My Short Life As An Unintentional Spammer
from the leave-me-be dept
My Short Life As An Unintentional Spammer
by Mike Masnick
Ever wonder what sorts of emails end up in a spammer's email database? Want to know who actually responds to spam and what they say? Want to know the myriads of formats (and languages) a bounced email message can take? I can now tell you all of this. Without my knowledge, I recently became an accidental porn spammer.
When I got home one evening a few weeks ago, I noticed that I had more than the expected amount of email waiting for me. A quick glance through the inbox showed about fifty "bounced" emails - saying that email addresses of people I had emailed did not exist. The problem with this, of course, was that I hadn't actually emailed anyone.
It did not take long to figure out what happened. While some bounces simply told me that the recipient didn't exist, others included the original text of the email I had supposedly sent. It claimed to be from someone named "Chris" or "Ali" and was a reply to an alleged message from an online dating site. Chris and Ali apologized for taking so long to reply, and nervously suggested that the recipient find out more information about them by going to a website. Clearly, this was porn spam. Out of principal I won't visit the websites that were in the spam messages.
The problem was, I hadn't sent these messages at all. I'm not Chris or Ali. I don't use dating sites. I don't have a porn website. I don't send spam.
One of the popular "tricks" among spammers nowadays is to set the "reply-to" address as the same as the recipient's email address. That cuts out on the problems of bounce mails, and also has a psychological effect on recipients who are curious what email they've sent themselves. Most spam filters have figured out ways to still capture these spam messages (though, I'm now hearing stories of legitimate emails that people send to themselves being classified as spam). I've received plenty of these types of spam, and most are filtered away, never to be bothered with.
It seems that this particular spammer took things one step further, and made the "reply-to" address for all of his spam message set to my personal email address. If anyone looked at the headers, it was clear that I had nothing to do with the email whatsoever. However, most mail servers aren't so smart.
With any spam list, there's a certain percentage of "bad" or outdated email addresses. Generally speaking, a server that receives an email for someone they don't have an account for will "bounce" the message. Those bounces go to the person who sent the message - normally found in the "reply-to" line. Since my email address was in the reply-to line, all those bounces started coming my way, regrettably informing me that my pornographic spam emails had not found their intended recipient.
After dealing with the rapidly growing desire to reach through the internet and strangle whatever lower-than-life scum did this to my email address, I resigned myself to looking at this from an anthropological perspective. Suddenly, I was in a position to offer information on things that few others would (hopefully) ever willingly have access to.
Should anyone want it for research purposes, I now have a fairly large collection of bounce messages. It appears there is no standard format for a bounce message (which, by the way, makes them painfully difficult to filter). They have infinitely different subject lines. They say different things in the body of the message, sometimes nicely, sometimes rudely. They show up in different languages with different explanations. Some admit that the account has been closed due to too much spam. Others simply don't exist any more (if they ever did at all). Some bounces quote the original message; some don't. Some include full headers; some don't. Who knew there was such variety in how mail servers bounce their email?
Beyond the bounce messages were all sorts of auto-responders. It seems that some of the email addresses in the spammer's database were emails people used to send responses to those who "request more info". Suddenly I was receiving huge files of information that I really had no use for whatsoever. I also found out about a number of people who were on vacation that week, or who had recently switched jobs. One even had an auto-responder saying "this is closed...I am tired of the internet... all internet access for me is closing". Some of the addresses were to subscribe to various mailing lists. Many bounced back confirmation emails, asking to prove that I really wanted to subscribe, while others just subscribed me automatically (which will now force me to manually unsubscribe).
While most of the "information" was fairly useless, I suddenly had the opportunity to peek into the lives of people I had no association with whatsoever - connected only by spammer. I felt like reaching out and commiserating with those who were sick of the spam and wondered if I should congratulate those with new jobs. However, there was no time for that, I had more erroneous spam fallout to deal with.
Next, came the responses. I, like many people, often wonder what sorts of people actually respond to spam emails. For years, it has been beaten into my head that you never, under any circumstance, respond to a spam email. It just shows that you're a live human being, making your email address more valuable. I'm still shocked when I come across people who haven't heard this. However, they are out there, and they come in all different shapes and sizes. I have their emails to prove it.
There are the confused, but polite people. One woman wrote me a nice message saying that a "horrible" mistake had been made, and that she had not replied to my online dating ad. She did warn me, however, that there are "plenty of strange people out there" and that I should be careful. How nice. Another woman couldn't remember what she had said in her reply to my non-existent online dating profile and wanted to be reminded. A few others just asked who I was.
Then there are the unsubscribers, who are under the unfortunate delusion that asking spammers to take them off their list will help. They send simple messages saying simply "unsubscribe" or "unsubscribe, please", as if that will ever get to the actual spammer, or that they would actually pay any attention to it.
Lastly, are the angry, but clueless. I feel their pain, but they need to find a better outlet. I received emails telling me things I never knew (and find unlikely) about my lineage and suggesting I go places I have no interest in going, using all sorts of language you wouldn't use in polite company. I also received a threatening letter saying that I would be hearing from some company's corporate lawyer.
None of these people stopped to think that it was odd that my email address includes, pretty clearly, my name - which is neither Chris nor Ali. With the number of spam messages that go out every day, I wonder if these people reply to them all. I guess, for some people with anger management problems, this is a kind of outlet. All day, every day, respond angrily to spam messages, and maybe it will have a calming effect on your life.
What's scary is that, for the most, part, I only saw the bounced messages. They continued for approximately 36 hours, and then stopped abruptly. In the end, about 500 email messages bounced back to me, so I can only guess at how many thousands of poor, unsuspecting email boxes are currently dealing with spam sent with my email address as the reply-to. I apologize to all of you, even if I had nothing to do with it. I don't want to date you, and please, feel no compulsion to look at the web page in the email.
Most people agree that spam is evil. It's a waste of time and a general nuisance. I can argue against spam from a variety of levels. It's bad for the internet. It's bad for users. It's bad for business. It's just bad. Luckily, there's a rapidly growing industry of companies (and simply concerned individuals) creating software solutions to help stop the spam menace. While there are debates over how well any of these systems work, it is possible to at least reduce your spam intake. Personally, I use a spam filter that is pretty effective in reducing my spam load to a mostly manageable level.
However, with something like this, there simply is no effective preventative measure in place. The spammers spoof the reply-to, making it whatever they want - so it never even touches my mail server at all. My inbox gets bombarded because there's no simple way to filter out the bounced messages since they are all so different. It's difficult to track down a spammer normally - and more so when the spam isn't even sent to you. Despite the fact that my address was the reply-to, it seems the spammer never sent me the message directly. I found a bounce message that showed the full headers and tracked it back. The email came from a mail server in the Philippines, and pointed to a website hosted in China, owned by a company in London. Tracking down the actual spammer would likely be close to impossible. Assuming they could be found, suing them would be nearly impossible as well, not to mention costly.
One potential solution to this would be to require every outgoing email to have a verified identifier of some sort, so that any email can automatically be traced back to the original sender. This (as does every solution) brings up other problems. There are benefits to anonymous email, and we wouldn't want to take that away (though, perhaps you could limit the number of emails that could be sent anonymously to prevent bulkmailers from abusing the system).
In the end, though, this sort of stunt has killed off the tiniest amount of support I had for spammers. These spammers stand behind their First Amendment rights to speak their minds (which is an argument that can be shot full of holes in a second). In this case, though, the spammer made no use of any First Amendment rights. What they did was just mean and nasty and a complete waste of my time.