Do Unsubscribe Links Stop Spam?
Kaiten writes "Brian McWilliams of Spam Kings fame has just published a fascinating spammer exposé over at Salon. Using a pseudonym, he was hired to send junk email on behalf of a spam operation that has been burying people (me included) with spam for fake Rolex watches. The article details how the spammers handle the 200,000-plus unsubscribe requests they get each month. Seems that LOTS of geeks actually cross their fingers and click those remove links. And, surprise, surprise, the spammers usually ignore the unsubscribe requests."
NO
A reply confirms there is a live person behind the email address. And for those with a HTML-enabled email client, a cleverly placed (and sized, ie 1 pixel) embedded image to an external site with a unquie string keyed to your email address is yet another trick spammers have for confirming your address.
And if you like what you read you can come and hear the author speak at the MIT Spam Conference on January 21.
John.
..But the big corps too. Coincidentally, I tried to remove myself from the iTunes list (which I had accidentally enlisted for when downloading QT) only the find that the unsubscribe-URL "contained no data". Hmm. Double hmm.
Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
Do Unsubscribe Links Stop Spam?
While they don't exactly stop spam, they do prove useful. You can immediately sort possible-spam by whether it offers an unsubscribe option. If it doesn't have it, it's definitely spam. If it does have an unsubscribe link, it's either legit (newsletter perhaps), or spam disguised with a fake unsubscribe. While the fake unsubscribe doesn't really help the end user, it offers a way to track and prosecute those who violate CANSPAM which requires that the unsubscribe option be present in some form, and that it work.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
That's how I introduced myself last month, when I sent Casper an e-mail asking to join his spamming crew. I fibbed to him that I was a full-time bulk e-mailer looking for a new sponsor. I said that one of my business associates had recommended his program. (For authenticity, I lightly sprinkled typos and grammatical errors throughout the message.)
I wanted to be one of Casper's sales affiliates. In today's world of spam, a sales affiliate sends out junk mail on behalf of a spam-site operator or "sponsor," who assigns the affiliate a special tracking code to include in his e-mail ads. For every sale the affiliate's spams generate, he is paid a commission by the site operator. Sponsors also provide "remove" lists, spamming software, and other support to help their affiliates successfully market the site.
Since September, Casper and his associates had been clogging my various e-mail accounts with ads for a watch shop called Royal-Replicas.com (formerly onlinereplicastore.com). I filed several complaints with the Chinese Internet service provider hosting the site, to no avail.
I suppose I could have just clicked the "unsubscribe" links in the dozen or so spams they sent me every day. But I didn't trust these people one bit. I was sure that if I could get inside Casper's operation, I would find hard evidence confirming what savvy Internet users instinctively know: Trying to unsubscribe from spam is a fool's game.
Just look at the place. Royal-Replicas.com provides no physical mailing address in its junk e-mails or at the site. The domain's registration record lists someone in Spain as the owner. The site is hosted on a server in China, but the order page cites prices in Indian rupees as well as U.S. dollars. The headers of the spams reveal that many have been sent via "zombied" home computers. Even the headers of Casper's private e-mails are a fraud. (He routed all his messages to me through proxy computers in South Korea.)
The "About Us" page at Royal-Replicas.com doesn't help much, either. It contains little more than a bizarre rationale for buying its $300 knockoffs rather than the real thing: "Many people purchase watches that cost thousands of dollars and render the wearer liable to get their hand chopped off while walking home from a posh cocktail party."
Bulk e-mailers are required to honor list-removal requests under the U.S. CAN-SPAM law. But still it's common knowledge that clicking an unsubscribe link or handing over your e-mail address on a junk e-mailer's remove page is insane. The U.S. Computer Emergency Readiness Team (US-CERT) warns that unsubscribe links are "often just a method for collecting valid addresses that are then sent other spam." The FTC has sent warning letters to at least 77 marketers for their failure to honor unsubscribe requests.
Sure, a few spammers might take your name off to avoid trouble. But to most, you're merely confirming that they've found a live one. Next thing you know, they'll have sold your e-mail address to other spammers as "validated" -- or, in other words, ready for spamming.
At least, that's what I thought until Casper brought me onboard. My undercover mission into the heart of fake-Rolex spam didn't turn out exactly as I had expected.
I tried flattering Casper in my e-mails, gushing that he had astutely tapped into a timely and lucrative spamming niche. (You could probably find similar watches on the streets of Chinatown for $25, but hey, some people prefer the convenience of holiday shopping from home.) But Casper doesn't let just anyone join BlackMarketMoney.com. After I sent my introductory e-mail as "Chris Smith" from a free webmail account I had created, he asked to know the name of the person who had referred m
Dent: No, how much?
Prosser: None at all.
