Techniques for Fighting Spam - Part 2 of 2
Written by Tom Aman February 3, 2006

Next I looked at Challenge-Response filtering. In this scheme, when an email arrives from someone you do not know, a "challenge" is sent to its "from" or "reply-to" address. Since valid senders are expected to answer the challenge and SPAMmers are not, this seems a really good solution. But if you think about it for a while, you will see it is full of problems. If A and B both use less-than-perfect Challenge-Response systems, the following scenario can occur:
1. A sends an email to B.
2. Since B has never corresponded with A, B's system sends a challenge.
3. A gets the challenge, does not know B, so A's system sends a challenge to B.
How are A and B ever going to talk?
Another scenario:
1. C sends spam or a virus to B, using A's address as the sender address.
2. The C/R filter sends an email to A, who has no idea what's going on.
3. If A does not reply, he won't find out why he received the C/R mail, because to ask B any question he has to get on B's whitelist. In fact, B won't see the reason for the C/R mail to A either until A has confirmed his address. If A ignores the challenge, his address may even get blacklisted by B, so A can never contact B.
4. If A successfully responds to the challenge, he will permit a spam or a virus mail to be delivered to B.
5. Whether or not A responds, B has sent unsolicited bulk email. If B receives 100 spams a day and 80 of these use fake senders, B will turn these 100 into 180 spams a day.
The problem is that the "from" or "reply-to" in a low-life SPAM email is usually faked so the challenge is going to the wrong person. Basically, the user of the Challenge-Response system is using everyone else to filter his email to eliminate SPAM directed at him.
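Both scenarios above can be reproduced with a small model. The following Python sketch is an added example, not code from the original article; the `CRFilter` class, the `trust_outbound` switch (whitelisting the addresses you write to first, a mitigation assumed here) and the hop cap are all constructed for illustration.

```python
from collections import deque

class CRFilter:
    """Toy challenge-response filter for one address (constructed model)."""
    def __init__(self, addr, trust_outbound):
        self.addr = addr
        self.trust_outbound = trust_outbound   # assumption: optional mitigation
        self.whitelist, self.inbox, self.held = set(), [], []

    def send(self, rcpt, body):
        if self.trust_outbound:                # remember who we wrote to first
            self.whitelist.add(rcpt)
        return (self.addr, rcpt, body)         # (From, To, body)

    def receive(self, claimed_from, body):
        """Accept whitelisted mail; otherwise hold it and return a challenge."""
        if claimed_from in self.whitelist:
            self.inbox.append((claimed_from, body))
            return None
        self.held.append((claimed_from, body))
        # The challenge goes to the From line, which the sender fully controls.
        return (self.addr, claimed_from, "CHALLENGE")

def run(filters, first, max_hops=6):
    """Deliver `first` plus every challenge it triggers; return the trace."""
    queue, trace = deque([first]), []
    while queue and len(trace) < max_hops:     # cap stops the endless loop
        msg = queue.popleft()
        trace.append(msg)
        frm, to, body = msg
        if to in filters:
            reply = filters[to].receive(frm, body)
            if reply:
                queue.append(reply)
    return trace

def first_contact(trust_outbound):
    """Scenario 1: A writes to B; both run C/R. Returns (trace, filters)."""
    f = {name: CRFilter(name, trust_outbound) for name in ("A", "B")}
    return run(f, f["A"].send("B", "hello")), f

def forged_sender_load(spam_count, forged):
    """Scenario 2: total unsolicited mail once B challenges forged senders."""
    b = CRFilter("B", trust_outbound=False)
    sent = []
    for i in range(spam_count):
        frm = f"victim{i}@example.org" if i < forged else f"bulk{i}@example.net"
        sent.append(b.receive(frm, "spam"))
    backscatter = [c for c in sent if c[1].startswith("victim")]
    return spam_count + len(backscatter)
```

With `trust_outbound=False` the two filters challenge each other until the hop cap and neither inbox receives anything; with it set to `True`, B's challenge reaches A's inbox after two messages. The whitelist does nothing for the forged-sender case, where 100 spams with 80 faked senders still become 180 unsolicited messages.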
Also, some people HATE challenges. Consider this quote from an eBay seller as it appears in the info about his items:
"Some earthlink customers have a filter that requires one to fill in a form to be allowed to contact the user. If you have this, please do not win, as it infuriates me."
Another comment I ran across in my research was
"If I get a challenge caused by SPAM because someone faked my address in an email, I always send a response. Let the challenger deal with his own SPAM".
Use of Challenge-Response also creates the possibility of the user being branded as a SPAMmer (All those challenges going to faked "From" addresses.) For more info on the problems with Challenge-Response filtering, check out http://www.joewein.de/sw/spam-challenge-response.htm and http://kmself.home.netcom.com/Rants/challenge-response.html
Finally, there is the CAN-SPAM act. Many believe that it is not working. I disagree. You have to use it if you expect it to work. CAN-SPAM essentially says SPAM must contain a means of unsubscribing, and if that doesn't work, report the SPAM to the FTC at http://www.ftc.gov/bcp/conline/edcams/spam/index.html.
The problem here is that the conventional advice you get from the "experts" is to never, never send an unsubscribe because that will just confirm your email address and you will end up getting more SPAM. That advice has always bothered me. So following advice that appeared in a magazine that one should "follow the money" to see where spyware really originated, I applied the advice to SPAM. It seemed to me that the person / company that most benefits from the "don't unsubscribe" advice is the spammer or the seller of the email lists used by the SPAMmer. If the CAN-SPAM act depends on sending unsubscribe requests to achieve its results you cannot expect any benefit if you do not unsubscribe. Think about that.
Since I had considered abandoning the one email account anyway, I had nothing to lose, so I decided this account would make a really good test case. For 30 consecutive days, I kept track of the numbers of SPAM emails I received and kept a most recent 10 day moving average (this smooths out unusual highs and / or lows). I established that I was receiving an average 295 SPAM emails per day and this remained relatively steady.
Next, I started following unsubscribe instructions when they appeared in a SPAM - not always for all of them in a day, but an average of about 10 a day. Many SPAM emails will have two unsubscribe options, one to unsubscribe from the list for the particular company sending the email, a second to unsubscribe from all the companies using that particular list. This is the better option to use. Many responses to the unsubscribes say you will be removed in as little as 24 hours or as long as 7 or 10 days, so you may continue to receive SPAM from that source for that long. I didn't worry about keeping track; I just did the unsubscribe, so many lists would have received multiple requests from me.
I continued with the 10 day moving average. The results were dramatic as the 10 day average dropped to 210 within the first 10 days. After 35 days, the average was down to 151 SPAM emails per day, 51% of the original number. This is the exact opposite of the result that the conventional "expert" advice would lead you to expect.
Of the remaining 151, an average breakdown was as follows:
- 45 foreign (Russian, Brazilian, Chinese, Indian, etc.) that I could not read.
- 45 no form of unsubscribe offered.
- 8 variations of the Nigerian 419 scam or phishing emails.
- The remainder (53) were for things like "genuine Rolex replicas", Viagra, Cialis, mortgage offers, etc. Many contained unsubscribe options, but the unsubscribes were ignored (and did not result in any added SPAM, either).
An "unsupported by solid data" observation: I was getting so many "genuine Rolex replica" offers that one day I got really, really annoyed. So I went to the real Rolex site, found an address to email, and sent an email that essentially said that I knew Rolls Royce used to be extremely proactive in defending their name and would take legal action if necessary to prevent others from using Rolls Royce as any part of a product name or description. I suggested that, since a Rolex replica must involve trademark and copyright infringements and possibly patent infringements, looked like the real thing but was of unknown quality, that maybe, to protect the Rolex name, the company should be more proactive in coming down on these fake producers / sellers. I have no hard numbers, but I am positive that the number of these offers I receive now is less than half what I was getting last fall. Maybe Rolex has taken action.
I keep an eye on the incoming SPAM and will occasionally still get one with a valid unsubscribe (I recognize them now), so I unsubscribe. Also, some of the foreign ones contain links that are recognizably intended for unsubscribing and I use these when I see them. Mostly they seem to work.
This past 2 weeks, I checked out the average number of SPAM I receive again and it is now at 138 so I would have to conclude that CAN-SPAM does work *provided you use it*. Having established that it works, my next phase in my personal SPAM fight will be to regularly report selected SPAM to the FTC, mainly the scams, phishing, Rolex, Viagra, mortgage, etc. low-lifes.
Also, in the case of Nigerian 419 scam variations, since many of these give a public type email address for the response (using netscape, yahoo, hotmail, walla, gmail, etc.), I usually forward a copy with complete headers to that hosting company (if you can't find a reference at the host site, just try [email address hidden on the source page] - it usually is all you need). I often get an almost instant response that the email account was closed. Same with phishing emails. If you move your mouse pointer over the link you are asked to click, the host or IP should show in your browser status bar. It becomes relatively easy then to track down the host owner and / or an appropriate abuse email for reporting the attempted scam and the faked site will usually be closed in hours (or sometimes even in minutes - my personal record is 4 1/2 minutes, including a thank-you from the hosting company for reporting the abuse).
So don't sit back and live with SPAM. We can all fight SPAM. We may not be able to totally win, but all of us together can probably make a big difference.
Tom Aman
Aman Software
Written by Reg Charie February 4, 2006
As a recipient of over 4000 spam emails a week, it is something that one learns to live with. I would like to thank Tom Aman for the link to the spamRIP program, as my Outlook and Norton spam filters only get about 85%. Occasionally, I try to do something about spam, and the readers may get a chuckle from my last attempt. I have an email policy on my site right at the bottom of the main page that states,
"Email policy: as of June 01 2004 I offer to accept unsolicited e-mail advertisements from you in return for your promise to pay me $1,000 each time you send mail to any of my addresses at DotCom-Productions.com. Your use of my address to send unsolicited e-mail to me will constitute your acceptance of this offer."
Yesterday I received a spam promoting TRIO Display, a company that sells store display systems. Since the spam included a link to their forums, I signed up and added a post entitled "Your Spam" (triodisplay.com/forums/viewtopic.php?t=16)
The body of the post stated:
Posted: Wed Feb 01, 2006 1:25 am
Post subject: Your Spam Email
"I received an email from you dated Tue, 31 Jan 2006 addressed to ads-peel<@>dotcom-productions.com and sent by triodisplay @ unackly.com. If this was not sent by you, I apologize. If it was, for shame. I hope you get your hosting account banned. Companies scrounging email addresses from forums and classified ad sites just add to all our problems.
According to my email terms of use, posted on my website, "Email policy: as of June 01 2004 I offer to accept unsolicited e-mail advertisements from you in return for your promise to pay me $1,000 each time you send mail to any of my addresses at DotCom-Productions.com. Your use of my address to send unsolicited e-mail to me will constitute your acceptance of this offer."
Seems like you owe me $1000. Will that be Check or Credit Card?"
Reg Charie
metacryl.com