'Spamming will make you millions of dollars:' Internet ScamBusters #12
As you probably know, the Internet ScamBusters list was spammed on Thanksgiving. We sent out an apology as soon as we discovered the spam (called "Bargains")--and the positive response from our subscribers has been tremendous. We had only 10 people cancel their subscriptions, and we got hundreds of supportive emails. We want you to know how much we appreciate your support!
In fact, we got so many emails requesting information about this spam, how it happened, what to do when you get spammed, etc., that we thought we'd devote this issue to unsolicited emails. We can't possibly answer all these questions privately (since we publish this zine as a public service), but we'll answer the most common and most interesting questions in this (and future) issues.
We would like to welcome the many readers of Wired who have joined us after reading about ScamBusters in the Jan. 97 issue. (page 40)
SCAM: Sending Unsolicited Bulk Email
Will Make You Millions of Dollars.
We've already covered the basics about why you shouldn't send bulk email in past issues. Unfortunately, the number of people sending unsolicited bulk email is increasing quite dramatically (but according to many experts, the results they are achieving certainly are not improving).
One of the ways that bulk emailers are now sending out their messages is by spamming a mailing list like Internet ScamBusters. We learned that the same message ("Bargains") was spammed to at least one other mailing list the week before the ScamBusters list got spammed. This trend is most likely going to increase before it decreases. So, if you subscribe to other lists, it's likely that you'll wind up with spammed messages there as well.
How was the Internet ScamBusters email list spammed?
The ScamBusters list is a one-way only mailing list that sends out a zine once or twice per month. It also has an auto responder feature to allow past issues to be sent upon request. Since we travel a good deal, we set up our list server as a simple moderated list that would allow us to easily post an issue from anywhere. We set it up so that all email sent to the email address "firstname.lastname@example.org" with a specified return address would be sent to our entire list.
This worked without any problems for one year, even though anyone with Eudora, Netscape or almost any other email program could have put our email address in the return address field and spammed the list. And of course, this method stopped working as soon as we discovered the spam.
So, as you can see, technically, it wasn't difficult for the spammer to send the message to our mailing list. The ScamBusters list of email addresses was not stolen, nor can the spammer send this (or any other) message again.
The moral of this part of the story is: Don't make it this easy for someone to spam your list.
What are you doing so that the ScamBusters list is not spammed again?
We've implemented a number of security features that make it much harder for us to send out an issue of this zine, but provide important safeguards so that this doesn't happen again. Here are some tips:
- There are many ways to prevent this type of spamming. How you do this depends in part on what list server software you use. One of the more secure ways to prevent spams for a one-way zine email list like ScamBusters is to install the current issue in the autoresponder and then tell the list to send the issue. This way, the most damage a spammer could do is to trigger the server to send the zine again to all the subscribers. This would be annoying, but at least the spammer's message would not get out to the list.
- Use password protection and domain origin restrictions built into the server. Every server is different on how to implement these security enhancements. We've certainly done this for the ScamBusters list.
What do I do if I get spammed?
Actually, the better question is: What do I do *when* I get spammed? We don't know anyone who's been on the Net for any length of time who hasn't received frequent spams. Here are a few tips:
- Probably the most ineffective anti-spam technique is asking the spammer to stop. It virtually never works.
- Complain to the ISP of the spammer.
- If the spam includes a URL, like the "Bargains" spam, complain to the postmaster of that domain and to the ISP or company that hosts that domain. Often, the company will deny that they are even aware of the spam, which may or may not be true.For example, you might send an email message to email@example.com that says: "I received the following spammed email message, which seems to have originated at your site. Please take appropriate action so that this doesn't happen again. Thank you."
- If the spam comes from AOL or CompuServe, complain to that service. This is more effective if you are a customer of AOL or CompuServe and if you complain from your AOL or CompuServe account.
- Complain to other relevant companies. For example, a couple of our subscribers sent emails to the Internet Link Exchange--here's a good example:
Please cancel the subscription of: <http://www.yesman.com/>
They did an outrageous thing by spamming and hacking a very important, serious and useful service to the Internet community -- the ScamBusters list. We STRONGLY OBJECT to such practices as we are sure you do too. As members of your link exchange we do not wish to see such people being advertised side by side with us. We support serious business practices.
- Contact a Blacklist of Internet Advertisers (one of many lists):
- Use your email program to filter out spams so that you don't have to see them. (If you use a Mac rather than Windows, the process works basically the same way, except for some menu names and locations.
That's it for now. We'll provide more anti-spam resources in a future issue of ScamBusters.