Do Unsubscribe Links Stop Spam? 521
Kaiten writes "Brian McWilliams of Spam Kings fame has just published a fascinating spammer exposé over at Salon. Using a pseudonym, he was hired to send junk email on behalf of a spam operation that has been burying people (me included) with spam for fake Rolex watches. The article details how the spammers handle the 200,000-plus unsubscribe requests they get each month. Seems that LOTS of geeks actually cross their fingers and click those remove links. And, surprise, surprise, the spammers usually ignore the unsubscribe requests."
Don't do it! (Score:5, Informative)
MIT Spam Conference (Score:5, Informative)
John.
It's not only spammers.. (Score:4, Informative)
Re:Don't do it! (Score:5, Informative)
So you dont have to watch the Ad.... (Score:5, Informative)
That's how I introduced myself last month, when I sent Casper an e-mail asking to join his spamming crew. I fibbed to him that I was a full-time bulk e-mailer looking for a new sponsor. I said that one of my business associates had recommended his program. (For authenticity, I lightly sprinkled typos and grammatical errors throughout the message.)
I wanted to be one of Casper's sales affiliates. In today's world of spam, a sales affiliate sends out junk mail on behalf of a spam-site operator or "sponsor," who assigns the affiliate a special tracking code to include in his e-mail ads. For every sale the affiliate's spams generate, he is paid a commission by the site operator. Sponsors also provide "remove" lists, spamming software, and other support to help their affiliates successfully market the site.
Since September, Casper and his associates had been clogging my various e-mail accounts with ads for a watch shop called Royal-Replicas.com (formerly onlinereplicastore.com). I filed several complaints with the Chinese Internet service provider hosting the site, to no avail.
I suppose I could have just clicked the "unsubscribe" links in the dozen or so spams they sent me every day. But I didn't trust these people one bit. I was sure that if I could get inside Casper's operation, I would find hard evidence confirming what savvy Internet users instinctively know: Trying to unsubscribe from spam is a fool's game.
Just look at the place. Royal-Replicas.com provides no physical mailing address in its junk e-mails or at the site. The domain's registration record lists someone in Spain as the owner. The site is hosted on a server in China, but the order page cites prices in Indian rupees as well as U.S. dollars. The headers of the spams reveal that many have been sent via "zombied" home computers. Even the headers of Casper's private e-mails are a fraud. (He routed all his messages to me through proxy computers in South Korea.)
The "About Us" page at Royal-Replicas.com doesn't help much, either. It contains little more than a bizarre rationale for buying its $300 knockoffs rather than the real thing: "Many people purchase watches that cost thousands of dollars and render the wearer liable to get their hand chopped off while walking home from a posh cocktail party."
Bulk e-mailers are required to honor list-removal requests under the U.S. CAN-SPAM law. But still it's common knowledge that clicking an unsubscribe link or handing over your e-mail address on a junk e-mailer's remove page is insane. The U.S. Computer Emergency Readiness Team (US-CERT) warns that unsubscribe links are "often just a method for collecting valid addresses that are then sent other spam." The FTC has sent warning letters to at least 77 marketers for their failure to honor unsubscribe requests.
Sure, a few spammers might take your name off to avoid trouble. But to most, you're merely confirming that they've found a live one. Next thing you know, they'll have sold your e-mail address to other spammers as "validated" -- or, in other words, ready for spamming.
At least, that's what I thought until Casper brought me onboard. My undercover mission into the heart of fake-Rolex spam didn't turn out exactly as I had expected.
I tried flattering Casper in my e-mails, gushing that he had astutely tapped into a timely and lucrative spamming niche. (You could probably find similar watches on the streets of Chinatown for $25, but hey, some people prefer the convenience of holiday shopping from home.) But Casper doesn't let just anyone join BlackMarketMoney.com. After I sent my introductory e-mail as "Chris Smith" from a free webmail account I had created, he asked to know the name of the person who had referred m
Re:Don't do it! (Score:5, Informative)
Hmm (Score:5, Informative)
I really don't agree. Any respectable geek shouldn't be getting spam in the first place, let alone be stupid enough to click the unsubscribe links.
Personally I haven't had more than 30-50 spams in the last 3 years or so.
I have my main address, which only 'real people' know, friends and family. It never gets any spam because it's totally secret.
Then for everything else I assign a throw away address on one of my domains, the mail on these gets checked only when I'm expecting something (like a signup confirmation/verification etc).
I also have a semi-secret address to give slightly less trustworthy people and to date that hasn't had any spam either.
Obviously I make sure none of my addresses get posted in plain text on the internet either.
It is simply a matter of keeping your address clean. The only way spammers can send me mail right now is if they brute force my email address, and that doesn't happen very often.
Legitimate mass mailings vs. spam (Score:4, Informative)
It's amazing that this is considered "news", but I guess you have to repeat experiments every so often to prove that the theories they provide support for still hold water.
When will people learn? (Score:3, Informative)
Here's one article that was written about the IEMMC [familychronicle.com].
NOOOOOOO (Score:2, Informative)
Besides filtering spam I started creating a seperate email alias for every website I need an email address on. When that alias starts to get spam I delete it, and I know where its coming from.
The most surprising place I ever get spam from is sears. I think they have someone on the inside selling their customer list because I will start getting spam about 2 weeks after ordering something.
I worked for a bulk emailer (Score:1, Informative)
Still, I was never proud to tell people where I worked because people think of bulk email as spam unless they're educated about the difference. In my interviews since I left the firm, I've always had to be very careful to describe the white hat nature of what I used to do.
