Stopping e-mail abuse
Encyclopedia
To prevent e-mail spam
(aka unsolicited bulk email), both end users and administrator
s of e-mail systems use various anti-spam techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users and administrators. No one technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate e-mail vs. not rejecting all spam, and the associated costs in time and effort.
Anti-spam techniques can be broken into four broad categories: those that require actions by individuals, those that can be automated by e-mail administrators, those that can be automated by e-mail senders and those employed by researchers and law enforcement officials.
Detecting spam based on the content of the e-mail, either by detecting keywords such as "viagra" or by statistical means (content or non-content based), is very popular. Content based statistical means or detecting keywords can be very accurate when they are correctly tuned to the types of legitimate email that an individual gets, but they can also make mistakes such as detecting the keyword "cialis" in the word "specialist"; see also Internet censorship#"By-catch". The content also doesn't determine whether the email was either unsolicited or bulk, the two key features of spam. So, if a friend sends you a joke that mentions "viagra", content filters can easily mark it as being spam even though it is neither unsolicited nor sent in bulk. Non-content base statistical means can help lower false positives because it looks at statistical means vs. blocking based on content/keywords. Therefore, you will be able to receive the friend who sends you a joke that mentions "viagra".
s (DNS Blacklists) are lists of IP addresses of known spammers, known open relays, known proxy servers, compromised “zombie” spammers, as well as hosts on the internet that shouldn’t be sending external emails, such as the end-user address space of a consumer ISP. These are known as “Dial Up Lists”, from the time when end users had to dial up to the internet with a modem and a phone line.
Spamtrap
s are often email addresses that were never valid or have been invalid for a long time that are used to collect spam. An effective spamtrap is not announced and is only found by dictionary attack
s or by pulling addresses off hidden webpages. For a spamtrap to remain effective the address must never be given to anyone. Some black lists, such as spamcop
, use spamtraps to catch spammers and blacklist them.
Enforcing technical requirements of the Simple Mail Transfer Protocol
(SMTP) can be used to block mail coming from systems that are not compliant with the RFC standards. A lot of spammers use poorly written software or are unable to comply with the standards because they do not have legitimate control of the computer sending spam (zombie computer
). So by setting restrictions on the mail transfer agent
(MTA) a mail administrator can reduce spam significantly, such as by enforcing the correct fall back of Mail eXchange (MX) records in the Domain Name System
, or the correct handling of delays (Teergrube).
, but users should ensure that the fake address is not valid. Users who want to receive legitimate email regarding their posts or Web sites can alter their addresses so humans can figure out but spammers cannot. For instance, joe@example.com might post as joeNOS@PAM.invalid.example.com. Address munging, however, can cause legitimate replies to be lost. If it's not the user's valid address, it has to be truly invalid, otherwise someone or some server will still get the spam for it.
Other ways use transparent address munging to avoid this by allowing users to see the actual address but obfuscate it from automated email harvesters with methods such as displaying all or part of the e-mail address on a web page as an image, a text logo shrunken to normal size using in-line CSS
, or as jumbled text with the order of characters restored using CSS.
Sender addresses are often forged in spam messages, including using the recipient's own address as the forged sender address, so that responding to spam may result in failed deliveries or may reach innocent e-mail users whose addresses have been abused.
In Usenet
, it is widely considered even more important to avoid responding to spam. Many ISPs have software that seek and destroy duplicate messages. Someone may see a spam and respond to it before it is cancelled by their server, which can have the effect of reposting the spam for them; since it is not a duplicate, the reposted copy will last longer. Replying may also cause the poster to be falsely linked to as part of the spam message.
functionality, such as the display of HTML
, URLs, and images. This can easily expose the user to offensive images in spam. In addition, spam written in HTML can contain web bug
s which allows spammers to see that the e-mail address is valid and that the message has not been caught in spam filters. JavaScript
programs can be used to direct the user's Web browser to an advertised page, or to make the spam message difficult to close or delete. Spam messages have contained attacks upon security vulnerabilities in the HTML renderer, using these holes to install spyware
. (Some computer virus
es are borne by the same mechanisms.)
Mail clients which do not automatically download and display HTML, images or attachments, have fewer risks, as do clients who have been configured to not display these by default.
The "plus addressing" technique appends a password to the "username" part of the email address.
Examples of these online tools are SpamCop
and Network Abuse Clearinghouse
. They provide automated or semi-automated means to report spam to ISPs. Some spam-fighters regard them as inaccurate compared to what an expert in the email system can do; however, most email users are not experts.
A free tool called Complainterator may be used in the reporting of spam. The Complainterator will send an automatically generated complaint to the registrar of the spamming domain and the registrar of its name servers.
Historically, reporting spam in this way has not seriously abated spam, since the spammers simply move their operation to another URL, ISP or network of IP addresses.
Consumers may also forward "unwanted or deceptive spam" to an email address ( spam@uce.gov) maintained by the FTC. The database collected is used to prosecute perpetrators of scam or deceptive advertising.
An alternative to contacting ISPs is to contact the registrar of a domain name that has used in spam e-mail. Registrars, as ICANN-accredited administrative organizations, are obliged to uphold certain rules and regulations, and have the resources necessary for dealing with abuse complaints.
The basic idea is to make spamming less attractive to the spammer, by increasing the spammer's overhead. There are several ways to reach a spammer, but besides the caveats mentioned above, it may lead to retaliations by the spammer.
There is an increasing trend of integration of anti-spam techniques into MTAs whereby the mail systems themselves also perform various measures that are generally referred to as filtering, ultimately resulting in spam messages being rejected before delivery (or blocked).
Many filtering systems take advantage of machine learning
techniques, which improve their accuracy over manual methods. However, some people find filtering intrusive to privacy, and many e-mail administrators prefer blocking to deny access to their systems from sites tolerant of spammers.
s; but rather than being used to list nonconformant sites, the DNS is used to list sites authorized to send email, and (sometimes) to determine the reputation of those sites. Other methods of identifying ham (non-spam email) and spam are still used.
Authentication systems cannot detect whether a message is spam. Rather, they allow a site to express trust that an authenticated site will not send spam. Thus, a recipient site may choose to skip expensive spam-filtering methods for messages from authenticated sites.
.
, and look that checksum up in a database which collects the checksums of messages that email recipients consider to be spam (some people have a button on their email client which they can click to nominate a message as being spam); if the checksum is in the database, the message is likely to be spam.
The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish—known as hashbusters—into the middle of each of their messages, thus making each message unique and having a different checksum. This leads to an arms race
between the developers of the checksum software and the developers of the spam-generating software.
Checksum based filtering methods include:
s, are used for heuristic filtering and blocking. A site publishes lists (typically of IP addresses) via the DNS
, in such a way that mail servers can easily be set to reject mail from those sources. There are literally scores of DNSBLs, each of which reflects different policies: some list sites known to emit spam; others list open mail relay
s or proxies; others list ISPs known to support spam.
Other DNS-based anti-spam systems list known good ("white") or bad ("black") IPs domains or URLs, including RHSBLs and URIBLs.
(SMTP) can be used to judge the likelihood of the message being spam. A lot of spammers use poorly written software or are unable to comply with the standards because they do not have legitimate control of the computer they are using to send spam (zombie computer
). By setting limits on the deviation from RFC standards that the MTA
will accept, a mail administrator can reduce spam significantly.
There are some legitimate sites that play "fast and loose" with the SMTP specifications, and may be caught by this mechanism. It also has a tendency to interact badly with sites that perform callback verification
, as common callback verification systems have timeouts that are much shorter than those mandated by RFC 5321 4.5.3.2.
Greylisting is based on the premise that spammers and spambots will not retry their messages but instead will move on to the next message and next address in their list. Since a retry attempt means the message and state of the process must be stored, it inherently increases the cost incurred by the spammer. The assumption is that, for the spammer, it's a better use of resources to try a new address than waste time re-sending to an address that's already exhibited a problem. For a legitimate message this delay is not an issue since retrying is a standard component of any legitimate sender's server.
The downside of greylisting is that all legitimate messages from first time senders will experience a delay in delivery, with the delay period before a new message is accepted from an unknown sender usually being configurable in the software. There also exists the possibility that some legitimate messages won't be delivered, which can happen if a poorly configured (but legitimate) mail server interprets the temporary rejection as a permanent rejection and sends a bounce message to the original sender, instead of trying to resend the message later, as it should.
can be detected by a number of simple checks confirming compliance with standard addressing and MTA operation. RFC 5321 section 4.1.4 says that
"An SMTP server MAY verify that the domain name argument in the EHLO command actually corresponds to the IP address of the client. However, if the verification fails, the server MUST NOT refuse to accept a message on that basis.", so to be in compliance with the RFCs, rejecting connections must be based on additional information/policies.
