Forgot your password?
typodupeerror

Do Unsubscribe Links Stop Spam? 521

Posted by timothy
from the click-here-to-find-out dept.
Kaiten writes "Brian McWilliams of Spam Kings fame has just published a fascinating spammer exposé over at Salon. Using a pseudonym, he was hired to send junk email on behalf of a spam operation that has been burying people (me included) with spam for fake Rolex watches. The article details how the spammers handle the 200,000-plus unsubscribe requests they get each month. Seems that LOTS of geeks actually cross their fingers and click those remove links. And, surprise, surprise, the spammers usually ignore the unsubscribe requests."
This discussion has been archived. No new comments can be posted.

Do Unsubscribe Links Stop Spam?

Comments Filter:
  • by killmenow (184444) on Wednesday December 15, 2004 @12:20PM (#11093028)
    NO
    • by beh (4759) * on Wednesday December 15, 2004 @12:40PM (#11093287)

      I'm actually (at the cost of some traffic) using this to help me fight spam...

      It's not just that spammers are ignoring these requests, they will actually just merge their lists with the responses (on the off chance that you might try to also unsubscribe some of your other email addresses / or a friend's email address).

      In fact, if you enter just a random address in there, you can be pretty sure that this address will get spammed in the future, too.

      If you use bayesian filter software, like bogofilter or spamprobe, you can turn this into an advantage. I've actually "unregistered" some previously non-existent email address on my internet domain that I'm not going use anywhere else. Now I know that any email coming in for that address is definitely spam - and can hence use it to automatically improve bogofilter/spamprobe by passing that email from procmail into them with the spam "learn" flags set.
      • by severoon (536737) on Wednesday December 15, 2004 @02:18PM (#11094521) Journal

        Actually...I hate to tell you guys this, but most spammers use those unsubscribe requests all right. They use them to verify that the email address is active, and it goes into a higher priority hit list. Even if they're in the US where the law says they must honor your unsub request, there's nothing that says they can't sell the information to other spammers that this is an actively used email address with a real live person on the other end of it.

        About 18 months ago I did a little experiment. I set up my own junk inboxes at different email services and started handing them out. Three of them I unsub'd every spam email I got, and the other three I didn't. Guess which one eventually ended up getting buried in 10 times more spam...

        I have a friend that is quite intelligent. He did a spin on the same idea, and I recommend it to anyone that wants to cut their spam to one or two mails per week (or you could just get a gmail account--I only get a few spam messages per week over there). Here's how it works...

        Go out to every free email service you can get your hands on that supports POP3 download. Hand those addresses out to every spam list you can get your hands on. Periodically (every hour or so) download those messages into your Bayesian spam filter, marking them as spam (salearn that comes with spam assassin, for instance). I know of no better way to train your filter system and keep your spam stats up-to-date.

        Of course, this isn't totally free of manual intervention. There's the initial setup of all this, which is more or less a one-time thing, but for it to truly work well, you have to make sure you also pipe all your regular mail (ham, as spam assassin calls it) into your Bayesian filter as non-spam mail, and if any spam does show up at your regular address, make sure you sort it into a separate folder and deal with it as spam. The spammers are getting more and more clever every day, and the line between spam and ham gets ever fainter, requiring that much more learning by the filtering system to keep straight what's what. But it's really not more work than you go through anyway, and you'll collect far more stats to use against the spammers than you otherwise would.

        And let's not forget the best part, either. Signing up for and collecting all that spam costs spammers a little change (though, you could argue it also costs the hosts of your spam accounts, though you can delete the downloaded messages off the server every hour as part of the d/l to try and minimize impact on them).

      • by Ozwald (83516) on Wednesday December 15, 2004 @05:44PM (#11097256)
        I'm wondering, you can kill a goldfish by giving it too much food. It just keeps eating and eating until it runs out of food or dies.

        Running Spammers out of money just isn't happening, not sure why. But what if we did the opposite? We run the "unsubscribe" link with a script that creates millions of invalid email addresses (on an non existant domain please, not mine). Their system will automatically add it to their database. If enough people do this, what if anything will break? I'm thinking that the signal to noise ratio on their distribution CD's will give them a nightmare of a maintenance issue or make it take to long to transmit overwhelming their SMTP service, but I dunno.

        Oz
    • Re:That's easy... (Score:5, Informative)

      by baryon351 (626717) on Wednesday December 15, 2004 @12:43PM (#11093327)
      I'm not so sure. As an experiment early this year, march I guess, I went through my entire junk mail folder in an attempt to get as much spam as I could. What the hell, hey, I'm getting several hundred messages a day and more can't hurt, and even if it trebled it'll help train my spam filter, right? I entered my email address in all the unsubscribe links I could find.

      I forgot about it for a while, and it wasn't until 2 months later I noticed an EXTREME drop in the number of spam emails. My last entire week of spam totals 51 emails. Curiously, not one of them contains an unsubscribe link. It's not down to "stopping spam" but it's a couple of orders of magnitude less. I never kept detailed stats on exactly when the drop off occurred, so I can't for sure say the unsubscribe links stopped it, but they certainly didn't add to it.

      This story has inspired me to test entering a brand new unguessable email address into unsubscribe forms online, to see what happens coming from the other direction. That's going to take effort to dig up email archives though. I just don't have any spam available WITH unsubscribe links any more.
      • Sorry for the latin, but I've always wanted to use that bit seriously just once...

        Just because your spam dropped at that point that doesn't mean it was due to your unsubscribing session. There are many reasons why your spam levels fell. Perhaps your ISP/mail provider installed better spam filtering, perhaps the spammers responsible for a large proportion of your junk mail were shut down one way or another, etc.