> The article details how the spammers handle the 200,000-plus unsubscribe requests they get each month
By a strange coincidence, "none at all" describes the actions taken on 200,000 remove requests a day by a bunch of ape-descended spammers targeting a group of fellow ape-descended lifeforms so amazingly primitive that they still thought that ch33p r0l3x watches were a good idea.
I didn't... then I tried it.
I went from 100-150 spam emails a day, to perhaps 5.
(identity hidden cos there's always assholes who'll be contrary turds and try adding me to spam lists just for saying that)
No, I know for sure that they don't help. For years I have been trying to get MORE spam. The main way I have done this has been unsubscribing from lists! In fact, I even "unsubscribe" an address that was never subscribed. Indeed, that new address is now getting plenty of spam.
Unsubscribing from spammer's sites will get you more spam. Unsubscribing from mailing lists will work, of course, but mailing lists != spam.
"Seems that LOTS of geeks actually cross their fingers and click those remove links"
I really don't agree. Any respectable geek shouldn't be getting spam in the first place, let alone be stupid enough to click the unsubscribe links.
Personally I haven't had more than 30-50 spams in the last 3 years or so.
I have my main address, which only 'real people' know, friends and family. It never gets any spam because it's totally secret.
Then for everything else I assign a throw away address on one of my domains, the mail on these gets checked only when I'm expecting something (like a signup confirmation/verification etc).
I also have a semi-secret address to give slightly less trustworthy people and to date that hasn't had any spam either.
Obviously I make sure none of my addresses get posted in plain text on the internet either.
It is simply a matter of keeping your address clean. The only way spammers can send me mail right now is if they brute force my email address, and that doesn't happen very often.
Unsubscribe generally does work for legitimate mass mailings, ie the ones you had to sign up for in the first place. It doesn't work for true SPAM, and indeed as others have pointed out, tends to actually make the problem worse.
It's amazing that this is considered "news", but I guess you have to repeat experiments every so often to prove that the theories they provide support for still hold water.
You see? You see? Your stupid minds! Stupid! Stupid!
Evolution lets you skip loading external/embedded images, by default, if that option is selected. I'd like to have an extra filter in there: white/blacklists (in my contact list) for message senders and image SRC URL patterns - all default to "NO". That way, senders/servers I trust - they already have my email/IP#/existence confirmed from other messages - send mesages that aren't broken. The rest can go to hell. A good filter would find messages that point at untrusted servers, and add their senders to the blacklist. That kind of Evolution plugin, with spamfilter against the blacklist, would go a long way towards suffocating the spammers drowning us in privacy invasions. And also make Evolution a much more attractive draw than, say, Outlook, for people who use their computer to communicate with other people, not with machines or reptillian spammers.
--
make install -not war
Yea it is nice. But unfortunatly I wish I had a feature to select all my spam. and forward it to spam@ftc.gov keeping all the headers.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I'm actually (at the cost of some traffic) using this to help me fight spam...
It's not just that spammers are ignoring these requests, they will actually just merge their lists with the responses (on the off chance that you might try to also unsubscribe some of your other email addresses / or a friend's email address).
In fact, if you enter just a random address in there, you can be pretty sure that this address will get spammed in the future, too.
If you use bayesian filter software, like bogofilter or spamprobe, you can turn this into an advantage. I've actually "unregistered" some previously non-existent email address on my internet domain that I'm not going use anywhere else. Now I know that any email coming in for that address is definitely spam - and can hence use it to automatically improve bogofilter/spamprobe by passing that email from procmail into them with the spam "learn" flags set.
One thing really missing is a national or perhaps even a global unique "company ID". Law makers are so eager to tag and trace individuals, but ignore company tracking. It is time for a national company-ID number.
Any company that wants to do business in the US would be required to have such a number and include it in any email they send across our borders, perhaps as a new email header attribute. Ideally it would be globally enforced and the US could pressure problem countries such as China to crack down on businesses that abuse email and/or the company number.
There are too many fly-by-night companies running around.
Table-ized A.I.
Much of spam that I get doesn't contain ANY usable information or links at all. And sometimes there are links, but they aren't even valid URLs.
What the hell is the point of spamming people with ads when they won't be able to get back to you to buy your product?
"almost 200% effective against porn spam"
So... it reduced your incoming porn spam by 200%. Which means you somehow processed negative numbers of porn spam. Which, to balance the books, must mean you became a net exporter of porn spam? :-)
---
Cthulhu holiday songs, for the gift that keeps on loathing.
www.salon.com/news/cookie.html
make it the first page before you visit the main salon.com site and it will bypass them forcing you to watch an ad.
I use it religiously.
-Meow.
John Walsh once found me while looking for some other kid. He was not amused.
i've never ever gotten a personal email asking me if i want to opt out, so i set up a filter to block anything that has the word "unsuscribe" in it. worked out well.
swanker than you
The best way is to run your own mail server and simply prevent the spammers from connecting. One way is to add blackhole lists to your MTA (Sendmail, or whatever). That really did cut my spam quite a bit. But recently I noticed I was still getting quite a bit of spam directly from China and Korea decided to get tough and start blocking net ranges completely. I had tried blocking SMTP from a few /8 address ranges before, but this time I didn't want to unnecessarily block Australia or Japan, so I took the time to look at the /16 level to find sub-ranges to block.