Invalid HELO localhost
Invalid HELO 127.0.0.1
Valid HELO domain.tld
Valid HELO [127.0.0.1]
Fraudulent HELO friend
Fraudulent HELO -232975332
s), and further specifies mandatory error-handling behavior when servers in that list cannot be contacted. Nolisting is a technique of purposely creating unreachable MX records, so that only senders who have implemented this error-handling behavior can successfully deliver mail.
are capable of detecting whether or not the connection is closed with the quit command and can track patterns of use for the purpose of building DNSBL
s.
s, or store them for analysis.
and Policyd-weight
uses some or all of the various tests for spam, and assigns a numerical score to each test. Each message is scanned for these patterns, and the applicable scores tallied up. If the total is above a fixed value, the message is rejected or flagged as spam. By ensuring that no single spam test by itself can flag a message as spam, the false positive rate can be greatly reduced.
or similar techniques to route SMTP
messages to a filtering service). Or, it can be implemented within a standard SMTP gateway. While the primary economic impact of spam
is on spam recipients, sending networks also experience financial costs, such as wasted bandwidth, and the risk of having IP addresses blocked by receiving networks.
The advantage of outbound spam protection is that it stops spam before it leaves the sending network, protecting receiving networks globally from the damage and costs that would otherwise be caused by the spam. Further it lets system administrators track down spam sources on the network and remediate them – for example, providing free anti-virus tools to customers whose machines have become infected with a virus
or are participating in a botnet
. Given an appropriately designed spam filtering algorithm, outbound spam filtering can be implemented with a near zero false positive rate, which keeps customer related issues with blocked legitimate email down to a minimum.
There are several commercial software vendors who offer outbound spam protection products, including Cloudmark
, MailChannels
and Commtouch
.
, a developer of anti-spam software, their Recurrent Pattern Detection (RPD) software can be integrated into other appliances and applications. This method is more automated than most because the service provider maintains the comparative spam database instead of the system administrator.
s disallowed in mail messages. Thus, if a site receives spam advertising "herbal Viagra", the administrator might place this phrase in the filter configuration. The mail server would then reject any message containing the phrase.
Header filtering is the means of inspecting the header of the email, the part of the message that contains information about the origin, destination and content of the message. Spammers will often spoof
fields in the header in order to hide their identity, or to try to make the email look more legitimate than it is; many of these spoofing methods can be detected. Also, a violation of the RFC 5322 standard on how the header is to be formed can serve as a basis for rejecting the message.
Disadvantages of filtering are threefold: First, filtering can be time-consuming to maintain. Second, it is prone to false positives. Third, these false positives are not equally distributed: since content filtering is prone to reject legitimate messages on topics related to products frequently advertised in spam. A system administrator who attempts to reject spam messages which advertise mortgage refinancing, credit or debt may inadvertently block legitimate e-mail on the same subject.
Spammers frequently change the phrases and spellings they use. This can mean more work for the administrator. However, it also has some advantages for the spam fighter. If the spammer starts spelling "Viagra" as "V1agra" (see leet
) or "Via_gra", it makes it harder for the spammer's intended audience to read their messages. If they try to trip up the phrase detector, by, for example, inserting an invisible-to-the-user HTML comment in the middle of a word ("Via<!---->gra"), this sleight of hand is itself easily detectable, and is a good indication that the message is spam. And if they send spam that consists entirely of images, so that anti-spam software can't analyze the words and phrases in the message, the fact that there is no readable text in the body can be detected, making that message a higher risk of being spam.
Content filtering can also be implemented to examine the URL
s present (i.e. spamvertising
) in an email message. This form of content filtering is much harder to disguise as the URLs must resolve to a valid domain name. Extracting a list of such links and comparing them to published sources of spamvertised domains is a simple and reliable way to eliminate a large percentage of spam via content analysis.
A potential difficulty with such systems is that the licensing organization makes its money by licensing more senders to use the tag—not by strictly enforcing the rules upon licensees. A concern exists that senders whose messages are more likely to be considered spam would accrue a greater benefit by using such a tag. The concern is that these factors form a perverse incentive
for licensing organizations to be lenient with licensees who have offended. However, the value of a license would drop if it was not strictly enforced, and financial gains due to enforcement of a license itself can provide an additional incentive for strict enforcement.
Callback verification can be compliant with SMTP RFCs, but it has various drawbacks. Since nearly all spam has forged return addresses, nearly all callbacks are to innocent third party mail servers that are unrelated to the spam. At the same time, there will be numerous false negatives due to spammers abusing real addresses and some false positives.
As an example, consider the email address "spamtrap@example.org". If this email address were placed in the source HTML of our web site in a way that it isn't displayed on the web page, normal humans would not see it. Spammers, on the other hand, use web page scrapers and bots to harvest email addresses from HTML source code so they would find this address.
When the spammer sends mail with the destination address of "spamtrap@example.org" the SpamTrap knows this is highly likely to be a spammer and can take appropriate action.
Typical statistical filtering uses single words in the calculations to decide if a message should be classified as spam or not. A more powerful calculation can be made using groups of two or more words taken together. Then random "noise" words can not be used as successfully to fool the filter.
Software programs that implement statistical filtering include Bogofilter
, DSPAM
, SpamBayes
, ASSP
, the e-mail programs Mozilla
and Mozilla Thunderbird
, Mailwasher
, and later revisions of SpamAssassin
. Another interesting project is CRM114 which hashes phrases and does bayesian classification on the phrases.
There is also the free mail filter POPFile
, which sorts mail in as many categories as the user wants (family, friends, co-worker, spam, whatever) with Bayesian filtering.
s.
s on new accounts to verify that it is a real human registering the account, and not an automated spamming system. They can also verify that credit cards are not stolen before accepting new customers, check the Spamhaus Project
ROKSO list, and do other background checks.
To prevent this abuse, MAPS and other anti-spam organizations encourage that all mailing lists use confirmed opt-in (also known as verified opt-in or double opt-in). That is, whenever an email address is presented for subscription to the list, the list software should send a confirmation message to that address. The confirmation message contains no advertising content, so it is not construed to be spam itself — and the address is not added to the live mail list unless the recipient responds to the confirmation message. See also the Spamhaus
Mailing Lists vs. Spam Lists page.
All modern mailing list management programs (such as GNU Mailman
, LISTSERV
, Majordomo
, and qmail
's ezmlm) support confirmed opt-in by default.
or anti-virus warning gets sent to a forged email address, the result will be backscatter
.
Problems with sending challenges to forged e-mail addresses can be greatly reduced by not creating a new message that contains the challenge. Instead, the challenge can be placed in the Bounce message
when the receiving mail system gives a rejection-code during the SMTP session. When the receiving mail system rejects an e-mail this way, it is the sending system that actually creates the bounce message. As a result, the bounce message will almost always be sent to the real sender, and it will be in a format and language that the sender will usually recognize.
s or send e-mail. This practice is somewhat controversial when ISPs block home users, especially if the ISPs do not allow the blocking to be turned off upon request. E-mail can still be sent from these computers to designated smart host
s via port 25 and to other smart hosts via the e-mail submission port 587.
can be used to intercept all port 25 (SMTP) traffic and direct it to a mail server that enforces rate limiting and egress spam filtering. This is commonly done in hotels, but it can cause e-mail privacy
problems, as well making it impossible to use STARTTLS
and SMTP-AUTH if the port 587 submission port isn't used.
s. By limiting the rate that e-mail can be sent around what is typical for the computer in question, legitimate e-mail can still be sent, but large spam runs can be slowed down until manual investigation can be done.
, AOL
's feedback loop, and Network Abuse Clearinghouse
, the domain's abuse@ mailbox, etc., ISPs can often learn of problems before they seriously damage the ISP's reputation and have their mail servers blacklisted.
(AUP) or a Terms of Service
(TOS) agreement that discourages spammers from using their system and allows the spammer to be terminated quickly for violations.
and phishing
activities and gathering evidence for criminal cases.
The penalty provisions of the Australian Spam Act 2003 dropped Australia's ranking in the list of spam-relaying countries for email spam from tenth to twenty-eighth.
Legislation that provides mandates that bulk emailers must follow makes compliant spam easier to identify and filter out.
by a given piece of spam often leads to questionable registrations of Internet domain names. Since registrars are required to maintain trustworthy WHOIS
databases, digging into the registration details and complaining at the proper locations often results in site shutdowns. Uncoordinated activity may not be effective, given today's volume of spam and the rate at which criminal organizations register new domains. However, a coordinated effort, implemented with adequate infrastructure, can obtain good results.
attempts to make spamming less profitable by bringing lawsuits against spammers.