        There are many possible causes for the effect, so don't assume that you using the unsubscribe li
      • With suggestions like that you're a spammer, aren't you... go on, you can tell me, I won't tell anyone else :-)
      • Re:That's easy... (Score:4, Interesting)

        by Alphi1 (557250) on Wednesday December 15, 2004 @01:23PM (#11093812)
        I'm not so sure. As an experiment early this year, march I guess, I went through my entire junk mail folder in an attempt to get as much spam as I could. What the hell, hey, I'm getting several hundred messages a day and more can't hurt, and even if it trebled it'll help train my spam filter, right? I entered my email address in all the unsubscribe links I could find. I forgot about it for a while, and it wasn't until 2 months later I noticed an EXTREME drop in the number of spam emails. My last entire week of spam totals 51 emails. Curiously, not one of them contains an unsubscribe link. It's not down to "stopping spam" but it's a couple of orders of magnitude less. I never kept detailed stats on exactly when the drop off occurred, so I can't for sure say the unsubscribe links stopped it, but they certainly didn't add to it. This story has inspired me to test entering a brand new unguessable email address into unsubscribe forms online, to see what happens coming from the other direction. That's going to take effort to dig up email archives though. I just don't have any spam available WITH unsubscribe links any more.

        I did something similar a little while ago... I've had my home e-mail address for many years (going back to when I was more naive than now, with my e-mail posted on web pages, newsgroups, and the like).

        Because of all of that, I used to get a bunch of spam e-mails (I don't remember off the top of my head, but I thought it was around 90-120 a day.


        I was very close to just closing the account and opening a new one (to get a fresh start), when I decided to try something.


        I figured I'd try clicking all the unsubscribe links I could, all the while tracking (weekly) how many spam e-mails I was getting.


        To make a good experiment, I kept statistics for a few weeks before I even started, and got my averages then.


        Then I clicked the "unsubscribe" links every time I could find one in the spams coming to me.


        I did that for about a month.


        After that month, I *DID* notice a significant drop in spams (down about 50% on average), which was a pleasant surprise.


        The bad thing, is that it was only temporary. After a few months passed, I was right back up to the original level.


        So long story short - it seemed to help in the short-term, but long-term it didn't help. On the other hand, long-term didn't exactly hurt either (I'm still not getting MORE spam e-mails on that account than before I started my experiment).

      • Re:That's easy... (Score:3, Interesting)

        by sootman (158191)
        Testing is definitely a good idea, especially if you have complete control over the new address. If you're with an ISP that you can tell to let all mail pass, or if you run your own server, great. I've seen mail (hotmail in particular, but I have many accounts) go up and down, from 100s of spams per week to 10s and back to 100s, as the provider changes filters.
    • Re:That's easy... (Score:5, Informative)

      by BMcWilliams (621149) on Wednesday December 15, 2004 @12:43PM (#11093333) Homepage
      Fwiw, if you make it to the end of the article, you'll see that the Rolex spammers actually DID remove me from their lists. (Don't try this at home.)
      • Silly reporter, thinking the people here actually read the beginning of the article, let alone the end...
  • Don't do it! (Score:5, Informative)

    by sjrstory (839289) * on Wednesday December 15, 2004 @12:20PM (#11093030) Homepage
    A reply confirms there is a live person behind the email address. And for those with a HTML-enabled email client, a cleverly placed (and sized, ie 1 pixel) embedded image to an external site with a unquie string keyed to your email address is yet another trick spammers have for confirming your address.
    • That is another reason I like gmail... when you open an email in gmail they won't open external images unless you specifically ask to....

    • Re:Don't do it! (Score:5, Informative)

      by NardofDoom (821951) on Wednesday December 15, 2004 @12:25PM (#11093104)
      Apple's Mail.app has a good feature that doesn't load messages in suspected spam unless you click a button. Quite handy. Not sure if it's in Thunderbird, though.
    • Since Outlook SP2 blocks images now, I'm wondering if spammers have found any other workarounds to finding ways to validate users through HTML, such as other embedded objects that Outlook has...*snicker*..overlooked.
    • Re:Don't do it! (Score:2, Insightful)

      by scooby111 (714417)
      WHich just so happens to prove the submitter is wrong in his assumption that any geek would actually click the "Unsubscribe" link. Any geek that displays external images or clicks on such a link needs to have his head examined unless he or she actually wants more spam.
    • Ohh paranoia.

      Look spammers are lazy. (otherwise maybe they'd get a real job)

      Using unsub links to confirm or small images to confirm is like effort. Lazy people don't like effort. They are more likely to just get the list and use it untill they get a new list, ignoreing all removels and maybe using 1 pixel images to produce a web server report to show clients spam is read.

      I'm not saying the things you say don;t happen just not as much as you seem to be indicating (ie less than 1% or the time probably lowe
      • Re:Don't do it! (Score:4, Insightful)

        by DigitalRaptor (815681) on Wednesday December 15, 2004 @12:41PM (#11093307) Homepage
        That may have been the case in the past, but it certainly isn't now.

        In the past you would get a little spam from a lot of sources, now you get a ton of spam from just a few sources, and these sources are very good at what they do. It's their business.

        Many of them have invested countless hours in custom tools to improve their profitability and the ease with which they spam.

        There are exceptions to this, of course.

        But as evidence that they are very proactive in grooming their lists, see the recent Slashdot story that turning off your mail server for just one day will get you removed from 90%+ of spam lists. That is a very fast response, and does not indicate laziness or complacency.

      • Analyze a few spam messages. Multiple versions of the *same* message come from multiple sources. Whoever hires the spammers supplies a pre-written message containing all that sneaky code, probably written by a disgruntled or greedy geek.