It's already working, too. Here are the ranges I've added so far. (The second column is the number of connection attempts that were rejected.) At this point, I only plan to add new blocks as I encounter them in actual spam.
Oh, and those first two lines? Google for Cyvelliance and you'll understand why they're there.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Two years ago, it had gotten to the point that I was getting over 200 pieces of spam a day, and not the yummy kind that comes in a tin. Before initiating an email address change, I decided to try an experiment: see if clicking those unsubscribe links actually did anything. So, for one week, I followed the unsubscribe instructions on every piece of spam I got. The result: a 2/3 reduction in spam. That's pretty significant, but hardly worth the effort in my case, as I was still getting dozens of piece of spam a day, and unless you keep up with the unsubscribing, it just goes back up to the previous level within a few weeks, anyway.
So, yeah, you CAN reduce the amount of spam, but it becomes a regular maintenance task every day, and really isn't worth it in the end.
My advice: get your own domain and handle your own email accounts. Create special ones that simply forward to your main email address, to use on sites that require an email address for full functionality, and when you start getting spam, you know where it came from, and can shut that particular email forwarder down. It's a bit of a pain, but a LOT LESS pain than trying to unsubscribe from spam.
Obviously, anti spam tools like bayesian filters and what-not are always a good idea, but can let spam get through, and can block some wanted emails.
YMMV (but probably won't).
Actually...I hate to tell you guys this, but most spammers use those unsubscribe requests all right. They use them to verify that the email address is active, and it goes into a higher priority hit list. Even if they're in the US where the law says they must honor your unsub request, there's nothing that says they can't sell the information to other spammers that this is an actively used email address with a real live person on the other end of it.
About 18 months ago I did a little experiment. I set up my own junk inboxes at different email services and started handing them out. Three of them I unsub'd every spam email I got, and the other three I didn't. Guess which one eventually ended up getting buried in 10 times more spam...
I have a friend that is quite intelligent. He did a spin on the same idea, and I recommend it to anyone that wants to cut their spam to one or two mails per week (or you could just get a gmail account--I only get a few spam messages per week over there). Here's how it works...
Go out to every free email service you can get your hands on that supports POP3 download. Hand those addresses out to every spam list you can get your hands on. Periodically (every hour or so) download those messages into your Bayesian spam filter, marking them as spam (salearn that comes with spam assassin, for instance). I know of no better way to train your filter system and keep your spam stats up-to-date.
Of course, this isn't totally free of manual intervention. There's the initial setup of all this, which is more or less a one-time thing, but for it to truly work well, you have to make sure you also pipe all your regular mail (ham, as spam assassin calls it) into your Bayesian filter as non-spam mail, and if any spam does show up at your regular address, make sure you sort it into a separate folder and deal with it as spam. The spammers are getting more and more clever every day, and the line between spam and ham gets ever fainter, requiring that much more learning by the filtering system to keep straight what's what. But it's really not more work than you go through anyway, and you'll collect far more stats to use against the spammers than you otherwise would.
And let's not forget the best part, either. Signing up for and collecting all that spam costs spammers a little change (though, you could argue it also costs the hosts of your spam accounts, though you can delete the downloaded messages off the server every hour as part of the d/l to try and minimize impact on them).
but have you considered the following argument: shut up.
1) Use a long email address that is difficult to brute-force
2) Only give it to real people
3) Use a mailinator address for online registrations and whatnot where you have to read a reply.
4) For those sites that force you to reply from a real email address to complete registration, use a spam webmail address.
This has stopped almost all spam from bugging me.
Anecdote: My first email address ever was from Cornell in 1990. Cornell has a policy that lets you keep your email address for life by setting up an auto-forward after you graduate. The irony is that Cornell, back in the days before spam, unfortunately picked an address format (initials+number@cornell.edu) that turned out to be easy to brute-force, and that I've since had to turn the auto-forward feature off due to too much spam, defeating the purpose of the "lifetime email address". oh well...
I have an account at my university that I used when Usenet was the thing, aka 15 YEARS AGO. I never played with it outside of there, and I used to have a few thousand emails waiting for me every few months. Only recently did I forward everything to /dev/null.
More recently, I returned to a consulting job I had left 6 years prior, around the start of the WWW days, when Usenet was pretty much the big thing. I re-opened my closed account, and received 50 spams within 30 minutes. Eesh.
My addresses were obviously harvested from Usenet archives (or maybe groups.google.com, but I digress). I pity the people who buy these 'guaranteed' lists of email addresses, expecting all addresses to work.