The Fight Against Spam, Part 1by FJ de Kermadec
Spam has become a supreme annoyance on the Internet. Everyone has to deal with it, just as everyone has to deal with telemarketers and mail-order catalogs in the real world.
However, assuming that we cannot get totally rid of it, spam can, to a large extent, be avoided by following a few simple rules. My goal in this series of three articles is not to provide you with the ultimate, fool-proof anti-spam strategy. Why? Because there isn't one, and I would be lying to you if I wrote that there was. What I will try to do is to list a few common-sense, easy-to-follow rules that should allow you to spend most of your time on the Web without having to worry.
In the first part of this series, we're going to focus on defining spam -- not an easy task, despite the appearances -- and see how you can start fighting against it. Once you have followed these steps, you will be just in time to read the following installments that focus on fine-tuning our strategy. They also feature an exclusive interview with Kim Silverman, principal research scientist and manager of spoken-language technologies at Apple, about Mail.app's junk-mail filtering capabilities.
Before We Start
As in my previous article, "A Security Primer for Mac OS X," let me remind you that your own needs may vary from what is listed here. This article is intended for home users and small businesses, but multinational companies or users who handle an unusual amount of mail every day will probably want to seek professional help and to rely on custom hardware and software solutions.
What Is Spam, Anyway?
When we say "spam" here on the Mac DevCenter, we rarely speak about the "tinned luncheon meat made largely from pork, developed in 1937."
The definition of spam varies greatly from user to user, therefore raising issues in the detection and reporting processes. However, mails that have been sent to multiple users without their prior consent is generally considered to be spam.
An email sent on your request or sent to you specifically -- by a relative, a coworker, or someone who wants to hurt you in some way -- is technically not spam, although it can be just as dangerous and bothersome.
Emails sent by viruses in order to propagate themselves are usually not considered spam, although they can have a similar effect -- and be sometimes even worse, since their attachments weigh a lot and eat precious bandwidth.
Notifications sent to you by an overzealous provider about network status, bounces, delivery failures, and viruses are not technically spam, either.
Bounced spam is trickier: a spammer may have impersonated you and you are just receiving emails that did not reach their destinations or were bounced back by users. While you are technically not directly spammed, it is important to react quickly since the situation can quickly become unbearable.
Is There Such a Thing as Legitimate Spam?
In a way, yes -- although it probably shouldn't be called spam in this case, but "bulk mail." Many, if not most, web sites will ask you whether or not you will allow their "partners" to send "information" and "promotional offers" to the email address you provide to them.
As soon as you give your consent and allow multiple companies to use your address, the advertisers sending you mail are not necessarily at fault -- unless you can prove that they are sending you mails that pose a threat to the normal operation of your network or computer.
Most countries have specific laws regarding the use of contact information by third-party companies, making it difficult to establish what is and is not legal in your area. As a general rule, however, you can expect a site to follow the rule of the country it is located in, and not yours, even if it is stricter. That's why you should always have a look at where the company you are dealing with is located. A few countries ask foreign companies doing online business on their territory to follow local regulations, but unfortunately, the lack of a worldwide law enforcement system in such matters makes it almost impossible. Whether this is a bad or a good thing I don't know.
Usually, legal "spam" (notice the quotes) can be stopped: simply ask the company that sends it to you to stop, and it should work. If you do not want to receive the O'Reilly newsletter, contact O'Reilly: this will work much better than setting filters for it in your mail client.
Therefore, the absolute first step in any anti-spam strategy is to go through the list of your "spammers" and to ask yourself what can be stopped peacefully and legally. While this may not account for the largest part of the promotional mails you receive, it is guaranteed to make a difference. This step is often overlooked by users who receive so much spam that they can no longer take the time to ask themselves whether they signed up for it or not.
Here is our first anti-spam tip: never, ever allow a company to send your address to "partners." Why? Because you may not know who these partners are, and this will make tracking down the source of legal "spam" much more difficult, even if a serious company has a good chance of having selected serious partners. It is also a good idea to maintain a list of the newsletters you are subscribed to: write down their names, the companies' URLs, and the opt-out procedures that should have been clearly explained to you when you signed in. Such information is extremely useful and often hard to find after a few months!
Within the "legal spam" category falls another that is rarely talked about: all of the promotional emails and newsletters you signed up for but cannot stop, for some reason. Since you signed up, it's technically legal, but the fact that you cannot stop them once you don't want them any more makes them look frighteningly similar to spam. Some companies -- or at least their online marketing departments -- actually engage in such practices, so watch out before signing up!
A good place to look for such clues is Usenet. Luckily, you can browse most of the posts through services such as Google Groups that do not require any setup on your end. Google Groups contains the entire archive of Usenet discussion groups dating back to 1981. Of course, you will find very diverse -- even opposite -- opinions, slandering, and strong language in these groups too, so read with care.
Who May Receive Spam?
Anyone may receive spam. More precisely, any active user on the Internet who uses an email address and sends it to third parties.