(IRTF) is working on a number of email authentication and other proposals for providing simple source authentication that is flexible, lightweight, and scalable. Recent Internet Engineering Task Force
(IETF) activities include MARID
(2004) leading to two approved IETF experiments in 2005, and DomainKeys Identified Mail
in 2006.
Channel email
is a new proposal for sending email that attempts to distribute anti-spam activities by forcing verification (probably using bounce message
s so back-scatter doesn't occur) when the first email is sent for new contacts.
E-mail spam
Email spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
(aka unsolicited bulk email), both end users and administrator
System administrator
A system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network...
s of e-mail systems use various anti-spam techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users and administrators. No one technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate e-mail vs. not rejecting all spam, and the associated costs in time and effort.
Anti-spam techniques can be broken into four broad categories: those that require actions by individuals, those that can be automated by e-mail administrators, those that can be automated by e-mail senders and those employed by researchers and law enforcement officials.
Checking words: false positives
People tend to be much less bothered by spam slipping through filters into their mail box (false negatives), than having desired e-mail ("ham") blocked (false positives). Trying to balance false negatives (missed spams) vs false positives (rejecting good e-mail) is critical for a successful anti-spam system. Some systems let individual users have some control over this balance by setting "spam score" limits, etc. Most techniques have both kinds of serious errors, to varying degrees. So, for example, anti-spam systems may use techniques that have a high false negative rate (miss a lot of spam), in order to reduce the number of false positives (rejecting good e-mail).Detecting spam based on the content of the e-mail, either by detecting keywords such as "viagra" or by statistical means (content or non-content based), is very popular. Content based statistical means or detecting keywords can be very accurate when they are correctly tuned to the types of legitimate email that an individual gets, but they can also make mistakes such as detecting the keyword "cialis" in the word "specialist"; see also Internet censorship#"By-catch". The content also doesn't determine whether the email was either unsolicited or bulk, the two key features of spam. So, if a friend sends you a joke that mentions "viagra", content filters can easily mark it as being spam even though it is neither unsolicited nor sent in bulk. Non-content base statistical means can help lower false positives because it looks at statistical means vs. blocking based on content/keywords. Therefore, you will be able to receive the friend who sends you a joke that mentions "viagra".
Lists of sites
The most popular DNSBLDNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s (DNS Blacklists) are lists of IP addresses of known spammers, known open relays, known proxy servers, compromised “zombie” spammers, as well as hosts on the internet that shouldn’t be sending external emails, such as the end-user address space of a consumer ISP. These are known as “Dial Up Lists”, from the time when end users had to dial up to the internet with a modem and a phone line.
Spamtrap
Spamtrap
A spamtrap is a honeypot used to collect spam.Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam...
s are often email addresses that were never valid or have been invalid for a long time that are used to collect spam. An effective spamtrap is not announced and is only found by dictionary attack
Dictionary attack
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.-Technique:...
s or by pulling addresses off hidden webpages. For a spamtrap to remain effective the address must never be given to anyone. Some black lists, such as spamcop
SpamCop
SpamCop is a free spam reporting service, allowing recipients of unsolicited bulk email and unsolicited commercial email to report offenders to the senders' Internet Service Providers , and sometimes their web hosts...
, use spamtraps to catch spammers and blacklist them.
Enforcing technical requirements of the Simple Mail Transfer Protocol
Simple Mail Transfer Protocol
Simple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
(SMTP) can be used to block mail coming from systems that are not compliant with the RFC standards. A lot of spammers use poorly written software or are unable to comply with the standards because they do not have legitimate control of the computer sending spam (zombie computer
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
). So by setting restrictions on the mail transfer agent
Mail transfer agent
Within Internet message handling services , a message transfer agent or mail transfer agent or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture...
(MTA) a mail administrator can reduce spam significantly, such as by enforcing the correct fall back of Mail eXchange (MX) records in the Domain Name System
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
, or the correct handling of delays (Teergrube).
End-user techniques
There are a number of techniques that individuals can use to restrict the availability of their e-mail addresses, reducing or preventing their attractiveness to spam.Discretion
Sharing an email address only among a limited group of correspondents is one way to limit spam. This method relies on the discretion of all members of the group, as disclosing email addresses outside the group circumvents the trust relationship of the group. For this reason, forwarding messages to recipients who don't know one another should be avoided. When it is absolutely necessary to forward messages to recipients who don't know one another, it is good practice to list the recipient names all after "bcc:" instead of after "to:". This practice avoids the scenario where unscrupulous recipients might compile a list of email addresses for spamming purposes. This practice also reduces the risk of the address being distributed by computers affected with email address harvesting malware. However, once the privacy of the email address is lost by divulgence, it cannot likely be regained.Address munging
Posting anonymously, or with a fake name and address, is one way to avoid e-mail address harvestingE-mail address harvesting
Email harvesting is the process of obtaining lists of email addresses using various methods for use in bulk email or other purposes usually grouped as spam.-Methods:...
, but users should ensure that the fake address is not valid. Users who want to receive legitimate email regarding their posts or Web sites can alter their addresses so humans can figure out but spammers cannot. For instance, joe@example.com might post as joeNOS@PAM.invalid.example.com. Address munging, however, can cause legitimate replies to be lost. If it's not the user's valid address, it has to be truly invalid, otherwise someone or some server will still get the spam for it.
Other ways use transparent address munging to avoid this by allowing users to see the actual address but obfuscate it from automated email harvesters with methods such as displaying all or part of the e-mail address on a web page as an image, a text logo shrunken to normal size using in-line CSS
CSS
-Computing:*Cascading Style Sheets, a language used to describe the style of document presentations in web development*Central Structure Store in the PHIGS 3D API*Closed source software, software that is not distributed with source code...
, or as jumbled text with the order of characters restored using CSS.
Avoid responding to spam
Spammers often regard responses to their messages—even responses like "Don't spam me"—as confirmation that an email address is valid. Likewise, many spam messages contain Web links or addresses which the user is directed to follow to be removed from the spammer's mailing list. In several cases, spam-fighters have tested these links, confirming they do not lead to the recipient address's removal—if anything, they lead to more spam. This removal request of filing a complaint may get the address list washed. To lower complaints so the spammer can stay active before having to acquire new accounts and/or internet provider.Sender addresses are often forged in spam messages, including using the recipient's own address as the forged sender address, so that responding to spam may result in failed deliveries or may reach innocent e-mail users whose addresses have been abused.
In Usenet
Usenet
Usenet is a worldwide distributed Internet discussion system. It developed from the general purpose UUCP architecture of the same name.Duke University graduate students Tom Truscott and Jim Ellis conceived the idea in 1979 and it was established in 1980...
, it is widely considered even more important to avoid responding to spam. Many ISPs have software that seek and destroy duplicate messages. Someone may see a spam and respond to it before it is cancelled by their server, which can have the effect of reposting the spam for them; since it is not a duplicate, the reposted copy will last longer. Replying may also cause the poster to be falsely linked to as part of the spam message.
Contact forms
Contact forms allow users to send email by filling out forms in a web browser. The web server takes the form data, forwarding it to an email address. Users never see the email address. Such forms, however, are sometimes inconvenient to users, as they are not able to use their preferred e-mail client, risk entering a faulty reply address, and are typically not notified about delivery problems. Further, contact forms have the drawback that they require a website that supports server side scripts. Finally, if the software used to run the contact forms is badly designed, it can become a spam tool in its own right. Additionally, some spammers have begun to send spam using the contact form.Disable HTML in e-mail
Many modern mail programs incorporate Web browserWeb browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
functionality, such as the display of HTML
HTML
HyperText Markup Language is the predominant markup language for web pages. HTML elements are the basic building-blocks of webpages....
, URLs, and images. This can easily expose the user to offensive images in spam. In addition, spam written in HTML can contain web bug
Web bug
A web bug is an object that is embedded in a web page or e-mail and is usually invisible to the user but allows checking that a user has viewed the page or e-mail. One common use is in e-mail tracking. Alternative names are web beacon, tracking bug, and tag or page tag...
s which allows spammers to see that the e-mail address is valid and that the message has not been caught in spam filters. JavaScript
JavaScript
JavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....
programs can be used to direct the user's Web browser to an advertised page, or to make the spam message difficult to close or delete. Spam messages have contained attacks upon security vulnerabilities in the HTML renderer, using these holes to install spyware
Spyware
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
. (Some computer virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
es are borne by the same mechanisms.)
