Fog Creek Software
Discussion Board




Spam

Since there's a bit of discussion about spam recently I just wondered how much spam people get every week. For me it's not too bad, I probably get about 6 or so (on average) emails concerning either porn or credit cards or such like each week.

Almost all the spam I get comes from aol or yahoo.

The most annoying one is for a dating agency that no matter how many times I unsubscribe, just keeps coming back, in fact I think my unsubscription automatically adds me to other mailing lists!

How much spam are you getting?

Alberto
Monday, November 18, 2002

20 in the last year (including 10 virus attempts), and I usually post my email when I reply on this board.

but not this time
Monday, November 18, 2002

I get virtually none, somewhat less that six I'd say. This is because I have my own domain and with few exceptions all email addresses at that domain come to me. Whenever I sign up anywhere, I use some form of the site's name to create a new email address. Like for this site I might use joelonsoftware@xyz.com.

Then, if I start getting spam I configure my mail server (hosted by m6.net) to redirect email sent to that address back to somebody at the site where it came from. Like if I started getting spam from this site to my joelonsoftware@xyz.com address, I would find Joel's email address and redirect the mail back to him. Typically tho I send it to something like webmaster@thatsite.com.

Even doing this I rarely get spam to my latest address and rarely have to setup one of these redirects. I think I only have three setup right now.  My old email address, which I eventually had to abandon, got spammed to their death.

Anonymous
Monday, November 18, 2002

2 Nigerian spam scams per day.  I suscribe to 3 Xfree86 lists and the linux-networking list. 

Nat Ersoz
Monday, November 18, 2002

It varies quite a bit.  About 6-10 per day is typical for me.

A lot of the spam I get claims to be from AOL or Yahoo, but most "From" addresses are forged.  A look at the headers usually shows another source.

Most of it is the standard junk: mortgage loans, Nigerian 419 scams, fake Viagra, septic tank cleaner, etc....

I never use the opt-out links in spam.  They typically say that their spam is not spam and I am getting it because I opted-in to their list.  If they lied about that, I don't have much confidence that their opt-out link will work.

mackinac
Monday, November 18, 2002

My home E-Mail address has been the same for 12 years.  Many years ago, I nievely made some usenet postings using my real address.  I get about 15 spams a day, likely as a result of those postings.

It would be nice to be able to "trace" a spam and know who leaked the address.  I've heard of people using a different middle initial to trace the source of junk postal mail.

Bill Carlson
Monday, November 18, 2002

6 email accounts, all of which have me as a resident of countires from belgium to the maldives, diff information in all of them.


I still get about 10 emails every week that could be counted as SPAm.


I susbcribe to quite a few newsletters, cnet, computer world, economist, forbes, wsj, fortune, joel's,etc/

Prakash S
Monday, November 18, 2002

We get roughly 1 every half hour, not counting the domains we don't accept mail from.  I know this because we graph our incoming mail and spam - and we use the results of the graph to determine which repeat offender to concentrate on next.

We have pretty good filtering - maybe one every couple of weeks slips through the filter, and I can't remember the last false positive we've had.

It's the bandwidth waste that annoys me, so with my admittedly limited resources I also attempt to get the worst offenders to stop.

Aside from not accepting connections from some (unfortunately kind of like whacking the head off a monster with millions of regenerating heads), we also send out a contract to the worst offenders (and anyone who sends us junk faxes - very annoying, and often illegal, although that doesn't stop many).  The contract offers to accept unsolicited messages at US$50 per message.  To accept the contract, they can send us mail.  We also point out that it is our corporate policy to boycott any companies sending us unsolicited correspondance, unless they are a contracted customer. To decline, they can simply quit sending us unsolicited correspondance.

Very often, I get a response with just the contract. Mostly, the response comes from blustery and defensive people who don't understand at all why we would rather not waste the bandwidth to receive something we aren't even going to read.  Sometimes they claim not to be able to remove our addresses from their database (Industry Canada, for example).  Hilariously, one guy threatened to let all of his customers and vendors know that they shouldn't send our company unsolicited email.  I said "Great!".

