
Do Unsubscribe Links Stop Spam?

Kaiten writes "Brian McWilliams of Spam Kings fame has just published a fascinating spammer exposé over at Salon. Using a pseudonym, he was hired to send junk email on behalf of a spam operation that has been burying people (me included) with spam for fake Rolex watches. The article details how the spammers handle the 200,000-plus unsubscribe requests they get each month. Seems that LOTS of geeks actually cross their fingers and click those remove links. And, surprise, surprise, the spammers usually ignore the unsubscribe requests."
This discussion has been archived. No new comments can be posted.

  • by lordbry ( 46768 ) on Wednesday December 15, 2004 @12:23PM (#11093072)
    Usually I go through periodically and unsubscribe the ones I can. The volume then goes down for a couple weeks, so it is worth it.

    Often, however, the unsubscribe links don't even display a page, much less get me unsubscribed. Porn spam is actually one that I have noticed DOES work more often. I started getting porn spam at work, and being one of the network admins, told the other guys that I would be going to porn spam site to unsubscribe, and they actually worked. That was 1 1/2 months ago, no more porn spam.
  • Anti-Spam Laws? (Score:2, Interesting)

    by FortKnox ( 169099 ) on Wednesday December 15, 2004 @12:23PM (#11093084) Homepage Journal
    Doesn't that violate some states' anti-spam laws? I thought one of the points is to make a way for people to remove themselves from the list in a way such as this...
  • by Lonesome Squash ( 676652 ) on Wednesday December 15, 2004 @12:26PM (#11093111)
    According to tFA, was that some spammer "affiliates" actually seemed to honor the remove requests.
  • by Anonymous Coward on Wednesday December 15, 2004 @12:26PM (#11093124)
    I didn't... then I tried it.

    I went from 100-150 spam emails a day, to perhaps 5.

    (identity hidden cos there's always assholes who'll be contrary turds and try adding me to spam lists just for saying that)
  • by ErichTheWebGuy ( 745925 ) on Wednesday December 15, 2004 @12:27PM (#11093137) Homepage
    In my experience, no. There was a time when I was naive enough to think that they would, but unfortunately, experience has proven otherwise.

    In fact, I did an informal experiment of my own. I created an email address specifically for this purpose, and posted that address on a few sites. I was getting spam within 2 days (3 messages on day 2). After I got the first spam, I removed my email address from the sites. I also used the unsubscribe link on just one email. Guess what? The volume of spam jumped 400% within 24 hours (12 more messages came in).

    Most effective weapon against spam? The delete key.
  • Evolution++ (Score:4, Interesting)

    by Doc Ruby ( 173196 ) on Wednesday December 15, 2004 @12:38PM (#11093264) Homepage Journal
    Evolution lets you skip loading external/embedded images, by default, if that option is selected. I'd like to have an extra filter in there: white/blacklists (in my contact list) for message senders and image SRC URL patterns - all default to "NO". That way, senders/servers I trust - they already have my email/IP#/existence confirmed from other messages - send messages that aren't broken. The rest can go to hell. A good filter would find messages that point at untrusted servers, and add their senders to the blacklist. That kind of Evolution plugin, with spamfilter against the blacklist, would go a long way towards suffocating the spammers drowning us in privacy invasions. And also make Evolution a much more attractive draw than, say, Outlook, for people who use their computer to communicate with other people, not with machines or reptilian spammers.
  • by beh ( 4759 ) * on Wednesday December 15, 2004 @12:40PM (#11093287)

    I'm actually (at the cost of some traffic) using this to help me fight spam...

    It's not just that spammers are ignoring these requests, they will actually just merge their lists with the responses (on the off chance that you might try to also unsubscribe some of your other email addresses / or a friend's email address).

    In fact, if you enter just a random address in there, you can be pretty sure that this address will get spammed in the future, too.

    If you use Bayesian filter software, like bogofilter or spamprobe, you can turn this into an advantage. I've actually "unregistered" some previously non-existent email address on my internet domain that I'm not going to use anywhere else. Now I know that any email coming in for that address is definitely spam - and can hence use it to automatically improve bogofilter/spamprobe by passing that email from procmail into them with the spam "learn" flags set.
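
The spamtrap idea from the comment above, as an added example in Python that is not part of the original post: anything addressed to a trap address is learned as spam automatically, which is the job the comment gives to procmail plus bogofilter/spamprobe. The trap address, the `TinyBayes` class and the `deliver` helper are hypothetical names made up for this sketch.

```python
import math
import re
from collections import Counter
from email import message_from_string, policy
from email.utils import getaddresses

# Hypothetical trap address: it was only ever typed into unsubscribe forms,
# so nothing legitimate can be addressed to it.
TRAP_ADDRESSES = {"trap-7f3a@example.org"}
TOKEN_RE = re.compile(r"[a-z0-9$'-]{3,}")


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def recipients(msg):
    """Every address the message claims to be for, lower-cased."""
    fields = []
    for name in ("To", "Cc", "Delivered-To", "X-Original-To"):
        fields.extend(str(v) for v in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def tokens(msg):
    """Distinct word tokens from the subject and the first text body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["Subject"] or "") + " " + (body.get_content() if body else "")
    return set(TOKEN_RE.findall(text.lower()))


class TinyBayes:
    """Minimal naive Bayes over token presence, with add-one smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def learn(self, msg, label):
        self.docs[label] += 1
        self.counts[label].update(tokens(msg))

    def spam_probability(self, msg):
        log_odds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        for tok in tokens(msg):
            p_spam = (self.counts["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(-50.0, min(50.0, log_odds))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))


def deliver(raw, model, threshold=0.9):
    """Return 'trap', 'spam' or 'inbox' for one raw RFC 5322 message."""
    msg = parse(raw)
    if recipients(msg) & TRAP_ADDRESSES:
        # Trap hit: no human judgement needed, train on it as spam.
        model.learn(msg, "spam")
        return "trap"
    return "spam" if model.spam_probability(msg) > threshold else "inbox"
```

Ham still has to come from mail the user has confirmed as wanted; the trap only supplies the spam side of the training data.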
  • by TFGeditor ( 737839 ) on Wednesday December 15, 2004 @12:44PM (#11093339) Homepage
    Salon.com forces you to read an ad before you can RTFA. They can go to hell.
  • I did and it works (Score:2, Interesting)

    by oneeyedelf1 ( 793839 ) on Wednesday December 15, 2004 @12:44PM (#11093344)
    Before I was getting around 30 spams a day, now about 2 to 4. One problem with unsubscribing to spam, I noticed if you do it every day you continue to get the spam. On their opt out links they say something like please allow 7 days for their servers to delete you. Guess what after 6 days and you unsubscribe again, they wait till those new 7 days are up. It really works, though not all spams have unsubscribing, and usually it takes a while to hunt and find the link. The worst is medical sites I can never find them, http://lcv.pharmnnfh.com/ [pharmnnfh.com] help me find the link. What really needs to happen is the people who work in the spam division at gmail, hotmail, and yahoo need to get their acts together and put together pages where you can mass unsubscribe to these things.
  • Red box spam (Score:2, Interesting)

    by Tablizer ( 95088 ) on Wednesday December 15, 2004 @12:45PM (#11093353) Journal
    with spam for fake Rolex watches.

    I once saw an actual brand called "Relox". By changing the spelling they could legally get away with it, at least in the short-term until Rolex sues them for confusing consumers, which takes longer in the courts than direct rip-offs.

    Anyhow, another annoying repeating spam is the one with the red box in the upper left selling penis pills. It comes in as an embedded image from different sources. The only constant is that it is always the same image. My filter can only filter by whole words rather than parts of the (ASCII encoded) image.

    I was in the process of building my own email filtering system with all kinds of "indicators" such as marks saying the email had HTML or image references and suspicious key words, but I didn't trust my own message parsing algorithm as far as isolating and altering messages and attachments as units. I am thus looking for libraries that do the basic parsing for me. I can then add the logic to screen and rank the content. I've been dabbling a bit in TCL of late, so TCL libraries may be the way to go.
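
An added example, not part of the posts above: the "indicators" pass this comment describes and the default-deny list of image hosts from the earlier Evolution comment, built on Python's standard `email` and `html.parser` modules so the MIME parsing is done by a library. It also hashes the decoded bytes of embedded images, which catches the same picture regardless of how its base64 is wrapped. The host names, keyword list, `RED_BOX` bytes and function names are constructed for illustration.

```python
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed values: everything not listed here is treated as untrusted.
TRUSTED_IMAGE_HOSTS = {"static.example.org"}
KEYWORDS = {"rolex", "replica", "pills"}
KNOWN_SPAM_IMAGES = set()  # SHA-256 digests of images already seen in spam
RED_BOX = b"GIF89a constructed stand-in for the repeated image"


class _Refs(HTMLParser):
    """Collect <img src> and <a href> values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.img, self.href = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.img.append(attrs["src"])
        if tag == "a" and attrs.get("href"):
            self.href.append(attrs["href"])


def remember_image(data):
    """Record the digest of an image taken from a confirmed spam message."""
    KNOWN_SPAM_IMAGES.add(hashlib.sha256(data).hexdigest())


def indicators(raw):
    """Walk every MIME part of a raw message and report what was found."""
    msg = message_from_string(raw, policy=policy.default)
    out = {"html": False, "untrusted_image_hosts": set(), "keywords": set(),
           "unsubscribe_hosts": set(), "known_image": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_maintype() == "image":
            # Hash the decoded bytes, not the base64 text in the message.
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            out["known_image"] |= digest in KNOWN_SPAM_IMAGES
        elif ctype in ("text/plain", "text/html"):
            text = part.get_content()
            out["keywords"] |= {w for w in KEYWORDS if w in text.lower()}
            if ctype == "text/html":
                out["html"] = True
                refs = _Refs()
                refs.feed(text)
                for src in refs.img:
                    host = urlsplit(src).hostname  # None for cid: images
                    if host and host not in TRUSTED_IMAGE_HOSTS:
                        out["untrusted_image_hosts"].add(host)
                for href in refs.href:
                    host = urlsplit(href).hostname
                    if host and ("unsub" in href.lower() or "remove" in href.lower()):
                        out["unsubscribe_hosts"].add(host)
    return out


def may_load_images(found):
    """Default deny: fetch remote images only if every host is trusted."""
    return not found["untrusted_image_hosts"]


def sample_spam():
    """Constructed message: text + HTML alternative + attached image."""
    m = EmailMessage()
    m["From"] = "deals@mailer.example"
    m["To"] = "me@example.org"
    m["Subject"] = "Watches"
    m.set_content("Replica Rolex watches")
    m.add_alternative(
        '<p>Replica Rolex</p><img src="http://track.example.net/o.gif?u=42">'
        '<img src="http://static.example.org/logo.png">'
        '<a href="http://mailer.example/unsubscribe?e=me">remove</a>',
        subtype="html")
    m.add_attachment(RED_BOX, maintype="image", subtype="gif", filename="box.gif")
    return m.as_string()
```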
  • Company ID (Score:5, Interesting)

    by Tablizer ( 95088 ) on Wednesday December 15, 2004 @12:52PM (#11093444) Journal
    One thing really missing is a national or perhaps even a global unique "company ID". Law makers are so eager to tag and trace individuals, but ignore company tracking. It is time for a national company-ID number.

    Any company that wants to do business in the US would be required to have such a number and include it in any email they send across our borders, perhaps as a new email header attribute. Ideally it would be globally enforced and the US could pressure problem countries such as China to crack down on businesses that abuse email and/or the company number.

    There are too many fly-by-night companies running around.
  • by Bruzer ( 191590 ) on Wednesday December 15, 2004 @12:56PM (#11093481) Homepage
    What a great article. I think more of us nerds should infiltrate the spammers and see if there is any way to shut them down. I realize that is a lot more work, but how much work do you spend filtering, or deleting spam each day?

    On a related topic, I used to get 25-30 emails per day to the email address that is on my whois registration. Recently I had to renew my domain name and I noticed that my registrar offered an email address encryption. By selecting this option my spam emails went from 25 per day to 2 or 3 per day! I was astounded at the scum who are using the whois information to spam people.

    So if you own a domain name, check to see if your registrar is offering a similar service.

    - Bruzer
  • by eMartin ( 210973 ) on Wednesday December 15, 2004 @12:57PM (#11093492)
    Much of spam that I get doesn't contain ANY usable information or links at all. And sometimes there are links, but they aren't even valid URLs.

    What the hell is the point of spamming people with ads when they won't be able to get back to you to buy your product?
  • by WIAKywbfatw ( 307557 ) on Wednesday December 15, 2004 @12:59PM (#11093506) Journal
    Sorry for the latin, but I've always wanted to use that bit seriously just once...

    Just because your spam dropped at that point that doesn't mean it was due to your unsubscribing session. There are many reasons why your spam levels fell. Perhaps your ISP/mail provider installed better spam filtering, perhaps the spammers responsible for a large proportion of your junk mail were shut down one way or another, etc.

    There are many possible causes for the effect, so don't assume that you using the unsubscribe links was the catalyst for the change. That could have been it, but that's not necessarily it.
  • Not just "spammers" (Score:3, Interesting)

    by jridley ( 9305 ) on Wednesday December 15, 2004 @01:02PM (#11093543)
    Heck, legitimate businesses often either ignore or don't test their unsubscribe systems.

    I signed up for emails from History Channel a year or so ago. A couple of months ago I decided I didn't really want them any more. I clicked on every unsubscribe link they sent me, probably a total of 6 or 8 of them over 2+ months. Finally I sent them an email telling them they'd better honor it or have a lawyer familiar with CAN-SPAM.

    To their credit, I got a hand-written email back within 12 hours and I haven't gotten any more promotional emails from them. But it's pretty obvious that their unsubscribe system wasn't working when I tried to use it.
  • by Rashkae ( 59673 ) on Wednesday December 15, 2004 @01:03PM (#11093548) Homepage
    I've received several pieces of spam lately where the URL of the website being advertised (the subject varies, free porn, free downloads, etc) is invalid... In fact, the only valid domain in these e-mails was in the unsubscribe link. I can only conclude that the purpose of this e-mail is to harvest the e-mail address of people who 'unsubscribe.'
  • I had good luck (Score:1, Interesting)

    by Anonymous Coward on Wednesday December 15, 2004 @01:04PM (#11093566)
    I had a junk hotmail address that I used as a spamtrap, but the amount of spam I was getting was really overwhelming. Figuring I had nothing to lose, I started unsubscribing from every piece of spam I got. Contrary to conventional wisdom, it really did cut the amount of spam I got in half. For a while. Then I must've hit 'one of those', because the gates of spam-hell were opened, and I ended up creating a new account. But I think there are at least some spammers who try to play it legit.
  • by macdaddy ( 38372 ) * on Wednesday December 15, 2004 @01:11PM (#11093643) Homepage Journal
    When will people get this through their heads. Spammers do not ignore unsubscribe requests!! Now that doesn't mean they unsubscribe you from the mailing lists you never subscribed to. Oh no. While they don't ignore your unsub requests they certainly use them to their advantage.

    They take the unsub requests and diff them against their mailing lists. That allows them to quickly and easily compile a list of active suckers, I mean mailboxes. They in turn sell their new list of active mailboxes to other spammers. Thus causing the sucker to get more spam.

    Spammers also take the list of unsub requests and flat out spam them, no questions asked, too. Anyone that gets themselves on that list is guaranteed to get the living hell spammed out of them because the list is in the hands of active spammers, not website scrapers trying to sell the list.

    I have about a dozen domains I set up for the sole purpose of hosting spamtraps. I took a list of proper pronouns and compiled a list of just over 525,000 spamtrap addresses per domain. I used pronouns so that the spamtraps would have a legitimate appearance (some spammers got wise to the way of random characters). So I had this enormous list of spamtraps and I had Razor and Pyzor set up to submit spam to the DB. I also had my good buddy Procmail set up to munge the spamtrap address and forward a copy to NANAS and the FTC. So how did I go about getting the spammers to spam me you ask? Hell that was the easiest part of all. I automated the stuffing of their unsubscribe boxes with my spamtraps addresses. I used NANAS to find current (and active) unsubscribe forms. I then either used wget or curl and some shell scripting to stuff the boxes, depending on whether they were POST or GET forms. Simple. Within minutes I was getting spam. Within a few days I was getting over 30,000 pieces of spam per day. That was after stuffing perhaps a dozen unique unsub forms. I stopped stuffing them after that because the flow of spam was saturating my cable connection. I have a co-lo that doesn't charge me by bandwidth. I should fire up the spamtraps again. This time I'll add DCC.

  • my filter (Score:3, Interesting)

    by chigun ( 770799 ) on Wednesday December 15, 2004 @01:19PM (#11093752) Homepage Journal
    i've never ever gotten a personal email asking me if i want to opt out, so i set up a filter to block anything that has the word "unsuscribe" in it. worked out well.
  • Re:That's easy... (Score:4, Interesting)

    by Alphi1 ( 557250 ) on Wednesday December 15, 2004 @01:23PM (#11093812)
    I'm not so sure. As an experiment early this year, March I guess, I went through my entire junk mail folder in an attempt to get as much spam as I could. What the hell, hey, I'm getting several hundred messages a day and more can't hurt, and even if it trebled it'll help train my spam filter, right? I entered my email address in all the unsubscribe links I could find. I forgot about it for a while, and it wasn't until 2 months later I noticed an EXTREME drop in the number of spam emails. My last entire week of spam totals 51 emails. Curiously, not one of them contains an unsubscribe link. It's not down to "stopping spam" but it's a couple of orders of magnitude less. I never kept detailed stats on exactly when the drop off occurred, so I can't for sure say the unsubscribe links stopped it, but they certainly didn't add to it. This story has inspired me to test entering a brand new unguessable email address into unsubscribe forms online, to see what happens coming from the other direction. That's going to take effort to dig up email archives though. I just don't have any spam available WITH unsubscribe links any more.

    I did something similar a little while ago... I've had my home e-mail address for many years (going back to when I was more naive than now, with my e-mail posted on web pages, newsgroups, and the like).

    Because of all of that, I used to get a bunch of spam e-mails (I don't remember off the top of my head, but I thought it was around 90-120 a day).


    I was very close to just closing the account and opening a new one (to get a fresh start), when I decided to try something.


    I figured I'd try clicking all the unsubscribe links I could, all the while tracking (weekly) how many spam e-mails I was getting.


    To make a good experiment, I kept statistics for a few weeks before I even started, and got my averages then.


    Then I clicked the "unsubscribe" links every time I could find one in the spams coming to me.


    I did that for about a month.


    After that month, I *DID* notice a significant drop in spams (down about 50% on average), which was a pleasant surprise.


    The bad thing, is that it was only temporary. After a few months passed, I was right back up to the original level.


    So long story short - it seemed to help in the short-term, but long-term it didn't help. On the other hand, long-term didn't exactly hurt either (I'm still not getting MORE spam e-mails on that account than before I started my experiment).

  • Re:That's easy... (Score:3, Interesting)

    by sootman ( 158191 ) on Wednesday December 15, 2004 @01:26PM (#11093848) Homepage Journal
    Testing is definitely a good idea, especially if you have complete control over the new address. If you're with an ISP that you can tell to let all mail pass, or if you run your own server, great. I've seen mail (hotmail in particular, but I have many accounts) go up and down, from 100s of spams per week to 10s and back to 100s, as the provider changes filters.
  • Re:Evolution++ (Score:2, Interesting)

    by Manwe's Herald ( 586313 ) on Wednesday December 15, 2004 @01:43PM (#11094077)
    If I remember correctly there is already an option in Evolution to automatically load images when the message is from someone in your contact list.

    Not perfect, but a step in the right direction.
  • alternatively (Score:1, Interesting)

    by Anonymous Coward on Wednesday December 15, 2004 @02:14PM (#11094469)
    To manage spam:

    Create a Yahoo (or MSN or Gmail etc) account specifically for the purpose of spam reception. Don't put the word "spam" in the name of the account. Whenever you purchase anything online, or otherwise fill out ANY online form that requires an email address, use that one.

    Create another (brand spanking new) account on one of the above providers or your ISP or wherever you want. Tell your friends to email you there, and also tell your friends never to put your email addy on a web form (like those "send this article to a friend" forms). Whenever they do anyway, bug them about it.

    If you use yahoo chat, or IRC, or what have you, be sure that none of the information you provide (such as your screen name, the account with which you log in, etc.) can be traced back to your friends-only email account.

    Also, make yet a third email account for professional contacts...job searching and so on.

    I found this works quite well, and doesn't require you to use an anti-spam tool on your own network if you don't want to.
  • I've cleaned ... (Score:1, Interesting)

    by Anonymous Coward on Wednesday December 15, 2004 @02:23PM (#11094582)
    ... a hotmail account of mine that I had stopped using because of intense spam. I never thought it would work, but I wanted to experiment with it anyways. I replied to every spam letter I could in there for maybe 10 minutes a day. It took about 2-3 weeks, but it's spic and spam free. I haven't gotten spam on the account for a year now and I'm a lot more careful about where I type my e-mail. It may seem at first that they ignore the requests, but if you're persistent enough you can have success.
  • Re:That's easy... (Score:1, Interesting)

    by Anonymous Coward on Wednesday December 15, 2004 @02:40PM (#11094823)
    I actually had a really badly screwed up hotmail account I wanted to fix. I kept unsubscribing for 2 or 3 weeks straight, kept getting new e-mail addresses for the same spam over and over, and kept either replying to them if they don't have a link or just using the unsubscribe.

    May sound pathetic that I spent 10-20 minutes a day for 3 weeks doing it, but the account today has no spam. I guess it could be coincidence. I could always spam up some other account and then try to clean it up again, but I have no desire to spend that kind of time again.
  • Re:Don't do it! (Score:4, Interesting)

    by MilenCent ( 219397 ) <johnwhNO@SPAMgmail.com> on Wednesday December 15, 2004 @02:47PM (#11094913) Homepage
    Also, neither does Gmail, which disables image display by default.

    Gmail, by the way, has a really sharp spam filter, I've gotten less than one spam message a week on my normal account for months now. It (probably) works because it can use Bayesian filtering where the inputs are the spam reports of tens of thousands of users.
  • U.S. Bank (Score:2, Interesting)

    by AmberBlackCat ( 829689 ) on Wednesday December 15, 2004 @03:08PM (#11095230)

    Check out U.S. Bank's Unsubscribe page [usbank.com]. Basically what you do is click no on everything, put a checkmark in the checkbox and click the submit button.

    The interesting thing is it asks if you're 13 years old or more. If you choose "No" then it won't let you unsubscribe. So if you're under 13 and truthful then there's no way to stop getting mail from them. And one could argue that no 13 year old has a bank account but then, why would they ask the age?

    I just thought that was interesting.

  • Re:Don't do it! (Score:2, Interesting)

    by UranusReallyHertz ( 567776 ) on Wednesday December 15, 2004 @03:22PM (#11095430)
    Large webmail providers like gmail are in a unique position to detect spam. Simply analyse all the mails coming in to all the mailboxes and if an identical or nearly identical message is being sent to thousands of inboxes it's gonna be spam.
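
The bulk-detection idea in the comment above, as an added Python example that is not part of the original post: message bodies are reduced to sets of three-word shingles, compared by Jaccard similarity, and a cluster is flagged once near-identical copies have reached enough distinct mailboxes. The `BulkDetector` class, its thresholds and the mailbox names are assumptions made for this sketch.

```python
import re


def shingles(text, k=3):
    """Set of k-word windows; digits are dropped because per-recipient
    tracking numbers are what usually differs between copies."""
    words = re.findall(r"[a-z]+", text.lower())
    if len(words) < k:
        return set()  # too short to fingerprint, never clustered
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """|a & b| / |a | b|, defined as 0 when either set is empty."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


class BulkDetector:
    """Group near-identical bodies and count the distinct mailboxes hit."""

    def __init__(self, similarity=0.6, min_mailboxes=3):
        self.similarity = similarity
        self.min_mailboxes = min_mailboxes
        self.clusters = []  # each: {"shingles": set, "mailboxes": set}

    def observe(self, mailbox, body):
        """Record one delivery; return True once its cluster looks bulk."""
        fingerprint = shingles(body)
        for cluster in self.clusters:
            if jaccard(fingerprint, cluster["shingles"]) >= self.similarity:
                # A set, so repeats to the same mailbox do not inflate it.
                cluster["mailboxes"].add(mailbox)
                return len(cluster["mailboxes"]) >= self.min_mailboxes
        self.clusters.append({"shingles": fingerprint, "mailboxes": {mailbox}})
        return False
```

Comparing against every stored cluster is fine for a demonstration; at provider scale the same Jaccard comparison is normally approximated with MinHash signatures and locality-sensitive hashing.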
  • AT&T (Score:2, Interesting)

    by wk633 ( 442820 ) on Wednesday December 15, 2004 @03:23PM (#11095443)
    I have gone through AT&T's unsubscribe process many times, to no avail. Even though they tell me they'll stop sending me 'promotional' email, they still do. I have reported it to the FTC, and am planning to take my service elsewhere.

    The FTC did reply to say that not unsubscribing someone, even if they are your customer, is in violation of CANSPAM. They were less than clear as to whether or not they'd actually do anything about it.
  • Re:Don't do it! (Score:3, Interesting)

    by _Sprocket_ ( 42527 ) on Wednesday December 15, 2004 @03:44PM (#11095748)


    Yes, but a live address that isn't likely to respond well to spam. I find it remarkable that so many people love to try to look smart by repeating that old about unsubscribe just getting you more spam lists, while obviously no one has actually checked if it is the case.


    A friend of mine worked for a spammer. The outfit wasn't as shady as these guys - they did sell legitimate products, as far as that goes. But they purchased email databases and didn't use any opt-in verification.

    My friend was hired to manage their email. When he started working there, they ignored opt-out requests. But since they were trying to be "legitimate" one of his first tasks was set up a simple system to begin scrubbing their contacts database and removing opt-out addresses; much to the Sales' disgust. Then he started going through the database and picking up hits on inappropriate "root@" and "abuse@" type addresses. These did the company no good and were very, very unlikely to generate anything other than hassle for the company. Yet Sales fought the scrubbing of those addresses. To them, each address was worth $.15 no matter how legitimate it may or may not be.

    These guys operate with a shotgun mentality (or maybe closer to fishing-with-dynamite). They don't understand what they're playing with. Nor do they really care if any particular aspect of what they do is legitimate. All they want is big numbers in hopes that it generates a sufficiently large enough, yet much smaller number of returns.
  • Re:Don't do it! (Score:4, Interesting)

    by droleary ( 47999 ) on Wednesday December 15, 2004 @03:46PM (#11095774) Homepage

    Well, I have. At one point my spam bucket just became too big to check in any case (~200/day), so I thought "what the heck; let's see what happens".

    This is where your little experiment went wrong. You used an address that was already on all the spammers' lists. You saw a drop when they shifted from one temporary domain to another (brand new domain == brand new unsubscribe necessary, according to spammer logic), but you never left their master lists and you were never added to any new ones. I suggest trying again with a fresh address that has only just begun to receive spam.

    I unsubscribed everything that worked for two days straight. Spam went down 50% over the next few days. Then started to slowly rise again, and after a couple of months was back on the curve that previous history would have predicted.

    And that is the point (or pointlessness) of the issue with unsubscribe links. Whether or not you see a big jump after using one isn't really significant. What matters is that you never stop getting spam. Its volume is always increasing; and there is no solution worth trying unless it permanently reduces the spew.

  • Re:AT&T (Score:2, Interesting)

    by wk633 ( 442820 ) on Wednesday December 15, 2004 @04:01PM (#11095957)
    I should have clarified, I am an AT&T wireless customer (now Cingular, we'll see how that affects things).

    AT&T Wireless gives the option of not receiving offers and promotions. I was 'in the system' as don't contact me any way shape or form. But, at least prior to the merger, every month or so I'd get an email from AT&T wireless hawking new ringtones or other 'offers'.

    In any case I'm planning to switch to Verizon because AT&T's coverage in this area (Santa Barbara CA) sucks. The fact that for close to two years they have not honored a simple "don't send me offers and promotions" request doesn't help.
  • by zrk ( 64468 ) <spam-from-slashdotNO@SPAMackthud.net> on Wednesday December 15, 2004 @04:03PM (#11095979) Homepage
    I have an account at my university that I used when Usenet was the thing, aka 15 YEARS AGO. I never played with it outside of there, and I used to have a few thousand emails waiting for me every few months. Only recently did I forward everything to /dev/null.

    More recently, I returned to a consulting job I had left 6 years prior, around the start of the WWW days, when Usenet was pretty much the big thing. I re-opened my closed account, and received 50 spams within 30 minutes. Eesh.

    My addresses were obviously harvested from Usenet archives (or maybe groups.google.com, but I digress). I pity the people who buy these 'guaranteed' lists of email addresses, expecting all addresses to work.

  • by t_allardyce ( 48447 ) on Wednesday December 15, 2004 @04:03PM (#11095981) Journal
    Set up your mail to automatically look for 'opt-out' links and access them - and even fill in the form automatically - now for the bonus, if you get any mail from that place after 24 hours your program should hit the opt-out 10 times with 9 non-existent email accounts, if they still don't stop mailing you you keep doubling that 20, 40, 80 etc. If they are in fact using the opt-out form to check if your account is real/read then they will start trying to spam all the other accounts (that don't exist) too. By even having an opt-out link that takes you to a web-page they are giving you an open door to hit them with, take advantage of it and kick them in the balls.
  • Re:Don't do it! (Score:2, Interesting)

    by amuro98 ( 461673 ) on Wednesday December 15, 2004 @04:55PM (#11096632)
    Bounce it...where?

    Over 99% of all spam uses forged headers, and has for many many years. Bouncing to the reply-to or from headers will either send the spam to another non-existent mailbox, or worse still, spammers will start sticking the email addresses of people they don't like in there, so that they get a nice DDOS style email bomb (boom) I've already had idiots do this to me. Over 3 days, I got over 5000 bounces, angry messages, viruses, and lots of "remove requests" (what was that about remove requests working again?)

    Furthermore, since most spam is sent through zombie'd or otherwise misconfigured machines that act as proxies, the spammer doesn't know - and doesn't care! - which addresses bounce or why.
  • by Ozwald ( 83516 ) on Wednesday December 15, 2004 @05:44PM (#11097256)
    I'm wondering, you can kill a goldfish by giving it too much food. It just keeps eating and eating until it runs out of food or dies.

    Running Spammers out of money just isn't happening, not sure why. But what if we did the opposite? We run the "unsubscribe" link with a script that creates millions of invalid email addresses (on a non-existent domain please, not mine). Their system will automatically add it to their database. If enough people do this, what if anything will break? I'm thinking that the signal to noise ratio on their distribution CD's will give them a nightmare of a maintenance issue or make it take too long to transmit overwhelming their SMTP service, but I dunno.

    Oz
  • by Anonymous Coward on Wednesday December 15, 2004 @05:55PM (#11097368)
    When you think about the motive behind SPAM the action of unsubscribing shows that the SPAM has worked - you had to read the SPAM to find the unclick button.

    -- The Pumped Penis