Mail clients which do not automatically download and display HTML, images or attachments, have fewer risks, as do clients who have been configured to not display these by default.
Disposable e-mail addresses
An email user may sometimes need to give an address to a site without complete assurance that the site owner will not use it for sending spam. One way to mitigate the risk is to provide a disposable email address—a temporary address which the user can disable or abandon which forwards email to a real account. A number of services provide disposable address forwarding. Addresses can be manually disabled, can expire after a given time interval, or can expire after a certain number of messages have been forwarded. Site owners that fail to keep addresses they have gathered confidential have found themselves in legal jeopardy due to the ability of disposable email address users to trace which website passed on their email without permission.Ham passwords
Systems that use ham passwords ask unrecognised senders to include in their email a password that demonstrates that the email message is a "ham" (not spam) message. Typically the email address and ham password would be described on a web page, and the ham password would be included in the "subject" line of an email address. Ham passwords are often combined with filtering systems, to counter the risk that a filtering system will accidentally identify a ham message as a spam message.The "plus addressing" technique appends a password to the "username" part of the email address.
Reporting spam
Tracking down a spammer's ISP and reporting the offense can lead to the spammer's service being terminated. Unfortunately, it can be difficult to track down the spammer—and while there are some online tools to assist, they are not always accurate. Occasionally, spammers employ their own netblocks. In this case, the abuse contact for the netblock can be the spammer itself and can confirm your address.Examples of these online tools are SpamCop
SpamCop
SpamCop is a free spam reporting service, allowing recipients of unsolicited bulk email and unsolicited commercial email to report offenders to the senders' Internet Service Providers , and sometimes their web hosts...
and Network Abuse Clearinghouse
Network Abuse Clearinghouse
The Network Abuse Clearinghouse, better known as abuse.net, maintains a contact database for reporting misuse on the Internet. It makes entries from the database available , and provides an intermediary service for registered users to forward complaints by e-mail.-See also:* Anti-spam techniques *...
. They provide automated or semi-automated means to report spam to ISPs. Some spam-fighters regard them as inaccurate compared to what an expert in the email system can do; however, most email users are not experts.
A free tool called Complainterator may be used in the reporting of spam. The Complainterator will send an automatically generated complaint to the registrar of the spamming domain and the registrar of its name servers.
Historically, reporting spam in this way has not seriously abated spam, since the spammers simply move their operation to another URL, ISP or network of IP addresses.
Consumers may also forward "unwanted or deceptive spam" to an email address ( spam@uce.gov) maintained by the FTC. The database collected is used to prosecute perpetrators of scam or deceptive advertising.
An alternative to contacting ISPs is to contact the registrar of a domain name that has used in spam e-mail. Registrars, as ICANN-accredited administrative organizations, are obliged to uphold certain rules and regulations, and have the resources necessary for dealing with abuse complaints.
Responding to spam
Some advocate responding aggressively to spam—in other words, "spamming the spammer".The basic idea is to make spamming less attractive to the spammer, by increasing the spammer's overhead. There are several ways to reach a spammer, but besides the caveats mentioned above, it may lead to retaliations by the spammer.
- Replying directly to the spammer's email address
- Just clicking "reply" will not work in the vast majority of cases, since most of the sender addresses are forged or made up. In some cases, however, spammers do provide valid addresses, as in the case of Nigerian scamsAdvance fee fraudAn advance-fee fraud is a confidence trick in which the target is persuaded to advance sums of money in the hope of realizing a significantly larger gain...
.
- Just clicking "reply" will not work in the vast majority of cases, since most of the sender addresses are forged or made up. In some cases, however, spammers do provide valid addresses, as in the case of Nigerian scams
- Targeting the computers used to send out spam
- In 2005, IBM announced a service to bounce spam directly to the computers that send out spam. Because the IP addresses are identified in the headers of every message, it would be possible to target those computers directly, sidestepping the problem of forged email addresses. In most cases, however, those computers do not belong to the real spammer, but to unsuspecting users with unsecured or outdated systems, hijacked through malwareMalwareMalware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
and controlled at distance by the spammer; these are known as zombie computerZombie computerIn computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
s. However, in most legal jurisdictions, ignorance is no defense, and many victims of spam regard the owners of zombie computers as willfully compliant accomplices of spammers.
- In 2005, IBM announced a service to bounce spam directly to the computers that send out spam. Because the IP addresses are identified in the headers of every message, it would be possible to target those computers directly, sidestepping the problem of forged email addresses. In most cases, however, those computers do not belong to the real spammer, but to unsuspecting users with unsecured or outdated systems, hijacked through malware
- Leaving messages on the spamvertised site
- Spammers selling their wares need a tangible point of contact so that customers can reach them. Sometimes it is a telephone number, but most often is a web site containing web formsForm (web)A webform on a web page allows a user to enter data that is sent to a server for processing. Webforms resemble paper or database forms because internet users fill out the forms using checkboxes, radio buttons, or text fields...
through which customers can fill out orders or inquiries, or even "unsubscribe" requests. Since positive response to spam is probably much less than 1/10,000, if just a tiny percentage of users visit spam sites just to leave negative messages, the negative messages could easily outnumber positive ones, incurring costs for spammers to sort them out, not mentioning the cost in bandwidth. An automated system, designed to respond in just such a way, was Blue FrogBlue FrogThe Blue Frog tool, produced by Blue Security Inc., operated in 2006 as part of a community-based anti-spam system which tried to persuade spammers to remove community members' addresses from their mailing lists by automating the complaint process for each user as spam is received...
. Unfortunately, in doing so, you risk arousing the ire of criminals who may respond with threats or 'target' your address with even more spam.
- Spammers selling their wares need a tangible point of contact so that customers can reach them. Sometimes it is a telephone number, but most often is a web site containing web forms
Automated techniques for e-mail administrators
There are a number of appliances, services, and software systems that e-mail administrators can use to reduce the load of spam on their systems and mailboxes. Some of these depend upon rejecting email from Internet sites known or likely to send spam. Other more advanced techniques analyze message patterns in real time to detect spam like behavior and then compares it to global databases of spam. Those methods are capable of detecting spam in real time even when there is no content (common to image based spam) and in any language. Another method relies on automatically analyzing the content of email messages and weeding out those which resemble spam. These three approaches are sometimes termed blocking, pattern detection, and filtering.There is an increasing trend of integration of anti-spam techniques into MTAs whereby the mail systems themselves also perform various measures that are generally referred to as filtering, ultimately resulting in spam messages being rejected before delivery (or blocked).
Many filtering systems take advantage of machine learning
Machine learning
Machine learning, a branch of artificial intelligence, is a scientific discipline concerned with the design and development of algorithms that allow computers to evolve behaviors based on empirical data, such as from sensor data or databases...
techniques, which improve their accuracy over manual methods. However, some people find filtering intrusive to privacy, and many e-mail administrators prefer blocking to deny access to their systems from sites tolerant of spammers.
Authentication and reputation
A number of systems have been proposed to allow acceptance of email from servers which have authenticated in some fashion as senders of only legitimate email. Many of these systems use the DNS, as do DNSBLDNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s; but rather than being used to list nonconformant sites, the DNS is used to list sites authorized to send email, and (sometimes) to determine the reputation of those sites. Other methods of identifying ham (non-spam email) and spam are still used.
Authentication systems cannot detect whether a message is spam. Rather, they allow a site to express trust that an authenticated site will not send spam. Thus, a recipient site may choose to skip expensive spam-filtering methods for messages from authenticated sites.
Challenge/response systems
Another method which may be used by internet service providers, by specialized services or enterprises to combat spam is to require unknown senders to pass various tests before their messages are delivered. These strategies are termed challenge/response systems or C/R. Some view their use as being as bad as spam since they place the burden of spam fighting on legitimate email senders—who it should be noted will often indeed give up at the slightest hindrance. A new implementation of this is done in Channel emailChannel email
Channel email, unlike filters, lists, and challenges, doesn’t target spammers but treats everyone the same. Its design enables polite conversation, which naturally combats spam.-Conversational requirements:...
.
Checksum-based filtering
Checksum-based filter exploits the fact that the messages are sent in bulk, that is that they will be identical with small variations. Checksum-based filters strip out everything that might vary between messages, reduce what remains to a checksumChecksum
A checksum or hash sum is a fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental errors that may have been introduced during its transmission or storage. The integrity of the data can be checked at any later time by recomputing the checksum and...
, and look that checksum up in a database which collects the checksums of messages that email recipients consider to be spam (some people have a button on their email client which they can click to nominate a message as being spam); if the checksum is in the database, the message is likely to be spam.
