by Ephraim Feig, Ph.D.

A Practical Guide to Dealing with SPAM
If you’re
the typical e-mail user, you know about SPAM. You’re angered by it, frustrated
by it and, very likely, resigned to living with it. Still, you probably hope
anti-SPAM efforts will yield better and better results in the future.
Various studies have shown that SPAM now accounts for more
than half of all e-mails, and that it caused more than $40 billion in financial
losses last year, more than double the 2003 figures.
Moreover, a lot of SPAM leads to further intrusion and fraud.
SPAM mail might contain “spyware” that’s installed on a user’s machine
upon opening the SPAM e-mail.
More ominously, SPAM e-mail might deploy “phishing”
techniques. Typically, these are legitimate-looking e-mails from familiar-looking
sources sent to surreptitiously capture private information. A common phishing
scheme is to send a link to a website that appears to the user to be a
legitimate financial institution. (Yes, they know where you do your online
banking and shopping.) The e-mail asks him or her to update sensitive
information. Of course the website is a fake, but it’s constructed so well
that it fools the user.
Fortunately, you can take relatively simple proactive steps to
mitigate the debilitating effects of SPAM. We’ll address several types of users
— end users (receivers of e-mail, both individuals and organizations) and
organizations that send out large amounts of legitimate e-mail.
The former group wants to isolate as many SPAM e-mails as
possible while minimizing false positives (non-SPAM e-mails that are classified
as SPAM and isolated). The latter group wants to make sure that as many of their
legitimate e-mails as possible reach their desired destination and are not
classified by the receivers’ systems as SPAM. Furthermore, even if their e-mails reach their
destination, they don’t want their recipients or, even more threateningly,
legal authorities to consider them SPAM.
Don’t respond to any e-mail from an unfamiliar source. A
response rate of even one in several thousand makes it worthwhile for spammers.
Plus, by responding — even if you ask the sender to cease and desist — you’re
telling spammers that your e-mail address is valid.
Likewise, don’t click on any links in unsolicited e-mails,
even “unsubscribe” and “remove” links. Again, this just confirms that your e-mail address is valid.
Don’t respond to e-mails that ask you to send personal
information or that link you to a website that asks for it. Avoid
this even if the source of the e-mail is familiar and the linked website looks
legitimate. Limit the number of websites with which you register.
Don’t open unsolicited e-mails, unless you’ve blocked HTML
graphics. Modern e-mail systems can track if you open
HTML e-mails. If you use Microsoft Outlook, turn off the preview pane.
Otherwise, any e-mail that is previewed is actually opened,
and spammers will have validated your address. If you want to see more details,
change the “current view” to enable “messages with AutoPreview.” You will
only see parts of text content, no HTML.
If you’re overwhelmed with SPAM, change your e-mail address. Make sure you let your contacts know your new address.
This is drastic, but very effective. Remember, you must be vigilant with your
new address and follow the aforementioned suggestions.
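
The advice above about blocking HTML graphics rests on how HTML mail is rendered: when a message is opened or previewed, the mail client fetches any remote images or stylesheets it references, and that request tells the sender the address is live. The following Python code is an added example, not part of the original article; it lists the remote resources a message would fetch, and the sample message, host names and recipient token in it are constructed.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; hosts, addresses and the rcpt token are made up.
RAW = """\
From: offers@example.net
To: you@example.org
Subject: Special offer
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="cid:logo123" alt="logo">
<img src="http://tracker.example.net/open.gif?rcpt=you%40example.org" width="1" height="1">
<link rel="stylesheet" href="https://cdn.example.net/s.css?id=abc123">
<a href="https://example.net/offer">See offer</a>
</body></html>
"""

# (tag, attribute) pairs a client requests automatically while rendering.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"),
              ("script", "src"), ("body", "background"), ("video", "poster")}

class RemoteFinder(HTMLParser):
    """Collects auto-fetched attributes that point at http(s) URLs."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if (tag, name) in AUTO_FETCH and urlparse(url).scheme in ("http", "https"):
                self.remote.append((tag, url))

def remote_fetches(raw_message):
    """Return (tag, url) pairs that would be requested on open or preview."""
    msg = message_from_string(raw_message, policy=default)
    finder = RemoteFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.remote

if __name__ == "__main__":
    for tag, url in remote_fetches(RAW):
        print(f"would fetch <{tag}>: {url}")
```

The embedded `cid:` image and the ordinary link are not reported, because neither causes a network request until the reader acts.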
You can minimize the amount of SPAM that’s sent to you, but
you can’t stop it altogether. To keep SPAM that has been sent to you or your
organization from actually reaching your inbox, you’ll either
have to install a SPAM checker on your computer or use an ISP that already
provides such a service. If you do it yourself, you can install the checker on
your personal computer.
Or, at work, your organization might decide to install an
enterprise-grade system on its mail server. Such a system will scan your incoming
e-mails and sort them according to whether it determines they are SPAM. SPAM
e-mail will go to a special folder; the rest will flow to wherever they usually
flow (most often your regular inbox, unless you direct e-mails from specific
addresses to other folders).
Most people are familiar with these filters, even if they’ve
never installed one. For example, if you use Yahoo mail, you may configure your
system to direct identified SPAM (by Yahoo’s own SPAM-checking filter) to its
“Bulk” folder. You may scan e-mails in your SPAM folder if you’re worried
about false positives, but be careful. Most people just delete them.
Simpler SPAM checkers scan e-mail content for telltale signs
of SPAM; typically, these are familiar SPAM words or phrases often called “filter
triggers.” Unfortunately, spammers are adept at avoiding them.
Moreover, these simple filters often classify legitimate
e-mails as SPAM (so-called false positives). More sophisticated filters are
provided by specialized services that, in near real time, identify IP
addresses of servers that send out SPAM. They then send these addresses to their
subscribers, who install special software on their computers, where continuously
updated “blacklisted” server lists are maintained. When an incoming e-mail
comes from any of these blacklisted servers, it’s isolated.
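
The two filter types described above can be compared side by side. The following Python code is an added example, not part of the original article: it applies a trigger-word check and a sender blacklist to constructed messages, showing both the missed obfuscated message and the false positive, and how normalizing text before matching recovers the former. The trigger list, IP addresses (documentation ranges) and sample messages are all constructed.

```python
import re
import unicodedata

# Constructed sample data; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real mail servers.
TRIGGERS = {"free", "winner", "act now", "guaranteed"}
BLACKLIST = {"203.0.113.45"}
# Look-alike characters often substituted to dodge literal matching.
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "@": "a", "$": "s"})

def _match(text):
    return {t for t in TRIGGERS if re.search(r"\b" + re.escape(t) + r"\b", text)}

def naive_hits(text):
    """Literal, case-insensitive phrase matching (the simple checker)."""
    return _match(text.lower())

def normalized_hits(text):
    """Match after folding accents, look-alikes and punctuation inside words."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(LOOKALIKES)
    folded = re.sub(r"(?<=\w)[.\-_*](?=\w)", "", folded)  # f.r.e.e -> free
    return _match(folded)

def classify(sender_ip, text, matcher):
    """Blacklist check first, then content triggers."""
    if sender_ip in BLACKLIST:
        return "spam (blacklisted sender)"
    hits = matcher(text)
    return f"spam (triggers: {sorted(hits)})" if hits else "inbox"

SAMPLES = [  # (sender IP, body), all constructed
    ("198.51.100.7", "You are a W1NNER! Claim your fr3e prize"),
    ("198.51.100.8", "Lunch is free on Friday for the whole team"),
    ("203.0.113.45", "Quarterly report attached"),
    ("198.51.100.9", "Meeting moved to Thursday"),
]

if __name__ == "__main__":
    for ip, body in SAMPLES:
        print(f"{body!r}\n  naive:      {classify(ip, body, naive_hits)}"
              f"\n  normalized: {classify(ip, body, normalized_hits)}")
```

Normalization catches the obfuscated message, but the legitimate lunch announcement is still flagged, which is why content checks alone produce false positives.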
Finally, here are some suggestions for those who send e-mails
and want to ensure they’re not SPAM or mistaken for it:
Always use accurate header information. If
you’re promoting or advertising, include your valid postal address.
Only use domain names that are registered to actual people or
entities. Include a prominent return e-mail address
and a convenient option to opt out from receiving further e-mails.
Honor opt-out requests as soon as you can.
This should definitely be done within 10 days of the request.
Only buy e-mail lists from reputable vendors.
Avoid trigger words or phrases. You
can find lists of SPAM filter triggers online. A Google search for the words “spam,
trigger, words” yields several.
Test your e-mails before sending them in bulk. You
can do this by sending e-mails to yourself, colleagues and friends, or by using
special tools that test for triggers. Some are free online, such as
www.enetplace.com/spam-checker.html.
Check if your domain is blacklisted. Some
services will do this for a fee, or you can do it free online. For example,
www.mxtoolbox.com will give you the status of your domain with many common
blacklists.
If you send out massive amounts of e-mail, consider using a
reputable service.
The SPAM tug-of-war is a cat-and-mouse game. As technology improves at detecting
and stopping SPAM, spammers find new ways to evade it. SPAM is illegal. (Read
about the SPAM laws at www.spamlaws.com.) So far, however, even with several
famous applications of the law against spammers, the abuse is still rampant and
growing.
Legal approaches should mitigate the problem in the future. I
believe the most significant influencer will be average users who adopt
common-sense protocols of e-mail etiquette and practice SPAM avoidance, both as
receivers and senders.
Ephraim Feig, Ph.D., represents San Diego-based Kintera, an
innovative provider of software as a service to help nonprofits foster a
powerful sense of community to achieve their mission. For more information, log
on to www.kintera.com.