    • "And for those with a HTML-enabled email client"

      It's for this reason I have my OSX Mail app configured to not load embedded images and objects in incoming HTML.

      ---

      Cthulhu holiday songs [cthulhulives.org], for the gift that keeps on loathing.

    • Some people say spammers don't clean up their lists of email addresses of the ones that bounce.

      If this is true, then why would they bother with confirming that each address is "live"?
      • Re:Don't do it! (Score:4, Insightful)

        by Nerftoe (74385) on Wednesday December 15, 2004 @12:40PM (#11093294)
        Some people say spammers don't clean up their lists of email addresses of the ones that bounce.

        If this is true, then why would they bother with confirming that each address is "live"?


        I believe that a very small majority of spammers go through with the efforts of tracking their "spamees". What incentive do they have to clean up their e-mail lists? Why take a chance of eliminating any possible "spamees"? Do they really care if they send out 500,000 spams instead of 750,000 spams? Of course not.
    • Evolution++ (Score:4, Interesting)

      by Doc Ruby (173196) on Wednesday December 15, 2004 @12:38PM (#11093264) Homepage Journal
      Evolution lets you skip loading external/embedded images, by default, if that option is selected. I'd like to have an extra filter in there: white/blacklists (in my contact list) for message senders and image SRC URL patterns - all default to "NO". That way, senders/servers I trust - they already have my email/IP#/existence confirmed from other messages - send mesages that aren't broken. The rest can go to hell. A good filter would find messages that point at untrusted servers, and add their senders to the blacklist. That kind of Evolution plugin, with spamfilter against the blacklist, would go a long way towards suffocating the spammers drowning us in privacy invasions. And also make Evolution a much more attractive draw than, say, Outlook, for people who use their computer to communicate with other people, not with machines or reptillian spammers.
    • Re:Don't do it! (Score:4, Informative)

      by famebait (450028) on Wednesday December 15, 2004 @12:47PM (#11093372)
      A reply confirms there is a live person behind the email address.

      Yes, but a live address that isn't likely to respond well to spam. I find it remarkable that so many people love to try to look smart by repeating that old abiout unsubscribe just getting you more spam lists, while obviously noone has actually checked if it is the case.

      Well, I have. At one point my spam bucket just became too big to check in any case (~200/day), so I thought "what the heck; let's see what happens".

      I unsubscribed everything that worked for two days straight. Spam went down 50% over the next few days. Then started to slowly rise again, and after a couple of months was back on the curve that previous history would have predicted.

      Interestingly, it seemed least effective for viagra and penis enlargement spam (which was also the class that often didn't even have a link), and almost 200% effective against porn spam (for the next two months, only one easily recognisable source kept bugging me).

      So the idea that you will necessarily only increase your spam load by using the links does seem to be just a myth, and even the percetion that no spammers heed them.

      Now, that doesn't mean I'm claiming the famous opt-out exploitation has never happened, that the majority of spammers will effect your unsubscribtion, that the effort is worth it, that unsubscribing is any sort of good alternative to a proper filter, or that spammers don't deserve to die in screaming agony in any case. Just reminding people that hearsay is hearsay, even if it sounds like the "expert" opinion.
      • by MooseByte (751829) on Wednesday December 15, 2004 @01:05PM (#11093579)

        "almost 200% effective against porn spam"

        So... it reduced your incoming porn spam by 200%. Which means you somehow processed negative numbers of porn spam. Which, to balance the books, must mean you became a net exporter of porn spam? :-)

        ---

        Cthulhu holiday songs [cthulhulives.org], for the gift that keeps on loathing.

      • Re:Don't do it! (Score:3, Interesting)

        by _Sprocket_ (42527)


        Yes, but a live address that isn't likely to respond well to spam. I find it remarkable that so many people love to try to look smart by repeating that old abiout unsubscribe just getting you more spam lists, while obviously noone has actually checked if it is the case.

        A friend of mine worked for a spammer. The outfit wasn't as shady as these guys - they did sell legitimate products, as far as that goes. But they purchased email databases and didn't use any opt-in verification.

        My friend was hired

      • Re:Don't do it! (Score:4, Interesting)

        by droleary (47999) on Wednesday December 15, 2004 @03:46PM (#11095774) Homepage

        Well, I have. At one point my spam bucket just became too big to check in any case (~200/day), so I thought "what the heck; let's see what happens".

        This is where your little experiment went wrong. You used an address that was already on all the spammers' lists. You saw a drop when they shifted from one temporary domain to another (brand new domain == brand new unsubscribe necessary, according to spammer logic), but you never left their master lists and you were never added to any new ones. I suggest trying again with a fresh address that has only just begun to receive spam.

        I unsubscribed everything that worked for two days straight. Spam went down 50% over the next few days. Then started to slowly rise again, and after a couple of months was back on the curve that previous history would have predicted.

        And that is the point (or pointlessness) of the issue with unsubscribe links. Whether or not you see a big jump after using one isn't really significant. What matters is that you never stop getting spam. Its volumes is always increasing; and there is no solution worth trying unless it permanently reduces the spew.

  • How many people... (Score:2, Insightful)

    by idobi (820896)
    expect the unsubscribe link to work?
    • Enough that spammers know that they can use them to further build their databases.
    • expect the unsubscribe link to work?

      Many people do. Most people are not tech savvy. My parents, aunts, uncles, cousins, sisters would expect them to work. Most people are none the wiser still and that is who it works on.
    • by Anonymous Coward
      I didn't... then I tried it.

      I went from 100-150 spam emails a day, to perhaps 5.

