I Don't Like Spam: A Personal History and Analysis

Contents:

1. My Motiviation: A Personal History
2. Taxonomy of Spam
3. The First Amendment and Spam
4. Fighting Spam
5. Appendix A: Noteworthy Responses from ISPs
6. Appendix B: Spam-related excerpt from CHI'97 Talk

My Motivation: A Personal History

I've been using e-mail since the early 80's, when I worked at Xerox. Back then, the only thing akin to today's spam was the occasional email sent to the entire company by overzealous employees who were Mary Kaye cosmetics distributors, parents of Girl Scouts, or the like. (Such transgressions occurred in spite of the fact that most Xerox employees had to read an email etiquette document before being given an email account.) Transgressors were quickly educated as to proper use of the company net. Even though the company could use authoritarian methods to punish transgressors, that seldom occurred. Instead, transgressors received their comeuppance the democratic way: by receiving hundreds of replies advising them not to abuse the net again.

In the early 90's, I participated in some Internet newsgroups. There were always a fair proportion of off-topic and cross-posted messages, but no commercial postings until late 1993, when newsgroup chain-letters began to appear. At first, most such postings were by net-newcomers who in their ignorance didn't even try to conceal their addresses. Once informed (by many) that chain letters were illegal and spamming was inappropriate, most were suitably contrite. But over time, newsgroup spam from net-newbies became insignificant compared to intentional spam from commercial posters, who were concealing their return-addresses. (It was about this time that Sanford Wallace, a lawyer in Texas, started systemmatically spamming newsgroups, lost his account, sued his ISP, and formed CyberPromo, aka the "Spam King".)

In about 1995, I began hearing other people's complaints about email spam, but had never received any myself. Most of the complaints came from subscribers of large on-line services like AOL and Compuserve, rather than from people who had corporate internet addresses or subscribed to basic Internet Service Providers (ISPs).

My email accounts up to this point had been provided by my employers. In July 1996, I quit my job at Sun Microsystems, started my own consulting company, and got an email account through the Institute for Global Communications (IGC). IGC has been very good at insulating its subscribers from spam, so I remained fortunate not to receive any. Nonetheless, the increasing complaints of my friends were enough to induce me to discuss the problem in a talk I gave at the ACM conference on Computer Human Interaction in March 1997 (see excerpt in Appendix B, below).

In August of 1997, over a year after I had quit Sun, I began doing some consulting for them. To facilitate my communication with the project team I was advising, Sun set me up with a workstation and a company email account, which, coincidentally, had the same address I had had as an employee. Suddenly, all hell broke loose. The first time I logged onto my new/old email account, I had several hundred spam messages awaiting me, offering pornographic pictures, Russian wives, phone sex, chain letters, cable de-scramblers, tax advice, email lists for spamming, you name it. I am guessing that spammers or spamming list-services had collected my old Sun address from newsgroup archives, and Sun's email servers had dutifully stored the mail for me until I came back.

Angry, but too busy to do anything about the spam, I deleted all of it and began my consulting work. Two days later, when I returned to do more on-site work at Sun, about more 30 spam messages were in my Sun inbox. I do on-site work at Sun a couple of days a week, and each time, between 10 and 30 spam messages are waiting for me.

A few months ago, I decided that enough was enough, and I started fighting back. On days when I had to do on-site work at Sun, I arrived early (i.e., before my billed consulting time starts) and spend the extra time dealing with spam. At first, my efforts were fruitless: most of the email I sent, either to try to get off of mailing lists, flame the spammer, or complain to the spammer's ISP, simply bounced undelivered or disappeared into the ether. Over time, I got better at picking through the header and the message body for promising email addresses to either flame or complain to. I've actually had several successes at getting spammers booted off of ISPs, and getting ISPs whose sites are vulnerable to spam relays to close their loopholes (see Appendix A: Noteworthy Responses from ISPs). But of course, I still get a lot of bounced messages. Spammers are getting better at concealing their identities. Also, an increasing amount of recent spam comes from ISPs that are in business specifically to host spammers; complaining to them is of course fruitless.

At my home email address (i.e., via IGC), I have begun receiving email spam, but it is still extremely rare, e.g., about one a month. I attribute this to the fact that I have to-date done virtually no newsgroup posting from this address. Friends advise me that before I post anything to newsgroups, I should set my newsreader to insert some bogus characters into my from-address so that real people can figure out my return address but automated address-searching software can't, e.g., jeff*no-spam*johnson@igc.apc.org.

Taxonomy of Spam

I categorize spam into a 5x4 matrix depending on how socially irresponsible it is. One dimension has to do with the method of delivery; the other has to do with message content.

