My Short Life As An Unintentional Spammer

from the leave-me-be dept

Regular readers of Techdirt will remember that two months ago I got hit with a "spam attack" of sorts where a spammer put my personal email address as the "reply-to" in a series of porn spam emails - meaning that approximately 500 bounce messages, autoresponders, and angry replies all came directly to my inbox in approximately 36 hours. It was not a fun experience, and I wouldn't wish it on anyone - but it does appear to be happening with increasing frequency to plenty of people. Two weeks ago, a friend of mine contacted me, afraid that someone had hijacked her email when she was a victim of such an attack. All the major news articles talking about spam seem to ignore this sort of attack. I've decided that since this does appear to be a growing issue, I would simply publish the article I wrote about it here. Click "Read More" below to read the entire story about my short-life as an unintentional spammer - where I explain just what sorts of people actually do reply to spam, and what they say.

My Short Life As An Unintentional Spammer
by Mike Masnick

Ever wonder what sorts of emails end up in a spammer's email database? Want to know who actually responds to spam and what they say? Want to know the myriads of formats (and languages) a bounced email message can take? I can now tell you all of this. Without my knowledge, I recently became an accidental porn spammer.

When I got home one evening a few weeks ago, I noticed that I had more than the expected amount of email waiting for me. A quick glance through the inbox showed about fifty "bounced" emails - saying that email addresses of people I had emailed did not exist. The problem with this, of course, was that I hadn't actually emailed anyone.

It did not take long to figure out what happened. While some bounces simply told me that the recipient didn't exist, others included the original text of the email I had supposedly sent. It claimed to be from someone named "Chris" or "Ali" and was a reply to an alleged message from an online dating site. Chris and Ali apologized for taking so long to reply, and nervously suggested that the recipient find out more information about them by going to a website. Clearly, this was porn spam. Out of principal I won't visit the websites that were in the spam messages.

The problem was, I hadn't sent these messages at all. I'm not Chris or Ali. I don't use dating sites. I don't have a porn website. I don't send spam.

One of the popular "tricks" among spammers nowadays is to set the "reply-to" address as the same as the recipient's email address. That cuts out on the problems of bounce mails, and also has a psychological effect on recipients who are curious what email they've sent themselves. Most spam filters have figured out ways to still capture these spam messages (though, I'm now hearing stories of legitimate emails that people send to themselves being classified as spam). I've received plenty of these types of spam, and most are filtered away, never to be bothered with.

It seems that this particular spammer took things one step further, and made the "reply-to" address for all of his spam message set to my personal email address. If anyone looked at the headers, it was clear that I had nothing to do with the email whatsoever. However, most mail servers aren't so smart.

With any spam list, there's a certain percentage of "bad" or outdated email addresses. Generally speaking, a server that receives an email for someone they don't have an account for will "bounce" the message. Those bounces go to the person who sent the message - normally found in the "reply-to" line. Since my email address was in the reply-to line, all those bounces started coming my way, regrettably informing me that my pornographic spam emails had not found their intended recipient.

After dealing with the rapidly growing desire to reach through the internet and strangle whatever lower-than-life scum did this to my email address, I resigned myself to looking at this from an anthropological perspective. Suddenly, I was in a position to offer information on things that few others would (hopefully) ever willingly have access to.

Should anyone want it for research purposes, I now have a fairly large collection of bounce messages. It appears there is no standard format for a bounce message (which, by the way, makes them painfully difficult to filter). They have infinitely different subject lines. They say different things in the body of the message, sometimes nicely, sometimes rudely. They show up in different languages with different explanations. Some admit that the account has been closed due to too much spam. Others simply don't exist any more (if they ever did at all). Some bounces quote the original message; some don't. Some include full headers; some don't. Who knew there was such variety in how mail servers bounce their email?

Beyond the bounce messages were all sorts of auto-responders. It seems that some of the email addresses in the spammer's database were emails people used to send responses to those who "request more info". Suddenly I was receiving huge files of information that I really had no use for whatsoever. I also found out about a number of people who were on vacation that week, or who had recently switched jobs. One even had an auto-responder saying "this is closed...I am tired of the internet... all internet access for me is closing". Some of the addresses were to subscribe to various mailing lists. Many bounced back confirmation emails, asking to prove that I really wanted to subscribe, while others just subscribed me automatically (which will now force me to manually unsubscribe).

While most of the "information" was fairly useless, I suddenly had the opportunity to peek into the lives of people I had no association with whatsoever - connected only by spammer. I felt like reaching out and commiserating with those who were sick of the spam and wondered if I should congratulate those with new jobs. However, there was no time for that, I had more erroneous spam fallout to deal with.

Next, came the responses. I, like many people, often wonder what sorts of people actually respond to spam emails. For years, it has been beaten into my head that you never, under any circumstance, respond to a spam email. It just shows that you're a live human being, making your email address more valuable. I'm still shocked when I come across people who haven't heard this. However, they are out there, and they come in all different shapes and sizes. I have their emails to prove it.

There are the confused, but polite people. One woman wrote me a nice message saying that a "horrible" mistake had been made, and that she had not replied to my online dating ad. She did warn me, however, that there are "plenty of strange people out there" and that I should be careful. How nice. Another woman couldn't remember what she had said in her reply to my non-existent online dating profile and wanted to be reminded. A few others just asked who I was.

Then there are the unsubscribers, who are under the unfortunate delusion that asking spammers to take them off their list will help. They send simple messages saying simply "unsubscribe" or "unsubscribe, please", as if that will ever get to the actual spammer, or that they would actually pay any attention to it.

