastly superior response-rate than purely opt-out email marketing.

Other people will have their own definitions of these terms which differ somewhat from those I've described here (e.g. http://www.permissionmail.org/glossary.html). As ever, the FAQ-maintainer advises you to read around.


2.2.6 What methods of opting-in are the best?

Always a good favourite for an involved discussion is just what opt-in means beyond the typical setup of a mailing list. Let's look at a few examples:


2.2.7 We bought an opt-in list but people still said we were spamming. What gives?

There are a number of possibilities:

In any of the first three cases, I suggest you take it up with your list supplier... and bin that dodgy list now. In general, it is always good practice to ensure that you know exactly where the email addresses on a mailing list came from before you undertake to make use of it.


2.2.8 Our opt-in mailing list is contaminated with non-opted-in addresses. Can I send one last mail to its members asking them if they want to remain?

Ah; a tough one. There are two schools of thought on this:

Again, think things through for yourself, weigh up the pros and cons, and make an informed decision.


2.2.9 Are there other ways to market on the Internet?

Yes. Email is by no means the only way to market online, just as postal mail isn't the only way to market offline. From banner ads through sponsorship and the like, to attention-gathering innovation, there's a whole host of ways you can market. Here's just a few links to get you started:


2.2.10 I Don't Care about the Welfare of the Internet or Any of these Moral Issues, I Just Want to Make Money. Does Spam Work?

Let me put it this way; if:

  1. The reputation of your business has no value to you,

  2. Being kicked off the Internet and turned into an online pariah will not inconvenience you,

  3. You only need make a tiny number of sales to make a profit,

  4. You aren't worried about any existing or future anti-spam legislation,

  5. and You have no moral scruples whatsoever

Then it may be possible to make money using spam. Maybe. Perhaps. If you're lucky. That's why you receive spams from people selling spamware for ridiculous prices; people buy spam-sending software and find that all it's really good for is selling itself. After all, spamware doesn't have a reputation to worry about, as it's lower than mud already.

Think carefully before you start down the spam road, as it won't be easy to turn back. Sanford Wallace (see 3.2.41), for example, still has an immensely poor reputation as a result of his spamming antics in the mid-1990s.

(See also section 2.4.2.)

2.3 Legal Issues

2.3.1 Is spam illegal?

Perhaps. It depends on where you live, and may depend on certain interpretations of certain laws. I Am Not A Lawyer, but the spam laws website seems like quite a good resource for finding out about specifically anti-spam laws:

Many contend that spam is "theft by conversion" (because the spammer is "stealing" your resources to send his spam) and "trespass by chattel" (because the spammer is gaining entry to your computer (your mailbox or mailservers) against your will). These issues are beyond the legal expertise of this FAQ-writer, so if anyone can supply links to some discourse on these matters it would be appreciated.

Spam may also form a Denial of Service attack if it is sent in sufficient quantity (it can cause legitimate email to be lost as mailboxes fill with spam, can cause the network to slow down, and can even crash mailservers). This may be a crime in your locality.

Spam which forges header information to appear as if it's from another entity is very probably illegal in your locality, and it is in this area that most successful court actions have thus far taken place. Yahoo, for example, won a well-publicised court case against spammers who had forged "yahoo.com" in their spams. In another case, the owners of "flowers.com" successfully sued some spammers who had forged their domain. Here's a few links about this affair:

Spam which contains content that's illegal in your locality is, of course, illegal. But in this case it's illegal not because it's spam, but because of what it is, and thus this isn't a spam issue.


2.3.2 What's this about an American law legalising spam?

2.3.2.1 The Murkowski Bill

I'm guessing you've seen something like this in a lot of spam messages:

Under Bill s. 1618 TITLE III passed by the 105th US Congress this letter cannot be considered spam as long as the sender includes contact information and a method of removal. This is a one time e-mail transmission. No request for removal is necessary.

