Gerald Pfeifer
Contact
Publications
Notes/FAQs
Bookmarks
  

Whither Unsolicted Commercial E-mail (aka Spam)

This FAQ tries to explain various UCE related questions and especially focuses on common misconceptions regarding how to deal with UCE from the victim's perspective.

(It was originally written back in 1998, and I was quite suprised to see how timeless the comments have proven, when I resurrected and published it in May 2004.)

Filtering UCE is easy. Simply junk messages where you do not appear in the To: resp. Cc: headers.

This is definitely not a good idea. This will junk blind carbon copies (BCCs) and most mailing lists. Clearly you can add filters for mailing lists as well, but this means additional work on your side[1] and still breaks if one of the headers you use for filtering changes for whatever reason.

Besides spammers continuously adjust their techniques, and these days it is getting increasingly common to find your name and/or address in the To: or Cc: headers.

Okay, so I quickly scan over the subjects of incoming mails and quickly delete spam.

For average users this is not that easy, especially if they do not speak English very well, but even for advanced users it does consume time[1] and it's only a question of time until they erroneously "kill" some personal e-mail.

Plus, why should one take that additional burden at all? It does not scale!

How about using a separate address for Usenet, which is valid but never read?

This is not a good idea, either. Usenet and e-mail have been designed to complement one another. In most hierarchies (at.*, de.*, the Big-8,...) it considered polite to move personal issues to e-mail, for example. In general, it is considered extremely unpolite to use an e-mail address that is not actually read.

Well, but if I never post on Usenet I won't receive spam, will I?

No. There are many further sources where spammers can obtain e-mail addresses: InterNIC and RIPE databases, web pages,...

How about the following: I block all messages, unless they contain some magic token in the subject?

This puts an additional burden on those who want to contact you. Of course, you can add exceptions for your friend, but that will mean additional work for you.

So how can I block spam?

The Spamhaus Project and others maintain lists of servers that have been or easily can be (ab)used for spamming. These can be used on a personal basis or on your mail server to block mail from these servers.

MAPS and ORBS are bad, for they block entire domains

This is not true. MAPS and ORBS block abusive resp. incorrectly configured mail servers, not domains nor e-mail addresses. These are completely different concepts.

[1] This is one of the major drawbacks of many (pseudo) solutions: They require additional work on the side of the user who does not want to receive UCE.

Gerald Pfeifer (gerald@pfeifer.com)
Last modified Sun Feb 12 02:39:53 2023.