Re:That's easy... (Score:5, Informative)
I forgot about it for a while, and it wasn't until 2 months later I noticed an EXTREME drop in the number of spam emails. My last entire week of spam totals 51 emails. Curiously, not one of them contains an unsubscribe link. It's not down to "stopping spam" but it's a couple of orders of magnitude less. I never kept detailed stats on exactly when the drop off occurred, so I can't for sure say the unsubscribe links stopped it, but they certainly didn't add to it.
This story has inspired me to test entering a brand new unguessable email address into unsubscribe forms online, to see what happens coming from the other direction. That's going to take effort to dig up email archives though. I just don't have any spam available WITH unsubscribe links any more.
Re:That's easy... (Score:5, Informative)
Re:Don't do it! (Score:4, Informative)
Yes, but a live address that isn't likely to respond well to spam. I find it remarkable that so many people love to try to look smart by repeating that old abiout unsubscribe just getting you more spam lists, while obviously noone has actually checked if it is the case.
Well, I have. At one point my spam bucket just became too big to check in any case (~200/day), so I thought "what the heck; let's see what happens".
I unsubscribed everything that worked for two days straight. Spam went down 50% over the next few days. Then started to slowly rise again, and after a couple of months was back on the curve that previous history would have predicted.
Interestingly, it seemed least effective for viagra and penis enlargement spam (which was also the class that often didn't even have a link), and almost 200% effective against porn spam (for the next two months, only one easily recognisable source kept bugging me).
So the idea that you will necessarily only increase your spam load by using the links does seem to be just a myth, and even the percetion that no spammers heed them.
Now, that doesn't mean I'm claiming the famous opt-out exploitation has never happened, that the majority of spammers will effect your unsubscribtion, that the effort is worth it, that unsubscribing is any sort of good alternative to a proper filter, or that spammers don't deserve to die in screaming agony in any case. Just reminding people that hearsay is hearsay, even if it sounds like the "expert" opinion.
Re:Hmm (Score:2, Informative)
Re:Don't do it! (Score:2, Informative)
Re:Don't do it! (Score:2, Informative)
Re:Don't do it! (Score:5, Informative)
If you install Service Pack 2, Outlook Express does too.
Re:Forced to read an ad to RTFA? No way! (Score:4, Informative)
make it the first page before you visit the main salon.com site and it will bypass them forcing you to watch an ad.
I use it religiously.
-Meow.
A better way to stop spam (Score:4, Informative)
The best way is to run your own mail server and simply prevent the spammers from connecting. One way is to add blackhole lists to your MTA (Sendmail, or whatever). That really did cut my spam quite a bit. But recently I noticed I was still getting quite a bit of spam directly from China and Korea decided to get tough and start blocking net ranges completely. I had tried blocking SMTP from a few /8 address ranges before, but this time I didn't want to unnecessarily block Australia or Japan, so I took the time to look at the /16 level to find sub-ranges to block.
It's already working, too. Here are the ranges I've added so far. (The second column is the number of connection attempts that were rejected.) At this point, I only plan to add new blocks as I encounter them in actual spam.
Oh, and those first two lines? Google for Cyvelliance and you'll understand why they're there.
Re:Don't do it! (Score:2, Informative)
Re:That's easy... (Score:3, Informative)
You just have to click through about five pages of ads.. but there's no animation or sound or anything, so you can click NEXT as soon as the page loads.
Re:alternatively (Score:3, Informative)
That way, I can easily filter out all business related emails (*@biz.) to one mailbox, and in case one of those starts spamming, I will send every future email to that recipient address to bogofilter without even looking at it any more...
(If you're not allowed sub-domains, it's not too much of a problem either; in that case instead of companyname.com@biz... use something like companyname.com-biz@...
That still allows you to procmail
Benedikt
Oh come on, We are geeks. This is simple: (Score:4, Informative)
2) Only give it to real people
3) Use a mailinator address for online registrations and whatnot where you have to read a reply.
4) For those sites that force you to reply from a real email address to complete registration, use a spam webmail address.
This has stopped almost all spam from bugging me.
Anecdote: My first email address ever was from Cornell in 1990. Cornell has a policy that lets you keep your email address for life by setting up an auto-forward after you graduate. The irony is that Cornell, back in the days before spam, unfortunately picked an address format (initials+number@cornell.edu) that turned out to be easy to brute-force, and that I've since had to turn the auto-forward feature off due to too much spam, defeating the purpose of the "lifetime email address". oh well...
opt-out options are often here for the appearance (Score:1, Informative)
Here and there I've encountered similar issues with various websites that are in no way related to spam. They would just keep sending you their mailing list / special offers even though you clearly asked them not to bug you anymore.
Based on that experience, opt-out options seem to me to be here for nothing but the kick in a whole lot of cases. Hopefully I learned how to make a good use of hotmail adresses and mailinator.
More Spam (Score:1, Informative)
Re:Oh come on, We are geeks. This is simple: (Score:3, Informative)
You tell Amazon that your address is kencurry@mailinator.com (no need to register at mailinator.com, just do it)
Amazon sends you email, like a confirmation email.
You head on down to www.mailinator.com, enter "kencurry" as the email name to check, and voila! there's your email. Check it and forget it. Inbox stays clean. Mailinator holds emails for a few days but eventually deletes them.
Unsubscribe confirms your email-id (Score:2, Informative)
Also the URLs for images in HTML emails are tailored to confirm that you have actually opened the email and your email-id is valid.
--
Anand Babu