      (identity hidden cos there's always assholes who'll be contrary turds and try adding me to spam lists just for saying that)
      • 1. You unscribe to spam from Spammer A.
        2. Spammer A stops spamming you.
        3. Spammer A then sells his list to Spammers B, C, D, etc.
        4. Mail from Spammers B, C, D, etc start hitting your inbox.
        5. Eventually, Spammer A reacquires your name from a list he's bought.

        Etc, etc.

        Never tell the spammers your account is genuine. Better that they think it's either non-existant or dormant. They have less of an incentive spamming accounts that they believe to be dead than they do one which they know to be actively in use.
    • "expect the unsubscribe link to work?"

      It really depends. If it is a legitimate company, I expect unsubscribe to work. Since I do a lot of E-commerce, I end up on a lot of email lists. Unsubscribe has always worked on them. But we are talking about spam here. I don't even read spam. I delete it unopened.

      I use Yahoo for mail and most of it gets filtered before I even see is. I delete my bulk email without looking and I delete anything from an unknown user without opening. The only way a spammer will

  • I had to fire up Internet Explorer to read the article, as the ads didnt work in firefox :( ...
    • " I had to fire up Internet Explorer to read the article, as the ads didnt work in firefox"

      They worked perfectly for me. Maybe you nee to update or add plugins.

  • And this somes as a suprise to WHO?
    • Now, I don't see what the World Health Organization has to do with spam...
    • Lots of less-clued-up people, unfortunately. I tried to explain this to a couple of secretaries at my last job, but despite the fact that their efforts to unsubscribe from spam lists had zero, if not a negative, effect on the quantity of spam they were getting, they still didn't believe me. Some people are just born suckers.
  • MIT Spam Conference (Score:5, Informative)

    by JohnGrahamCumming (684871) * <slashdot&jgc,org> on Wednesday December 15, 2004 @12:21PM (#11093045) Homepage Journal
    And if you like what you read you can come and hear the author speak at the MIT Spam Conference [spamconference.org] on January 21.

    John.
  • by erikkemperman (252014) on Wednesday December 15, 2004 @12:21PM (#11093055)
    ..But the big corps too. Coincidentally, I tried to remove myself from the iTunes list (which I had accidentally enlisted for when downloading QT) only the find that the unsubscribe-URL "contained no data". Hmm. Double hmm.
    • by Anonymous Coward
      That sounds more like the usual WebObjects bugs...
    • by eMartin (210973) on Wednesday December 15, 2004 @12:57PM (#11093492)
      Much of spam that I get doesn't contain ANY usable information or links at all. And sometimes there are links, but they aren't even valid URLs.

      What the hell is the point of spamming people with ads when they won't be able to get back to you to buy your product?
    • ..But the big corps too. Coincidentally, I tried to remove myself from the iTunes list (which I had accidentally enlisted for when downloading QT) only the find that the unsubscribe-URL "contained no data". Hmm. Double hmm.

      That's shitty business. But for those of you unaware, you don't have to give them any info at all to download the software just unclick the subscription boxes and download away.

      Or if you insist on putting something in there, I've found that steve.jobs@apple.com works well.
  • by Anonymous Coward
    Using the link will

    a. confirm your address
    b. be ignored / or removed from that 'particular' offer list
    c. added to 100s of other lists

    unsubscribe is a bit fuzzy

    spammer may unsubscibe you from one list, company or offer while adding you to many others
  • by lordbry (46768)
    Usually I go through periodically and unsubcribe the ones I can. The volume then goes down for a couple weeks, so it is worth it.

    Often, however, the unsubscribe links don't even display a page, much less get me unsubscribed. Porn spam is actually one that I have noticed DOES work more often. I started getting porn spam at work, and being one of the network admins, told the other guys that I would be going to porn spam site to unsubscribe, and they actually worked. That was 1 1/2 months ago, no more por
  • Anti-Spam Laws? (Score:2, Interesting)

    by FortKnox (169099)
    Doesn't that violate some states anti-spam laws? I thought one of the points is to make a way for people to remove themselves from the list in a way such as this...
    • Sure it might take you off of that particular list, but who's to say how many other lists it put you on? And AFAIK (and IANAL) that isn't illegal.
    • Re:Anti-Spam Laws? (Score:3, Insightful)

      by Zorilla (791636)
      You must be new....uh....to spam :)
    • They probably would say in court that their opt-out server just happened to be down due to misfortune. A broken link "proves" that you tried.

      -Jesse
    • " Doesn't that violate some states anti-spam laws?"

      Yes, it violates Federal law. This is from the article:
      "Bulk e-mailers are required to honor list-removal requests under the U.S. CAN-SPAM law. But still it's common knowledge that clicking an unsubscribe link or handing over your e-mail address on a junk e-mailer's remove page is insane. The U.S. Computer Emergency Readiness Team (US-CERT) warns that unsubscribe links are "often just a method for collecting valid addresses that are then sent other spam.

  • no, they now have the images link back to the server to confirm your email address. it is all worthless.

    until they come up with a real solution, we won't have much to fight it.
    • by tgd (2822)
      Why are you loading the images in the spam you get?

      • I can think of a reason why: what if someone wrote a thunderbird extension that instead of blocking the loading of images, loaded the images 100 times. for successive spams that link to images on the same domain or ip load the images 1000 times, 10000 times, etc. If enough people had this extension it could really work. (And get us all thrown in jail, but that's beside the point).

        OK so that's probably not the reason that the grandparent was loading the images, I don't know what he was thinking.

  • Yes and No (Score:5, Insightful)

    by Doesn't_Comment_Code (692510) on Wednesday December 15, 2004 @12:25PM (#11093098)
    Do Unsubscribe Links Stop Spam?