Did you post your email address on your site or on a forum? Well, there are robots specifically designed to read millions of web pages, extract any email addresses they can find from them, and add those addresses to mailing lists. Some forum software packages actually create forums that are so complex that most robots get stuck and never get to actually read the addresses; WebX, for example, is supposed to be quite spam-resistant. You should, however, treat every forum equally and avoid posting your address without scrambling it.
Do you send mail to PC users? Well, they may receive viruses that will read their address books and, while sending you dozens of infected mails per day -- which are, if you remember what we said above, not "spam" -- will also subscribe you to lists and flood your inbox with messages.
A less common but equally frightening case: some people use anti-spam software that subscribes you to lists, and you begin to receive even more spam than you can accept, a "fight back" way of protecting oneself. Unfortunately, since addresses are easily spoofed, this means that these applications very often end up punishing the wrong person.
A little unsettling, isn't it? Luckily, there are ways around most of that, so don't panic. However, it's important to realize that even someone who leads a perfectly respectable online life and is cautious may receive spam.
Help! I'm Already Flooded with Junk Mail
Create a New Address
If you're already flooded with junk mail, the easiest, most effective way to get rid of it is to create a new email address. Indeed, spam can reach a point where deleting it and looking for legitimate correspondence in your inbox slows you and your work down.
It can also be dangerous, transforming your mailbox into a floodgate for malicious code. Imagine what can happen the next time that you check your mails from your work PC or on a friend's XP Home machine!
Of course, creating a new address alone won't help; you also need to understand at what point your address was revealed to spammers. Otherwise, you may well end up creating a new address every few weeks -- and this definitely isn't practical.
One of the biggest issues when creating mailboxes is letting your correspondents know about them. In fact, many users never do this because they fear that they are going to lose customers, friends, or other contacts they may have. This is a legitimate fear, but everyone moves and changes addresses in the real world, too. What can be managed in life should normally be manageable online!
Obviously, you cannot set your old address to send auto-reply mail containing your new address. Otherwise, you would simply send your new address to spammers even before all your legitimate correspondents have had the time to learn about it. Worse, should one of your correspondents have an auto-reply system too, your two mail servers could enter an auto-replying loop, filling your mailbox and preventing other legitimate users from receiving the new address notification.
Using Address Book to Solve Transition Issues
Chances are that the last time you moved, you had to send cards to everyone to make sure that they were aware of your new contact information. You can do the same online by using the Panther Address Book and its great Send Updates feature.
The Send Update feature will automatically send your new contact information to a group of people, by clicking on a few buttons. A lot easier than doing things manually, isn't it? Of course, it sends your information as a vCard, ensuring cross-platform compatibility and consistency in what you send -- so you won't make a typo in your new email address on half of the cards you send, something that can happen when writing hundreds of notes in a few days.
To send the update, here are the steps to follow:
- Select your card in Address Book and make sure that it is up to date. Also, make sure that it is marked as "Your card." You will see "me" written on the picture you have set.
- Create a group: Open your Address Book and select the "Card and column" view by using the switch located on the top left of the window. Notice the "+" button at the bottom, on the far left. Click on it to create a new group and give the group a meaningful name, such as "New address mailing."
- Populate the group: Click on the "all" group and pick the cards you want to put into the other. To click on multiple contiguous cards, hold down the shift key. To pick cards at random, hold down the Apple key. Once you have selected the cards you want, drag them over the new group icon and drop them. This will populate the group you have just created.
- Make sure that you use the right address: If your correspondents have multiple email addresses, you can use the "Edit distribution list" feature, available through the "Edit" menu, to select the addresses to which your note will be sent.
- Once you are all set: Use the "File" menu to chose the "Send Updates" menu item.
- In the window that appears: Select the group to which you want to send the note. In our example, this is the group we just created.
- Then, enter a title and a message: Try to make the title and message personal enough so that spam filters don't stop it and that your correspondents actually read it!
- Once you are ready, click on "Send": A few seconds later, you will hear the mail-sending sound from Mail.app.
Of course, while sending an update, make sure that you don't send it to a potential spammer -- in case you have companies in your address book -- or to PC users who collect spam-inducing viruses on their hard drives. You should also make sure that Mail is properly set up and doesn't display the addresses of all of the members of the group. Revealing the addresses of your correspondents can cause the (justified) ire of some of them -- and is also a great way to promote spam if one of them uses an virus-infected PC.
Here is a privacy-related tip: before sending out your card, drag it onto the desktop to export it and open the resulting vCard in TextEdit. You can do so safely since vCards are nothing more than a text document in disguise. This will reveal the actual contents of the card and help you make sure that it doesn't contain information that you don't want to share, such as an email address or a custom category.
Address Book also has a very nifty feature called "Enable Private Me Card," accessible through the vCard preference pane. When turned on, this feature allows you not to share some of the contents of your vCard. This can be very handy if you want to create a "meta vCard" on which you have all your contact information, and pick on the fly what you want to share. It is, however, always a good idea to make sure that it is properly configured before sending the information out.
In the same pane, you will see a checkbox called "Export Notes in vCards." You can use this to add a comment to your own vCard that you will hand out. This can be a short bio or a note that explains your address change and apologizes for the inconvenience this may cause.
Pages: 1, 2