What happened was that a few years ago Senator Frank Murkowski (R-AK) championed a spam law that was widely panned by most anti-spam activists as being an effective green light to spamming. The bill, as it happened, died in Congress (i.e. the 105th US Congress ended before the bill could become law). That's why in all these disclaimers, it's called a "bill" - not a "law".

So no, there's no American law legalising spam. Almost all of the spam that quotes this disclaimer doesn't comply with the terms of the bill anyway. If you're interested you could have a look at the text of this bill; technical reasons prevent me giving a direct link but go to http://thomas.loc.gov/home/c105query.html and enter "S. 1618" in the "Bill Number" field, then select either the version passed by the Senate or referred in the House.

Senator Murkowski recently championed another spam-related bill. More information is available at:


2.3.2.2 The CAN-SPAM Bill

In one of the charming acronyms of which the U.S. legislature seems so enamoured, the full title of this one is "Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003". It has been dubbed the YOU-CAN-SPAM bill in many anti-spamming circles due to a general disgust with its measures.

Unlike the Murkowski bill, this one did become law; it was passed by the U.S. Senate on 25th November 2003, agreed by the House of Representatives on 8th December, and signed by President Bush on 16th December. It takes effect on January 1st 2004.

The law makes it an offence to falsify message headers and sue deceptive subject lines in spam, and requires the use of appropriate warnings in commercial email of a sexual nature. However, it rescinds the much tougher anti-spam laws of several U.S. states, and includes no right of private action; only ISPs will be allowed to pursue spammers. It has been speculated by some that this is an attempt, encouraged by bulk mailing firms, to clear away the current slew of porn-spammers and "chickenboners" and leave the ground clear for so-called "honest spam" from big companies.

Only time will tell the true effects - if any - of the CAN-SPAM law, but an Internet search on CAN-SPAM will find you lots of speculation, both informed and uninformed.


2.3.3 Isn't spam protected by the First Amendment?

No. Sanford Wallace and Cyberpromo tried to argue this in court back in the mid-1990's, but the courts ruled against them. As I understand things, freedom of speech gives you the right to speak but not the right to force people to hear you. Plus it only affects the right of government to restrict speech, and doesn't extend to private entities such as ISPs. (But I am not an American and I am not a lawyer.)

For more information, see:


2.3.4 Can I get legal advice in this newsgroup?

Many of the denizens of news.admin.net-abuse.email will be only too happy to furnish you with legal advice on any spam-related issues. However, you should remember two things:

Should you really need legal advice, this FAQ-maintainer suggests that you seek the paid hours of a trained professional.

Incidentally, these points apply also to this FAQ. The FAQ-maintainer is not trained in law and the descriptions of legal issues are merely the way this untrained monkey believes things to be.

2.4 Spammers

2.4.1 Spammers all live in trailers and eat KFC, right?

There is a popular stereotype of spammers as penniless, jobless wasters who dream of making it big and meeting a girl (see also 3.2.30 in part 3 of this FAQ, "Understanding NANAE".) While some spammers are undoubtedly like this, many are not. In fact, spammers aren't all that different from normal, regular people. In fact, spammers tend to _be_ normal, regular people. Spammers can come from any walk of society; so suit-wearing businessmen can be spammers, caring mothers can be spammers, your granny can spam and so can a kid wearing a baseball cap backwards.

And not all spammers are fly-by-night one-man businesses either; some large companies have been known to use spam. In general the stereotypes, while amusing, can distract us from the important business of dealing with spammers as fellow human beings.


2.4.2 Spammers don't make any money, right?

Despite our best efforts, some spammers do manage to make money from this business. You only have to contrast the kind of prices some professional spammers charge (a randomly chosen spammer charged $375 for a 500,000-address spamming) for their spam runs, with the cost of the resources they need (a dialup account, a piece of spamware and some harvested email addresses) to see that they're still laughing all the way to the bank even if they only ever have two or three customers.

And the authors of spamware do pretty well for themselves too. The kind of prices they charge ($299 for Desktop Server 2000!), for what are pretty simple programs, mean that the only way they can fail to make a profit is if they don't sell a single copy.