The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish—known as hashbusters—into the middle of each of their messages, thus making each message unique and having a different checksum. This leads to an arms race
Arms race
The term arms race, in its original usage, describes a competition between two or more parties for the best armed forces. Each party competes to produce larger numbers of weapons, greater armies, or superior military technology in a technological escalation...
between the developers of the checksum software and the developers of the spam-generating software.
Checksum based filtering methods include:
- Distributed Checksum ClearinghouseDistributed Checksum ClearinghouseDistributed Checksum Clearinghouse is a hash sharing method of spam email detection.The basic logic in DCC is that most spam mails are sent to many recipients. The same message body appearing many times is therefore bulk email. DCC identifies bulk email by taking a checksum and sending that...
- Vipul's RazorVipul's RazorVipul's Razor is a checksum-based, distributed, collaborative, spam-detection-and-filtering network. Through user contribution, Razor establishes a distributed and constantly updating catalogue of spam in propagation that is consulted by email clients to filter out known spam. Detection is done...
Country-based filtering
Some e-mail servers expect to never communicate with particular countries from which they receive a great deal of spam. Therefore, they use country-based filtering - a technique that blocks e-mail from certain countries. This technique is based on country of origin determined by the sender's IP address rather than any trait of the sender.DNS-based blacklists
DNS-based Blacklists, or DNSBLDNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s, are used for heuristic filtering and blocking. A site publishes lists (typically of IP addresses) via the DNS
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
, in such a way that mail servers can easily be set to reject mail from those sources. There are literally scores of DNSBLs, each of which reflects different policies: some list sites known to emit spam; others list open mail relay
Open mail relay
An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users...
s or proxies; others list ISPs known to support spam.
Other DNS-based anti-spam systems list known good ("white") or bad ("black") IPs domains or URLs, including RHSBLs and URIBLs.
Enforcing RFC standards
Analysis of an email's conformation to RFC standards for the Simple Mail Transfer ProtocolSimple Mail Transfer Protocol
Simple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
(SMTP) can be used to judge the likelihood of the message being spam. A lot of spammers use poorly written software or are unable to comply with the standards because they do not have legitimate control of the computer they are using to send spam (zombie computer
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
). By setting limits on the deviation from RFC standards that the MTA
Mail transfer agent
Within Internet message handling services , a message transfer agent or mail transfer agent or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture...
will accept, a mail administrator can reduce spam significantly.
Greeting delay
A greeting delay is a deliberate pause introduced by an SMTP server before it sends the SMTP greeting banner to the client. The client is required to wait until it has received this banner before it sends any data to the server. (per RFC 5321 3.1). Many spam-sending applications do not wait to receive this banner, and instead start sending data as soon as the TCP connection is established. The server can detect this, and drop the connection.There are some legitimate sites that play "fast and loose" with the SMTP specifications, and may be caught by this mechanism. It also has a tendency to interact badly with sites that perform callback verification
Callback verification
Callback verification, also known as callout verification or Sender Address Verification, is a technique used by SMTP software in order to validate e-mail addresses. The most common target of verification is the sender address from the message envelope...
, as common callback verification systems have timeouts that are much shorter than those mandated by RFC 5321 4.5.3.2.
Greylisting
The SMTP protocol allows for temporary rejection of incoming messages. Greylisting is the technique to temporarily reject messages from unknown sender mail servers. A temporary rejection is designated with a 4xx error code that is recognized by all normal MTAs, which then proceed to retry delivery later.Greylisting is based on the premise that spammers and spambots will not retry their messages but instead will move on to the next message and next address in their list. Since a retry attempt means the message and state of the process must be stored, it inherently increases the cost incurred by the spammer. The assumption is that, for the spammer, it's a better use of resources to try a new address than waste time re-sending to an address that's already exhibited a problem. For a legitimate message this delay is not an issue since retrying is a standard component of any legitimate sender's server.
The downside of greylisting is that all legitimate messages from first time senders will experience a delay in delivery, with the delay period before a new message is accepted from an unknown sender usually being configurable in the software. There also exists the possibility that some legitimate messages won't be delivered, which can happen if a poorly configured (but legitimate) mail server interprets the temporary rejection as a permanent rejection and sends a bounce message to the original sender, instead of trying to resend the message later, as it should.
HELO/EHLO checking
For example, some spamwareSpamware
Spamware is software designed by or for spammers. Spamware varies widely, but may include the ability to import thousands of addresses, to generate random addresses, to insert fraudulent headers into messages, to use dozens or hundreds of mail servers simultaneously, and to make use of open relays....
can be detected by a number of simple checks confirming compliance with standard addressing and MTA operation. RFC 5321 section 4.1.4 says that
"An SMTP server MAY verify that the domain name argument in the EHLO command actually corresponds to the IP address of the client. However, if the verification fails, the server MUST NOT refuse to accept a message on that basis.", so to be in compliance with the RFCs, rejecting connections must be based on additional information/policies.
- Refusing connections from hosts that give an invalid HELO - for example, a HELO that is not an FQDNFQDNA fully qualified domain name , sometimes also referred as an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System . It specifies all domain levels, including the top-level domain and the root domain...
or is an IP address not surrounded by square brackets
Invalid HELO localhost
Invalid HELO 127.0.0.1
Valid HELO domain.tld
Valid HELO [127.0.0.1]
- Refusing connections from hosts that give an obviously fraudulent HELO
Fraudulent HELO friend
Fraudulent HELO -232975332
- Refusing to accept email claiming to be from a hosted domain when the sending host has not authenticated
- Refusing to accept email whose HELO/EHLO argument does not resolve in DNS. Unfortunately, some email system administrators ignore section 2.3.5 of RFC 5321 and administer the MTA to use a nonresolvable argument to the HELO/EHLO command.
Invalid pipelining
The SMTP protocol can allow several SMTP commands to be placed in one network packet and "pipelined". For example, if an e-mail is sent with a CC: header, several SMTP "RCPT TO" commands might be placed in a single packet instead of one packet per "RCPT TO" command. The SMTP protocol, however, requires that errors be checked and everything is synchronized at certain points. Many spammers will send everything in a single packet since they do not care about errors and it is more efficient. Some MTAs will detect this invalid pipelining and reject e-mail sent this way.Nolisting
The SMTP protocol requires that email servers for any given domain be provided in a prioritized list (namely, MX recordMX record
A mail exchanger record is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available...
s), and further specifies mandatory error-handling behavior when servers in that list cannot be contacted. Nolisting is a technique of purposely creating unreachable MX records, so that only senders who have implemented this error-handling behavior can successfully deliver mail.
Quit detection
The SMTP protocol requires connections to be closed with a QUIT command. (RFC 5321 section 4.1.4) Many spammers skip this step because their spam has already been sent and taking the time to properly close the connection takes time and bandwidth. Some MTAs like EximExim
Exim is a mail transfer agent used on Unix-like operating systems. Exim is free software distributed under the terms of the GNU General Public License, and it aims to be a general and flexible mailer with extensive facilities for checking incoming e-mail....
are capable of detecting whether or not the connection is closed with the quit command and can track patterns of use for the purpose of building DNSBL
DNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s.
Honeypots
Another approach is simply an imitation MTA which gives the appearance of being an open mail relay, or an imitation TCP/IP proxy server which gives the appearance of being an open proxy. Spammers who probe systems for open relays/proxies will find such a host and attempt to send mail through it, wasting their time and resources and potentially revealing information about themselves and the origin of the spam they're sending to the entity that operates the honeypot. Such a system may simply discard the spam attempts, submit them to DNSBLDNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s, or store them for analysis.
Hybrid filtering
Hybrid filtering, such as is implemented in the open source programs SpamAssassinSpamAssassin
SpamAssassin is a computer program released under the Apache License 2.0 used for e-mail spam filtering based on content-matching rules. It is now part of the Apache Foundation....
and Policyd-weight
Policyd-weight
policyd-weight is a mail filter for the Postfix mail transfer agent written in Perl, by Robert Felber. It allows postfix to evaluate mail envelope information and to score mail against several DNS-based Blackhole Lists before the mail is queued...
uses some or all of the various tests for spam, and assigns a numerical score to each test. Each message is scanned for these patterns, and the applicable scores tallied up. If the total is above a fixed value, the message is rejected or flagged as spam. By ensuring that no single spam test by itself can flag a message as spam, the false positive rate can be greatly reduced.
Outbound spam protection
Outbound spam protection involves scanning email traffic as it exits a network, identifying spam messages and then taking an action such as blocking the message or shutting off the source of the traffic. Outbound spam protection can be implemented on a network-wide level (using policy-based routingPolicy-based routing
In computer networking, policy-based routing is a technique used to make routing decisions based on policies set by the network administrator....
or similar techniques to route SMTP
Simple Mail Transfer Protocol
Simple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
messages to a filtering service). Or, it can be implemented within a standard SMTP gateway. While the primary economic impact of spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
is on spam recipients, sending networks also experience financial costs, such as wasted bandwidth, and the risk of having IP addresses blocked by receiving networks.
The advantage of outbound spam protection is that it stops spam before it leaves the sending network, protecting receiving networks globally from the damage and costs that would otherwise be caused by the spam. Further it lets system administrators track down spam sources on the network and remediate them – for example, providing free anti-virus tools to customers whose machines have become infected with a virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
or are participating in a botnet
Botnet
A botnet is a collection of compromised computers connected to the Internet. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet...
. Given an appropriately designed spam filtering algorithm, outbound spam filtering can be implemented with a near zero false positive rate, which keeps customer related issues with blocked legitimate email down to a minimum.
There are several commercial software vendors who offer outbound spam protection products, including Cloudmark
Cloudmark
Cloudmark, Inc is a privately held company, San Francisco-based, providing protection against spam, viruses, phishing, and similar threats that affect email....
, MailChannels
MailChannels
MailChannels Corporation is an anti-spam technology company founded in 2004 and based in Vancouver, British Columbia. The firm was created by some former employees of ActiveState to develop new techniques for fighting spam. The company's first product, "Traffic Control," is a software-based SMTP...
and Commtouch
Commtouch
Commtouch is an Internet security technology company founded in 1991. The company is headquartered in Netanya, Israel, with a subsidiary in Sunnyvale, California....
.
Pattern detection
Pattern detection, is an approach to stop spam in real time before it gets to the end user. This technology monitors a large database of messages worldwide to detect spam patterns. Many spam messages have no content or may contain attachments which this method of detection can catch. Pioneered by CommtouchCommtouch
Commtouch is an Internet security technology company founded in 1991. The company is headquartered in Netanya, Israel, with a subsidiary in Sunnyvale, California....
, a developer of anti-spam software, their Recurrent Pattern Detection (RPD) software can be integrated into other appliances and applications. This method is more automated than most because the service provider maintains the comparative spam database instead of the system administrator.
PTR/reverse DNS checks
The PTR DNS records in the reverse DNS can be used for a number of things, including:- Most email mail transfer agentMail transfer agentWithin Internet message handling services , a message transfer agent or mail transfer agent or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture...
s (mail servers) use a forward-confirmed reverse DNS (FCrDNS) verification and if there is a valid domain name, put it into the "Received:" trace header field. - Some email mail transfer agents will perform FCrDNS verification on the domain name given in the SMTP HELO and EHLO commands. See #HELO/EHLO checking.
- To check the domain names in the rDNS to see if they are likely from dial-up users, dynamically assigned addresses, or home-based broadband customers. Since the vast majority, but by no means all, of email that originates from these computers is spam, many mail servers also refuse email with missing or "generic" rDNS names.
- A Forward Confirmed reverse DNS verification can create a form of authentication that there is a valid relationship between the owner of a domain name and the owner of the network that has been given an IP address. While reliant on the DNS infrastructure, which has known vulnerabilities, this authentication is strong enough that it can be used for whitelisting purposes because spammersSpam (electronic)Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
and phishersPhishingPhishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
cannot usually bypass this verification when they use zombie computerZombie computerIn computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
s to forge the domains.
Rule-based filtering
Content filtering techniques rely on the specification of lists of words or regular expressionRegular expression
In computing, a regular expression provides a concise and flexible means for "matching" strings of text, such as particular characters, words, or patterns of characters. Abbreviations for "regular expression" include "regex" and "regexp"...
s disallowed in mail messages. Thus, if a site receives spam advertising "herbal Viagra", the administrator might place this phrase in the filter configuration. The mail server would then reject any message containing the phrase.
Header filtering is the means of inspecting the header of the email, the part of the message that contains information about the origin, destination and content of the message. Spammers will often spoof
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
fields in the header in order to hide their identity, or to try to make the email look more legitimate than it is; many of these spoofing methods can be detected. Also, a violation of the RFC 5322 standard on how the header is to be formed can serve as a basis for rejecting the message.
Disadvantages of filtering are threefold: First, filtering can be time-consuming to maintain. Second, it is prone to false positives. Third, these false positives are not equally distributed: since content filtering is prone to reject legitimate messages on topics related to products frequently advertised in spam. A system administrator who attempts to reject spam messages which advertise mortgage refinancing, credit or debt may inadvertently block legitimate e-mail on the same subject.
Spammers frequently change the phrases and spellings they use. This can mean more work for the administrator. However, it also has some advantages for the spam fighter. If the spammer starts spelling "Viagra" as "V1agra" (see leet
Leet
Leet , also known as eleet or leetspeak, is an alternative alphabet for the English language that is used primarily on the Internet. It uses various combinations of ASCII characters to replace Latinate letters...
) or "Via_gra", it makes it harder for the spammer's intended audience to read their messages. If they try to trip up the phrase detector, by, for example, inserting an invisible-to-the-user HTML comment in the middle of a word ("Via<!---->gra"), this sleight of hand is itself easily detectable, and is a good indication that the message is spam. And if they send spam that consists entirely of images, so that anti-spam software can't analyze the words and phrases in the message, the fact that there is no readable text in the body can be detected, making that message a higher risk of being spam.
Content filtering can also be implemented to examine the URL
Uniform Resource Locator
In computing, a uniform resource locator or universal resource locator is a specific character string that constitutes a reference to an Internet resource....
s present (i.e. spamvertising
Spamvertising
Spamvertising is the practice of sending E-mail spam, advertising a website. The word is a portmanteau of the words "spam" and "advertising".It also refers to vandalizing wikis, blogs and online forums with hyperlinks in order to get a higher search engine ranking for the vandal's website...
) in an email message. This form of content filtering is much harder to disguise as the URLs must resolve to a valid domain name. Extracting a list of such links and comparing them to published sources of spamvertised domains is a simple and reliable way to eliminate a large percentage of spam via content analysis.
Sender-supported whitelists and tags
There are a small number of organizations which offer IP whitelisting and/or licensed tags that can be placed in email (for a fee) to assure recipients' systems that the messages thus tagged are not spam. This system relies on legal enforcement of the tag. The intent is for email administrators to whitelist messages bearing the licensed tag.A potential difficulty with such systems is that the licensing organization makes its money by licensing more senders to use the tag—not by strictly enforcing the rules upon licensees. A concern exists that senders whose messages are more likely to be considered spam would accrue a greater benefit by using such a tag. The concern is that these factors form a perverse incentive
Perverse incentive
A perverse incentive is an incentive that has an unintended and undesirable result which is contrary to the interests of the incentive makers. Perverse incentives are a type of unintended consequences.- Examples :...
for licensing organizations to be lenient with licensees who have offended. However, the value of a license would drop if it was not strictly enforced, and financial gains due to enforcement of a license itself can provide an additional incentive for strict enforcement.
SMTP callback verification
Since a large percentage of spam has forged and invalid sender ("from") addresses, some spam can be detected by checking that this "from" address is valid. A mail server can try to verify the sender address by making an SMTP connection back to the mail exchanger for the address, as if it was creating a bounce, but stopping just before any e-mail is sent.Callback verification can be compliant with SMTP RFCs, but it has various drawbacks. Since nearly all spam has forged return addresses, nearly all callbacks are to innocent third party mail servers that are unrelated to the spam. At the same time, there will be numerous false negatives due to spammers abusing real addresses and some false positives.
SMTP proxy
SMTP proxies allow combating spam in real time, combining sender's behavior controls, providing legitimate users immediate feedback, eliminating a need for quarantine.Spamtrapping
Spamtrapping is the seeding of an email address so that spammers can find it, but normal users can not. If the email address is used then the sender must be a spammer and they are black listed.As an example, consider the email address "spamtrap@example.org". If this email address were placed in the source HTML of our web site in a way that it isn't displayed on the web page, normal humans would not see it. Spammers, on the other hand, use web page scrapers and bots to harvest email addresses from HTML source code so they would find this address.
When the spammer sends mail with the destination address of "spamtrap@example.org" the SpamTrap knows this is highly likely to be a spammer and can take appropriate action.
Statistical content filtering
Statistical (or Bayesian) filtering once set up, requires no administrative maintenance per se: instead, users mark messages as spam or nonspam and the filtering software learns from these judgements. Thus, a statistical filter does not reflect the software author's or administrator's biases as to content, but rather the user's biases. For example, a biochemist who is researching Viagra won't have messages containing the word "Viagra" automatically flagged as spam, because "Viagra" will show up often in his or her legitimate messages. Still, spam emails containing the word "Viagra" do get filtered because the content of the rest of the spam messages differs significantly from the content of legitimate messages. A statistical filter can also respond quickly to changes in spam content, without administrative intervention, as long as users consistently designate false negative messages as spam when received in their email. Statistical filters can also look at message headers, thereby considering not just the content but also peculiarities of the transport mechanism of the email.Typical statistical filtering uses single words in the calculations to decide if a message should be classified as spam or not. A more powerful calculation can be made using groups of two or more words taken together. Then random "noise" words can not be used as successfully to fool the filter.
Software programs that implement statistical filtering include Bogofilter
Bogofilter
Bogofilter is a mail filter that classifies e-mail as spam or ham by a statistical analysis of the message's header and content . The program is able to learn from the user's classifications and corrections. It was originally written by Eric S...
, DSPAM
DSPAM
DSPAM is a free software statistical spam filter written by Jonathan A. Zdziarski, author of the book Ending Spam and other books. It is intended to be a scalable, content-based spam filter for large multi-user systems...
, SpamBayes
SpamBayes
SpamBayes is a Bayesian spam filter written in Python which uses techniques laid out by Paul Graham in his essay "A Plan for Spam". It has subsequently been improved by Gary Robinson and Tim Peters, among others....
, ASSP
Anti-Spam SMTP Proxy
The Anti-Spam SMTP Proxy server project is an Open Source, Perl based, platform-independent transparent SMTP proxy server available at SourceForge.net that leverages numerous methodologies and technologies to both rigidly and adaptively identify e-mail spam...
, the e-mail programs Mozilla
Mozilla
Mozilla is a term used in a number of ways in relation to the Mozilla.org project and the Mozilla Foundation, their defunct commercial predecessor Netscape Communications Corporation, and their related application software....
and Mozilla Thunderbird
Mozilla Thunderbird
Mozilla Thunderbird is a free, open source, cross-platform e-mail and news client developed by the Mozilla Foundation. The project strategy is modeled after Mozilla Firefox, a project aimed at creating a web browser...
, Mailwasher
Mailwasher
Mailwasher is an e-mail filtering software for Windows, Unix, and Macintosh systems that can detect and delete spam from a user's e-mail when it is on the mail server, before being downloaded to the user's computer....
, and later revisions of SpamAssassin
SpamAssassin
SpamAssassin is a computer program released under the Apache License 2.0 used for e-mail spam filtering based on content-matching rules. It is now part of the Apache Foundation....
. Another interesting project is CRM114 which hashes phrases and does bayesian classification on the phrases.
There is also the free mail filter POPFile
POPFile
POPFile is a free, open source, cross-platform mail filter originally written in Perl by John Graham-Cumming and maintained by a team of volunteers. It uses a naive Bayes classifier to filter mail. This allows the filter to "learn" and classify mail according to the user's preferences. Typically...
, which sorts mail in as many categories as the user wants (family, friends, co-worker, spam, whatever) with Bayesian filtering.
Tarpits
A tarpit is any server software which intentionally responds pathologically slowly to client commands. By running a tarpit which treats acceptable mail normally and known spam slowly or which appears to be an open mail relay, a site can slow down the rate at which spammers can inject messages into the mail facility. Many systems will simply disconnect if the server doesn't respond quickly, which will eliminate the spam. However, a few legitimate e-mail systems will also not deal correctly with these delays.Automated techniques for e-mail senders
There are a variety of techniques that e-mail senders use to try to make sure that they do not send spam. Failure to control the amount of spam sent, as judged by e-mail receivers, can often cause even legitimate email to be blocked and for the sender to be put on DNSBLDNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s.
Background checks on new users and customers
Since spammer's accounts are frequently disabled due to violations of abuse policies, they are constantly trying to create new accounts. Due to the damage done to an ISP's reputation when it is the source of spam, many ISPs and web email providers use CAPTCHACAPTCHA
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person. The process usually involves one computer asking a user to complete a simple test which the computer is able to generate and grade...
s on new accounts to verify that it is a real human registering the account, and not an automated spamming system. They can also verify that credit cards are not stolen before accepting new customers, check the Spamhaus Project
The Spamhaus Project
The Spamhaus Project is an international organisation to track e-mail spammers and spam-related activity. It is named for the anti-spam jargon term coined by Linford, spamhaus, a pseudo-German expression for an ISP or other firm which spams or willingly provides service to spammers.-Spamhaus...
ROKSO list, and do other background checks.
Confirmed opt-in for mailing lists
One difficulty in implementing opt-in mailing lists is that many means of gathering user email addresses remain susceptible to forgery. For instance, if a company puts up a Web form to allow users to subscribe to a mailing list about its products, a malicious person can enter other people's email addresses — to harass them, or to make the company appear to be spamming. (To most anti-spammers, if the company sends e-mail to these forgery victims, it is spamming, albeit inadvertently.)To prevent this abuse, MAPS and other anti-spam organizations encourage that all mailing lists use confirmed opt-in (also known as verified opt-in or double opt-in). That is, whenever an email address is presented for subscription to the list, the list software should send a confirmation message to that address. The confirmation message contains no advertising content, so it is not construed to be spam itself — and the address is not added to the live mail list unless the recipient responds to the confirmation message. See also the Spamhaus
The Spamhaus Project
The Spamhaus Project is an international organisation to track e-mail spammers and spam-related activity. It is named for the anti-spam jargon term coined by Linford, spamhaus, a pseudo-German expression for an ISP or other firm which spams or willingly provides service to spammers.-Spamhaus...
Mailing Lists vs. Spam Lists page.
All modern mailing list management programs (such as GNU Mailman
GNU Mailman
GNU Mailman is a computer software application from the GNU project for managing electronic mailing lists.Mailman is coded primarily in Python and currently maintained by Barry Warsaw...
, LISTSERV
LISTSERV
LISTSERV was the first electronic mailing list software application, consisting of a set of email addresses for a group in which the sender can send one email and it will reach a variety of people...
, Majordomo
Majordomo (software)
Majordomo is a mailing list manager developed by Brent Chapman of Great Circle Associates. It is written in Perl and works in conjunction with sendmail on UNIX and related operating systems...
, and qmail
Qmail
qmail is a mail transfer agent that runs on Unix. It was written, starting December 1995, by Daniel J. Bernstein as a more secure replacement for the popular Sendmail program...
's ezmlm) support confirmed opt-in by default.
Egress spam filtering
E-mail senders can do the same type of anti-spam checks on e-mail coming from their users and customers as can be done for e-mail coming from the rest of the Internet.Limit e-mail backscatter
If any sort of bounce messageBounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
or anti-virus warning gets sent to a forged email address, the result will be backscatter
Backscatter (e-mail)
Backscatter is incorrect automated bounce messages sent by mail servers, typically as a side effect of incoming spam....
.
Problems with sending challenges to forged e-mail addresses can be greatly reduced by not creating a new message that contains the challenge. Instead, the challenge can be placed in the Bounce message
Bounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
when the receiving mail system gives a rejection-code during the SMTP session. When the receiving mail system rejects an e-mail this way, it is the sending system that actually creates the bounce message. As a result, the bounce message will almost always be sent to the real sender, and it will be in a format and language that the sender will usually recognize.
Port 25 blocking
Firewalls and routers can be programmed to not allow SMTP traffic (TCP port 25) from machines on the network that are not supposed to run Mail Transfer AgentMail transfer agent
Within Internet message handling services , a message transfer agent or mail transfer agent or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture...
s or send e-mail. This practice is somewhat controversial when ISPs block home users, especially if the ISPs do not allow the blocking to be turned off upon request. E-mail can still be sent from these computers to designated smart host
Smart host
A smart host is a type of mail relay server which allows an SMTP server to route e-mail to an intermediate mail server rather than directly to the recipient’s server. Often this smart host requires authentication from the sender to verify that the sender has privileges to have mail forwarded...
s via port 25 and to other smart hosts via the e-mail submission port 587.
Port 25 interception
Network address translationNetwork address translation
In computer networking, network address translation is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device....
can be used to intercept all port 25 (SMTP) traffic and direct it to a mail server that enforces rate limiting and egress spam filtering. This is commonly done in hotels, but it can cause e-mail privacy
E-mail privacy
The protection of email from unauthorized access and inspection is known as electronic privacy. In countries with a constitutional guarantee of the secrecy of correspondence, email is equated with letters and thus legally protected from all forms of eavesdropping.In the United States, privacy of...
problems, as well making it impossible to use STARTTLS
Extended SMTP
Extended SMTP , sometimes referred to as Enhanced SMTP, is a definition of protocol extensions to the Simple Mail Transfer Protocol standard...
and SMTP-AUTH if the port 587 submission port isn't used.
Rate limiting
Machines that suddenly start sending lots of e-mail may well have become zombie computerZombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
s. By limiting the rate that e-mail can be sent around what is typical for the computer in question, legitimate e-mail can still be sent, but large spam runs can be slowed down until manual investigation can be done.
Spam report feedback loops
By monitoring spam reports from places such as spamcopSpamCop
SpamCop is a free spam reporting service, allowing recipients of unsolicited bulk email and unsolicited commercial email to report offenders to the senders' Internet Service Providers , and sometimes their web hosts...
, AOL
AOL
AOL Inc. is an American global Internet services and media company. AOL is headquartered at 770 Broadway in New York. Founded in 1983 as Control Video Corporation, it has franchised its services to companies in several nations around the world or set up international versions of its services...
's feedback loop, and Network Abuse Clearinghouse
Network Abuse Clearinghouse
The Network Abuse Clearinghouse, better known as abuse.net, maintains a contact database for reporting misuse on the Internet. It makes entries from the database available , and provides an intermediary service for registered users to forward complaints by e-mail.-See also:* Anti-spam techniques *...
, the domain's abuse@ mailbox, etc., ISPs can often learn of problems before they seriously damage the ISP's reputation and have their mail servers blacklisted.
FROM field control
Both malicious software and human spam senders often use forged FROM addresses when sending spam messages. Control may be enforced on SMTP servers to ensure senders can only use their correct email address in the FROM field of outgoing messages. In an email users database each user has a record with an e-mail address. The SMTP server must check if the email address in the FROM field of an outgoing message is the same address that belongs to the user's credentials, supplied for SMTP authentication. If the FROM field is forged, an SMTP error will be returned to the email client (e.g. "You do not own the email address you are trying to send from").Strong AUP and TOS agreements
Most ISPs and webmail providers have either an Acceptable Use PolicyAcceptable use policy
An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restrict the ways in which the network site or system may be used...
(AUP) or a Terms of Service
Terms of Service
Terms of service are rules which one must agree to abide by in order to use a service. Unless in violation of consumer protection laws, such terms are usually legally binding...
(TOS) agreement that discourages spammers from using their system and allows the spammer to be terminated quickly for violations.
Techniques for researchers & law enforcement
Increasingly, anti-spam efforts have led to co-ordination between law enforcement, researchers, major consumer financial service companies and Internet service providers in monitoring and tracking e-mail spam, identity theftIdentity theft
Identity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name...
and phishing
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
activities and gathering evidence for criminal cases.
Legislation and enforcement
Appropriate legislation and enforcement can have a significant impact on spamming activity.The penalty provisions of the Australian Spam Act 2003 dropped Australia's ranking in the list of spam-relaying countries for email spam from tenth to twenty-eighth.
Legislation that provides mandates that bulk emailers must follow makes compliant spam easier to identify and filter out.
Analysis of spamvertisements
Analysis of sites being spamvertisedSpamvertising
Spamvertising is the practice of sending E-mail spam, advertising a website. The word is a portmanteau of the words "spam" and "advertising".It also refers to vandalizing wikis, blogs and online forums with hyperlinks in order to get a higher search engine ranking for the vandal's website...
by a given piece of spam often leads to questionable registrations of Internet domain names. Since registrars are required to maintain trustworthy WHOIS
WHOIS
WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores...
databases, digging into the registration details and complaining at the proper locations often results in site shutdowns. Uncoordinated activity may not be effective, given today's volume of spam and the rate at which criminal organizations register new domains. However, a coordinated effort, implemented with adequate infrastructure, can obtain good results.
New solutions and ongoing research
Several approaches have been proposed to improve the e-mail system.Cost-based systems
Since spamming is facilitated by the fact that large volumes of email are very inexpensive to send, one proposed set of solutions would require that senders pay some cost in order to send email, making it prohibitively expensive for spammers. Anti-spam activist Daniel BalsamDaniel Balsam
Daniel Balsam is an American lawyer best known for his lawsuits against e-mail spammers for violations of internet spam laws. Balsam has been filing lawsuits against spammers since 2002 and has earned over $1 million in court judgments. By filing lawsuits, Balsam aims to publicize the names of the...
attempts to make spamming less profitable by bringing lawsuits against spammers.
Other techniques
There are a number of proposals for sideband protocols that will assist SMTP operation. The Anti-Spam Research Group (ASRG) of the Internet Research Task ForceInternet Research Task Force
The Internet Research Task Force focuses on longer term research issues related to the Internet while the parallel organization, the Internet Engineering Task Force , focuses on the shorter term issues of engineering and standards making...
(IRTF) is working on a number of email authentication and other proposals for providing simple source authentication that is flexible, lightweight, and scalable. Recent Internet Engineering Task Force
Internet Engineering Task Force
The Internet Engineering Task Force develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the TCP/IP and Internet protocol suite...
(IETF) activities include MARID
MARID
MARID was an IETF working group in the applications area tasked to propose standards for E-mail authentication in 2004.The name is an acronym of MTA Authorization Records In DNS.- Background :Lightweight MTA Authentication Protocol...
(2004) leading to two approved IETF experiments in 2005, and DomainKeys Identified Mail
DomainKeys Identified Mail
DomainKeys Identified Mail is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message. The association is set up by means of a digital signature which can be validated by recipients...
in 2006.
Channel email
Channel email
Channel email, unlike filters, lists, and challenges, doesn’t target spammers but treats everyone the same. Its design enables polite conversation, which naturally combats spam.-Conversational requirements:...
is a new proposal for sending email that attempts to distribute anti-spam activities by forcing verification (probably using bounce message
Bounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
s so back-scatter doesn't occur) when the first email is sent for new contacts.
Research conferences
Spam is the subject of several research conferences, including:- Messaging Anti-Abuse Working GroupMAAWGThe Messaging Anti-Abuse Working Group started as a group of internet service providers, mobile network operators, telecommunications companies and infrastructure vendors and anti-spam technology vendors in early 2004. It has since expanded to include e-mail service providers and other forms of...
- TRECText Retrieval ConferenceThe Text REtrieval Conference is an on-going series of workshops focusing on a list of different information retrieval research areas, or tracks. It is co-sponsored by the National Institute of Standards and Technology and the Intelligence Advanced Research Projects Activity , and began in 1992...
via the TREC 2007 Spam (and Email) Track July 2007 - Conference on Email and Anti-Spam August 2007
- FTC Spam Summit July 2007
- MIT Spam Conference March 2007
External links
- AOL's postmaster page describing the Anti-Spam Technical Alliance (ASTA) Proposal
- Anti-Spam Research Group. ASRG is part of the IRTFIRTFIRTF may refer to:* Internet Research Task Force, a research organization working on topics related to the evolution of the Internet* NASA Infrared Telescope Facility, an infrared telescope in Hawaii...
, and affiliated with the IETF - Anti spam info & resource page of the US Federal Trade CommissionFederal Trade CommissionThe Federal Trade Commission is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act...
(FTC) - CAUBE.AU - Fight Spam in Australia, The Coalition Against Unsolicited Bulk Email, Australia
- Composing abuse reports - what to send, how to send it, where to send it - and what not to send or do.
- Computer Incident Advisory Committee's suggestions: E-Mail Spamming countermeasures: Detection and prevention of E-Mail spamming (Shawn Hernan, with James R. Cutler and David Harris)
- Historical Development of Spam Fighting in Relation to Threat of Computer-Aware Criminals, and Public Safety by Neil Schwartzman.
- Mail DDoS Attacks through Mail Non Delivery Messages and Backscatter
- Spam Laws United StatesUnited StatesThe United States of America is a federal constitutional republic comprising fifty states and a federal district...
, European UnionEuropean UnionThe European Union is an economic and political union of 27 independent member states which are located primarily in Europe. The EU traces its origins from the European Coal and Steel Community and the European Economic Community , formed by six countries in 1958...
, and other countries' laws and pending legislation regarding unsolicited commercial email. - Stopping Spam An article about spam in Scientific American
- Yahoo's Anti-Spam Resource Center
- Spam Filter Comparison
- SpamWise - Tools to check your website for address-harvesting risks.