    While they don't exactly stop spam, they do prove useful. You can immediately sort possible-spam by whether it offers an unsubscribe option. If it doesn't have it, it's definitely spam. If it does have an unsubscribe link, it's either legit (newsletter perhaps), or spam disguised with a fake unsubscribe. While the fake unsubscribe doesn't really help the end user, it offers a way to track and prosecute those who violate CANSPAM which requires that the unsubscribe option be present in some form, and that it work.
    • You can immediately sort possible-spam by whether it offers an unsubscribe option. If it doesn't have it, it's definitely spam.

      Strike that... reverse it.

      Mail that has an unsubscribe link is more likely to be commercial solicitation than it is to be, say, a message from a bud. Most of the heuristics I've seen use "Unsubscribe link" as a positive indicator of spamness.
    • Re:Yes and No (Score:3, Insightful)

      by JuggleGeek (665620)
      You can immediately sort possible-spam by whether it offers an unsubscribe option.

      Bullshit. I've seen normal email (from individual people, not mailing lists) get caught in spam filters.

      I run a (very small, very specialized) mailing list myself. I've met almost everyone on it personally, and I used a confirmed opt in system so nobody is on it by accident. I don't put any "unsubscribe" instructions in it. On occassion, people want to be removed, or to have it sent to a different account. They simpl

  • According to tFA, was that some spammer "affiliates" actually seemed to honor the remove requests.
  • by Anonymous Coward on Wednesday December 15, 2004 @12:26PM (#11093121)
    Dec. 14, 2004 | Casper Jones is the head of BlackMarketMoney.com, a spam operation that's been pelting the Internet with junk e-mail for fake Rolex watches. I'm almost positive his name is a pseudonym. But does he know that Chris Smith is not my real name?

    That's how I introduced myself last month, when I sent Casper an e-mail asking to join his spamming crew. I fibbed to him that I was a full-time bulk e-mailer looking for a new sponsor. I said that one of my business associates had recommended his program. (For authenticity, I lightly sprinkled typos and grammatical errors throughout the message.)

    I wanted to be one of Casper's sales affiliates. In today's world of spam, a sales affiliate sends out junk mail on behalf of a spam-site operator or "sponsor," who assigns the affiliate a special tracking code to include in his e-mail ads. For every sale the affiliate's spams generate, he is paid a commission by the site operator. Sponsors also provide "remove" lists, spamming software, and other support to help their affiliates successfully market the site.

    Since September, Casper and his associates had been clogging my various e-mail accounts with ads for a watch shop called Royal-Replicas.com (formerly onlinereplicastore.com). I filed several complaints with the Chinese Internet service provider hosting the site, to no avail.

    I suppose I could have just clicked the "unsubscribe" links in the dozen or so spams they sent me every day. But I didn't trust these people one bit. I was sure that if I could get inside Casper's operation, I would find hard evidence confirming what savvy Internet users instinctively know: Trying to unsubscribe from spam is a fool's game.

    Just look at the place. Royal-Replicas.com provides no physical mailing address in its junk e-mails or at the site. The domain's registration record lists someone in Spain as the owner. The site is hosted on a server in China, but the order page cites prices in Indian rupees as well as U.S. dollars. The headers of the spams reveal that many have been sent via "zombied" home computers. Even the headers of Casper's private e-mails are a fraud. (He routed all his messages to me through proxy computers in South Korea.)

    The "About Us" page at Royal-Replicas.com doesn't help much, either. It contains little more than a bizarre rationale for buying its $300 knockoffs rather than the real thing: "Many people purchase watches that cost thousands of dollars and render the wearer liable to get their hand chopped off while walking home from a posh cocktail party."

    Bulk e-mailers are required to honor list-removal requests under the U.S. CAN-SPAM law. But still it's common knowledge that clicking an unsubscribe link or handing over your e-mail address on a junk e-mailer's remove page is insane. The U.S. Computer Emergency Readiness Team (US-CERT) warns that unsubscribe links are "often just a method for collecting valid addresses that are then sent other spam." The FTC has sent warning letters to at least 77 marketers for their failure to honor unsubscribe requests.

    Sure, a few spammers might take your name off to avoid trouble. But to most, you're merely confirming that they've found a live one. Next thing you know, they'll have sold your e-mail address to other spammers as "validated" -- or, in other words, ready for spamming.

    At least, that's what I thought until Casper brought me onboard. My undercover mission into the heart of fake-Rolex spam didn't turn out exactly as I had expected.

    I tried flattering Casper in my e-mails, gushing that he had astutely tapped into a timely and lucrative spamming niche. (You could probably find similar watches on the streets of Chinatown for $25, but hey, some people prefer the convenience of holiday shopping from home.) But Casper doesn't let just anyone join BlackMarketMoney.com. After I sent my introductory e-mail as "Chris Smith" from a free webmail account I had created, he asked to know the name of the person who had referred m

  • by Tackhead (54550) on Wednesday December 15, 2004 @12:26PM (#11093123)
    Prosser: Have you any idea how much damage that bulldozer would suffer if I just let it run straight over you?

    Dent: No, how much?

    Prosser: None at all.

    > The article details how the spammers handle the 200,000-plus unsubscribe requests they get each month

    By a strange coincidence, "none at all" describes the actions taken on 200,000 remove requests a day by a bunch of ape-descended spammers targeting a group of fellow ape-descended lifeforms so amazingly primitive that they still thought that ch33p r0l3x watches were a good idea.

  • Don't click remove (Score:5, Insightful)

    by bigberk (547360) <bigberk@users.pc9.org> on Wednesday December 15, 2004 @12:27PM (#11093135)
    No, I know for sure that they don't help. For years I have been trying to get MORE spam. The main way I have done this has been unsubscribing from lists! In fact, I even "unsubscribe" an address that was never subscribed. Indeed, that new address is now getting plenty of spam.