Other spam-support services must be similarly raking it in. www.bulk-isp.net for example charges $300/month for a (supposedly bulletproof) email account. Now admittedly I'm not privy to their hosting costs, but I can't believe they're not making a pretty packet out of that.

And of course there's the horde of other scams that take place over spam, from the world of "Pump & Dump" share scams (see 3.4.1 in "Understanding NANAE") to the good old favourite "You send us the money and we don't deliver the goods!".

Just about the only people I'm not so sure make money from spam are the businesses that have their websites advertised by spam ("spamvertised"). Are the few hits they'll gain from this really worth the pain and the damage to their reputations that the spam will cause? In many cases, I doubt it.


2.4.3 Spammers are all scumbags, right?

Would that the world were painted in black and white. Anti-spammers on one side, spammers on the other; a unanimous cheer would go up as we metaphorically malletted the spammers one by one. Unfortunately, it's not that simple.

It's not uncommon for otherwise good people to spam because they've been sold a service by an unscrupulous spammer. "I'll send your message to a list of 500,000 opt-in email addresses I've assembled", the spammer will say. Or maybe it's "Nobody minds getting email like this." Perhaps they've been sold on the "It's just like junk postal mail" rhetoric. Whatever the specifics, someone somewhere has sold them a boatload of lies and now they've spammed, and their business is paying the price. "What's happening? That nice Mr Spammer said nobody would mind getting our emails. After all, everyone else is doing it," they will cry.

Such people aren't the enemy; they've been wrongly advised, so now's the time to gently tell them the facts of the matter. Most people in such situations see very quickly the problems of spam and are undoubtedly feeling the extremely negative impacts on their business. They may even be able to help you to track down and eliminate the spammer who took advantage of their innocence.


2.4.4 But some spammers are scumbags, right?

Right. You've got folks selling apricot seeds as the cure for cancer, envelope-stuffing as the way of the future, viagra as the elixir of life, and information about anyone. Spammers are advertising porn to children, US dentistry in the UK, and "We'll remove you from credit blacklists!".

And even if you go beyond the obvious scams, lots of spammers are still knowingly stealing our computing resources to send their adverts, clogging up our mailboxes with their rubbish, lying, and cheating to get internet accounts.

Yup, there's a whole lotta scumbags out there.

2.5 Organisations

2.5.1 What is "The DMA"?

The Direct Marketing Association; a trade organisation and pressure group for the junk mail industry. Some parts of it are pro-spam; some parts of it are anti-spam; some parts of it don't give a damn. (Hey, I made a rhyme! :) ) For more information see:

While the DMA claims to be international, many countries have their own groupings of direct marketers, such as:


2.5.2 What is "CAUCE"?

CAUCE (Coalition Against Unsolicited Commercial Email) is an all-volunteer organisation created to advocate legislative solutions to the spam problem. CAUCE's website includes a look at the anti-spam legislation currently worming its way through the U.S. legislature. In addition, there are European, Australian and Indian versions of CAUCE.


2.5.3 Who is "MAPS"?

MAPS (Mail Abuse Prevention System) LLC is a not-for-profit organisation which has, in recent years, become an important combatant in the battle against email abuse. Amongst other things, MAPS publishes non-definitive lists of IP addresses classified according to various criteria. It is commonly believed that many Internet Providers and others use some or all of these lists, in a variety of ways, in order to reduce the amount of spam received by them or their customers. More information on MAPS can be found on their website at http://www.mail-abuse.org/.

Credits

No document of this magnitude can be the work of only one man. I would like to thank everyone who offered ideas and suggestions, everyone who pointed out grammatical errors and gaps in my logic, and places where I was just plain getting things wrong. This wouldn't have been possible without you, people.

Use Policy

You may copy and redistribute this FAQ in unmodified form by any means or media you see fit.

You may modify the presentation of this FAQ as you see fit, so long as the content remains unaltered.

You may modify the content of this FAQ so long as you appropriately credit both your changes and the original authors of this FAQ. At a minimum, the link to the FAQ's website _must_ remain in place.