Delivery Categories:

• Naive newbie spam: On the delivery-method axis, the most benign category comes from some overzealous or naive person who somehow obtained a mailing list. The return address is not faked. Annoying, but easily dealt with. Such spam was initially the main kind, then became rare as more professional spammers came online. Recently, there has been a resurgence of amateur spam, as naive individuals at mainstream ISPs fall for spam offers of spamming lists or services (see Spam Spam, below). These suckers sent their (usually highly amateurish) spam using one of the services, and often lost their ISP account because of it.
• Masked ID spam with valid Remove instructions: A notch up in delivery irresponsibility is spam that gives an invalid from-address so that replies will bounce, but provides a website or email address that really gives recipients a way to take themselves off the list (supposedly in accordance with some spam-industry guidelines). Many such websites and addresses are bogus or worse, but I honestly believe a few do what they claim so as to forestall strong anti-spam legislation.
• Masked ID spam without valid Remove instructions: The next step in delivery irresponsibility is spam that masks its address and provides no valid method for recipients to remove themselves.
• Masked ID spam that forges another's return-address: Next, we have spam that forges someone else's address as its return-address. As Phil points out, this can be very damaging to the one whose address is forged.
• Spam relays: The height (or nadir, depending on how you think about it) of delivery irresponsibility is relaying spam through some hapless ISP's mail-servers. This sort of spam takes advantage of longstanding protocol for forwarding email from server to server across the Internet, in the same way the Robert Morris' Internet worm took advantage of the way the Internet is supposed to work to propagate itself. In fact, the comparison with Morris' worm is especially apt, because spam relays, like the Morris worm, don't destroy data per se, but cause damage by overloading the processing capability of the Internet hosts they hit. In my opinion, if Morris committed a crime (theft of computing resources nationwide) by releasing his worm -- and the courts found that he did -- then spam-relays are also a crime, because they consume resources in exactly the same way. Many reputable ISPs (e.g., IGC and CPSR's Seattle Community Network) have been hit by spam-relays before they wised up and close down some of the forwarding services that made relays possible... at the cost of reducing the efficiency with which the distributed Internet can forward legitimate e-mail.

• Most spam: In terms of content, I consider most spam as being equivalent: offensive because it is spam, not because of what is in it. I personally am no more offended by a spam ad for phone sex than by a spam ad for a book about how to save the rainforest. So for me, most spam-content is in a single category. But I put a few spams into two additional categories.
• Spam to kids: Messages containing sexually explicit or violent material or web-links or 900-numbers for same, sent to extremely broad lists that most likely include children. I've actually seen messages that say, more or less: "We don't intend to offend anyone, so if you have received this and are under 18, please delete it." Yeah, right! This sort of spam will provide ammunition to those who promote blanket content-restrictions such as the Communications Decency Act, undermine our arguments that the net does not push porn at anyone, and have the chilling effect of inducing parents to keep their kids off the Internet altogether. I talked to a phone company executive who told me "I'm not letting my kids anywhere near the Internet"; too bad for his kid, but also too bad for the NII as a whole if large numbers of parents follow suit.
• Spam spam: I'm seeing an increasing amount of spam that offers spamming services. One can only hope that most of this is really scam spam (see below), so that those who fall for it don't get the services they expect.
• Scam spam: Finally, some spam falls into the supreme category of illegal content, e.g., chain-letter solicitations, financial scams.

The First Amendment and Spam

I have seen arguments that spamming is protected by the First ("Free-Speech") Amendment to the U.S. Constitution. I am a strong First Amendment supporter, but this argument is utter hooey.

Firstly, the First Amendment is about content, not about transmission mechanisms. In the case of cyberspace, it gives anyone the right to put anything they want the web, but it does not give anyone the right to push material at anyone. For example, the Communciations Decency Act passed by the U.S. Congress as part of the Telecommunications Reform Bill of 1996 violated the First Amendment because it attempted to restrict what people could put on websites. Websites don't push anything; people pull information from them, so websites are protected by the First Amendment. Email spam, on the other hand, pushes unsolicited material at people, sometimes even making them pay to receive it (e.g., if the recipient pays for the connect time required to download his/her e-mail from the ISP, as I do at my home address). Email spam is in no way protected by the First Amendment.

Secondly, the First Amendment applies only in the United States. The Internet is global, and most spam is distributed globally. Outside of the U.S., there is no First Amendment, so the issue of what is and is not protected by it is irrelevant. One can argue that other countries should have equivalent basic laws, or that there should be an internationally recognized right to free speech, but until that comes to pass, arguments about First Amendment protection for international email spam are moot.

Fighting Spam

Most of the methods I've used to fight spam are described in Phil Agre's comprehensive article "How to Complain About Spam", so I won't repeat them here. I have used only a small subset of the methods Phil lists, and will continue to do so because of time-limitations.

All I'll add is that spammers rely on two facts about spam recipients:

1. Most are too busy or insufficiently motivated to do anything other than delete the spam. Deleting it is easy, mindless, and can be done in small amounts of time. Taking action against the spam takes energy, larger amounts of time, and maybe even money. One might ask, for example, why I don't just delete the email spam I receive, since almost all of it comes to my Sun account, where I don't pay for access time, and where I have to carefully plan my time for anti-spam activities so that I don't bill Sun for it. The answer is that I believe that by doing nothing, I would be contributing to the likelihood that the problem will spread to my home email account. The thought of logging onto IGC with my 28.8kbaud modem and having to download 20-30 long spam messages a day provides me with plenty of motivation for taking action.
2. The spam recipients who could do the most to fight spam -- computer professionals -- often restrict their responses to flames and other things that can be done online. Taking offline action (i.e., without the computer) tends to be low on their list. Recognizing this tendency in myself, I very quickly reacted against it and began printing possibly illegal messages and snail-mailing them to the relevant postmasters. Organized activity seems like it would be even more useful.

Return to the CPSR home page.

Send mail to webmaster.