    Unsubscribing from spammer's sites will get you more spam. Unsubscribing from mailing lists will work, of course, but mailing lists != spam.
    • > The main way I have done this has been unsubscribing from lists! In fact, I even "unsubscribe" an address that was never subscribed. Indeed, that new address is now getting plenty of spam.

      Neat idea. 'Unsubscribe' known spammer addresses?

      Come to think of it, also 'Unsubscribe' the network admins for the Chinese ISP that are mentioned in the article.
      • You can test it for yourself, if you have a fresh disposable email address. Unsubscribe from the following (picked out of very fresh spam) and see if in a few months you start to get spam. here [k5medical.com], here [broadcaste...gtoday.biz], here [crazy-barginz.net], here [thebestmortage.com]
  • by ErichTheWebGuy (745925) on Wednesday December 15, 2004 @12:27PM (#11093137) Homepage
    In my experience, no. There was a time when I was naive enough to think that they would, but unfortunately, experience has proven otherwise.

    In fact, I did an informal experiment of my own. I created an email address specifically for this purpose, and posted that address on a few sites. I was getting spam within 2 days (3 messages on day 2). After I got the first spam, I removed my email address from the sites. I also used the unsubscribe link on just one email. Guess what? The volume of spam jumped 400% within 24 hours (12 more messages came in).

    Most effective weapon against spam? The delete key.
  • its those bastards that are filling my mailbox up is it? I get nearly 300 Rolex spams a day alone, and like a good little boy I eat all of them, no bouncing no unsubscribing. Why isnt there a SMTP server that checks it as it comes in and refuses it there and then, telling the sending server to bugger off? That might get you taken off the list, whereas bouncing only annoys some poor sap whoes had their email address hijacked, and unsubscribing just announces that the address reaches a human.
  • See, the spammer is like any other advertiser: they want to try and sell you something.

    So they send out a few billion spams, and 20% of them unsubscribe. Instead, they ignore it... and resend the same spam.

    What, do they REALLY think if the person took the time to unsubscribe that upon seeing it a second time they'd think, "Oh WAIT, YES, *slaps forehead* I DO need a new pair of sunglasses!!! Silly me. I can't eat carpet"? Sorry, doesn't happen.

    I don't know if it's just laziness or what, but ignoring the m
    • Unfortunately, many advertisers work this way. I get an offer in the mail for a Chase Visa card at least once a week. You would think that they would figure out that if I didn't sign up the first 50 times they sent something, I would still be unlikely to do so the 51st time. They could save some postage and just stop sending it. I assume the company sending out the ads is different than the one actually offering the product and they are just paid by the number they send out, regardless of effectiveness.
  • ...there should be laws against this type of flagrant disregard for the wishes of the "spamee." Perhaps something like the United States government's do-not-call list ( https://www.donotcall.gov/ [donotcall.gov]), only a systen im which one registers his or her e-mail to not recieve spam.

    At the very least, however, the same laws which apply to telemarketers should apply to spammers. If I remember correctly, here in the States, if someone recieves a telemarketing call and requests to be removed from the telemarketers' list o

  • Hmm (Score:5, Informative)

    by SnAzBaZ (572456) on Wednesday December 15, 2004 @12:36PM (#11093246) Homepage
    "Seems that LOTS of geeks actually cross their fingers and click those remove links"

    I really don't agree. Any respectable geek shouldn't be getting spam in the first place, let alone be stupid enough to click the unsubscribe links.

    Personally I haven't had more than 30-50 spams in the last 3 years or so.

    I have my main address, which only 'real people' know, friends and family. It never gets any spam because it's totally secret.

    Then for everything else I assign a throw away address on one of my domains, the mail on these gets checked only when I'm expecting something (like a signup confirmation/verification etc).

    I also have a semi-secret address to give slightly less trustworthy people and to date that hasn't had any spam either.

    Obviously I make sure none of my addresses get posted in plain text on the internet either.

    It is simply a matter of keeping your address clean. The only way spammers can send me mail right now is if they brute force my email address, and that doesn't happen very often.

    • Re:Hmm (Score:4, Insightful)

      by justins (80659) on Wednesday December 15, 2004 @12:57PM (#11093490) Homepage Journal
      I have my main address, which only 'real people' know, friends and family. It never gets any spam because it's totally secret.


      Then for everything else I assign a throw away address on one of my domains, the mail on these gets checked only when I'm expecting something (like a signup confirmation/verification etc).

      You must not be involved in business or dealing with the public. That's nice. Here on planet "not living in our parents' basement," we need to let people know what our email address is and have that email address be there for a while.

      Any respectable geek shouldn't be getting spam in the first place, let alone be stupid enough to click the unsubscribe links.

      The second part of that might actually be true.
  • by Junior J. Junior III (192702) on Wednesday December 15, 2004 @12:36PM (#11093251) Homepage
    Unsubscribe generally does work for legitimate mass mailings, ie the ones you had to sign up for in the first place. It doesn't work for true SPAM, and indeed as others have pointed out, tends to actually make the problem worse.

    It's amazing that this is considered "news", but I guess you have to repeat experiments every so often to prove that the theories they provide support for still hold water.
  • by dmuth (14143) <doug.muth+slashdot@ g m a i l . com> on Wednesday December 15, 2004 @12:39PM (#11093276) Homepage Journal
    This has been going on since before the days of the (long since defunct) IEMMC with their bogus remove list, which was back in 1997 or so.

    Here's one article that was written about the IEMMC [familychronicle.com].

  • NOOOOOOO (Score:2, Informative)

    by SQLz (564901)
    Of course they don't. If anything,unsubsribing will triple the spam you do get.