Sometimes, the contract is ignored, so we send out an invoice.  So far, once we've gone that far the stream of spam has ceased abruptly from that source.  My theory is that the invoice gets the attention of someone higher up who is not interested in going legal.  Especially since continuing to send the messages is obviously not going anywhere.

Eventually, we'd like to be able to drop mail connections as soon as we determine it is spam, since one rarely has to read the entire message to make that determination.

Phibian
Monday, November 18, 2002

Phibian, how do you track down the spammers? Most spam I receive has fake sender address. I receive about 5-10 per week.

I find it ironic that most spam tries to hide its source, yet they somehow expect to take your money. How can they do that when they are hiding their identity? Where do I send my money?

Z M
Monday, November 18, 2002

About 40/day in my Hotmail account. About 2/day in my company account. This is why it's so irritating that SpamNet only works with Outlook and not Outlook Express. The other problem with SpamNet (and other spam blockers) is that it seems to favor blocking legit emails over allowing spam through when the opposite would be smarter. There's little use for a spam blocker that still requires you to review your spam folder.

pb
Monday, November 18, 2002

Q. How do we track down spammers?

A.  We check information provided on mass-mailer websites (usually we'll use a sales address).  We also use billing addresses linked to the particular domain, if applicable.  Sometimes I will call and ask for a mailing address.  Or I will ask to talk to the sales department - posing as a potential customer.  However, I should be clear and state that the "contract" tactic only works on the quasi-legit operations.

We don't have time to track down the really sleazy spammers where they spoof all of their information and take advantage of open relays etc.  And you are right, often there is very little way to respond to some of the more annoying spam.  Apparently, most of the time these are people "fishing" to determine if the email address is valid (ie doesn't bounce).

We certainly don't bother trying to track people sending mail through Yahoo (for example) - chances are that the account will be cancelled before we check the spam bucket...

Phibian
Monday, November 18, 2002

I get about 80-90 a day on one of my older accounts.

anon
Monday, November 18, 2002

Read this:
http://diveintomark.org/archives/2002/10/29.html#club_vs_lojack_solutions


P.S., I've had a hotmail account since there was a hotmail.  I get about 70 spams on that account per day.  I register almost all non-personal stuff on that account.

However, I've recently gotten my own domain, and I think the previous domain owner's idea is pretty slick.
...

Though clearly, that approach is beyond Joe AOL User, and there needs to be a solution for the everyman.

;-)

Jeremy Dunck
Monday, November 18, 2002

I get 20-40 spams each day (on about 5-10 legitimate mails), but then I have had my email address plainly visible on my web site for years. It's hidden now, but I guess it's too late...

I might be tempted to write some kind of proxy mail server that implements Paul Graham's spam filtering technique so I can finally get rid of it.

Frederik Slijkerman
Tuesday, November 19, 2002

Around 20 a day. It doesn't bother me all that much. It takes about a second to deal with a spam message, so what's the big issue here.
I frankly get more annoyed with all the junk I recieve in my paper mailbox every day. Dead trees and all that.

Just me (Sir to you)
Tuesday, November 19, 2002

For me, it differs a lot over time. There are weeks (normally after I posted my real email adress to a site to get a registration key or the like) when I get 20 or more spams and then there are phases when it goes back to almost nothing. Newsgroups are even worse, but I do not use my normal email address in the newsnet any longer.

So far this has not bothered me enough to care much about spam filters or the like. I only used those to get rid of two or three newsletters I never subscribed to and which always disregarded my attempts to unsubscribe (Apple news for examples used to be a real pest).

My email address is visible on my website for almost two years now, but I never had the impression that it was picked up from there for spamming.

Have fun,

Jutta Jordans
Tuesday, November 19, 2002

Those who expressed interest in using some sort of quasi-throwaway email address that _also_ allows you  to work out who it is that's sold your address onto someone else's "opt-in" *ahem*  list might like to have a look at SpamGourmet ( http://www.spamgourmet.com/ ).

