Tuesday, September 25, 2007

Can SPAM Laws

Senate Bill 877, dubbed the Can Spam Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) was signed by President Bush and went into effect Jan 1, 2004. It was intended to go after large spammers and carry tough consequences for sending unwanted and offensive e-mails.

The law states that spammers:

  • Can't use false headers (fake email addresses or IP address)

  • Must have a Legitimate Physical Address

  • Must have a Valid Return Address

  • Must include a Valid Subject Line indicating the message is an advertisement

  • Must, if applicable, indicate that the email contains sexually oriented material

  • Must have a valid method for consumers to get off bulk lists "opt-out mechanism"

However, companies can still send you email even if you don't want it!

Basically, the law doesn't stop SPAM. It simply requires spammers to label their emails as SPAM, provide a valid return email address and allow their recipients to "opt-out" of their mailings. The problem is that most of the SPAM we receive is sent from countries other than the United States. In addition, using an "opt-out" mechanism actually helps the spammers verify that your email address is valid. So, quite often, spammers will allow you to "opt-out" of one campaign just to add your, now verified email address, to another campaign. It's a never ending cycle. This law has obvious and easily exploitable loopholes. I'm sure we can all agree that we haven't seen a decrease in SPAM since this law went into effect.

For more information, visit the FTC Website.

Saturday, September 22, 2007

Auto-Responders and Challenge/Response

I wanted to address a comment that was made to a previous post regarding spammers using auto-responders to defeat the challenge/response method of spam control.

Theoretically, it does seem that spammers could simply set up an auto response for any emails addressed to them so that they could get around systems like challenge/response. However, the reality of it is that most spammers (close to 100%) do not use addresses to which a response can be sent. Therefore, challenges are never delivered to them. They intentionally use invalid return email addresses so that they do not incur the costs associated with the huge number of bounces (emails that cannot be delivered) they often generate. Using a valid return address to process all the bounces just to look for challenge messages to which they would then respond would incur great processing expense and , in turn, defeat their economies of scale. Furthermore, it would also make spammers easier to block, track down and report.

Bottom line, trying to thwart challenge/response systems in this manner would defeat the cost-effectiveness of the bulk-mailing process. Simple economics allow challenge/response systems to provide effective SPAM prevention.

Now, if spammers do decide to use auto-responders, challenge/response systems could fairly easily modify their, currently very simple, methods to make it more difficult for spammers to use such a method. The level of difficulty could increase as much as is necessary for the sender to prove their humanity and legitimacy.

The idea is to keep the challenge/response systems as simple as possible to avoid inconveniencing legitimate senders, while at the same time difficult enough to thwart an automated response system. At the present time, most challenge/response systems offer the ability to confirm by simply replying to an email or clicking on a URL. There is no evidence to suggest that a more challenging procedure is even close to necessary at this time.

Better yet, if spammers do resort to auto-responders, we've all won a huge battle for the internet community by raising the bar and forcing them to leave breadcrumb trails leading right back to their lairs. So, as the focus on legislation continues, and spamming becomes an increasingly illegal activity, who will take these great risks for such little reward?

Finally, I would like to thank the person that asked the auto-responder question and prompted this reply. Please keep the questions coming. I look forward to any and all opinions regarding the prevention of SPAM.

Friday, September 21, 2007

SPAM Prevention Methods Explained

There are many ways to fight SPAM. The most widely used methods are Rule Based and Challenge-Response. A quick and concise overview of these two methods follows.

However, for those impatient readers, I'm guilty of this as well, the bottom line is that I am partial to the Challenge-Response method of SPAM prevention and strongly recommend the completely FREE software offered by The Spam Research Center. I have evaluated many different anti-SPAM programs, both free and paid, and I can honestly say that their software will not only stop close to 100% of SPAM, but it will also save you time and frustration.

Rule Based Systems

As the name infers, these methods use "rules" to determine what is and what is not SPAM. They generally look for specific keywords or content in the email. They may also use special algorithms or a distributed "community" approach where SPAM examples are sent in by users (the community) to central servers. The "community" can then use this ever-growing database to detect and block SPAM. However, because the "rule" databases are in a constant state of change in an attempt to keep up with or stay one step ahead of the "spammers", there is always the chance that valid emails will be mistaken as SPAM. In an attempt to avoid this situation, the emails are usually "tagged" as SPAM by adding a specific keyword to the email header, subject line or some other field. These keywords can then be included in email client (Outlook Express etc.) rules so that the questionable emails can be appropriately routed to special email folders for later inspection or deleted. Unfortunately, an additional burden is then put on the user to monitor "spam" email folders for falsely "tagged" emails. Although many of these Rule Based methods do reduce SPAM, the necessity of updating "rule" databases, the ever present possibility of valid emails being detected as SPAM and the time consuming need to review "spam" folder(s) makes these methods less than desireable.

Challenge-Response Systems

Although there is no perfect solution for eliminating SPAM, Challenge-Response methods have become increasingly popular. These methods are extremely simple and only require you to maintain a "white list" and a "black list". When an email is received from someone on your "white list", it is delivered. When an email is received from someone on your "black list", it is rejected and deleted. When an email is received from someone on neither of your lists, a simple "challenge" reply email is sent to them. When the unknown sender replies appropriately to the "challenge" message, they are added to your "white list" and their original and any future emails are delivered to your INBOX. The reason this method works so effectively is that "spammers" usually do not supply valid return email addresses and, if they do, there is usually a "robot" that sent the SPAM and it will not respond to your "challenge" message.


Both Rule Based and Challenge-Response methods have their PROS and CONS. However, taking everything into consideration, I feel that the Challenge-Response method is the best to date. With that said, I DO NOT feel that all implementations of this method are equal. Some Challenge-Repsonse software has the same shortcomings as those implementing the Rule Based method - "spam" folders to maintain and false positives.

I have evaluated many anti-SPAM solutions and can honestly say that I feel that Spam Research Center has the best challenge-response anti-SPAM software available today! This software has been thoughtfully designed and thoroughly tested to provide you with close to 100% SPAM protection without false positives. Better yet, the software is completely free!

I would be very interested to hear about any other free products that people have used with great success.