Lastly, are the angry, but clueless. I feel their pain, but they need to find a better outlet. I received emails telling me things I never knew (and find unlikely) about my lineage and suggesting I go places I have no interest in going, using all sorts of language you wouldn't use in polite company. I also received a threatening letter saying that I would be hearing from some company's corporate lawyer.

None of these people stopped to think that it was odd that my email address includes, pretty clearly, my name - which is neither Chris nor Ali. With the number of spam messages that go out every day, I wonder if these people reply to them all. I guess, for some people with anger management problems, this is a kind of outlet. All day, every day, respond angrily to spam messages, and maybe it will have a calming effect on your life.

What's scary is that, for the most, part, I only saw the bounced messages. They continued for approximately 36 hours, and then stopped abruptly. In the end, about 500 email messages bounced back to me, so I can only guess at how many thousands of poor, unsuspecting email boxes are currently dealing with spam sent with my email address as the reply-to. I apologize to all of you, even if I had nothing to do with it. I don't want to date you, and please, feel no compulsion to look at the web page in the email.

Most people agree that spam is evil. It's a waste of time and a general nuisance. I can argue against spam from a variety of levels. It's bad for the internet. It's bad for users. It's bad for business. It's just bad. Luckily, there's a rapidly growing industry of companies (and simply concerned individuals) creating software solutions to help stop the spam menace. While there are debates over how well any of these systems work, it is possible to at least reduce your spam intake. Personally, I use a spam filter that is pretty effective in reducing my spam load to a mostly manageable level.

However, with something like this, there simply is no effective preventative measure in place. The spammers spoof the reply-to, making it whatever they want - so it never even touches my mail server at all. My inbox gets bombarded because there's no simple way to filter out the bounced messages since they are all so different. It's difficult to track down a spammer normally - and more so when the spam isn't even sent to you. Despite the fact that my address was the reply-to, it seems the spammer never sent me the message directly. I found a bounce message that showed the full headers and tracked it back. The email came from a mail server in the Philippines, and pointed to a website hosted in China, owned by a company in London. Tracking down the actual spammer would likely be close to impossible. Assuming they could be found, suing them would be nearly impossible as well, not to mention costly.

One potential solution to this would be to require every outgoing email to have a verified identifier of some sort, so that any email can automatically be traced back to the original sender. This (as does every solution) brings up other problems. There are benefits to anonymous email, and we wouldn't want to take that away (though, perhaps you could limit the number of emails that could be sent anonymously to prevent bulkmailers from abusing the system).

In the end, though, this sort of stunt has killed off the tiniest amount of support I had for spammers. These spammers stand behind their First Amendment rights to speak their minds (which is an argument that can be shot full of holes in a second). In this case, though, the spammer made no use of any First Amendment rights. What they did was just mean and nasty and a complete waste of my time.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Chris (NOSPAM) Wiltshire, 13 Feb 2003 @ 9:55pm

    Re: My technique

    If I get email to one of those addresses, I respond with an invoice for USD$1000.00, terms and conditions attached, and a statement thanking them for establishing a business relationship with me...

    I have not yet seen a second spam from any of them. (-:

    Not seen any replies? - Do you assume you've ever managed to send your invoice to the originator??


    On another note, it puzzles me why so many people who have posted replies to this column have used what would seem to be their own, unmasked email addresses.

    Also, don't think that masking your email in humanly removable character additions will save you. - Given a list of the email addresses in this forum so far, it would take someone around 3-4 minutes to filter through the obviously bogus emails, correct the masked ones, and apply the remainder and fixed ones to a new list.

    I have a question for those people who say: "Never reply to a SPAM email"..? - Systems which respond automatically to SPAM which request an end user to perform a human recognition test (such as entering the numbers seen in a graphic etc..) ARE performing exactly this REPLY action...

    Does anyone have any decent information on the effect of this kind of system on an email account's long term SPAM hit-count? Does this auto reply system actually go to AID the long term propogation of the email address through more and more spam lists? Or does it slowly reduce the number of spam attempts made on an account?


    Another item worth some thought if we are forced to use an accessible email address to register software with / register for services it IS worth using a mail system which allows you to identify each subscription / sign up:

    My mail server allows me to suffix my username with a - then a mailbox name, this will file those emails directly into a sub folder of my mail account. I used chris-MORPHEUS@... to sign up for Morpheus. - This is the WORST affected abuse from a known product I have EVER seen! I get 60+ a day to this address alone.! Needless to say, they are deleted in bulk and never read.

    I have a mail protection system in place on my inboxes (3 main accounts..) - one which I wrote myself.. It simply requests the end user to visit a webpage, and enter their email address into my acceptance list, then re-send the email. - I've YET to ever have a spammer add and resend. (-It's too much effort, and I'm guessing that most of my auto replies never reach the originator too...)

    The net result is that I've ended up with a nice long list of all of my friends from whom I love to accept emails... - I'd be happy to sell this list for a small fee? ;) - Joking..!


    Last point: DON'T ever use fake emails to sign up to anything, you MAY hit someone else's legit email address.. - I was horrified to see someone here had used 'nospam@nospam.org' - Well guess what?... I'm PRETTY sure that could well be an active account?

    Don't ever use a fake email address with an active TLD ie: anything.com or anything.org etc if you HAVE to use a bogus email address use something@rubbish.invalid

    - Just my 2.854cents worth (I tried to keep it to just 2, but I get carried away.. - I HATE SPAM!)

    Chris.

    (If you really want to reply to me by email, see if you can track me down.. Google is a wonderful thing isn't it?...)


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown for basic formatting. (HTML is not supported.)
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.