Basic level is a free email redirection service. Sign up using the userid "fred" for example, and give them your real email address. Then if you need to sign up with, say, the NYTimes  for something and need to give them a valid email address, simply give them something like nytimes.10.fred@spamgourmet.com . The number '10' indicates that up to 10 relays will be made through that address to your "real" address, and then everything after that will be binned. Up to a max of 20 relays, I think. Then if you receive any spam on that address, you can immediately identify who sold your address.

It's a pretty neat service when you just need to supply a valid email address to sign up for something and you _don't_ expect  any more than a handful of emails to be sent to that address (so it'd be useless for a mailing list, for example).

Anyway, it's a very cool free service. Some of those that have already contributed to this thread might be interested. (NB. I have no relation to this service other than as a satisfied non-paying user)

Pete.

Peter Wright
Tuesday, November 19, 2002

Pete, this spamgourmet sounds similar to http://www.mailshell.com , but mailshell doesn't have the "maximum number of relays" feature. I don't really grok this, could you clarify what this does?

Yves
Tuesday, November 19, 2002

Like Bill, one of my work addresses is 10 years old and at one point the company participated in a variety of Usenet groups through their BBS.

According to our mail server's spam reports, it's stopped 500 messages in my name in the past week.  About 15 made it through to my mailbox.

As for tracking, I recently sold my domain name and bought a new one.  I don't give out an address unless it's specific to the asker such as cblaise-company@mydomain.com.  Everybody's been good...so far.

The one that's really pissed me off lately is spammers using my above-mentioned work address and the bounces come to me.  I don't know of a way to get around this short of deleting the address.

Maybe that's not such a bad idea...

Chris

Chris Blaise
Tuesday, November 19, 2002

I get about 25 - 40 a day in my Hotmail account.  Every morning when I come to work, I find around 15 spam messages waiting for me.  And I delete quite a few during the day.

I've had this Hotmail account since 1997, and the only reason I don't give it up is that it's easy to remember -- [my last name]@hotmail.com.

I use it for any non-work-related e-mail correspondence with commercial entities.

programmer
Tuesday, November 19, 2002

Yves,

Spamgourmet's maximum relay idea (nytimes.10.fred@spamgourmet.com) basically creates an email address than will only accept 10 emails, then bounce everything. It's a disposable address.

This is a great idea -- you can sign up to some website and receive registration details by email, but don't have to give away your real email address and it doesn't matter if the website sells your address: it stops working pretty quickly.

Tom Payne
Tuesday, November 19, 2002

I get 20-30 per day across three accounts.

I used to have a Hotmail account, but I mainly used it to check my other accounts when away form home with the pop mail feature. How that got as much Spam as it did, I'll never know, since I almost never sent form the account, and never used it to sign up for anything. Needless to say it's long since been abandoned...

I'm looking to install some kind of server side filter. I was considering SpamAssassin, but Bayesian filtering seems to be the buzzword of the week, so I'm considering options based on that. BogoFilter looks promising, buy while the speed of something written in C has its attractions, I'd rather like something that I can fiddle with easily, which probably means doing it in Perl or PHP. I'd also like a web interface.

Since I know what I want, and I've a good idea of how to do it, writing my own seems like a strong possibility... just have to find time!

James

James Shields
Tuesday, November 19, 2002

I get about 15 per day in three accounts, but the distribution is not level. One account is about 6 years old and receives 90% of the spam. Mind you, I have almost never used this account for personal e-mail; it's mostly been a magnet used in registration forms.

I have noticed different spam patterns in each of my accounts. The 90% account mentioned above seems to get most of its messages from the same source. The specific ads change, but the subject line patterns are definitely consitent. (They will all begin with "Friend, " for a while, then "Steve, " then "Friend, " again.) My most active personal account only receives non-English spam (Big5 encoded). My work account only receives English spam with all-lowercase subject lines.