    Besides filtering spam I started creating a seperate email alias for every website I need an email address on. When that alias starts to get spam I delete it, and I know where its coming from.

    The most surprising place I ever get spam from is sears. I think they have someone on the inside selling their customer list because I will start getting spam about 2 weeks after ordering something.
  • Salon.com forces you to read an ad before you can RTFA. They can go to hell.
  • I did and it works (Score:2, Interesting)

    by oneeyedelf1 (793839)
    Before I was getting around 30 spams a day, now about 2 to 4. One problem with unsubscribing to spam, I noticed if you do it every day you continue to get the spam. On their opt out links they say something like please allow 7 days for their servers to delete you. Guess what after 6 days and you unsubscribe again, they wait to those new 7 days are up. It really works, though not all spams have unsubscribing, and usually it takes a while to hunt and find the link. The worst is medical sites I can never find
  • Red box spam (Score:2, Interesting)

    by Tablizer (95088)
    with spam for fake Rolex watches.

    I once saw an actual brand called "Relox". By changing the spelling they could legally get away with it, at least in the short-term until Rolex sues them for confusing consumers, which takes longer in the courts than direct rip-offs.

    Anyhow, another annoying repeating spam is the one with the red box in the upper left selling penis pills. It comes in as an embedded image from different sources. The only constant is that it is always the same image. My filter can only fil
  • I mean, there's nothing more valuable to a spammer than a list of functional e-mail addresses. How best to trick people into letting a spammer know an e-mail addy is good? The unsubscribe link, LOL.

    NEVER use the 'remove me' or 'unsubscribe' link when the spam is from a company you do not trust.
  • by pla (258480)
    Do Unsubscribe Links Stop Spam?

    If by "Unsubscribe" you mean "trade one source of crap for a hundred others"...

    By "Links" you mean "deliberately mangled URLs often either hidden in the page source or only appearing in white text on a white background"...

    And by "stop spam" you mean "accomplish nothing more than waste time and speed your journey to a RSI"...

    Then yes. Absolutely. Click away, Merrill, click away!"
  • Company ID (Score:5, Interesting)

    by Tablizer (95088) on Wednesday December 15, 2004 @12:52PM (#11093444) Homepage Journal
    One thing really missing is a national or perhaps even a global unique "company ID". Law makers are so eager to tag and trace individuals, but ignore company tracking. It is time for a national company-ID number.

    Any company that wants to do business in the US would be required to have such a number and include it in any email they send across our borders, perhaps as a new email header attribute. Ideally it would be globally enforced and the US could pressure problem countries such as China to crack down on businesses that abuse email and/or the company number.

    There are too many fly-by-night companies running around.
    • Re:Company ID (Score:5, Insightful)

      by pnuema (523776) on Wednesday December 15, 2004 @02:43PM (#11094858)
      One thing really missing is a national or perhaps even a global unique "company ID". Law makers are so eager to tag and trace individuals, but ignore company tracking. It is time for a national company-ID number. Every company that pays US taxes is assigned a Tax ID. Been around forever. I used to be able to rattle off Tax IDs for about half of the Fortune 500 due to my job. What possible good would it do to identify companies by a number rather than a name? The problem is fraudulent companies, not an inability to identify them by number.
  • Not just "spammers" (Score:3, Interesting)

    by jridley (9305) on Wednesday December 15, 2004 @01:02PM (#11093543)
    Heck, legitimate businesses often either ignore or don't test their unsubscribe systems.

    I signed up for emails from History Channel a year or so ago. A couple of months ago I decided I didn't really want them any more. I clicked on every unsubscribe link they sent me, probably a total of 6 or 8 of them over 2+ months. Finally I sent them an email telling them they'd better honor it or have a lawyer familiar with CAN-SPAM.

    To their credit, I got a hand-written email back within 12 hours and I haven't gotten any more promotional emails from them. But it's pretty obvious that their unsubscribe system wasn't working when I tried to use it.
  • by Rashkae (59673) on Wednesday December 15, 2004 @01:03PM (#11093548) Homepage
    I've received several pieces of spam lately where the URL of the website being advertised (the subject varies, free porn, free downloads, etc) is invalid... In fact, the only valid domain in these e-mails was in the unsubscribe link. I can only conclude that the purpose of this e-mail is to harvest the e-mail address of people who 'unsubscribe.'
  • by macdaddy (38372) * on Wednesday December 15, 2004 @01:11PM (#11093643) Homepage Journal
    When will people get this through their heads. Spammers do not ignore unsubscribe requests!! Now that doesn't mean the unsubscribe you from the mailing lists you never subscribed to. Oh no. While they don't ignore your unsub requests they certainly use them to their advantage.

    They take the unsub requests and diff them against their mailing lists. That allows them to quickly and easily compile a list of active suckers, I mean mailboxes. They in turn sell their new list of active mailboxes to other spammers. Thus causing the sucker to get more spam.

    Spammers also take the list of unsub requests and flat out spam them, no questions ask, too. Anyone that gets themselves on that list is guaranteed to get the living hell spammed out of them because the list is in the hands of active spammers, not website scrappers trying to sell the list.

    I have about a dozen domains I set up for the sole purpose of hosting spamtraps. I took a list of proper pronouns and compiled a list of just over 525,000 spamtrap addresses per domain. I used pronouns so that the spamtraps would have a legitimate appearance (some spammers got wise to the way of random characters). So I had this enormous list of spamtraps and I had Razor and Pyzor set up to submit spam to the DB. I also hadm y good buddy Procmail set up to munge the spamtrap address and forward a copy to NANAS and the FTC. So how did I go about getting the spammers to spam me you ask? Hell that was the easiest part of all. I automated the stuffing of their unsubscribe boxes with my spamtraps addresses. I used NANAS to find current (and active) unsubribe forms. I then either used wget or curl and some shell scripting to stuff the boxes, depending on whether they were POST or GET forms. Simple. Within minutes I was getting spam. Within a few days I was getting over 30,000 pieces of spam per day. That was after stuffing perhaps a dozen unique unsub forms. I stopped stuffing them after that because the flow of spam was saturating my cable connection. I have a co-lo that doesn't charge me by bandwidth. I should fire up the spamtraps again. This time I'll add DCC.

