PFIR - People For Internet Responsibility
PFIR Statement on Spam

March 11, 2000


Greetings. One of the increasingly disruptive and costly forces on the Internet today is what has become known as "spam"--more officially called "UBE"--unsolicited bulk e-mail, or "UCE"--unsolicited commercial e-mail. Spam threatens to drown electronic mail users, and the Information Service Providers (ISPs) who host e-mail and other crucial networking capabilities, in a sea of unwanted electronic garbage.

The use of the word spam in this context, by the way, was probably coined from a segment of the classic "Monty Python's Flying Circus" TV series, where a group of boisterous Vikings repeatedly interrupt other characters by singing the praises of a famous canned luncheon meat. The term was originally applied to annoying messages on the Usenet netnews network and then made its way into the lexicon of the e-mail world.

There's nothing at all funny about e-mail spam. It's difficult to overstate the waste of money, time, and good will triggered by the uncaring organizations and individuals who generate this trash. While spam can focus on any product or service, it tends to skew towards promoting Internet porn sites, multi-level marketing scams, fake illegal cable TV descrambler plans, and one of the biggest categories of all, software and mailing lists for... sending out even more spam! Some spam is disguised to look as if the recipient has "accidentally" received someone else's e-mail--which just happens to contain a useless stock pick, "secret" Web address to visit, or news about some "wonderful" product that just can't be missed.

Spammers compile the e-mail addresses for their massive mailings from many varied sources. It is unfortunately almost impossible for the average e-mail recipient to accurately determine the origin of much of the spam that they receive. Spam messages often have forged sender addresses and falsified message headers, and are frequently relayed in vast quantities through naive or careless third-party sites, exploiting openings in the mail server software systems that were originally designed for a much more benign and cooperative networking environment.

The spammers frequently attempt to justify their abusive practices on First Amendment grounds, or by pointing to physical bulk mail advertising delivered by the postal service as a comparable situation. But it's the sender who pays the cost of delivering conventional mail (via postage fees), while it's the recipients and the service providers who foot the bill for spam, and these enormous costs in money and time end up being borne by all e-mail users.

Most reputable firms have quickly learned that sending out unsolicited commercial e-mail will result in many angry recipients who typically will have no reservations about making their displeasure known. There have been predictions from some quarters that e-mail marketing will be "bigger than banner ads" and that recipients will get used to it. There are certainly many who would dispute this view! Even firms that send e-mail solicitations to their "established" customers or visitors (perhaps after registration at a Web site) must tread with caution. If recipients feel that they never really opted in for such mailings, or that they have no simple way to control them, they are likely to consider such messages to be simple spam, to be complained about and possibly reported to their ISPs just like all the rest.

Most ISPs will immediately cancel the accounts of users found to be sending spam, and sometimes charge penalty fees as well. Being involved in the generation or transmission of spam can also cause problems for entire sites, even for "accidentally" open mail relay sites that were not knowingly relaying spam messages. Sites found to be in the transmission path of spam may find themselves added to publicly accessible e-mail blocking lists. These lists are widely referenced to block all e-mail sent by or through offending sites.

It's certainly in the interest of all sites, however large or small they might be, to take proactive steps to assure that their mail systems are closed to unauthorized mail relaying, and for businesses and individuals alike to think long and hard before embarking on a spamming campaign.

Continuing technical and legislative actions will be needed to bring spam into some semblance of control. The latter course is controversial--there are concerns that poorly drafted legislation might cause new problems, or possibly affect categories of Internet speech that aren't truly spam--but spamming is intolerable in the long run. Both state and federal efforts have progressed to various levels, with some related laws already on the books.

A number of common spamming actions, such as the hijacking of third-party mail relay servers for spam transmissions, could potentially be prosecuted under other computer crime laws. However, as in the case of dealing with computer hacking (please see the PFIR Statement on Hacking), it's important that the punishment fit the crime, and that a naive individual spammer sucked in by a commercial spamming software pitch not be treated the same as the big money pros who actually drive the spamming machine.

Given the interstate and international nature of the Internet, none of these efforts at control will be easy, but until spamming is clearly illegal, even starting down the path to reasonable solutions is extremely difficult. We know for sure that self-regulation will never work in this case!

In the meantime, there are some things that individuals can do to try to deal with spam. Some software packages will attempt to detect and delete spam as it arrives in mailboxes, but you still have to download it all, and by then much of the wasteful damage has already been done to servers and ISPs. You may wish to contact your service provider and provide them with full headers from the spam messages. ISPs should have resources to help track down spammers' origins or can provide you with more detailed information.

Be warned though! Many spam messages ask that you send a reply to a specific e-mail address to be "removed" from their mailing lists. In general, you should never make such replies--they're often used only to verify valid e-mail addresses for future spam mailings! And perhaps most importantly, never, ever buy from a spammer. Responding positively to any spam, no matter how enticing it may make its pitch, only serves to help perpetuate the spamming specter.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy