Complaining about spam 101

Spam is like the weather. Everyone complains about it, but few do anything about it. If you reply to it with a nasty message, either your message bounces or it is delivered to someone whose email address was forged and who had nothing to do with the spam.

What to do, and not to do, if you are on a mailing list that you do not want to be on

  1. Never respond to remove instructions, unless you actually signed up for the list in the first place. An FTC study found that most removal instructions are fraudulent, and the net result is more spam, rather than less. By responding to remove instructions you are telling the spammer 3 things:

*       Your email address is valid

*       You read to the bottom of spams

*       You're very gullible

  2. Never do business with a spammer. If no one ever did business with spammers, spam wouldn't be profitable. The Boulder Pledge says "Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community."
  3. Never respond angrily to the email. The originating email address on spam is almost always forged. Usually, the address is nonexistent. When it is a valid address, it belongs to someone that the spammer decided to harass. By helping the spammer to flood the victim's mailbox with irate responses, you are aiding the spammer in his harassment campaign.
  4. Complain effectively. The address may be forged, but there are hidden headers that any mail reader will reveal that may identify the source of the spam. Spamcop http://www.spamcop.net can help you do that. If you want to try it on your own, see my links to tools and tutorials at http://denveraitp.org/legislative/spam.html.
  5. Remember to include a full copy of the headers of the e-mail in any complaint you file with the spammer’s provider. Most providers will ignore spam complaints that exclude the original message’s header information.
  6. Remember that if you asked to be on a mailing list, it isn't spam until you ask to be taken off and they fail to do so. If you asked to be on a list, ask to be removed. It is important to follow the directions for unsubscribing from the list, as not all list removals work the same way. Unsubscribing from a list you opted into is different from lists that you never asked to be on, which you are under no obligation to ask to be removed from.
  7. If your ISP or employer has a filtering system, report the spam to the filtering mechanism.
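
To show what the "hidden headers" look like when you read them yourself, here is an added example (not from the original article) that walks the Received lines of a message and picks out the address that handed it to your own provider. The sample message, host names and IP addresses are constructed, and the set of "your" servers is an assumption you supply.

```python
import re
from email import message_from_string

# Constructed sample: reserved .example domains and documentation IP
# ranges only; none of this is real traffic.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.10])
    by mailstore.recipient.example with ESMTP id A1; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.bulk.example (unknown [203.0.113.77])
    by mx.recipient.example with ESMTP id B2; Mon, 1 Jan 2024 10:00:03 +0000
Received: from trusted-bank.example ([192.0.2.1])
    by relay.bulk.example with SMTP id C3; Mon, 1 Jan 2024 09:59:58 +0000
From: "Offers" <someone@innocent.example>
To: you@recipient.example
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # [a.b.c.d] as logged
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)          # server that wrote the line

def received_chain(raw):
    """Return (writing_server, connecting_ip) per Received header, newest first."""
    msg = message_from_string(raw)
    chain = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())                 # unfold continuation lines
        ip, by = IP_RE.search(flat), BY_RE.search(flat)
        chain.append((by.group(1) if by else None, ip.group(1) if ip else None))
    return chain

def handoff_ip(raw, my_servers):
    """IP that connected to the first of your provider's servers.

    Each server prepends its own Received line, so walk newest-first and
    keep the last entry written by a server you trust. Older lines were
    written on the sender's side and, like the From address, may be forged.
    """
    found = None
    for by_host, ip in received_chain(raw):
        if by_host not in my_servers:
            break
        found = ip
    return found
```

The address returned is the one to look up when deciding which provider should receive the complaint; the full, unedited headers still go into the complaint itself.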

Running a mailing list responsibly

Let's look at the problem from the other side, for a moment. You're an AITP leader. You want to run an email list so local members of the I.T. Community can get information about AITP dinners. Or perhaps you run the local Linux user group, or want to provide information about your company's products and services to people who really want to receive it. Or you want to know about the updates to the software you have on your PC.

How does a list operator ensure that they aren't sending out spam?

Spam is a slang term for unsolicited bulk email. There is nothing wrong with bulk email. It is the unsolicited part that causes the problem. Ethical list owners do not want anyone on the list who does not want to be on the list. A good, detailed explanation of how to accomplish that can be found at http://mail-abuse.org/manage.html which is also linked to from the AITP legislative page in the spam fighting section. What follows are some of the high points.

First, some definitions are needed. An opt-out list is a list where subscribers are added without their knowledge or consent, and they have to ask to be taken off. An opt-in list is one where any address that asks to be on the list is added to the list, without any check being done to confirm that the person doing the asking owns the address. A confirmed opt-in list goes one step further. The list owner who receives a request to add an address first generates an email to that address asking the address owner to confirm that they want on the list and that the address belongs to the person who is attempting to subscribe. To see how a confirmed opt-in list works in practice, join the legislative committee discussion list from our AITP legislative web page. Spammers, incidentally, will try to redefine our confirmed opt-in list as a "double opt-in" list and define something else as a confirmed opt-in list. How they can call anything confirmed that doesn't contain a confirmation step eludes me.

With an opt-out list, no effort is made to determine whether the subscriber wants onto the list or not. This type of list is almost never justified, and almost always spam. The sole exception to that would be a list that you are subscribed to as a condition of employment or membership. The AITP Board of Directors has a list of its board members. Being a subscriber to that list is a condition of being on the Board. Any company is certainly entitled to create and use an email list of its employees' office email addresses and is probably even entitled to create a list of their home email addresses. This is not to say that email lists should not have an opt-out function. Even when I legitimately asked to get on a list five years ago, I am entitled to change my mind. I'll discuss that opt-out function in more detail later.

An opt-in list without a confirmation function is a disaster waiting to happen. Without the confirmation step, you have no evidence that the person whose email address got added to the list really asked to be on the list. My wife once asked me to add her new office email address to a list. I did, but got her domain name wrong. The domain I used by mistake happened to be valid, and her email address was still valid on that wrong domain. The domain owner complained. Fortunately, the list had the confirmation step in place, so other than the confirmation message the unintended recipient would never have received any messages from that list even if he hadn't complained. The same problem occurs if a subscriber on a large domain like AOL transposes a character by accident. Not all of the inaccurate subscriptions are accidental. One of your competitors could subscribe people to your list whom he knows will complain if they receive spam. Without the confirmation, those complaints would actually be valid, and your domain could be shut down.

A confirmed opt-in list has that extra step in it that makes sure that the person really wants onto the list, and gave you a valid address. If they do not respond to the confirmation message, either because the address doesn't exist or because someone other than the address owner entered it, the address doesn't get added. The best process will have a unique, unguessable token in the confirmation string as an added security measure. If six months later the person complains that they never asked to be on the list, you will have the confirmation message as evidence to the contrary.

Once on a list, it must be easy to unsubscribe. I recommend a web based unsubscribe function rather than one asking the subscriber to send an email, since the subscriber may no longer have access to the email address from which they subscribed. So, to run an effective unsubscribe process, I recommend three things:

*       Provide unsubscribe instructions in every email to the list.

*       Provide a means for a list member to contact a live person if problems arise.

*       Handle the unsubscribe process via a web page. Email can be an option, but not the sole option.
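
The confirmation step with an unguessable token and the web-based unsubscribe described above can be sketched as follows. This is an added example, not code from the article or from any list software; the class name, the one-week expiry and the in-memory storage are assumptions made for illustration.

```python
import secrets
import time

class ConfirmedOptInList:
    """In-memory sketch; a real list would persist these tables."""
    TOKEN_TTL = 7 * 24 * 3600   # assumed: pending requests expire after a week

    def __init__(self):
        self.pending = {}    # confirmation token -> (address, requested_at)
        self.members = {}    # address -> unsubscribe token
        self.evidence = []   # audit trail kept to answer later complaints

    def request(self, address, now=None):
        """Step 1: anyone may ask, but nothing is added yet. Returns the
        token that would be mailed to `address` in a confirmation link."""
        now = time.time() if now is None else now
        address = address.strip().lower()
        token = secrets.token_urlsafe(32)          # 256 random bits
        self.pending[token] = (address, now)
        self.evidence.append(("requested", address, now))
        return token

    def confirm(self, token, now=None):
        """Step 2: only someone who can read that mailbox has the token."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)      # tokens are single-use
        if entry is None or now - entry[1] > self.TOKEN_TTL:
            return False
        self.members[entry[0]] = secrets.token_urlsafe(32)
        self.evidence.append(("confirmed", entry[0], now))
        return True

    def unsubscribe_link_token(self, address):
        """Token placed in the unsubscribe URL of every message to the list."""
        return self.members.get(address.strip().lower())

    def unsubscribe(self, token, now=None):
        """Web unsubscribe: works even if the mailbox is no longer reachable."""
        now = time.time() if now is None else now
        for address, unsub in list(self.members.items()):
            if secrets.compare_digest(unsub, token):
                del self.members[address]
                self.evidence.append(("unsubscribed", address, now))
                return True
        return False
```

A mistyped or maliciously entered address never reaches `members`, because its owner never presents the token, and the `evidence` trail is what answers a complaint six months later.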

It is important to respect the intentions of the subscribers to the list. I recently provided the Denver Broncos with my email address for communications related to my football season tickets. When the address I gave them showed up on a mailing for the Colorado Rapids soccer team, a team with which I had no prior business relationship and from whom I never consented to receive email, the communication was reported to their ISP as spam. Because of multiple spams and multiple complaints, the IP address that this spam came from was listed as a spam source by Spamcop, and the traffic was blocked.

Lists should have acceptable use policies, a well-defined complaint process, and diligent list administrators who take swift action against list abusers. A responsible list owner also responds quickly to complaints of his list members when one member abuses the list by violating the list’s policies.

And finally, of course, never sell the list, nor buy a list from elsewhere. There is no such thing as a purchased confirmed opt-in list. I opted into employment related communications from monster.com. When jobseekernews or some intermediary obtained the list despite monster.com's privacy policy, communications from jobseekernews were reported as spam and they are now listed on SPEWS as a source of spam.

Follow these procedures, respect the wishes of subscribers to your list, and you'll have many years of happy communications without accusations of being a spammer.