  • my filter (Score:3, Interesting)

    by chigun (770799) on Wednesday December 15, 2004 @01:19PM (#11093752) Homepage Journal
    i've never ever gotten a personal email asking me if i want to opt out, so i set up a filter to block anything that has the word "unsuscribe" in it. worked out well.
  • by Megane (129182) on Wednesday December 15, 2004 @01:39PM (#11094017) Homepage
    Of course clicking on the remove links isn't likely to be useful.

    The best way is to run your own mail server and simply prevent the spammers from connecting. One way is to add blackhole lists to your MTA (Sendmail, or whatever). That really did cut my spam quite a bit. But recently I noticed I was still getting quite a bit of spam directly from China and Korea decided to get tough and start blocking net ranges completely. I had tried blocking SMTP from a few /8 address ranges before, but this time I didn't want to unnecessarily block Australia or Japan, so I took the time to look at the /16 level to find sub-ranges to block.

    It's already working, too. Here are the ranges I've added so far. (The second column is the number of connection attempts that were rejected.) At this point, I only plan to add new blocks as I encounter them in actual spam.

    00100 44 2164 deny ip from 63.148.99.224/27 to any
    00100 0 0 deny ip from 65.118.41.192/27 to any
    00110 36 1920 deny tcp from 211.32.0.0/11 to me 25
    00110 2 96 deny tcp from 211.144.0.0/12 to me 25
    00110 6 288 deny tcp from 211.160.0.0/11 to me 25
    00110 6 288 deny tcp from 211.192.0.0/10 to me 25
    00110 0 0 deny tcp from 222.16.0.0/12 to me 25
    00110 6 288 deny tcp from 222.32.0.0/11 to me 25
    00110 13 624 deny tcp from 222.64.0.0/10 to me 25
    00110 0 0 deny tcp from 222.128.0.0/12 to me 25
    00110 0 0 deny tcp from 222.160.0.0/11 to me 25
    00110 4 240 deny tcp from 206.81.80.0/20 to me 25
    00110 0 0 deny tcp from 216.224.0.0/13 to me 25
    00110 0 0 deny tcp from 216.240.0.0/13 to me 25
    00110 0 0 deny tcp from 61.32.0.0/13 to me 25
    00110 0 0 deny tcp from 61.40.0.0/14 to me 25

    Oh, and those first two lines? Google for Cyvelliance and you'll understand why they're there.

  • by Tumbleweed (3706) * on Wednesday December 15, 2004 @01:43PM (#11094082)
    Two years ago, it had gotten to the point that I was getting over 200 pieces of spam a day, and not the yummy kind that comes in a tin. Before initiating an email address change, I decided to try an experiment: see if clicking those unsubscribe links actually did anything. So, for one week, I followed the unsubscribe instructions on every piece of spam I got. The result: a 2/3 reduction in spam. That's pretty significant, but hardly worth the effort in my case, as I was still getting dozens of piece of spam a day, and unless you keep up with the unsubscribing, it just goes back up to the previous level within a few weeks, anyway.

    So, yeah, you CAN reduce the amount of spam, but it becomes a regular maintenance task every day, and really isn't worth it in the end.

    My advice: get your own domain and handle your own email accounts. Create special ones that simply forward to your main email address, to use on sites that require an email address for full functionality, and when you start getting spam, you know where it came from, and can shut that particular email forwarder down. It's a bit of a pain, but a LOT LESS pain than trying to unsubscribe from spam.

    Obviously, anti spam tools like bayesian filters and what-not are always a good idea, but can let spam get through, and can block some wanted emails.

    YMMV (but probably won't).
  • by 5n3ak3rp1mp (305814) on Wednesday December 15, 2004 @03:06PM (#11095206) Homepage
    1) Use a long email address that is difficult to brute-force
    2) Only give it to real people
    3) Use a mailinator address for online registrations and whatnot where you have to read a reply.
    4) For those sites that force you to reply from a real email address to complete registration, use a spam webmail address.

    This has stopped almost all spam from bugging me.

    Anecdote: My first email address ever was from Cornell in 1990. Cornell has a policy that lets you keep your email address for life by setting up an auto-forward after you graduate. The irony is that Cornell, back in the days before spam, unfortunately picked an address format (initials+number@cornell.edu) that turned out to be easy to brute-force, and that I've since had to turn the auto-forward feature off due to too much spam, defeating the purpose of the "lifetime email address". oh well...
  • by zrk (64468) <spam-from-slashdot@@@ackthud...net> on Wednesday December 15, 2004 @04:03PM (#11095979) Homepage
    I have an account at my university that I used when Usenet was the thing, aka 15 YEARS AGO. I never played with it outside of there, and I used to have a few thousand emails waiting for me every few months. Only recently did I forward everything to /dev/null.

    More recently, I returned to a consulting job I had left 6 years prior, around the start of the WWW days, when Usenet was pretty much the big thing. I re-opened my closed account, and received 50 spams within 30 minutes. Eesh.

    My addresses were obviously harvested from Usenet archives (or maybe groups.google.com, but I digress). I pity the people who buy these 'guaranteed' lists of email addresses, expecting all addresses to work.

"A great many people think they are thinking when they are merely rearranging their prejudices." -- William James

Working...