I post to Usenet regularly using my real, unmunged e-mail address (per http://members.aol.com/emailfaq/mungfaq.html#why-not-mung) and find that this account still remains mostly spam-free. That may indicate that address harvesting on Usenet has declined.

Steven E. Harris
Tuesday, November 19, 2002

I'm using Junkmail Buster which is part of PopUpBuster. It is easy to scan my e-mails and delete unwanted ones. Also, it is easy to opt-in, opt-out senders or domains.

The ratio of junkmail/mail on my public e-mail was 45/1 today.

I hate junkmail
Tuesday, November 19, 2002

You can also use multiple email addresses with many mail systems, for example youraccount+somespecialtoken@yourdomain.com.

Spam is evil especially when it's fraudulent. How do know if that unsolicited 'offer' mail is an offer for porn or an offer for your company to make a lot of money? or that 'remember me' mail is from a friend who likes to use cute names in their email address or porn? I can figure out how to handle these, but the average person doesn't even think that they need to think about it.

Hotmail accounts get spam even if you never use them. I had one account for a while I never told anyone about since the project never happened, and it got many messages every day.

I want to make my web site return a different address based on who is crawling it, though I get very little spam to my web site, mostly sort of legitimate stuff. (Church software once, for example?!)

mb
Tuesday, November 19, 2002

Speaking of bogofilter, has anyone run across a Windows port?

Chris Dunford
Tuesday, November 19, 2002

None on my work account - although some junk e-mails from Amazon, etc. To the best of my knowledge it has never stopped any legitimate mail.

Practically none on my Yahoo account. It does shunt various wanted mails to the 'bulk' mailbox thinking it's spam on various occasions.

Mr Jack
Wednesday, November 20, 2002

I get about the same as the original poster, about 5-6 a week.

ljlj20-3480j-jjooo203-22@aol.com
Wednesday, November 20, 2002

At work it's not much, about 1 per day, but that's because we recently switched domain names & it's taken the spammers some time to catch up.

At home, it's about 10-15 per day, but slowly decreasing as I apply more filtering rules to my email client.

Mark Williams
Wednesday, November 20, 2002

What's scary is that I have a domain that I've registered, and I have set up a few e-mail accounts there, but I have NEVER used these addresses -- for anything.

I opened the mailbox for one of the accounts, and found a spam message waiting for me.

How the hell did they find this mailbox?

Get A Free Prescription Card!_OK
Wednesday, November 20, 2002

Dear "Get a free subscritpion card now"

There are various ways they will find your mailbox. One is to check out if common domain names are registered. Another is simply to generate domain names randomly and send the spam out as they don't care if most of it bounces.

Another trick is to chose the most common names for each ISP so you get spam sent to john@suchandsuchISP dave@suchandsuchISP

I know this because my email is steve@myISP as I was one of the first customers when the internet started up here in Saudi, and so I get mail that could only have been generated by chance.

What is surprising is that I have been publicising that email address openly on discussion boards for three years now, and scarcely ever get any spam, whilst the work email that is publicized nowhere, gets half-a-dozen a week. (And the department email which is published in ads all over the web gets three or four 419's every day - but no Viagra!)

Stephen Jones
Wednesday, November 20, 2002

On a slightly related issue: Does anyone have any good ideas about what to do about spam resulting from on-line ordering?

I like to order things on-line - books and computers of course and other stuff as well.  Most of these companies seem to have the right idea.  I give them an email address for order confirmation and shipping notices.  They don't use it for advertising or their web site order form has a box to check to disallow such use.

Unfortunately, a few places feel that once they have my email address, they can send me all the junk email they want to.  If I had known they would do that, I wouldn't have ordered from them.
Usually that have an opt-out link, but it may or may not work.

Is there much hope for educating online merchants to have more respect for their customers?

mackinac
Wednesday, November 20, 2002

Just ran across this link to information on an upcoming Spam Conference:

http://www.spamconference.org/

programmer
Thursday, November 21, 2002

*  Recent Topics

*  Fog Creek Home